A few months ago, I wrote an article explaining the benefits of a hybrid enterprise access edge design which allows for both routed and switched traffic at the access layer. Reading over some of the comments on that post, it's clear a number of readers did not understand the motivation behind such a design. This was partly my fault, as I underestimated the need for more illustrative topology diagrams. So, today I'm taking another shot at it, in an effort to both convey the idea more clearly and to address concerns raised in comments on the first post.
L2 vs L3 at the Access Edge
Legacy enterprise campus designs employ routed links only within the core and between the core and distribution layers of a network. The bottom access layer functions entirely at layer two, with VLANs extended from distribution switches down to the end hosts.
Routed SVIs (VLAN interfaces) configured on the distribution switches serve as end hosts' default gateways. This design works well enough, but does not provide true load balancing across access-distribution links due to L2 topology limitations (i.e. Spanning Tree blocking).
Then, along came multilayer switches like the Catalyst 3550 and 3560/3750, which made it possible to extend layer three functionality down to the access layer. The major benefits of such a design were the possibility of true equal cost path load-balancing across access-distribution links and faster failover times.
A third, recently developed access edge design employs virtual switches and multi-chassis link aggregation at the distribution edge. However, we'll only be looking at the first two designs mentioned in this article.
Of the two designs discussed above, the latter is generally preferred. However, many organizations find themselves bound to the layer two design in order to support legacy systems which require a contiguous L2 domain throughout large portions of the network. Examples include legacy "fat" wireless access points, security devices, HVAC sensors, and so on. In these cases, many organizations opt to implement a hybrid design which provides L2 connectivity where required and L3 connectivity where possible.
A Hybrid Approach
We can support both L2 and L3 connectivity at the access layer by implementing point-to-point links within VLANs on the access-distribution IEEE 802.1Q trunk links and relocating SVIs for the routed VLANs down to the access layer.
In the above topology, VLANs 101, 102, and 103 each terminate on their respective access switches. VLAN 5 is carried through the 802.1Q trunks up to the distribution layer where it can span multiple access switches. VLANs 10 and 11 each serve as independent point-to-point links (configured with an IPv4 /31) between the first access switch and either of the two upstream distribution switches. Both of the other access switches also have point-to-point VLANs configured to the distribution switches, for a total of six point-to-point links between the access and distribution layers.
A configuration on the leftmost access switch in the above example might look like this:
interface FastEthernet0/1
 description User Workstation
 switchport access vlan 101
 switchport mode access
!
interface FastEthernet0/2
 description Legacy L2 Access Device
 switchport access vlan 5
 switchport mode access
!
...
!
interface GigabitEthernet0/1
 description Uplink to Distribution Switch A
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,10
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Uplink to Distribution Switch B
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,11
 switchport mode trunk
!
interface Vlan10
 description Point-to-Point Subnet for Distribution Switch A
 ip address 10.0.0.2 255.255.255.254
 ipv6 address 2001:db8:0:10::2/64
!
interface Vlan11
 description Point-to-Point Subnet for Distribution Switch B
 ip address 10.0.0.4 255.255.255.254
 ipv6 address 2001:db8:0:11::2/64
!
interface Vlan101
 description User Access VLAN
 ip address 10.0.101.1 255.255.255.0
 ipv6 address 2001:db8:0:65::1/64
!
router ospf 1
 router-id 172.18.0.101
 network 0.0.0.0 0.0.0.0 area 1
VLAN 5 traffic from one access switch to another is switched into the distribution layer and back down, never leaving VLAN 5. The path from source to destination is a single hop.
Traffic from VLAN 101 to VLAN 102 is removed from the access VLAN and routed out the SVI on the access switch. From there it is routed via the point-to-point VLAN in the trunk up to the distribution switch, and via a second point-to-point link down to the access switch for VLAN 102. The path from source to destination is three hops in length.
Questions Raised in Previous Comments
Why not simply go pure L3 links to the access edge?
If you can, do it! Again, this design is intended for situations where there still exists a requirement for L2 access between points within the access layer.
How well will this scale?
If implemented properly, very well. VLAN IDs used for access layer SVIs can be reused in a standard template, such that e.g. VLAN 101 is for workstations, VLAN 102 is for wireless APs, etc. Only the IP subnets need be unique.
This design seems too complex to manage and troubleshoot.
If you can manage a layer two network and you can manage a layer three network, you can manage this design. If you can't manage either of the first two networks, it's time to hit the books or look for a new job.
Vendor X doesn't recommend this design.
That's because this isn't an ideal solution, as already stated. The ideal solution is to remove the requirement for L2 access at the edge. Network design is a compromise between the ideal and the practical, heavily in favor of the practical.
A loop within the layer two topology can still bring down the network.
Again, this solution does not try to remove the downsides of a layer two topology. It simply allows us to take advantage of the benefits of a layer three access edge where we can. To remove the STP limitations, remove the need for L2 access.
It is also worth noting that while STP runs on the point-to-point VLANs between the access and distribution layers, these links by definition cannot form a loop (misconfiguration aside): each point-to-point VLAN is allowed on exactly one uplink trunk, so there is no second path over which it could be bridged.
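The "misconfiguration aside" caveat is worth checking mechanically, since the loop-free property of the point-to-point VLANs depends entirely on the trunk allowed-VLAN lists and /31 masks in the access switch configuration shown earlier. The following Python script is an added example, not part of the original article: it parses IOS-style interface stanzas from a constructed copy of the leftmost access switch's configuration and reports any point-to-point VLAN carried on more than one uplink, any point-to-point SVI that is not a /31, and any locally terminated access VLAN that leaks onto a trunk. The VLAN roles passed to the linter ({10, 11} as point-to-point, {101} as locally terminated) are assumptions taken from the example topology.

```python
"""Lint an access-switch config written in the hybrid L2/L3 style.

Added example (not from the original article). Checks the invariants the
design relies on:
  * every point-to-point SVI uses a /31 mask;
  * each point-to-point VLAN is allowed on exactly one uplink trunk, so it
    cannot be bridged through the distribution layer into a loop;
  * locally terminated access VLANs are not carried on any trunk.
"""
import ipaddress
import re

# Constructed sample: the leftmost access switch from the article, condensed.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description User Workstation
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet0/1
 description Uplink to Distribution Switch A
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,10
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Uplink to Distribution Switch B
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,11
 switchport mode trunk
!
interface Vlan10
 description Point-to-Point Subnet for Distribution Switch A
 ip address 10.0.0.2 255.255.255.254
!
interface Vlan11
 description Point-to-Point Subnet for Distribution Switch B
 ip address 10.0.0.4 255.255.255.254
!
interface Vlan101
 description User Access VLAN
 ip address 10.0.101.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-command lines]} per stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return stanzas


def expand_vlan_list(spec):
    """Expand an IOS allowed-VLAN list: '5,10-12' -> {5, 10, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def lint_hybrid_access(config, p2p_vlans, access_vlans):
    """Return a list of violation strings; an empty list means the config is clean."""
    stanzas = parse_interfaces(config)
    problems = []
    trunks_carrying = {v: [] for v in sorted(p2p_vlans)}
    for name, lines in stanzas.items():
        if "switchport mode trunk" in lines:
            for line in lines:
                m = re.match(r"switchport trunk allowed vlan (\S+)", line)
                if not m:
                    continue
                allowed = expand_vlan_list(m.group(1))
                for v in allowed & set(p2p_vlans):
                    trunks_carrying[v].append(name)
                for v in sorted(allowed & set(access_vlans)):
                    problems.append(f"{name}: access VLAN {v} leaks onto trunk")
        m = re.match(r"Vlan(\d+)$", name)
        if m and int(m.group(1)) in p2p_vlans:
            for line in lines:
                ipm = re.match(r"ip address (\S+) (\S+)", line)
                if ipm:
                    # ip_interface accepts dotted-quad masks, e.g. 10.0.0.2/255.255.255.254
                    iface = ipaddress.ip_interface(f"{ipm.group(1)}/{ipm.group(2)}")
                    if iface.network.prefixlen != 31:
                        problems.append(f"{name}: expected /31, got /{iface.network.prefixlen}")
    for v, trunks in trunks_carrying.items():
        if len(trunks) != 1:
            problems.append(f"VLAN {v}: expected exactly one uplink, found {trunks}")
    return problems


if __name__ == "__main__":
    for p in lint_hybrid_access(SAMPLE_CONFIG, {10, 11}, {101}) or ["clean"]:
        print(p)
```

Running the script against the sample prints "clean"; adding VLAN 10 to the second uplink's allowed list, or widening a point-to-point SVI to a /30, produces a violation line for each problem. A check like this belongs in whatever pre-deployment review or template rendering step produces the per-switch configurations, because the six point-to-point links in the example topology are only loop-free as long as every allowed-VLAN list stays correct.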
Users will want to move among access blocks and keep their IP address.
Practical impediments to the roaming of wired clients aside, only the L2 VLAN(s) (VLAN 5 in the example above) would support this. Generally speaking, end users should always reside on the VLANs terminated on access layer switches. Further, it is up to your organization, not your network design, to decide on and enforce network policy.
How should VTP domains be arranged?
Unless you have a very good reason to use VTP, don't. Still, if you feel compelled to employ VTP, do so exercising the cautions you would on an all-L2 access layer design.