Config Lab: Layer 3 Switching 1
This next lab asks you to enable layer 3 switching in a couple of distribution layer switches. This lab is pretty far reaching as well, asking for some VLAN trunking configuration and VLAN creation. Because it is such a comprehensive lab, rather than the usual 5-10 minute exercise, plan on 15 minutes to do this one in a text editor. Dig in and enjoy!
The Lab Exercise
Requirements
In this design, you will create the routing configuration required to support four user VLANs. Two user VLANs exist on switch Access1 (VLANs 10 and 20), and two user VLANs exist on switch Access2 (VLANs 30 and 40). The two distribution switches route between those VLANs, using a link between the two switches to route packets between the distribution switches.
The specific rules for this lab are:
- Configure the access switches (Access1 and Access2):
  - As layer 2 switches
  - Create the necessary VLANs per the figure
  - Assume VTP Transparent mode is in use on all switches
  - Configure the ports on the bottom of the access switches (in the figure) to be access ports in the listed VLANs
- Configure trunks:
  - Make the link from switch Dist1 to Access1 a manual 802.1Q trunk
  - Make the link from switch Dist2 to Access2 a manual 802.1Q trunk
  - (Do NOT make the Dist1 to Dist2 link a trunk)
- Configure the distribution switches (Dist1 and Dist2):
  - As layer 3 switches
  - Use SVIs for the switches’ layer 3 interfaces (that is, VLAN interfaces)
  - Use the IP addresses listed in the figure
  - Create the necessary VLANs per the figure
  - Assume VTP transparent mode
- Configure the link between the distribution switches:
  - Do not trunk on this link
  - Make this link an access link in VLAN 50
  - Route between switches Dist1 and Dist2 over this link between the switches
- Administratively enable all SVI/VLAN interfaces
- Note that OSPF has been pre-configured in preparation for your layer 3 switching configuration
Figure 1: Switch Square Topology
Initial Configuration
Examples 1, 2, 3, and 4 show the beginning configuration state of Dist1, Dist2, Access1, and Access2.
hostname Dist1
!
interface GigabitEthernet1/1/1
 no shutdown
!
interface GigabitEthernet1/1/2
 no shutdown
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
Example 1: Dist1 Config
hostname Dist2
!
interface GigabitEthernet1/1/1
 no shutdown
!
interface GigabitEthernet1/1/2
 no shutdown
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
Example 2: Dist2 Config
hostname Access1
!
interface GigabitEthernet1/0/1
 no shutdown
!
interface GigabitEthernet1/0/2
 no shutdown
!
interface GigabitEthernet1/1/1
 no shutdown
Example 3: Access1 Config
hostname Access2
!
interface GigabitEthernet1/0/1
 no shutdown
!
interface GigabitEthernet1/0/2
 no shutdown
!
interface GigabitEthernet1/1/1
 no shutdown
Example 4: Access2 Config
Config Lab Intro Video
The above lab intro – the text, figures, and initial configuration – tells you all you need to know. But if you want a little more, with a little different slant on what to do in this lab, watch this lab intro video!
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
This table lists the interfaces used in the lab exercise documentation that differ from those used in the sample CML file.
Device | Lab Port | CML Port |
Dist1 | G1/1/1 | G0/1 |
Dist1 | G1/1/2 | G0/2 |
Dist2 | G1/1/1 | G0/1 |
Dist2 | G1/1/2 | G0/2 |
Access1 | G1/1/1 | G0/1 |
Access1 | G1/0/1 | G0/3 |
Access1 | G1/0/2 | G0/2 |
Access2 | G1/1/1 | G0/1 |
Access2 | G1/0/1 | G0/3 |
Access2 | G1/0/2 | G0/2 |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Answers
Figure 1: Switch Square Topology
vlan 10,20,50
!
ip routing
!
interface GigabitEthernet1/1/1
 switchport access vlan 50
!
interface GigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 no shutdown
!
interface Vlan50
 ip address 10.100.100.1 255.255.255.252
 no shutdown
Example 1: Dist1 Config
vlan 30,40,50
!
ip routing
!
interface GigabitEthernet1/1/1
 switchport access vlan 50
!
interface GigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
 no shutdown
!
interface Vlan40
 ip address 10.10.40.1 255.255.255.0
 no shutdown
!
interface Vlan50
 ip address 10.100.100.2 255.255.255.252
 no shutdown
Example 2: Dist2 Config
vlan 10,20
!
interface GigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport access vlan 20
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
Example 3: Access1 Config
vlan 30,40
!
interface GigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport access vlan 40
!
interface GigabitEthernet1/0/2
 switchport access vlan 30
Example 4: Access2 Config
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Commentary
Layer 3 switching has become the preferred method for layer 3 forwarding in LANs as compared with using routers. Layer 3 switching relies on LAN switching hardware that often performs both layer 2 and layer 3 forwarding at higher capacities (more messages per second) than comparable routers. Also, using layer 3 switches instead of routers avoids having to use the Router-on-a-Stick method required for routers, which sends packets over a link to a router and then back out that same physical link. As a result, many campus and data center networks are built with switches only, with routers sitting only at the edge of the WAN.
With this lab you were tasked with configuring switches as both layer 2 and layer 3. The access switches will utilize only their layer 2 features while their distribution counterparts will use both their layer 2 and layer 3 features. In this case, the layer 3 distribution switches could act as gateways for PCs attached to the access switch interfaces.
Begin by looking at the configuration of the Access1 switch and the two access VLANs. Two interfaces will be access ports that connect to two different LANs. To create the two VLANs, use the vlan 10 and vlan 20 commands. (Note that you could configure both in one command with the vlan 10,20 command as shown in Example 3.) To configure interface GigabitEthernet0/2 into VLAN 10, use the switchport access vlan 10 command; to configure interface GigabitEthernet0/3 into VLAN 20, use the switchport access vlan 20 command.
Similarly, switch Access2 has two access VLANs, 30 and 40, and would be configured with similar commands: vlan 30, vlan 40 and, on the respective interfaces, switchport access vlan 30 and switchport access vlan 40.
To create trunks between Access1 and Dist1, plus Access2 and Dist2, the requirements asked for a manually configured trunk. Basically, that means using the switchport mode trunk interface subcommand on the interfaces on both ends of the trunk.
The distribution switch configuration is a bit more complex as it uses trunks, access ports and layer 3 VLAN interfaces.
At the distribution layer of the design, first consider switch Dist1 and its three VLANs: 10, 20, and 50. Dist1 will need to route for the subnets defined on those three VLANs. First, Dist1 must know about the three VLANs (not VLAN interfaces), so the configuration includes the vlan 10,20,50 command, which defines all three VLANs as if you had typed the vlan 10, vlan 20 and vlan 50 commands separately.
Next, you need to configure a matching VLAN interface for each VLAN with the associated interface subcommands. In each case, you need to configure the IP address as shown in the figure. Also, some switches start with VLAN interfaces in a shutdown state, so to make sure the interface comes up, use the no shutdown command. Example 1 lists the details.
Each of the two distribution switches must also enable layer 3 switching. On some models of switches, the switch first requires that the switching ASIC be enabled to support IPv4 routing with a command like the sdm prefer command, followed by a reload exec command. (This lab does not show that part of the configuration). The switch also needs to have IPv4 routing enabled, which requires the ip routing global configuration command. (That command is listed in the configuration in both Example 1 and Example 2.)
The final part of the configuration on Dist1 calls for the Dist1 to Dist2 link to be an access link in VLAN 50. So, to configure Dist1 interface GigabitEthernet0/1 into VLAN 50, use the switchport access vlan 50 command.
Moving on to switch Dist2, it uses similar logic to Dist1, but with different details. Dist2 routes for the subnets sitting on VLANs 30, 40 and 50. As a result, you need to create the VLANs by using the vlan 30, vlan 40 and vlan 50 commands. Then, as on Dist1, you would enable IPv4 routing (ip routing), create a VLAN interface corresponding to each VLAN (for instance, interface vlan 30), then configure an IP address (for instance, ip address 10.10.30.1 255.255.255.0), and enable the interface (no shutdown).
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail |
1 | None | No known issues related to this lab. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.
On the distribution switches:
- Check that the VLANs have been created by using the show vlan brief command.
- Check that the VLAN interfaces were configured with the show ip interface brief and/or show running-config commands.
- Check that the trunks are operational using the show interfaces trunk command.
On the Access switches:
- Check that the VLANs have been created and assigned properly using the show vlan brief command.
- Verify that the trunks are operational using the show interfaces trunk command.
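The same requirements can also be checked offline against a saved configuration, which suits the text-editor option for this lab. The following is an added example, not part of the original lab: it parses IOS-style configuration text and reports where it misses the Dist1 requirements; the function names and the requirements dictionary are assumptions made for the illustration.

```python
import ipaddress
import re
# Dist1 answer configuration from this lab, embedded so the check runs offline.
DIST1_ANSWER = """\
vlan 10,20,50
!
ip routing
!
interface GigabitEthernet1/1/1
 switchport access vlan 50
!
interface GigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 no shutdown
!
interface Vlan50
 ip address 10.100.100.1 255.255.255.252
 no shutdown
"""

# Dist1 requirements from the lab text and answer; this dictionary layout is an assumption.
DIST1_REQ = {
    "vlans": {10, 20, 50},
    "ports": {"GigabitEthernet1/1/2": "trunk", "GigabitEthernet1/1/1": 50},
    "svis": {10: "10.10.10.1/24", 20: "10.10.20.1/24", 50: "10.100.100.1/30"},
}

def parse_config(text):
    """Return (global commands, defined VLAN ids, {interface: subcommands})."""
    globals_, vlans, intfs, current = [], set(), {}, None
    for raw in text.splitlines():
        line = " ".join(raw.lower().split())    # indentation is not relied upon
        if line in ("", "!"):
            current = None                      # "!" closes the open section
        elif m := re.fullmatch(r"interface (\S+)", line):
            current = intfs.setdefault(m.group(1), [])
        elif m := re.fullmatch(r"vlan ([\d,-]+)", line):
            current = None
            for part in m.group(1).split(","):  # "10,20,50" or "10-12"
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
        else:
            (globals_ if current is None else current).append(line)
    return globals_, vlans, intfs

def audit(text, req):
    """Return a list of findings; an empty list means every requirement is met."""
    globals_, vlans, intfs = parse_config(text)
    findings = [f"VLAN {v} not created" for v in sorted(req["vlans"] - vlans)]
    if "ip routing" not in globals_:
        findings.append("ip routing not enabled")
    for name, want in req["ports"].items():
        cmds = intfs.get(name.lower(), [])
        is_trunk = "switchport mode trunk" in cmds
        if want == "trunk" and not is_trunk:
            findings.append(f"{name}: must be a manual trunk")
        elif want != "trunk" and (is_trunk or f"switchport access vlan {want}" not in cmds):
            findings.append(f"{name}: must be an access port in VLAN {want}")
    for vlan, want in req["svis"].items():
        cmds = intfs.get(f"vlan{vlan}", [])
        have = ["/".join(c.split()[2:]) for c in cmds if re.fullmatch(r"ip address \S+ \S+", c)]
        if ipaddress.ip_interface(want) not in map(ipaddress.ip_interface, have):
            findings.append(f"Vlan{vlan}: SVI address {want} not configured")
        if "shutdown" in cmds:                  # "no shutdown" is a different line
            findings.append(f"Vlan{vlan}: administratively down")
    return findings
```

Calling audit(DIST1_ANSWER, DIST1_REQ) returns an empty list; pass your own text and a matching requirements dictionary to check the other three switches.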
Config Lab Review Video
Want to hear more about this lab’s solution? Check out the video to the left.
Hi Mr. Wendell, I have a few doubts…:
1. What would be the result if we configured the interfaces that link Dist1 & Dist2 as routed ports?
2. If we configured the link between Dist1 & Dist2 as a trunk
Hello again,
Great questions.
I think you’ll see that a similar lab, https://www.certskills.com/clab152, does what you describe in your #2. It has two distribution switches, asks for layer 3 switching using SVIs. As a result, you need a layer 2 path between the two switches, and the lab asks for trunking between dist1 and dist 2.
As for your #1, this lab (https://www.certskills.com/clab302/) is similar enough to be of some help. But to answer your question, you do not create the SVIs, but configure the physical ports on each end of the Dist1-Dist2 link as Layer 3 ports (no switchport), configure IP addresses, and you’re done.
The rule of thumb, generally, is this: if you need to route to endpoints that connect to Layer 2 ports, you need an SVI. But if you need to connect two layer 3 switches, or a layer 3 switch and a router, so you have a point-point routed connection, use routed ports. That lab 302 link above is a lab that focuses on the routed port.
Hope this helps,
Wendell
Hi Wendell, I’m just re-visiting this lab and this same question occurred to me as well – why did you choose an access port (vlan 50) between the distribution switches to pass traffic for multiple vlans? It seems counter-intuitive (to me), and that like previously suggested by the commentator above that a trunk or a routed port is more ‘logically acceptable’. Is this something that we can expect to encounter in a real life scenario?
Elad,
Well, it really depends on what you’re trying to accomplish. Let me apply some context first, though.
My design point with Config Labs is to help people exercise configuration skills. I give no thought to the design, other than whether it is useful for exercising config skills.
That said, here’s some real life design: Do you need VLANs to span between the distribution switches? Sometimes yes, sometimes no. If you do, you need a VLAN trunk. If you need a VLAN trunk, do you have a VLAN trunk, which is a switched port, and then a separate link that is a routed port? Think on these things.
Say you did want some VLANs to span between them. You could have two parallel links in a layer 2 etherchannel, trunking, to support those. Two more in a layer 3 etherchannel, used by the routing logic in the two distribution switches.
Or put all four ports in a layer 2 Etherchannel, and configure the routing between distribution switches to use VLAN interfaces.
See, lots of options. It gets into available ports, whether you expect a lot of traffic routed between the two distribution switches, etc etc.
Now back to this lab. I wanted to provide a lab to configure layer 3 switching using VLAN interfaces. None of the VLANs needed to be supported beyond the distribution switches. EG, vlan 10 and 20 are below Dist 1, vlan 30 and 40 remain below Dist2. So, there’s no need for a VLAN trunk. So I just need one link between the two distribution switches, it doesn’t need to be a trunk, so I picked a random VLAN to use (50). And the lab didn’t have to get into layer 3 (aka routed) ports, which was a goal for this lab.
Hope this gives a little insight!
Wendell
Hi, is it true that if a switch receives a frame with a destination mac address where there is another mac address in the mac address table, the switch still broadcasts out on all ports to find the mac address it’s looking for?
Chris,
If I’m understanding your statement, then the answer is yes.
More specifically to clarify…
The MAC table lists MAC A in the table, but not MAC B.
A frame arrives with destination of MAC B.
Therefore, the switch “floods” the frame out all ports (except the port in which the frame arrived.)
The presence/absence of the MAC table entry for MAC address A is unrelated to the decision when forwarding a frame sent to MAC address B, no matter what information about MAC A is in the table.
I think there’s a typo in the answer config for the distribution switches on line 5, and access switches on line 3: shouldn’t it be interface GigabitEthernet1/1/1 (instead of interface GigabitEthernet0/1)?
Also, the instructions say “Note that RIPv2 has been pre-configured in preparation for your layer 3 switching configuration,” but I think you meant OSPF.
Exactly, I too am puzzled by these two very visible print errors that slipped through the proofreading perhaps!!!!
Will be very happy to learn from you actually what happened.
Hi Emil,
Thanks! Yep, looks like a review step was missed when we migrated this lab. The older version used different interface IDs and those had not been updated in the blog post. My mistake. Should all be fixed now. Thanks for the heads up.
Regards,
Wendell
Hi, just wondering, I know this exercise tackles SVI but just out of curiosity, isn’t it better to use routed ports for the link between two distribution switches?
Hi Patrick,
Sure, Layer 3 interfaces would work well, and probably preferred in real life in that particular part of the design. In that case, no need for a VLAN.
Wendell
Hi,
Just an observation, in the answers section showing the switches configs, I think the VLANs are swapped with respect to interfaces giga 1/0/1 and 1/0/2, according to the diagram, for both access switches.
Best regards.
Hi Vicente,
Thanks for letting me know! I agree. I fixed the config. Thanks again,
Wendell
Hey Wendell,
In the configuration you specifically asked for the link between the distribution switches to be created as access links in vlan 50. These switches should also be configured as Layer 3 switches. Why shouldn’t the link between the Layer 3 distribution switches be trunked?
Great question, Ermundo. Couple of points.
First, literally, I did so for variety. My #1 design criteria for these labs is CCNA prep, so I try and use a variety of scenarios to give broader exercise. Sometimes that means the scenario may be less common than some others… I purposefully made this lab with no redundancy to remove some of the larger design issues.
So, in this topology, as planned, there is no need (by design) for VLANs to span beyond either layer 3 switch. So, no need for a trunk. You can view the L3 switches as routers from a forwarding logic perspective. As such, the link between the L3 switches just needs to support forwarding IP packets between them, and an access link works fine. EG, Dist 1 won’t forward a VLAN 10 or 20 frame, using L2 forwarding, out the link towards Dist 2 (again, by the design in the lab.) So there’s no need for the link to be a trunk.
However… I could make a different design that supported, say, VLAN 10, with devices on both access switches. In that case, we would need a trunk between the two switches. But that’s a different design.
I’ve even seen designs with some links between L3 switches as a trunk (often an EtherChannel), and ALSO some links as routed ports (also an EtherChannel)… see chapter… 17 of Vol 1 Edition 1 (the one available here in CY2023), layer 3 switching, for some detail on the routed ports.
So, to sum up… If you need a Layer 2 path between them, and it’s more than one VLAN that needs it, yes, trunk. If you need a layer 2 path but it’s only one VLAN (which is what happens here), an access link works fine. If the link exists only to support routing between the devices, you can make the links be routed rather than switched ports… and the switches’ Layer 2 logic ignores the ports.
So you might now see why I removed a little of the complexity for a lab! 🙂
Wendell
Hello Wendell,
Please see attached image, any guidance will be greatly appreciated. Thank you
Hi Tewa,
It’s not a dumb question. Getting your mind around the options can be a challenge.
So, one way to help work the problem is to draw the network exclusively from a layer 3 perspective. Where are the subnets, what device acts as a default router, which links have only routers on them, and so on.
Second, what you show in the figure can’t be a three-tier design. For that, it would need a core switch or two.
Third, a key design choice of building a two-tier or three-tier design is where you enable layer 3 routing. These days, and the last… 15 years maybe, the distribution-core links would be layer 3 links. That is, the core switches performed layer 3 services aka routing only. The distribution switches used routing on the dist-core links. Then, they used SVIs to support VLANs that extended to the layer 2 access switches. So the distribution switches would have VLAN config, VLAN interface config (aka SVIs), possibly some layer 3 ports (configured with the no switchport command) and layer 3 EtherChannels.
It’s not that uncommon today to enable layer 3 at the access layer switch as well, but that’s just getting too far into the weeds for a blog response.
So, back to the drawing you have shown. It’s a two-tier LAN based on the switches shown. Then, with the router, the question I’d ask is: Are the distribution switches performing routing? Typically yes. Then, the links between the Dist. switches and the router can be layer 3 links, with no need to use ROAS on the router. BUT, if you made those links layer 2 links on the dist switches, and supported routing over those using SVIs, then the router MUST be aware of the VLANs, and would need ROAS config.
So, for the router side, if the adjacent switch is using L3 ports, then ROAS does not make sense. If the adjacent switch is using L2 ports and SVIs, then ROAS becomes useful.
Of course, when using Packet Tracer, the further you go into the features, the more likely something isn’t supported… so I’ll check out your related query in a bit.
Hope this helps.
Hi all,
If you happened to be working on this lab today, FYI, I changed it a little. I changed the subnet between the Dist1-Dist2 switches to 10.100.100.0/30, in the figures, and in the answer. I think I caught all the references. Just a heads up in case you’re in the middle of it right now.
Hi Mr. Wendell, I am doing layer 3 switching 1 lab in packet tracer from scratch. In dist 1 switch when I type router ospf 1 command it says ip routing not enable. I read the book and tried to use sdm prefer lanbase-routing to enable routing and it gives me invalid input detection marker. How do I go ahead and enable ip routing. I also did no shutdown command on interface but still it is not working
Hi Kasturi,
I’ve been away for a year-end break, sorry for the delay…
So, I’m guessing you issued the router ospf 1 command on one of the two access layer switches. Those aren’t meant to act as layer 3 switches in this lab, so they don’t have pre-configuration of the command IP routing. So, really two answers:
A layer 3 capable switch likely has a default of no ip routing, so you need to configure the ip routing global command.
Re-think the lab a bit and consider the design – As intended, at least, you need to configure the layer 3 features on the two distribution switches.
Hope this helps…
Wendell