Reconfigure network from flat layer 2 to routing switch and VLANs.

Posted on 2010-11-16
Last Modified: 2012-05-10
I am charged with re-configuring a network that has moved from wireless modems to fiber optic.  VLANs for each remote site have been created to organize the network by location and function. A VOIP VLAN will span the entire network.  The traffic for the remote sites is being tunneled by a third party and terminates on Port 1 of an HP ProCurve 3500yl-48 routing switch.  The routing switch connects via Port 12 to a layer 2 top switch that connects to the firewall and other switches.  The top switch and all other switches not connected to the routing switch have co-mingled IP addresses ( and  All devices on those two segments are statically assigned.  DHCP has been implemented for the VLANs at the remote sites.  That is working fine.
Just recently I implemented VLAN 103 and found workstations with Windows 7 (192.168.103.x) can not stay connected to Outlook ( They continue to build sessions to a maximum and then error out.  A tracert from workstation to the email server fails to the count of 30.  A ping is returned in <1ms.  When I checked the other VLANs for traceroutes, I found they all fail at their gateways (192.168.xx.5).  The routing switch fails as well (  I've included information in attached files to help show current configurations.  I've also included the results of traceroutes from each VLAN top switch at the remote sites to the email server ( and another server (  The VLAN 103 switch is the only switch that is connected directly by fiber to the routing switch at Port 47.
I need another set of eyes to see if there is a misconfiguration or a better way of implementation.  
Question by:cityofpasco
LVL 12

Expert Comment

ID: 34160272
Hi cityofpasco,

First of all, thanks for the supplied .vsd. It helps a lot, but please name the switches (something like SW1, SW2, etc.). This way it is easier to know which switch we are talking about.

As a first suggestion you should change range to some 192.168.x.x range. You can find explanation here:
Pay attention to following paragraph: Addresses from this range SHOULD NOT be used  as an alternative to the private IPv4 address ranges assigned by the IETF in the Best Current Practice document, RFC 1918.

Second, try to have 1 IP range = 1 VLAN; it will simplify communication and we will be able to troubleshoot more easily.

A few questions to clarify the situation:
Is your topology now the same as the Goal topology?
Who has the address
Please provide routing tables from firewall and 3500 switch.

Thanks in advance!


Author Comment

ID: 34160673
Thank you for responding to my question.  I have modified the .vsd and attached it for your review.  Please note the Current topology has a layer 2 switch (SW2) between the routing switch (SW1) and the Firewall.  My intent is to remove that and make it a subordinate to the routing switch. The Goal .vsd depicts that.

As far as the address range goes, I have inherited this network and it is my intention to move as many devices off this segment and onto the 192.168.xx.xx/24 with this redesign.  There are numerous AD, DNS, DHCP, and WINS servers on the segment and by moving workstations and other devices first onto DHCP and new 192.168.xx.xx segments, it will be easier to configure through the scopes any changes in those all important functions.  Right now every workstation is statically assigned and a person must touch each one to make any changes.  

I had included a rough .xls spreadsheet with my original question submission.  Did you not see it there?  I will attach it again for your review.  It has Firewall and switch information as well as traceroutes and pings results.
LVL 12

Expert Comment

ID: 34166317

Thanks for the clarification. Sorry, I missed the routing info in the .xls.

If I understood correctly, the first 24 lines in the .xls are for the firewall, and lines 26 to 48 are for SW1. Correct me if I'm wrong.

OK. Traceroute probably fails because of the firewall. By default, firewalls do not allow traceroute. You probably already checked that, but I'm trying to cover every possible place for the problem. As far as I can see, all traceroute attempts are failing after the first hop, and the second hop is the firewall.

The simplest solution I can see is to disconnect SW2 from the firewall, connect SW1 directly to the firewall, and transfer all routing to SW1. Only the default route should point to the firewall.
This scenario will be the most efficient transient solution to achieve the goal topology.

The result of this transient solution will be the elimination of the firewall as a source of problems, and it will simplify routing troubleshooting.

The same effect, without physical reconnection, can be achieved by putting an IP address on VLAN1, so all the routing between VLANs will be done on SW1.

I hope this helps, keep me informed about progress, so we can troubleshoot further.


Author Comment

ID: 34166890
Thank you for your explanations.  Yes, you are correct on the .xls lines of information for firewall and SW1.

I have a question about your suggestion regarding VLAN1.  What IP address would I use?  How does the routing get moved over to SW1 without disconnecting the and devices?  VLAN 99 and VLAN100 do not have any members yet because of STP.  


LVL 12

Accepted Solution

Fidelius earned 500 total points
ID: 34168974

You can add two IP addresses to VLAN interface. I think it is something like this:
3500# vlan 1 ip address
3500# vlan 1 ip address

In this example I used .254 as the host address. You can use whichever is available.

You will just need to set the default gateway on the hosts to the addresses set above. Try it first on the hosts used in the traceroute commands. This setup will not affect hosts which have the firewall as their default gateway.
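
The gateway change described in the accepted answer can be audited before hosts are touched. The following is an added example, not part of the original thread: it classifies each statically addressed host by where its default gateway will send traffic once VLAN 1 carries two addresses on the routing switch. All addresses, host names and the firewall address are constructed placeholders, because the thread's real ranges are not shown on the page.

```python
import ipaddress

# Constructed stand-ins for the two co-mingled legacy segments (real ranges not on the page).
SW1_VLAN1 = ["192.0.2.254/24", "198.51.100.254/24"]  # two addresses on VLAN 1, .254 as in the answer
FIREWALL = ["192.0.2.1"]                              # assumed legacy default gateway

# Constructed static host inventory: (name, address/prefix, configured default gateway)
HOSTS = [
    ("ws-01",   "192.0.2.20/24",    "192.0.2.254"),
    ("ws-02",   "198.51.100.31/24", "198.51.100.254"),
    ("mail",    "192.0.2.10/24",    "192.0.2.1"),
    ("printer", "198.51.100.40/24", "192.0.2.254"),
    ("kiosk",   "198.51.100.50/24", "198.51.100.1"),
]

def audit(hosts, switch_ifaces, firewalls):
    """Return {host: status} describing where each host's default gateway points."""
    sw_ips = {ipaddress.ip_interface(i).ip for i in switch_ifaces}
    fw_ips = {ipaddress.ip_address(f) for f in firewalls}
    report = {}
    for name, addr, gw in hosts:
        host = ipaddress.ip_interface(addr)
        gateway = ipaddress.ip_address(gw)
        if gateway not in host.network:
            status = "off-link gateway"      # gateway is not in the host's own subnet
        elif gateway in sw_ips:
            status = "routed by switch"      # inter-VLAN traffic stays on the routing switch
        elif gateway in fw_ips:
            status = "routed by firewall"    # unchanged by the VLAN 1 addresses
        else:
            status = "unknown gateway"       # on-link, but neither switch nor firewall
        report[name] = status
    return report

def uncovered_subnets(hosts, switch_ifaces):
    """List host subnets that have no matching address on the switch's VLAN interface."""
    covered = {ipaddress.ip_interface(i).network for i in switch_ifaces}
    used = {ipaddress.ip_interface(a).network for _, a, _ in hosts}
    return sorted(str(n) for n in used - covered)

if __name__ == "__main__":
    for host, status in audit(HOSTS, SW1_VLAN1, FIREWALL).items():
        print(f"{host:8} {status}")
    print("uncovered:", uncovered_subnets(HOSTS, SW1_VLAN1))
```

Hosts reported as "off-link gateway" or "unknown gateway" are the ones to correct first; a mixed-up gateway between the two co-mingled ranges is easy to introduce when every workstation is configured by hand.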


Author Comment

ID: 34169425
Thank you for explaining and now that I see it, I understand.  Thank you for taking time to look this over for me.  I am going to accept your answer and close the issue now.

Go in peace.
