<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0"
 xmlns:blogChannel="http://backend.userland.com/blogChannelModule"
>

<channel>
<title>Topic &#x27;[Config] ip default-gateway&#x27; in forum &#x27;Cisco&#x27; - dslreports.com</title>
<link>http://www.dslreports.com/forum/Config-ip-defaultgateway-32591415</link>
<description></description>
<language>en</language>
<pubDate>Fri, 25 Mar 2022 10:57:46 EDT</pubDate>
<lastBuildDate>Fri, 25 Mar 2022 10:57:46 EDT</lastBuildDate>

<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32597733</link>
<description><![CDATA[DarkLogix posted : <div class="bquote"><said>said by <a href="/profile/191509" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=191509');">tired_runner</a>:</said><p>Best practice is sourcing from always-on interface such as a loopback.<br><br>If switch runs L2 trunks to send traffic anywhere, then one must source from active or designated mgmt svi.<br></p></div>Yep.<br>If it's a plain L2 switch I'd use either a Management VLAN that you know will be active, or the native vlan used in the uplink trunk.<br><br>If it's a L3 switch then yes I'd use the loopback.<br><br>If it's just an L2 switch then it might not be able to be configured to do routing (Yes I know Cisco has changed that a bit but I wouldn't go in assuming a L2 switch can route anything other than just being pointed to its gateway.)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32597733</guid>
<pubDate>Mon, 09 Dec 2019 13:37:22 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32596742</link>
<description><![CDATA[tired_runner posted : Best practice is sourcing from always-on interface such as a loopback.<br><br>If switch runs L2 trunks to send traffic anywhere, then one must source from active or designated mgmt svi.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32596742</guid>
<pubDate>Sun, 08 Dec 2019 12:01:43 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32593352</link>
<description><![CDATA[DarkLogix posted : <div class="bquote"><said>said by <a href="/profile/1682941" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1682941');">alana</a>:</said><p>From a radius perspective, we have the following command on our switches <br><br>ip radius source-interface Vlan111<br><br>vlan 111 is the only svi on the switch.<br><br>code version:  15.0(2)EX3 <br></p></div>Well if it's the only SVI then it's kind of unneeded to have that command.<br>That command is more important when you have multiple SVI's and you want to ensure that the communication is going to be sourced from a specific SVI.<br><br>Personally I've done that too for SNMP and SSH, but again if there is only one L3 interface then it's not really changing anything as that's the only interface it can be sourced from.<br><br>And those source-interface commands can be even more important for routers outside of the firewall.  (IE you then want to make sure it has a management VRF and that things like SNMP, SSH, and radius only come via that management port and not a port out on the internet.)<br><br>IE the source-interface command can be security related, also it can be involved with ensuring security doesn't get in the way.<br>IE say you have a switch with multiple L3 interfaces and one of them is in a guest network, so any traffic from that subnet would be blocked when trying to get to some parts of the network, thus you might not want Radius, SSH, or SNMP traffic to by chance come from that L3 interface and instead you want it to come from one you designate.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32593352</guid>
<pubDate>Wed, 04 Dec 2019 15:58:27 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32593271</link>
<description><![CDATA[alana posted : From a radius perspective, we have the following command on our switches <br><br>ip radius source-interface Vlan111<br><br>vlan 111 is the only svi on the switch.<br><br>code version:  15.0(2)EX3 ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32593271</guid>
<pubDate>Wed, 04 Dec 2019 15:01:29 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592978</link>
<description><![CDATA[DarkLogix posted : <div class="bquote"><said>said by <a href="/profile/835549" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=835549');">mbruno</a>:</said><p> no SVI on the router just vlan # plus iP?<br></p></div>And SVI ie Switch virtual interface<br>&raquo;<A HREF="https://en.wikipedia.org/wiki/Switch_virtual_interface" >en.wikipedia.org/wiki/Sw &middot;&middot;&middot; nterface</A><br><br>Is just a Layer 3 interface in a Layer 2 vlan.<br><br>So if the router is truly a router and not a switch doing intervlan routing I'd expect it to be done on the router side with sub interfaces or with BVI's.<br>BVI = Bridge Virtual Interface<br>&raquo;<A HREF="https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/200650-Understanding-Bridge-Virtual-Interface.html" >www.cisco.com/c/en/us/su &middot;&middot;&middot; ace.html</A><br><br>But the way it may have been working before is if it was using a feature set that allowed the command "IP routing" and that was in place it could have had a route such as "ip route 0.0.0.0 0.0.0.0 10.1.1.1" but if in upgrading you went from say a pre-universal to a universal image and possibly lost the higher feature set then those commands would be gone.<br><br>On a switch an SVI as I described above is done as "interface vlan #".<br><br>To be sure we'd need to see the show ver before and after the upgrade, and if you have the pre-upgrade config.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592978</guid>
<pubDate>Wed, 04 Dec 2019 10:33:31 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592953</link>
<description><![CDATA[mbruno posted : ok then how was it working before without issue? no SVI on the router just vlan # plus iP? I would show the config but I am not authorized to do so.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592953</guid>
<pubDate>Wed, 04 Dec 2019 10:19:59 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592929</link>
<description><![CDATA[DarkLogix posted : <div class="bquote"><said>said by <a href="/profile/835549" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=835549');">mbruno</a>:</said><p>So the radius server is in another vlan but since the router is doing router on a stick it should already know about the connected network with the routing table on the router.<br></p></div>No it wouldn't.<br><br>If the destination is in another subnet then without a default gateway it'll only know how to reach other hosts in the same subnet as its SVI.<br><br>Router on a stick doesn't make it automatically learn how to get to another subnet.<br><br>Knowing how to get to "directly connected networks" only includes the subnet(s) that an active SVI is in.<br>IE if you have an SVI like the following<br><br>Interface Vlan 2<br>ip address 10.254.254.20 255.255.255.0<br><br>And that's the only SVI, then the only directly connected network would be 10.254.254.0/24, any subnet beyond that will be unreachable without a default gateway.<br><br>though if you have the following<br><br>Interface Vlan 2<br>ip address 10.254.2.20 255.255.255.0<br>Interface Vlan 3<br>ip address 10.254.3.20 255.255.255.0<br>Interface Vlan 4<br>ip address 10.254.4.20 255.255.255.0<br>Interface Vlan 5<br>ip address 10.254.5.20 255.255.255.0<br><br>And "show ip int bri" shows that all 4 SVI's are active, then the scope of directly connected would encompass 10.254.2.0/24, 10.254.3.0/24, 10.254.4.0/24, 10.254.5.0/24, but any subnet beyond those 4 is not directly connected and some form of routing statement would be needed.<br><br>So in the 2nd scenario if you wanted it to reach an IP in 10.254.1.0/24 it would need a route to that subnet or a default route where the router knows a route to that subnet.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592929</guid>
<pubDate>Wed, 04 Dec 2019 10:00:10 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592824</link>
<description><![CDATA[mbruno posted : So the radius server is in another vlan but since the router is doing router on a stick it should already know about the connected network with the routing table on the router.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592824</guid>
<pubDate>Wed, 04 Dec 2019 07:52:59 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592823</link>
<description><![CDATA[mbruno posted : So to answer some of the questions. Yes, I had to reboot the switch after the upgrade and there were only two options to choose for the image. I am running cat3k_caa-universalk9.16.06.07.SPA.bin. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592823</guid>
<pubDate>Wed, 04 Dec 2019 07:50:51 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592388</link>
<description><![CDATA[HELLFIRE posted : FWIW, in Cisco's own hand : &raquo;<A HREF="https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/16448-default.html" >www.cisco.com/c/en/us/su &middot;&middot;&middot; ult.html</A><BLOCKQUOTE><SMALL>quote:</SMALL><HR>Use the ip default-gateway command when ip routing is disabled on a Cisco router. Use the ip default-network and ip route 0.0.0.0 0.0.0.0 commands to set the gateway of last resort on Cisco routers that have ip routing enabled. The way in which routing protocols propagate the default route information varies for each protocol. <HR></BLOCKQUOTE>I'm taking a stab you had to reboot the switch during your code upgrade mbruno?  As a WAG*, reboot killed whatever route / arp entries it was previously using to get to RADIUS, et al.  Unfortunately, it's all a WAG*<br><br>Dumb Question(TM), and building on DarkLogix's point, besides the code version upgrade, what about code featureset -- ie. was it a LANBASE to LANLITE, or something?<br><br>Regards<br><br><b>*W</b>ild <b>A</b>** <b>G</b>uess]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592388</guid>
<pubDate>Tue, 03 Dec 2019 17:13:26 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592024</link>
<description><![CDATA[DarkLogix posted : <div class="bquote"><said>said by <a href="/profile/1335675" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1335675');">coxhaus</a>:</said><p>Yes I understand directly connected networks. When you change IP networks directly connected or not you are using layer3.<br></p></div>Yep, and if you don't have an active SVI in that subnet it's not directly connected at L3.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592024</guid>
<pubDate>Tue, 03 Dec 2019 11:58:56 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592022</link>
<description><![CDATA[coxhaus posted : Yes I understand directly connected networks. When you change IP networks directly connected or not you are using layer3. IP default-gateway is looking for a layer3 device.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592022</guid>
<pubDate>Tue, 03 Dec 2019 11:57:05 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592010</link>
<description><![CDATA[coxhaus posted : I was referring to Cisco small business switches.  I have not been on IOS in many many years.  We were running CAT 6600 switches back then for L3.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592010</guid>
<pubDate>Tue, 03 Dec 2019 11:48:34 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592001</link>
<description><![CDATA[DarkLogix posted : <div class="bquote"><said>said by <a href="/profile/1335675" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1335675');">coxhaus</a>:</said><p>If I hook up a switch with just a trunk with a few VLANs then I don't define IP route because I know this switch will be only defined as layer2. But I always define IP default-gateway.<br></p></div>Well if the switch is not going to be managed that's fine.<br><br>But if say the server the switch's management interface needs to reach isn't in the same subnet as the management interface (IE be it a radius server, SNMP monitor server, or just an SSH client) then since at L3 it only knows directly attached subnets that are attached to VLAN's with an SVI it won't be able to reach to another subnet to talk to the server.<br><br>Now if the switch has IPservices (Or IP base) then you can issue the command "IP routing" and then use multiple SVI's and/or a standard routing statement.<br><br>IE by standard routing statement I mean the following.  (IE where 10.1.2.1 is the router's IP in that subnet)<br><pre class="brush: text">ip route 0.0.0.0 0.0.0.0 10.1.2.1</pre><!--end code block-->vs if you don't have the "IP routing" command in the config you'd achieve the same via this.<br><pre class="brush: text">ip default-gateway 10.1.2.1</pre><!--end code block--><br>The difference being that without the "IP routing" command in place it only sees one L3 network, and that's where its SVI is active.<br><br>I could see one possibility being that prior to the upgrade it was maybe running IP base or IP services, but oddly after it's on Lan Lite and thus the "IP routing" command was purged from the config as not being supported, or another possibility is there were multiple SVI's but after upgrading all but one got disabled.<br>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32592001</guid>
<pubDate>Tue, 03 Dec 2019 11:44:37 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591992</link>
<description><![CDATA[DarkLogix posted : <div class="bquote"><said>said by <a href="/profile/1335675" onClick="this.blur(); return popup(event,'/uidpop?ajh=1&uid=1335675');">coxhaus</a>:</said><p> In the last few years the switches now run in both modes so no easy way to tell layer mode.<br></p></div>It's not about "mode"<br>If the switch has the command "IP routing" in its config then the "IP default-gateway" command is ignored and you have to set the default gateway via a standard routing statement.<br><br>Both are layer 3 functions, it's just a matter of if the switch's L3 functions are set to support multiple SVI's and thus multiple routes or just a simple gateway of last resort.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591992</guid>
<pubDate>Tue, 03 Dec 2019 11:37:28 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591986</link>
<description><![CDATA[DarkLogix posted : Is the radius server in the same subnet as the SVI on the switch?<br>Guessing the switch is not running IP services and thus isn't doing intervlan routing and thus only has one SVI.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591986</guid>
<pubDate>Tue, 03 Dec 2019 11:33:56 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591933</link>
<description><![CDATA[coxhaus posted : IP Default-gateway and IP default route always gave me trouble, one being at layer2 and one being at layer3. It is a fine line you walk with Cisco switches nowadays.  In the old days it was easy: the expensive switches were L3 and cheaper switches were L2.  I am retired 13 years now and I only play with the Cisco small business switches which started out easy also because the small business switches were either in layer2 or layer3 with a mode setting.  In the last few years the switches now run in both modes so no easy way to tell layer mode.  Now I have to check all the uplink connections to see if they are access ports or trunk ports and whether there is an IP change or not.  An access port will force the switch to use layer3 whereas a trunk port is passing the data for another router.  So I just try to keep both IP default-gateway and IP default route defined on switches.<br><br>PS<br>If I hook up a switch with just a trunk with a few VLANs then I don't define IP route because I know this switch will be only defined as layer2. But I always define IP default-gateway.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591933</guid>
<pubDate>Tue, 03 Dec 2019 11:03:33 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591779</link>
<description><![CDATA[mbruno posted : @hellfire The only thing I noticed that was different from before was under the show ip route section I had no default gateway but it knew that my connected network was the core switch which it knew about since it is directly connected to it. After I upgraded the switch, it still knew about the same network, nothing changed. The only exception is I told the switch to use the default gateway of the core router. This router happens to be also doing the router on the stick.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591779</guid>
<pubDate>Tue, 03 Dec 2019 07:57:28 EDT</pubDate>
</item>
<item>
<title>Re: [Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591643</link>
<description><![CDATA[HELLFIRE posted : Happen to grab any pre/postchange from your work?  "show ip route" and "show arp" would be my first thoughts.<br><br>Otherwise "ip default-gateway" is the command that tells a Catalyst switch "any unknown traffic, send it this way."<br><br>Regards]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Re-Config-ip-defaultgateway-32591643</guid>
<pubDate>Mon, 02 Dec 2019 23:32:16 EDT</pubDate>
</item>
<item>
<title>[Config] ip default-gateway</title>
<link>http://www.dslreports.com/forum/Config-ip-defaultgateway-32591415</link>
<description><![CDATA[mbruno posted : Hello all, I had something really weird happen to me today and I was wondering if someone could shed some light on this to clear this up for me. So for the past few days, I have been having an issue after upgrading one of our access layer switches from a 15.x release to version 16.6.x release. We are currently using I believe it was a 3650-24ps-s. So I noticed after upgrading I could no longer SSH into the switch, the authentication would fail right out of the gateway. However, I could authenticate to the other network devices on the network just fine using the same radius server with the same username and password, no problems at all. The only way I could communicate with the switch for management was to console into the switch and use the local account on the switch. The switch itself worked fine in all other capacities for moving data and things of that nature but not authenticating using SSH via radius.<br><br>So the important thing to remember here is that I changed nothing on the original configuration besides doing a simple version upgrade.  What I found out here is that I had to use the command of IP default-gateway for routing. To give you some perspective on how one of our networks is structured is the following.  (troubled switch)  ------> (core switch) ---------> (router, router on a stick) --------> (back to core switch) ----------> (back to pain in the ass switch) The other thing to note here is we do not use any routing protocols on this network so everything knows what it is directly connected to. In the past, this worked just fine without having to use the "ip default-gateway" command. So why now does it bitch about it now and not before? Can someone please explain this to me? The rest of this network does not use the default gateway and it works fine. Is it just pure dumb luck they are working and I should really put this command in since we are not using routing protocols? 
Any insight would be appreciated.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/Config-ip-defaultgateway-32591415</guid>
<pubDate>Mon, 02 Dec 2019 19:16:11 EDT</pubDate>
</item>
</channel>
</rss>
