07-16-2024 05:55 AM
I just posted saying I couldn't get my switch online for management. The first suggestion was to enter a route of 0.0.0.0 0.0.0.0 10.10.10.254, which is the default gateway on VLAN 10 where the switch IP resides. That worked to gain me access to the switch through SSH.
Unfortunately I accepted the answer and I cannot reply back to ask follow-up questions!
So, now my question is: I have traffic on that switch for multiple other VLANs, which of course have their own gateways.
Did I just route everything at my VLAN 10 gateway for my firewall to have to figure out? Or is the last-resort route just going to route the traffic generated by the switch (aka the management interface)?
Furthermore, my firewall is doing L3 routing. Should I just do a #no ip routing and turn it off on the switch? I should still be able to get to my switch that's at VLAN 10 IP 10.10.10.x 255.255.255.0, default gateway 10.10.10.x, right?
07-16-2024 07:33 AM
The SW is either L2 or L3. What is the difference between these two modes?
L2: the GW of the client is in another L3 device which does the routing.
In this mode (L2) the mgmt traffic uses the default GW configured in the SW or the default route; the data traffic doesn't use any routing, it is bridged to the other L3 device for routing, so the default route does not affect it.
L3 mode: the GW of the client is in this SW and the SW does the routing; here both mgmt and data traffic use the default route, so it does affect them.
But as I see it, your SW is in pure L2 mode, so the default route does not affect any data.
MHM
07-16-2024 07:41 AM
@MHM Cisco World wrote:
But as I see it, your SW is in pure L2 mode, so the default route does not affect any data.
For (hopefully further) clarity (and perhaps quibbling), from what's been described, the switch is being used for L2, but it's not running as a pure L2 switch. Locally sourced traffic (which is some [switch host] data) is being routed.
07-16-2024 07:55 AM
@ddavis99 wrote:
Correct, all traffic needs inspection by the firewall. All routing policy between critical segments in the FW is protected and has full logging; this is the route the company took via a consultant (before my time).
Okay, in that case, as you suspected, you don't need to route on this switch.
Does that mean you should disable routing on it? Well, first of all, some advanced L3 switches won't allow routing to be disabled; don't know if that applies to yours (probably not).
Secondly, you might argue either way. It should NOT impact performance. Disabling L3 could preclude accidental L3 changes impacting your network; conversely, though, if all of a sudden you need routing, you'll need to re-enable routing. For L2 management, you'll need to use default-gateway (which can, most likely, be preconfigured before you disable routing). (One of the nice things about a router or L3 switch: you can use a loopback for management, and if you're doing dynamic routing, you can access the device on any possible path. Likely, you don't have multiple L3 paths.)
All-in-all, in your case, I would lean to disabling routing and treating it as just a L2 switch.
07-16-2024 07:35 AM
Thanks everyone @Giuseppe Larosa @DanielP211 @Joseph W. Doherty @Richard Burts @Martin L
I found this very helpful indeed. I've jumped into understanding SVIs and the way the switch handles the traffic, plus I regained remote access to my switch!
I tested traffic from a client access VLAN port on the switch and it's all routing as it should through that VLAN interface, so you all were correct: the static route of 0.0.0.0 0.0.0.0 10.10.10.254 only affects the VLAN 10 interface I've assigned an IP to.
I have a long, long way to go understanding networks. I'm a sysadmin who hasn't put as much work into understanding networking as I should! But I'm trying to remedy that now, so I appreciate how helpful you all are even with a fundamental question!
07-16-2024 08:05 AM
Pure L2 SW:
- Has the command "no ip routing"
- Has one mgmt VLAN SVI
- Has a default GW
L3 SW:
- Has the command "ip routing"
- Has the mgmt VLAN SVI and other VLAN SVIs
- Has a default route and static routes or an IGP
After I checked both your posts, you mix both modes. You run the command
ip routing
and have a default GW in the SW.
These two do not work together; if you are afraid to add a default route then use the default GW command and disable ip routing.
This makes your SW pure L2.
Good luck, friend.
MHM
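The two states MHM contrasts, written out as IOS configuration. This is an added example, not configuration from any post in this thread; it uses the thread's 10.10.10.0/24 management VLAN and gateway 10.10.10.254, a constructed switch address 10.10.10.10, and an assumed VLAN 20 standing in for the other user VLANs.

```ios
! --- Mixed state from the thread: routing enabled AND a default gateway.
! With "ip routing" on, "ip default-gateway" is ignored, and any SVI that
! carries an IP address becomes a local inter-VLAN routing path that does
! not pass through the firewall.
ip routing
ip default-gateway 10.10.10.254
interface Vlan10
 ip address 10.10.10.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.10.254

! --- Pure L2 (management-only) state: the switch bridges user VLANs and
! only its own management traffic (SSH, syslog, NTP) leaves via the gateway.
no ip route 0.0.0.0 0.0.0.0 10.10.10.254
no ip routing
ip default-gateway 10.10.10.254
interface Vlan10
 description management
 ip address 10.10.10.10 255.255.255.0
! Assumed user VLAN: keep the SVI unaddressed so the switch has no L3
! presence on it and cannot be used as a gateway around the firewall.
interface Vlan20
 no ip address

! --- Verification: confirm routing is off, no static routes remain, and
! the only addressed SVI is the management one.
show running-config | include ip routing|ip default-gateway|ip route
show ip interface brief | include Vlan
show ip route
```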