Solved

default gateway best practice

Posted on 2013-02-04
Last Modified: 2013-02-05
This is what I have in one vlan:

FW<-->sw1<-->sw2<-->sw3<-->sw4
                         |
                        sw5

The default gateway (DG) for all switches is pointing to the FW. What is the default gateway configuration best practice? In other words, should I have sw4's DG as sw3, sw3's DG as sw2, sw2's DG as sw1, and sw5's DG as sw2?

Thanks
Question by:biggynet

14 Comments
 
Expert Comment

by:Tapan Pattanaik
Hi biggynet,

Spanning-Tree Cisco Enhancements

http://ciscoiseasy.blogspot.in/2010_10_01_archive.html

Q-in-Q Tunneling:

http://netcerts.net/category/switching/

Private Vlans – Control Plane/Data Plane:

http://mellowd.co.uk/ccie/?tag=switch

Cisco LAN Switching Fundamentals: Configuring Switches:

http://www.ciscopress.com/articles/article.asp?p=358549&seqNum=5

Assisted Solution

by:Neil Russell
Neil Russell earned 100 total points
FW as DG is fine but your switch config has no redundancy at all if that diagram is to be believed. What happens to your network if SW2 dies?

Expert Comment

by:pergr
Would be better (for redundancy and capacity) to have all switches connected directly to SW1.

Assisted Solution

by:pergr
pergr earned 300 total points
Default GW is fine.

If you can buy more hardware, get a redundant "stack" as SW1, like the Juniper EX virtual chassis.

Author Comment

by:biggynet
Taking out the redundancy design, is having the DG as the FW the best practice? Thanks

Assisted Solution

by:pergr
pergr earned 300 total points
With all 4 switches in the same subnet, the DG is only used when you want to go outside the subnet - which is outside the firewall. Hence, it is perfectly fine to have the DG on the FW.

This assumes you have a single subnet on your network.

Assisted Solution

by:Akinsd
Akinsd earned 100 total points
The default gateway is the gateway to exit a subnet.
The gateway is always the non-switching interface that a subnet is connected to, physically or virtually.
If you have layer 3 switches, you can configure interface VLANs and use them as gateways for the respective VLANs created.

In your case, if all the switches are layer 3 with no interface VLAN, or layer 2 switches, the only gateway you will have is the interface on the FW that connects to SW1 (assuming all switches belong to the same VLAN, since you did not indicate how many VLANs there are and where they are configured).

In layman's terms:
Imagine a house with multiple rooms and a main front door. The only way anyone in any room can go out on the street is to exit through the front door.

In other words, there is no best practice per se (with exceptions for interface VLAN configurations).

Hope this helps

Author Comment

by:biggynet
one vlan... one subnet...

Expert Comment

by:Akinsd
Ok
Then your ONLY gateway is the FW interface connecting to SW1 in this scenario

Expert Comment

by:pergr
Actually, you do not even need to configure any DG..., but the FW is fine.

Author Comment

by:biggynet
Why is DG not necessary?

Expert Comment

by:pergr
I assume you are connecting to the switches only from within your own subnet - for management, statistics, etc.

Only if the switch needs to make a connection outside the firewall - or if you connect to the switches from outside, do you need any DG on them.

Author Comment

by:biggynet
pergr,

Sorry but I don't understand your reply.

Accepted Solution

by:pergr
pergr earned 300 total points
If you use only a PC on the internal network to log in to the switches, then that PC is on the same subnet as the switches, so you do not need the DG.

The DG is only used to send packets outside the subnet.

For example, assume your subnet is 192.168.1.0/24 (same as 255.255.255.0).
All your switches' IPs are 192.168.1.x and your management PC is 192.168.1.y.

Your subnet is all IPs between 192.168.1.1 and 192.168.1.254.
This means your PC is within the subnet, so the DG is never used.

For the record, the IP address of the switches is only used for management, and not for forwarding user traffic.
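The forwarding decision that Akinsd and pergr describe above, as an added Python example that is not part of the thread and not any vendor's code. It models each switch's management IP stack as a plain host on one /24 and checks the three gateway choices raised in the original question for sw4: no default gateway at all, the firewall as gateway, and sw3 (the next switch in the chain) as gateway. The addresses 192.168.1.1 for the firewall, 192.168.1.13 and .14 for sw3 and sw4, 192.168.1.50 for the admin PC and 10.0.0.5 for a host beyond the firewall are assumptions for illustration; the thread only gives the 192.168.1.0/24 subnet.

```python
import ipaddress

# Constructed topology matching the thread: one VLAN, one /24, and the
# firewall is the only device that routes off the subnet. All addresses
# below are assumptions; the thread only states 192.168.1.0/24.
SUBNET = ipaddress.ip_network("192.168.1.0/24")
FW_IP = ipaddress.ip_address("192.168.1.1")
ROUTERS = {FW_IP}  # devices that forward IP packets off-subnet; a plain L2 switch never does


class ManagedSwitch:
    """The management IP stack of a switch, modelled as an ordinary host.

    This only covers traffic the switch itself originates or answers
    (SSH, SNMP, syslog, NTP). User frames are forwarded at layer 2 and
    are unaffected by the gateway setting, as pergr notes in the thread.
    """

    def __init__(self, name, ip, gateway=None):
        self.name = name
        self.ip = ipaddress.ip_address(ip)
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """Classic host decision: on-link delivery, default gateway, or no route."""
        dst = ipaddress.ip_address(dst)
        if dst in SUBNET:
            return ("direct", dst)        # ARP for dst and send straight across the switches
        if self.gateway is None:
            return ("no-route", None)     # off-subnet and nowhere to hand it to
        return ("via-gateway", self.gateway)

    def can_reach(self, dst):
        """True if a packet from this switch to dst has a viable first hop."""
        kind, hop = self.next_hop(dst)
        if kind == "direct":
            return True
        if kind == "no-route":
            return False
        # A gateway that is just another L2 switch in the same subnet
        # accepts the frame but has no routing table to forward it.
        return hop in ROUTERS


def scenario():
    """Walk the three DG choices discussed in the thread for sw4."""
    mgmt_pc = "192.168.1.50"   # admin workstation inside the subnet (assumed)
    remote_host = "10.0.0.5"   # e.g. a syslog server beyond the firewall (assumed)

    no_dg = ManagedSwitch("sw4", "192.168.1.14")                              # pergr: no DG needed
    fw_dg = ManagedSwitch("sw4", "192.168.1.14", gateway="192.168.1.1")       # DG = firewall
    chain_dg = ManagedSwitch("sw4", "192.168.1.14", gateway="192.168.1.13")   # DG = sw3, as asked

    return {
        "no_dg_to_mgmt_pc": no_dg.can_reach(mgmt_pc),           # True: same subnet, DG unused
        "no_dg_to_remote": no_dg.can_reach(remote_host),        # False: nothing to hand it to
        "fw_dg_to_remote": fw_dg.can_reach(remote_host),        # True: the firewall routes it
        "chain_dg_to_remote": chain_dg.can_reach(remote_host),  # False: sw3 does not route
        "fw_dg_next_hop": fw_dg.next_hop(remote_host),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:22} {result}")
```

Run it directly to print the four results. The chained case is the one the original question asked about: sw4 would hand off-subnet packets to sw3, but sw3 is a layer 2 switch whose IP exists only for management, so it has nothing to forward them with and the packet goes nowhere. Only the firewall interface can route out of the subnet, which is why the answers converge on the FW as the gateway, or no gateway at all when the switches are only ever managed from inside the subnet.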