4 Replies Latest reply: May 12, 2010 11:46 PM by Milan RSS

    Layer 2 - layer 3 switching


      Lets say i have 2 switches connected like this via trunk


      switch1 |--------| switch2


      Switch1 config - Layer 3 switch


      int fa0/1 - trunk to switch 2
      switchport mode trunk
      switchport trunk encap dot1q


      int vlan 10
      ip address
      no shut


      int vlan 20
      ip address
      no shut


      Switch2 Config


      int fa0/1 - trunk to switch 1
      switchport mode trunk
      switchport trunk encap dot1q


      int vlan 10 - (management IP)
      ip address
      no shut


      QUESTION 1
      If on switch2 i have a management interface configured in vlan 10 like this


      int vlan 10 - (management IP)
      ip address
      no shut


      I should be able to connect to this switches management IP from vlan 20 on switch 1 or 2? What is the process of the packet from a host in vlan 20?


      QUESTION 2
      Lets say i decide to configure the ip of switch2 management interface to


      int vlan 10
      ip address
      no shut
      Whilst keeping the same gateway of last resort (


      If i ping the new management IP from a host on vlan 20 what would happen? Would arp play its course and get me to switch 2?


      Question 3


      Lets say i change switch 2 management interface to vlan 1 and configure IP
      Int vlan 1
      ip address
      no shut


      gateway of last resort - same gateway of last resort


      What would be the outcome? Could i ping/telnet to switch 2 from a host on vlan 20 on either switch 1 or 2?


      The reason i am asking is because right now i have majorly confused myself between layer 2 and layer 3. I dont have any lab equipment to practice this on either so its making it rather difficult.

        • 1. Re: Layer 2 - layer 3 switching
          Scott Morris - CCDE/4xCCIE/2xJNCIE

          1.  Switch 2 would either need "ip default-gateway" or "ip route" to be able to send traffic back.


          2.  You would probably ARP for it if you had no gateway installed, and proxy ARP may help.  Otherwise, if you had a gateway configured but it didn't respond you would simply get nowhere.


          3.  Probably the same of mostly not being reachable. 


          Layer 2 provides data link connectivity.  Which means you need the hardware address (MAC) of the device in question.  If we're talking IP, the way you get that information is to ARP.  No ARP or no ARP response, no communication is possible.  So even though you believe you know the L3 address of the other side, if you have no L2 path to get there, it doesn't do you any good.


          I know where the Eiffel Tower is (L3 destination).  However, if I have no plane ticket (L2 path) to get there, i'm kinda hosed!



          • 2. Re: Layer 2 - layer 3 switching
            Keith Barker - CCIE RS/Security, CISSP

            Scott is right on, as usual. 

            Milan -


            Regarding your questions, pretend that SW2 is a PC, and the answers may come easier for you.

            Q1.   If my PC is in VLAN 10, and has an IP address of and can reach its default gateway of, will the PC be able to reach any other destination, and can other destinations reach him.    YES, assuming the rest of the network is routing correctly.

            Q2.  If I put my PC on VLAN 10, give it an IP address of, and a default gateway of, (assuming we are not discussing proxy arp), will the PC be able to communicate outside of what it believes is the network?   NO.

            Q3. If I change the PC to VLAN 1, give it an IP from the 50.x.x.x network space, with a default gateway of, there won’t be too much talking over the fence their either.

            Best wishes,


            • 3. Re: Layer 2 - layer 3 switching
              Darby Weaver CCDP/CCNP x8



              The issue is one many contend with and that is "What is that Layer three address doing in the first place on a Layer 2 Switch?".




              Suppose we look at it like this:


              1. You can create as many vlans as you like (with no management interface configured and no ip address) can they talk to each other?


              Ans: No. Not between the vlans.  Host can speak to hosts on the same vlan.  Try it.


              2. Now suppose we want to manage the switch itself (think of it as a PC or other end-point device that we are going "to" as opposed to "thru" which is what happened in the first example).


              So we assign an ip address and a default gateway using one of the two methods mentioned above by Scott.




              So now we ping the "SWITCH", we can telnet to the switch, and basically manage the switch.  That's about it.


              Note I am going to use the work coincidentally - I think it is not used often enough...


              Coincidentally we happen to assign the management interface to a vlan which just "HAPPEN TO BE PASSING DATA with a given vlan tag" and that is the ONLY reason is reachable by the vlan in question in the first place.  Nothing else without some type of routing.


              I'm keeping my examples to the L2 switch since I've always felt it was never quite delivered as clearly as it could have been.



              L3 changes things a bit with Arp and L3 SVI's and then routing protocols but not so for VLANs that "TRAVERSE THROUGH" the switch.  Same rules apply.


              In other words - there is no requirement that the management IP on the switch exist in ANY of the vlans on the switch which will carry data...


              It just happens to be the "easy way" and leads to a **** of a lot of misunderstanding.

              • 4. Re: Layer 2 - layer 3 switching

                Thanks so much everyone for your help!


                I have just realised this.. I am at work now and was just setting up a layer to switch which all ports where in the access vlan. I had the management interface in a different vlan but i wasnt trunking to the switch above so i couldnt telnet to it. Soon as i changed the management vlan back to the access vlan then all worked fine and i could telnet to it.



                All these things you learn!