ip route 0 0 versus ip default-gateway

Answered Question
Aug 20th, 2007

Hi,

I know that I should use "ip route 0 0" when "ip routing" is enabled, and "ip default-gateway" otherwise. However, everything (ping, ssh, tftp) seems to work just fine using "ip route 0 0" when "ip routing" is disabled. Can someone explain? I'm using a 3560 w/ IOS version 12.1(19)EA1d. -Thanks

Binh

Edison Ortiz Mon, 08/20/2007 - 17:27

Let's verify 'ip routing' is disabled by posting the output from typing 'show ip route'.


Also, if you have a device on that segment that has proxy-arp enabled, it will forward the packets onto the next segment on this switch's behalf. Proxy-arp is enabled by default.

binhkdinh Mon, 08/20/2007 - 17:55

Here you go:


HHMC_2H13_C3560_2#sh ip route

Default gateway is not set


Host Gateway Last Use Total Uses Interface

ICMP redirect cache is empty

HHMC_2H13_C3560_2#


Thanks

Correct Answer
Edison Ortiz Mon, 08/20/2007 - 18:20

So the only way for this device to reach a different subnet is via a router with proxy-arp enabled. If you want to test, disable proxy-arp on every single router on that subnet (if there is more than one).


If you remove the ip route 0.0.0.0, can you still do all the tasks you mentioned before?

Richard Burts Mon, 08/20/2007 - 18:23

Edison


I would think that the output of show protocol would be more conclusive than the output of show ip route. But from the fact that nothing shows up in the output of show ip route (not even any connected interfaces) I think it may be safe to assume that ip routing is, in fact, disabled.


Binh


Can you clarify for us whether ip default-gateway is configured or not? Also, can you show us the results of attempting access to other devices (especially in the situation that default-gateway is not configured and default route is configured)?


HTH


Rick

binhkdinh Tue, 08/21/2007 - 09:14

Rick, I'm sure that the "ip default-gateway" is not configured. Here are the results as you suggested:

HHMC_2H13_C3560_2#sh run | in ip route

ip route 0.0.0.0 0.0.0.0 10.107.29.1

HHMC_2H13_C3560_2#

HHMC_2H13_C3560_2#copy start tftp

Address or name of remote host []? 10.107.16.55

Destination filename [hhmc_2h13_c3560_2-confg]?

!!!!!

18023 bytes copied in 0.092 secs (195902 bytes/sec)

HHMC_2H13_C3560_2#sh ip int bri

Interface   IP-Address    OK?  Method  Status                 Protocol
Vlan1       unassigned    YES  NVRAM   administratively down  down
Vlan29      10.107.29.6   YES  NVRAM   up                     up


HHMC_2H13_C3560_2#sh run | in ip default-ga

HHMC_2H13_C3560_2#


------

To Edison, it's a live network at a hospital (very critical). Sorry, I can't just add/remove commands. All I can do are just "show" commands unless I can show that things are not working properly.

------------------------------------------

Thanks

Binh

Richard Burts Tue, 08/21/2007 - 09:32

Binh


Thanks for posting the additional information. It does appear that ip default-gateway is not configured. And it does look like ip routing is enabled. There are several other pieces of information that would be helpful. Would you post the output of show protocol? Also would you post the output of show arp? And would you post the configuration of the VLAN interface? Actually that raises a question in my mind: is there just a single VLAN configured or are there multiple VLANs?


HTH


Rick

sundar.palaniappan Tue, 08/21/2007 - 09:38

Binh,


The static default route configured isn't being used as 'ip routing' is disabled in the switch.


I believe the behavior of the newer switches is to ARP out for any non-local destination address, when no default gateway is configured, and another router/L3 switch that has proxy ARP enabled would respond to the ARP with its own MAC address. You can verify this by doing 'show ip arp' in the switch, and if you see an ARP entry for those remote destinations then we can conclude that indeed is the case.


HTH


Sundar



binhkdinh Tue, 08/21/2007 - 10:42

I agree that "ip route 0 0" isn't used at all, but I can't prove that it's not working properly, so we can use "ip default-gateway" instead. The point is if everything is working properly, my upper mgmt don't want to take the risk of changing configs.


Anyway, we do have other vlans on the switch, but only one SVI is up. Also, I'm pretty sure that the "ip routing" is not enabled (it doesn't show up in "show run", and you can tell that in "show ip route").


Show cmds:

HHMC_2H13_C3560_2#sh protocols

Global values:

Vlan1 is administratively down, line protocol is down

Vlan29 is up, line protocol is up

Internet address is 10.107.29.6/24

FastEthernet0/1 is administratively down, line protocol is down

FastEthernet0/2 is down, line protocol is down

FastEthernet0/3 is up, line protocol is up

[truncated]


HHMC_2H13_C3560_2#sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  10.107.16.112    160        0007.b400.1d02  ARPA  Vlan29
Internet  10.107.2.251     154        0007.b400.1d02  ARPA  Vlan29
Internet  10.107.9.78      197        0007.b400.1d02  ARPA  Vlan29
Internet  159.225.173.254  73         0007.b400.1d01  ARPA  Vlan29

[truncated-exact the same as show arp]


HHMC_2H13_C3560_2#sh run int vlan 29

Building configuration...


Current configuration : 191 bytes

!

interface Vlan29

ip address 10.107.29.6 255.255.255.0

no ip redirects


Thanks

Binh Dinh

binhkdinh Tue, 08/21/2007 - 11:01

Proxy-arp is indeed enabled (by default as Edison O. mentioned) on our vlan 29 (show ip int vlan 29). Well, this means that Cisco's default settings had bailed us out though having the incorrect command.

Thank you all for your contribution!

-Binh

Richard Burts Tue, 08/21/2007 - 11:05

Binh


Thanks for posting the additional output. I believe that it is sufficient for us to explain what is going on. I would explain it this way: the switch is in VLAN 29 for its management interface address 10.107.29.6/24. It is accessing successfully addresses that are outside of its own subnet. It is doing this by ARPing for the remote addresses. Other layer 3 devices in VLAN 29 are responding to the ARP requests because they have proxy ARP enabled. This is shown if you look at the ARP table on the switch and find that there are 4 addresses in the ARP table of remote devices (and that 2 different layer 3 devices are responding to the ARP requests).


So this switch is not using the default-gateway configuration option, and while a default route is configured it is not being used either (the output of show protocol shows that ip routing is not enabled). Successful access to remote addresses is based on proxy ARP in other devices in the VLAN. So long as the other devices continue to enable proxy ARP then connectivity should work with no config changes required. If it were me I would want to change the config and either configure the default gateway or enable routing and use the default route. But I can understand the position of management that they do not want config changes unless it is really necessary. And in this circumstance change is not really necessary.


HTH


Rick
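The check Rick describes above (remote addresses in the switch's ARP table, grouped by the layer 3 device that answered) written out as an added example that is not part of the original thread. The function names are hypothetical, and the sample input is the `show ip arp` rows and Vlan29 address posted earlier in this discussion.

```python
import ipaddress
from collections import defaultdict

# Sample input: the `show ip arp` rows and SVI address posted in this thread.
SHOW_IP_ARP = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.107.16.112 160 0007.b400.1d02 ARPA Vlan29
Internet 10.107.2.251 154 0007.b400.1d02 ARPA Vlan29
Internet 10.107.9.78 197 0007.b400.1d02 ARPA Vlan29
Internet 159.225.173.254 73 0007.b400.1d01 ARPA Vlan29
"""
SVI_SUBNETS = {"Vlan29": "10.107.29.6/24"}


def parse_arp(text):
    """Yield (ip, mac, interface) for each 'Internet' row of `show ip arp`."""
    for line in text.splitlines():
        fields = line.split()
        # Rows: Internet <ip> <age or '-'> <mac> <type> <interface>
        if len(fields) != 6 or fields[0] != "Internet":
            continue  # header, prompt, or truncated line
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        yield ip, fields[3].lower(), fields[5]


def off_subnet_entries(arp_text, svi_subnets):
    """Group off-subnet ARP entries by the MAC that answered for them.

    An address outside the interface's own subnet can only appear in the
    ARP cache if some device on the segment replied on its behalf, which
    is the proxy ARP dependence discussed in the thread.
    """
    nets = {ifname: ipaddress.ip_interface(addr).network
            for ifname, addr in svi_subnets.items()}
    by_mac = defaultdict(list)
    for ip, mac, ifname in parse_arp(arp_text):
        net = nets.get(ifname)
        if net is not None and ip not in net:
            by_mac[mac].append(str(ip))
    return dict(by_mac)


if __name__ == "__main__":
    for mac, ips in off_subnet_entries(SHOW_IP_ARP, SVI_SUBNETS).items():
        print(f"{mac} answered ARP for {len(ips)} off-subnet host(s): {', '.join(ips)}")
```

An empty result on a switch that still reaches remote hosts points to a configured gateway doing the work; a non-empty one means reachability depends on the listed devices keeping proxy ARP enabled.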

sundar.palaniappan Tue, 08/21/2007 - 11:06

As suspected the other layer 3 devices on the subnet are doing proxy ARP, as the ARP cache shows entries for remote destinations, on behalf of remote destinations resulting in remote access to this switch even when there's no default gateway configured.


Though it's working fine for now, in order to ensure the remote access to the switch works uninterrupted, you should definitely configure a default gateway on the switch.


HTH


Sundar

binhkdinh Tue, 08/21/2007 - 11:35

Again, thank you all for your replies and explanations! They are all greatly appreciated.
