interface-vlan versus no-switchport on L3 switch

jimmyc_2
Level 1

We currently use routable 4507s. We connect to other routers using the interface-vlan IP addresses. I am about to clean up the configuration by assigning ports as "no switchport", then putting the IP address on those physical ports. Is this wise, or even desirable? Is there an advantage either way? Thanks

Accepted Solution

Jon Marshall
Hall of Fame

Jimmy

Without fully understanding your topology this can only be a generic answer.

Given a choice between connecting a router to a L3 switch using a routed port on the L3 switch and a /30 subnet and using a L3 vlan interface on the 4500 i would go with L3 routed ports.

Advantages are

1) If router has more than one connection then with a dynamic routing protocol such as EIGRP or OSPF you can have equal cost routes and virtually instantaneous failover if one of the links goes.

2) You are not extending L2 from the router to the switch which you are with a L3 vlan interface.

As i say this is a very generic answer and there is nothing wrong with using vlan interfaces as the endpoint on the L3 switch. Given a choice and all things being equal i would go with L3.

Jon
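As an added illustration of the routed-port design Jon describes (not configuration from this thread or from Cisco), the fragments below show a 4507 core with two routed uplinks to one router, each on its own /30, with EIGRP giving two equal-cost routes so a single link failure is handled by the routing protocol rather than by spanning tree. Interface names, the EIGRP AS number and all addresses are assumed values chosen for the example.

```cisco
! --- 4507 core switch (assumed values; not from the thread) ---
ip routing                              ! make the switch route (harmless if already on)
!
interface GigabitEthernet1/1
 description Link A to WAN router
 no switchport                          ! physical port becomes a routed (L3) port
 ip address 10.255.0.1 255.255.255.252  ! /30 point-to-point subnet A
!
interface GigabitEthernet1/2
 description Link B to WAN router
 no switchport
 ip address 10.255.0.5 255.255.255.252  ! /30 point-to-point subnet B
!
router eigrp 100
 network 10.255.0.0 0.0.0.255           ! both /30s join EIGRP
 no auto-summary
!
! --- WAN router (assumed interface names) ---
interface GigabitEthernet0/0
 description Link A to core 4507
 ip address 10.255.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Link B to core 4507
 ip address 10.255.0.6 255.255.255.252
!
router eigrp 100                        ! same AS as the core or no adjacency forms
 network 10.255.0.0 0.0.0.255
 no auto-summary
!
! Expected result (described, not captured output): "show ip route" on the
! router lists prefixes learned from the core with two next hops
! (10.255.0.1 and 10.255.0.5), i.e. equal-cost paths. If Link A goes down
! the EIGRP neighbor on it is lost and traffic continues over Link B.
```

Because each link is a routed port, the wire carries only IP between the two devices: there is no trunk to negotiate and no spanning-tree participation, which is the "not extending L2" point in the answer. The trade-off, discussed further down the thread, is that a routed port has no VLAN membership, so it cannot act as the gateway for hosts that sit behind L2-only access switches.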


I agree with Jon.

This was a 5-pointer. ;-)

Victor

That is why he has 2700 points.

Clear and succinct; just what I was looking for.

Regards,

Jimmy / Victor

Missed this one, comments much appreciated as are ratings.

Jon

Hi Jon,

We finally got around to trying to implement this, and we failed miserably. I'm not sure I made clear that only the core 4507s were routable, the access 4507s are L2 only. We think that is what is stopping us from moving off of interface VLANs on the core. Does that sound right? See you at Networkers.

Ahh okay that would change my answer then :-).

I would leave the vlan interfaces on the 4507 core switches and just make your uplinks either L2 access ports or if you need more than one vlan then make them trunks.

I would make them "no switchports" if both ends were L3 capable switches. Can't see much benefit otherwise.

Which networkers - i'm in the UK and i think ours in Europe was January just gone :-)

Jon

Jon,

Thanks for prompt reply, it was only in hindsight did I realize I left out some valuable information.

I'll be in Orlando in June; I didn't detect an accent, so I assumed you were in the states.

Go Manchester United!

Thanks again.

Jimmy

Was that a guess about Manchester United? I work in London but i'm actually from Manchester. So you guessed right.

Deserves a rating - (hope ken isn't reading this :-))

Jon

Hi Jon,

How 'bout them Red Devils!!

We always get confused when we apply an access list to an SVI. What is the rule of thumb about inbound or outbound?

Let's say data is routed from Newcastle, through London, then onto Cork. I want to block some Newcastle-sourced traffic in London from going to Cork, but allow it to the rest of London. London has SVI's. How do I do that?

Regards,

Jimmyc

Jimmy

Inbound access-list on vlan interface is for traffic generated by devices on that vlan.

Outbound access-list on vlan interface is for traffic destined for devices on that vlan.

In answer to your question you could apply the access-list on the interface that connects London to Cork. So let's say

R1 -> R2 -> L3 switch -> R3 -> R4

R1 is in Newcastle.

R2, L3 switch, R3 in London

R4 in Cork

You could apply access-list outbound on SVI interface that connects L3 switch to R3.

Or you could apply access-list inbound on R3 interface that connects to L3 switch.

Or you could apply outbound on R3 WAN interface to Cork.

The recommended way is to drop traffic as near to the source as possible however, so i would apply the access-list in Newcastle and stop the traffic using any of the WAN bandwidth.

Jon
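The SVI direction rule and the Newcastle-to-Cork example above, worked through as added configuration (not from the thread or from Cisco). The addressing, the SVI number and the interface names are assumed values constructed for the example: Newcastle users on 10.1.0.0/24, London on 10.2.0.0/16, Cork on 10.3.0.0/24, and the L3 switch's SVI toward R3 being Vlan30.

```cisco
! Topology from the reply: R1 (Newcastle) -> R2 -> L3 switch -> R3 (London) -> R4 (Cork)
! Addressing below is constructed for this example, not taken from the thread.
!
ip access-list extended NCL-TO-CORK-BLOCK
 remark Drop Newcastle users headed for Cork; everything else passes
 deny   ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip any any                  ! required: every IOS ACL ends with an implicit deny
!
! Option 1 - on the L3 switch, outbound on the SVI that faces R3.
! "out" on an SVI means traffic leaving the switch toward devices on that
! VLAN (here R3, and so Cork), so Newcastle -> London traffic delivered
! via the other SVIs is never evaluated by this ACL.
interface Vlan30
 description Toward R3 / Cork
 ip access-group NCL-TO-CORK-BLOCK out
!
! Option 2 - the placement the reply recommends: nearest the source, so the
! dropped packets never use WAN bandwidth. Same ACL body configured on R1,
! applied inbound on its LAN-facing interface (interface name assumed).
interface GigabitEthernet0/1
 description Newcastle user LAN
 ip access-group NCL-TO-CORK-BLOCK in
!
! Verification: "show ip access-lists NCL-TO-CORK-BLOCK" shows a match
! counter per line; the deny line's counter should climb when a Newcastle
! host tries to reach Cork, and the permit line's counter for everything else.
```

Choosing the direction comes down to where the device sits relative to the VLAN: apply "in" on the SVI when the traffic originates on that VLAN, "out" when it is being delivered to that VLAN. Whichever placement is used, keep the explicit "permit ip any any" unless the intent really is to block everything else.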

That explains it well, thanks.

As for Ronaldo, maybe good for the team, maybe not.

BTW, Happy anniversary of D-Day.

My old man flew B-17 missions starting June 8, out of Rattlesden, near Bury St Edmunds.

Oh yes, forgot to say. Very happy with our season's football, now if we can just keep Ronaldo....

I think you have it figured out. Using SVI's allows you to put that address range onto any trunk that is feeding your L2 access switches; if you tried to change that setup that's probably why it broke. You can do what you were trying for links between routers instead of SVI's and it should not break anything. If you didn't have more than one subnet on each access switch you could do what you tried, but then you would have to turn on ip routing on the access 4506's and use a default static route back to the core 4506's.
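To make concrete why the core SVI has to stay when the access 4507s are L2 only, here is an added configuration sketch (not from the thread or from Cisco) of the working design Glen and Jon describe: the user subnet's gateway on a core SVI, trunk uplinks to the L2 access switch, and, as the only alternative, the single-subnet-per-access-switch variant with ip routing turned on. VLAN numbers, interface names and all addresses are assumed values for the example.

```cisco
! --- Core 4507 (routing): the user subnet's gateway is an SVI ---
vlan 10
 name USERS
!
interface Vlan10
 description Gateway for VLAN 10 hosts on the L2 access switches
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet1/5
 description Trunk to L2-only access 4507
 switchport mode trunk
 switchport trunk allowed vlan 10,20   ! carry only the VLANs this access switch needs
!
! --- L2-only access 4507 ---
interface GigabitEthernet1/1
 description Trunk to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet2/1
 description User port
 switchport mode access
 switchport access vlan 10
!
! Why "no switchport" on the core uplink breaks this: a routed port has no
! VLAN membership, so VLAN 10 frames arriving on the trunk from the access
! switch have no SVI to reach and the hosts lose their gateway 10.10.0.1.
!
! --- Alternative (only if each access switch carries exactly one subnet) ---
! Access switch becomes L3 with a /30 to the core and a default route back:
ip routing
interface GigabitEthernet1/1
 description Routed uplink to core
 no switchport
 ip address 10.255.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.255.1.1    ! core side of the /30 (assumed)
```

Restricting the trunk with "switchport trunk allowed vlan" is worth keeping in either design: it limits which VLANs can appear on the access switch at all, so a host on an access port cannot reach VLANs the core never meant to extend there.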

Thanks Glen,

That is exactly what happened. Looks like our initial configuration was optimal, thereby proving, once again, that if it ain't broke, don't fix it.

Regards,
