Layer-3 Switching or Layer-2 Switching?

2023 SEASON SALE Networking and Security Showcase In-stock ICT products at exclusive discounts

Have you ever faced designing a campus network or similar network of hospitals, factories and organizations? How to design a better network? What factors you need to count in? Here we found a case study provided by Ivan Pepelnjak (CCIE No. 1354, is a veteran of the networking industry). What are your ideas? You can share them with us. So firstly let’s see the case and solutions of designing a campus network.

The case was offered by Michael: “I work in a rather large enterprise facing a campus network redesign. I am in favor of using a routed access for floor LANs, and make Ethernet segments rather small (L3 switching on access devices). My colleagues seem to like L2 switching to VSS (distribution layer for the floor LANs). OSPF is in use currently in the backbone as the sole routing protocol. So basically I need some additional pros and cons for VSS vs Routed Access.”

The follow-up questions confirmed he has L3-capable switches in the access layer connected with redundant links to a pair of Cisco Cat6500s:


What are the options of designing the campus network?

In fact, Michael could use two fundamental designs: Layer-3 switching and Layer-2 switching

Layer-3 switching (also known as routing) in the access layer. VLANs would be terminated at the access-layer switch (no user-to-switch redundancy, thus no HSRP), the links between access and distribution layer would be P2P L3 links (routed interfaces) and every single switch would participate in the OSPF routing.


Layer-2 switching (also known as bridging) in the access layer. VLANs would be terminated at the distribution layer; the access layer switches would run as pure bridges. Half of the uplinks would be blocked due to the spanning tree limitations, unless you aggregate them with multi-chassis link aggregation (MLAG), which requires VSS on the Cisco 6500. You would still run STP with MLAG to prevent forwarding loops due to configuration or wiring errors.


When you configure VSS on Catalyst 6500s, they appear as a single IP device, so yet again you don’t need HSRP.

Which network design is better?

Both designs have minor benefits and drawbacks. For example, L3 design is more complex and has larger OSPF areas, L2 design requires VSS on Cat6500. The major showstopper is usually the requirement for multiple security zones (for example, users in different departments or guest VLANs).

You might be lucky enough and satisfy the security requirements by installing packet filters in every access VLANs, but more often than not you have to implement path separationthroughout the network–for example, the guest VLAN traffic should stay separated from internal traffic.

The proper L3 solution to path separation is full-blown MPLS/VPN with label-based forwarding in the L3 part of the network … but HP seems to be the only vendor with MPLS/VPN support on low-end A-series switches.

Without MPLS/VPN you’re left with the Multi-VRF kludge (assuming your access layer switch support VRFs–not all do), where you have to create numerous P2P L3 interfaces (using VLANs) between access and core switches.


Obviously the MultiVRF-based path separation doesn’t scale, so it might be easier to go with the L2 design: terminate VLANs on the Cat6500, where you can use centralized packet filters, VRFs and even MPLS/VPN if you need to retain the path separation across the network core.


L2 or L3 switching, which one you prefer in access network? Do you believe in “route where you must, bridge where you can” or in “route as much as possible”? What are your ideas? Share your ideas.

Notes: There are more comments of discussing Layer-3 switching or Layer-2 switching in the original page

More Networking Topics:

Routers vs. Network Switches

Switch Types and LAN Switching

Router vs. Layer 3 Switches

Share This Post

Post Comment