Is it wrong to configure access layer switches as layer 3

adeebtaqui
Level 4

Is it wrong to configure access layer switches as layer 3 instead of layer 2, as all the latest 9200/9300 series Essentials switches are layer 3 by default, i.e. ip routing is enabled? Hence I define an interface VLAN IP for all VLANs being spanned through the network and an ip route to the core for routing instead of an ip default-gateway to the core.

What is the best practice?

16 Replies

Are there the same VLANs in the other switches?

Data, VoIP, WiFi and security/CCTV VLANs are the same throughout all switches.

Then configuring the GW of a VLAN (for example Data) in one access SW makes this SW do all inter-VLAN routing for all hosts in the Data VLAN;
you need to push the GW up to the core SW, which has more resources to process this inter-VLAN traffic.

@adeebtaqui I would say using the access layer switch as L3 is neither right nor wrong; it's totally up to design.

If you are using the same VLANs across all the access switches, then I would say use them as L2.

Advantage: you can use the same VLAN across the campus.
Disadvantage: MAC addresses will flood through the network and spanning-tree will play the key role in this setup.

If you are using the access layer as L3, then on each switch you can create different VLANs for Data, VoIP, WiFi and Security/CCTV.

Advantage: no more worry about spanning-tree (it's still present on the network), no more MAC flooding, and easy identification of devices, as each access switch has a different subnet.

Disadvantage: you have to configure static/dynamic routing between switches and maintain many IP subnets. If you move a device (AP, IP phone, CCTV) from one switch to another, the IP of that device will change.

"Advantage: you can use the same VLAN across the campus."

Perhaps, debatable how much of an "advantage" that is.

"Disadvantage: you have to configure static/dynamic routing between switches and maintain many IP subnets. If you move a device (AP, IP phone, CCTV) from one switch to another, the IP of that device will change."

BTW, if every 24 or 48 port L3 switch is its own L3 node, subnets do tend to become numerous.  However, if your edge is a large chassis L3 switch, or a stackable set of 24/48 port switches, you often do not need as many small subnets.

(As an aside, one of the "biggest" [for port density] single physical device L3 edge switches I ever supported was a Cisco 6513 with eleven 96 port line cards supporting a VoIP phone and PC on each port.  Later on, I supported single "logical" edge L3 devices with 6500s and IAs or Nexus with FEXs, providing even more ports.  [Even with these "monster" edge L3 devices, almost all routing was North:South.])

"Disadvantage: you have to configure static/dynamic routing between switches and maintain many IP subnets. If you move a device (AP, IP phone, CCTV) from one switch to another, the IP of that device will change."

BTW, which is why most edge hosts support/use DHCP, hopefully bound to dynamic DNS.  APs are not a problem if bound to a controller.

Hi

It depends. If your core or distribution is a stack or VSS, then keeping the access switch in layer 2 is the best practice, because you can double the uplink speed. You can bundle two gigabit or ten-gigabit interfaces together and create one uplink of 2 gig or 20 gig or forty, etc.

And you can have one VLAN anywhere you want just by adding it to the port channel of the access switch.

But if your cores are two separate switches, then I see more advantage in keeping the access switch in layer 3, because in layer 2 one uplink will be dead due to spanning-tree.

Using layer 3 in this case, you can create OSPF between them and benefit from the flexibility of a routing protocol. You can also have redundancy and load balance the uplinks, thus increasing capacity.

The only problem with layer 3 on access is if you need to extend VLANs or move them around, as the VLANs will only be local to the access switch.

Joseph W. Doherty
Hall of Fame

Wrong to have L3 at access/edge?  Not at all.  In fact, I recall (?), Cisco used to recommend it, although not quite at the level of a best practice.  (I haven't read their design guides, for years, so don't know Cisco's current recommendations.)

That said, in the past, usually it wasn't done for a couple of reasons.  First, often edge devices, especially user edges, don't have East/West traffic (consider where private VLANs might be used).  Second, L3 switches tend to be more expensive, with often further cost for dynamic routing beyond RIP (and additional contract maintenance costs for both.)

Hello

Pros - limits STP to within each access layer switch, thus no issue with STP L2 loops within the LAN estate, no L2 blocking of links, host-to-host communication between VLANs is always routed, no FHRP is required, and L3 convergence would be a lot quicker than L2 STP convergence.

Cons - you cannot extend L2 VLANs between the access-layer switches; each switch will have specific VLANs assigned with L3 addresses, meaning you cannot have the same VLANs across multiple switches, so if your LAN requires VLAN extension, a routed access layer isn't viable.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

"Cons - you cannot extend L2 VLANs between the access-layer switches; each switch will have specific VLANs assigned with L3 addresses, meaning you cannot have the same VLANs across multiple switches, so if your LAN requires VLAN extension, a routed access layer isn't viable."

BTW, there are ways to extend L2 across L3, but, generally, one should inquire must we really?

Hello 


@Joseph W. Doherty wrote:

BTW, there are ways to extend L2 across L3, but, generally, one should inquire must we really?

I do not disagree, Joseph; however, given the context of the OP, I assumed this setup wasn't in the realms of referring to such features and was querying a L3 access layer within a traditional LAN campus design.



Kind Regards
Paul

The reason I added my posting: your "CON", IMO, isn't really a con of a L3 access switch, because a L3 switch is still a fully functional L2 switch.

Of course, if you use the L3 switch only for its L3 capabilities, you've precluded using L2 for something like VLAN extension across switches, but the L3 switch itself doesn't preclude doing both L2 and L3 concurrently.

The way I read your statement (perhaps incorrectly, or not as intended), it says L3 switches, if doing L3 at the access layer, "cannot" extend L2, implying it's impossible.

Between a pair of L3 switches, I can pass VLAN(s) across a trunk, just as you would between a pair of L2 switches, and on that same trunk, I can have a dedicated "p2p" VLAN, used for routing between those switches.

I don't know if you've ever done this yourself, but I have; it works fine.  Basically it allows use of a L3 switch as L2 and/or L3 as desired.  (It also has a side benefit: if such a port fails, you might already have a similar port configured likewise, which causes no conflict as L3 routed ports would.  I.e. all you need to do is repatch to the standby port, no switch configuration changes needed.  [BTW, for just L3, that can also be done using access ports.])

If the foregoing is unclear, consider:

L2SW1  L2SW2  L2SW3

V101   V101
       V102   V102
V5     V5     V5
V#     V#     V#
V#     V#     V#
V#     V#     V#

In the above there's a trunk between SW1 and SW2 and between SW2 and SW3.

Each trunk allows VLAN5.  Trunk between SW1 and SW2 also allows VLAN101, while trunk between SW2 and SW3 also allows VLAN102.

VLAN5 is a "classic" extension of a VLAN between L2 switches.

VLANs 101 and 102 only have an SVI on each switch supporting a routed p2p network (i.e. /30 or /31).

All the other VLANs on the switches are only known to each switch.  Each has its own SVI.  For those VLANs to intercommunicate, between switches, they need to use the p2p VLAN/network.

VLAN5 can have an SVI on any of the three L3 switches, or even all three switches or none at all.

Perhaps your "cannot" wasn't also intended as "impossible", but that's the way I read it, and hopefully the above shows it certainly isn't impossible.

PS:

Forgot to mention, the above also allows a migration from a "classic" L2 topology to an L3 topology, as you can run old next to new side by side, and with DHCP hosts, all you might need to do is reassign the ports' access VLAN number.
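The SW1/SW2 half of that layout expressed as IOS configuration, added here as an illustration and not taken from the thread; the hostnames, port numbers, VLAN 10/20 as the switch-local VLANs and the 10.x addressing are all assumed:

```ios
! SW1 (assumed hostname): trunk to SW2 carries VLAN 5 (extended L2) and VLAN 101 (routed p2p only)
ip routing
!
vlan 5
 name DATA-EXTENDED
vlan 10
 name SW1-LOCAL
vlan 101
 name P2P-SW1-SW2
!
interface GigabitEthernet1/0/48
 description Trunk to SW2
 switchport mode trunk
 switchport trunk allowed vlan 5,101
!
interface Vlan10
 description Local VLAN; SVI exists only on this switch, VLAN not on the trunk
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan101
 description Routed p2p with SW2 (/30); no access ports belong to this VLAN
 ip address 10.255.1.1 255.255.255.252
!
! SW2's local VLAN 20 is reached through the p2p network, never bridged over VLAN 5
ip route 10.2.20.0 255.255.255.0 10.255.1.2
!
! SW2 (assumed hostname): mirror image; VLAN 5 has no SVI here, so it is pure L2 on this switch
ip routing
!
vlan 5
 name DATA-EXTENDED
vlan 20
 name SW2-LOCAL
vlan 101
 name P2P-SW1-SW2
!
interface GigabitEthernet1/0/47
 description Trunk to SW1
 switchport mode trunk
 switchport trunk allowed vlan 5,101
!
interface Vlan20
 ip address 10.2.20.1 255.255.255.0
!
interface Vlan101
 ip address 10.255.1.2 255.255.255.252
!
ip route 10.1.10.0 255.255.255.0 10.255.1.1
```

The check worth making on each side is `show interfaces trunk`: only VLANs 5 and 101 should be allowed and active on the trunk, since a local VLAN accidentally added to the allowed list would turn the routed boundary back into a spanned L2 domain.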

adeebtaqui
Level 4

All the latest 9200/9300 Catalyst switches, which are the Cisco recommended switches for the access layer, are by default layer 3 enabled with ip routing.

Hence, making them layer 2 when deploying at the access layer looks like not utilizing the resources of the switch.

L3 by default can support the same VLAN, for example data/wifi/voip/cctv, across all access layer switches up to the core layer by creating a VLAN interface for each VLAN on all switches, and ip routing, which is there by default.

We can add a default route to the core directly instead of having a default-gateway.

The only addition is the assignment of an IP for each switch for each VLAN.

I don't see any other issue.

Hence, I suggest not wasting the L3 features of new Catalyst switches by downgrading them to L2, as was done in past deployments with older-featured switches.

You have multiple access SWs and all have the same VLAN X and VLAN Y.

You decide to configure the SVI in the access SW and do inter-VLAN routing between the VLANs.

Here is the issue: you have multiple access SWs, as I mentioned above; now the DHCP server will reply to hosts with the IP of the default GW.

Which SVI will be selected as the GW for all hosts in all access SWs?

The DHCP will select one SVI (one access SW) and this, as I mentioned before, will handle all inter-VLAN traffic for all access SWs.

"Hence, making them layer 2 when deploying at the access layer looks like not utilizing the resources of the switch."

True, and although it seems "bad" not to take full advantage of what your hardware can do, you should consider whether L3 at the edge really benefits you vs. its additional complexity to set up and its on-going "care and feeding".

I agree with @STD_NetWorld's statement "I would say using the access layer switch as L3 is neither right nor wrong; it's totally up to design." with the understanding that the "design" is up to you to meet your needs.

"Best practices" are general recommendations, and should seriously be considered, as there are often good reasons behind such recommendations.  However, a general "best practice" doesn't necessarily mean it's also "best" for you.