
Re: Help configuring Routes on HP 3500 switch

 
John_796
Occasional Advisor

Help configuring Routes on HP 3500 switch

I'm hoping somebody can help me out. Our company is switching over to a new network and we need to set up some new routing and it's not working.

What we have is Internet that comes into Office A and distributes Internet to Office B, C & D. Right now we have an HP 3500 Switch set up with VLAN 2, 3, 4 & 5 (1 is the default setup to reach the Internet). Internet comes in on #2 then goes out #3 to our Firewall. From the firewall it reaches our switches and the rest of the network, etc. The problem we have is if office C comes in through #4 to reach the Internet, instead of going out #5 to a switch, then to the Firewall and #3, it goes directly to #2 and out to the Internet (meaning it bypasses our switches and firewall). We attempted to add a 2nd metric but can't figure out how to (we don't want to use RIP or OSPF). We did try using ACLs but they just block 2-3 from talking to 4-5. They don't tell #5 the route to reach our firewall.

Anybody know how I can successfully set this up? I'm sorry if I just confused everybody but I tried to explain it best I could.

Thanks
10 REPLIES
cenk sasmaztin
Honored Contributor

Re: Help configuring Routes on HP 3500 switch

Please send me 3500 switch sh run print
cenk

Pieter 't Hart
Honored Contributor

Re: Help configuring Routes on HP 3500 switch

Your description of the VLAN and routing configuration is very confusing.
The "show run print" as Cenk requests will help.

Possibly the 3500 has a default route to the Internet; it should be to the local port of the firewall.

VLAN 2 is only used to connect port #2 and #3 between the Internet and the firewall?
If so, the switch does not need an IP address on this VLAN to access the Internet directly.

Why should office C need to be routed to your "switches" first and then to the firewall?
The 3500 is also a switch and can route data to the local port of the firewall on the right VLAN/subnet.

John_796
Occasional Advisor

Re: Help configuring Routes on HP 3500 switch

I will get that for you as soon as I can. To try and clarify I will see if I can explain it better.

The 3500 switch is outside our firewall. So Internet comes into our office A on VLAN 2, then it goes out to our Firewall on VLAN 3. From VLAN 3 it goes to our switches etc...
Our WAN comes into Office A on VLAN 4 then goes out to our switches / servers on VLAN 5. The problem we have is, if anybody on our WAN requests Internet it comes in on VLAN 4 then hops across to VLAN 2 and goes out to the Internet, therefore bypassing our Firewall. The reason the other offices need to reach a switch (if we are doing this right) is so that they come in on VLAN 4 - go out of VLAN 5 to a switch and then pass through the Firewall to reach the Internet. I hope that makes more sense?
Pieter 't Hart
Honored Contributor

Re: Help configuring Routes on HP 3500 switch

So there is your problem!
The 3500 routes between VLAN 2 and VLAN 3
to connect the Internet to the firewall.

Coming from offices B, C & D you route to the 3500 (as default route?).
And the 3500 has Internet as the default route (basically only for the firewall).
So also from other VLANs known on the 3500 (your WAN) it knows the route to the Internet and takes the direct path.

What you need to do is separate traffic between firewall and Internet from the router inside the 3500 that routes your WAN!
I don't think you can do that in a manageable way with a single 3500 and a default route to the Internet.
You can't configure a default route from the WAN to the firewall AND from the firewall to the Internet on the same 3500.

A working solution could be
- connect the outside interface of the firewall directly to the Internet either physically or through a single VLAN (not two VLANs).
- NOT let the 3500 route to the Internet but to the inside interface of the firewall.
- configure the firewall to communicate directly with the outside router.

In this case the connection between the firewall and Internet is on layer-2 (switching) not layer-3 (routing), and the firewall in fact connects directly to the Internet (the switch just connects the two cables from firewall and Internet).
And the router (inside the 3500) only routes from WAN to local network.
John_796
Occasional Advisor

Re: Help configuring Routes on HP 3500 switch

Thank you for your response Pieter 't Hart

In reading what you posted it appears we will need more equipment to make this work. Since our Internet & WAN is direct Ethernet hand off we were trying to use the 3500 switch to route everything for us (Internet and WAN). Then we hit the snag of the default routes and couldn't figure out how to set a 2nd default route to our network. We currently don't have a router set up in the office, just the switch and the firewall. So we'll either need to get an Ethernet card for our router or buy a 2nd 3500 switch.

Thanks again for your help
Pieter 't Hart
Honored Contributor

Re: Help configuring Routes on HP 3500 switch

I made this diagram of what I see as the current situation and what could be a solution with only a single 3500.
John_796
Occasional Advisor

Re: Help configuring Routes on HP 3500 switch

I don't see the diagram, or how I can get it?
Pieter 't Hart
Honored Contributor

Re: Help configuring Routes on HP 3500 switch

Attached the file, but it was not uploaded somehow;
will try again with this post.
John_796
Occasional Advisor

Re: Help configuring Routes on HP 3500 switch

I attached a drawing of what we need. Basically the traffic needs to follow the lines as in your drawings.


A question my boss had was

Can we have a null route that says "if destination is not 10.1.0.0 / 0 then go to 10.1.1.1 "
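
The destination-only lookup discussed in this thread, as an added example that is not part of any post: a small Python model of a single routing table, showing why a WAN client arriving on VLAN 4 follows the switch's default route straight out VLAN 2, and how a default route toward the firewall (the "everything else goes to 10.1.1.1" rule asked about in the last post) changes the result. All prefixes, the ISP gateway address, and the role of 10.1.1.1 as the firewall's inside interface on VLAN 5 are constructed assumptions.

```python
import ipaddress

FIREWALL_INSIDE = "10.1.1.1"   # assumption: firewall inside interface, reached via VLAN 5
ISP_GATEWAY = "198.51.100.1"   # constructed ISP next hop on VLAN 2

def route(prefix, next_hop, vlan):
    return (ipaddress.ip_network(prefix), next_hop, vlan)

def lookup(table, dst):
    """Longest-prefix match on the destination only.

    The ingress VLAN is not an input: a packet from the WAN (VLAN 4) and a
    packet from the firewall (VLAN 3) get the same answer for the same dst.
    """
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r[0]]
    if not hits:
        return None
    _, next_hop, vlan = max(hits, key=lambda r: r[0].prefixlen)
    return next_hop, vlan

# Current layout (constructed): the switch has IP interfaces on VLAN 2 and 3
# and its one default route points at the ISP.
CURRENT = [
    route("198.51.100.0/30", "connected", 2),  # Internet hand-off
    route("192.0.2.0/29", "connected", 3),     # firewall outside
    route("10.4.0.0/16", "connected", 4),      # WAN
    route("10.1.0.0/16", "connected", 5),      # switches / servers
    route("0.0.0.0/0", ISP_GATEWAY, 2),
]

# Proposed layout (constructed): Internet <-> firewall outside is one
# layer-2 VLAN with no switch IP, so the switch routes only WAN and LAN,
# and everything else goes to the firewall inside interface.
PROPOSED = [
    route("10.4.0.0/16", "connected", 4),
    route("10.1.0.0/16", "connected", 5),
    route("0.0.0.0/0", FIREWALL_INSIDE, 5),
]

def bypasses_firewall(table, dst):
    """True if dst is forwarded to a next hop other than the firewall."""
    hit = lookup(table, dst)
    return hit is not None and hit[0] not in ("connected", FIREWALL_INSIDE)

if __name__ == "__main__":
    for name, table in (("current", CURRENT), ("proposed", PROPOSED)):
        for dst in ("203.0.113.10", "10.1.20.5"):  # Internet host, LAN host
            print(name, dst, lookup(table, dst), bypasses_firewall(table, dst))
```
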