cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
910
Views
5
Helpful
19
Replies

route of 0.0.0.0 0.0.0.0 10.10.10.x will this break other traffic?

ddavis99
Level 1
Level 1

I just posted saying i couldn't get my switch online for management,    the first suggestion was to enter a route of 0.0.0.0 0.0.0.0 10.10.10.254  which is the default gateway on vlan10 where the switch IP resides.  which worked to gain me access to the switch through SSH.
unfortunately i accepted the answer and i cannot reply back to ask follow up questions!

so,
now my question is,  i have traffic on that switch for multiple other vlans which of course have their own gateways, 
did i just route everything at my vlan10 gateway for my firewall to have to figure out?  or is the last resort route just going to route the traffic generated by the switch (aka the management interface)

furthermore,  my firewall is doing l3 routing,  should i just do a #no ip routing   and turn it off on the switch?  i should still be able to get to my switch that's at vlan10  IP 10.10.10.x  255.255.255.0  default gateway 10.10.10.x  right?

 

 

1 Accepted Solution

Accepted Solutions

Joseph W. Doherty
Hall of Fame
Hall of Fame

"did i just route everything at my vlan10 gateway for my firewall to have to figure out? or is the last resort route just going to route the traffic generated by the switch (aka the management interface)"

For a L3 switch with enabled routing, it will route traffic it "sees", such as locally (i.e. the switch's traffic), but not VLAN L2 traffic.

For your L3 switch to route its VLAN traffic, you would need corresponding SVIs and the traffic would need to ingress on a SVI.

As you've not mentioned SVIs, and have mentioned other gateways for VLAN hosts, no other traffic should be routed by your L3 switch.

BTW, this reply appears to counter @DanielP211's but I believe given the conditions noted above, he'll agree.  

View solution in original post

19 Replies 19

Hello! 

Yes you have routed all your traffic through vlan 10. Best for you is to create a seperate inter-connecting segment like a /29, that will act as a connecting segment between your switch and the firewall.

If yo do not need L3 at your switch, just use one L3 vlan for management with a default-gateway, and use other vlans only as L2. 

Which switch is it, so that I can help you with the configuration?

BR

****Kindly rate all useful posts*****

We need to know a bit more about your situation to be able to give you good advice. In particular we need to know whether your switch is operating as a layer 2 switch or as a layer 3 switch. A layer 2 switch will use the default route for management traffic but it does not affect user traffic. A layer 3 switch will use the default route to forward both management and user traffic. To help us understand the environment would you post the output of these commands on your switch:

show version

show ip protocol

show ip route

HTH

Rick

Hi Rick,  all L3 operations are at my firewall,  my Switchgear needs only L2 vlan config,

so routing on the switch is not needed.   the switch i replaced with this had no L3 config, so i entered my vlans and assigned them to match the old switch but i left all other config on this new c9200l alone,  which is where i think i made my error.  now the switch is in production so i need to be careful what i do with it to correct the situation. 
so, i have two questions

1. since my FW does all the L3 routing so, should I simply disable routing all together on the switch? #no ip routing.   will my switch report remotely at its assigned IP on vlan10? will its l2 vlan assignments still function fine?

2.  if i disable routing on the switch, will it bring down l2 traffic while i apply the config? i have critical equipment on there that would be affected.

here is the running config which i think will illustrate the L2 config i entered vs the switches default options which may not be needed in my case.

Current configuration : 12520 bytes
!
! Last configuration change at 11:25:43 UTC Tue Jul 16 2024
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform punt-keepalive disable-kernel-core
!
hostname ---------------------------
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging console emergencies
enable secret -----------------------------------
enable password --------------------------
!
!
!
!
no aaa new-model
switch 1 provision c9200l-48p-4g
!
!
!
!
!
!
!
!
!
ip routing
!
ip domain name -------------------
!
!
!
login on-success log
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3020552832
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3020552832
revocation-check none
rsakeypair TP-self-signed-3020552832
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
redacted
quit
crypto pki certificate chain TP-self-signed-3020552832
certificate self-signed 01
redacted
quit
!
license boot level network-essentials addon dna-essentials
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
memory free low-watermark processor 10633
!
username ------------------- secret --------------------------------------------
!
redundancy
mode sso
!
!
transceiver type all
monitoring
lldp run
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 11
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 202
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 206
switchport mode access
!
interface GigabitEthernet1/0/23
switchport access vlan 205
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 207
switchport mode access
!
interface GigabitEthernet1/0/25
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/26
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/27
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/28
switchport access vlan 210
switchport mode access
!
interface GigabitEthernet1/0/29
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/30
switchport access vlan 211
switchport mode access
!
interface GigabitEthernet1/0/31
switchport access vlan 10
!
interface GigabitEthernet1/0/32
switchport access vlan 209
switchport mode access
!
interface GigabitEthernet1/0/33
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/34
switchport access vlan 208
switchport mode access
!
interface GigabitEthernet1/0/35
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/36
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/37
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/38
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/39
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/40
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/41
switchport access vlan 210
switchport mode access
!
interface GigabitEthernet1/0/42
switchport access vlan 10
switchport mode trunk
!
interface GigabitEthernet1/0/43
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/44
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/45
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/46
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/47
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/48
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
!
interface Vlan10
IP address 10.10.10.210 255.255.255.0
!
ip default-gateway 10.10.10.254
ip forward-protocol nd
ip http server
ip http secure-server
!
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
exec-timeout 0 0
length 0
stopbits 1
line aux 0
line vty 0 4
login local
length 0
transport input ssh
line vty 5 15
login local
length 0
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
end

to answer your question its a c9200l-48p-4g  running 17.2

all other traffic was passing as normal before i entered that route,  it only served to bring my switch online to manage at its vlan 10 assigned IP,  so heres a couple questions to help me understand. 


#1 would it make more sense for me to remove the 0.0.0.0 0.0.0.0 route and enter a static just for my switch ip to vlan 10 gateway?  ip route 10.10.10.210 255.255.255.0 10.10.10.254.      having that single static, would that stop all the other vlan traffic or let it proceed as normal?

#2  again my FW does all the L3 routing so,  what if I simply disable routing all together on the switch?   will my switch report remotely at its assigned IP on vlan10?  will its l2 vlan assignments still function fine?

#3 if i disable routing on the switch,  will it bring down l2 traffic while i apply the config?  i have critical equipment on there that would be affected.

 

 

Hello @ddavis99 ,

if your switch hasn't SVI interfaces (L3 VLAN interfaces)  in other L2 VLANs you are fine because there is no way for the switch to be the gateway for users in other vlans and you can stay with the default static route.

By the way ,

this one:

ip route 10.10.10.210 255.255.255.0 10.10.10.254

this is conceptually wrong because a static route should describe the destination network and not the source IP address of your switch interface Vlan 10.

ip route 10.100.0.0 255.255.0.0 10.10.10.254

this would make more sense if you were into the 10.100.0.0/16 address block.

However, as I have noted above if there are no other SVI interfaces the effect of this on user traffic is minimal to null.

Hope to help

Giuseppe

 

 


@ddavis99 wrote:

#1 would it make more sense for me to remove the 0.0.0.0 0.0.0.0 route and enter a static just for my switch ip to vlan 10 gateway?  ip route 10.10.10.210 255.255.255.0 10.10.10.254.      having that single static, would that stop all the other vlan traffic or let it proceed as normal?


As that route statement would be conceptionally wrong because you have a host IP destination with a /24 mask which also includes the gateway IP.  What your route statement effectively is:  ip route 10.10.10.0 255.255.255.0 10.10.10.254  Further, route statements don't take into consideration source IP or source network.  To limit other VLAN/subnets you would need to use PBR.


@ddavis99 wrote:

#2  again my FW does all the L3 routing so,  what if I simply disable routing all together on the switch?   will my switch report remotely at its assigned IP on vlan10?  will its l2 vlan assignments still function fine?


Yes, if you have the default-gateway setup correctly.  And yes to your VLANs correct functioning.


@ddavis99 wrote:

#3 if i disable routing on the switch,  will it bring down l2 traffic while i apply the config?  i have critical equipment on there that would be affected.


Don't believe it would be impactful, and if it is, just a "blip".  However, ideally any configuration change should be done during scheduled maintenance with contingency plans if things "break".

(I suspect most of us have seen, at some time, things break that shouldn't have.  [Worst case of that, was one shop I was in, had four identical core L3 large chassis switches, all almost identically configured, but one of them, just logging onto it, and using any show command, had a 50/50 chance of crashing.  Hardware vendor, non-Cisco, couldn't resolve this issue or explain, so SOP, don't ever "touch" that box for almost any reason during business hours.])

Martin L
VIP
VIP

the default route of 0.0.0.0 0.0.0.0 <next-hop | exit-interface>  purpose is to route traffic that does not match (uses) any other routes in the routing table (RIB) at that moment; RIB uses concept of the longest match; which means /32 is preferable over /30 over /24 over /10, ..... and so on.  The /0 is the default route and is used last, aka as a last resort , aka Gateway of last resort 

Regards, ML
**Please Rate All Helpful Responses **

Joseph W. Doherty
Hall of Fame
Hall of Fame

"did i just route everything at my vlan10 gateway for my firewall to have to figure out? or is the last resort route just going to route the traffic generated by the switch (aka the management interface)"

For a L3 switch with enabled routing, it will route traffic it "sees", such as locally (i.e. the switch's traffic), but not VLAN L2 traffic.

For your L3 switch to route its VLAN traffic, you would need corresponding SVIs and the traffic would need to ingress on a SVI.

As you've not mentioned SVIs, and have mentioned other gateways for VLAN hosts, no other traffic should be routed by your L3 switch.

BTW, this reply appears to counter @DanielP211's but I believe given the conditions noted above, he'll agree.  

ok,  if you look i responded to Rick with my running-config it may confirm what you are suggesting.  
as you can see i entered my L2 config as normal,  vlans, trunk, assigned access ports,  set up ssh and my user creds,  and i assigned my switch an ip on vlan10  and the vlan 10 default gateway.
so if someone is on an endpoint connected to a vlan120 access port (which is a 10.10.1.x network)   the route 0.0.0.0 0.0.0.0 10.10.10.254  would NOT affect the traffic as it resides in L2?


@ddavis99 wrote:

so if someone is on an endpoint connected to a vlan120 access port (which is a 10.10.1.x network)   the route 0.0.0.0 0.0.0.0 10.10.10.254  would NOT affect the traffic as it resides in L2?


Correct, as long as that VLAN 120, or any VLAN (including VLAN 10), traffic doesn't enter the switch, logically, at/on a L3 interface.

Yes I agree with you completely. I forgot to mention that L2 vlan traffic remains unaffected in your case. . 

****Kindly rate all useful posts*****

thanks @DanielP211  this has been very helpful! 

Joseph W. Doherty
Hall of Fame
Hall of Fame

"furthermore, my firewall is doing l3 routing,  should i just do a #no ip routing   and turn it off on the switch?"

Unless all traffic must be inspected by the FW, I would recommend using your L3 switch for routing and only send non local destination traffic to FW.

correct,  all traffic needs inspection by the firewall,  all routing policy between critical segments in the FW are protected and have full logging  this is the route the company took via consultant (before my time)

Review Cisco Networking for a $25 gift card