A couple of years ago, I set up a small 30-host network on a switch behind a PIX firewall. Now the network has almost outgrown its boundaries, and is still expanding. Because adjoining networks are already used, I cannot go from a /27 network to a /26 or /25 network.
The question is this - can I set up two separate L3 networks on two separate interfaces on a PIX firewall, and connect them to a single L2 Vlan on a switch, then have hosts in both Vlans access their own gateways?
Here's an example. If 192.168.1.0/27 is on one interface of a PIX connected to a 3550 switch, which has all of its ports on Vlan 1, and I add another interface to the PIX, address it as 192.168.2.0/25 and plug it into the same switch, will any host devices plugged into the 3550 switch be able to access their own gateway if they are in different networks? The long term plan is to put a new network on the existing switch, and gradually migrate the old addresses to a new range, while still being able to add new devices. It would be kind of like secondary addresses on a router.
I hope I'm asking this question right. I think it can be done, but want to see if anyone else has done it.
You want to have your 3550 as part of a flat L2 network. All ports are going to be on vlan 1 (the default vlan) and you want to create 2 separate L3 network address ranges for hosts residing on the switch?
If this is the case, this will work. When a host tries to ARP its configured gateway, only the correct PIX interface will reply with its MAC, which gets stored in the ARP table on the 3550, which then switches the traffic as it would any other packet.
The only issue I can see with this design is obviously that it doesn't allow you to truly segment the two networks. While two machines on the separate L3 networks can't talk directly to one another, viruses, multicast and broadcast traffic can still be seen by all. So stuff like NetBIOS can't be segmented between the 2 L3 networks. Also, I don't know what version of PIX you are using; anything prior to 7.0 does not allow two interfaces to be the same security level, meaning you will obviously have to make sure you write access-lists for the inside interface.
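The ARP behaviour described in this answer, as an added simulation (example code written for this page, not from the original thread or from Cisco): two PIX interfaces and three hosts share one flat VLAN, each host ARPs its own configured gateway, and only the interface that owns that IP replies. The MAC and IP addresses are constructed for the demo; the two subnets are the ones from the question.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the demo: the question's two PIX interfaces.
PIX_OLD_MAC = "00:50:54:00:00:01"   # pix-e1, 192.168.1.1/27 (old network)
PIX_NEW_MAC = "00:50:54:00:00:02"   # pix-e2, 192.168.2.1/25 (new network)


@dataclass
class Port:
    """One NIC on the VLAN: a host, or one PIX interface."""
    name: str
    mac: str
    ip: ipaddress.IPv4Interface                      # address + prefix, e.g. 192.168.1.10/27
    gateway: Optional[ipaddress.IPv4Address] = None  # hosts only; the PIX has none here
    arp_cache: Dict[ipaddress.IPv4Address, str] = field(default_factory=dict)
    broadcasts_seen: int = 0                         # ARP requests delivered to this port


class FlatSegment:
    """A single VLAN: an ARP request (broadcast) is delivered to every attached port."""

    def __init__(self) -> None:
        self.ports: List[Port] = []

    def attach(self, port: Port) -> Port:
        self.ports.append(port)
        return port

    def arp_resolve(self, sender: Port, target: ipaddress.IPv4Address) -> Optional[str]:
        """Broadcast 'who-has target'; return the MAC of the one port that owns it."""
        if target in sender.arp_cache:
            return sender.arp_cache[target]          # cached: no broadcast this time
        replies: List[str] = []
        for port in self.ports:
            if port is sender:
                continue
            port.broadcasts_seen += 1                # everyone on the VLAN sees the request,
            if port.ip.ip == target:                 # but only the owner of the IP answers
                replies.append(port.mac)
        if len(replies) != 1:                        # nobody, or a duplicate IP: unresolved
            return None
        sender.arp_cache[target] = replies[0]
        return replies[0]


def next_hop_mac(seg: FlatSegment, host: Port, dst: str) -> Optional[str]:
    """MAC a host puts in the frame for dst: the peer if on-link, else its own gateway."""
    dst_ip = ipaddress.IPv4Address(dst)
    if dst_ip in host.ip.network:
        return seg.arp_resolve(host, dst_ip)
    if host.gateway is None:
        return None
    return seg.arp_resolve(host, host.gateway)


def build_segment() -> Tuple[FlatSegment, Dict[str, Port]]:
    """All ports in VLAN 1, two subnets: the layout the question asks about."""
    seg = FlatSegment()
    A, I = ipaddress.IPv4Address, ipaddress.IPv4Interface
    ports = [
        Port("pix-e1", PIX_OLD_MAC, I("192.168.1.1/27")),
        Port("pix-e2", PIX_NEW_MAC, I("192.168.2.1/25")),
        Port("host-a", "00:0c:29:aa:aa:aa", I("192.168.1.10/27"), A("192.168.1.1")),
        Port("host-c", "00:0c:29:cc:cc:cc", I("192.168.1.20/27"), A("192.168.1.1")),
        Port("host-b", "00:0c:29:bb:bb:bb", I("192.168.2.10/25"), A("192.168.2.1")),
    ]
    return seg, {p.name: seg.attach(p) for p in ports}


def demo() -> Dict[str, object]:
    seg, h = build_segment()
    return {
        # old-net host to new-net host: frame goes to the OLD PIX interface, not direct
        "a->b": next_hop_mac(seg, h["host-a"], "192.168.2.10"),
        # new-net host to old-net host: frame goes to the NEW PIX interface
        "b->a": next_hop_mac(seg, h["host-b"], "192.168.1.10"),
        # same subnet: resolved directly, the PIX is not involved
        "a->c": next_hop_mac(seg, h["host-a"], "192.168.1.20"),
        # every port, including the other PIX interface, saw the broadcasts
        "seen": {p.name: p.broadcasts_seen for p in seg.ports},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The first two results show the answer's point: each host resolves only its own gateway, so traffic between the two subnets is handed to the PIX rather than switched directly. The `seen` counters show the caveat: the ARP broadcasts from the old subnet still reach the new PIX interface and the new-subnet host, because nothing at layer 2 separates them.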
Thanks for the reply. The devices hanging off the back of this PIX will be storage devices and non-Windows devices. The whole purpose of this is to allow expansion of a small 30 host network to half of a Class C without having to do any more work other than re-IP'ing the hosts. Once everything is migrated to the new network, we'll turn down the old interface (old network) and disconnect it from the switch.