Cisco Support Community

New Member

Catalyst 3850 Stack VLANs, layer 2 vs. layer 3 design question

Hello there:

Just a generic design question; after doing much reading, I am just not clear as to when to use one or the other, and what the benefits/tradeoffs are:


Should we configure the switch stack w/ layer 3, or layer 2 VLANs?


We have a Catalyst 3850 Stack, connected to an ASA-X 5545 firewall via 8GB etherchannel.

We have about 100 servers (some connected w/ bonding or mini-etherchannels), and 30 VLANs.

We have several 10GB connections to servers.

We push large, (up to) TB sized files from VLAN to VLAN, mostly using scp.

No ip phones, no POE.

Inter-VLAN connectivity/throughput and security are priorities.

Originally, we planned to use the ASA to filter connections between VLANs, and VACLs or PACLs on the switch stack to filter connections between hosts w/in the same VLAN.


Thank you.

Hall of Fame Super Gold

If all of your servers are going to the 3850 then I'd say you've got the wrong switch model to do a DC job.  If you don't configure QoS properly, then your servers will start dropping packets because Catalyst switches have very, very shallow memory buffers.  These memory buffers get swamped when servers do non-stop traffic.


Ideally, Cisco recommends the Nexus solution to connect servers to.  One of the guys here, Joseph, regularly recommends the Catalyst 4500-X as a suitable (and financial) alternative to the more expensive Nexus range.


In a DC environment, if you have a lot of VM stuff, then stick with Layer 2.  V-Motion and Layer 3 don't go hand-in-hand.

New Member

Network traffic is sporadic throughout the day, w/ maybe 1 - 2 concurrent file transfers at a time. This isn't really a DC environment, maybe technically it is, however servers are NOT getting hammered non-stop.  

No virtualization here.

Does this change your view at all?


Thank you.


Hall of Fame Super Gold

Does this change your view at all?

LOL!  A bit.  


Presently (emphasis on the word "presently"), yes.  If you are saying that the current environment is working well with the current design, then sure.  


In the future, can you look into your "crystal ball"?  (I ask because I can't see what your network is going to be like 5 years down the track.)

We have several 10GB connections to servers.

How many?  

New Member

We have (5) 10GB connections.

Presently, yes, we are fine.

I'm asking about design for this type of environment, presently.  Should we implement layer 3 here at the switch level, and would we benefit from this?

Thank you.

VIP Super Bronze

If you need a lot of inter-VLAN routing, and it seems like you do, then I would create the SVIs for the VLANs on the 3850, so the packets don't have to go to the firewall to get routed from one VLAN to another. In addition, this will also avoid the extra hop that is not needed if the 3850 is doing the routing.
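As an added illustration of the SVI approach described in this reply (this is not configuration posted by anyone in the thread), an IOS fragment that routes between two VLANs on the stack, filters inter-VLAN traffic with an ACL on the SVI, uses a VACL for the intra-VLAN host-to-host filtering the original question mentions, and sends everything else to the ASA. VLAN numbers, subnets, ACL names and the ASA inside address are assumptions, and the transit VLAN toward the ASA is not shown.

```cisco
! Added illustration only (not configuration posted in this thread).
! VLAN ids, subnets, ACL names and the ASA inside address are assumed.
!
! Turn on routing so the stack forwards between SVIs itself (no ASA hop).
ip routing
!
vlan 10
 name SERVERS-A
vlan 20
 name SERVERS-B
!
! Inter-VLAN policy, applied inbound on the VLAN 10 SVI.
ip access-list extended VLAN10-IN
 remark ssh/scp pushes from VLAN 10 into VLAN 20
 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 22
 remark replies for TCP sessions VLAN 20 opened toward VLAN 10 (SVI ACLs are stateless)
 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 established
 remark any other east-west traffic to internal ranges is dropped and logged here
 deny   ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.255.255 log
 remark north-south traffic follows the default route to the ASA, which stays stateful
 permit ip 10.0.10.0 0.0.0.255 any
!
interface Vlan10
 description SERVERS-A gateway
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
 no shutdown
!
interface Vlan20
 description SERVERS-B gateway
 ip address 10.0.20.1 255.255.255.0
 no shutdown
!
! VACL for host-to-host filtering inside VLAN 10: bridged traffic never
! reaches the SVI ACL, so it needs its own filter.
ip access-list extended VLAN10-INTRA-SMB
 remark in an access-map, "permit" means "match"; the map decides the action
 permit tcp 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 445
vlan access-map VLAN10-MAP 10
 match ip address VLAN10-INTRA-SMB
 action drop
vlan access-map VLAN10-MAP 20
 action forward
vlan filter VLAN10-MAP vlan-list 10
!
! Default route toward the ASA inside interface for everything not routed locally.
ip route 0.0.0.0 0.0.0.0 10.0.1.254
```

Per-ACE hit counters from `show access-lists` are the quick check that the policy matches what you expect; the `log` keyword copies matching packets to the stack CPU, so it belongs on the final deny only, not on the high-volume permits.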



New Member

Appreciate the input.  Thank you.

New Member

So with layer 3 enabled w/ SVI's and ACL's, inter-VLAN traffic doesn't touch the ASA?

But isn't the ASA 'faster' than the switch re processing ACL's?

Thank you.