Solved

default gateway best practice

Posted on 2013-02-04
583 Views
Last Modified: 2013-02-05
This is what I have in one vlan:

FW<-->sw1<-->sw2<-->sw3<-->sw4
                         |
                        sw5

The default gateway (DG) for all switches is pointing to the FW. What is the default gateway configuration best practice? In other words, should I have sw4's DG as sw3, sw3's DG as sw2, sw2's DG as sw1, and sw5's DG as sw2?

Thanks
0
Question by:biggynet
14 Comments
 
LVL 21

Expert Comment

by:Tapan Pattanaik
ID: 38853874
Hi biggynet,

Spanning-Tree Cisco Enhancements

http://ciscoiseasy.blogspot.in/2010_10_01_archive.html

Q-in-Q Tunneling:

http://netcerts.net/category/switching/

Private Vlans – Control Plane/Data Plane:

http://mellowd.co.uk/ccie/?tag=switch

Cisco LAN Switching Fundamentals: Configuring Switches:

http://www.ciscopress.com/articles/article.asp?p=358549&seqNum=5
0
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 100 total points
ID: 38854051
FW as DG is fine but your switch config has no redundancy at all if that diagram is to be believed. What happens to your network if SW2 dies?
0
 
LVL 17

Expert Comment

by:pergr
ID: 38854073
Would be better (for redundancy and capacity) to have all switches connected directly to SW1.
0
 
LVL 17

Assisted Solution

by:pergr
pergr earned 300 total points
ID: 38854074
Default GW is fine.

If you can buy more hardware, get a redundant "stack" as SW1, like the Juniper EX virtual chassis.
0
 

Author Comment

by:biggynet
ID: 38855231
Taking out the redundancy design, is having the DG as the FW the best practice? Thanks
0
 
LVL 17

Assisted Solution

by:pergr
pergr earned 300 total points
ID: 38855286
With all 4 switches in the same subnet, the DG is only used when you want to go outside the subnet - which is outside the firewall. Hence, it is perfectly fine to have the DG on the FW.

This assumes you have a single subnet on your network.
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 100 total points
ID: 38855538
The default gateway is the gateway to exit a subnet.
The gateway is always the non-switching interface that a subnet is connected to, physically or virtually.
If you have layer 3 switches, you can configure interface VLANs and use them as gateways for the respective VLANs created.

In your case, if all the switches are Layer 3 with no interface vlan, or Layer 2 switches, the only gateway you will have is the interface on the FW that connects to SW1 (Assuming all switches belong to the same vlan since you did not indicate how many and where vlans are configured).

In layman's terms
Imagine a house with multiple rooms and a main front door. The only way anyone in any room can go on the street is to exit through the front door.

In other words, there is no best practice per se (with exceptions for interface VLAN configurations).

Hope this helps
0
 

Author Comment

by:biggynet
ID: 38855713
one vlan... one subnet...
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 38855732
Ok
Then your ONLY gateway is the FW interface connecting to SW1 in this scenario
0
 
LVL 17

Expert Comment

by:pergr
ID: 38855876
Actually, you do not even need to configure any DG... but the FW is fine.
0
 

Author Comment

by:biggynet
ID: 38856899
Why is DG not necessary?
0
 
LVL 17

Expert Comment

by:pergr
ID: 38857159
I assume you are connecting to the switches only from within your own subnet - for management, statistics, etc.

Only if the switch needs to make a connection outside the firewall - or if you connect to the switches from outside, do you need any DG on them.
0
 

Author Comment

by:biggynet
ID: 38857219
pergr,

Sorry but I don't understand your reply.
0
 
LVL 17

Accepted Solution

by:pergr
pergr earned 300 total points
ID: 38857311
If you use only a PC on the internal network to log in to the switches, then that PC is on the same subnet as the switches, so you do not need the DG.

The DG is only used to send packets outside the subnet.

For example, assume your subnet is 192.168.1.0/24 (same as 255.255.255.0).
All your switches' IPs are 192.168.1.x and your management PC is 192.168.1.y.

Your subnet is all IPs from 192.168.1.1 to 192.168.1.254.
This means your PC is within the subnet, so the DG is never used.

For the record, the IP address of the switches is only used for management, and not for forwarding user traffic.
0
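The on-link-versus-gateway decision the accepted answer describes, as an added example that is not part of the thread: a switch's management interface only consults its default gateway when the destination falls outside its own prefix, so a switch with no DG can still answer a PC in 192.168.1.0/24 but cannot answer one reached through the firewall. The FW inside address 192.168.1.1 and the client addresses are constructed values, not taken from the question.

```python
import ipaddress
from typing import Optional

# Constructed values mirroring the accepted answer's example subnet.
SWITCH_IP = "192.168.1.10"      # a switch's management address
PREFIX_LEN = 24                 # 255.255.255.0
FW_INSIDE_IP = "192.168.1.1"    # assumed firewall interface facing SW1


def choose_next_hop(host_ip: str, prefix_len: int, dst: str,
                    gateway: Optional[str]) -> Optional[str]:
    """Decide where a host sends a packet for dst.

    Returns "on-link" when dst is inside the host's own prefix (the host
    resolves dst directly and the DG is never consulted), the gateway
    address when dst is off-link and a DG exists, or None when dst is
    off-link and no DG is configured (the packet cannot be sent).
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    dst_addr = ipaddress.ip_address(dst)
    if dst_addr in iface.network:
        return "on-link"
    if gateway is None:
        return None
    gw = ipaddress.ip_address(gateway)
    # A DG must itself be on-link, or the host has no way to reach it.
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not inside {iface.network}")
    return str(gw)


def management_reachable(switch_ip: str, prefix_len: int,
                         gateway: Optional[str], client_ip: str) -> bool:
    """True if the switch can send replies back to a management client.

    The client's request may arrive via the firewall regardless; what
    breaks without a DG is the switch's reply to an off-subnet client.
    """
    return choose_next_hop(switch_ip, prefix_len, client_ip, gateway) is not None


if __name__ == "__main__":
    for gw in (None, FW_INSIDE_IP):
        for client in ("192.168.1.50", "10.20.0.9"):   # internal PC, remote PC
            ok = management_reachable(SWITCH_IP, PREFIX_LEN, gw, client)
            print(f"DG={gw!s:12} client={client:12} reachable={ok}")
```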
