
2960 default-gateway

jessica jestol
Level 1

So, I'm doing inventory/auditing some networks and I've noticed something that I think is configured incorrectly. All these networks have a pretty simple hardware setup. An ASA 5505 connects to a 3750 with an ipservices license. The 3750 is then connected to five to ten 2960s. The 2960s on a couple of these networks are using the ASA as the default gateway. To me, it seems that the 3750 is set up as the core switch and should be doing all the routing. There is an IPsec L2L VPN on the ASA, but I don't see any reason that the ASA should be doing all the routing. Can anyone confirm/deny this?

Thanks!

3 Replies

Jon Marshall
Hall of Fame

Jessica

Difficult to say as it's not our network :-)

If the 3750 is doing all the routing between vlans and if you also have a management vlan for the switches on the 3750 then I would have thought the default gateways of all 2960s should be pointing to the 3750 and not the ASA.

Usually in the setup you have described you would have a default route on the 3750 pointing to the ASA and then routes on the ASA for the inside subnets routed on the 3750.

Even if access was needed from the ASA to the 2960s I would expect it to go via the 3750 to be honest.

There may be reasons why it has been done that way but from your brief description it is not what I would expect to see.

Jon

Eh, it's recently my network by default... LOL. And I agree. It's not what I expected to see. I thought I was losing my mind though. I'm still trying to see if I can find a reason my predecessor 6 times removed set it up this way. Thanks for the fast reply.

There may well be no real reason but it's always safe to assume there might be until you are sure there isn't.

What I would say though is that if you have a management vlan for the switches they should probably use that and not be in the same vlan/IP subnet as the ASA.

If access is needed to those switches via the VPN for example it can still get there, just via the 3750s instead of direct.

Jon
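
Added example, not part of the thread and not code from any poster: a Python check for the audit discussed above, comparing each 2960's `ip default-gateway` against the SVI addresses on the 3750 and noting when it matches the 3750's own default-route next hop (the ASA in the layout described). The configs, switch names, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# An SVI block and the first "ip address" line inside it ("no ip address" is skipped).
SVI_RE = re.compile(
    r"^interface Vlan(\d+)\n(?:[ \t]+.*\n)*?[ \t]+ip address (\S+) (\S+)", re.M)
GW_RE = re.compile(r"^ip default-gateway (\d+\.\d+\.\d+\.\d+)", re.M)
DEFAULT_ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)", re.M)

def svi_addresses(config):
    """Map VLAN id -> IPv4Interface for every SVI that has an address."""
    return {int(vlan): ipaddress.ip_interface(f"{ip}/{mask}")
            for vlan, ip, mask in SVI_RE.findall(config)}

def audit(core_config, access_configs):
    """Return (switch, finding) for each access switch not pointing at a core SVI."""
    core_ips = {svi.ip for svi in svi_addresses(core_config).values()}
    route = DEFAULT_ROUTE_RE.search(core_config)
    upstream = ipaddress.ip_address(route.group(1)) if route else None
    findings = []
    for name, cfg in sorted(access_configs.items()):
        match = GW_RE.search(cfg)
        if match is None:
            findings.append((name, "no ip default-gateway configured"))
            continue
        gw = ipaddress.ip_address(match.group(1))
        if gw in core_ips:
            continue
        where = "the core's upstream next hop" if gw == upstream else "an unknown host"
        findings.append((name, f"default gateway {gw} is {where}, not a core SVI"))
    return findings

# Constructed sample configs (hypothetical names and addresses).
CORE_3750 = """\
interface Vlan1
 no ip address
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.99.1
"""
ACCESS_2960 = {
    "sw-a": "interface Vlan10\n ip address 10.0.10.11 255.255.255.0\nip default-gateway 10.0.10.1\n",
    "sw-b": "interface Vlan99\n ip address 10.0.99.12 255.255.255.0\nip default-gateway 10.0.99.1\n",
}

if __name__ == "__main__":
    print(audit(CORE_3750, ACCESS_2960))
```

Feed it the saved running-configs from the inventory; a flagged switch is one to investigate, not proof of a misconfiguration.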