02-20-2014 10:37 AM - edited 03-07-2019 06:19 PM
1) I am going to connect all the mgmt ports of the servers to this access switch (L2; 2960X), as shown below. I also have a management port on the 2960X (FastEthernet / L3 port). As you can see below, even if one of the Core switches is down, I am still able to reach the mgmt SW through the other Core switch. Do I need this FastEthernet port on the 2960X?
Core Pri ------- Core Sec   (Core Pri 192.168.1.2 / Sec 192.168.1.3 / HSRP VIP 192.168.1.1)
      \         /
       \       /
        mgmt SW ----- (FastEthernet0) ------ Goes to where? I don't have a RAS (Remote Access Server)
           |
           |
    servers' mgmt ports
2) From the server side, the server has a default gateway (192.168.0.1), so if the destination is not known, it sends everything to the default gateway. This is L3; I understand this. What about the L2 default gateway on the switch itself? The L2 access switch supports the "ip default-gateway" command. I know that without this command the servers still have no problem connecting to the network. So is this command for the switch (2960X) itself? I.e. if I log into the switch and ping google.com, the switch will try to resolve it through DNS, but if DNS is not set up on the switch, it sends all traffic to the "ip default-gateway"? Is that right?
3) If the L2 (Access) switch has multiple data VLANs and a mgmt VLAN (10.0.0.0/24, 10.0.10.0/24, 192.168.0.1), then what will be the "ip default-gateway" for this switch?
Thanks for your time and knowledge.
======================== Reference from Cisco regarding ip default-gateway ========================
To define a default gateway when IP routing is disabled, issue the ip default-gateway global configuration command. Then, enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured.
The default gateway receives IP packets with unresolved destination IP addresses from the switch. Once the default gateway is configured, the switch has connectivity to the remote networks with which a host needs to communicate.
Note: When the switch is configured to route with IP, it does not need to have a default gateway set.
For more information, refer to Assigning the Switch IP Address and Default Gateway.
ip default-gateway
https://supportforums.cisco.com/docs/DOC-5090
02-20-2014 11:16 AM
1) If you are only trying to make sure you can get to the servers if one core switch is down then you don't need to do anything, i.e. just connect the servers to the 2960 switch.
As long as the 2960 is connected to both core switches that will work.
A separate management network is used where you don't use any of the existing switches that are used for data but that isn't what you have.
The only reason to use a separate port on the 2960 would be to connect it to a separate switch/router/RAS etc. so if both core switches were unavailable you could still get to the servers (assuming the 2960 switch was still up). But without the core switches the servers aren't going to be doing anything anyway.
2) You are correct when you say the ip default-gateway command is used on a L2 switch simply to be able to connect to it from remote networks so you can manage the switch. It has, as you say, nothing to do with passing server traffic. However when you say this -
i.e I log into the switch and ping google.com then switch will try to resolve through DNS, but if DNS is not set up in the switch, it sends all traffic to "ip default-gateway"? Is it right?
this is not right. It's nothing to do with whether DNS works or not. The switch will send any traffic that has a destination IP that is not on the same subnet as the switch to its default gateway.
3) On a L2 switch you configure one SVI ie. "interface vlan
So you set the default gateway on the L2 switch to be the HSRP VIP for the same subnet on the core switches.
Jon
02-20-2014 11:28 AM
Thanks Jon.
I have updates.
1) cleared. Thanks.
2) You said that "the ip default-gateway command is used on a L2 switch simply to be able to connect to it from remote networks so you can manage the switch". I think that without this "ip default-gateway" command, I can manage this switch if this VLAN is advertised correctly through the routing protocol. For example, this switch has a management VLAN 90; then I create VLAN 90 with IP address 192.168.0.100. Then as long as this interface is up, I am able to remotely manage this switch. If I am wrong, please correct me.
3) Cleared. I was confused, thinking that the access switch had SVIs for all VLANs. You are right. It doesn't need to have all of them, except the management VLAN interface. Thanks.
02-20-2014 11:35 AM
2) You can manage the switch without a default gateway as long as you try to connect from a device in the same IP subnet as the SVI on the L2 switch.
But if you try to connect from a subnet that is not the same as the SVI on the L2 switch it won't work without a default gateway on the switch. Think of the switch in this respect as being similar to a PC.
Note also that if proxy arp is enabled for that vlan on the core switches then you may well be able to connect to the switch from a remote network even without a default gateway on the switch, but I have never relied on proxy arp being enabled and have always used a default gateway.
3) a true L2 switch will only allow you to have one SVI configured. The 2960 however can do limited L3. So you may well have multiple SVIs. If routing is enabled then you may find you can connect to the switch on any SVI.
Jon
02-20-2014 12:34 PM
Jon,
I love your explanation, but let me add a little bit more.
"Note also that if proxy arp is enabled for that vlan on the core switches then you may well be able to connect to the switch from a remote network even without a default gateway on the switch"
So, I checked the core switch and all interfaces (show run | i ip proxy-arp); it doesn't have any ip proxy-arp under the interfaces.
But without ip default-gateway x.x.x.x on the access switch, I was able to access it remotely (from different VLANs).
This is my gray area, because when I looked at a couple of access switches, they don't have this default-gateway.
The weird thing is that some switches even have a wrong default-gateway, but I am still able to access them remotely.
enable / disable proxy arp in cisco switch
http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html
02-20-2014 12:39 PM
It depends on the switch but proxy arp may be enabled by default in which case you won't see it.
In addition this may be to do with your 2960 having multiple SVIs.
Can you do a "sh ip int br | include Vlan" and see which SVIs are actually up/up ?
Jon
02-20-2014 12:41 PM
Vlan 99 is the management port. This is an access switch. I am accessing this switch through SSH remotely (10.1.2.x).
WirelessSWLab#sh ip int b
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan99 10.1.99.35 YES manual up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset down down
GigabitEthernet0/3 unassigned YES unset down down
GigabitEthernet0/4 unassigned YES unset down down
GigabitEthernet0/5 unassigned YES unset down down
GigabitEthernet0/6 unassigned YES unset down down
GigabitEthernet0/7 unassigned YES unset down down
GigabitEthernet0/8 unassigned YES unset down down
GigabitEthernet0/9 unassigned YES unset down down
GigabitEthernet0/10 unassigned YES unset down down
GigabitEthernet0/11 unassigned YES unset down down
GigabitEthernet0/12 unassigned YES unset down down
GigabitEthernet0/13 unassigned YES unset down down
GigabitEthernet0/14 unassigned YES unset down down
GigabitEthernet0/15 unassigned YES unset down down
GigabitEthernet0/16 unassigned YES unset down down
GigabitEthernet0/17 unassigned YES unset down down
GigabitEthernet0/18 unassigned YES unset down down
GigabitEthernet0/19 unassigned YES unset down down
GigabitEthernet0/20 unassigned YES unset down down
GigabitEthernet0/21 unassigned YES unset down down
GigabitEthernet0/22 unassigned YES unset down down
GigabitEthernet0/23 unassigned YES unset down down
GigabitEthernet0/24 unassigned YES unset up up
WirelessSWLab#
02-20-2014 12:46 PM
Okay, then I suspect it has proxy arp enabled by default on the core switches.
On the core switch can you post the output of -
"sh ip int vlan 99"
Just to point out, I wouldn't try disabling it as there may be other devices you are unaware of relying on it.
Jon
02-20-2014 12:55 PM
You are right. It was enabled in vlan 99. That explained all. Thanks.
Vlan99 is up, line protocol is up
Internet address is 10.1.99.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
02-20-2014 01:02 PM
Yes, as you say, you can see proxy arp is enabled which is why it is working.
If you disabled this then I don't think you would be able to connect remotely without a default gateway on the switch.
Obviously don't do it though for a couple of reasons -
1) you would need to configure correct default gateways on all your L2 switches before doing it or you will only be able to connect from the same subnet
2) there may be other devices relying on that. There shouldn't be, i.e. all end devices should hopefully have the right default gateway due to DHCP etc., but you would need to be sure.
It is not necessarily something you need to change.
Jon
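The following is an added example, not code from the thread or from Cisco. It models the forwarding decision Jon describes (the L2 switch behaves like a PC: on-subnet destinations are ARPed for directly, everything else goes to "ip default-gateway") and the proxy ARP behaviour on the core SVI that made the management SVI reachable without a gateway. It then audits a constructed inventory of access switches for missing or wrong default gateways, which is the check Jon says must be done before proxy ARP is ever disabled. All addresses are constructed from the thread (VLAN 99 = 10.1.99.0/24, core SVI 10.1.99.1, access SVI 10.1.99.35, admin station in 10.1.2.x); the switch names other than WirelessSWLab and the 10.1.2.50 admin address are assumptions.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed lab values taken from the thread.
MGMT_NET = IPv4Network("10.1.99.0/24")          # management VLAN 99
ACCESS_SVI = IPv4Interface("10.1.99.35/24")     # WirelessSWLab "interface Vlan99"
CORE_SVI = IPv4Address("10.1.99.1")             # core switch SVI / expected gateway
ADMIN_HOST = IPv4Address("10.1.2.50")           # assumed admin workstation in 10.1.2.x

# Subnets the core switch can route to (constructed).
CORE_ROUTES = [MGMT_NET, IPv4Network("10.1.2.0/24")]

# Devices that really exist on VLAN 99 and answer ARP for their own address.
VLAN99_HOSTS: Dict[IPv4Address, str] = {CORE_SVI: "core-mac"}

# Assumed inventory: (hostname, management SVI, configured ip default-gateway).
INVENTORY = [
    ("WirelessSWLab", "10.1.99.35/24", None),        # no gateway, as in the thread
    ("AccessSW-2",    "10.1.99.36/24", "10.1.99.1"),  # correct gateway
    ("AccessSW-3",    "10.1.99.37/24", "10.1.99.9"),  # wrong gateway
]


def next_hop(svi: IPv4Interface, default_gateway: Optional[IPv4Address],
             destination: IPv4Address) -> IPv4Address:
    """Host-style forwarding decision: which address does the switch ARP for?"""
    if destination in svi.network:
        return destination            # on-link: resolve the destination itself
    if default_gateway is not None:
        return default_gateway        # off-link: hand the packet to the gateway
    # No gateway configured: the switch has nothing else to try but an ARP
    # request for the off-subnet address on the local VLAN.
    return destination


def arp_reply(target: IPv4Address, proxy_arp_enabled: bool) -> Optional[str]:
    """Which MAC (if any) answers an ARP request for `target` on VLAN 99."""
    if target in VLAN99_HOSTS:
        return VLAN99_HOSTS[target]
    # Proxy ARP: the core answers with its own MAC for an off-subnet target
    # that it has a route to, so the gateway-less switch "just works".
    if (proxy_arp_enabled and target not in MGMT_NET
            and any(target in net for net in CORE_ROUTES)):
        return "core-mac"
    return None


def can_manage_remotely(default_gateway: Optional[str], proxy_arp_enabled: bool) -> bool:
    """Can ADMIN_HOST's SSH session reach ACCESS_SVI under these settings?"""
    gw = IPv4Address(default_gateway) if default_gateway else None
    target = next_hop(ACCESS_SVI, gw, ADMIN_HOST)
    return arp_reply(target, proxy_arp_enabled) is not None


def audit_gateways(inventory, expected_gateway: str) -> List[Tuple[str, str]]:
    """Flag switches that depend on proxy ARP: gateway missing or not the core SVI/VIP."""
    expected = IPv4Address(expected_gateway)
    findings = []
    for name, svi_cidr, gateway in inventory:
        if gateway is None:
            findings.append((name, "missing"))
        elif IPv4Address(gateway) != expected:
            findings.append((name, "wrong"))
    return findings


if __name__ == "__main__":
    for gw, proxy in [(None, True), (None, False), ("10.1.99.1", False)]:
        state = "reachable" if can_manage_remotely(gw, proxy) else "unreachable"
        print(f"gateway={gw!s:10} proxy-arp={proxy!s:5} -> {state}")
    for name, reason in audit_gateways(INVENTORY, str(CORE_SVI)):
        print(f"fix before disabling proxy ARP: {name} default-gateway {reason}")
```

The first scenario (no gateway, proxy ARP on) is the thread's situation; the second shows what breaks if proxy ARP were turned off on the core without fixing the access switches first; the third is the configuration Jon recommends. The audit output is the list of switches to correct before touching proxy ARP on the core.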
02-20-2014 01:08 PM
Thanks Jon.