Layer 3 switch

aconticisco
Level 2

Hello,

I know that if I had to look at a layer 2 switch table I would see MAC addresses associated with ports and forwarding decisions based on this table.

If I had to do the same for a layer 3 switch, would I see the exact table but with IP addresses instead of MAC addresses, or is it different?

Accepted Solutions

aconticisco wrote:

if I have a pc with ip 192.168.1.2 and wants to speak with pc 192.168.2.2, the layer 3 switch will need to have 2 vlans setup ( Vlan 1 and Vlan 2 )

Each vlan should be assigned an ip address. Each pc should have its gateway pointing to the layer 3 device's corresponding vlan.

Then within the switch itself it checks destination mac address and IP address, finds out that it is for a different vlan (by looking at the table) and forwards it to Vlan2.

Is this assumption correct ?

Pretty much yes, that's how it works. pc1 (192.168.1.2) will send a packet to the vlan 1 L3 interface IP with

src mac-address = pc1

dst mac-address = vlan 1 L3 SVI mac-address

src IP = pc1

dst IP = pc2

The L3 switch then checks the dst IP, sees it is on a locally connected network and sends the packet to pc2 with -

src mac-address = vlan 2 L3 SVI mac-address

dst mac-address = pc2

src IP = pc1

dst IP = pc2

If you want to stop clients in vlan 1 talking to clients in vlan 2 you can either -

1) not have L3 SVIs for each vlan on the switch, but then clients in each vlan will only be able to communicate with other clients in the same vlan, i.e. they will not be able to communicate with any other devices including vlan 1 devices but not limited to vlan 1 devices.

2) use access-lists on the L3 SVIs for vlan 1 and vlan 2 denying traffic between the 2 vlans

Jon
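The forwarding walk-through in the answer above, as an added example that is not part of the original thread: a small Python model of one L3 switch that keeps the MAC table and ARP table separate, rewrites the MAC addresses when routing between SVIs, and applies an inbound access-list on the ingress SVI. The /24 masks, the MAC values, the port names and every function name are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: /24 masks, MAC values and port names are assumptions.
SVIS = {  # vlan -> (connected subnet, SVI MAC)
    1: (ipaddress.ip_network("192.168.1.0/24"), "00:00:5e:00:53:01"),
    2: (ipaddress.ip_network("192.168.2.0/24"), "00:00:5e:00:53:02"),
}
ARP = {"192.168.1.2": "00:00:5e:00:53:a1", "192.168.2.2": "00:00:5e:00:53:a2"}  # IP -> MAC
MAC_TABLE = {(1, "00:00:5e:00:53:a1"): "Gi0/1", (2, "00:00:5e:00:53:a2"): "Gi0/2"}  # (vlan, MAC) -> port

def acl_permits(acl, src_ip, dst_ip):
    """First matching entry wins; no match is an implicit deny."""
    for action, src_net, dst_net in acl:
        if src_ip in ipaddress.ip_network(src_net) and dst_ip in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def forward(frame, in_vlan, inbound_acls=None):
    """Return (egress port, frame as sent), or None when the packet is dropped."""
    inbound_acls = inbound_acls or {}
    src_ip = ipaddress.ip_address(frame["src_ip"])
    dst_ip = ipaddress.ip_address(frame["dst_ip"])
    if frame["dst_mac"] != SVIS[in_vlan][1]:
        # Not addressed to the SVI: layer 2 switching inside the VLAN (flooding not modelled).
        port = MAC_TABLE.get((in_vlan, frame["dst_mac"]))
        return (port, dict(frame)) if port else None
    acl = inbound_acls.get(in_vlan)
    if acl is not None and not acl_permits(acl, src_ip, dst_ip):
        return None  # denied by the access-list on the ingress SVI
    for out_vlan, (subnet, svi_mac) in SVIS.items():
        if dst_ip in subnet:  # destination is on a locally connected network
            dst_mac = ARP.get(frame["dst_ip"])
            port = MAC_TABLE.get((out_vlan, dst_mac))
            if port is None:
                return None
            # MAC addresses are rewritten; IP addresses stay the same.
            return port, {**frame, "src_mac": svi_mac, "dst_mac": dst_mac}
    return None  # no connected route for the destination

PC1_TO_PC2 = {"src_mac": "00:00:5e:00:53:a1", "dst_mac": "00:00:5e:00:53:01",
              "src_ip": "192.168.1.2", "dst_ip": "192.168.2.2"}
DENY_V1_TO_V2 = {1: [("deny", "192.168.1.0/24", "192.168.2.0/24"),
                     ("permit", "0.0.0.0/0", "0.0.0.0/0")]}
```

Calling `forward(PC1_TO_PC2, 1)` returns the frame leaving toward pc2 with the vlan 2 SVI MAC as source; passing `DENY_V1_TO_V2` as the third argument drops it at the vlan 1 SVI.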


5 Replies

You still have the same table on a Layer 3 switch as it still needs to understand what MAC addresses are on each port. It will also have an ARP table in addition to this which will map IP addresses to MAC addresses. I don't believe you'll have one table with ports, MACs and IPs.

So if I use just 1 layer 3 switch and internally I want to avoid 1 VLAN speaking to another VLAN, how do I set this since there is no trunk link to allow or deny vlans?

if I have a pc with ip 192.168.1.2 and wants to speak with pc 192.168.2.2, the layer 3 switch will need to have 2 vlans setup ( Vlan 1 and Vlan 2 )

Each vlan should be assigned an ip address. Each pc should have its gateway pointing to the layer 3 device's corresponding vlan.

Then within the switch itself it checks destination mac address and IP address, finds out that it is for a different vlan (by looking at the table) and forwards it to Vlan2.

Is this assumption correct ?

Thanks Jon for the explanation
