Switches, Hubs, and Modems
Showing results for 
Search instead for 
Did you mean: 

Setting up Layer 3 VLAN routing

New Member

Setting up Layer 3 VLAN routing

We have three physically separated locations. We just connected them via an AT&T CSME or Opt-E-Man. It’s fiber, but what AT&T provides is a port on an AT&T owned HP Switch in the MPOE. We then plug our switches into the AT&T switch.

We have several VLANS on each switch: Default, 100, 103, 108, 111, 120

We’ve made the connection between sites by connecting ports tagged for all VLANS on our switches to the AT&T switches. The issue is AT&T. They limit the number of MAC addresses on each of the Opt-E-Man ports.

To prevent AT&T from seeing all the MACs on each side of the Opt-E-Man we need to set the switches to route all the VLANS on layer 3. Then all AT&T sees are the MACs of the three connected switch ports.

This is new territory for us, but probably very simple to others. Can anyone provide an example of how this is set up? We have HP Procurve 2650’s at the two remote sites and an HP Procurve 5304xl at the main location. The default gateway for all the VLANS is on a SonicWall NSA E-6500 at the main site. Each VLAN has a physical port on the SonicWall. VLAN 108 is passing VOIP traffic.

It’s working, however we have too many MAC addresses for AT&T – they can solve the issue, it just cost 5 bucks a month for each additional MAC.


K Conde
Sutter County Schools
Trusted Contributor

Re: Setting up Layer 3 VLAN routing

Hi, Kevin !

First you should choose a device to be a router.
To allow ip routing at the chosen device you need to enable it :
#no default-gateway
#ip routing

Then to enable static ip routing between VLANs you need to set up ip interfaces for those VLANs :
#vlan 777
#ip address
#vlan 999
#ip address
You may need to add a default route:
#ip routing .....
Do not forget to add a default gateway on devices connected to your network pointing to ip address of the appropriate vlan.

Good luck,

Re: Setting up Layer 3 VLAN routing

It's a bit complicated but I give it a try.
I assume the sonicwall to be at the main location as the 5304xl is.

Configure the 5304xl to use 'ip routing' and configure the default gw IP's (which currently are configured on the sonicwall) on each vlan on this core switch. You will lose connection to the sonicwall but I will get back to that later.

Then, you will have to define for both remote sites (not being the main site) new IP-block's for EACH vlan including of course new default gw's for these vlan's. Configure these default gw addresses on the vlan's on the 2650's (after also configuring 'ip routing' on them).

Then, define a new vlan and call it 'routing vlan'. Configure this vlan on all switches on the port connected to AT&T and to the sonicwall. Give the switches and the sonicwall new IP-addresses all in the same IP-block.

At last, configure static routes on all swithces and the sonicwall to each other using the 'routing vlan ip address' as destination. Or use RIP if all systems support it.

On both remote sites you will have to renumber all hosts,.. but if you use DHCP just configure 'ip helper-address' on each vlan towards your DHCP server and allow the DHCP server to serve the IP-addresses.

As I already noticed,.. not an easy task but it could be done.

Hint: when you use link-keepalive on each AT&T port, the port will shut down when AT&T mis configures their network. This is very useful if you can afford another E-MAN from another company as backup.