Cisco Support Community
Community Member

Access port loop prevention

I have recently been told by a consultant that access layer loops can be prevented without spanning tree on host ports by using Layer 3 routing. This goes against everything that I know about L2/L3 switching (although I would never call myself an expert on the matter…)

I have been under the impression that layer 3 at the access layer removes the need for spanning tree only on the distribution layer uplinks and not on host ports. Is this incorrect?

Here are my potentially misguided thoughts…

Moving layer 3 to the access layer removes the need for spanning tree in the core and distribution layers as they are protected by standard routing protocols.

VLANs would no longer be able to span switches in other areas as a result of this configuration.

Host access ports would still need to be layer 2 to connect to servers, workstations, phones, etc., and thus require spanning tree to protect these ports from loops.

How close am I?


Let's say that wireless is added to the network. Would you not need switch-spanning VLANs for roaming devices? If so, does wireless support suggest that you cannot move Layer 3 to the access layer, or is it possible to 'bridge' a wireless VLAN to other switches across layer 3 uplink ports through the distribution layer?

All comments are greatly appreciated…


Re: Access port loop prevention

I think your understanding is good. You still need an STP process on the access switch to protect your L2 in your wiring closet.

Now for the wireless...

You need an L3 centralized wireless solution. Cisco's LWAPP can work in an L3 network. The access points connect to a centralized controller (and client traffic is encapsulated). The client networks are configured on the centralized controller.
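The routed-access design described in the question and confirmed in the reply above, written out as an added IOS configuration example (not posted by anyone in this thread). All VLAN numbers, addresses, interface names and descriptions are constructed placeholders; the point is that the uplinks become routed ports carrying no VLANs and no STP, while the host-facing ports stay Layer 2 and keep STP with edge protection:

```cisco
! Added example, not from any poster in this thread. Routed-access
! wiring-closet switch; all numbers and names are constructed placeholders.
ip routing
spanning-tree mode rapid-pvst
!
! Edge protection for the Layer 2 host ports: PortFast brings the port up
! immediately, BPDU Guard err-disables it if a BPDU arrives (a switch or
! a looped cable plugged into a host port), and recovery re-enables it
! automatically after the timer rather than requiring a site visit.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
vlan 10
 name USERS-CLOSET-A
!
! The VLAN and its gateway exist only on this switch; it is not trunked
! anywhere, so a loop in this closet cannot propagate beyond it.
interface Vlan10
 description Gateway for closet A hosts (local to this switch only)
 ip address 10.1.10.1 255.255.255.0
!
interface range GigabitEthernet1/0/1 - 46
 description Host access ports (still Layer 2, still under STP)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
!
! Uplinks to distribution are routed: no trunk, no VLAN spanning, no STP
! on these links. OSPF provides the redundancy and failover instead.
interface GigabitEthernet1/0/47
 description Routed uplink to DIST-1
 no switchport
 ip address 10.255.0.2 255.255.255.252
 ip ospf network point-to-point
!
interface GigabitEthernet1/0/48
 description Routed uplink to DIST-2
 no switchport
 ip address 10.255.0.6 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 passive-interface Vlan10
 network 10.1.10.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.0.255 area 0
```

To confirm the split, `show spanning-tree` on this switch should list only the access ports (with the uplinks absent because they are routed), and `show ip ospf neighbor` should show both distribution neighbors.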

Community Member

Re: Access port loop prevention

Hi Dominic. I'm working on a L2 to L3 network migration plan right now and have this exact problem (re: wireless).

I have 60+ wireless APs -- all of which use six spanned VLANs (VLANs 140-145) -- these VLANs span the entire network.

If I did go to LWAPP and tunnelled the traffic back to the WCS(?) at a central point, could I continue to use that single set of six VLANs for wireless or would I have to have six 'different' VLANs for APs in each wiring closet? (Considering that I'm trying to push L3 right to the access layer.) I have about 70 wiring closets in my campus, so that's 420 wireless VLANs. UGLY!

BTW, I'm now seriously considering a parallel network to be used only for wireless ... ugly, but true! :(



Re: Access port loop prevention

I have worked on small to medium networks, but never came across a scenario where L3 would be used at the access layer. However, there are networks which deploy a single L3 switch that works on all 3 layers (core, access, distribution). But technically, it's not a layered architecture.

Even if it's an L3 switch, access ports are still L2. Trunk ports are still L2. And you'll always need STP on these ports to provide a loop-free topology.
