3com 5500G - VLAN routing


soltarian

Technical User
Jan 3, 2012
Hi all,

I have two 3com 5500G that I need to configure for VLAN (with possible additional 5500g coming in the future).

My understanding is that 5500G can do layer 3 and therefore can act as a router (for VLAN purposes). Right?

The network in the office is currently configured by sending everything through a server (ie: everyone is connected to the server and the server does the DHCP - as far as I can understand for now). The ISP router (that I cannot touch) is connected to Server that is then connected to switches.

What I wanted to do is "plug" one of my 5500G (the one that will act as the router) into the server and then the second 5500g into that first one.

Server --- 5500G (1) --- 5500G (2)

I have already configured the 5500Gs with the vlan settings and everything seems fine on that side.
I am just confused/lost for the 5500G (1) and its connection to the server, how do I configure so that it gets an IP from the server and then propagates that one to my VLAN (so they can access the network)?


Sorry if it is all a bit unclear; it's my first professional experience (I'm doing my work placement experience), the only experience I have is playing with Cisco gear in a lab environment...


Thanks in advance guys!


-Max
 
First step is to do a complete design, including all components.

Then, with your design on paper, step through the connectivity you expect to be providing for each of your devices/systems. A dry-run if you like. Start from scratch - imagine you are connecting each device in turn and run through what you expect/need to happen, eg, you plug the server in: it should be able to see the router, then the internet, how will that happen? What switchport is it using, how does the switch deal with the frames from the server?
You plug a PC in: it should receive a DHCP address, how? Where will the request go, how does it get there, how is it replied to, what information is contained in the reply, can the PC use that information to connect to the server, the router, the printer, etc....

You can't make it work on paper without a design, and if you can't make it work on paper, then you can't go changing anything until you understand what you are doing.
 
Thanks Vince.

I have done that on paper (a few times already). But maybe I'm going the wrong way about it since I wrote/drew down what I wanted to happen....

The way the network works now is
ISP --- Server --- Switch (5500G#3)
If I plug a computer in the 5500G#3 (which is already configured and working), it gets an automatic IP address and can access internet + email.

What I am required to do is to implement VLANs so the network can be easier to manage/monitor and to save some IP addresses.

My understanding was that I could plug my 5500G#1 into the 5500G#3. Create the VLANs routing on 5500G#1 and then connect 5500G#2 to #1 to distribute the vlans to PCs....

I tried with removing one of the extra 5500G (either #1 or #2) but with no success at all.

The thing that "bothers" me, is the lack of router to configure sub-interfaces (which I learnt on Cisco) ....
 
Also, forgot to mention.

At the moment I would just like to be able to ping my vlans from outside. I am ok with manually assigning my VLAN PCs with IPs.

I was planning on working with the DHCP after I could at least ping my VLANS from outside.
 
Ok, I did some progress in finding out details about how the network is set-up at the moment.

DHCP Server (with 192.168.1.0 scope) --> 3Com 5500G (that connects to everything else).

What I need to do is connect another 5500G (to the current 5500G). The different VLANs will then be connected to that 2nd 5500G.

---

From what I understood, I need to:

- Define a new scope on the DHCP Server for my VLAN (ie: 192.168.10.0 ??)
- Set up VLAN interface on the connection between Server and 1st 5500G
- Connect 2nd 5500G with crossover to 1st 5500G. Then does that connection need to be "trunk"?
- Assign the various ports of the 2nd 5500G to the VLANs I want.


Am I on the right track here?


-Max
 
A couple of things - instead of sub-interfaces, you will be configuring VLAN interfaces. Make sure you have the 5500 manual handy to look up the config you need.

It sounds like maybe your Server is acting as your network router at the moment, as well as firewall and presumably also performing NAT. What is the IP configuration of the link between Server and ISP router?

Personally, I wouldn't myself be trying to adjust what you have now, I would come up with a brand new design and implement it.

You would have:
ISPRouter--firewall--L3Switch--Switch2

With all your server and hosts patched to whichever switch they are closest to. To do this, you would need to figure out what the firewall is going to be. Usually, you have a router for that purpose. Maybe your Server would need to stay where it is? Not sure.

If your Server has to stay where it is to be the firewall, then you would create a routed link between the Server & L3 switch. The Layer3 switch should have the default GW addresses configured as VLAN interfaces for each of the subnets you want your hosts to be in. The VLANs created on the L3 switch would then need to be trunked over to any additional switches. To keep things simple, I would keep the Server--L3Switch link on its own subnet which doesn't extend out to any of the hosts.
 
Thanks for the reply Vince.

I did suggest them to have the ISPRouter -- Firewall -- Switch(es) configuration. But they want to keep it the way it is now.

I did sort of assume that the server was assuming the "router" role in the network.

I can get my head around the logical concept of connecting Server to switch to switch, but when I try to implement it it doesn't work.

---

The server is connected to port #18 of 5500G(1). I connected the new 5500G (2) to port #24 of 5500G(1).

- port #18 = access (haven't changed anything on this port)
- port #24 = trunk (add and "permitted" my vlan on this port)
- I set up my vlan and vlan interface (with ip address) on 5500G(1)
I'm missing something here am I????

---

Ideally I want to other 5500G to 5500G(2); each additional 5500G to be part of one vlan only.

---

For now I'm happy to get it all working without involving DHCP (ie: I'll manually put IPs for the different PCs in the vlans) just yet (unless it is easier to do everything in one go).
 
I have a feeling I'm missing a static route somewhere.

The 5500G(1) doesn't have any routes (apart from my VLANs).
So should I add a route from 5500G(1) to DHCP server.
Or add a scope on DHCP server for my VLANs?

Also, if I connect a PC directly to 5500G(1), I get automatic IP and access to all network features (and I can ping everyone).
With my current VLAN set-up, I cannot ping from VLAN to outside (same goes for outside to VLAN)
 
Sorry if I keep replying to myself guys! I just write as I discover stuff and try to make it as clear as possible for you guys to help me.

----

Server --- 5500G(1) --- 5500G(2)
|
|
5500G(3)


- I create my VLAN + VLAN interfaces (with IP address) on my 5500G(1)
- I modify the current connection between Server and 5500G(1) to be trunk with all VLANs tagged. (would that affect the current connection in any ways?)
- I make the connection between 5500G(1) and 5500G(2)+5500G(3) trunk with all VLANs tagged.
- I create VLAN + VLAN interfaces (without IP address) on 5500G(2) and 5500G(3)
- I assign VLANs to specific ports (untagged).
- I assign correct IP to PC then connect to the switches.

I should be able to ping from outside 5500G(2) and 5500G(3) to their inside VLANs. Correct?
 
Sorry, I mis-interpreted what I wanted to say:

----

Server --- 5500G(1) --- 5500G(2)
|
|
5500G(3)

----

- I create my VLAN + VLAN interfaces (with IP address) on my 5500G(1)
- I modify the current connection from Server to 5500G(1) to be trunk with all VLANs tagged. (would that affect the current connection in any ways?)
- I make the connection from 5500G(1) to 5500G(2) and from 5500G(2) to 5500G(3) trunk with all VLANs tagged.
- I create VLAN + VLAN interfaces (without IP address) on 5500G(2) and 5500G(3)
- I assign VLANs to specific ports (untagged) on 5500G(2) and 5500G(3)
- I assign correct IP to PC then connect to the switches.

I should be able to ping from outside 5500G(2) and 5500G(3) to their inside VLANs. Correct?
 
If your Switch#1 has your VLAN interfaces, then you need to trunk these VLANs out to Switches #2 & #3, there's no reason to trunk them to the Server - the Server and Sw#1 already communicate via whatever subnet it is that connects them.
You probably need a default route on Sw#1 pointing at the Server?

Also, as the Server and Sw#1 are routers in your original VLAN, you need to be clear on what their respective routing interfaces are actually doing for the original subnet.

This is why I suggested not to try changing what you have now, but to design a solution and implement it without worrying about existing config which may or may not suit what you are trying to do.
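
The paper dry-run suggested in this thread, written out as an added example (not part of any poster's message and not taken from the 5500G manual): it walks a packet through the routing tables of Sw#1 and the Server using longest-prefix match and reports where it ends up. The 192.168.1.0/24 and 192.168.10.0/24 subnets come from the thread; the host addresses, the `isp` stand-in node and the Server's route back to the VLAN subnet are assumptions made for illustration.

```python
import ipaddress

N = ipaddress.ip_network

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, hop) for net, hop in table if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def trace(tables, start, dst, limit=8):
    """Follow next hops from `start`; return the node that delivers dst, or None."""
    node = start
    for _ in range(limit):
        hit = lookup(tables[node], dst)
        if hit is None:
            return None            # no route: dropped at this node
        if hit[1] is None:
            return node            # directly connected: delivered at layer 2
        node = hit[1]
    return None                    # hop limit reached: routing loop

def dry_run(sw1_default_route, server_route_to_vlan10):
    tables = {
        # Sw#1: one VLAN interface per subnet (interface addresses assumed)
        "sw1": [(N("192.168.1.0/24"), None), (N("192.168.10.0/24"), None)],
        # Server: LAN side plus a default route towards the ISP router
        "server": [(N("192.168.1.0/24"), None), (N("0.0.0.0/0"), "isp")],
        # "isp" stands in for everything outside the office
        "isp": [(N("0.0.0.0/0"), None)],
    }
    if sw1_default_route:          # default route on Sw#1 pointing at the Server
        tables["sw1"].append((N("0.0.0.0/0"), "server"))
    if server_route_to_vlan10:     # assumed: Server's route back to the new subnet
        tables["server"].append((N("192.168.10.0/24"), "sw1"))
    pc, server, outside = "192.168.10.50", "192.168.1.10", "203.0.113.5"  # constructed
    return {
        "pc->server": trace(tables, "sw1", server) == "sw1",
        "server->pc": trace(tables, "server", pc) == "sw1",
        "pc->outside": trace(tables, "sw1", outside) == "isp",
    }

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(flags, dry_run(*flags))
```

A ping only succeeds when both directions are `True`; NAT on the Server and the reply from outside are not modelled.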
 
Sorry for delay, I had to solve an unrelated problem.

I'm now back to this one. What I've done in the meantime:

- I duplicated the server and I'm using the copy as my own test environment. That way I'm sure of not breaking anything in the current set-up.

- My VLANs are working ok on my switch except for the fact that VLAN 1 (default) cannot ping any other VLANs. But the other VLANs can ping each other.

- The ports on the switch that haven't been given a VLAN ID (and therefore still on VLAN 1) can get DHCP from my server. I have not configured "int vlan 1".

- My other VLANs cannot contact my DHCP server. I have created scopes on the DHCP Server, I have added "udp-helper" to my switch and its VLAN interfaces, I enabled ip-forward broadcast and the link between the server and the switch is trunked to permit my VLANs.


I'm running in circles here, I have tried everything that I can think of to solve the DHCP problem but I now feel that I'm mixing everything up...
 