Solved

Cisco Layer 3 and switches - How does my network work?

Posted on 2014-07-14
995 Views
Last Modified: 2014-07-14
Hello All,

Please can someone help with some explanations or links to relevant (short) docs?  

I have a 12 year old CCNA and basic understanding of routing/switching.  I have inherited responsibility for a 0 documented network! I need to figure out how to swap out my ASA firewall (but don't let that distract you - 0% ASA stuff in this question)

So, I have three user Cisco switches (Catalyst 4000, C3750 and C2950G) that workstations/phones etc are plugged into.  Only one of these switches has a direct connection to my ASA firewall.  This one switch shows
ip default-gateway 10.7.1.5
which is the address configured on the connected interface of the ASA.

The three switches have a trunked connection between them.

Only one of the two switches without the gateway set (using ip default-gateway 10.7.1.5) has static routes:
ip route 0.0.0.0 0.0.0.0 10.7.1.5
VTP is enabled across the three switches and there are multiple VLANs. As an example I have:

interface Vlan106
 ip address 10.7.6.254 255.255.255.0
 ip helper-address 10.x.x.x
 ip helper-address 10.x.x.x
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
 standby 106 track GigabitEthernet1/0/48
And on my workstation I would have an ip address 10.7.6.x and a gateway of 10.7.6.1.  For the sake of argument, all addresses have a 24-bit mask.

So... a couple of questions:
1- Routing is obviously occurring between the VLANs (but I have no connected router). How is this happening?
2- Does the default-gateway have anything to do with it?
3- Does the static route on one switch for 0.0.0.0 0.0.0.0 have anything to do with it?
4- I need to substitute the ASA for a new one with proper rules on it.  What do I need to be looking at changing?

Finally, looking above at the config for the VLAN interface, what is all that 'standby' stuff all about?

Can someone give me a quick and dirty overview as this company won't hire a network engineer! :)

Thanks all!
Question by:Tommy_Cooper
8 Comments
 
LVL 10

Expert Comment

by:Korbus
ID: 40194477
1-  They are called "layer 3 switches"-  but this basically means it's both a switch and a router (which is needed to route traffic to appropriate vlan ports).
2-  If you have a specific route setup, then no, the gateway does not matter.  If you do NOT have a specific route setup, traffic will attempt to go out the gateway to reach another subnet.
3- I'm not sure what this route means either- doesn't really make sense.  If 0.0.0.0 represents ALL networks (not sure of this), then why send it to 0.0.0.0 for a gateway:  to drop them perhaps?
4-  I'd think the more important thing is what to keep the same:  Make sure your new firewall has the same LAN IP as your older one.  This should keep you from having to change ANY routing stuff in the switches.
 
LVL 25

Assisted Solution

by:Ken Boone
Ken Boone earned 1268 total points
ID: 40194481
Ok so here goes my attempt to address your questions.
The 3750 is a layer 3 switch, which means it can do routing.
The 4000 may or may not be a layer 3 switch, depending on the supervisor module.
The 2950G is only a layer 2 switch.

So it sounds like that the single switch with an ip route statement is the layer 3 switch.  Since the switches are trunked and you are using VTP - all of the vlans are propagated throughout all switches.  

Routing is occurring on the switch with the ip route statement.  It is routing internet traffic to the firewall and receiving inbound traffic to the firewall and then routes them to the local lan network where the PCs are.

You need to look at the ASA config to make sure your rule set stays the same.


The standby stuff has to do with HSRP (Hot Standby Routing Protocol).  This is a mechanism that provides default gateway failover ability - if you have 2 layer 3 devices.  If you issue the command "show standby" on the switch with this command, you should find that he is the active router, and then it will show the standby router.  If there is a standby, that means that either there is another router or a layer 3 switch that might be routing as well.  If there is not a standby, it's not doing you any good.

Hope that helps.
 
LVL 17

Assisted Solution

by:James H
James H earned 632 total points
ID: 40194568
Not to discredit any posters but don't post if you don't know or understand.

1- Routing is obviously occurring between the VLANs (but I have no connected router). How is this happening?
Answer: The 3750 is a layer 3 and can (and is) route traffic accordingly.
2- Does the default-gateway have anything to do with it?
Answer: Not for inter-vlan routing which your switch can handle.
3- Does the static route on one switch for 0.0.0.0 0.0.0.0 have anything to do with it?
Answer: This statement sends ALL undefined traffic to your firewall, meaning anything that isn't a part of your internal subnets. This is a required statement if you want to send traffic to your edge device and this will route that traffic accordingly.
4- I need to substitute the ASA for a new one with proper rules on it.  What do I need to be looking at changing?
Answer: I wouldn't change anything before fully understanding the inner workings. Map out your network and then logically plan the migration after it is documented.
 
LVL 20

Assisted Solution

by:rauenpc
rauenpc earned 100 total points
ID: 40194586
Just as a bit of info, the difference between the 'ip route 0.0.0.0 0.0.0.0 x.x.x.x' and 'ip default-gateway x.x.x.x' comes down to whether or not 'ip routing' is enabled on the switch. If an L3 switch has 'ip routing' in the config, then it must use the 'ip route x.x.x....' statements. 'ip default-gateway' is for L2 switch communication for management. The only exception to this is that you can have the 'ip default-gateway' on an L3 switch, but that will only come into play during a crash if syslog or crash dumps are enabled.
 
LVL 3

Author Comment

by:Tommy_Cooper
ID: 40194662
kenboonejr / Spartan – thank you both.

So the 3750 is doing all the routing for all three switches?  This is the switch with the default-gateway setting.
Nope – I know that can’t be it as the 4000 is the one with a few static routes set up (including the default route to 0.0.0.0)

So the 3750 and the 4000 can route.  The 2950G is layer 2 only.  Oh! And I just spotted that it has a default-gateway setup too…. which points to an interface on the 4000.

So please can you join the dots for me…. The facts are:

I have a workstation plugged into the 2950G and it has an ip address 10.7.6.x/24 and a gateway of 10.7.6.1
The 3750 and the 4000 have the following configuration on BOTH switches:
interface Vlan106
 ip address 10.7.6.25x 255.255.255.0
 ip helper-address 10.x.x.x
 ip helper-address 10.x.x.x
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
 standby 106 track GigabitEthernet1/0/48
The 4000 has the static route configured 0.0.0.0 0.0.0.0 10.7.1.5
The 3750 has ip default-gateway 10.7.1.5

So – when a workstation wants to access the internet, it tries to reach its gateway at 10.7.6.1 which exists on either the 4000 or the 3750 but the 2950 will forward the traffic to one or other of these switches as the interface is in the same VLAN.  The 3750 or the 4000 will see that the ultimate destination is to the internet (0.0.0.0 match) and will pass it off to the configured gateway (10.7.1.5 my ASA).

Is that basically correct?

And also… Just because I’m confusing myself now…. why does the 2950 have a default gateway if it’s just a layer 2 switch?  (This is just for the purpose of management, right – so it can ‘talk’ to devices on different subnets – SSH etc. )
 
LVL 3

Author Comment

by:Tommy_Cooper
ID: 40194674
Oops - Just noticed rauenpc's comments. So all sorted on the gateway address for the 2950 :) Thanks mate.
Interestingly though - I just searched the config on all three switches for 'ip routing' and it doesn't appear at all.

Does that mean that the switch with the static routes set is not using them?
 
LVL 25

Accepted Solution

by:Ken Boone
Ken Boone earned 1268 total points
ID: 40194680
ok - here goes...


Ok so the 4000 is the layer 3 switch acting as a layer 3 switch doing routing!

----------------
I have a workstation plugged into the 2950G and it has an ip address 10.7.6.x/24 and a gateway of 10.7.6.1
The 3750 and the 4000 have the following configuration on BOTH switches:
interface Vlan106
 ip address 10.7.6.25x 255.255.255.0
 ip helper-address 10.x.x.x
 ip helper-address 10.x.x.x
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
 standby 106 track GigabitEthernet1/0/48
The 4000 has the static route configured 0.0.0.0 0.0.0.0 10.7.1.5
The 3750 has ip default-gateway 10.7.1.5
-----------

So if this type of config is set up on both the 3750 and the 4000, then they are both doing routing and they are backing each other up in case one fails, as far as acting like the default gateway for your 10.7.6.x network.

The 4000 has a static route in order to route internet bound traffic to the firewall.  The 3750 does not have a static route which means if he takes over in answering for the .1 address, then you will lose internet as it does not have a static default route configured.  The default gateway command is only used when the switch does not have ip routing turned on.


-----------------
So – when a workstation wants to access the internet, it tries to reach its gateway at 10.7.6.1 which exists on either the 4000 or the 3750 but the 2950 will forward the traffic to one or other of these switches as the interface is in the same VLAN.  The 3750 or the 4000 will see that the ultimate destination is to the internet (0.0.0.0 match) and will pass it off to the configured gateway (10.7.1.5 my ASA).
-----------------
HSRP allows two routers to share an IP address, if you will, that will be used as the default gateway for users of that network.  Only one of the devices will take ownership of the .1 HSRP address.  If a failure occurs then the other device will take over.  If you issue a show standby command on these switches it will tell you which one is active.  - because you don't have the same static route on both switches, if it fails over, your internet traffic will go down.


----------
And also… Just because I’m confusing myself now…. why does the 2950 have a default gateway if it’s just a layer 2 switch?  (This is just for the purpose of management, right – so it can ‘talk’ to devices on different subnets – SSH etc. )
--------
Yes the 2950 simply looks like any host on the network in order for you to manage it.  So it has an ip address, subnet mask and default gateway for communicating to the device.
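As an added example (not code from any poster in this thread), the following Python audit parses constructed config excerpts modelled on the ones quoted above and flags the two issues Ken Boone and rauenpc describe: an HSRP peer with no default route, and static routes on a switch whose config has no 'ip routing'. The switch names, addresses and config text are all constructed.

```python
import re

# Constructed config excerpts modelled on the thread (not the poster's real configs):
# the 4000 carries the static default route, the 3750 only has ip default-gateway.
CONFIGS = {
    "cat4000": """\
ip routing
interface Vlan106
 ip address 10.7.6.254 255.255.255.0
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
ip route 0.0.0.0 0.0.0.0 10.7.1.5
""",
    "c3750": """\
ip default-gateway 10.7.1.5
interface Vlan106
 ip address 10.7.6.253 255.255.255.0
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
""",
}

def parse(config):
    """Extract the facts the thread turns on: ip routing, default route/gateway, HSRP groups."""
    facts = {"ip_routing": False, "default_route": None, "default_gateway": None, "hsrp": {}}
    for line in config.splitlines():
        if re.match(r"ip routing\b", line):
            facts["ip_routing"] = True
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            facts["default_route"] = m.group(1)
        elif m := re.match(r"ip default-gateway (\S+)", line):
            facts["default_gateway"] = m.group(1)
        elif m := re.match(r"\s+standby (\d+) ip (\S+)", line):
            facts["hsrp"][m.group(1)] = m.group(2)  # HSRP group -> virtual IP
    return facts

def audit(configs):
    """Flag HSRP peers whose routing config would break the moment they go active."""
    findings = []
    for name, f in ((n, parse(c)) for n, c in configs.items()):
        if not f["hsrp"]:
            continue  # pure L2 switch (like the 2950G): its default-gateway is management only
        if not f["ip_routing"]:
            findings.append(f"{name}: 'ip routing' not in config; confirm routing is on before trusting static routes")
        if f["default_route"] is None:
            findings.append(f"{name}: HSRP peer has no default route; internet is lost if it becomes active")
    return findings
```

Run audit(CONFIGS) against real 'show running-config' output to get the same two findings for whichever peer is missing the default route.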
 
LVL 3

Author Comment

by:Tommy_Cooper
ID: 40194943
Ken - Brilliant - Thank you. Now I know where to start reading :)