hi! currently i've the following config in my core sw. We're deploying a new software based FW + a SSL GW in my network. I've attached a diagram with sample wan ip segments to illustrate the scenario. Eg. In the public DMZ segment 203.105.20.0/29, i;ve added in an umanaged sw to enable 3 connections from this segment. My question is that can this work by turning one of my core switch's port to L3 using the command no switch port and set the ip to 203.105.20.2 + add a route "ip route guest 0.0.0.0 0.0.0.0 203.105.20.1" to the core sw? (of course the existing ip route guest 0.0.0.0 0.0.0.0 172.16.252.1 command will be removed). Will this route enable clients from the VRF network to go to the internet?

I would also add a route to enable traffic to 10.10.10.1/24 segment by adding another route to the core sw "ip route 10.10.10.10.1 255.255.255.0 10.10.11.1".

Is the routing required for this public/private dmz being done correctly? Any additional route required in the static route or routing protocol?

My last question is why there's a need to have a private dmz with a private address in this case?

Thanks in advance

ip vrf guest

description guest internet access

rd 100:1

route-target export 100:1

route-target import 100:1

interface loopback11

ip vrf forwarding guest

ip address 172.16.255.255 255.255.255.255

interface vlan 11

ip vrf forwarding guest

ip address 172.16.252.2     255.255.255.0

standby 1 ip 172.16.252.1

standby 1 priority 150

standby 1 preempt

router ospf 11 vrf guest
log-adjacency-changes
passive-interface default
no passive-interface Vlan123
network 172.16.252.0 0.0.0.255 area 0
network 172.16.255.255 0.0.0.0 area 0
!

ip route guest 0.0.0.0 0.0.0.0 172.16.252.1