I've read the Cisco white paper on routed access layers and the benefits of having a routed access layer are many:
mitigates L2 loops
load balance across equal-cost paths
route summarization and stub routing
So, what is the argument for having a switched layer then? When would someone opt to maintain a switched access layer when the routed one offers so much?
Before anyone answers that, imagine I'm building an access layer (LAN campus or server farm -- doesn't matter) from scratch and that spending money on an L3 switch is no issue.
I think both are good options. Even with a non-routed access layer, if it is configured correctly and best practices are used, you will have very few problems. You will use more addresses connecting the routed access to the distribution boxes, as opposed to the distribution doing the routing; not a lot, granted, but probably a couple of /30s for the uplinks per box. L2 loops are pretty well mitigated with all the spanning-tree tools that are available on today's switches, and convergence is fast with rapid spanning tree, generally around 2 seconds with RPVST. If you have smaller, less populated subnets you are corralled into a more expensive box, say a 3750 versus a 2960 (L2), which is a fairly big price difference. For most people price is a factor; if not, then that does not matter.
In a building/campus setup there is a strong case for routing from the access layer. The 2 major drawbacks would be:
1) cost - although switches such as the 3560/3750s will run L3 even with base IP images (static + EIGRP stub)
2) You cannot extend a vlan across floors. This is the main limiting factor. You do not have as much flexibility in terms of IP addressing/vlan placement, which can be an issue. If you are starting from scratch then with careful planning you can design around this, but it is something to be aware of.
That said, as you say, routing in the access layer does have some major advantages. And one of the key benefits that was not mentioned is troubleshooting. It is generally a lot easier to troubleshoot L3 issues than L2 issues.
The one place I would think twice about deploying a fully routed access layer would be in the data centre, especially if, as we do, you utilise the 6500 service modules. You can design around this as well, but I have found it is too limiting in this sort of environment.
Others may see it differently.
Jon, I think I know what you mean and I have heard this before, but can you offer some more clarity on this...
"2) You cannot extend a vlan across floors. This is the main limiting factor."
Okay, layer 2 access-layer first.
You have 2 floors, each with an access-layer switch, and they are connected to a distribution switch with L2 links. The distribution switch is L3 and is responsible for the inter-vlan routing.
You have 2 vlans which extend across both floors.
vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.10.0/24
A client on floor 1 wants to talk to a client on floor 2, both in vlan 10.
Client A = 192.168.5.10
Client B = 192.168.5.11
Client A compares 192.168.5.11 with its own subnet mask 255.255.255.0 and realises that client B is on the same network. It then ARPs out for client B's mac-address (assuming it isn't in its cache).
Once it has it, it sends a packet to B. The packet goes to the floor 1 switch, is switched at layer 2 to the distribution switch and then is switched again at layer 2 to the floor 2 switch.
So two machines in same subnet can talk to each other across floors.
Layer 3 access-layer.
Taking the above scenario, only this time with layer 3 uplinks. Note that you couldn't get it to work this way, and this is the reason.
Client A does the same comparison of client B's ip address against its mac-address. Same network, so it ARPs out, but the vlan client A is on terminates on the access-layer switch on that floor. And of course client B cannot respond because the ARP never gets to it.
Even if somehow client A could get the mac-address, the 3750 on that floor has the 192.168.5.0 network directly connected, so it would never route this down to the 6500 distribution switch.
From the 6500 switch's perspective it would see 2 advertisements for the same vlan, one from floor 1 and one from floor 2, so it would never know where a particular client was.
This is what is meant by extending a vlan across floors, and undoubtedly it gives you more flexibility. It may seem from my original post that I favour layer 3 in the access layer. Sometimes yes, i.e. we put Nortel phones into one of our offices and Nortel really don't like spanning-tree!
But I would agree with the other guys on this post that there is absolutely nothing wrong with layer 2 at the access layer; we have many buildings with this design.
I do still feel that for troubleshooting it is generally easier to troubleshoot layer 3 than layer 2.
Hope this has answered your question.
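To make the two designs Jon walks through concrete, here are IOS configuration fragments for each, written as an added example rather than taken from any post in this thread. Hostnames, interface numbers, the 10.0.0.0/30 uplink address and EIGRP AS 100 are assumed for illustration; the VLAN numbers and subnets are the ones used in the example above. The 3560/3750 is assumed on the access side so that the same interface names apply to both designs, and the distribution switch is the 6500 from the thread.

```cisco
! ===== Design A: layer 2 access, all routing on the distribution switch =====
! Access switch, floor 1. Floor 2 is identical; VLANs 10 and 11 span both floors
! because the uplink is an 802.1Q trunk, so the 192.168.5.0/24 broadcast domain
! (and client A's ARP) reaches floor 2 through the distribution switch.
hostname ACCESS-FLOOR1
!
vlan 10
 name USERS-VLAN10
vlan 11
 name USERS-VLAN11
!
! Loop mitigation on the L2 design: RPVST for fast convergence, PortFast plus
! BPDU Guard on edge ports so a user-attached switch/hub cannot become part of the
! spanning tree (assumed best-practice settings, not from the thread).
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/48
 description L2 trunk uplink to DIST-6500
 switchport trunk encapsulation dot1q   ! required on 3560/3750; a 2960 is dot1q-only and rejects this line
 switchport mode trunk
 switchport trunk allowed vlan 10,11
!
! Distribution switch: the only device with SVIs for the user subnets.
hostname DIST-6500
ip routing
!
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
interface Vlan11
 ip address 192.168.10.1 255.255.255.0
!
! ===== Design B: layer 3 access, routed uplinks =====
! Floor 1's 3750 owns 192.168.5.0/24 as a connected route. A floor 2 switch must
! use a different subnet: if it also advertised 192.168.5.0/24, DIST-6500 would see
! two equal advertisements and could not tell which floor a given host is on.
hostname ACCESS-FLOOR1
ip routing
!
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/0/48
 description routed /30 uplink to DIST-6500 (no trunk, no spanning tree on this link)
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
! EIGRP stub is available in the base IP image on the 3560/3750, as the thread notes.
! A stub advertises only its connected/summary routes and is never queried for
! paths it cannot have, which keeps the L3 topology small as the number of
! access switches grows.
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.5.0
 eigrp stub connected summary
!
! Distribution side of the same /30 (one per access switch, hence "a couple of /30s per box").
hostname DIST-6500
ip routing
!
interface GigabitEthernet3/1
 description routed uplink to ACCESS-FLOOR1
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
router eigrp 100
 network 10.0.0.0 0.0.0.3
```

A quick check after applying Design B: `show ip route 192.168.5.0` on DIST-6500 should show a single EIGRP route via 10.0.0.1, and `show ip eigrp neighbors` should list the access switch. If a second floor is accidentally given 192.168.5.0/24 as well, the same route appears with two next hops and the distribution switch load-shares the subnet across both floors, which is exactly the "never know where a particular client was" failure Jon describes.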
In many cases I prefer layer-2, but I seem to be swimming against the current.
You might want fixed IP addresses in your client PCs for tighter management and security, rather than DHCP. In this case, layer-2 would give you greater portability. You would not have to change the IP address every time the PC moved office.
Another minor consideration is that there are some server load balancing schemes that do not work in a routed environment because they rely on distributing different ARP responses to different clients. That would not work through a router.
Finally, if you are running a distributed server cluster, with different nodes in different locations, it is easier to set up if your layer-2 VLANs cover both locations.
Assuming cost isn't an issue, why have a switched access layer?
You avoid some possible L3 performance issues. Modern L3 switches usually provide performance on par with L2 switches, but the operative word is usually.
You avoid large L3 topology issues. These can often be addressed with L3 design techniques, but usage of such techniques may have been unnecessary until you grew the number of L3 devices.
You mention in your first post a white paper regarding "Routed Access Layer". Could you please provide the link?
The only document I've found so far is this one... http://www.cisco.com/en/US/netsol/ns340/ns394/ns147/ns17/networking_solutions_white_paper0900aecd804c6e73.shtml