Solved

Default Gateways on Cisco Switches

Posted on 2007-03-27
804 Views
Last Modified: 2010-04-17
I have a Cisco 3500 switch connected to a Cisco 2600 router. Initially, the switch did not have a default gateway set but the switch could still ping the 2600 router. Then, as a test, we set a wrong default gateway on the switch (ip default-gateway x.x.x.x) to see if the switch could still ping the router - and it could. No matter what default gateway address we put in the switch, we could still ping the router and beyond the router to any device on our network.

I believe that the switch can ping the router (despite the wrong default gateway settings) because they are directly connected and are communicating via Layer 2.

Am I correct?

Also, what is the purpose of the "default-gateway" command if the switch can still see the default gateway (router) regardless of what default gateway IP address you give it?
Question by:COE-IT
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 18802873
The purpose of the default gateway is to allow remote management across a large network, through many routers.
You can access any system on the same IP subnet without a DG set, but you cannot ping anything on any other ip subnet without the gateway setting.
If your switch is a 3500XL, then the only purpose for having an IP address at all is to manage the switch, and the only purpose for the DG is to be able to manage it from a different IP subnet/location.
 
LVL 1

Author Comment

by:COE-IT
ID: 18804016
In both scenarios (without a DG defined and with a wrong DG defined on the 3500XL switch) I was able to ping a different subnet from the switch.

I agree with you that the only reason to have the switch IP defined is for remote management. But why was I able to ping a different subnet as I mentioned above? I'm confident that the reason is because the switch found the router via layer 2 (since they are directly connected) and the router was able to pass the ping along from there. Do you disagree?
 
LVL 79

Expert Comment

by:lrmoore
ID: 18804213
Is there any ip route statement? It could override the DG statement. It should not be able to communicate with a different IP subnet without the proper default gateway assigned. I don't think it has the intelligence for gateway discovery, but I guess ARP could happen if the router had the foreign IP in its own local cache. Did it get its IP address by DHCP, or was it manually configured?

 
LVL 2

Expert Comment

by:rrb31337
ID: 18805081
Your 3500 will not ping another subnet without the correct default gateway.  This is the purpose of the router - to forward packets at Layer 3.

Contrary to what another poster mentioned, there are no such things as 'ip route' statements on any of the 3500 series switches, and there is no way to obtain an IP via DHCP.  If you're "pinging another subnet" without the router's IP as your default gateway, then I'd contend that you're not really pinging "another subnet" at all, what you're pinging is in the same subnet.  I'm envisioning a scenario where the router and 3500 are, for example, 10.0.0.1 and 10.0.0.255 and you're pinging 10.0.1.1 or similar with a very broad mask, i.e. something less specific than 255.255.255.0.  In that case you have the target host in the same Layer 2 domain and obviously no routing is taking place.  If that doesn't make any sense, take the router out of the equation and see for yourself.

If you take the router out of the equation, putting the target IPs that you claim are "beyond the router" in the same Layer 2 domain and it stops routing as you claim it does now, then your router is likely doing proxy ARP.  You can test that theory with "no proxy arp" on the relevant interfaces in the router.  When you deny proxy arp in the router, the 3500 should stop pinging those targets you say are "beyond the router".  Hope that makes sense.

 
LVL 1

Author Comment

by:COE-IT
ID: 18805418
rrb31337 is right, we have no "ip route" statements on our 3500 switches, and I don't believe it's possible to do so on those switches.

Also, all of our network gear is manually IP assigned, no DHCP running.

rrb31337 - To reiterate your example, if I ping 10.0.1.1 255.255.255.0 from 10.0.0.1 255.255.255.0.......I am pinging a device on a different subnet. It sounds like you are trying to say that these IP addresses are on the same network.

Thanks for the information on Proxy ARP, I read about it and it sounds like it's the reason I can ping these devices on different subnets. I will try disabling Proxy ARP to see if I can still ping the same device on the other network.
 
LVL 79

Expert Comment

by:lrmoore
ID: 18805510
>there are no such things as 'ip route' statements on any of the 3500 series switches,
This is absolutely not true. The 3550 is a L3 switch and most certainly does have ip route statements.

COE-IT, you can also test the theory if you try to ping any other IP address on any other network that is not also directly connected to the router. It should certainly fail because the router probably won't have it in the ARP cache.
 
LVL 2

Accepted Solution

by:
rrb31337 earned 125 total points
ID: 18805554
COE-IT>To reiterate your example, if I ping 10.0.1.1 255.255.255.0 from 10.0.0.1 255.255.255.0.......I am
COE-IT>pinging a device on a different subnet.

In the example you cited, yes, you're certainly pinging IPs on different subnets.  I figured you might have had a mask like 255.0.0.0, in which case they'd be on the same subnet.  My money is now on proxy-arp.

lrmoore>The 3550 is a L3 switch and most certainly does have ip route statements.

I'm persuaded that because COE-IT is talking about router<>switch, his "3500" is actually a 3500XL; this family of switches is not the same as the 3550, both in Cisco's eyes and in mine, for obvious reasons.  It's been my experience that when someone says "3500", they mean i.e. 3524-XL-EN, as opposed to simply saying "3550".  It's all about semantics though.
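The two explanations the thread settles on (a mask wide enough to put the "other subnet" on the same wire, and the router answering proxy ARP for off-link targets) can be checked with a small model. The Python below is an added example, not code from the thread or from Cisco: the addresses (switch 10.0.0.1/24, router 10.0.0.254/24 and 10.0.1.254/24, a static route to 10.0.2.0/24) and the router MAC are constructed, and the assumption that a switch with no gateway configured ARPs for the off-link destination itself is a modelling choice, not a documented 3500XL behaviour. The router side follows the usual proxy ARP rule: reply only when the target is routed out an interface other than the one the request arrived on.

```python
"""Model of the on-link check, default gateway choice and proxy ARP discussed above."""
import ipaddress

ROUTER_MAC = "00:00:0c:aa:bb:cc"   # constructed value for the router's LAN interface


def same_subnet(ip_a, ip_b, mask):
    """rrb31337's point: whether two addresses share a subnet depends on the mask."""
    return (ipaddress.IPv4Interface(f"{ip_a}/{mask}").network ==
            ipaddress.IPv4Interface(f"{ip_b}/{mask}").network)


class Router:
    """A router with directly connected subnets plus optional static routes."""

    def __init__(self, interfaces, routes=(), proxy_arp=True):
        # interfaces: "ip/prefixlen" strings; routes: (network, next_hop_ip) pairs
        self.interfaces = [ipaddress.IPv4Interface(i) for i in interfaces]
        self.routes = [(ipaddress.IPv4Network(n), ipaddress.IPv4Address(h)) for n, h in routes]
        self.proxy_arp = proxy_arp            # 'ip proxy-arp' vs 'no ip proxy-arp'

    def _iface_on(self, segment):
        """The router interface attached to a given IPv4Network, if any."""
        for iface in self.interfaces:
            if iface.network == segment:
                return iface
        return None

    def _egress_for(self, target):
        """Routing lookup: connected subnets first, then static routes."""
        for iface in self.interfaces:
            if target in iface.network:
                return iface
        for net, next_hop in self.routes:
            if target in net:
                for iface in self.interfaces:   # resolve the next hop to an interface
                    if next_hop in iface.network:
                        return iface
        return None

    def arp_reply(self, segment, target):
        """Answer an ARP 'who-has target' heard on `segment`.

        Returns the MAC the router replies with, or None if it stays silent.
        """
        target = ipaddress.IPv4Address(target)
        ingress = self._iface_on(segment)
        if ingress is None:
            return None                       # not attached to that segment at all
        if target == ingress.ip:
            return ROUTER_MAC                 # ordinary ARP for the router's own address
        if not self.proxy_arp:
            return None                       # proxy ARP disabled: never answer for others
        egress = self._egress_for(target)
        if egress is not None and egress is not ingress:
            return ROUTER_MAC                 # proxy ARP: target is routed out another port
        return None


class Switch:
    """A Layer 2 switch with a management IP and no routing table (3500XL-style)."""

    def __init__(self, ip, mask, default_gateway=None):
        self.iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        self.default_gateway = default_gateway

    def arp_target(self, dst):
        """Which address the switch sends 'who-has' for before pinging dst."""
        dst = ipaddress.IPv4Address(dst)
        if dst in self.iface.network:
            return dst                        # on-link: ARP for the host directly
        if self.default_gateway is None:
            return dst                        # assumed: no gateway, so ARP for dst anyway
        return ipaddress.IPv4Address(self.default_gateway)

    def arp_resolves(self, router, dst):
        """True if the router answers the ARP the switch sends on the way to dst."""
        return router.arp_reply(self.iface.network, self.arp_target(dst)) is not None


if __name__ == "__main__":
    # Constructed lab: the router is dual-homed and has one static route.
    for proxy in (True, False):
        router = Router(["10.0.0.254/24", "10.0.1.254/24"],
                        routes=[("10.0.2.0/24", "10.0.1.1")], proxy_arp=proxy)
        for gw in (None, "10.0.0.254", "10.0.0.77"):
            sw = Switch("10.0.0.1", "255.255.255.0", gw)
            print(f"proxy-arp={proxy} gateway={gw}: "
                  f"10.0.1.1 -> {sw.arp_resolves(router, '10.0.1.1')}, "
                  f"10.0.2.5 -> {sw.arp_resolves(router, '10.0.2.5')}")
```

Running it shows the test rrb31337 proposes: with proxy ARP on, the switch's ARP for an off-link target is answered whether or not a gateway is configured; with `no ip proxy-arp` on the router's LAN interface only the correct gateway still resolves. A wrong gateway that nobody on the segment owns resolves in neither case, and a target the router has no route to is never proxied.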
 
LVL 79

Expert Comment

by:lrmoore
ID: 18816262
WTF?