Solved

default gateway best practice

Posted on 2013-02-04
14
605 Views
Last Modified: 2013-02-05
This is what I have in one vlan:

FW<-->sw1<-->sw2<-->sw3<-->sw4
                         |
                        sw5

The default gateway (DG) for all switches is pointing to the FW. What is the default gateway configuration best practice? In other words, should I have sw4's DG as sw3, sw3's DG as sw2, sw2's DG as sw1, and sw5's DG as sw2?

Thanks
0
Comment
Question by:biggynet
14 Comments
 
LVL 21

Expert Comment

by:Tapan Pattanaik
ID: 38853874
Hi biggynet,

Spanning-Tree Cisco Enhancements

http://ciscoiseasy.blogspot.in/2010_10_01_archive.html

Q-in-Q Tunneling:

http://netcerts.net/category/switching/

Private Vlans – Control Plane/Data Plane:

http://mellowd.co.uk/ccie/?tag=switch

Cisco LAN Switching Fundamentals: Configuring Switches:

http://www.ciscopress.com/articles/article.asp?p=358549&seqNum=5
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 100 total points
ID: 38854051
FW as DG is fine but your switch config has no redundancy at all if that diagram is to be believed. What happens to your network if SW2 dies?
0
 
LVL 17

Expert Comment

by:pergr
ID: 38854073
It would be better (for redundancy and capacity) to have all switches connected directly to SW1.
0
 
LVL 17

Assisted Solution

by:pergr
pergr earned 300 total points
ID: 38854074
Default GW is fine.

If you can buy more hardware, get a redundant "stack" as SW1, like the Juniper EX virtual chassis.
0
 

Author Comment

by:biggynet
ID: 38855231
Taking the redundancy design out of it, is having the DG as the FW the best practice? Thanks
0
 
LVL 17

Assisted Solution

by:pergr
pergr earned 300 total points
ID: 38855286
With all 4 switches in the same subnet, the DG is only used when you want to go outside the subnet - which is outside the firewall. Hence, it is perfectly fine to have the DG on the FW.

This assumes you have a single subnet on your network.
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 100 total points
ID: 38855538
The default gateway is the gateway used to exit a subnet.
The gateway is always the non-switching interface that a subnet is connected to, physically or virtually.
If you have layer 3 switches, you can configure interface vlans and use it as gateways for respective vlans created.

In your case, if all the switches are Layer 3 with no interface vlan, or Layer 2 switches, the only gateway you will have is the interface on the FW that connects to SW1 (Assuming all switches belong to the same vlan since you did not indicate how many and where vlans are configured).

In layman's terms
Imagine a house with multiple rooms and a main front door. The only way anyone in any room can go on the street is to exit through the front door.

In other words, there is no best practice per se (with exceptions for interface VLAN configurations).

Hope this helps
0
 

Author Comment

by:biggynet
ID: 38855713
one vlan... one subnet...
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 38855732
Ok
Then your ONLY gateway is the FW interface connecting to SW1 in this scenario.
0
 
LVL 17

Expert Comment

by:pergr
ID: 38855876
Actually, you do not even need to configure any DG, but the FW is fine.
0
 

Author Comment

by:biggynet
ID: 38856899
Why is DG not necessary?
0
 
LVL 17

Expert Comment

by:pergr
ID: 38857159
I assume you are connecting to the switches only from within your own subnet - for management, statistics, etc.

Only if the switch needs to make a connection outside the firewall - or if you connect to the switches from outside, do you need any DG on them.
0
 

Author Comment

by:biggynet
ID: 38857219
pergr,

Sorry but I don't understand your reply.
0
 
LVL 17

Accepted Solution

by:pergr
pergr earned 300 total points
ID: 38857311
If you use only a PC on the internal network to login to the switches, then that PC is on the same subnet as the switches - so you do not need the DG.

The DG is only used to send packets outside the subnet.

For example, assume your subnet is 192.168.1.0/24 (same as 255.255.255.0).
All your switches' IPs are 192.168.1.x and your management PC is 192.168.1.y.

Your subnet is all IPs between 192.168.1.1 to 192.168.1.254.
This means your PC is within the subnet, so the DG is never used.

For the record, the IP address of the switches is only used for management, and not for forwarding user traffic.
0
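The on-link versus default-gateway decision pergr describes above, as an added worked example that is not part of the thread: a host only consults its default gateway when the destination falls outside its own subnet, so a switch management address with no DG still reaches a PC in 192.168.1.0/24 but has nowhere to send traffic for an outside address. The switch, PC and outside addresses are constructed for illustration (203.0.113.5 is from the documentation range), and the firewall interface address 192.168.1.1 is an assumption, not a value given in the thread.

```python
import ipaddress

# Constructed addresses matching the thread's 192.168.1.0/24 subnet.
# The FW inside interface address is assumed; the thread does not state it.
SWITCH_IP = "192.168.1.10"      # a switch management IP (192.168.1.x)
MGMT_PC_IP = "192.168.1.50"     # the management PC (192.168.1.y)
FW_INSIDE_IP = "192.168.1.1"    # assumed FW interface facing SW1
OUTSIDE_IP = "203.0.113.5"      # some address beyond the firewall


def next_hop(src_ip, prefix_len, dst_ip, default_gateway=None):
    """Decide how a host at src_ip/prefix_len forwards a packet to dst_ip.

    Returns one of:
      ("direct", dst)      destination is on-link, ARP for it and send directly
      ("gateway", gw)      destination is off-link, hand the packet to the DG
      ("unreachable", None) destination is off-link and no DG is configured
    """
    local_net = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
    dst = ipaddress.ip_address(dst_ip)

    # Same subnet: the DG is never consulted, exactly as the thread says.
    if dst in local_net:
        return ("direct", str(dst))

    # Different subnet: only a configured gateway can carry the packet.
    if default_gateway is None:
        return ("unreachable", None)

    gw = ipaddress.ip_address(default_gateway)
    if gw not in local_net:
        # A gateway the host cannot reach on-link is a misconfiguration,
        # not a usable route.
        raise ValueError(f"default gateway {gw} is not inside {local_net}")
    return ("gateway", str(gw))


def usable_range(cidr):
    """First and last usable host address of a subnet (the thread's
    192.168.1.1 .. 192.168.1.254 for a /24)."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return (str(hosts[0]), str(hosts[-1]))


def switch_reachability(default_gateway=None):
    """Summarise what a switch can reach with and without a DG configured."""
    return {
        "to_mgmt_pc": next_hop(SWITCH_IP, 24, MGMT_PC_IP, default_gateway),
        "to_outside": next_hop(SWITCH_IP, 24, OUTSIDE_IP, default_gateway),
    }


if __name__ == "__main__":
    print("usable hosts in 192.168.1.0/24:", usable_range("192.168.1.0/24"))
    print("switch with no DG:   ", switch_reachability())
    print("switch with FW as DG:", switch_reachability(FW_INSIDE_IP))
```

Running it shows the management PC is reached directly in both cases, while the outside address is unreachable without a DG and goes via the FW interface once one is set. Management interfaces of switches that never need to originate traffic beyond the firewall therefore lose nothing by leaving the DG unset, and gain a little, since a box with no route out cannot be coaxed into sending anything off-subnet.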

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Make the most of your online learning experience.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question