Switching and Default-Gateway statement

Rick Morris
Level 6

Ok, this should seem pretty basic but I am looking for some details on the functionality based on this topology.

Core - Distribution - Access approach. vlan 10 is trunked all the way to the access layer as well.

Core has 10.0.0.1 (SVI vlan 10)

Dist. has 10.0.0.2 (SVI vlan 10)

Acc has 10.0.0.3 (SVI vlan 10)

Currently, I do not have ip default-gateway configured on the access layer and can route just fine to anywhere I need to.

In the Dist. I have added ip route 0.0.0.0 0.0.0.0 10.0.0.1, and from the dist. I can route to anything I need.

I was being challenged that I MUST have a default-gateway configured in order for it to route, which in the IOS is LAN Base so no routing turned on. The point they were making is for a host to get anywhere it needs to know where to go and the default-gateway statement does that, as he is "telling" me. Clearly, it works without it but I am uncertain as to how to explain why.

To my question, how is it working so I can understand it and explain it?  Is there any difference in the configuration should the access switch be configured in mode access versus mode trunk?


cadet alain
VIP Alumni

Hi,

Can you look at your ARP cache on the access switch, you should see multiple entries with the same MAC which should be the MAC address of your distribution switch which is doing proxy-arp.

Regards

Alain

Don't forget to rate helpful posts.
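A worked example of the ARP-cache check Alain suggests (added here, not code from either poster): parse IOS `show ip arp` output taken on the access switch and report any MAC that owns an on-subnet address and also answers for off-subnet addresses. The sample output and the 10.0.0.0/24 SVI subnet are constructed from the addresses in the thread; the MAC addresses are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of IOS "show ip arp" output as seen from the access
# switch in the thread (SVI 10.0.0.3/24, no ip routing, no ip default-gateway).
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.2                5   0011.2233.4455  ARPA   Vlan10
Internet  10.0.0.3                -   aabb.cc00.0300  ARPA   Vlan10
Internet  10.0.0.50               2   0050.56aa.bb01  ARPA   Vlan10
Internet  10.1.1.10               1   0011.2233.4455  ARPA   Vlan10
Internet  172.16.5.20             3   0011.2233.4455  ARPA   Vlan10
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)",
    re.IGNORECASE,
)


def parse_show_ip_arp(text):
    """Return (ip, mac, interface) tuples from IOS 'show ip arp' text."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group("ip"), m.group("mac").lower(), m.group("intf")))
    return entries


def find_proxy_arp_responders(entries, svi_network):
    """Group off-subnet ARP entries by MAC.  A MAC that owns an on-subnet
    address and also answers for remote addresses is the proxy-ARP
    signature Alain describes: many IPs, one (upstream router) MAC."""
    net = ipaddress.ip_network(svi_network)
    remote_by_mac = defaultdict(list)
    local_ip_by_mac = {}
    for ip, mac, _intf in entries:
        if ipaddress.ip_address(ip) in net:
            local_ip_by_mac[mac] = ip
        else:
            remote_by_mac[mac].append(ip)
    return {mac: (local_ip_by_mac.get(mac), sorted(ips))
            for mac, ips in remote_by_mac.items()}


if __name__ == "__main__":
    arp = parse_show_ip_arp(SAMPLE_SHOW_IP_ARP)
    for mac, (owner, remotes) in find_proxy_arp_responders(arp, "10.0.0.0/24").items():
        print(f"{mac} (on-subnet {owner}) answered ARP for: {', '.join(remotes)}")
```

On the sample, the distribution switch's MAC (owner of 10.0.0.2) is the only one that shows up for remote addresses, which is exactly what a layer 2 switch relying on upstream proxy ARP looks like.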

Rick

It would be helpful if you would supply some additional information so that we can better understand your question and the environment that it applies to.  In particular it would help to know which switches have ip routing enabled and which switches do not. You indicate that there are SVI for vlan 10 in core, in distribution, and in access. So it would be nice to know who is routing and who is not. It would also be helpful if you would clarify if you are asking about access to outside addresses from the perspective of a PC connected to the access switch or from the perspective of access to outside addresses from the switch itself.

If the question is about access from a PC connected to the switch then it is pretty easy. If the PC has its own default gateway configured and pointing to either the distribution or core switches then it will work because the PC is able to get to its default gateway regardless of whether the access switch has a default gateway or not.

If the question is about access from the access switch itself, then I believe that Alain has correctly identified the answer. If the access switch does not have default gateway configured then it must be doing arp for remote addresses and receiving arp response because distribution or core (or both) have proxy arp enabled.

Perhaps the important point here is that default-gateway on the access switch is only used for traffic from the management interface of the switch itself. It has nothing to do with access for PCs connected to the vlan.

HTH

Rick

The core is routing - EIGRP with other core devices in network

The dist is routing - static route to core

The access is not routing

trunk connections from core to dist allow vlan 10, port-channel

trunk connections from dist to access allow vlan 10, port-channel

The vlan is 10

ip address on core vlan interface 10.0.0.1

ip address on dist vlan interface 10.0.0.2

ip address on access vlan interface 10.0.0.3

DHCP provides the default gateway to the hosts.

One of the questions posed to me, how does the switch know where to send traffic if there is no default-gateway configured on the switch?  How does it know how to "route?"  Keep in mind it does not have ip routing enabled on the access switch.

In regards to the proxy arp, is that happening by default or does that mean if a default-gateway is used then proxy arp is utilized?  I think I understand as it is explained that a request from the switch receives the proxy arp reply, the MAC, of the distribution as to where to send traffic.

The last statement, Rick, almost makes it very clear for me.

Thank you Alain and Rick for your timely responses, always know that I post something and have 100% confidence when you both, or Guiseppe and Joseph respond (there are others too) because I know the answers will be rock solid.

Rick

I do not completely understand your response. But let me comment on a couple parts of it.

You said: "One of the questions posed to me, how does the switch know where to send traffic if there is no default-gateway configured on the switch? How does it know how to "route?"

My response is that the answer depends very much on whether the switch is operating at layer 2 or at layer 3. If the switch is operating at layer 2 then it does need a configured default-gateway (or it needs to arp for all addresses - which some of lower end switches will do) but that is only for traffic from the switch management interface. If the switch is operating at layer 2 then the PCs connected to it will forward traffic to their configured default gateway and there is no need for the switch to "route". And if the switch is operating at layer 3 then it does not need a configured default-gateway (and would ignore it if one was configured).

I have re-written that paragraph about 4 times and am still not satisfied. So let me try to explain it from a different perspective. If a switch is operating at layer 2 then it is forwarding traffic from its attached hosts based on the destination MAC address. There is no concept of routing for a layer 2 switch. The configured default-gateway is only to enable traffic from the switch management interface and functions only at layer 2. It has no role to play in forwarding traffic from connected hosts if the router is operating at layer 3.

HTH

Rick

The access switch is functioning at layer 2 only, with an svi configured so we can ssh to it.

Currently, I do not have a default-gateway configured and all traffic routes from the switch or end point just fine through the distribution (distribution is a layer 3 switch) through the core (layer 3 device) to cisco.com, for example.

With no default-gateway you state it will arp.

Here is where I am getting a little confused, perhaps. I understand the traffic flow, but having to explain it in technical terms proves difficult for some on the team who have been doing things one way for 20+ years; as the technology changes and is being redesigned, it is a little difficult to show different ways to accomplish many of the same tasks.

Rick

I have a couple of comments that I hope might be helpful.

- you keep bringing up traffic from end points in this discussion in the same context as traffic from the switch. I believe that we need to separate the discussion about end points (hosts/PCs/whatever) from the discussion about the switch.

- if the question is really about default-gateway then it really is a question about just the switch and end points should not be in the discussion. default-gateway plays no role in forwarding traffic from end points.

- the documentation is pretty clear that a layer 2 switch should configure a default-gateway to enable communication with remote subnets. Many of us have had the belief that without a default gateway you can not communicate with remote subnets. And that is true on many devices. It is not true on some of the Catalyst switches, and pretty obviously your switch is one of these. I believe that Alain correctly identified that in this situation what makes it work is that the switch is doing arp for remote destinations and the upstream layer 3 devices doing routing have proxy arp enabled and are sending arp responses.

- This may be difficult for some people to grasp, especially if they have had the traditional belief for a long time. This arp is not the standard way of doing things. But in this case it does work. Perhaps they can grasp that.

HTH

Rick

Rick,

I think I found what I was looking for, as a direct result of the guidance given here.

Here is the scenario I was working through, which led to the seeking of an answer.

I had swapped network equipment in one of our buildings on campus from Nortel switches, and a few 4006's, to a new setup of 3750x and 4500x in VSS. When we converted over we had an issue with our monitoring of the switches. During the troubleshooting of that issue (at 2am to 4am - yeah it was a lot of fun after working a 10 hour day) we found that something was not allowing the monitoring software to communicate with our new equipment. All the configurations were identical and one person was asking why the default-gateway was missing. I could not give a very good answer because I did not fully know technically why I left it out, other than the fact it was just working without it; even when adding it in, it did not resolve our issue.

What we found was one host on the local network, building, was causing all of the grief, once we found it and shut the interface down everything was back to normal.

What I believe is happening to the traffic, when on the switch and going beyond the local subnet the distribution, or core depending on how I had it set up, was responding via proxy arp and passing the traffic upstream based on the request from the layer 2 (access) switch.  So without the default-gateway configured proxy arp is the mechanism that is allowing, or responding, to the request to traverse beyond the local subnet.

Is that correct?

Rick

The additional explanation is helpful. I understand that the question of why the default-gateway was left out could be a pretty difficult question to answer. On the surface it does look like an error (it is contrary to what documentation says). But in fact there are some Catalyst switches that will arp for remote addresses if they do not have default-gateway configured. And clearly this is what was happening in your situation. And the fact that it was not a problem is clear from the fact that when you added the default-gateway the original problem continued.

I am not clear why the other host on the subnet was interfering with communication to the switch, but one explanation that could fit this scenario is that the host was configured with the same IP address as the switch. This would result in the upstream trying to send packets to the layer 2 switch but having the host mac address as the destination mac address. But I believe that it is clear that what was making things work as well as they did was the proxy arp response from the upstream switches when the layer 2 switch did not have default-gateway configured.

HTH

Rick

Hm...

We have a similar problem: recently upgraded 4500x stack (instead of 3750s) also doesn't have a 'default-gateway' statement. When introduced, that crashed the network... so now, my management vlan interface has no ip address, I route everything statically to ASA and access layer switches are pointing to the upstream firewall that routes the traffic back to distribution (Core 4500x) via different vlan.

The fun part? Can someone explain how no device can ping interfaces on Core, and Core cannot ping anything back - yet traffic flows normally...

Thanks for your help,

Plamen

ACCESS - > - - (250.1)ASA
      ^
      |                               |
      |                            99.1
      |                               |
   CORE (99.2)- - < ---

I do not understand well your question or the topology of your network. The drawing that you post seems to show a path from ACCESS and response from ASA to CORE. Is this what you intended it to represent?

But I believe that I do understand the essential part of your question and believe that I can give you an explanation for it.

If the core has problems in pinging other devices and other devices have problems in pinging the core then this involves layer 3 operation of the switch. And if the switch does not have a default gateway then it may well have problems with layer 3 forwarding of traffic to remote subnets. But traffic from other devices passing through the core on their way to ASA etc. is being forwarded at layer 2. And the core switch does not depend on any default gateway to correctly do layer 2 forwarding.

HTH

Rick

Thanks Rick for your help....

I understand your response and agree. But in practice, when I introduced the default gateway to core, added an address to management vlan interface (192.168.250.2) and removed layer 3 statements (ip route 0.0.0.0 0.0.0.0 192.168.99.1), the network crashed... and currently both interfaces on core are unreachable by SolarWinds pings... traffic flows, I don't know how... :-))

Relevant configs:

ASA:

int eth0/1
 nameif inside
 ip address 192.168.99.1 255.255.255.224
!
int Management0/0
 desc Management Only Interface
 ip address 192.168.250.1 255.255.255.0

CORE 4500x:

interface Vlan1
 description :Core:
 ip address 192.168.99.2 255.255.255.0
!
interface VlanX
 description :XXXXXX:
 ip address 192.168.X.1 255.255.255.0
!
interface Vlan250
 description :Management:
 no ip address

Access layer switches:

int vlan 250
 ip address 192.168.250.X 255.255.255.0
ip default-gateway 192.168.250.1

Thanks for the additional information. I still think that we do not have enough information to fully understand your issues. But based on this information here is what I think I understand. Perhaps it will help you toward an understanding of the full issue.

I am assuming that your access layer switches are acting as purely layer 2 switches. I also assume that the access switches probably have 3 vlans configured (vlan 1, vlan x, and vlan 250) and use vlan 250 for management purposes. Is this correct?

I am also assuming that your core 4500 are operating as layer 3 switches. I am assuming that originally they were configured to provide inter vlan routing and that probably it worked ok. Is that correct?

Then you added the default gateway statement on the core 4500 and removed the existing static default route of

ip route 0.0.0.0 0.0.0.0 192.168.99.1

Is this correct?

If that is the case then I believe that I can explain most of your problem. The first thing is that the default gateway statement for a switch is functional on a switch when routing is not enabled on the switch. And that the default gateway statement is useful for "management" traffic to/from the switch (a telnet session perhaps, or sending SNMP, or sending syslog, or that type of thing). But it is not useful for forwarding data traffic passing through the switch. So when you configured a default gateway and removed the static default route you essentially removed the ability of the core 4500 to forward the data traffic in the network.

If hosts in the 192.168.99 network are configured so that their default gateway is 192.168.99.1 then they will work because their data traffic is forwarded through the switches to the ASA which forwards the traffic to the Internet. I do not understand how network 192.168.x works because you have not provided enough information about that network for us to understand it. And traffic in network 192.168.250.0 works, again because it is being forwarded to the ASA for processing.

So at this point your core 4500 are still forwarding vlan traffic correctly at layer 2. But they no longer have adequate capability to forward traffic at layer 3. And you can not ping from access switches or from ASA to the core 4500 because the core 4500 has no IP address in that management subnet.

HTH

Rick

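To make Rick's distinction concrete (an added example, not from the thread): a small audit over constructed config fragments modelled on the core 4500x, flagging the three things that go wrong when ip default-gateway replaces the static default route on a switch that has ip routing enabled. The 192.168.250.2 address on Vlan250 in the corrected fragment is the one the poster mentions; everything else in the fragments is assumed.

```python
# Constructed "before" fragment: ip default-gateway added, the static
# default route removed, and the management SVI left without an address.
CORE_BEFORE = """\
ip routing
ip default-gateway 192.168.250.1
interface Vlan1
 ip address 192.168.99.2 255.255.255.0
interface Vlan250
 no ip address
"""

# Constructed "after" fragment: static default route restored and Vlan250
# given the 192.168.250.2 address the poster mentions (other values assumed).
CORE_AFTER = """\
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.99.1
interface Vlan1
 ip address 192.168.99.2 255.255.255.0
interface Vlan250
 ip address 192.168.250.2 255.255.255.0
"""


def audit_core_config(config):
    """Return findings about off-subnet reachability for a routing switch,
    following Rick's explanation: ip default-gateway only matters when
    ip routing is off, transit traffic needs a route, and an SVI with no
    address cannot be pinged or managed from its subnet."""
    lines = [line.strip() for line in config.splitlines()]
    routing = "ip routing" in lines
    has_gateway = any(line.startswith("ip default-gateway") for line in lines)
    has_default_route = any(line.startswith("ip route 0.0.0.0 0.0.0.0") for line in lines)
    findings = []
    if routing and has_gateway:
        findings.append("ip default-gateway is ignored while ip routing is enabled")
    if routing and not has_default_route:
        findings.append("no default route: traffic for subnets not in the routing table is dropped")
    current = None
    for line in lines:
        if line.startswith("interface "):
            current = line.split()[1]
        elif line == "no ip address" and current:
            findings.append(f"{current} has no IP address: unreachable from its subnet")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CORE_BEFORE), ("after", CORE_AFTER)):
        print(name, audit_core_config(cfg) or ["no findings"])
```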