I'm replacing 4 2950 switches for 2 3560 switches, there are several VLANs and for the most part the Firewall is doing all the routing. The current 2950s do not have a default gateway set, for any VLAN, so my question is should I setup a default gateway in the new switches, or does that make it less secure? Should I set an IP address for each VLAN and corresponding default gateway? There is only one VLAN with an IP and so long as I'm on one of the servers that are in the same subnet as the switches I can manage the switches. Currently the default VLAN (1) is shut down; unfortunately for me I didn't install this network so I'm inheriting this and the admin that did is unavailable.
We are basically an eCommerce type infrastructure, where I have 3 layers, the Internet layer, the Application layer, and the DB layer.
With the 2950 switch your only option was to operate it as a layer 2 switch, which means that some other device must supply the layer 3 routing function. It is not clear from your post but am I correct in assuming that you will continue to operate the switches as layer 2 switches and depend on the firewall (or whatever) for routing?
A switch (including the layer 2 only 2950s) can have multiple active VLANs and forward layer 2 traffic on each VLAN. The layer 2 switch configures a VLAN interface with an IP address to provide the ability to remotely manage the switch. With an appropriate default gateway configured you should be able to access the switch from anywhere in your network. With no default gateway you make it more difficult (but not necessarily impossible) to access the switch from outside the VLAN/subnet. Some of the switches will ARP for remote destinations if they do not have a default gateway configured. If the switch does ARP and if some layer 3 device has enabled proxy ARP then the switch will be able to communicate with remote subnets.
While we can make the point that the default gateway is not required, I believe that configuring a default gateway is a good idea and I suggest that you do configure it. If you are worried about security there are better ways to secure the switch than to not have a default gateway.
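As an added illustration (not part of the thread, and not the original poster's configuration), here is a Cisco IOS configuration for the setup described above: a 3560 left as a layer 2 switch with one management SVI and a default gateway, where a VTY access-class restricts management sessions instead of omitting the gateway. The addresses (192.0.2.0/24), VLAN number and ACL number are constructed placeholders.

```cisco
! Added example, not from the thread. 192.0.2.0/24 is a constructed placeholder
! standing in for the real management/server subnet; VLAN 10 and ACL 10 are assumed.
!
! Keep the 3560 in layer 2 mode so the firewall stays the only router.
! "ip default-gateway" is only honoured while ip routing is disabled.
no ip routing
!
! Dedicated management VLAN; VLAN 1 stays shut down as it was found.
vlan 10
 name Management
!
interface Vlan1
 shutdown
!
interface Vlan10
 description Management SVI
 ip address 192.0.2.11 255.255.255.0
 no shutdown
!
! Gateway used for management replies to hosts outside the subnet.
! Without it the switch can only reach remote subnets via proxy ARP, if any.
ip default-gateway 192.0.2.1
!
! Limit who may open a management session rather than hiding the switch:
! only hosts on the management/server subnet may reach the VTY lines, SSH only.
access-list 10 remark Hosts allowed to manage the switch
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in
 transport input ssh
```

The `deny any log` entry records rejected management attempts, which is worth watching on an e-commerce network where the switches sit between the Internet, application and DB layers.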
Thanks for the reply, and you are correct I'm going to continue to allow the FW to do the routing. However, I believe if my main benefit is to allow me to manage the switches from anywhere then I'd prefer to simply leave out the default gateway. The fewer servers that can access them the better.