OK for Default Gateway to be in Different Subnet?

When the switch wants to reach another IP belonging to a different network, it will attempt to forward the packet to its configured default gateway. In your case, the default gateway is in a different network - it won't arp for it - there's no way to forward the packet because it doesn't know the MAC address of the gateway.

A solution could be using proxy arp (depending on your current IP addressing of course)

I see I left out an important fact: the switch is on a different logical network but the same physical network. When it ARPs for the MAC address of the gateway, won't the router see the broadcast and reply?

If it functions today it is because the router interface is configured for proxy-arp (sh ip interface). It is not a particularly good idea from a security perspective to have IP proxy-arp enabled.

It depends. If your switch IP/subnetmask config is such that the router it's trying to reach does not belong to its own network, it won't even attempt to send ARP requests.

Cen, Thanks, I understand. I suppose I could play with the mask, but I don't think I'll persue that path.

If I recall correctly, there's a way to permanently map a MAC addr to an IP address. What's this called? Do most manageable switches have this feature?

BellSouth is the ISP and they own the router at this site. In order to add a secondary address to the router's inside interface, I have to call them.

Is the managed switch reachable from the router ?

Is their an ARP entry for the default gateway in the switches ARP cache ?

Merv, I can ping the router from the switch but the IP address of the router does not appear in the switch's ARP table. How does this work?

I cannot obtain even the low-level password to log into the router to ping the switch. I can try to ping the switch from the outside tonight at home.

Can you post the switch config ( without passwords of course)?

Can you telnet to the switch ?

Merv, It's not a Cisco switch so the config is not what we're used to seeing, but I've pasted some info below with public address of gateway munged. I can telnet to the switch from the inside with no problem. I will try from home tonite.

SS3R24i:4#show switch Command: show switch

Device Type : SS3R24i Fast-Ethernet Switch Module Type : SSmx 1-port GBIC Gigabit Ethernet and 1 Stacking Port Unit ID : 1 MAC Address : 00-02-41-00-62-C0 IP Address : 192.168.168.89 (Manual) VLAN Name : default Subnet Mask : 255.255.255.0 Default Gateway : xxx.yyy.95.1 Boot PROM Version : Build 2.00.001 Firmware Version : Build 3.00-B24 Hardware Version : 2B1 Device S/N : System Name : System Location : System Contact : Spanning Tree : Disabled GVRP : Disabled IGMP Snooping : Enabled RIP : Enabled DVMRP : Disabled PIM-DM : Disabled OSPF : Disabled TELNET : Enabled (TCP 23) WEB : Enabled (TCP 80) RMON : Disabled

I have some new info which somewhat contradicts what I said earlier: I can ping the router from my workstation connected to a switch port but cannot ping the router when I'm logged into the switch using the CLI.

This makes perfect sense given the ARP issue Cen mentioned. I will investigate if I can create static mapped entries.

If you can ping the router interface form your PC, then I assume you PC has an address in the router's IP subnet.

That being the case then why not just change the switch managment address to also be in the current router IP subnet ???