Throughout this module, we've examined switches and routers as distinct device categories—switches operating at Layer 2, routers at Layer 3. But modern network infrastructure has evolved beyond this simple dichotomy.
Multilayer switches (MLS) represent the convergence of switching and routing, combining the wire-speed forwarding of switches with the intelligent routing capabilities of routers. These devices have become the workhorses of enterprise networks, data centers, and campus deployments.
Understanding multilayer switches is essential because they dominate modern network deployments. The device you call a "switch" in an enterprise environment is almost certainly a multilayer switch capable of both Layer 2 switching and Layer 3 routing—and using both simultaneously.
By completing this page, you will understand the architecture of multilayer switches, how they perform both switching and routing in hardware, the configuration paradigms for Layer 2 and Layer 3 operation, and how to leverage these devices effectively in modern network designs.
A multilayer switch (MLS), also called a Layer 3 switch or routing switch, is a network device that combines the functionality of a traditional Ethernet switch with the routing capabilities of a router.
Key Definition:
┌─────────────────────────────────────────────────────────────────────────────┐
│ MULTILAYER SWITCH │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ A multilayer switch is a network device that: │
│ │
│ 1. Switches frames at Layer 2 (MAC-based forwarding) │
│ 2. Routes packets at Layer 3 (IP-based forwarding) │
│ 3. Performs BOTH functions in hardware at wire speed │
│ 4. On the SAME physical device, simultaneously │
│ │
│ NOT just a switch + router in one box │
│ The switching and routing are integrated at the ASIC level │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Historical Context:
Early networks had clear separation:
This created bottlenecks: traffic between VLANs had to leave the switch, traverse a router (often slower), and return. The router became a choke point.
The MLS Revolution:
Multilayer switches solved this by implementing routing logic in ASICs (Application-Specific Integrated Circuits):
The Result:
Today's multilayer switches can forward 100 Gbps+ with sub-microsecond latency, whether the traffic is being switched within a VLAN or routed between VLANs. The performance distinction between "switch" and "router" has largely disappeared.
Almost every enterprise-grade "switch" sold today is actually a multilayer switch. The Cisco Catalyst, Juniper EX, Arista, HP/Aruba, and similar product lines all support Layer 3 routing. "Pure" Layer 2 switches still exist but are typically found only in small office/home office (SOHO) environments.
Understanding how multilayer switches are built internally reveals why they can perform both functions at wire speed.
Internal Architecture:
┌─────────────────────────────────────────────────────────────────────────────┐
│ MULTILAYER SWITCH ARCHITECTURE │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ UNIFIED FORWARDING ENGINE │ │
│ │ │ │
│ │ ┌──────────────────────────────────────────────────────────────┐ │ │
│ │ │ TCAM (Ternary CAM) │ │ │
│ │ │ ┌───────────────────────────────────────────────────────┐ │ │ │
│ │ │ │ MAC Table │ Routing Table │ ACL Table │ │ │ │
│ │ │ │ (L2 forwarding) │ (L3 forwarding)│ (Filtering) │ │ │ │
│ │ │ └───────────────────────────────────────────────────────┘ │ │ │
│ │ └──────────────────────────────────────────────────────────────┘ │ │
│ │ │ │ │
│ │ ┌────────┴────────┐ │ │
│ │ │ Forwarding │ │ │
│ │ │ Decision │ │ │
│ │ │ Logic │ │ │
│ │ └────────┬────────┘ │ │
│ │ │ │ │
│ │ ┌──────────────────────────┴──────────────────────────────────┐ │ │
│ │ │ SWITCHING FABRIC │ │ │
│ │ │ (Crossbar / Shared Memory) │ │ │
│ │ └────┬──────┬──────┬──────┬──────┬──────┬──────┬──────┬───────┘ │ │
│ │ │ │ │ │ │ │ │ │ │ │
│ │ ┌──┴──┐┌──┴──┐┌──┴──┐┌──┴──┐┌──┴──┐┌──┴──┐┌──┴──┐┌──┴──┐ │ │
│ │ │Pt 1 ││Pt 2 ││Pt 3 ││Pt 4 ││Pt 5 ││Pt 6 ││Pt 7 ││Pt 8 │ │ │
│ │ │L2/L3││L2/L3││L2/L3││L2/L3││L2/L3││L2/L3││L2/L3││L2/L3│ │ │
│ │ └─────┘└─────┘└─────┘└─────┘└─────┘└─────┘└─────┘└─────┘ │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ CONTROL PLANE CPU │ │
│ │ - Routing protocols (OSPF, BGP, EIGRP) │ │
│ │ - STP calculation │ │
│ │ - Management (SSH, SNMP, CLI) │ │
│ │ - Table population (pushes entries to TCAM) │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Key Architectural Components:
1. Unified TCAM (Ternary Content-Addressable Memory):
The TCAM stores multiple table types in a single memory structure:
All lookups happen in parallel, in a single pass, at wire speed.
2. Forwarding Decision Logic:
The ASIC implements forwarding logic that:
3. Per-Port Flexibility:
Each physical port can be independently configured as:
This flexibility allows the same device to serve as both access switch and router simultaneously.
The distinction matters: hardware forwarding in ASICs is orders of magnitude faster than software forwarding on a CPU. Multilayer switches perform the fast path (common cases) in hardware. Only exceptions (complex ACLs, certain protocols) may need CPU processing. Monitor for "software-switched" traffic—it indicates potential performance issues.
Multilayer switches offer flexible port configuration. Understanding port modes and SVIs is essential for effective MLS configuration.
Three Port Configuration Modes:
┌─────────────────────────────────────────────────────────────────────────────┐
│ PORT CONFIGURATION MODES │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. LAYER 2 ACCESS PORT │
│ ┌────────────────────────────────────────────────────────────────────┐ │
│ │ interface GigabitEthernet0/1 │ │
│ │ switchport mode access │ │
│ │ switchport access vlan 10 │ │
│ │ │ │
│ │ Behavior: Pure Layer 2 operation │ │
│ │ - Frames switched based on MAC address │ │
│ │ - No IP address on port │ │
│ │ - Belongs to single VLAN │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │
│ 2. LAYER 2 TRUNK PORT │
│ ┌────────────────────────────────────────────────────────────────────┐ │
│ │ interface GigabitEthernet0/2 │ │
│ │ switchport mode trunk │ │
│ │ switchport trunk allowed vlan 10,20,30 │ │
│ │ │ │
│ │ Behavior: Carries multiple VLANs │ │
│ │ - Frames tagged with 802.1Q │ │
│ │ - No IP address on port directly │ │
│ │ - Connects to other switches or routers │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │
│ 3. LAYER 3 ROUTED PORT │
│ ┌────────────────────────────────────────────────────────────────────┐ │
│ │ interface GigabitEthernet0/3 │ │
│ │ no switchport ◄── Key command! │ │
│ │ ip address 10.0.0.1 255.255.255.0 │ │
│ │ │ │
│ │ Behavior: Pure Layer 3 operation │ │
│ │ - Packets routed based on destination IP │ │
│ │ - Port has its own IP address │ │
│ │ - No VLAN association (exits Layer 2 entirely) │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Switch Virtual Interfaces (SVIs):
An SVI is a virtual Layer 3 interface associated with a VLAN. It provides the "gateway" for devices in that VLAN.
┌─────────────────────────────────────────────────────────────────────────────┐
│ SWITCH VIRTUAL INTERFACE (SVI) │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Configuration: │
│ interface Vlan10 ◄── SVI for VLAN 10 │
│ ip address 192.168.10.1 255.255.255.0 ◄── Default gateway for VLAN │
│ no shutdown │
│ │
│ Conceptual View: │
│ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ MULTILAYER SWITCH │ │
│ │ │ │
│ │ ┌───────────────────────────────────────────────────────────────┐ │ │
│ │ │ ROUTING ENGINE │ │ │
│ │ │ │ │ │
│ │ │ Routing Table: │ │ │
│ │ │ C 192.168.10.0/24 VLAN10 (via SVI) │ │ │
│ │ │ C 192.168.20.0/24 VLAN20 (via SVI) │ │ │
│ │ │ C 10.0.0.0/24 Gi0/3 (routed port) │ │ │
│ │ └───────────────────────────────────────────────────────────────┘ │ │
│ │ │ │ │ │
│ │ ┌─────┴─────┐ ┌─────┴─────┐ │ │
│ │ │ SVI │ │ SVI │ │ │
│ │ │ VLAN 10 │ │ VLAN 20 │ │ │
│ │ │192.168.10.1│ │192.168.20.1│ │ │
│ │ └─────┬─────┘ └─────┬─────┘ │ │
│ │ │ │ │ │
│ │ ┌─────┴─────────────────────────────┴─────────────────────────┐ │ │
│ │ │ LAYER 2 VLAN DATABASE │ │ │
│ │ │ │ │ │
│ │ │ VLAN 10 │ VLAN 20 │ │ │
│ │ │ ports 1,2,3 │ ports 4,5,6 │ │ │
│ │ └─────┬────────────────────────────┬──────────────────────────┘ │ │
│ └─────────┼────────────────────────────┼───────────────────────────┘ │
│ │ │ │ │
│ ┌──────┴──────┐ ┌──────┴──────┐ │
│ │ Ports 1,2,3 │ │ Ports 4,5,6 │ │
│ └─────────────┘ └─────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
How SVIs Enable Inter-VLAN Routing:
Devices in VLAN 10 use 192.168.10.1 as their default gateway (the SVI). When they need to reach VLAN 20:
- Access ports: Connect end devices.
- Trunk ports: Connect switches or routers carrying multiple VLANs.
- Routed ports: Connect to other routers or WAN links where no VLANs are needed.
- SVIs: Provide the default gateway for VLANs without needing a routed port.
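As an added illustration (not code from the page or from any vendor), the following Python model walks through the forwarding decision an MLS makes per frame: a frame not addressed to the SVI's MAC is switched within its VLAN by MAC-table lookup, while a frame addressed to the gateway MAC is routed by longest-prefix match and then switched again in the egress VLAN. The routing table mirrors the SVI diagram above; the gateway MAC, MAC table and ARP table are constructed values, and the `ip_routing` flag models a switch without the global `ip routing` command.

```python
# Added model of an MLS forwarding decision (illustrative; not vendor code).
from ipaddress import ip_address, ip_network

# Constructed tables. The routing table mirrors the SVI diagram above.
SVI_MAC = "00:00:0c:aa:bb:cc"                 # constructed gateway MAC of the SVIs
MAC_TABLE = {                                 # (vlan, mac) -> port, constructed
    (10, "00:11:22:33:44:01"): 1,
    (10, "00:11:22:33:44:02"): 2,
    (20, "00:11:22:33:44:04"): 4,
}
ARP_TABLE = {                                 # ip -> mac, constructed
    "192.168.10.2": "00:11:22:33:44:02",
    "192.168.20.4": "00:11:22:33:44:04",
}
ROUTING_TABLE = [                             # connected routes from the diagram
    (ip_network("192.168.10.0/24"), "Vlan10"),
    (ip_network("192.168.20.0/24"), "Vlan20"),
    (ip_network("10.0.0.0/24"), "Gi0/3"),     # routed port, no VLAN
]
SVI_VLAN = {"Vlan10": 10, "Vlan20": 20}       # SVI name -> VLAN it fronts


def longest_prefix_match(dst_ip):
    """Return the egress interface for dst_ip, or None if no route exists."""
    dst = ip_address(dst_ip)
    matches = [(net, ifc) for net, ifc in ROUTING_TABLE if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(ingress_vlan, dst_mac, dst_ip, ip_routing=True):
    """Decide what the switch does with a frame arriving on ingress_vlan.

    Returns ("switch", port), ("flood", vlan), ("route", egress, port)
    or ("drop", reason).  ip_routing=False models a switch without the
    global 'ip routing' command: SVIs exist but nothing is routed.
    """
    dst_mac = dst_mac.lower()
    if dst_mac != SVI_MAC:
        # Not addressed to the gateway: Layer 2 only, same-VLAN MAC lookup.
        port = MAC_TABLE.get((ingress_vlan, dst_mac))
        return ("switch", port) if port is not None else ("flood", ingress_vlan)
    if not ip_routing:
        return ("drop", "ip routing disabled")
    egress = longest_prefix_match(dst_ip)
    if egress is None:
        return ("drop", "no route")
    if egress not in SVI_VLAN:
        return ("route", egress, None)         # leaves via a routed port
    # Routed onto another VLAN: resolve next-hop MAC, then switch in that VLAN.
    egress_vlan = SVI_VLAN[egress]
    next_mac = ARP_TABLE.get(dst_ip)
    if next_mac is None:
        return ("drop", "arp unresolved")
    port = MAC_TABLE.get((egress_vlan, next_mac))
    return ("route", egress_vlan, port)
```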
Inter-VLAN routing is one of the primary use cases for multilayer switches. There are several methods to achieve this, each with different tradeoffs.
Method 1: Router-on-a-Stick (Legacy)
Before multilayer switches, external routers performed inter-VLAN routing:
┌─────────────────────────────────────────────────────────────────────────────┐
│ ROUTER-ON-A-STICK │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────┐ │
│ │ ROUTER │ │
│ │ │ │
│ │ interface Gig0/0.10 │ │
│ │ encapsulation dot1Q 10 │ │
│ │ ip address 192.168.10.1 255.255.255.0 │ │
│ │ │ │
│ │ interface Gig0/0.20 │ │
│ │ encapsulation dot1Q 20 │ │
│ │ ip address 192.168.20.1 255.255.255.0 │ │
│ └────────────────────┬────────────────────────────┘ │
│ │ │
│ Trunk│(VLANs 10,20) │
│ │ │
│ ┌────────────────────┴─────────────────────────────┐ │
│ │ LAYER 2 SWITCH │ │
│ │ (Cannot route between VLANs) │ │
│ └────────────────────┬─────────────────────────────┘ │
│ ┌─────────┴─────────┐ │
│ │ │ │
│ Access Port Access Port │
│ VLAN 10 VLAN 20 │
│ │
│ Traffic flow: VLAN10 → Switch → Router → Switch → VLAN20 │
│ Problem: All inter-VLAN traffic traverses single link twice │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Drawbacks: Bandwidth bottleneck on trunk link; latency through router; single point of failure.
Method 2: Multilayer Switch with SVIs (Modern Standard)
The multilayer switch handles all inter-VLAN routing internally:
┌─────────────────────────────────────────────────────────────────────────────┐
│ MLS WITH SVIs │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────────────────────────────────────────────────────────────┐ │
│ │ MULTILAYER SWITCH │ │
│ │ │ │
│ │ ip routing ◄── Enable Layer 3 forwarding │ │
│ │ │ │
│ │ interface Vlan10 │ │
│ │ ip address 192.168.10.1 255.255.255.0 │ │
│ │ │ │
│ │ interface Vlan20 │ │
│ │ ip address 192.168.20.1 255.255.255.0 │ │
│ │ │ │
│ │ Traffic Flow (VLAN 10 → VLAN 20): │ │
│ │ ┌───────────────────────────────────────────────────────────────┐ │ │
│ │ │ │ │ │
│ │ │ [PC in VLAN10] ──► [SVI 10] ──► Routing ──► [SVI 20] ──► │ │ │
│ │ │ │ Engine │ │ │ │
│ │ │ └─────────────────────────────────────┘ │ │ │
│ │ │ ALL WITHIN SWITCH │ │ │
│ │ │ NO EXTERNAL HOPS │ │ │
│ │ │ WIRE SPEED │ │ │
│ │ └───────────────────────────────────────────────────────────────┘ │ │
│ │ │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ ┌─────────┬─────────┐ │
│ │ │ │ │
│ Access Port Access Port Access Port │
│ VLAN 10 VLAN 10 VLAN 20 │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Advantages: Full fabric bandwidth for inter-VLAN traffic; wire-speed routing; single device to manage.
| Method | Performance | Complexity | Cost | Use Case |
|---|---|---|---|---|
| Router-on-a-Stick | Limited by trunk link | Moderate | Lower (uses existing router) | Small networks, legacy |
| MLS with SVIs | Wire speed | Low | Switch cost | Most modern deployments |
| External Firewall | Firewall dependent | Higher | Higher | When inspection required |
On Cisco multilayer switches, Layer 3 routing between SVIs is disabled by default. The global command 'ip routing' enables the routing function. Without it, SVIs exist but the switch won't forward packets between them.
Multilayer switches fully support dynamic routing protocols, enabling them to participate in enterprise routing as core or distribution devices.
Supported Routing Protocols:
Example: OSPF on a Multilayer Switch
┌─────────────────────────────────────────────────────────────────────────────┐
│ MLS OSPF CONFIGURATION │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ! Enable routing │
│ ip routing │
│ │
│ ! Configure OSPF │
│ router ospf 1 │
│ router-id 10.0.0.1 │
│ network 192.168.10.0 0.0.0.255 area 0 │
│ network 192.168.20.0 0.0.0.255 area 0 │
│ network 10.0.0.0 0.0.0.255 area 0 │
│ │
│ ! SVIs participate in OSPF │
│ interface Vlan10 │
│ ip address 192.168.10.1 255.255.255.0 │
│ ip ospf 1 area 0 ◄── Explicit area assignment │
│ │
│ ! Routed uplink to core │
│ interface GigabitEthernet0/1 │
│ no switchport │
│ ip address 10.0.0.1 255.255.255.252 │
│ ip ospf 1 area 0 │
│ ip ospf network point-to-point ◄── Optimizes adjacency │
│ │
│ Resulting routing table: │
│ C 192.168.10.0/24 directly connected, Vlan10 │
│ C 192.168.20.0/24 directly connected, Vlan20 │
│ C 10.0.0.0/30 directly connected, GigabitEthernet0/1 │
│ O 172.16.0.0/16 [110/11] via 10.0.0.2, GigabitEthernet0/1 │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Routing Table Capacity:
Multilayer switches have finite TCAM space for routing entries:
| Switch Tier | Typical Route Capacity | Use Case |
|---|---|---|
| Access/Edge | 4K-16K routes | Local subnets, default route |
| Distribution | 16K-64K routes | Campus routing, summarization |
| Core/DC | 128K-1M+ routes | Full internet table, data center fabric |
Important: Unlike software routers that can use RAM for routing tables, MLS route capacity is limited by TCAM. Exceeding capacity causes routes to be software-forwarded (slow) or dropped.
Design implications:
If a switch's TCAM fills completely, new routes may be installed in software (slow forwarding) or dropped entirely. Monitor TCAM usage with 'show hardware tcam' or equivalent commands. Design networks to keep TCAM usage well below capacity.
Modern multilayer switches include many advanced features that blur the line between switch, router, and security appliance.
Hardware-Based ACLs:
ACLs applied in hardware at wire speed:
┌─────────────────────────────────────────────────────────────────────────────┐
│ HARDWARE ACL PROCESSING │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ! Define ACL │
│ ip access-list extended BLOCK-TELNET │
│ deny tcp any any eq 23 │
│ permit ip any any │
│ │
│ ! Apply to interface (or VLAN) │
│ interface Vlan10 │
│ ip access-group BLOCK-TELNET in │
│ │
│ Processing: │
│ 1. ACL compiled into TCAM entries │
│ 2. Every packet checked against TCAM at ingress │
│ 3. Permit/deny decision made in hardware │
│ 4. No CPU involvement for matching traffic │
│ 5. Line-rate filtering with no performance impact │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
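To make the "ACL compiled into TCAM entries" step concrete, here is an added Python model (not code from the page or from any vendor) that turns each access-control entry into a ternary value/mask pair and resolves a packet against the entries in configured order, the way a TCAM returns the lowest-index hit. The BLOCK-TELNET rules are the ones shown above; the key layout, the packet samples and the explicit handling of the implicit final deny are the model's own assumptions.

```python
# Added model of ACL-to-TCAM compilation and lookup (illustrative; not vendor code).
from ipaddress import ip_address, ip_network

PROTO = {"ip": 0, "tcp": 6, "udp": 17}        # "ip" matches any protocol

# Constructed ACL mirroring the BLOCK-TELNET example above:
#   deny tcp any any eq 23 / permit ip any any
BLOCK_TELNET = [
    ("deny", "tcp", "any", "any", 23),
    ("permit", "ip", "any", "any"),
]


def pack(proto, src, dst, dport):
    """Lay the match fields out as one key: proto(8) | src(32) | dst(32) | dport(16)."""
    return (proto << 80) | (src << 48) | (dst << 16) | dport


def compile_ace(action, proto, src, dst, dport=None):
    """Turn one ACE into a ternary entry: (value, mask, action).

    Bits set in mask must match; bits clear are 'don't care'.  'any' becomes
    an all-zero mask, and a missing port leaves the port bits unmasked.
    """
    srcn = ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
    dstn = ip_network("0.0.0.0/0" if dst == "any" else dst, strict=False)
    pmask = 0 if proto == "ip" else 0xFF
    value = pack(PROTO[proto], int(srcn.network_address),
                 int(dstn.network_address), dport or 0)
    mask = pack(pmask, int(srcn.netmask), int(dstn.netmask),
                0xFFFF if dport is not None else 0)
    return (value & mask, mask, action)


def compile_acl(aces):
    """ACEs keep their configured order; the implicit 'deny ip any any' is appended."""
    entries = [compile_ace(*ace) for ace in aces]
    entries.append(compile_ace("deny", "ip", "any", "any"))
    return entries


def tcam_lookup(entries, proto, src, dst, dport):
    """Return the action for a packet.  Hardware compares every entry in
    parallel and takes the lowest-index hit; the loop models that priority."""
    key = pack(PROTO[proto], int(ip_address(src)), int(ip_address(dst)), dport)
    for value, mask, action in entries:
        if key & mask == value:
            return action
    raise RuntimeError("unreachable: the implicit deny matches everything")


if __name__ == "__main__":
    tcam = compile_acl(BLOCK_TELNET)
    print(len(tcam), "TCAM entries")
    print(tcam_lookup(tcam, "tcp", "192.168.10.5", "10.0.0.7", 23))   # deny
    print(tcam_lookup(tcam, "tcp", "192.168.10.5", "10.0.0.7", 22))   # permit
```

Real ASICs must expand an ACE that matches a port range into several ternary entries (or use dedicated range-compare logic), which is why long ACLs with many ranges consume TCAM far faster than the number of configured lines suggests.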
Quality of Service (QoS):
MLS can classify, mark, queue, and police traffic:
Policy-Based Routing (PBR):
Route traffic based on criteria beyond destination IP:
┌─────────────────────────────────────────────────────────────────────────────┐
│ POLICY-BASED ROUTING │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ! Match traffic from guest VLAN │
│ route-map GUEST-POLICY permit 10 │
│ match ip address GUEST-TRAFFIC │
│ set ip next-hop 10.0.0.254 ◄── Force through firewall │
│ │
│ ! Apply to VLAN interface │
│ interface Vlan999 │
│ ip policy route-map GUEST-POLICY │
│ │
│ Result: Guest traffic always goes through firewall │
│ Employee traffic uses normal routing │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
First-Hop Redundancy Protocols (FHRP):
Multilayer switches support HSRP, VRRP, and GLBP for gateway redundancy:
Modern enterprise multilayer switches are comprehensive platforms that replace multiple device types. A single MLS can serve as access switch, distribution router, gateway, ACL enforcement point, QoS engine, and monitoring source—all in one device, all at wire speed.
Deploying multilayer switches effectively requires understanding best practices for configuration and architecture.
1. Enable Routing Deliberately
Don't enable routing on every switch. Consider the design:
┌─────────────────────────────────────────────────────────────────────────────┐
│ ROUTING PLACEMENT DECISION │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ACCESS LAYER: │
│ - Usually Layer 2 only (no ip routing) │
│ - VLANs trunked to distribution │
│ - Simpler, lower cost switches possible │
│ │
│ DISTRIBUTION LAYER: │
│ - Enable routing (ip routing) │
│ - SVIs for each VLAN from access layer │
│ - Default gateway for end devices │
│ - ACLs, QoS, policy enforcement │
│ │
│ CORE LAYER: │
│ - Routed ports only (no switchports) │
│ - Pure Layer 3 switching │
│ - No VLANs traversing core │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Alternative: Routed Access
┌─────────────────────────────────────────────────────────────────────────────┐
│ ROUTED ACCESS DESIGN │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ACCESS LAYER (each switch): │
│ - Enable routing │
│ - /24 subnet per closet │
│ - Routed uplinks (no trunks) │
│ - OSPF/BGP to distribution │
│ │
│ Benefits: │
│ - No spanning tree in uplinks │
│ - ECMP to distribution │
│ - Local default gateway (low latency) │
│ - Failure contained to single switch │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
2. VLAN and SVI Design
3. Uplink Design
| Uplink Type | When to Use | Configuration |
|---|---|---|
| Trunk | Access to distribution (L2) | switchport mode trunk |
| Routed | Distribution to core (L3) | no switchport; ip address |
| Routed | Core to core (L3) | no switchport; ip address |
| Port-channel | Any (redundancy) | EtherChannel + above mode |
4. Redundancy Considerations
Route if you can, switch if you must. Modern best practice pushes Layer 3 as close to the edge as practical. Large Layer 2 domains create more problems (STP complexity, broadcast storms, troubleshooting difficulty) than they solve. Use VLANs for local segmentation; use routing between closets and buildings.
This page concludes our exploration of multilayer switches—devices that have fundamentally changed network design by combining switching and routing in a single, high-performance platform.
Across five comprehensive pages, we have explored the fundamental distinction between Layer 2 and Layer 3 networking devices:
You now possess comprehensive knowledge of switches, routers, and multilayer switches. You understand their architectures, operations, and optimal use cases. This knowledge forms the foundation for designing networks that are scalable, secure, and efficient—from small offices to global data centers.