Default Gateway...Needed or Not?

Unanswered Question
Oct 8th, 2007

I'm replacing 4 2950 switches with 2 3560 switches; there are several VLANs and for the most part the firewall is doing all the routing. The current 2950s do not have a default gateway set for any VLAN, so my question is: should I set up a default gateway in the new switches, or does that make it less secure? Should I set an IP address for each VLAN and a corresponding default gateway? There is only one VLAN with an IP, and so long as I'm on one of the servers that are in the same subnet as the switches I can manage the switches. Currently the default VLAN (1) is shut down. Unfortunately for me, I didn't install this network, so I'm inheriting this, and the admin that did is unavailable.

We are basically an eCommerce type infrastructure, where I have 3 layers, the Internet layer, the Application layer, and the DB layer.

Thanks!

Richard Burts Mon, 10/08/2007 - 18:45

Bob

With the 2950 switch your only option was to operate it as a layer 2 switch, which means that some other device must supply the layer 3 routing function. It is not clear from your post but am I correct in assuming that you will continue to operate the switches as layer 2 switches and depend on the firewall (or whatever) for routing?

A switch (including the layer 2 only 2950s) can have multiple active VLANs and forward layer 2 traffic on each VLAN. The layer 2 switch configures a VLAN interface with an IP address to provide the ability to remotely manage the switch. With an appropriate default gateway configured you should be able to access the switch from anywhere in your network. With no default gateway you make it more difficult (but not necessarily impossible) to access the switch from outside the VLAN/subnet. Some of the switches will ARP for remote destinations if they do not have a default gateway configured. If the switch does ARP and if some layer 3 device has enabled proxy arp then the switch will be able to communicate with remote subnets.

While we can make the point that the default gateway is not required, I believe that configuring a default gateway is a good idea and I suggest that you do configure it. If you are worried about security there are better ways to secure the switch than to not have a default gateway.

HTH

Rick
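As an added example (not from either post in this thread), here is a 3560 configuration that keeps the switch as a layer 2 device with the firewall still doing the routing, sets a default gateway on the management SVI, and limits management sessions to named admin hosts with an access-class. The VLAN number, addresses and ACL name are placeholders chosen for the example, not values from this discussion.

```cisco
! Keep the 3560 in layer 2 mode: all inter-VLAN routing stays on the firewall.
! ip default-gateway is only honoured while ip routing is disabled; with
! ip routing enabled you would use "ip route 0.0.0.0 0.0.0.0 <next-hop>" instead.
no ip routing
!
! Management SVI (VLAN number and addresses are constructed placeholders).
interface Vlan10
 description Management
 ip address 10.10.10.2 255.255.255.0
 no shutdown
!
! Gateway for management traffic, pointing at the firewall's address on this VLAN.
ip default-gateway 10.10.10.1
!
! Only the listed admin hosts may open management sessions; everything else is
! dropped and logged, so the switch can be reachable from other subnets without
! being manageable from every server that can route to it.
ip access-list standard MGMT-HOSTS
 permit host 10.10.10.50
 permit host 10.10.10.51
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
```

The access-class is what limits who can manage the switch; the default gateway only determines whether the switch can answer hosts outside its own subnet, so the two settings address different concerns.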

bob.mckinley Mon, 10/08/2007 - 19:23

Rick

Thanks for the reply, and you are correct: I'm going to continue to allow the FW to do the routing. However, I believe if my main benefit is to allow me to manage the switches from anywhere then I'd prefer to simply leave out the default gateway. The fewer servers that can access them the better.
