[nsp] Multi-layer switches - switching at L2, or sending up to L3 first?

Alastair Galloway ag at a.co.nz
Fri Jan 10 13:11:02 EST 2003


Hi,

I've got a question about how multi-layer switching devices (eg Cisco
3550s) handle traffic as it shifts between layers two and three.  I've
had a bit of a look at CCO but it's such a general question that I
haven't found the answer. 

I will have a distribution router/switch (Cisco 3550) attached to a number
of access switches (Cisco 1924s, 2924s and 2950s).  Each access switch
is in a classroom and has two VLANs (not including the management
VLAN) - one for staff and one for students.  This split allows some
layer 3 access-lists to control where staff and students can send IP
traffic.  I'd like to re-use the same VLAN tags on each access switch
without joining the like-tagged VLANs together.  Before multi-layer
switches I think that this would have worked fine (eg on a Cisco 2621):

int FastEthernet 0/1
 description Access switch 1
 switchport mode trunk
 switchport trunk encapsulation isl
!
int FastEthernet 0/1.100
 description Staff VLAN (100) on access switch 1
 encapsulation isl 100
 ip address 192.168.0.1 255.255.255.0
 ip access-group from-192-168-0--24 in
!
int FastEthernet 0/1.200
 description Student VLAN (200) on access switch 1
 encapsulation isl 200
 ip address 192.168.128.1 255.255.255.0
 ip access-group from-192-168-128--24 in
!
int FastEthernet 0/2
 description Access switch 2
 switchport mode trunk
 switchport trunk encapsulation isl
!
int FastEthernet 0/2.100
 description Staff VLAN (100) on access switch 2
 encapsulation isl 100
 ip address 192.168.1.1 255.255.255.0
 ip access-group from-192-168-1--24 in
!
int FastEthernet 0/2.200
 description Student VLAN (200) on access switch 2
 encapsulation isl 200
 ip address 192.168.129.1 255.255.255.0
 ip access-group from-192-168-129--24 in
!

In this case hosts in VLAN 200 on access switch 1 could only talk at
the Layer 2 level to other hosts in the same VLAN on the same switch.  Even
though Ethernet frames tagged with VLAN 200 came into two different
interfaces on the distribution router (F0/1 and F0/2), the two
like-tagged VLANs could only talk to each other by going through the
Layer 3 process, which applied the access lists.

However, I'm not sure about multi-layer switches.  My question is:
would the above config work on a Cisco 3550 to keep the traffic in the
like-tagged VLANs, but on different physical interfaces, separate?  Or
would the switch/router "helpfully" switch all the like-tagged VLANs
between physical interfaces at Layer 2, without making them go via
Layer 3 (and its access-lists)?

If it turns out that the frames are switched at Layer 2 then I'll just
have to say that staff VLANs are 200-299, rather than just 200, eg
(lines snipped to make it shorter):

!
int FastEthernet 0/1.100
 description Staff VLAN (100) on access switch 1
 encapsulation isl 100
!
int FastEthernet 0/1.200
 description Student VLAN (200) on access switch 1
 encapsulation isl 200
!
int FastEthernet 0/2.101
 description Staff VLAN (101) on access switch 2
 encapsulation isl 101
!
int FastEthernet 0/2.201
 description Student VLAN (201) on access switch 2
 encapsulation isl 201
!


Cheers,

Alastair Galloway
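An added check in Python (my own code, not from the post, the list or Cisco) for the configuration style shown above: it parses subinterface blocks like those in the message and reports every VLAN tag that appears on more than one physical port, because on a device where a VLAN ID is one switch-wide broadcast domain those ports would be bridged at Layer 2 and the per-subinterface access lists would never see the traffic between them. The sample configuration is constructed, and the regex and function names are my own.

```python
import re
from collections import defaultdict
# Constructed sample in the style of the post's config (not the poster's own file):
# VLAN 100 is reused on F0/1 and F0/2, while the student VLANs were renumbered 200/201.
SAMPLE_CONFIG = """int FastEthernet 0/1.100
 encapsulation isl 100
 ip address 192.168.0.1 255.255.255.0
 ip access-group from-192-168-0--24 in
!
int FastEthernet 0/1.200
 encapsulation isl 200
!
int FastEthernet 0/2.100
 encapsulation isl 100
 ip address 192.168.1.1 255.255.255.0
 ip access-group from-192-168-1--24 in
!
int FastEthernet 0/2.201
 encapsulation isl 201
!"""

SUBIF_RE = re.compile(r"^int(?:erface)?\s+(.+)\.(\d+)$")        # "int FastEthernet 0/1.100"
ENCAP_RE = re.compile(r"^encapsulation\s+(?:isl|dot1q)\s+(\d+)$")
IP_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)$")
ACL_RE = re.compile(r"^ip access-group\s+(\S+)\s+(in|out)$")

def parse_subinterfaces(config):
    """Return one dict per tagged subinterface: physical port, VLAN tag, address, ACL."""
    subifs, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := SUBIF_RE.match(line):
            cur = {"port": m.group(1), "vlan": int(m.group(2)), "ip": None, "acl": None}
            subifs.append(cur)
        elif line == "!" or cur is None:
            cur = None                       # "!" closes the current interface block
        elif m := ENCAP_RE.match(line):
            cur["vlan"] = int(m.group(1))    # the encapsulation tag is authoritative
        elif m := IP_RE.match(line):
            cur["ip"] = f"{m.group(1)} {m.group(2)}"
        elif m := ACL_RE.match(line):
            cur["acl"] = m.group(1)
    return subifs

def find_shared_tags(subifs):
    """VLAN tags seen on more than one physical port, with the subinterfaces (and ACLs) that would be merged."""
    by_vlan = defaultdict(list)
    for s in subifs:
        by_vlan[s["vlan"]].append(s)
    return {v: lst for v, lst in by_vlan.items() if len({s["port"] for s in lst}) > 1}
```

Running `find_shared_tags(parse_subinterfaces(SAMPLE_CONFIG))` flags only VLAN 100, which is the case the renumbering scheme in the message (one tag range per access switch) is meant to avoid.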

