Link to home
Start Free TrialLog in
Avatar of nicholsj

asked on

VLANS and routing


We have 6 sites all connected to a central office via fibre.  All incoming connections come into one layer 3 switch (3com 4050).  There are vlans setup and routing on the switch accordingly (1 IP per site, every sites default router is this switch with the ip from their subnet).

There is one exception... one of the sites comes off of another site(Site A) and does not have a direct link back to this switch.  To get connectivity to this site, fibre is ran from Site A to the other site (Site B).  We have a vlan swich set up at Site B (3com 4500) with 2 vlans one with an IP from Site A, and one from Site B.  The routing table is on the switch at site B and seems to route traffic fine.  The default router for Site B is set to the IP address of the 4500 with the Site B IP, the routing table on the 4050 switch is set to route traffic to Site B via the Site A IP.

All seems to work just fine (internet and network connectivity), and all traffic seems to be routing like it should... except for a few odd things.  I am unable to publish ip addresses from the Site B subnet to the external network.  Our external firewall will not allow incoming traffic (explicitly allowed) to come into the Site B network, and we use a program for our Library system (Follett) that looks up MARC records online.  It will not function on the site B subnet... it says something about the port access not allowed, but i have no deny rules at all on the switch.

I am confused at why most everything works just fine, but these few oddities are giving me problems.  Thanks for any assistance.
Avatar of JFrederick29
Flag of United States of America image

Does your Firewall have a route to the Site B subnet via the 4500?
you might need to put a static route on the 3COM 4050 switch to Site B since networks are connected ot it and the VLANS are routed from there. Do you have default route configured on there as well? ?I would assume that yuou made the default route the firewall ip address, if this is the case then putting a route on the 3COM 4050 switch should help. I am not familiar with the 3COMs configurations for VLANs but if its the same as cisco, the static route would do the trick.
Avatar of nicholsj


I checked this and the firewall has a route to Site B subnet via the 4050 which has a route to Site B.  The Firewall is at the main office location and has a default route to the internet, with static routes to all the sites via the 4050.  Also, from the firewall, you can ping to Site B without any problems.
Sorry, my comment should have been:

Does your Firewall have a route to the Site B subnet via the 4050?
Avatar of JFrederick29
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Yes there is a static route on the 4050 switch to Site B via the 4500 IP on the Site A subnet.
it sounds like you need to open a port on the firewall to allow the specific traffic to site B. do you have one of those firewalls, where you can identify the networks and allow certain service or protocols to them? If this is the case you will need to identify the port(s) required for the application and open them. Care to share your firewall name/device?
Ok, there was not a default route on the 4500 switch.  Only the static ones to our internal network sites.  But this still did not resolve the issue, and we were able to get out to the internet before putting in a default route.  ??? strange.  and the error message about follett is "cannot open socket"  

Yes we have specific NAT rules.  and i forgot that one of the other issues is... We have a DHS worker here on site who needs to VPN into their system.  We have many of these configurations, and i usually make an ALL allow rule on the firewall to the static IP address (internally) for the DHS machines.  This works perfectly at all sites except for SITE B.

Our Firewall is Novell Border Manager
Ok i think i know why the internet traffic worked without a default route... the Firewall is a proxy also and all browsers must have the proxy configured in the browser to work.  So i am assuming the proxy makes the request out to the internet.
mmmm!!!!  What does your default route look like on the 4050? can you remove the proxy on one of the client machine from subnet a and b and try to browse. ensure that you have the dns and default gateway configured on the machines, whether static or dhcp. I would also like you to verify if you can do a ping to a external ip and s tracert to an external ip on the inside network on subnet a and b. i hope i put this clear as i am troubleshooting some issues here with GFI and my brain is sort of let me know when you encounter difficulties.
Duh.... the default route fixed the problem.  I never noticed because internet traffic works, but it was only working because of the proxy.  Any internet traffic coming or going outside of the proxy was failing.  No that there is a default route everything works like it should.  Thank you both for your time and efforts.  Sorry that i missed something so simple. :)
That is the default route on the 4500...
Thanks for your assistance, sir.  Glad to have this figured out.  :)