Cisco Layer 3 and switches - How does my network work?

Hello All,

Please can someone help with some explanations or links to relevant (short) docs?  

I have a 12-year-old CCNA and a basic understanding of routing/switching.  I have inherited responsibility for a zero-documented network! I need to figure out how to swap out my ASA firewall (but don't let that distract you - 0% ASA stuff in this question)

So, I have three user Cisco switches (Catalyst 4000, C3750 and C2950G) that workstations/phones etc are plugged into.  Only one of these switches has a direct connection to my ASA firewall.  This one switch shows
ip default-gateway 10.7.1.5

which is the address configured on the connected interface of the ASA.

The three switches have a trunked connection between them.

Only one of the two switches without the gateway set (using ip default-gateway 10.7.1.5) has static routes:
ip route 0.0.0.0 0.0.0.0 10.7.1.5


VTP is enabled across the three switches and there are multiple VLANs. As an example I have:

interface Vlan106
 ip address 10.7.6.254 255.255.255.0
 ip helper-address 10.x.x.x
 ip helper-address 10.x.x.x
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
 standby 106 track GigabitEthernet1/0/48


And on my workstation I would have an IP address of 10.7.6.x and a gateway of 10.7.6.1. For the sake of argument, all addresses have a 24-bit mask.

So... a couple of questions:
1- Routing is obviously occurring between the VLANs (but I have no connected router). How is this happening?
2- Does the default-gateway have anything to do with it?
3- Does the static route on one switch for 0.0.0.0 0.0.0.0 have anything to do with it?
4- I need to substitute the ASA for a new one with proper rules on it.  What do I need to be looking at changing?

Finally, looking above at the config for the VLAN interface, what is all that 'standby' stuff all about?

Can someone give me a quick and dirty overview as this company won't hire a network engineer! :)

Thanks all!
Tommy_Cooper asked:
Korbus commented:
1-  They are called "layer 3 switches"-  but this basically means it's both a switch and a router (which is needed to route traffic to appropriate vlan ports).
2-  If you have a specific route setup, then no, the gateway does not matter.  If you do NOT have a specific route setup, traffic will attempt to go out the gateway to reach another subnet.
3- I'm not sure what this route means either- doesn't really make sense.  If 0.0.0.0 represents ALL networks (not sure of this), then why send it to 0.0.0.0 for a gateway:  to drop them perhaps?
4-  I'd think the more important thing is what to keep the same:  Make sure your new firewall has the same LAN IP as your older one.  This should keep you from having to change ANY routing stuff in the switches.
Ken Boone (Network Consultant) commented:
Ok so here goes my attempt to address your questions.
The 3750 is a layer 3 switch, which means it can do routing.
The 4000 may or may not be a layer 3 switch depending on the supervisor module
The 2950G is only a layer 2 switch.

So it sounds like the single switch with an ip route statement is the layer 3 switch.  Since the switches are trunked and you are using VTP, all of the vlans are propagated throughout all switches.  

Routing is occurring on the switch with the ip route statement.  It is routing internet traffic to the firewall and receiving inbound traffic to the firewall and then routes them to the local lan network where the PCs are.

You need to look at the ASA config to make sure your rule set stays the same.


The standby stuff has to do with HSRP (Hot Standby Routing Protocol).  This is a mechanism that provides default gateway failover ability if you have 2 layer 3 devices.  If you issue the command "show standby" on the switch with this command, you should find that he is the active router, and then it will show the standby router.  If there is a standby, that means that either there is another router or a layer 3 switch that might be routing as well.  If there is not a standby, it's not doing you any good.

Hope that helps.
James H (IT Director) commented:
Not to discredit any posters but don't post if you don't know or understand.

1- Routing is obviously occurring between the VLANs (but I have no connected router). How is this happening?
Answer: The 3750 is a layer 3 switch and can (and does) route traffic accordingly.
2- Does the default-gateway have anything to do with it?
Answer: Not for inter-vlan routing which your switch can handle.
3- Does the static route on one switch for 0.0.0.0 0.0.0.0 have anything to do with it?
Answer: This statement sends ALL undefined traffic to your firewall, meaning anything that isn't a part of your internal subnets. This is a required statement if you want to send traffic to your edge device and this will route that traffic accordingly.
4 - I need to substitute the ASA for a new one with proper rules on it.  What do I need to be looking at changing?
Answer: I wouldn't change anything before fully understanding the inner workings. Map out your network and then logically plan the migration after it is documented.

rauenpc commented:
Just as a bit of info, the difference between the 'ip route 0.0.0.0 0.0.0.0 x.x.x.x' and 'ip default-gateway x.x.x.x' comes down to whether or not 'ip routing' is enabled on the switch. If an L3 switch has 'ip routing' in the config, then it must use the 'ip route x.x.x....' statements. 'ip default-gateway' is for L2 switch communication for management. The only exception to this is that you can have the 'ip default-gateway' on an L3 switch, but that will only come into play during a crash if syslog or crash dumps are enabled.
Tommy_Cooper (Author) commented:
kenboonejr / Spartan – thank you both.

So the 3750 is doing all the routing for all three switches?  This is the switch with the default-gateway setting
Nope – I know that can’t be it as the 4000 is the one with a few static routes set up (including the default route to 0.0.0.0)

So the 3750 and the 4000 can route.  The 2950G is layer 2 only.  Oh! And I just spotted that it has a default-gateway set up too…. which points to an interface on the 4000.

So please can you join the dots for me…. The facts are:

I have a workstation plugged into the 2950G and it has an ip address 10.7.6.x/24 and a gateway of 10.7.6.1
The 3750 and the 4000 have the following configuration on BOTH switches:
interface Vlan106
 ip address 10.7.6.25x 255.255.255.0
 ip helper-address 10.x.x.x
 ip helper-address 10.x.x.x
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
 standby 106 track GigabitEthernet1/0/48
The 4000 has the static route configured 0.0.0.0 0.0.0.0 10.7.1.5
The 3750 has ip default-gateway 10.7.1.5

So – when a workstation wants to access the internet, it tries to reach its gateway at 10.7.6.1 which exists on either the 4000 or the 3750 but the 2950 will forward the traffic to one or other of these switches as the interface is in the same VLAN.  The 3750 or the 4000 will see that the ultimate destination is to the internet (0.0.0.0 match) and will pass it off to the configured gateway (10.7.1.5 my ASA).

Is that basically correct?

And also… Just because I’m confusing myself now…. why does the 2950 have a default gateway if it’s just a layer 2 switch?  (This is just for the purpose of management, right – so it can ‘talk’ to devices on different subnets – SSH etc. )
Tommy_Cooper (Author) commented:
Ooops -Just noticed rauenpc comments. So all sorted on the gateway address for 2950 :) Thanks mate.
Interestingly though - I just searched the config on all three switches for 'ip routing' and it doesn't appear at all.

Does that mean that the switch with the static routes set is not using them?
Ken Boone (Network Consultant) commented:
ok - here goes...


Ok so the 4000 is the layer 3 switch acting as a layer 3 switch doing routing!

----------------
I have a workstation plugged into the 2950G and it has an ip address 10.7.6.x/24 and a gateway of 10.7.6.1
The 3750 and the 4000 have the following configuration on BOTH switches:
interface Vlan106
 ip address 10.7.6.25x 255.255.255.0
 ip helper-address 10.x.x.x
 ip helper-address 10.x.x.x
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
 standby 106 track GigabitEthernet1/0/48
The 4000 has the static route configured 0.0.0.0 0.0.0.0 10.7.1.5
The 3750 has ip default-gateway 10.7.1.5
-----------

So if this type of config is set up on both the 3750 and the 4000, then they are both doing routing and they are backing each other up in case one fails, as far as acting like the default gateway for your 10.7.6.x network.

The 4000 has a static route in order to route internet bound traffic to the firewall.  The 3750 does not have a static route which means if he takes over in answering for the .1 address, then you will lose internet as it does not have a static default route configured.  The default gateway command is only used when the switch does not have ip routing turned on.


-----------------
So – when a workstation wants to access the internet, it tries to reach its gateway at 10.7.6.1 which exists on either the 4000 or the 3750 but the 2950 will forward the traffic to one or other of these switches as the interface is in the same VLAN.  The 3750 or the 4000 will see that the ultimate destination is to the internet (0.0.0.0 match) and will pass it off to the configured gateway (10.7.1.5 my ASA).
-----------------
HSRP allows two routers to share an IP address, if you will, that will be used as the default gateway for users of that network.  Only one of the devices will take ownership of the .1 hsrp address.  If a failure occurs, then the other device will take over.  If you issue a show standby command on these switches it will tell you which one is active.  Because you don't have the same static route on both switches, if it fails over, your internet traffic will go down.


----------
And also… Just because I’m confusing myself now…. why does the 2950 have a default gateway if it’s just a layer 2 switch?  (This is just for the purpose of management, right – so it can ‘talk’ to devices on different subnets – SSH etc. )
--------
Yes the 2950 simply looks like any host on the network in order for you to manage it.  So it has an ip address, subnet mask and default gateway for communicating to the device.
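Added example (not from this thread or any of the posters): a small Python audit that reads a running-config dump from each switch and reports the gaps Ken Boone and rauenpc describe above: which HSRP peer becomes active, whether every peer that can answer for the virtual IP also carries a 0.0.0.0/0 route, whether a static route sits on a switch with no 'ip routing' line (absence of the line in a dump does not by itself prove routing is off, since some platforms enable it by default, so 'show ip route' is the real check), and whether an 'ip default-gateway' is sitting on a switch that is routing. The two sample configs are constructed from the thread's description; the hostnames, the 4000's .253 address and the omitted helper-addresses are assumptions. The election rule in elect_active is HSRP's own: highest priority wins, and equal priorities go to the peer with the highest interface IP.

```python
"""Audit IOS switch configs for the HSRP/default-route gap discussed in the thread (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed to match the thread: HSRP 106 on both, 0/0 route only on the 4000,
# ip default-gateway only on the 3750, no 'ip routing' line on either.
# Hostnames and the 4000's .253 address are assumptions.
CAT4000_CFG = """\
hostname cat4000
interface Vlan106
 ip address 10.7.6.253 255.255.255.0
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
 standby 106 track GigabitEthernet1/0/48
ip route 0.0.0.0 0.0.0.0 10.7.1.5
"""
CAT3750_CFG = """\
hostname cat3750
interface Vlan106
 ip address 10.7.6.254 255.255.255.0
 standby 106 ip 10.7.6.1
 standby 106 priority 95
 standby 106 preempt
 standby 106 track GigabitEthernet1/0/48
ip default-gateway 10.7.1.5
"""

@dataclass
class Hsrp:
    interface: str
    vip: str | None = None
    priority: int = 100      # IOS default when there is no 'standby N priority' line

@dataclass
class Switch:
    name: str = "?"
    ip_routing: bool = False
    default_gateway: str | None = None
    default_route: str | None = None          # next hop of 0.0.0.0/0
    if_addr: dict[str, str] = field(default_factory=dict)
    hsrp: dict[int, Hsrp] = field(default_factory=dict)

def parse_config(text: str) -> Switch:
    """Pull routing and HSRP facts out of a 'show running-config' dump."""
    sw, iface = Switch(), None
    for raw in text.splitlines():
        if not raw.startswith(" "):                  # global config line
            iface = None
            if m := re.match(r"hostname (\S+)", raw):
                sw.name = m.group(1)
            elif raw.strip() == "ip routing":
                sw.ip_routing = True
            elif m := re.match(r"ip default-gateway (\S+)", raw):
                sw.default_gateway = m.group(1)
            elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", raw):
                sw.default_route = m.group(1)
            elif m := re.match(r"interface (\S+)", raw):
                iface = m.group(1)
        elif iface and (m := re.match(r"ip address (\S+) \S+", raw.strip())):
            sw.if_addr[iface] = m.group(1)
        elif iface and (m := re.match(r"standby (\d+) (\S+)(?: (\S+))?", raw.strip())):
            grp, kw, val = int(m.group(1)), m.group(2), m.group(3)
            h = sw.hsrp.setdefault(grp, Hsrp(iface))
            if kw == "ip":
                h.vip = val
            elif kw == "priority":
                h.priority = int(val)
    return sw

def elect_active(switches: list[Switch], group: int) -> Switch:
    """Highest priority wins; a tie goes to the higher interface IP (steady state when all peers preempt, as here)."""
    peers = [s for s in switches if group in s.hsrp]
    return max(peers, key=lambda s: (s.hsrp[group].priority, tuple(map(int, s.if_addr[s.hsrp[group].interface].split(".")))))

def audit(switches: list[Switch]) -> list[str]:
    """Findings to settle before swapping the firewall."""
    out = []
    for g in sorted({g for s in switches for g in s.hsrp}):
        peers = [s for s in switches if g in s.hsrp]
        if len(peers) < 2:
            out.append(f"group {g}: only {peers[0].name} runs it, so there is no standby to fail over to")
        elif len({s.hsrp[g].priority for s in peers}) == 1:
            out.append(f"group {g}: equal priorities, active decided by highest interface IP ({elect_active(switches, g).name})")
        for s in peers:
            if s.default_route is None:
                out.append(f"{s.name}: answers for {s.hsrp[g].vip} in group {g} but has no default route; internet breaks while it is active")
    for s in switches:
        if s.default_route and not s.ip_routing:
            out.append(f"{s.name}: static route present but no 'ip routing' line; check 'show ip route'")
        if s.default_gateway and s.ip_routing:
            out.append(f"{s.name}: 'ip default-gateway' is ignored for forwarding once ip routing is on")
    return out

def audit_sample() -> list[str]:
    return audit([parse_config(CAT4000_CFG), parse_config(CAT3750_CFG)])
```

Call audit_sample(), or feed parse_config the output of 'show running-config' from each real switch. On the constructed pair it reports that with equal priorities the 3750 wins the tie on address (.254 beats .253), that the 3750 has no default route so internet traffic dies while it is active, and that the 4000's static route sits on a switch whose config never says 'ip routing'; the first two together are exactly the failover gap Ken Boone points out, and swapping the ASA without fixing them just moves the problem.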

Tommy_Cooper (Author) commented:
Ken - Brilliant - Thank you. Now I know where to start reading :)