Patrick Colbeck

L3 sub-interfaces and VLANs

This is one that's just occurred to me and I have no L3 switches to lab it on.

I am planning a large scale VRF-Lite rollout and the following has occurred to me:

Are L3 sub-interface dot1q tags tied to the VLAN database on an L3 switch in any way?

Say I have an L2 access port assigned to VLAN 7 along with an associated SVI "interface VLAN 7" with an IP address of Can I then configure a L3 sub-interface with a dot11 tag of 7 and give it an IP address of ?

If so can I then create another L3 sub-interface on a different physical port and also tag that with 7 and give it an IP address of

What I suppose I am asking here is: are the dot1q tags on L3 sub-interfaces only of local significance to that physical port, or is the traffic exiting or arriving on them, or even the VLAN allocation, tied back to a normal L2 VLAN with the same ID on that switch or even other L3 sub-interfaces with the same dot1q ID?

If the VLAN IDs only have local significance on L3 sub-interfaces it would save on using a lot of VLANs up with say 20 VRFs and 20 L3 aggregation switch pairs under the core switches.



dotQ tags only matter in L2. Yes, the SVIs are tagged with that VLAN (so interface vlan 7 is tagged for VLAN 7). Traffic destined for that VLAN from outside that VLAN will "enter" there, and any traffic heading out of that VLAN to another will "exit" here. The SVIs are most useful when inter-vlan routing is concerned, where traffic can be routed from one SVI to another that's from the destination VLAN. So if VLAN 7 and VLAN 3 are on the same router, you can route traffic between them.

I know that. This question was more about L3 sub-interfaces such as those used when doing vrf-lite between L3 switches.

So below, VLAN 7 and its access port ten 1/1 and SVI are all related, but what about the sub-interface on ten 1/2.7?

As ten 1/2 is not a switchport, does this mean that the dot1q tagging it is using on the sub-interfaces is completely disconnected from the L2 switching on the rest of the switch?

I have a hunch the answer depends on the particular switch architecture.

vlan 7

interface vlan 7
 ip address

int ten 1/1
 switchport access vlan 7

int ten 1/2
 no switchport

int ten 1/2.7
 encap dot1q 7

Can't give a definitive answer for your switch but I know that with 6500s and IOS 12.2 (old I know) that vlan IDs were global to the switch which meant you could not reuse vlan IDs as you want to here. 


I have not come across a switch where you can reuse vlans but then to be honest I have never tried to do what you are doing so need to look. 



Me too Jon. Been a CCIE for nearly 25 years and the question never occurred to me before. I always just used different VLAN IDs. It's only the fact that this customer needs a large number of VRFs and they have hundreds of VLANs already that got me thinking about a logical VLAN range for VRF dot1q tagging and then why have I always done it that way before and what's really going on.
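
Added example, not part of the original thread: a small Python audit that lists every dot1q tag on a routed sub-interface that is also used by the VLAN database, an SVI, an access port, or another sub-interface, which is the reuse that the 6500 reply above says a switch with global VLAN IDs would not allow. The sample config is constructed by extending the config posted in the thread (the ten 1/3 lines are assumptions), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's config plus two assumed sub-interfaces on ten 1/3.
SAMPLE = """\
vlan 7
interface vlan 7
int ten 1/1
 switchport access vlan 7
int ten 1/2
 no switchport
int ten 1/2.7
 encap dot1q 7
int ten 1/3
 no switchport
int ten 1/3.7
 encap dot1q 7
int ten 1/3.20
 encap dot1q 20
"""

def collect_vlan_users(config):
    """Map each VLAN ID to (kind, name) pairs that reference it.
    Handles single-ID 'vlan N' lines only, not ranges or lists."""
    users, current = defaultdict(list), None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.fullmatch(r"vlan\s+(\d+)", line):
            users[int(m.group(1))].append(("l2", "vlan database"))
            current = None
        elif m := re.fullmatch(r"int(?:erface)?\s+vlan\s*(\d+)", line):
            users[int(m.group(1))].append(("l2", "svi"))
            current = None
        elif m := re.fullmatch(r"int(?:erface)?\s+(.+)", line):
            current = m.group(1)  # physical port or sub-interface name
        elif current and (m := re.fullmatch(r"switchport access vlan\s+(\d+)", line)):
            users[int(m.group(1))].append(("l2", current))
        elif current and (m := re.fullmatch(r"encap\S*\s+dot1q\s+(\d+).*", line)):
            users[int(m.group(1))].append(("sub", current))
    return users

def find_reuse(config):
    """Return tags used on a sub-interface and also anywhere else on the switch."""
    findings = {}
    for vid, refs in collect_vlan_users(config).items():
        subs = [name for kind, name in refs if kind == "sub"]
        l2 = [name for kind, name in refs if kind == "l2"]
        if subs and (l2 or len(subs) > 1):
            findings[vid] = {"subinterfaces": subs, "l2": l2}
    return findings

if __name__ == "__main__":
    for vid, hit in find_reuse(SAMPLE).items():
        print(f"tag {vid}: sub-interfaces {hit['subinterfaces']}, L2 users {hit['l2']}")
```

Each tag it reports is one to test on the target platform before the VRF-Lite tagging plan depends on reusing it.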