default gateway best practice

This is what I have in one vlan:


The default gateway (DG) for all switches is pointing to the FW. What is the default gateway configuration best practice? In other words, should I have SW4's DG as SW3, SW3's DG as SW2, SW2's DG as SW1, and SW5's DG as SW2?

pergr commented:
If you use only a PC on the internal network to login to the switches, then that PC is on the same subnet as the switches - so you do not need the DG.

The DG is only used to send packets outside the subnet.

For example, assume your subnet is (same as
All your switches' IPs are 192.168.1.x and your management PC is 192.168.1.y.

Your subnet is all IPs between to
This means your PC is within the subnet, so the DG is never used.

For the record, the IP address of the switches is only used for management, and not for forwarding user traffic.
Tapan Pattanaik (Senior Engineer) commented:
Hi biggynet,

Spanning-Tree Cisco Enhancements

Q-in-Q Tunneling:

Private Vlans – Control Plane/Data Plane:

Cisco LAN Switching Fundamentals: Configuring Switches:
Neil Russell (Technical Development Lead) commented:
FW as DG is fine, but your switch config has no redundancy at all if that diagram is to be believed. What happens to your network if SW2 dies?

Would be better (for redundancy and capacity) to have all switches connected directly to SW1.
pergr commented:
Default GW is fine.

If you can buy more hardware, get a redundant "stack" as SW1, like the Juniper EX virtual chassis.
biggynet (Author) commented:
Taking the redundancy design out of it, is having the DG as the FW the best practice? Thanks
pergr commented:
With all 4 switches in the same subnet, the DG is only used when you want to go outside the subnet - which is outside the firewall. Hence, it is perfectly fine to have the DG on the FW.

This assumes you have a single subnet on your network.
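The rule pergr states twice above (the DG is consulted only for destinations outside the local subnet) is easy to check mechanically. The following is an added example, not code from the original thread or from any of its participants: it takes a host's own address and prefix length, a destination, and an optional default gateway, and returns which next hop the host would use. The 192.168.1.x addresses follow the thread's placeholder numbering; the /24 prefix, the firewall address 192.168.1.1 and the off-subnet monitoring host 10.0.0.5 are constructed for the example and are not from the page.

```python
import ipaddress

# Constructed sample addressing (assumption, not from the thread):
# the management VLAN is 192.168.1.0/24, the firewall's inside
# interface is 192.168.1.1, and an NMS lives off-subnet at 10.0.0.5.
SWITCH_MGMT_IP = "192.168.1.10"
PREFIX_LEN = 24
MGMT_PC_IP = "192.168.1.50"
FIREWALL_IP = "192.168.1.1"
OFF_SUBNET_NMS_IP = "10.0.0.5"


def next_hop(src_ip, prefix_len, dst_ip, default_gateway=None):
    """Decide how a host at src_ip/prefix_len reaches dst_ip.

    Returns (hop, reason):
      ("direct", ...)  dst is on-link: the host ARPs for dst itself and the
                       default gateway is never consulted
      ("<gw ip>", ...) dst is off-link: the frame is sent to the gateway's MAC
      (None, ...)      dst is off-link but no usable gateway exists, so the
                       packet cannot leave the subnet
    """
    local_net = ipaddress.ip_interface(f"{src_ip}/{prefix_len}").network
    dst = ipaddress.ip_address(dst_ip)

    if dst in local_net:
        return ("direct", f"{dst} is inside {local_net}: deliver on-link via ARP")

    if default_gateway is None:
        return (None, f"{dst} is outside {local_net} and no default gateway is set")

    gw = ipaddress.ip_address(default_gateway)
    # A gateway the host cannot ARP for is as good as no gateway at all.
    if gw not in local_net:
        return (None, f"default gateway {gw} is not inside {local_net}: misconfigured")

    return (str(gw), f"{dst} is outside {local_net}: forward to {gw}")


def reachability(src_ip, prefix_len, default_gateway=None):
    """Summarise, for each constructed destination, whether the switch's
    management address can reply at all, with and without a DG."""
    return {
        dst: next_hop(src_ip, prefix_len, dst, default_gateway)[0] is not None
        for dst in (MGMT_PC_IP, FIREWALL_IP, OFF_SUBNET_NMS_IP)
    }


if __name__ == "__main__":
    for gw in (None, FIREWALL_IP):
        print(f"default gateway = {gw}")
        for dst in (MGMT_PC_IP, FIREWALL_IP, OFF_SUBNET_NMS_IP):
            hop, why = next_hop(SWITCH_MGMT_IP, PREFIX_LEN, dst, gw)
            print(f"  to {dst:<14} -> {str(hop):<14} {why}")
```

Running it shows the practical consequence for management traffic: a switch with no DG can still be reached from any host in 192.168.1.0/24, but it cannot send replies, syslog, SNMP traps or NTP to 10.0.0.5 even though it received the request, because the return packet has no next hop. Whether that is a problem or a useful restriction depends on whether anything outside the firewall should ever talk to the switches.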
Akinsd (Network Administrator) commented:
The default gateway is the gateway to exit a subnet.
The gateway is always the non-switching interface that a subnet is connected to, physically or virtually.
If you have layer 3 switches, you can configure interface vlans and use it as gateways for respective vlans created.

In your case, if all the switches are Layer 3 with no interface vlan, or Layer 2 switches, the only gateway you will have is the interface on the FW that connects to SW1 (Assuming all switches belong to the same vlan since you did not indicate how many and where vlans are configured).

In layman's terms
Imagine a house with multiple rooms and a main front door. The only way anyone in any room can go on the street is to exit through the front door.

In other words, there is no best practice per se (with exceptions for interface VLAN configurations).

Hope this helps
biggynet (Author) commented:
one vlan... one subnet...
Akinsd (Network Administrator) commented:
Then your ONLY gateway is the FW interface connecting to SW1 in this scenario
Actually, you do not even need to configure any DG..., but the FW is fine.
biggynet (Author) commented:
Why is DG not necessary?
I assume you are connecting to the switches only from within your own subnet - for management, statistics, etc.

Only if the switch needs to make a connection outside the firewall, or if you connect to the switches from outside, do you need any DG on them.
biggynet (Author) commented:
Sorry, but I don't understand your reply.