jcooper
5 posts

As best I can tell, we can accomplish the same thing by having an SVI for each VLAN on a trunk, or we can just use subinterfaces.

I like the flexibility of SVIs so that I can add ports to the VLAN, but I'm wondering if there are disadvantages. Why would you need to use subinterfaces on an L3 switch?

laith43d
109 posts

The same reason that makes you create subinterfaces on a router will make you create a subinterface on a routed interface on a switch.

Well, here is a scenario: you want to route traffic for 2 different subnets or VLANs from 4500 to 4500 switches over a regular layer 2 switch. You have to create subinterfaces, since an SVI supports one VLAN per interface, whereas you want two VLANs on a single interface.

jcooper
5 posts

I've never had a problem creating an SVI for every VLAN on a trunk port. Using an L3 subinterface limits the VLAN to just that one port, whereas the SVI gives me the flexibility to extend that VLAN out to other ports.

Could it be that some hardware or IOS limits the number of SVIs per interface? I'm used to seeing this on 6500s and 3750s, and I've never run into a limit on the number of SVIs.

Are there any performance differences when using a bunch of SVIs versus subinterfaces?

laith43d
109 posts

Well, one of the reasons is security: when using trunk ports with SVIs you have to create some sort of filtering mechanism along with them, while using subinterfaces by nature eliminates that.

Frankly, it is a habit; use what you are comfortable with, but know them both. Some rare scenarios will force you to use one of them; perhaps the network designer will require that without mentioning the reason.

Personally, I prefer subinterfaces, for their similarity with routers.

jcooper
5 posts

I think a lot of what I'm seeing is coming from legacy hybrid CatOS/IOS Sup1 configurations. When they upgraded to Sup720, the SVIs were just copied over, and all the interfaces are just configured as L2 switchports that were translated from CatOS.

I'm wondering if it's worth the effort to bother changing to subinterfaces where I can. What kind of security issues do the SVIs raise? What filtering mechanisms are you referencing? I don't think we have anything like that implemented.

Thanks!

laith43d
109 posts

You will eliminate all security issues that relate to regular trunks: native VLAN issues, VLAN tagging security issues, DTP, VTP, allowed VLANs over trunk ports, and so on. When you use sub-interfaces, all those issues disappear without any further configuration; perhaps a minor management effort is required.

For the highest security implementations, trunk ports must not be used where possible; all layer 2 switches are mapped to a single VLAN, or multiple switches per VLAN; the default native VLAN must be changed; never use the native VLAN; you have to use routed interfaces with L3 switches where possible; separate the management domains physically where possible; the recommendation list goes on. There are a lot of recommendations that do not appear in the books; rather, you conclude them when you deal with highly experienced people working on big projects.

IIBN is one of the projects that was administered directly by the World Bank, aimed toward the highest security and availability. The project was implemented by our company under my technical supervision. Network designs were provided by a third-party company, which helped me a lot to understand way more security best practices than I have ever read, or maybe will ever read.

So I said it is more a habit/best practice than a must to use routed ports with subinterfaces instead of trunk ports with SVIs; however, from my point of view it is easier/better for me to use routed ports with subinterfaces than to use ordinary trunk ports. Perhaps you believe that the SVIs are more flexible; let it be, there is no problem at all. Performance is the same for both methods.

I will be happy to receive your feedback. Cheers.

jcooper
5 posts

OK, I see. Yes, as standard policy we always turn off DTP, use VTP transparent, and manually manage which VLANs are allowed on each trunk. We also use non-default/non-routed native VLANs.

We try to have every access switch directly connected to a pair of L3 distribution switches and typically have only one VLAN per switch, but there are cases where a VLAN needs to appear on multiple switches that aren't directly connected to each other, so we accomplish that by using SVIs on the L3 distribution switch.

Thanks again for your insight.
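
The two posts above list the controls a trunk carrying SVI VLANs is expected to have (DTP off, VTP transparent, a non-default native VLAN, an explicit allowed-VLAN list) and note that a routed port with dot1Q subinterfaces needs none of them. The script below is an added example, not code from this thread or from Cisco: it audits an IOS-style configuration text for exactly those controls. The sample configuration is constructed for the example; interface names, VLAN numbers and addresses are hypothetical, and it deliberately contains a hardened trunk, a legacy trunk with nothing configured, and a routed port with two subinterfaces so the difference is visible in the output.

```python
"""Audit an IOS-style config for the trunk-port controls named in the thread.
Routed ports, dot1Q subinterfaces and SVIs are reported as out of scope."""
import re
from typing import Dict, List, Tuple

# Constructed sample config for a hypothetical L3 switch; interface names,
# VLAN numbers and addresses are invented for this example.
SAMPLE_CONFIG = """\
vtp mode transparent
!
interface GigabitEthernet1/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/2
 switchport mode trunk
!
interface GigabitEthernet1/3
 no switchport
!
interface GigabitEthernet1/3.10
 encapsulation dot1Q 10
 ip address 10.9.10.1 255.255.255.252
!
interface GigabitEthernet1/3.20
 encapsulation dot1Q 20
 ip address 10.9.20.1 255.255.255.252
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped sub-commands]} for every interface stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level command ends the stanza
    return stanzas


def classify(name: str, lines: List[str]) -> str:
    """Label the port the way the thread distinguishes them."""
    if name.lower().startswith("vlan"):
        return "svi"
    if "." in name:
        return "subinterface"
    if "no switchport" in lines:
        return "routed"
    return "trunk" if "switchport mode trunk" in lines else "other"


def trunk_findings(lines: List[str]) -> List[str]:
    """Controls a trunk carrying SVI VLANs should have; each miss is a finding."""
    findings: List[str] = []
    if "switchport nonegotiate" not in lines:
        findings.append("DTP not disabled (missing 'switchport nonegotiate')")
    m = re.search(r"^switchport trunk native vlan (\d+)$", "\n".join(lines), re.M)
    native = int(m.group(1)) if m else 1  # IOS default native VLAN is 1
    if native == 1:
        findings.append("native VLAN left at default VLAN 1")
    if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
        findings.append("no allowed-VLAN list (every VLAN rides the trunk)")
    return findings


def audit(config: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map each interface (plus a 'global' entry for VTP) to (kind, findings)."""
    report: Dict[str, Tuple[str, List[str]]] = {}
    vtp_ok = re.search(r"^vtp mode (transparent|off)\s*$", config, re.M) is not None
    report["global"] = ("vtp", [] if vtp_ok else ["VTP not transparent/off"])
    for name, lines in parse_interfaces(config).items():
        kind = classify(name, lines)
        report[name] = (kind, trunk_findings(lines) if kind == "trunk" else [])
    return report


if __name__ == "__main__":
    for name, (kind, findings) in audit(SAMPLE_CONFIG).items():
        print(f"{name:24} {kind:13} {'; '.join(findings) or 'ok'}")
```

Run against the sample, the hardened trunk and every routed, subinterface and SVI entry come back clean, while the legacy trunk GigabitEthernet1/2 reports all three missing controls. Feeding it the output of `show running-config` from a real device works the same way, since the parser only relies on the stanza indentation IOS uses.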

luismg
128 posts

An SVI gives you more processing power than physical interfaces. On most L3 switches, interfaces are managed four by four by a single chip, so if you make one interface work hard, the next three interfaces are not having fun. If you do the same with an SVI, the switch backplane is doing the work, so the physical interfaces can switch fast; they are less busy.

Kind regards
