Switch not passing unknown subnets to default gateway

mfawehin
Level 1

Hi guys,

I have set up a couple of 3750s as edge switches replacing an HP device. However, even though I have specified a default route 0.0.0.0 to the firewall for all unknown subnets, the switch does not seem to be passing the traffic to the firewall, and I have now had to configure a load of static route statements pointing various subnets to the firewall to get people working. Internet traffic appears to be fine though.

It kinda defeats the purpose of implementing dynamic routing if I still have a stack of static routes on my devices!!

Any advice would be much appreciated.

Cheers,

Martha.

20 Replies

andrew.prince
Level 10

Firstly - for a switch to pass unknown traffic, the traffic has to be handled by a layer 3 interface that sits in the same IP subnet of the LAN.

The switches must be able to see the firewall - but REMEMBER if you are NOT running a dynamic routing protocol, you will then be working on a hop by hop basis.

So for all default traffic from the edge - your next hop to the internet is the next layer 3 capable device that is closer to the firewall - basic routing.

HTH

Thanks for the response Andrew.

Perhaps I should clarify: the switch is an L3 switch (a 3750), it is running OSPF but not on the firewall, and it has a direct connection to the firewall, albeit on L2 (the connecting interface is on an outside VLAN created for the firewall, the edge devices and other outside-facing kit), so the switch can definitely see the firewall.

Any advice on what to do?

Thanks again,

Martha.

glen.grant
VIP Alumni

If you do a show ip route, do you see all the connected subnets in the routing table along with your default static route? If so, then it should be working. If it's going to a firewall, then it has to have routes pointing inward also so it has a path back. Did you keep the exact same addressing as the old HP switch?

Glen has nailed it - you need to double check and ensure you have basic layer 3 connectivity from and to the firewall to the switches.

Check your routes on all devices, making sure they are pointing to the next hop correctly.

Thanks Glen for the response. When I do a sh ip route I see a bunch of OSPF discovered routes, my default static route and now all the static routes I've had to add because users were complaining they could no longer connect to various places since the old HP had been decommissioned. The addressing on the HP switch was retained and all static routes (there were only very few) were copied over.

Somehow on the HP, the default route statement was working better and we did not have to specifically put the routes in to send the traffic to the firewall as I have had to do on this Cisco switch.

The firewall side is fine as nothing changed, and simply adding a static route to these networks via the firewall is fixing the users' problem, but this is not ideal and there might be several more who will call over the next few days that have routes set up on the firewall.

Cheers,

Martha.

Martha

Is it possible that your switch configuration includes the command no ip classless? Having this command in the config could produce the symptoms that you are experiencing. If you find that command change it to ip classless and see if the issue improves.

HTH

Rick

Hi Rick,

Thanks I've checked and one of the edge switches did indeed contain the no ip classless command, I've changed that and will test and get back to you as soon as possible.

Cheers,

Martha.

Martha

Thanks for confirming that one of the edge switches did have the no ip classless in its config. That command can produce the symptoms that you describe. With the normal default of ip classless in the config, a layer 3 device (router or switch) will forward packets with a destination address in an unknown subnet to the default route. But with no ip classless the layer 3 device adopts a classful approach to forwarding traffic. And in the classful approach the device assumes that if it has some subnets of a network in its routing table, it knows ALL of the valid subnets of that network. So if it is attempting to forward a packet and the destination address is in a subnet of some network, and the device knows some subnets of that network but not the subnet of the destination, then the device assumes that the destination is invalid, discards the packet and does not forward to the default route.

HTH

Rick
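The forwarding rule Rick describes, as an added example that is not from this thread or from Cisco: a small Python model of the route lookup with ip classless versus no ip classless, run over a constructed routing table that mirrors the thread (a few known subnets of 10.0.0.0/8 learned via OSPF, plus a static default to the firewall). All addresses and next hops are made up for illustration.

```python
import ipaddress

# Constructed sample routing table (hypothetical addresses), modelled on the thread:
# some subnets of the classful network 10.0.0.0/8 plus ip route 0.0.0.0 0.0.0.0 <firewall>.
FIREWALL = "192.0.2.1"
ROUTES = [
    ("10.13.1.0/24", "10.13.1.1"),    # connected subnet
    ("10.13.2.0/24", "10.13.100.2"),  # OSPF-learned subnet
    ("10.20.0.0/16", "10.13.100.3"),  # another OSPF-learned subnet of 10.0.0.0/8
    ("0.0.0.0/0", FIREWALL),          # static default route to the firewall
]

def classful_network(addr):
    """Return the classful (A/B/C) major network that an address belongs to."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return ipaddress.ip_network((int(addr) & 0xFF000000, 8))
    if first_octet < 192:
        return ipaddress.ip_network((int(addr) & 0xFFFF0000, 16))
    return ipaddress.ip_network((int(addr) & 0xFFFFFF00, 24))

def lookup(dest, routes, ip_classless=True):
    """Choose the next hop for dest; None means the packet is discarded.

    ip_classless=True : longest-prefix match, falling back to the default route.
    ip_classless=False: classful. If the table holds any subnet of dest's major
                        network but no specific match, the device assumes the
                        destination subnet does not exist and drops the packet
                        instead of using the default route.
    """
    dest = ipaddress.ip_address(dest)
    table = [(ipaddress.ip_network(prefix), nh) for prefix, nh in routes]
    best = None
    for net, nh in table:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return None                      # no route at all, not even a default
    if best[0].prefixlen == 0 and not ip_classless:
        major = classful_network(dest)
        knows_major = any(net.prefixlen > 0 and net.subnet_of(major)
                          for net, _ in table)
        if knows_major:
            return None                  # classful drop: default route is ignored
    return best[1]

def demo(dest="10.13.4.5"):
    """Compare both behaviours for a host in a subnet the switch has not learned."""
    return lookup(dest, ROUTES), lookup(dest, ROUTES, ip_classless=False)
```

With ip classless the unknown 10.13.4.0/24 host is sent to the firewall; with no ip classless the same packet is silently dropped, which is exactly why adding a specific static route "fixed" each complaint.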

Hi Rick,

Thanks for your detailed explanation. I have changed the command but the users were unable to connect once the static routes were removed.

Do I need to reboot the switch for the command to take effect (difficult as it's in a production environment), or is there a way to reset the switch to get the command to work without taking the switch down?

Cheers,

Martha.

Configuration is real time - post the config for review.

Thanks for your response Andrew, please see attached config.

As you can see, I have changed the ip classless command but the routes don't work till I have added the static.

Cheers,

Martha.

Hello Martha,

do

ip classless

no ip route

clear ip route *

Hope to help

Giuseppe

Thanks Giuseppe,

So just to clarify, if I am removing this static route, 10.13.4.0/24, which points towards the firewall, I will type as below:

ip classless

no ip route 10.13.4.0 255.255.255.0 firewall ip address

clear ip route *

What is the impact of doing a clear ip route * which clears all routes, on a device in a production network? Dare I do it now during working hours with no negative impact on the network?

Cheers,

Martha.

Martha,

I would not config the suggestion on the edge config you just posted.