03-22-2011 07:15 PM - edited 03-06-2019 04:12 PM
Can someone please explain why we configure the IP Address and the Default Gateway on the switches?
Switches are Layer 2 devices, so they are unable to read the Layer 3 packets and thus are unable to understand the IP Addresses. Then how do they decide which packet should be forwarded to the default gateway?
Also, when we configure an ip address on a VLAN interface, should it be from the same subnet as being used in that VLAN or it can be from some other subnet?
And if a VLAN interface being configured on one VLAN say e.g, int VLAN 1, can be or cannot be accessed by hosts from another VLAN say e.g from hosts of VLAN 3?
Thanks in advance,
Daud Parvez
03-22-2011 10:08 PM
Hello Daud,
Low end desktop switches from Cisco which have only layer 2 switching capability can have only one vlan interface for management purpose.
With those switches, if you need to telnet to the switch or you need to do snmp polling or trap, you need to configure an ip address for management purpose on the switch.
And if your management workstation is not in the same subnet as the switch, you need to configure default-gateway on the switch since the switch does not know where the management workstation is and what the next-hop address to reach the management workstation is.
The default-gateway should be in the same subnet as the ip address of the vlan interface.
With multi layer switches which have layer 2 and layer 3 switching capability, you need an ip address and default-gateway for the same purpose as mentioned above. Also, multi layer switch can have multiple vlan interfaces and is able to do layer 3 switching between configured subnets.
> And if a VLAN interface being configured on one VLAN say e.g, int VLAN 1, can be or cannot be accessed by hosts from another VLAN say e.g from hosts of VLAN 3?
In order to reach an ip address of interface vlan 1 (e.g 192.168.1.1/24) on the switch from other device (e.g 192.168.2.2/24) in vlan 2, the switch should have an ip address on interface vlan 2 (e.g. 192.168.2.1/24).
And the other device should know the next-hop for the subnet 192.168.1.0/24 is the interface vlan 2 192.168.2.1/24.
To let the other device know the subnet 192.168.1.0/24 is over the switch, you can run a routing protocol between the switch and the other device. Other ways are to configure a static route or a default-route on the other device.
Pls let me know if you have more questions.
If you find this helpful, pls rate this post.
Thanks,
Kim.
03-26-2011 02:17 AM
Hi Kim,
> Low end desktop switches from Cisco which has only layer 2 switching capability can have only one vlan interface for management purpose.
Yes, that was true for 2950 Catalyst series. When the new 2960 originally came out, they were only Layer2 switching capable, yet they allowed having multiple VLAN interfaces (SVIs) configured and put to up/up state. I guess it was aligned with the recently introduced basic Layer3 switching capability to 2960 series although I have troubles considering the 2960 as Layer3 switches. Nevertheless, my point is that even a Layer2 switch may have multiple SVIs configured and activated, although it does not serve much purpose. How many SVIs can be brought up is not a definitoric issue, rather an implementation-dependent decision and can be modified by IOS developers at any time.
Best regards,
Peter
03-25-2011 12:20 PM
Switch management only. Layer 2 switches will work just fine without IP and default gateway.
03-25-2011 07:22 PM
Thank you for your reply.
I don't have actual switches to plan with, but I have tried this on Packet Tracer and found the following results:
1. If you don't configure an IP Address on the switch, then you will be unable to connect (telnet) to the switch from a host connected to an Access Port.
2. If you configure the VLAN Interface say e.g, Interface VLAN 1 with an IP Address from the subnet used on VLAN 1, then you will only be able to telnet to the switch from the hosts of same VLAN 1 using the IP Addresses from the same subnet only and cannot telnet the switch from the host of any other VLAN using a different subnet.
3. If you configure ROUTER-ON-A-STICK for inter-VLAN communication and don't configure a default-gateway on a switch, then you will not be able to connect to a switch from other subnets either from another VLANs on the same switch or from some other subnet connected to the Router used for Inter-VLAN communications.
4. However, if you configure the default-gateway, then you become able to connect the switch with either VLAN of the switch or from some other subnet connected to the router.
Please correct me if I am wrong.
Best Regards,
Daud Parvez.
03-26-2011 02:14 AM
Hello Daud,
First of all, you have to be somewhat careful when drawing conclusions from experiments in Packet Tracer. The Packet Tracer does not implement real IOS routines, rather it uses its own implementation or even simulation of processes running in routers and switches. As a result, when making deep-dive into great detail, the behavior of Packet Tracer may differ from what you would see on real devices.
> 1. If you don't configure an IP Address on the switch, then you will be unable to connect (telnet) to the switch from a host connected to an Access Port.
Absolutely correct. You cannot make an IP connection to something that has no IP address at all.
> 2. If you configure the VLAN Interface say e.g, Interface VLAN 1 with an IP Address from the subnet used on VLAN 1, then you will only be able to telnet to the switch from the hosts of same VLAN 1 using the IP Addresses from the same subnet only and cannot telnet the switch from the host of any other VLAN using a different subnet.
Absolutely correct. That is the idea of the management VLAN. The switch, as a manageable object, is attached to the particular VLAN and can be reached in that VLAN. If you want to manage it, you either have to be a member of that VLAN, or have a routed connectivity to it.
> 3. If you configure ROUTER-ON-A-STICK for inter-VLAN communication and don't configure a default-gateway on a switch, then you will not be able to connect to a switch from other subnets either from another VLANs on the same switch or from some other subnet connected to the Router used for Inter-VLAN communications.

True in Packet Tracer, not entirely true in real life. Cisco Catalyst switches have a rather nasty habit of relying on ProxyARP when they do not have the default gateway configured. In other words, if they don't have a gateway defined, they will ARP directly for an IP packet's destination address, hoping that someone will respond. As routers have ProxyARP enabled by default, they will answer and the switch will send the packet towards them, in effect doing the same as if the default gateway was defined. The downside of this approach is threefold: the ARP cache on the switch grows inordinately huge, the switch generates a large amount of ARP traffic, and if the ProxyARP is deactivated on routers (which is a good security measure) then the switch will lose the connectivity with outside world.
I personally wish that the real Catalyst switches behaved more like the Packet Tracer switches, but Cisco obviously thought otherwise.
> 4. However, if you configure the default-gateway, then you become able to connect the switch with either VLAN of the switch or from some other subnet connected to the router.
Absolutely correct.
Best regards,
Peter
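Added example, not part of the post above or of any Cisco code: a small Python model of the next-hop decision described in this thread for the switch's own management traffic, comparing a configured default gateway with the ProxyARP fallback. The SVI address reuses the 192.168.1.1/24 example from earlier in the thread; the gateway address, the remote hosts and the function names are constructed for illustration.

```python
import ipaddress

def arp_target(svi, dest, default_gateway=None):
    """IP the switch must resolve via ARP to send its own (management) traffic to dest."""
    iface = ipaddress.ip_interface(svi)
    dest = ipaddress.ip_address(dest)
    if dest in iface.network:
        return dest          # same subnet as the SVI: ARP for the host itself
    if default_gateway is not None:
        gw = ipaddress.ip_address(default_gateway)
        if gw not in iface.network:
            raise ValueError("default gateway must be in the SVI's subnet")
        return gw            # off-subnet: ARP for the gateway only
    return dest              # no gateway: ARP for the remote address, relying on ProxyARP

def simulate(svi, dests, default_gateway=None, router_proxy_arp=True):
    """Model assumption: on-link hosts and the gateway always answer ARP; a remote
    address is answered only when the router has ProxyARP enabled."""
    network = ipaddress.ip_interface(svi).network
    arp_cache, unreachable = set(), []
    for d in dests:
        target = arp_target(svi, d, default_gateway)
        if target in network or router_proxy_arp:
            arp_cache.add(target)            # one ARP cache entry per distinct target
        else:
            unreachable.append(str(target))  # nobody answers the ARP request
    return {"arp_entries": len(arp_cache), "unreachable": unreachable}

# Constructed sample values (the gateway and remote hosts are assumptions).
SVI = "192.168.1.1/24"
GATEWAY = "192.168.1.254"
REMOTE = ["192.168.2.2", "192.168.3.10", "10.0.0.5"]

if __name__ == "__main__":
    cases = [
        ("gateway configured", GATEWAY, True),
        ("no gateway, ProxyARP on router", None, True),
        ("no gateway, ProxyARP disabled", None, False),
    ]
    for label, gw, proxy in cases:
        print(f"{label}: {simulate(SVI, REMOTE, gw, proxy)}")
```

With the gateway set, every remote destination collapses to a single ARP entry; without it, the cache grows by one entry per remote host, and reachability depends entirely on the router answering ProxyARP.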
03-27-2011 05:47 AM
For management purpose only (ex. Telnet, snmp, tftp, etc.)