Config Lab: Layer 3 Switching w/ SVIs
Layer 3 switches, aka multilayer switches, route packets using the same logic as IP routers. A layer 3 switch can simultaneously support layer 2 features such as LAN switching and VLANs. To route packets for devices in those VLANs, the switch needs a switched virtual interface (SVI): An interface enabled for layer 3 processing that in effect connects to the VLAN. In this lab, you configure two switches to act as layer 3 switches to support two different VLANs.
The Lab Exercise
Lab Requirements
This lab begins with a working network. It shows two PCs, each in two separate VLANs/Subnets. To start the lab, PCs in the same subnet/VLAN can ping each other. However, PCs in different subnets cannot ping each other to begin the lab. Therefore, you need to configure layer 3 switching on the two distribution switches to route packets between the subnets.
Once you understand the initial configuration, configure distribution switches Dist1 and Dist2 with SVIs – VLAN interfaces – for VLAN 10 and VLAN 11. Use the following details:
- For VLAN 10, create and configure a VLAN 10 interface:
- For Dist1, use address/mask 10.1.10.1/24.
- For Dist2, use address/mask 10.1.10.2/24.
- For VLAN 11, create and configure a VLAN 11 interface:
- For Dist1, use address/mask 10.1.11.1/24.
- For Dist2, use address/mask 10.1.11.2/24.
Figure 1: Topology for this Lab
Figure 2: Layer 3 Topology – Subnet 10
Figure 3: Layer 3 Topology – Subnet 11
Initial Configuration
The four switches begin with VLAN, VLAN trunking, and STP configuration to support the two VLANs used in this lab (VLANs 10 and 11.) The STP config causes switch Dist1 to be the root switch for VLAN 10 and Dist2 to be the root switch for VLAN 11. All switch-to-switch links act as VLAN trunks. For information about the PCs and the router, look below these next four examples.
hostname Dist1
!
vtp mode transparent
vlan 10,11
!
spanning-tree vlan 10 root primary
spanning-tree vlan 11 root secondary
!
interface range GigabitEthernet1/1/1-4
switchport mode trunk
Example 1: Dist1 Config
hostname Dist2
!
vtp mode transparent
vlan 10,11
!
spanning-tree vlan 11 root primary
spanning-tree vlan 10 root secondary
!
interface range GigabitEthernet1/1/1-4
switchport mode trunk
Example 2: Dist2 Config
hostname Access3
!
vtp mode transparent
vlan 10,11
!
interface range GigabitEthernet1/1/1-2
switchport mode trunk
!
interface GigabitEthernet1/0/11
switchport mode access
switchport access vlan 10
!
interface GigabitEthernet1/0/21
switchport mode access
switchport access vlan 11
Example 3: Access3 Config
hostname Access4
!
vtp mode transparent
vlan 10,11
!
interface range GigabitEthernet1/1/1-2
switchport mode trunk
!
interface GigabitEthernet1/0/12
switchport mode access
switchport access vlan 10
!
interface GigabitEthernet1/0/22
switchport mode access
switchport access vlan 11
Example 4: Access4 Config
The four PCs connect to two different access VLANs and subnets, as follows:
- PC11 and PC12: VLAN 10, subnet 10.1.10.0/24, gateway 10.1.10.1.
- PC21 and PC22: VLAN 11, subnet 10.1.11.0/24, gateway 10.1.11.2.
Address: 10.1.10.11
Mask: 255.255.255.0
Gateway: 10.1.10.1
Example 5: PC11 Configuration Settings
Address: 10.1.10.12
Mask: 255.255.255.0
Gateway: 10.1.10.1
Example 6: PC12 Configuration Settings
Address: 10.1.11.21
Mask: 255.255.255.0
Gateway: 10.1.11.2
Example 7: PC21 Configuration Settings
Address: 10.1.11.22
Mask: 255.255.255.0
Gateway: 10.1.11.2
Example 8: PC22 Configuration Settings
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Network Device Info:
This table lists the interfaces used in the lab exercise documentation that differ from those used in the sample CML file.
Device | Lab Port | Â CML Port |
Dist1 | G1/1/2 | G1/2 |
Dist1 | G1/1/3 | G1/3 |
Dist1 | G1/1/4 | G1/0 |
Dist2 | G1/1/1 | G1/1 |
Dist2 | G1/1/3 | G1/3 |
Dist2 | G1/1/4 | G1/0 |
Access3 | G1/1/1 | G1/1 |
Access3 | G1/1/2 | G1/2 |
Access3 | G1/0/11 | G0/1 |
Access3 | G1/0/21 | G0/2 |
Access4 | G1/1/1 | G1/1 |
Access4 | G1/1/2 | G1/2 |
Access4 | G1/0/12 | G0/1 |
Access4 | G1/0/22 | G0/2 |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Lab Answers
Figure 1: Topology for this Lab
ip routing
interface vlan 10
ip address 10.1.10.1 255.255.255.0
!
interface vlan 11
ip address 10.1.11.1 255.255.255.0
Example: Dist1 Config
ip routing
!
interface vlan 10
ip address 10.1.10.2 255.255.255.0
!
interface vlan 11
ip address 10.1.11.2 255.255.255.0
Example: Dist2 Config
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Lab Commentary
First, to configure the lab as requested, you simply need to create VLAN interfaces and configure the IP address and mask information as noted in the lab.Â
Note that in production networks, you would normally include a First Hop Redundancy Protocol (FHRP) like Hot Standby Router Protocol (HSRP). With HSRP, both layer 3 switches would share an IP address in each subnet, and the PCs would use that IP address as their default gateway address. Both layer 3 switches could then mutually support each other, handling the routing load if the other device fails.
Note that in this lab, because all the PCs refer to the IP addresses on Dist1 as their default gateway, Dist1 will do all the routing in this small lab. Dist2 does not perform any routing. We included both layer 3 switches for extra configuration practice and to let you ponder the issues related to using multiple layer 3 switches.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail |
1 | ASIC configuration | To perform this lab in Cisco PT, you do not need to use any hardware-focused command to enable IP routing entries in the switch ASIC, eg, sdm prefer lanbase-routing. On real switches, you might need to enable L3 switching with such a command. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.Â
- The distribution switches act as layer 3 switches, routing IP packets between the two subnets. Verify the routing tables on each using the show ip route command.
- The distribution switches act as the default gateway for the PCs. Use the ping command on the PCs to test whether the PCs can ping their respective default gateways.
- Once configured, PCs in one subnet should be able to successfully ping PCs in the other subnet. Use ping to test connectivity between PCs in different subnets.
You are forgot ” IP ROUTING ” global configration command on distbrution switches
added just now. Thanks, Raed!
Hi Wendell, the answer config for both switches are still not showing the “ip routing” command.
Hi Wendell,
Following up on the comment of Raed. I didn’t use the ip routing command, but after creating the. SVI’s on both dist switches and checking the ip routing table, I noticed everything was working. I was able to ping every PC. I did the lab in CML btw.
So, I’m unsure why this is the case when I haven’t specifically enabled ip routing manually. How can you verify if ip routing is enabled in the first place, does the fact I get output from the command show ip route confirms it is enabled? Should it be mentioned in the running config?
Hope you can clear this up for me.
Thanks!
Hi Frank,
First, let’s consider real Cisco switches. Most Cisco switches built for enterprises support some kind of layer 3 switching. Some are almost certainly used as layer 3 switches, being intended as distribution or core switches, while others, typically access switches, are more commonly used as layer 2 switches. So, it’s pretty common for Cisco switches to ship with default settings that do not enable layer 3 switching and IP routing. So on those real switches, you would need to do two commands before you could configure SVIs and have IP routing work:
the **ip routing** global command
Some other command, platform-dependent, that changes how the switch’s forwarding ASIC allocates entries, so it allocates some for layer 3 entries.
**ip routing** is a non-default command on a switch. So, how to know if it is or isn’t set?
**show run** – if NOT there, the switch default of **no ip routing** should be expected. If there, **ip routing** has been configured.
**show ip route** – if **ip routing** is configured, you see the legend of routing codes, even if there are no routes. if the default of **no ip routing** is in use, then you some different output that’s NOT the IP routing table.
Last thing on real switches – I’ve never attempted to track the defaults across Cisco’s entire product line. Some switches may come with **ip routing** as the default setting… so think of the above as the normal behavior on access switches that are layer 3 capable.
Then, on Cisco Packet Tracer, it depends on the switch model as to whether you need to add the **ip routing** command. To make this lab work correctly, I used the PT’s simulated 3650 switches. Real 3650s do support layer 3 switching. Anyway, whether a default or not, **ip routing** must be set (explicitly, or by default) for IP routing to work. I just checked, and you can too. If you download the original .pkt file for this lab, and open the console of DIST1, and do those checks above, you’ll see (a) the absence of **ip routing** and (b) something other than the IP routing table in response to **show ip route**. Configure just that command, and you’ll see signs of IP routing.
Hope this helps…
Also, check out Chapter 17 of the CCNA OCG Vol 1 for more depth on this entire topic.
PS: You did the lab, without **ip routing** configured, and it worked, and even the pings worked. On real switches it would not have worked. So I’ll get something put together on that new “feature” of PT. Thanks!
Wendell
Hi Wendell,
Thanks for reaching out and clearing this up, it does help!
It’s good to know how I can check this and to know that the lab I actually did wasn’t supposed to work.
Just bare in mind, I did the lab in CML and not in Packet Tracer.
Thanks again!
Went back to the lab to check out the ip routing settings like you explained. I must be doing something wrong or the switches in CML aren’t capable of ip routing (which I don’t believe) because the config wont show the ip routing anywhere after I issued the command from global config. Very confused on why I got it working in the first place if the ip routing isn’t enabled.
Sorry to keep bothering you with this, I’d really appreciate your insight on this.
Thanks!
Couldn’t let it go so I turned Google upside down and think I figured it out, sorry to spam you so much. Tried to edit my previous comment but I don’t think thats possible.
The fact nothing showed up in the running config after enabling ip routing was really bothering me. And I found out that you can do a show run all command, which list probably everything you can enable or configure, right? So when I did the command show run all | include routing the output was:
ip routing protocol purge interface
ip routing
service-routing capabilities-manager
event manager detector routing bootup-delay 0
So I’m guessing this would mean that ip routing is in fact turned on and it’s a default actually (checked it on a newly deployed switch and it shows the same output).
So I guess that explains why it did work earlier without me enabling it manually. Took me long enough to figure it out, but eventually with the help of you and Google I got there 🙂
Thanks again for your help again Wendell, really appreciate it!
Frank
You’re welcome, and no worries on the posts. When I have less time, well, you may not hear for a while. 🙂 I just like doing it. Anyway…
Because you’re using CML, try a **show run all**. It shows all non-default settings too. You’ll see the **ip routing** command there. But not when using only **show run**. Which tells me… **ip routing** is the default in that image.
Anyway, I don’t think you’re doing anything wrong. I think you’ve discovered a feature of the CML IOSL2 image in that it appears **ip routing** is the default in that image. That is, if you add a new IOSL2 image to that topology:
show run – does not display **ip routing**
show ip route – displays the legend of routing codes, indicating **ip routing** is configured
Then, if you configure **no ip routing**
show run – displays **no ip routing**, confirming that’s NOT a default setting
show ip route – No longer displays the legend of routing codes, indicating **no ip routing** is configured
Hope this helps…
Wendell
Frank – comments passed in the Ether. Glad you figured it out!
Hi Wendell,
An observation. The picture shows interface G1/1/2 of switch Dist1 as a link to Dist2. But in the config shows G1/1/1 (Packet Tracer File).
Best regards.
Vicente,
And… thanks again! I agree again.
This time I fixed it by updating the .pkt file, so a new download should now have Dist1 using port G1/1/2 to connect to SW2.
Thanks again…
Wendell
unable to open file. the file is not compatible with this version of Cisco PT (8.1.1)
Yes, you should try with Packet Tracer 8.2.
Hi Wendell,
I successfully did this lab according to the solution shown here. But it seems on PacketTracer version 8.2.0.0162 It’s not working correctly.
If I do >show ip route on either of Dist switches I get an empty routing table with the message “ICMP redirect cache is empty”
I’m not sure if there is something else missing in the PT file, as just creating vlan interfaces on both Dist switches is not enough.
Thank you
Hello Wendell,
Please a question not related to this lab. Back in chapter 6 of ccna study guide, you discussed management ip address for the switch and the fact that the address is configured using SVI. I would assume L3 switch still needs a management ip address? How/where would I configure a management ip on a L3 switch and differentiate it from other ip addresses on the switch using SVI? Or can any of the ip addresses on the switch be used as management ip address for the switch? Don’t know if my question makes sense.
Hi Tewa,
No problem.
Short answer: On a layer 3 switch, you can manage the switch using any working IP address. For example, if you need four VLAN interfaces to support routing, you can use SSH, Telnet, SNMP, etc, with any of those addresses. The config does not need to differentiate the VLAN interface in any way.
Hi Wendell,
I’m a bit lost why we configure 4 different IP addresses on the vlan interafaces:
The 2 different subnet requires 2 different gateways only as per my understanding:
Gateway: 10.1.10.1
Gateway: 10.1.11.2
the 10.1.10.2 and the 10.1.11.1 seems redundant to me. I dont understand, can you please explain?
Tom,
Sure, no problem.
First off, my overall design point with the Config Labs is to help all exercise configuration skills. I don’t emphasize the design aspects. The reason I bring that up is that your question gets to the design and purpose of the config.
As you suggest, you only need one default router in each subnet, but the lab, as written, requires that you configure two. The hosts in the subnet refer to one default router in each subnet, making one seem useless and unnecessary. So, from a design perspective, if we stopped here, added no other functions, then I agree, those extra IP address configurations would be pointless.
The next step in a useful design is to somehow have two default routers in a subnet, in such a way that both might be used, at least in a primary/backup kind of relationship. However, this lab is meant for practice at a point in the books that hasn’t yet discussed how to provide “first hop redundancy” as it’s called… so the lab doesn’t include it. However, once you get to that in the books (Vol 2), you then learn about HSRP for instance, with which you add a little more config… and the two default routers in each subnet form a primary/backup relationship (called active/standby with HSRP) so that one is used and one is waiting to take over if the active router fails.
In production networks, the choice then is whether a subnet is worthy of having more than one router (or layer 3 switch) connected to it. If so, the primary way to make the best use of the multiple routers is some FHRP, with HSRP being the most common protocol.
hope this helps,
Wendell
Very well explained, thank you!
Hello Wendell,
Please a question. I am reviewing some topics and came across a question I had left on the margins of a page and still can’t wrap my head around the reason for the configuration option. I would appreciate if you can shed some light on this.
Vol 1, Chapter 17, page 402, figure 17-3. You indicated Vlan 30 was needed to connect the L3 switch to the physical router, why is that? Why is there a need to create a vlan interface to be able to connect to the router. Is it not sufficient to just connect both interfaces with a cable, assign them ip addresses in the same subnet and have them route traffic?
so we have to use( sdm prefer )command to enable routing if a lab like this comes in exam?how to chk if we need this command or not like is there any show for this sdm command?
to confirm:
if our physical interface is up then we dont need to use no shut for svi’s (as they are virtual)?
thanks
Sana,
1) On sdm prefer, I wouldn’t expect you to see it, but: If it’s needed and hasn’t been issued yet (plus the reload afterwards), IOS responds to show ip route command as if the command did not exist. Likewise for the ip routing global config command.
2) I wouldn’t venture to offer a comprehensive ruleset for SVIs in call cases, models, IOS versions, etc. Instead: Look at the state, and if it’s shutdown, add the *no shutdown* command to bring them up. Just be practical about it.