interface-vlan versus no-switchport on L3 switch

Apr 1st, 2008
We currently use routable 4507s. We connect to other routers using the interface-vlan IP addresses. I am about to clean up the configuration by assigning ports as "no switchport", then putting the IP address on those physical ports. Is this wise, or even desirable? Is there an advantage either way? Thanks

Correct Answer by Jon Marshall, Tue, 04/01/2008 - 11:27

Jimmy


Without fully understanding your topology this can only be a generic answer.

Given a choice between connecting a router to a L3 switch using a routed port on the L3 switch and a /30 subnet, and using a L3 vlan interface on the 4500, I would go with L3 routed ports.

Advantages are:

1) If the router has more than one connection then with a dynamic routing protocol such as EIGRP or OSPF you can have equal cost routes and virtually instantaneous failover if one of the links goes.

2) You are not extending L2 from the router to the switch, which you are with a L3 vlan interface.

As I say this is a very generic answer and there is nothing wrong with using vlan interfaces as the endpoint on the L3 switch. Given a choice and all things being equal I would go with L3.


Jon


lamav Tue, 04/01/2008 - 11:48

I agree with Jon.


This was a 5-pointer. ;-)


Victor

jimmyc_2 Tue, 04/01/2008 - 11:57

That is why he has 2700 points.

Clear and succinct; just what I was looking for.

Regards,


Jon Marshall Wed, 04/02/2008 - 09:46

Jimmy / Victor


Missed this one, comments much appreciated as are ratings.


Jon

jimmyc_2 Mon, 05/19/2008 - 12:20

Hi Jon,

We finally got around to trying to implement this, and we failed miserably. I'm not sure I made clear that only the core 4507s were routable, the access 4507s are L2 only. We think that is what is stopping us from moving off of interface VLANs on the core. Does that sound right? See you at Networkers.

Jon Marshall Mon, 05/19/2008 - 12:35

Ahh okay, that would change my answer then :-).

I would leave the vlan interfaces on the 4507 core switches and just make your uplinks either L2 access ports or, if you need more than one vlan, make them trunks.

I would make them "no switchports" if both ends were L3 capable switches. Can't see much benefit otherwise.

Which Networkers? I'm in the UK and I think ours in Europe was January just gone :-)


Jon
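The two designs Jon describes, as an added illustration and not configuration from this thread: Option A is the routed-port design from his first answer (core 4507 to a router over /30 links with OSPF equal-cost paths), Option B is the revised answer (SVIs stay on the core, uplink to the L2-only access 4507 becomes a trunk). Interface numbers, addresses, VLAN IDs and the OSPF area are assumed.

```cisco
! Added illustration, not a config from the thread. Interface numbers,
! addresses, VLAN IDs and the OSPF area are assumed.
!
! Option A - routed ports on the core 4507, used when the far end is a
! router or another L3 switch. Two /30 links to the same router give two
! equal-cost OSPF routes; no VLAN or spanning tree exists on the link.
interface GigabitEthernet1/1
 description Link 1 to WAN router
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet1/2
 description Link 2 to WAN router
 no switchport
 ip address 10.0.0.5 255.255.255.252
!
router ospf 1
 network 10.0.0.0 0.0.0.7 area 0
!
! Option B - keep the SVIs on the core and trunk the user VLANs down to an
! L2-only access 4507. The subnets live on the core's SVIs, so a routed
! uplink would need ip routing and a default route on the access switch.
vlan 10
 name USERS
vlan 20
 name SERVERS
!
interface GigabitEthernet1/3
 description Trunk to L2-only access switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Checks:
! show ip interface brief   - routed ports list their IP directly
! show interfaces trunk     - VLANs actually forwarded on the uplink
! show ip route ospf        - two next hops for the equal-cost paths
```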


jimmyc_2 Mon, 05/19/2008 - 12:48

Jon,

Thanks for the prompt reply; it was only in hindsight that I realized I left out some valuable information.

I'll be in Orlando in June; I didn't detect an accent, so I assumed you were in the States.


Go Manchester United!


Thanks again.

Jon Marshall Mon, 05/19/2008 - 12:52

Jimmy


Was that a guess about Manchester United? I work in London but I'm actually from Manchester. So you guessed right.


Deserves a rating - (hope ken isn't reading this :-))


Jon

jimmyc_2 Fri, 06/06/2008 - 09:54

Hi Jon,


How 'bout them Red Devils!!


We always get confused when we apply an access list to an SVI. What is the rule of thumb about inbound or outbound?


Let's say data is routed from Newcastle, through London, then onto Cork. I want to block some Newcastle-sourced traffic in London from going to Cork, but allow it to the rest of London. London has SVI's. How do I do that?


Regards,


Jimmyc

Jon Marshall Fri, 06/06/2008 - 10:02

Jimmy


Inbound access-list on a vlan interface is for traffic generated by devices on that vlan.

Outbound access-list on a vlan interface is for traffic destined for devices on that vlan.

In answer to your question you could apply the access-list on the interface that connects London to Cork. So let's say

R1 -> R2 -> L3 switch -> R3 -> R4

R1 is in Newcastle.

R2, L3 switch, R3 in London.

R4 in Cork.

You could apply the access-list outbound on the SVI interface that connects the L3 switch to R3.

Or you could apply the access-list inbound on the R3 interface that connects to the L3 switch.

Or you could apply it outbound on the R3 WAN interface to Cork.

The recommended way is to drop traffic as near to the source as possible, however, so I would apply the access-list in Newcastle and stop the traffic from using any of the WAN bandwidth.


Jon
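The filter placement Jon describes, as an added illustration rather than configuration from the thread: the London L3 switch carries the Newcastle-to-Cork flow out of the SVI facing R3, so the list goes outbound there, while London's own users (VLAN 10) are untouched. The second part shows his preferred placement, inbound on R1's LAN interface in Newcastle. Addressing, VLAN IDs and interface names are assumed; R2 is assumed to attach to the switch on some other interface.

```cisco
! Added illustration, not from the thread. Assumed addressing:
!   Newcastle LAN   10.1.0.0/16  (behind R1)
!   London users    10.2.10.0/24 on VLAN 10 of the London L3 switch
!   London -> R3    10.2.20.0/30 on VLAN 20 (the SVI facing R3)
!   Cork            10.4.0.0/16  (behind R4)
!
! ===== London L3 switch =====
ip access-list extended NCL-NO-CORK
 deny   ip 10.1.0.0 0.0.255.255 10.4.0.0 0.0.255.255
 permit ip any any
! The final permit matters: an IOS ACL ends with an implicit deny, so
! without it every other flow leaving this SVI would be dropped too.
!
interface Vlan10
 description London users - no filter, Newcastle traffic still reaches them
 ip address 10.2.10.1 255.255.255.0
!
interface Vlan20
 description towards R3 and Cork
 ip address 10.2.20.1 255.255.255.252
 ip access-group NCL-NO-CORK out
! "out" = packets the switch routes out of this SVI to devices on VLAN 20,
! i.e. to R3. Binding the same list "in" here would instead filter what
! R3 sends back into the switch, not the Newcastle -> Cork flow.
!
! ===== R1 in Newcastle (Jon's preferred placement) =====
ip access-list extended NCL-NO-CORK
 deny   ip 10.1.0.0 0.0.255.255 10.4.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/0
 description Newcastle LAN
 ip address 10.1.0.1 255.255.0.0
 ip access-group NCL-NO-CORK in
! "in" on the LAN side drops the flow before it touches the WAN.
!
! Checks on either box:
! show ip interface Vlan20 | include access list
! show ip access-lists NCL-NO-CORK   - deny counter should increment
```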

jimmyc_2 Fri, 06/06/2008 - 10:29

That explains it well, thanks.

As for Ronaldo, maybe good for the team, maybe not.

BTW, happy anniversary of D-Day.

My old man flew B-17 missions starting June 8, out of Rattlesden, near Bury St Edmunds.

Jon Marshall Fri, 06/06/2008 - 10:03

Oh yes, forgot to say. Very happy with our seasons football, now if we can just keep Ronaldo....



glen.grant Mon, 05/19/2008 - 15:14

I think you have it figured out. Using SVIs allows you to put that address range onto any trunk that is feeding your L2 access switches; if you tried to change that setup, that's probably why it broke. You can do what you were trying for links between routers instead of SVIs and it should not break anything. If you didn't have more than one subnet on each access switch you could do what you tried, but then you would have to turn on ip routing on the access 4506's and use a default static route back to the core 4506's.

jimmyc_2 Tue, 05/20/2008 - 03:45

Thanks Glen,

That is exactly what happened. Looks like our initial configuration was optimal, thereby proving, once again, that if it ain't broke, don't fix it.

Regards,

thilo schueler-mach Tue, 04/01/2008 - 13:23

I am not very familiar with the c4500, but with the c3750.

So I believe you will lose some nice features with L3 interfaces. With L3 interfaces you can not build sub-interfaces and you do not have the choice to switch one VLAN and route other VLANs using the same physical interface. Also VRF-Lite makes more sense via switched ports.

Only in high-security environments are L3 ports better, because all L2 packets are terminated.

But switching from L3 interface to SVI or vice versa should be possible in nearly every environment to match your network requirements.

