Cisco Catalyst switches equipped with the Enhanced Multilayer Image
(EMI) can work as Layer 3 devices with full routing capabilities.
Example switch models that support Layer 3 routing are the 3550, 3750,
3560 etc.

On a Layer3-capable switch, the port interfaces work as Layer 2 access
ports by default, but you can also configure them as “Routed Ports”
which act as normal router interfaces. That is, you can assign an IP
address directly on the routed port. Moreover, you can also configure
a Switch Vlan Interface (SVI) with the “interface vlan” command, which
acts as a virtual layer 3 interface on the Layer3 switch.

In this post I will describe a scenario with a Layer3 switch acting as
an “Inter Vlan Routing” device together with two Layer2 switches acting
as closet access switches. See the diagram below:

Interface Fa0/48 of the Layer3 switch is configured as a Routed Port
with IP address 10.0.0.1. Two Vlans are configured on the L3 switch,
Vlan10 and Vlan20. For Vlan10 we will create an SVI with IP address
10.10.10.10 and for Vlan20 an SVI with IP address 10.20.20.20. These
two IP addresses will be the default gateway addresses for hosts
belonging to Vlan10 and Vlan20 on the Layer2 switches respectively.
That is, hosts connected on Vlan10 on the closet L2 switches will have
as default gateway the IP address 10.10.10.10. Similarly, hosts
connected on Vlan20 on the closet switches will have address
10.20.20.20 as their default gateway. Traffic between Vlan10 and Vlan20
will be routed by the L3 Switch (InterVlan Routing). Also, all
interfaces connecting the three switches must be configured as Trunk
Ports in order to allow Vlan10 and Vlan20 tagged frames to pass between
switches. Let’s see a configuration snapshot for all switches below:

Cisco L2 Switch (same configuration for both switches)
! Create VLANs 10 and 20 in the switch database
Layer2-Switch# configure terminal
Layer2-Switch(config)# vlan 10
Layer2-Switch(config-vlan)# exit
Layer2-Switch(config)# vlan 20
Layer2-Switch(config-vlan)# exit
! Assign Port Fe0/1 in VLAN 10
Layer2-Switch(config)# interface fastethernet0/1
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 10
Layer2-Switch(config-if)# exit
! Assign Port Fe0/2 in VLAN 20
Layer2-Switch(config)# interface fastethernet0/2
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 20
Layer2-Switch(config-if)# exit
! Create Trunk Port Fe0/24
! (set the encapsulation before the trunk mode; on switches that
! support only 802.1Q the encapsulation command is not available
! and can be omitted)
Layer2-Switch(config)# interface fastethernet0/24
Layer2-Switch(config-if)# switchport trunk encapsulation dot1q
Layer2-Switch(config-if)# switchport mode trunk
Layer2-Switch(config-if)# end

Cisco Layer 3 Switch
! Enable Layer 3 routing
Layer3-Switch# configure terminal
Layer3-Switch(config)# ip routing
! Create VLANs 10 and 20 in the switch database
Layer3-Switch(config)# vlan 10
Layer3-Switch(config-vlan)# exit
Layer3-Switch(config)# vlan 20
Layer3-Switch(config-vlan)# exit
! Configure a Routed Port for connecting to the ASA firewall
Layer3-Switch(config)# interface FastEthernet0/48
Layer3-Switch(config-if)# description To Internet Firewall
Layer3-Switch(config-if)# no switchport
Layer3-Switch(config-if)# ip address 10.0.0.1 255.255.255.252
Layer3-Switch(config-if)# exit
! Create Trunk Ports Fe0/47 Fe0/46
! (set the encapsulation before the trunk mode)
Layer3-Switch(config)# interface fastethernet0/47
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# exit
Layer3-Switch(config)# interface fastethernet0/46
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# exit
! Configure Switch Vlan Interfaces (SVI)
Layer3-Switch(config)# interface vlan10
Layer3-Switch(config-if)# ip address 10.10.10.10 255.255.255.0
Layer3-Switch(config-if)# no shut
Layer3-Switch(config-if)# exit
Layer3-Switch(config)# interface vlan20
Layer3-Switch(config-if)# ip address 10.20.20.20 255.255.255.0
Layer3-Switch(config-if)# no shut
Layer3-Switch(config-if)# exit
! Configure default route towards ASA firewall
Layer3-Switch(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.2
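
The forwarding decision the Layer 3 switch makes with the configuration above, as an added example that is not part of the original post: the script builds the routing table from the configured interface addresses and the default route, then does a longest-prefix lookup. It shows that Vlan10-to-Vlan20 traffic is routed on the SVIs and never leaves through Fa0/48 towards the firewall at 10.0.0.2, so any filtering between the two Vlans has to be applied on the switch itself. The function names and the destination addresses are constructed for illustration.

```python
import ipaddress
import re

# Layer 3 switch configuration lines taken from the post above.
L3_CONFIG = """\
interface FastEthernet0/48
 ip address 10.0.0.1 255.255.255.252
interface vlan10
 ip address 10.10.10.10 255.255.255.0
interface vlan20
 ip address 10.20.20.20 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.2
"""

def build_routes(config):
    """Return (network, out_interface, next_hop) tuples for the config."""
    routes, current = [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            routes.append((net, current, None))  # directly connected
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}")
            hop = ipaddress.ip_address(m[3])
            # A static route leaves through the connected subnet of its next hop.
            out = next((i for n, i, h in routes if h is None and hop in n), None)
            routes.append((net, out, hop))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; returns (out_interface, next_hop or None)."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    _, out, hop = max(matches, key=lambda r: r[0].prefixlen)
    return out, (str(hop) if hop else None)

def crosses_firewall(routes, dst, fw_port="FastEthernet0/48"):
    """True if traffic to dst leaves via the routed port facing the firewall."""
    hit = lookup(routes, dst)
    return hit is not None and hit[0] == fw_port

if __name__ == "__main__":
    table = build_routes(L3_CONFIG)
    for dst in ("10.20.20.5", "10.10.10.7", "198.51.100.9"):  # constructed
        print(dst, lookup(table, dst), crosses_firewall(table, dst))
```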