7461 Views, 35 Helpful, 47 Replies

Purpose of using a Switch as a default gateway as opposed to the Router it’s connected to

fbeye (Level 4)

Hello

 

This is sort of a generic question and I don’t really have a good reason as to what my meaning is, but…

 

I have a Router connected to a Switch. On the Switch I have 3 vlans, all coming from different Routers.
I've noticed that any device connected to the Switch can either #1 see each other if they use the Switch gateway (but no internet access) or #2 connect to the internet by using their default router's gateway (but cannot connect to other devices on the switch).

I’ve eliminated this issue by directly connecting the other 2 routers to 2 interfaces in my default router (bypassing the switch), and then their ip routes are in the ASA (router) and everything works fine.

I just don’t want to use 2 of the only 8 Interfaces on the ASA so that everyone can talk.

Would ‘ip routes’ on each Router to each other work instead of having a common gateway on the switch?

 

[Image: Untitled.jpg]

 

47 Replies

I appreciate your thorough and informative response. I went along with it and was pretty verbatim. I find myself having the same result.

Through the Catalyst using vlan 3 ip address 10.0.2.124, I can SEE 10.0.2.111 and 10.0.2.1 as well as PING them, but cannot "access" them; I can, however, access 10.0.2.126.

When I set back to ASA and assign an Interface (10.0.2.124) to it, and have an Ethernet cable plugged into vlan 3 on the Cat (no vlan interface ip at this point) I can see, ping and connect to 10.0.2.1, 10.0.2.111 and 10.0.2.126.

I am at a loss. There should be no extra ip route, as I am simply connecting from one L3 to another L3 with 'ip routing' enabled. There is no special permission on the Catalyst, as I have never had such a thing, and looking at the ASA I have no special NAT or ACL.

I do not want to blame the Catalyst before myself but it does work via ASA.

 

I will say that there is NO dhcp server or what not on the Cat.

It is a simple setup.

 

ip routing

no cdp enabled

GE 1/0/1-1/0/10 vlan 2

GE 1/0/11-1/0/20 vlan 3

GE 1/0/21-24 vlan 1

all are switchport mode access and switchport access (their respective vlan)

NO default route of any kind

NO ip route of any kind

 

There simply is nothing that would change the dynamic any differently than the ASA, aside from the 192.168.1.0 DHCP Server residing on the same ASA, on which I have a dedicated GE for the 10.0.2.0 (10.0.2.124) that has a default route of its own, simply because they are on the same ASA.

When I disable the given GE and assign vlan 3 ip address 10.0.2.124 on the Cat, I do indeed have a route 'inside 10.0.2.0 255.255.255.0 192.168.1.5', which is the Catalyst's vlan 1 ip address.

 

Possibly ip routing is not working correctly on the Cat? I really, really thought it was a PC issue, but when I did the static routes it was the same issue.

 

 

I do not claim defeat, but I claim "I'm cool with it working as it is, as it works as it is".

nagrajk1969 (Spotlight)


>>>I do not claim defeat,
Yep. Keep up the spirits HIGH. Try again whenever you can!

 

>>>but I claim "I'm cool with it working as it is, as it works as it is".
Yes, of course. Very nice, your saying.


>>>I can SEE 10.0.2.111 and 10.0.2.1 as well as PING but cannot "access" but can access 10.0.2.126.

So whenever you could (maybe when it's all quiet on the network front :-)), IF you revert back to the "problematic connection/deployment" and you observe that you are again unable to "access" 10.0.2.111, then:

 

1. What is this "access" that you are attempting to 10.0.2.111? Is it tcp/udp/...? From which src-ipaddr are you "accessing" 10.0.2.111 when it fails?

 

2. Let's focus on 10.0.2.111
a) what OS is running on this box? Is it Linux?
b) which interface of 10.0.2.111 has the ipaddr, and is it connected to the catalyst-switch (or via Router2)?
c) can you post the output of "ifconfig" on 10.0.2.111?
d) If it's Linux, can you post the output of

root# ip route
root# route -n
root# ip route show table all
root# ip rule

e) is there a firewall/iptables on 10.0.2.111? If iptables, could you post the output of "iptables -nvL", "iptables -nvL -t nat", "iptables -nvL -t mangle"?

 

3. When in the problem state, and a ping is sent to 10.0.2.111, can you do a capture on the interface of 10.0.2.111 and check to which ipaddr it is sending ping-replies?

a) with ping traffic sent from 192.168.1.x to 10.0.2.111, can you capture using tcpdump -eni ethX... and in the ping-replies, check the dst-mac-address: is it that of the "default-gateway" (Router2)?

b) when you try to "access" the application on 10.0.2.111 from 192.168.1.x, capture on the 10.0.2.111 interface and

- check: is the src-ipaddr of the "access" session 192.168.1.x?
- is 10.0.2.111 sending a reply to this "access" connection request? If yes, to which ipaddress is it sending it, AND on which interface is it sending the reply to the "access" connection request?

 

regards
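A constructed helper for the capture checks in the last numbered point above (added here; it is not code from any participant in the thread). It parses tcpdump -eni lines taken on the 10.0.2.111 host and reports, per remote peer, which MAC delivered the peer's packets and which MAC the host addresses its replies to; a mismatch is the forward/return split that lets ping succeed while a stateful device sitting on only one of the two paths drops TCP sessions. The gateway and host MACs and all capture lines are made up; the IP addresses are the thread's.

```python
import re
from collections import defaultdict

# tcpdump -eni line: "<ts> <src-mac> > <dst-mac>, ethertype IPv4 (0x0800), length N: <sip>[.port] > <dip>[.port]: ..."
LINE_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+(?:\.\d+){3})(?:\.\d+)? > (?P<dip>\d+(?:\.\d+){3})(?:\.\d+)?: (?P<info>.*)$"
)

# Constructed MAC addresses for the two candidate gateways on 10.0.2.0/24 (assumed, not from the thread).
GATEWAYS = {"00:11:22:33:44:55": "catalyst-svi-10.0.2.124",
            "00:11:22:33:44:66": "router2-10.0.2.1"}

# Constructed capture as seen on 10.0.2.111 (MAC de:ad:be:ef:01:11) while 192.168.1.10 pings it and
# opens SSH, and while the on-subnet host 10.0.2.126 (MAC de:ad:be:ef:01:26) pings it.
SAMPLE_CAPTURE = """\
10:00:01.000100 00:11:22:33:44:55 > de:ad:be:ef:01:11, ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 10.0.2.111: ICMP echo request, id 7, seq 1, length 64
10:00:01.000300 de:ad:be:ef:01:11 > 00:11:22:33:44:66, ethertype IPv4 (0x0800), length 98: 10.0.2.111 > 192.168.1.10: ICMP echo reply, id 7, seq 1, length 64
10:00:02.000100 00:11:22:33:44:55 > de:ad:be:ef:01:11, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51000 > 10.0.2.111.22: Flags [S], seq 1, win 64240, length 0
10:00:02.000200 de:ad:be:ef:01:11 > 00:11:22:33:44:66, ethertype IPv4 (0x0800), length 74: 10.0.2.111.22 > 192.168.1.10.51000: Flags [S.], seq 9, ack 2, win 65160, length 0
10:00:03.000100 de:ad:be:ef:01:26 > de:ad:be:ef:01:11, ethertype IPv4 (0x0800), length 98: 10.0.2.126 > 10.0.2.111: ICMP echo request, id 8, seq 1, length 64
10:00:03.000200 de:ad:be:ef:01:11 > de:ad:be:ef:01:26, ethertype IPv4 (0x0800), length 98: 10.0.2.111 > 10.0.2.126: ICMP echo reply, id 8, seq 1, length 64
"""


def analyze_paths(capture_text, host_ip, gateways):
    """Per remote peer: the MAC(s) that delivered its packets to host_ip and the MAC(s) host_ip
    sends its replies to. A mismatch means the forward and return paths use different next hops."""
    inbound, outbound = defaultdict(set), defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-IPv4 or unparsable line (ARP, IPv6, truncated)
        if m["dip"] == host_ip:
            inbound[m["sip"]].add(m["smac"])    # who handed the packet to us
        elif m["sip"] == host_ip:
            outbound[m["dip"]].add(m["dmac"])   # where our reply is addressed
    report = {}
    for peer in sorted(set(inbound) | set(outbound)):
        via = {gateways.get(mac, mac) for mac in inbound[peer]}
        to = {gateways.get(mac, mac) for mac in outbound[peer]}
        report[peer] = {"inbound_via": via, "reply_to": to, "symmetric": via == to}
    return report


if __name__ == "__main__":
    for peer, r in analyze_paths(SAMPLE_CAPTURE, "10.0.2.111", GATEWAYS).items():
        verdict = "OK" if r["symmetric"] else "ASYMMETRIC"
        print(f"{peer}: in via {sorted(r['inbound_via'])}, replies to {sorted(r['reply_to'])} -> {verdict}")
```

Run it against a real `tcpdump -eni ethX` saved to a file and compare the reported MACs with `show arp` on the Catalyst and the ASA.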

 

 

In several posts in this discussion it has been clearly stated that ping to the .111 address is successful. If ping is successful, then it is not a routing issue.

If we are going to spend any more time investigating this, I would like to see the ARP entry for .111 on the Catalyst when connecting through the switch and the ARP entry on the ASA when routing is on the ASA.

HTH

Rick