Why does setting the gateway at gateway2 allow communication such as SSH to use the same path?

martlee2
Cisco Employee

PC1 SSH to PC0

If the gateway is set at gateway1, which is at the ASA,

I go from switch0 to switch1, switch1 to switch2.

However, the design makes it go back via switch3, so SSH fails.

If the gateway is set at gateway2, which is at the core switch,

it can SSH with the same path, which means

go from switch0 to switch1, switch1 to switch2

back from switch2 to switch1, switch1 to switch0.

Why is setting the gateway at gateway2 (core switch) like magic?

I mean it physically needs to pass the ASA too, so why is setting gateway2 magic?

Does TCP do something different at gateway2?

5 Replies

cofee
Level 5

If the gateway is set at gateway1, which is at the ASA,

I go from switch0 to switch1, switch1 to switch2.

However, the design makes it go back via switch3, so SSH fails. - This fails because of asymmetric routing. As we know, SSH uses TCP as transport and therefore requires a 3-way handshake. The source PC sends a SYN packet through the firewall but receives the SYN-ACK via switch 3 (I am not sure if switch 3 is doing any sort of routing and has the ability to route the packet directly to PC1, or whether it still has to go through the firewall but arrives on another interface of the firewall). Let's assume switch 3 can route the SYN-ACK packet from PC0 to PC1 without going through the firewall; it will still fail because when PC0 replies with an ACK (which is the last piece of the 3-way handshake) it will send it through the firewall, and the firewall is still expecting a SYN-ACK from PC0 which it never saw, so the firewall will end up dropping that connection.

If the gateway is set at gateway2, which is at the core switch,

it can SSH with the same path, which means

go from switch0 to switch1, switch1 to switch2

back from switch2 to switch1, switch1 to switch0.

Why is setting the gateway at gateway2 (core switch) like magic? This is working because, based on the packet flow you provided, the packet doesn't go through switch 3 and takes the same route in both directions. If this had been a connectionless protocol like UDP, you wouldn't have known that there is an issue with the packet flow.

Now, if your question is why return traffic goes through switch 3 when the ASA is the gateway and not when gateway2 is configured as the gateway, for that you will need to look at the routing and layer 2 configuration.
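The stateful-firewall behaviour described in this reply, as an added example that is not part of the thread: a toy connection tracker in Python, following the OP's "PC1 SSH to PC0", shows the handshake completing when the SYN-ACK returns through the ASA (the gateway2 case) and the final ACK being dropped when the SYN-ACK came back via switch3 instead. Device names, flow states and the single-hop model are assumptions for illustration.

```python
EXPECTED = {                       # (current state, TCP flags) -> next state
    (None, "SYN"): "SYN_SENT",
    ("SYN_SENT", "SYN-ACK"): "SYN_RECV",
    ("SYN_RECV", "ACK"): "ESTABLISHED",
}


class StatefulFirewall:
    """Toy connection tracker: a flow's state advances only on packets the
    firewall actually sees, so a handshake step that bypassed it is missing."""

    def __init__(self):
        self.table = {}   # flow key -> handshake state
        self.log = []     # readable trace of every verdict

    def inspect(self, src, dst, flags):
        key = tuple(sorted((src, dst)))        # same key for both directions
        state = self.table.get(key)
        nxt = EXPECTED.get((state, flags))     # only the next expected step passes
        verdict = "accept" if nxt else "drop"
        if nxt:
            self.table[key] = nxt
        self.log.append(f"{src}->{dst} {flags:<7} seen in state {state}: {verdict}")
        return verdict


def ssh_handshake(return_via_firewall):
    """PC1 opens SSH to PC0. The client's SYN and ACK always cross the ASA;
    the server's SYN-ACK crosses it only when the return path is symmetric
    (the gateway2 case). Returns (verdicts, final flow state, log)."""
    fw = StatefulFirewall()
    verdicts = [fw.inspect("PC1", "PC0", "SYN")]
    if return_via_firewall:
        verdicts.append(fw.inspect("PC0", "PC1", "SYN-ACK"))
    else:
        verdicts.append("bypassed")   # SYN-ACK went back via switch3; ASA never saw it
    verdicts.append(fw.inspect("PC1", "PC0", "ACK"))
    return verdicts, fw.table[("PC0", "PC1")], fw.log


if __name__ == "__main__":
    for label, symmetric in (("gateway1 at ASA (asymmetric)", False),
                             ("gateway2 at core switch (symmetric)", True)):
        verdicts, state, log = ssh_handshake(symmetric)
        print(f"{label}: {verdicts} -> flow state {state}")
        for line in log:
            print("   ", line)
```

A UDP flow through the same tracker would need no handshake states at all, which is why the asymmetric path only becomes visible with TCP.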

The design deliberately makes return traffic go another way, through switch 3,

but I do not know why, when the gateway is set at gateway2, it did not go the other way through switch 3

and can go back along the same path.

Where should I look to understand this?

It appears the default gateway for PC0 is switch 2, so I would check there; switch 3 is directly connected to switch 2. The return packet originated by PC0 arrives at switch 2 and then switch 2 forwards it to switch 3. Does the PC0 VLAN exist on switch 3? If so, check who is the root bridge for that VLAN. It's either layer 2 or layer 3, and it's something on switch 2 that's causing the issue.

What's the role of switch 3: are you using it as layer 2 or layer 3? If you don't find the problem, then please share the running config of your devices.

It is an abstract diagram, not the actual topology;

I just want to represent two different paths when using SSH.

I am guessing ASA to switch 1 is using layer 3 and then switch 1 to switch 2 is using layer 2.

I am just wondering why asking the core switch behind the ASA makes sure it returns by the same path.

I guess the legacy network configuration of switch 2 does not have a route to the ASA,

and switch 2 can have a route to switch 1.

So, does setting the gateway mean allowing only the gateway to decide where to route?

Let's say I have a PC on the 192.168.1.0/24 network. My PC is connected to a multilayer switch (it's capable of routing). Now there are other hosts on the same network (192.168.1.0/24) connected to the same switch; assuming the layer 2 configuration is correct, meaning they are on the same VLAN, end hosts on this network don't need a default gateway to communicate with other members that are on the same network because no routing is taking place. Now you add another network on this switch, 172.16.0.0; in this case you will need to define a default gateway for your PC, and the default gateway will be the multilayer switch your PC is connected to. If someone in the 192.168.0.0 network wants to communicate with the 172.16.0.0 network, that packet will be sent to the default gateway, and because the multilayer switch has a route to the destination network it will successfully deliver the packet. If the default gateway doesn't have a route to the destination network, then the packet will be dropped. Your PC is smart enough to figure out when the destination address is local and when it's on a different network by looking at the network address, and as I mentioned before, when the packet has to be delivered outside the local network it relies on a layer 3 device, and that could be a switch/router or a firewall.

So yes, you are right: the next hop or the gateway will decide how the packet will be routed to the destination network, exactly the same way your PC decides how it wants to deliver/route the packet it generated by looking at its own routing table.

I hope this answers your question.
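The local-versus-remote decision and the gateway's route lookup from this reply, as an added example that is not part of the thread: a small Python model in which each node delivers locally to a directly connected network and otherwise hands the packet to its default gateway, dropping it when it has none. The node names, the 172.20.0.0/16 destination and the ASA's address are constructed for the illustration.

```python
import ipaddress


class Node:
    """A host or multilayer switch. Destinations on a directly connected
    network are delivered locally; everything else goes to the default
    gateway, and a node with no gateway has no route and drops the packet."""

    def __init__(self, connected, gateway=None):
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.gateway = gateway            # name of the next-hop device, or None

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        if any(dst in net for net in self.connected):
            return "local"                # same network: no routing needed
        return self.gateway               # None means no route


def deliver(nodes, src, dst):
    """Forward a packet hop by hop; return the hop list, or None if dropped."""
    path, cur = [src], src
    for _ in range(8):                    # hop-count guard against loops
        nh = nodes[cur].next_hop(dst)
        if nh is None:
            return None                   # no route at this hop: dropped
        if nh == "local":
            return path + [dst]
        path.append(nh)
        cur = nh
    return None


# Constructed topology mirroring the reply: PCs on 192.168.1.0/24 behind a
# multilayer switch that also owns 172.16.0.0/16 and points its own default
# route at an ASA that knows nothing about 172.20.0.0/16.
NODES = {
    "pc": Node(["192.168.1.0/24"], gateway="mls"),
    "pc_nogw": Node(["192.168.1.0/24"]),
    "mls": Node(["192.168.1.0/24", "172.16.0.0/16"], gateway="asa"),
    "asa": Node(["10.0.0.0/24"]),
}


def examples():
    return {
        "same_subnet": deliver(NODES, "pc", "192.168.1.20"),
        "via_gateway": deliver(NODES, "pc", "172.16.5.9"),
        "no_gateway": deliver(NODES, "pc_nogw", "172.16.5.9"),
        "unknown_net": deliver(NODES, "pc", "172.20.1.1"),
    }
```

The last case shows the point about the gateway deciding: the PC happily forwards to the multilayer switch, which forwards to the ASA, and the packet is only lost at the hop that has no route.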