management port for management switch(2960x) / IP default-gateway for L2 management switch

Kyujin Choi
Level 1

1)

I am going to connect all the management ports of the servers to this access switch (L2; 2960X) as shown below. The 2960X also has a management port (FastEthernet / L3 port). As you can see below, even if one of the core switches is down, I can still reach the management switch through the other core switch. Do I need this FastEthernet port of the 2960X?

Core Pri -------  Core Sec   (Core Pri 192.168.1.2 / Sec 192.168.1.3 / HSRP VIP 192.168.1.1)
        \                   /
          \                /
            mgmt SW ----- (FastEthernet0) ------ Goes to where? I don't have RAS (Remote Access Server)
                  |
                  |
      servers' mgmt ports


http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swint.html#wp2220949

2) From the server side, the server has a default gateway (192.168.0.1), so if the destination is not known it sends everything to the default gateway. This is L3; I understand this. What about the L2 default gateway on the switch itself? The L2 access switch supports the "ip default-gateway" command. I know that without this command the servers still have no problem connecting to the network. So is this command for the switch (2960X) itself? I.e. if I log into the switch and ping google.com, the switch will try to resolve it through DNS, but if DNS is not set up on the switch, it sends all traffic to the "ip default-gateway"? Is that right?

3) If the L2 (access) switch has multiple data VLANs and a management VLAN (10.0.0.0/24, 10.0.10.0/24, 192.168.0.1), then what will be the "ip default-gateway" for this switch?

Thanks for your time and knowledge.

Reference from Cisco regarding ip default-gateway:

How to configure the ip default-gateway command on a Cisco 3550 series switch


Resolution

To define a default gateway when IP routing is disabled, issue the ip default-gateway global configuration command. Then, enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured.

The default gateway receives IP packets with unresolved destination IP addresses from the switch. Once the default gateway is configured, the switch has connectivity to the remote networks with which a host needs to communicate.

Note: When the switch is configured to route with IP, it does not need to have a default gateway set.

For more information, refer to Assigning the Switch IP Address and Default Gateway.

ip default-gateway

https://supportforums.cisco.com/docs/DOC-5090


Jon Marshall
Hall of Fame

1) If you are only trying to make sure you can get to the servers if one core switch is down, then you don't need to do anything, i.e. just connect the servers to the 2960 switch.

As long as the 2960 is connected to both core switches that will work.

A separate management network is one where you don't use any of the existing switches that carry data, but that isn't what you have.

The only reason to use a separate port on the 2960 would be to connect it to a separate switch/router/RAS etc. so if both core switches were unavailable you could still get to the servers (assuming the 2960 switch was still up). But without the core switches the servers aren't going to be doing anything anyway.

2) You are correct when you say the ip default-gateway command is used on a L2 switch simply to be able to connect to it from remote networks so you can manage the switch. It has, as you say, nothing to do with passing server traffic. However, when you say this -

i.e I log into the switch and ping google.com then switch will try to resolve through DNS, but if DNS is not set up in the switch, it sends all traffic to "ip default-gateway"? Is it right?

this is not right. It's nothing to do with whether DNS works or not. The switch will send any traffic that has a destination IP that is not on the same subnet as the switch to its default gateway.

3) On a L2 switch you configure one SVI, i.e. "interface vlan", with an IP address. On the core switches there will also be SVIs for this vlan. You may well be running HSRP for your vlans on the core switches.

So you set the default gateway on the L2 switch to be the HSRP VIP for the same subnet on the core switches.

Jon
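Jon's points 2 and 3 amount to a rule that can be checked mechanically: an L2 access switch carries one addressed management SVI, and its "ip default-gateway" is the HSRP VIP the core switches hold for that same subnet. The Python below is an added example for this thread (not code from the thread or from Cisco) that parses IOS-style running-config text and reports where that rule is broken, including the case from the Cisco excerpt above where "ip routing" is enabled and the default-gateway command is therefore ignored. The hostnames, addresses and config fragments are constructed samples, and the core config is assumed to carry the VIP on a "standby <group> ip <address>" line.

```python
"""Check an L2 access switch's 'ip default-gateway' against its management SVI
and the core switches' HSRP VIP. Added example for this thread, not Cisco's code.
Input is IOS-style running-config text (constructed samples at the bottom)."""
import ipaddress
import re
from typing import Dict, List

INTF_RE = re.compile(r"^interface (Vlan\d+)\s*$", re.IGNORECASE)
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)\s*$")      # "ip address A MASK"
GW_RE = re.compile(r"^ip default-gateway (\S+)\s*$")          # global, no indent
HSRP_RE = re.compile(r"^\s+standby \d+ ip (\S+)\s*$")         # HSRP VIP under the SVI


def parse_svis(cfg: str) -> Dict[str, dict]:
    """Return {svi: {"net": IPv4Interface|None, "vip": str|None, "shutdown": bool}}."""
    svis, cur = {}, None
    for line in cfg.splitlines():
        m = INTF_RE.match(line)
        if m:
            cur = m.group(1).capitalize()            # 'vlan99' -> 'Vlan99'
            svis[cur] = {"net": None, "vip": None, "shutdown": False}
            continue
        if line and not line[0].isspace():
            cur = None                               # unindented line ends the block
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            svis[cur]["net"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        m = HSRP_RE.match(line)
        if m:
            svis[cur]["vip"] = m.group(1)
        if line.strip() == "shutdown":
            svis[cur]["shutdown"] = True
    return svis


def audit(access_cfg: str, core_cfg: str) -> List[str]:
    """Return a list of findings; an empty list means the gateway is consistent."""
    findings: List[str] = []
    access, core = parse_svis(access_cfg), parse_svis(core_cfg)
    gw = None
    for line in access_cfg.splitlines():
        m = GW_RE.match(line)
        if m:
            gw = ipaddress.IPv4Address(m.group(1))
    if re.search(r"^ip routing\s*$", access_cfg, re.M):
        findings.append("ip routing is enabled: 'ip default-gateway' is ignored, "
                        "use 'ip route 0.0.0.0 0.0.0.0 <next-hop>' or disable routing")
    live = {n: s for n, s in access.items() if s["net"] and not s["shutdown"]}
    if len(live) != 1:
        findings.append(f"expected one addressed management SVI, found {sorted(live) or 'none'}")
    if gw is None:
        findings.append("no 'ip default-gateway': remote management only works from the "
                        "SVI subnet, or via proxy ARP on the core")
        return findings
    for name, svi in live.items():
        if gw not in svi["net"].network:
            findings.append(f"gateway {gw} is outside {name}'s subnet {svi['net'].network}")
        vip = core.get(name, {}).get("vip")
        if vip is None:
            findings.append(f"core has no HSRP VIP on {name}; cannot confirm the gateway")
        elif ipaddress.IPv4Address(vip) != gw:
            findings.append(f"gateway {gw} is not the core HSRP VIP {vip} for {name}")
    return findings


# Constructed sample configs (addresses are made up, not from the thread's network).
ACCESS_OK = """\
hostname AccessSW
no ip routing
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description management
 ip address 10.1.99.35 255.255.255.0
!
ip default-gateway 10.1.99.1
"""
ACCESS_BAD = ACCESS_OK.replace("ip default-gateway 10.1.99.1", "ip default-gateway 10.1.98.1")
ACCESS_NO_GW = "\n".join(l for l in ACCESS_OK.splitlines() if not l.startswith("ip default-gateway"))
CORE = """\
hostname CorePri
ip routing
!
interface Vlan99
 ip address 10.1.99.2 255.255.255.0
 standby 99 ip 10.1.99.1
 standby 99 priority 110
"""

if __name__ == "__main__":
    for label, cfg in (("ok", ACCESS_OK), ("wrong gw", ACCESS_BAD), ("no gw", ACCESS_NO_GW)):
        print(label, audit(cfg, CORE) or "consistent")
```

Run it against "show running-config" saved from each access switch and the core; the "wrong gateway" finding is the situation Kyujin describes later in the thread, where a switch with a wrong default-gateway still appears reachable because something else (proxy ARP) is carrying the traffic.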

Thanks Jon.

I have updates.

1) cleared. Thanks.

2) You said that "the ip default-gateway command is used on a L2 switch simply to be able to connect to it from remote networks so you can manage the switch". I think that without this "ip default-gateway" command I can still manage this switch if this VLAN is advertised correctly through the routing protocol. For example, this switch has a management VLAN 90, and I create a VLAN 90 interface with IP address 192.168.0.100. Then as long as this interface is up, I am able to remotely manage this switch. If I am wrong, please correct me.

3) cleared. I was confused that the access switch has all SVI for vlans. You are right. It doesn't need to have all, except management vlan interface. Thanks.


2) You can manage the switch without a default gateway as long as you try to connect from a device in the same IP subnet as the SVI on the L2 switch.

But if you try to connect from a subnet that is not the same as the SVI on the L2 switch, it won't work without a default gateway on the switch. Think of the switch in this respect as being similar to a PC.

Note also that if proxy ARP is enabled for that vlan on the core switches then you may well be able to connect to the switch from a remote network even without a default gateway on the switch, but I have never relied on proxy ARP being enabled and have always used a default gateway.

3) A true L2 switch will only allow you to have one SVI configured. The 2960 however can do limited L3, so you may well have multiple SVIs. If routing is enabled then you may find you can connect to the switch on any SVI.

Jon

Jon,

I love your explanation, but let me add a little bit more.

"Note also that if proxy arp is enabled for that vlan on the core switches then you may well be able to connect to the switch from a remote network even without a default gateway on the switch"

So I checked the core switch and all interfaces (show run | i ip proxy-arp); there is no ip proxy-arp under any interface.

But without "ip default-gateway x.x.x.x" on the access switch, I was able to access it remotely (from different VLANs).

This is my gray area, because when I looked at a couple of access switches, they don't have this default-gateway.

The weird thing is that some switches even have a wrong default-gateway, but I am still able to access them remotely.

enable / disable proxy arp in cisco switch

http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html


It depends on the switch, but proxy ARP may be enabled by default, in which case you won't see it in the config.

In addition this may be to do with your 2960 having multiple SVIs.

Can you do a "sh ip int br | include Vlan" and see which SVIs are actually up/up ?

Jon

Vlan 99 is the management interface. This is an access switch. I am accessing this switch through SSH remotely (from 10.1.2.x).

WirelessSWLab#sh ip int b
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan99                 10.1.99.35      YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  down                  down
GigabitEthernet0/3     unassigned      YES unset  down                  down
GigabitEthernet0/4     unassigned      YES unset  down                  down
GigabitEthernet0/5     unassigned      YES unset  down                  down
GigabitEthernet0/6     unassigned      YES unset  down                  down
GigabitEthernet0/7     unassigned      YES unset  down                  down
GigabitEthernet0/8     unassigned      YES unset  down                  down
GigabitEthernet0/9     unassigned      YES unset  down                  down
GigabitEthernet0/10    unassigned      YES unset  down                  down
GigabitEthernet0/11    unassigned      YES unset  down                  down
GigabitEthernet0/12    unassigned      YES unset  down                  down
GigabitEthernet0/13    unassigned      YES unset  down                  down
GigabitEthernet0/14    unassigned      YES unset  down                  down
GigabitEthernet0/15    unassigned      YES unset  down                  down
GigabitEthernet0/16    unassigned      YES unset  down                  down
GigabitEthernet0/17    unassigned      YES unset  down                  down
GigabitEthernet0/18    unassigned      YES unset  down                  down
GigabitEthernet0/19    unassigned      YES unset  down                  down
GigabitEthernet0/20    unassigned      YES unset  down                  down
GigabitEthernet0/21    unassigned      YES unset  down                  down
GigabitEthernet0/22    unassigned      YES unset  down                  down
GigabitEthernet0/23    unassigned      YES unset  down                  down
GigabitEthernet0/24    unassigned      YES unset  up                    up
WirelessSWLab#

Okay, then I suspect proxy ARP is enabled by default on the core switches.

On the core switch can you post the output of -

"sh ip int vlan 99"

Just to point out, I wouldn't try disabling it, as there may be other devices you are unaware of relying on it.

Jon

You are right. It was enabled in vlan 99. That explained all. Thanks.

Vlan99 is up, line protocol is up
  Internet address is 10.1.99.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled

Yes, as you say, you can see proxy ARP is enabled, which is why it is working.

If you disabled this then I don't think you would be able to connect remotely without a default gateway on the switch.

Obviously don't do it though, for a couple of reasons -

1) you would need to configure correct default gateways on all your L2 switches before doing it, or you will only be able to connect from the same subnet

2) there may be other devices relying on that. There shouldn't be, i.e. all end devices should hopefully have the right default gateway due to DHCP etc., but you would need to be sure.

It is not necessarily something you need to change.

Jon
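The thread's conclusion, as an added example (not code from the thread or from Cisco): the access switch was reachable from other VLANs without a default gateway only because Proxy ARP on the core's Vlan99 SVI answered ARP requests for off-subnet destinations on its behalf. The Python below walks "show ip interface" output (one block per interface, in the layout of the Vlan99 output posted above) and reports which SVIs have Proxy ARP enabled, together with the IOS commands that would turn it off, so the dependency Jon warns about is inventoried before anyone hardens the cores. The interface blocks in the sample are constructed and trimmed; the addresses are made up.

```python
"""Inventory Proxy ARP state from 'show ip interface' output.
Added example for this thread, not Cisco's code. Parses the per-interface blocks
IOS prints and flags the ones where the router will answer ARP for remote hosts."""
import re
from typing import Dict, List

# "Vlan99 is up, line protocol is up" opens an interface block
HEADER_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is (?:up|down)")
ADDR_RE = re.compile(r"^\s+Internet address is (\S+)")
PROXY_RE = re.compile(r"^\s+Proxy ARP is (enabled|disabled)")


def parse_show_ip_interface(output: str) -> Dict[str, dict]:
    """Return {interface: {"address": str|None, "proxy_arp": bool|None}}.
    proxy_arp is None for interfaces with IP processing disabled (no Proxy ARP line)."""
    intfs, cur = {}, None
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = m.group(1)
            intfs[cur] = {"address": None, "proxy_arp": None}
            continue
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            intfs[cur]["address"] = m.group(1)
        m = PROXY_RE.match(line)
        if m:
            intfs[cur]["proxy_arp"] = m.group(1) == "enabled"
    return intfs


def proxy_arp_enabled(output: str) -> List[str]:
    """Interfaces that will answer ARP for destinations off their own subnet."""
    return sorted(n for n, i in parse_show_ip_interface(output).items() if i["proxy_arp"])


def remediation(output: str) -> List[str]:
    """IOS lines that would disable Proxy ARP on each flagged SVI. Per Jon's caveat,
    only apply these after every L2 switch has a correct 'ip default-gateway'."""
    cmds: List[str] = []
    for name in proxy_arp_enabled(output):
        cmds += [f"interface {name}", " no ip proxy-arp"]
    return cmds


# Constructed, trimmed sample: two SVIs plus a routed port with no IP.
SAMPLE = """\
Vlan10 is up, line protocol is up
  Internet address is 10.1.10.1/24
  Broadcast address is 255.255.255.255
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  ICMP redirects are always sent
Vlan99 is up, line protocol is up
  Internet address is 10.1.99.1/24
  Broadcast address is 255.255.255.255
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  ICMP redirects are always sent
GigabitEthernet0/1 is up, line protocol is up
  Internet protocol processing disabled
"""

if __name__ == "__main__":
    print("Proxy ARP enabled on:", proxy_arp_enabled(SAMPLE))
    print("\n".join(remediation(SAMPLE)))
```

Feed it the full "show ip interface" (not "brief") from each core switch; "show run" will not show the setting when it is at its default, which is exactly why Kyujin's grep for ip proxy-arp found nothing.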

Thanks Jon.
