FAQ Revisions. Editors: skj, Covenant, aryoba, Phraxos
Last modified on 2009-11-24 06:45:45

30.2 Between Router and Layer-3 Switch

·What is the difference between a Layer-3 switch and a router?
·Should I use Layer-3 switch or router?
·Layer-3 Switch recommendation
·Various Network Design using Routers, Layer-3 Switches, and more
Hopefully this will help settle the long-running confusion about Layer-3 switches in this forum...

Some of the content of this FAQ is taken from the Cisco Press book Cisco LAN Switching, pp. 451-453, by Kennedy Clark (CCIE #2175, CCSI) and Kevin Hamilton (CCSI), Copyright © 1999 Cisco Press.

In general, a Layer-3 switch (routing switch) is primarily a switch (a Layer-2 device) that has been enhanced with some routing (Layer-3) capabilities. A router is a Layer-3 device that does routing only. A switching router, on the other hand, is primarily a router that uses switching technology (high-speed ASICs) for speed and performance, while also supporting Layer-2 bridging functions.

Several factors have created significant confusion surrounding the subject of Layer-3 switches and Layer-3 switching. Some of this bewilderment arises from the recent merging of several technologies. In the past, switches and routers have been separate and distinct devices. The term switch was reserved for hardware-based platforms that generally functioned at Layer 2. For example, ATM switches perform hardware-based forwarding of fixed-length cells, whereas Ethernet switches use MAC addresses to make forwarding decisions. Conversely, the term router has been used to refer to a device that runs routing protocols to discover the Layer-3 topology and makes forwarding decisions based on hierarchical Layer-3 addresses. Because of the complexity of these tasks, routers have traditionally been software-based devices. Routers have also performed a wide variety of "high touch" and value-added features such as tunneling, data-link switching (DLSw), protocol translation, access lists, and Dynamic Host Configuration Protocol (DHCP) relay.

As a broad category, routing switches use hardware to create shortcut paths through the middle of the network, bypassing the traditional software-based router. Unlike traditional routers, which use general-purpose CPUs for both control-plane and data-plane functions, Layer-3 switches use high-speed application-specific integrated circuits (ASICs) in the data plane. By removing CPUs from the data-plane forwarding path, wire-speed performance can be obtained. The result is a much faster version of the traditional router.

Some network topologies as illustrations

1. Single Router

Internet
|
| 1.1.1.0/24
|
Router
|
LAN 1 with Unmanaged Switch (UM)
10.0.1.0/24

2. Single Router with multiple LAN subnets

Internet
|
| 1.1.1.0/24
|
Router --- LAN 2 with UM 10.0.2.0/24
|
LAN 1 with UM
10.0.1.0/24

3. Single Router with single connection to a switch and with multiple LAN subnets (also known as "Router on A Stick" design)

Internet
|
| 1.1.1.0/24
|
Router
*
* Single Connection to a Switch using feature called Trunking
*
Layer-2 Managed Switch
   |        |        |
   |      LAN 2      |
   |     with UM     |
   |   10.0.2.0/24   |
   |                 |
 LAN 1             LAN 3
with UM           with UM
10.0.1.0/24     10.0.3.0/24

4. Single Router with Layer-3 Switch and with multiple LAN subnets

Internet
|
| 1.1.1.0/24
|
Internet Router
|
| 10.0.0.0/24
|
Layer-3 Switch
   |        |        |
   |      LAN 2      |
   |     with UM     |
   |   10.0.2.0/24   |
   |                 |
 LAN 1             LAN 3
with UM           with UM
10.0.1.0/24     10.0.3.0/24

5. Multiple Routers with multiple unmanaged (dumb) switches and with multiple LAN subnets

Internet
|
| 1.1.1.0/24
|
Internet Router
|
| 10.0.0.0/24
|
Unmanaged Switch (UM)
   |        |        |
   |     Router 2    |
   |        |        |
   |      LAN 2      |
   |     with UM     |
   |   10.0.2.0/24   |
   |                 |
Router 1          Router 3
   |                 |
 LAN 1             LAN 3
with UM           with UM
10.0.1.0/24     10.0.3.0/24

Of the variety of other switching devices and terminology released by vendors, Layer-4 and Layer-7 switching have received considerable attention. In general, these approaches refer to the capability of a switch to act on Layer-4 (transport layer) information contained in packets. For example, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers can be used to make decisions affecting issues such as security and Quality of Service (QoS). However, rather than being viewed as a third type of campus switching device, these should be seen as a logical extension and enhancement of the two types of switches already discussed. In fact, both routing switches and switching routers can perform these upper-layer functions.

For more on the differences between these topologies, the advantages of one over another, and more, check out the following FAQ:
»Cisco Forum FAQ »Should I use Layer-3 switch or router?


by rolande, edited by aryoba
last modified: 2009-09-18 11:28:17

In general, you want to use a router when the device does routing most of the time. Likewise, you want to use a switch when the device does switching most of the time. This becomes more apparent when dealing with larger networks such as an ISP or a large corporation.

An ISP, for example, uses a router (at least a 7600 series) as the edge router that holds the full BGP view. For its "internal network", it uses Layer-3 switches (usually the Catalyst 6500 series).

The idea behind the Layer-3 switch is basically to do inter-VLAN routing efficiently, i.e. internal routing between multiple broadcast domains (multiple LANs, each with its own subnet), while keeping Layer-2 features such as spanning tree and trunking. To handle the "border" or "edge" of the network, however, a router is used, since a router is designed to handle traffic crossing the network border or edge.

For more info, you can check out the following FAQ:
»Cisco Forum FAQ »What is the difference between a Layer-3 switch and a router?

The following illustrates using a Layer-3 switch to do inter-VLAN routing.

Internet
|
Router
|
| 10.0.0.0/24
|
Layer-3 Switch
   |        |        |
   |      LAN 2      |
   |   10.0.2.0/24   |
   |                 |
 LAN 1             LAN 3
10.0.1.0/24     10.0.3.0/24

Sample Configuration of Layer-3 Switch design implementation

Router:

interface FastEthernet0/0
description Internet
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
description To Layer-3 Switch
ip address 10.0.0.1 255.255.255.252
ip nat inside
!
ip route 10.0.0.0 255.0.0.0 10.0.0.2
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!

Switch

vlan 1,11-13
!
ip routing
!
interface FastEthernet0/1
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/3
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/4
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/5
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/6
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/7
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/8
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/9
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/12
description To Router
no switchport
ip address 10.0.0.2 255.255.255.252
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan11
description LAN 1
ip address 10.0.1.1 255.255.255.0
!
interface Vlan12
description LAN 2
ip address 10.0.2.1 255.255.255.0
!
interface Vlan13
description LAN 3
ip address 10.0.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!

Keep in mind that Layer-3 switches are generally not cheap from the perspective of SOHO users or small businesses, since Layer-3 switches are designed for organizations that need physical hardware separation between router and switch when routing is required. Should cheap Layer-3 switches be available, though, SOHO users and small businesses are more than welcome to use them.

When small businesses need to do inter-VLAN routing (i.e. data interchange between multiple departments) or internal routing between LAN subnets (multiple broadcast domains), there are some "cheap" solutions besides Layer-3 switches that may still be reliable.

One solution is the "Router On A Stick" design, which consists of a router and a Layer-2 switch that are both capable of trunking. The following is an illustration.

Internet
|
Router with Trunking Capability
*
* Trunk between router and switch
*
Switch with Trunking Capability
   |       |       |       |       |
   |       |       |       |       |
   |     LAN 2     |     LAN 4     |
   | 10.0.2.0/24   | 10.0.4.0/24   |
   |               |               |
 LAN 1           LAN 3           LAN 5
10.0.1.0/24   10.0.3.0/24   10.0.5.0/24

Sample Configuration of "Router On A Stick" design implementation

Router:

interface FastEthernet0/0
description Internet
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
description Trunk to Switch
no ip address
!
interface FastEthernet0/1.2
description Native VLAN
ip address 10.0.0.1 255.255.255.252
encapsulation dot1q 2 native
ip nat inside
!
interface FastEthernet0/1.11
description LAN 1
ip address 10.0.1.1 255.255.255.0
encapsulation dot1q 11
ip nat inside
!
interface FastEthernet0/1.12
description LAN 2
ip address 10.0.2.1 255.255.255.0
encapsulation dot1q 12
ip nat inside
!
interface FastEthernet0/1.13
description LAN 3
ip address 10.0.3.1 255.255.255.0
encapsulation dot1q 13
ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!

Switch

vlan 1-2,11-13
!
interface FastEthernet0/1
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/3
description LAN 3
switchport access vlan 13
switchport mode access
!
interface FastEthernet0/12
description Trunk to Router
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 1-2,11-13
switchport mode trunk
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description Native VLAN
ip address 10.0.0.2 255.255.255.252
!
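
As an added check for the "Router On A Stick" design (example code written for this FAQ entry, not the forum's own configuration), the following Python parses two short constructed IOS configs and flags the two slips that most often break this design: the same subnet pasted onto two subinterfaces, and a native VLAN that is tagged on the router but left at the IOS default on the switch trunk. The config text, the function names and the FastEthernet0/12 trunk name are assumptions made for the sample.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed configs (not the FAQ's own): LAN 1's address is repeated on the
# LAN 3 subinterface, and the switch trunk never sets native VLAN 2 (IOS default is 1).
ROUTER_CFG = """
interface FastEthernet0/1.2
 ip address 10.0.0.1 255.255.255.252
 encapsulation dot1q 2 native
!
interface FastEthernet0/1.11
 ip address 10.0.1.1 255.255.255.0
 encapsulation dot1q 11
!
interface FastEthernet0/1.13
 ip address 10.0.1.1 255.255.255.0
 encapsulation dot1q 13
!
"""
SWITCH_CFG = """
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-2,11-13
 switchport mode trunk
!
interface Vlan2
 ip address 10.0.0.2 255.255.255.252
!
"""

def parse_ios(config):
    """Map each 'interface X' stanza to its IPv4Interface (or None) and its lines."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {"ip": None, "lines": []}
        elif line == "!" or not line:
            current = None
        elif current is not None:
            ifaces[current]["lines"].append(line)
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:  # ipaddress accepts a dotted netmask after the slash
                ifaces[current]["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces

def duplicate_subnets(ifaces):
    """Subnets configured on more than one interface, e.g. a copy-paste slip."""
    by_net = defaultdict(list)
    for name, data in ifaces.items():
        if data["ip"] is not None:
            by_net[data["ip"].network].append(name)
    return sorted((str(n), sorted(v)) for n, v in by_net.items() if len(v) > 1)

def first_vlan(ifaces, pattern, default):
    """First VLAN id captured by `pattern` on any interface line, else default."""
    for data in ifaces.values():
        for line in data["lines"]:
            m = re.match(pattern, line)
            if m:
                return int(m.group(1))
    return default

def native_vlan_mismatch(router_cfg, switch_cfg):
    """(router_native, switch_native) if they differ, else None; IOS trunk default is 1."""
    r = first_vlan(parse_ios(router_cfg), r"encapsulation dot1q (\d+) native$", None)
    s = first_vlan(parse_ios(switch_cfg), r"switchport trunk native vlan (\d+)$", 1)
    return None if r == s else (r, s)
```

Run against real configs, an empty result from both functions is what you want before bringing the trunk up; a native VLAN mismatch also shows up as a CDP warning once the link is live.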

Another, probably cheaper, solution is to set up multiple unmanaged (dumb) switches together with multiple routers. While the "Router On A Stick" design means a single router terminates multiple LAN subnets, this second solution means each router terminates its own LAN subnet. The following is an illustration.

Internet
|
Internet Router
|
| 10.0.0.0/24
|
Unmanaged Switch
   |        |        |
   |     Router 2    |
   |        |        |
   |      LAN 2      |
   |   10.0.2.0/24   |
   |                 |
Router 1          Router 3
   |                 |
 LAN 1             LAN 3
10.0.1.0/24     10.0.3.0/24

Sample Configuration of multiple router design implementation

1. Static Routing

When there are only a few LANs (broadcast domains), a static routing design should be sufficient.

Internet Router:

interface FastEthernet0/0
description Internet
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
description Unmanaged Switch (LAN)
ip address 10.0.0.254 255.255.255.0
ip nat inside
!
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.0.2
ip route 10.0.3.0 255.255.255.0 10.0.0.3
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!

Router 1

interface FastEthernet0/0
description Unmanaged Switch
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
description LAN 1
ip address 10.0.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip route 10.0.2.0 255.255.255.0 10.0.0.2
ip route 10.0.3.0 255.255.255.0 10.0.0.3
!

Router 2

interface FastEthernet0/0
description Unmanaged Switch
ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/1
description LAN 2
ip address 10.0.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.3.0 255.255.255.0 10.0.0.3
!

Router 3

interface FastEthernet0/0
description Unmanaged Switch
ip address 10.0.0.3 255.255.255.0
!
interface FastEthernet0/1
description LAN 3
ip address 10.0.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.0.2
!

2. Dynamic Routing

When there are more LANs (broadcast domains) in place, a design based on dynamic routing with RIP might scale better than the static route approach.

Internet Router:

interface FastEthernet0/0
description Internet
ip address dhcp
ip nat outside
!
interface FastEthernet0/1
description Unmanaged Switch (LAN)
ip address 10.0.0.254 255.255.255.0
ip nat inside
!
router rip
version 2
redistribute static route-map DEFAULT-ROUTE
network 10.0.0.0
no auto-summary
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
access-list 10 remark Redistribute Default Route only
access-list 10 permit 0.0.0.0
!
route-map DEFAULT-ROUTE permit 10
match ip address 10
set metric 1
!

Router 1

interface FastEthernet0/0
description Unmanaged Switch
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
description LAN 1
ip address 10.0.1.1 255.255.255.0
!
router rip
version 2
network 10.0.0.0
no auto-summary
!

Router 2

interface FastEthernet0/0
description Unmanaged Switch
ip address 10.0.0.2 255.255.255.0
!
interface FastEthernet0/1
description LAN 2
ip address 10.0.2.1 255.255.255.0
!
router rip
version 2
network 10.0.0.0
no auto-summary
!

Router 3

interface FastEthernet0/0
description Unmanaged Switch
ip address 10.0.0.3 255.255.255.0
!
interface FastEthernet0/1
description LAN 3
ip address 10.0.3.1 255.255.255.0
!
router rip
version 2
network 10.0.0.0
no auto-summary
!

Whichever solution you choose, you should always use a managed switch instead of an unmanaged one, since in general a managed switch is more reliable and has more functionality to tune.

More Sample Design and Configuration
»Cisco Forum FAQ »Various Network Design using Routers, Layer-3 Switches, and more


by aryoba
last modified: 2009-07-31 16:38:30

As of this FAQ's posting, the current Cisco Catalyst Layer-3 switches are the 3560, 3750, 4500 series, 4900 series, and 6500 series. The following are illustrations of Layer-3 switches, with examples of Catalyst 3550 and 3560 features and capabilities. Note that the Catalyst 3550 is considered EOL and its current replacement is the 3560.

»RE: can a l3 switch with full dynamic protocol set
»Layer 3 Switches? Recommendations


by aryoba
last modified: 2009-06-17 08:54:54

Prerequisite reading
»Cisco Forum FAQ »Should I use Layer-3 switch or router?

The above FAQ link shows some basic network setups using routers and switches. Following are more network design samples that are also common in many organizations.

Sample 1:

Internet
|
|
Router
|
|
Firewall
|
|
Layer-3 Switch
   |        |        |
   |        |        |
Layer-2     |     Layer-2
Switch      |     Switch
            |
     Layer-2 Switch

Background

* This sample configuration assumes the Router does NAT/PAT, the firewall does stateful firewalling, and the Layer-3 Switch acts as both switch and router to route internal traffic. To learn more about NAT/PAT, check out the following FAQ for details: »Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Sample 1 Configuration

Router


PIX Firewall


Switch


Sample 2:

Internet
|
|
Router
|
|
           Switch
           |     |
DMZ ----- Firewall - Firewall   (two redundant firewalls)
             1         2
             |         |
          Layer-3 ---- Layer-3  (two redundant Layer-3 switches)
          Switch 1     Switch 2
          | | |        | | |
          | | |        | | |
          | |    Layer-2   | |
          | |    Switch    | |
          | |              | |
          |   Layer-2 Switch  |
          |                   |
          |                   |
          +-- Layer-2 Switch -+

Background

Switch
* The Layer-3 switches act as the Spanning-Tree Root Bridges for all switches and provide the HSRP gateways. For preliminary info on Root Bridges, check out the following link: Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches. For preliminary info on HSRP, check out the following link: Hot Standby Router Protocol Features and Functionality
* Rapid Spanning Tree Protocol is used to provide faster convergence while keeping the network stable. For more info on Rapid Spanning Tree, check out the following link: Understanding Rapid Spanning Tree Protocol (802.1w)
* For some VLANs, Layer-3 Switch 1 is the primary Root Bridge while Layer-3 Switch 2 is the backup. For other VLANs, Layer-3 Switch 2 is the primary Root Bridge while Layer-3 Switch 1 is the backup.
* Similarly, for some VLANs Layer-3 Switch 1 is the HSRP primary while Layer-3 Switch 2 is the backup. For other VLANs, Layer-3 Switch 2 is the HSRP primary while Layer-3 Switch 1 is the backup.
* For VLAN connection reliability, the same Layer-3 switch should be both the Root Bridge and the HSRP primary for a given VLAN.
* In this sample configuration, the Root Bridge and HSRP primaries for VLANs 5, 7, and 100 are on Layer-3 Switch 1, while those for VLANs 1, 20, and 200 are on Layer-3 Switch 2.
* To avoid unnecessary traffic flow, only some VLANs are allowed to pass over some of the trunks between switches.
* There is IP routing in place between the Layer-3 switches and the firewalls.

Firewall
* The firewall could be either a PIX Firewall or an ASA, running OS 7.x or later.
* The firewall setup is LAN-based Active/Standby failover, which is similar in a sense to the HSRP/VRRP mechanism: the primary firewall's interface IP address is the "virtual" gateway through which the interface subnet reaches other networks. For more info on PIX/ASA Active/Standby failover, check out the following link: How Failover Works on the Cisco Secure PIX Firewall
* The firewall acts as both Internet firewall and IPsec VPN concentrator. For more info on this, check out the forum's FAQ »Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

(The Internet or Outside) Router/Switch
* There is a basic Internet firewall at the router to filter clearly questionable inbound traffic from the Internet into the network. For more info on this, check out the forum's FAQ »Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature
* There is no need for the router to do stateful firewalling, since the firewall appliance (PIX/ASA) already provides the stateful firewall functionality.

AAA Command Set
* All Cisco devices in this sample configuration use a proper AAA command set for security reasons. For more info on this, check out the forum's FAQ »Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level

Sample 2 Configuration

Router


Switch (Layer-3 capable)


Firewall 1 (Active)


Firewall 2 (Standby)


Layer 3 Switch 1


Layer 3 Switch 2


Sample 3:

                                   Internet
                                   |      |
                                   |      |
                              Internet   Internet
                              Router 1   Router 2
                                   |      |
                                   |      |
                   DMZ ----- Firewall   Firewall   (two redundant firewalls)
                                   1      2
                                   |      |
                                   |      |
Bluecoat ProxySG1 int 0:0 --- Router 1   Router 2 --- Bluecoat ProxySG1 int 1:0
                                 |  \    /  |
                                 |   \  /   |
                              Layer-3 ---- Layer-3  (two redundant Layer-3 switches)
                              Switch 1     Switch 2
                              | | |        | | |
                              | | |        | | |
                              | |    Layer-2   | |
                              | |    Switch    | |
                              | |              | |
                              |   Layer-2 Switch  |
                              |                   |
                              |                   |
                              +-- WAN Router 1 ---+
                                       |
                                       |
                                  WAN Router 2
                                       |
                                       |
Bluecoat ProxySG2 int 0:0 ---- Layer-3 Switch --- Firewall --- Internet Router --- Internet
                                 |      |      |
                                 |      |      |
                              Layer-2   |   Layer-2
                              Switch    |   Switch
                                        |
                                  Layer-2 Switch

Background

* The Bluecoat ProxySG appliances do WCCP with the routers and switch, which must support the WCCP version 2 "redirect out" command. More detail on WCCP can be found here: »Cisco Forum FAQ »WCCP with Router/MSFC and Blue Coat ProxySG
* The site that has two Internet connections (the HQ) load-shares Internet traffic: some subnets take ISP 1 as primary and other subnets take ISP 2 as primary.
* The ProxySG appliances intercept outbound traffic from Inside machines to the Internet and initiate the outbound connection using the appliance's own IP address on behalf of the Inside machines, as part of the proxy mechanism.
* Note that the proxy mechanism could break the BGP load-share mechanism. Therefore any BGP load sharing must occur before the traffic is intercepted or proxied. This is why the HQ has Routers 1 and 2 do the WCCP interception, redirection, and proxying, and lets Layer-3 Switches 1 and 2 do the BGP load sharing.
* Routers 1 and 2 have no counterpart at the Branch site, since that site has only a single Internet connection and no Internet load sharing.
* The outbound BGP load-share mechanism at the HQ site can be seen as "too complex" from the Branch site's perspective, which is why the HQ site has BGP Confederation in place. For more info on BGP Confederation, check out the following link: BGP Case Studies: BGP Confederation

Sample 3 Configuration

Internet Router 1:


Internet Router 2:


Firewall 1


Firewall 2


Router 1


Router 2


Blue Coat ProxySG1 configuration

1. Interface

interface 0:0
IP Address : 10.0.2.6
Subnet Mask : 255.255.255.0
Default Gateway: 10.0.2.1

interface 1:0
IP Address : 10.0.3.6
Subnet Mask : 255.255.255.0
Default Gateway: 10.0.3.1

2. WCCP

wccp enable
wccp version 2
service-group 20
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 80 80 80 80 80 80 80
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end
service-group 10
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 21 443 554 5004 5005 1755 8554
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end

3. Static Routes for Home Router IP Address Reachability

192.168.66.1 255.255.255.255 10.0.2.1
192.168.66.2 255.255.255.255 10.0.3.1

Layer-3 Switch 1


Layer-3 Switch 2


WAN 1 Router


WAN 2 Router


Layer-3 Switch


Blue Coat ProxySG2 configuration

1. Interface

interface 0:0
IP Address : 10.1.2.6
Subnet Mask : 255.255.255.0
Default Gateway: 10.1.2.1

2. WCCP

wccp enable
wccp version 2
service-group 20
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 80 80 80 80 80 80 80
interface 0:0
interface 1:0
home-router 192.168.67.1
forwarding-type GRE
end
service-group 10
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 21 443 554 5004 5005 1755 8554
interface 0:0
interface 1:0
home-router 192.168.67.1
forwarding-type GRE
end

3. Static Routes for Home Router IP Address Reachability

192.168.67.1 255.255.255.255 10.1.2.1

Firewall


Internet Router:




by aryoba
last modified: 2009-08-01 06:49:37


