
SS3 4400 vlan nightmare

Status
Not open for further replies.

BigRedDog

IS-IT--Management
May 1, 2001
3
US
Thanks in advance for all who may be able to help.

I work for a NFP organization that spans 3 facilities and am charged with supporting over 7 other NFP orgs within those facilities. The requirement of supporting these other orgs is that they be provided with connectivity to our Internet connection and as a result to our smtp server for outgoing mail.

I currently have 2 4900SX switches and 9 4400 (combo of 24 & 48 port) switches. I went through setting up separate vlans only to find out that the "high end" 4400s don't support layer 3 switching. I set the port on which our internet firewall/router is connected to tagged members of each vlan only to find that this hoses anyone's ability to connect to the outside world.

I know it's a shot in the dark but was hoping someone may know something I don't or a CHEAP way of remedying this issue as I have a tremendous amount of money already invested and would like to avoid forking out any more than I have to.
 
You are correct, the 4400s are not layer 3 switches, but the 4900s are. I take it that the 4900s are the core switches. The 4900s are layer 3 switches; however, you need to ensure you have the layer 3 code on each of them to allow inter-vlan routing. This code can be downloaded from the 3Com website. Once you have done this and all the vlans are created on all the switches you are in a pos

I would suggest you create a separate vlan for your internet connection and create a port on one of the 4400s for the internet connection. Then simply add an IP interface for each vlan/subnet, configure the routing, and all should work well.

Ideally, assuming the 4900s are in the core, then you would have the internet gateway connected to one of these, but I notice you have the SX version so you have no copper ports. An investment that may be worth investing in would be a copper module for the 4900SX, but this is not an investment you need to make now, though the link between the 4900s and the 4400 with the internet connection may get congested.

It should all work quite nicely.

Oh and install Network Supervisor to manage it all.

I hope this helps.
 
Thanks Tim(?).

Am I to understand then that the base software I have, currently v3.0, does not include the layer 3 switching capabilities and that I have to load the Layer 3 switching software v2.55?

If that's the case no wonder I can't get it to work.

Thanks.
 
The version 3.00 software includes support for XRN, the distributed fabric system, in common with the 4050 and 4060 switches. You do not need this functionality. The 2.02 version software should be ok for your needs; however, I would check the release notes for subsequent versions in case there are any relevant bug/fixes. Btw, registering the software is a good idea; it will help get any support in future.

 
The firmware version I have loaded (came loaded) does support layer 3. Still can't seem to make it work. Here is a little more detail. Maybe someone can catch something I'm missing.


VLANID 2 - 4900 unit 1 as core connected to 4400 unit 1 via fibre. Port 4 on 4900 and port 49 on 4400, both ports tagged on default VLAN and VLAN 2. On 4400 unit 1 port 48 is untagged member of VLAN 2 which is connected to other organization's cable/dsl router.

VLANID 1 - (default) 4900 unit 1 all ports tagged members default vlan. 4900 unit 1 port 1 connected via fibre to 4400 unit 2 port 50. 4400 unit 2 port 49 connected via fibre 4400 unit 3 port 49. (all fibre connection ports tagged members of default vlan) 4400 unit 3 port 1 is internet gateway.

THEIR cable/dsl router connected to port 48 on 4400 unit 1 and has IP of 192.168.2.2/29. Gateway on THEIR router set to internet gateway address on 4400 unit 3 port 1 (192.168.1.2/24). IP interface 3 on 4900 unit 1 set to 192.168.2.4/29

What am I missing in this config? I have registered all units, have the 3com NS v4.0.1 SP2 loaded and it shows/reports no config errors. I'm still at a loss. I'm not going to disagree with anyone that I've got something configured wrong. I've just been looking at it for so long I don't think I would know what it was if it walked up and slapped me in the face.

?????
 
You seem to have an overly complex physical design. Is it not possible that one fibre can run from the 4900 to each of the 4400s?

e.g.

4900 p1 ---- 4400 unit 1 p49
4900 p2 ---- 4400 unit 2 p49
4900 p3 ---- 4400 unit 3 p49

This would make more sense unless there is a physical limitation on doing this.

If the 'other' organisation is in VLAN 2 I would suggest making the default gateway for their network the IP interface of VLAN 2 and the D/G of the 4900 the internet gateway. This becomes the model for the rest of the network. The VLAN IP address becomes the def gateway in each vlan. You will need to set up either static routes or a common routing protocol so their cable/dsl router knows the way to your network and internet gateway and vice versa.

I would put the internet gateway in its own VLAN if possible just for "good practice" and easy isolation should you get hacked. Oh, and not in the default gateway as this could provide hackers with access to your switch management.

I hope this helps.
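
An added example, not part of any post in this thread: a small Python audit of the addressing plan quoted above, checking that each device's default gateway is inside its own VLAN subnet and that internet-facing gear does not sit in the VLAN carrying switch management. The dictionary layout, the `management`/`untrusted` flags (which assume the default VLAN carries switch management), and the VLAN 3 subnet in the corrected plan are assumptions made for this example.

```python
import ipaddress

def audit(vlans, devices):
    """Return (name, issue) pairs for a VLAN/IP addressing plan."""
    findings = []
    for vid, v in vlans.items():
        net = ipaddress.ip_network(v["subnet"])
        rif = v.get("router_if")  # IP interface of the layer 3 switch in this VLAN
        if rif and ipaddress.ip_address(rif) not in net:
            findings.append((f"vlan{vid}", "router-if-outside-subnet"))
    for d in devices:
        v = vlans[d["vlan"]]
        net = ipaddress.ip_network(v["subnet"])
        if ipaddress.ip_address(d["ip"]) not in net:
            findings.append((d["name"], "ip-outside-vlan-subnet"))
        gw = d.get("gateway")
        # A host can only reach a next hop that is on-link, i.e. in its own subnet.
        if gw and ipaddress.ip_address(gw) not in net:
            findings.append((d["name"], "gateway-off-link"))
        # Internet-facing gear should not share the VLAN used for switch management.
        if d.get("untrusted") and v.get("management"):
            findings.append((d["name"], "untrusted-in-management-vlan"))
    return findings

# Addresses as described in the thread.
THREAD_VLANS = {
    1: {"subnet": "192.168.1.0/24", "management": True},
    2: {"subnet": "192.168.2.0/29", "router_if": "192.168.2.4"},
}
THREAD_DEVICES = [
    {"name": "internet-gateway", "vlan": 1, "ip": "192.168.1.2", "untrusted": True},
    {"name": "their-router", "vlan": 2, "ip": "192.168.2.2", "gateway": "192.168.1.2"},
]

# Plan following the last reply; VLAN 3 and 192.168.3.0/29 are constructed values.
FIXED_VLANS = {**THREAD_VLANS,
               3: {"subnet": "192.168.3.0/29", "router_if": "192.168.3.1"}}
FIXED_DEVICES = [
    {"name": "internet-gateway", "vlan": 3, "ip": "192.168.3.2", "untrusted": True},
    {"name": "their-router", "vlan": 2, "ip": "192.168.2.2", "gateway": "192.168.2.4"},
]

if __name__ == "__main__":
    for label, v, d in (("thread", THREAD_VLANS, THREAD_DEVICES),
                        ("fixed", FIXED_VLANS, FIXED_DEVICES)):
        print(label, audit(v, d) or "no findings")
```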
 