I am setting up a new network consisting of several different zones. Everything has been planned except for the initial line drop into the lab. I have 2 routers (2 layer 3 ports each, plus a 4 port HWIC module whose ports function as layer 2 unless bumped to layer 3, with limited configuration) that also act as the firewall, IDS and VPN, a managed 2948-L3 switch and then a couple of lower level managed switches. Our Internet line comes in as a single line with a block of static addresses.
My plan for the design was to take the one line in and split it to both routers respectively. I thought I could do this through the layer 3 switch, but that is not the case due to it not supporting NAT. This leaves me with one Internet line that needs to go to 2 different routers, but not many options. I know I can put the routers inline with each other, but this is not ideal. As mentioned before, this ONE network will be separated into different zones. One router will function as the standard user net whereas the other will NEED unrestricted access at all times and have NO communication with the usernet. If I put them inline with each other, I will constantly need to modify the top router (usernet) to allow the testing network out or in. Does anyone have any ideas on how to solve this with just the current hardware mentioned? I know buying a core router that those routers would branch off of would work, but if I don't need to spend money to fix this then that works better.
Just to add, I have thought of an idea that may work:
- Having usernet take the internet line in, create a NAT pool that testing can pull from and connect them that way. Allow anything from testing out and worst case I update the static NAT when needed.
Hopefully all of this makes sense. Thanks in advance.
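As an added illustration (not part of the original post, and not a config from the poster's network), here is how the NAT pool idea above could look on the usernet router in Cisco IOS syntax. All interface names and addresses are assumptions: the public block uses the documentation range 203.0.113.0/29, usernet is 10.10.0.0/24, the testing networks behind the second router are 10.20.0.0/16, and the HWIC ports are grouped into a VLAN whose SVI serves as the transit link. The point it shows is that the "allow testing out, block testing from usernet" rule can be written once as a standing ACL on the transit interface, so the usernet router does not need editing every time the testing network changes; only new inbound static translations would still require a one-line change.

```cisco
! Usernet router: owns the Internet line and translates for both zones.
! Assumed addressing (constructed placeholders):
!   WAN block 203.0.113.0/29 (ISP gateway .1, router .2, testing pool .4, inbound static .5)
!   usernet LAN 10.10.0.0/24, transit link 10.99.0.0/30, testing networks 10.20.0.0/16
!
interface GigabitEthernet0/0
 description WAN - ISP handoff
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Usernet LAN
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip access-group USERNET-IN in
!
! One HWIC switch port carries the transit link; its VLAN SVI is the layer 3 side.
interface FastEthernet0/0/0
 description Transit to testing router
 switchport access vlan 99
!
interface Vlan99
 description Transit to testing router (no usernet hosts on this segment)
 ip address 10.99.0.1 255.255.255.252
 ip nat inside
 ip access-group TESTING-IN in
!
! Routing: testing networks live behind the second router, default goes to the ISP.
ip route 10.20.0.0 255.255.0.0 10.99.0.2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Testing gets its own dedicated public address rather than sharing the usernet
! translation, so its traffic can be filtered or logged separately upstream.
ip nat pool TESTING-POOL 203.0.113.4 203.0.113.4 netmask 255.255.255.248
ip nat inside source list TESTING-NAT pool TESTING-POOL overload
ip nat inside source list USERNET-NAT interface GigabitEthernet0/0 overload
!
! Inbound reachability for a testing host: the only line that changes when
! testing needs something new exposed (the "update the static NAT" case).
ip nat inside source static 10.20.0.10 203.0.113.5
!
ip access-list standard TESTING-NAT
 permit 10.20.0.0 0.0.255.255
ip access-list standard USERNET-NAT
 permit 10.10.0.0 0.0.0.255
!
! Standing isolation rule on the transit interface: testing may go anywhere
! except the usernet LAN. Denied attempts are logged for review.
ip access-list extended TESTING-IN
 deny   ip any 10.10.0.0 0.0.0.255 log
 permit ip any any
!
! Same rule in the other direction, so usernet hosts cannot reach testing either.
ip access-list extended USERNET-IN
 deny   ip any 10.20.0.0 0.0.255.255 log
 permit ip any any
```

The testing router simply points its default route at 10.99.0.1 and keeps its own NAT disabled, since the usernet router performs the translation for it. Because the two NAT source lists cover disjoint address ranges, each zone always leaves through its own public address, and the `log` keyword on the deny lines gives a simple audit trail if either zone ever tries to cross the boundary.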