OK, this may sound silly, but here goes....
Imagine you have a layer 3 switch with, say, vlan 5 configured on it. And then hanging off that layer 3 switch is a layer 2 switch with a vlan 5 interface configured for management purposes.
Do you have to configure a default gateway (default route) to the layer 3 switch's vlan interface on the layer 2 switch or will the layer 2 switch discover its default gateway by ARPing?
You would certainly need to configure a default gateway on the layer 2 switch pointing to the layer 3 device's IP to be able to reach destinations beyond the LAN (vlan 5). The command would be 'ip default-gateway
Sundar, I thought the same thing, but Cisco says you do not have to do so on the Cisco 2960 switch, for example. They say you only have to do so if you did not configure IP routing on the layer 2 switch.
Check out this output from an "ip ?" query on a 2960 switch:
Global IP configuration subcommands:
default-gateway Specify default gateway (if not routing IP)
The ip default-gateway command on a layer two switch just tells the switch where to send management traffic from the switch if it is destined for another subnet than the switch is on. For hosts connected to your 2960, their default gateway should be the address of the vlan 5 interface on your layer 3 switch.
You probably know the difference between a default route and a default gateway. I don't know whether the 2960 is a layer 3 capable switch. Let's assume it's a layer 3 capable switch and you have IP routing enabled; then you would add this command to route all unknown traffic to the next-hop address.
ip route 0.0.0.0 0.0.0.0 172.16.1.5 --> Gateway of last resort when IP routing is enabled.
In the 2nd scenario, if you turn off ip routing in the switch then you would add this command to forward all unknown traffic to the next-hop IP.
ip default-gateway 172.16.1.5 --> Gateway of last resort when IP routing is disabled.
The biggest difference between the two is the default route would be used by the switch to forward all traffic that's passing through the switch whereas the default-gateway would only be used to forward traffic (management traffic) that's originated from the switch.
Sundar, yes, I know the difference between a default gateway and a default route. I sometimes use the two terms loosely, though.
Nonetheless, what I am saying is that the Cisco 2960 is a layer 2 switch, not 3, and that it does NOT need a default gateway configuration.
I have a 2960 with a management interface on a vlan (which also exists on the layer 3 switch - hence, it's "flat"), and NO default gateway set up, yet I can PING, TELNET, etc., from the switch itself to any network.
I think the 2960 does a proxy ARP, the layer 3 switch responds with its mac-address as a default gateway for the switch to use, and the switch just forwards its management/utility traffic to that mac-address...hence, no need for the default gateway command to be configured.
As I said, I THINK this is what's happening, because I have NO default gateway set up, yet the switch is reachable from any subnet.
If this is indeed the case, does it also apply to ANY layer 2 switch?
Ahh I see. You are probably using a different subnet mask (unintentionally) on the 2960. What's the IP/subnet mask of vlan 5 int on both switches?
It DOES work, so I can't be using different masks. The switch IS able to communicate with hosts on other vlans. If I was using different subnet masks, then it would NOT work. The subnet masks on the switch and the router are both /24.
It seems like I am answering my own question, but as I said, I am only speculating as to why the layer 2 switch can forward management/utility (telnet, PING, etc) traffic without the default gateway command being configured.
If indeed the 2960 does a proxy ARP with the layer 3 switch, then is that also the case for ANY layer 2 switch? I do remember having to configure a management interface on the CatOS-based switches (4006) and also having to configure a default route. I don't think the CatOS switches had a default gateway command, so you had to use the default route command.
Any feedback on these thoughts?
Not really. It would work even if you have a different mask. Here's a scenario.
layer 3 switch:
int vlan 4
ip add 10.1.4.1 255.255.255.0
int vlan 5
ip add 10.1.5.1 255.255.255.0
layer 2 switch:
int vlan 5
ip add 10.1.5.2 255.255.0.0
Look at the subnet mask on the layer 2 switch. Let's say you attempt to telnet to 10.1.4.1 from the layer 2 switch. The switch would think 10.1.4.1 is on the same LAN based on the /16 subnet mask and ARP for it; the layer 3 switch would respond with a proxy ARP and telnet would succeed. Instead, if the correct subnet mask of /24 was configured on the layer 2 switch, then with no default gateway configured the traffic would be dropped right there. BTW, proxy ARP is enabled by default on Cisco routers.
As you can see, though there is no default gateway configured on layer 2 switch you are still able to get to a remote network because of the subnet mask variation.
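Here is an added example (not from this thread or from any Cisco code) that models the on-link decision behind the scenario above and the earlier point that ip default-gateway only serves switch-originated traffic: a non-routing device ARPs directly for anything its mask says is local, otherwise uses its default gateway, and otherwise drops. It uses the addresses from Sundar's scenario as constructed sample values.

```python
# Added example: models what a non-routing layer 2 switch does with traffic it
# originates, given its management SVI mask and an optional ip default-gateway.
import ipaddress
from typing import Optional


def next_hop_action(iface_cidr: str, dst_ip: str,
                    default_gateway: Optional[str] = None) -> str:
    """Return the forwarding action for switch-originated traffic to dst_ip.

    iface_cidr      -- management SVI address with mask, e.g. "10.1.5.2/24"
    dst_ip          -- destination the switch is trying to reach
    default_gateway -- value of 'ip default-gateway', or None if not set
    """
    iface = ipaddress.ip_interface(iface_cidr)
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        # Destination looks local, so the switch ARPs for it directly. For an
        # off-subnet host this only works if a router answers with proxy ARP.
        return f"arp-for {dst}"
    if default_gateway is None:
        # Not local and no gateway configured: the packet is dropped.
        return "drop"
    # Off-subnet with a gateway: ARP for the gateway and send to its MAC.
    return f"arp-for {default_gateway}"


def mask_mismatch(a_cidr: str, b_cidr: str) -> bool:
    """True when two devices on one VLAN disagree about the subnet boundary.

    This is the misconfiguration that lets proxy ARP silently mask a
    missing default gateway, as in the /16 versus /24 scenario.
    """
    a = ipaddress.ip_interface(a_cidr)
    b = ipaddress.ip_interface(b_cidr)
    return a.network != b.network


if __name__ == "__main__":
    # Constructed sample values taken from the scenario in the thread.
    l3_vlan5 = "10.1.5.1/24"
    l2_wrong = "10.1.5.2/16"   # the /16 mask on the layer 2 switch
    l2_right = "10.1.5.2/24"
    print(next_hop_action(l2_wrong, "10.1.4.1"))              # arp-for 10.1.4.1
    print(next_hop_action(l2_right, "10.1.4.1"))              # drop
    print(next_hop_action(l2_right, "10.1.4.1", "10.1.5.1"))  # arp-for 10.1.5.1
    print(mask_mismatch(l3_vlan5, l2_wrong))                  # True
```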
yes, you are absolutely right. My mistake. Thank you.
Nonetheless, I did check the mask and it is set correctly on both switches. So, I guess the 2960 IS proxy ARPing with the router, right? And that is why you don't need to configure a default gateway.
So, is that also true for every layer 2 switch? Specifically, that, if I have a management interface in the same vlan/subnet that's configured on the layer 3 switch, I won't need to configure a default gateway or default route?
You are correct!! Honestly, I didn't think it would work that way until I tested it in my lab. Technology for sure is changing rapidly!!
My lab switch (layer 2) sure did ARP out every port for a remote network and there was no default gateway configured in it. The router that knew how to get to that network did respond w/proxy ARP and everybody was happy.
As far as your question goes, if I were you I would configure a default gateway anyway in all the switches, as I wouldn't count on proxy ARP. Moreover, proxy ARP adds some overhead to the devices.
I didn't think it would work either! :-)
But I'm glad that it all makes sense to me and I am happy that you confirmed our suspicions in your lab environment. Thank you very much!
I forgot to mention one other thing. I also did a little testing of my own using a CatOS based 4006 switch. When I removed the "ip route" command ("default gateway" command is not available), I lost connectivity to the switch. So, apparently, that switch does not proxy ARP.
So, as you said, I would always install the default route/gateway command to avoid any problems.