L2 switch default gateway clarification

grapevine · ‎02-06-2025

I have an L2 switch that has 2 SVIs 172.18.16.51 and 10.145.16.250 with default gateway 172.18.16.1 It's connected to a firewall, firewall has gateway interface 10.145.16.1 and also a meraki and a firewall with gateway 172.18.16.1

If I want to reach 10.145.16.250 from another network (VPN 10.250.1.0) connected to firewall with gateway 10.140.16.1 should the default gateway on switch be changed to 10.145.16.1. I am able to ping the switch from the firewall directly but when I try to reach via VPN from the gateway connected to 10.145.16.1 it says ICMP aged out on the connected Palo Alto firewall. Please advise how to fix this.

Flavio Miranda · ‎02-06-2025

@grapevine

If you have 172.18.16.1 as default Gateway on the switch, If you ping the switch from a different network, the switch will sendo the traffic to default-gateway. 172.18.16.1.

Run a trave route from VPN and see where It stops. This can be missing rules on firewall or route missing on the gateway

grapevine · ‎02-06-2025

grapevine · ‎02-06-2025

172.18.16.51 is reachable from VPN gateway 1, 1 need 10.145.16.250 reachable from vpn gateway 2, should I change the default gateway on the switch to 10.145.16.1

Flavio Miranda · ‎02-06-2025

If you change the gateway to 10.145.16.1 it might work but you probably will loose access from VPN1 if 10.145.16.1 does not have route to VPN1

grapevine · ‎02-06-2025

We are migrating from 172.18 to 10.145 network.so we don't want access to 172. 18. all devices will be moved to 10.145 network

Flavio Miranda · ‎02-06-2025

Then you are good. Just move the gateway

Joshqun Ismayilov · ‎02-06-2025

Hello @grapevine

Change the Default Gateway to 10.145.16.1 and / configure a Static Route for VPN Traffic #ip route 10.250.1.0 255.255.255.0 10.145.16.1

Ensures that replies to VPN traffic (10.250.1.xx) go through 10.145.16.1 instead of the default gateway

Thanks !