In modern enterprise networks, the boundary between routing and switching has blurred. Layer 3 switching is the technology that allows a switch to forward packets at near wire speed by performing routing in hardware. For the CCNA 200-301 exam (Objective 3.1: Layer 3 Switching), you must understand how a multilayer switch (MLS) makes forwarding decisions, the difference between routed ports and switched virtual interfaces (SVIs), and the critical role of the Ternary Content-Addressable Memory (TCAM). Mastering this topic is essential for designing efficient campus networks.
Imagine a large city with a grid of local streets and a network of expressways. Cars (data packets) need to get from one neighborhood (subnet) to another. A traditional router is like a traffic cop at every intersection—each car must stop, the cop checks a map (routing table), and then directs the car. This works, but it’s slow, especially during rush hour. A Layer 3 switch is like an expressway on-ramp with an automated toll system. When a car first enters the expressway, it passes through a toll booth that reads its license plate and destination, looks up the route in a high-speed database (the routing table), and issues a fast-pass tag (the rewrite information). After that, every subsequent car from the same source to the same destination can whiz through without stopping—the toll system recognizes the tag and simply opens the gate. In networking terms, the first packet is routed by the CPU (the toll booth), which programs the hardware (TCAM) with a shortcut (adjacency entry). Subsequent packets are switched in hardware at wire speed. The local streets represent the Layer 2 switching fabric within a VLAN, where no routing is needed. The expressways represent the Layer 3 forwarding between VLANs. The key insight is that the toll booth (CPU) is only involved for the first packet; after that, the hardware takes over, just like the fast-pass lane bypasses the manual check.
What is Layer 3 Switching and Why Does It Exist?
A Layer 3 switch (multilayer switch) is a device that can perform both Layer 2 switching and Layer 3 routing in hardware. Traditional routers use a CPU to process every packet, which limits throughput. Layer 3 switches use Application-Specific Integrated Circuits (ASICs) and a specialized memory called TCAM to forward packets at line rate. The primary reason for Layer 3 switching is performance: it allows inter-VLAN routing without the bottleneck of a router-on-a-stick configuration. In a typical campus network, a Layer 3 switch acts as the default gateway for multiple VLANs, routing traffic between them at wire speed.
How It Works: Packet Flow Step by Step
When a host in VLAN 10 wants to send a packet to a host in VLAN 20, the following occurs:
1. Host A (VLAN 10) sends an ARP request for its default gateway IP (the SVI of VLAN 10 on the MLS). The MLS responds with its MAC address.
2. Host A sends the IP packet with destination IP of Host B, destination MAC of the MLS SVI (VLAN 10), source MAC of Host A.
3. The MLS receives the frame on an access port in VLAN 10. The switch performs a Layer 2 lookup: the destination MAC is its own SVI MAC, so it decapsulates the frame to extract the IP packet.
4. The MLS performs a Layer 3 lookup in the routing table for the destination IP. This is done by the CPU (or hardware if a flow is already cached). The routing table indicates the next-hop IP (if any) and the outgoing interface (VLAN 20 SVI).
5. The MLS performs an ARP lookup for the next-hop IP (or directly for Host B if it's on the same VLAN). It finds the MAC address in the ARP table (or sends an ARP request).
6. The MLS rewrites the frame: source MAC becomes the SVI MAC of VLAN 20, destination MAC becomes Host B's MAC. The TTL is decremented, and the IP checksum is recalculated.
7. The MLS forwards the frame out of the port in VLAN 20 to Host B.
For subsequent packets in the same flow, the MLS uses a hardware entry in the TCAM (FIB and adjacency tables) to bypass the CPU, achieving wire-speed forwarding.
Key Components: FIB, Adjacency Table, and TCAM
FIB (Forwarding Information Base): Derived from the routing table, optimized for hardware lookup. Contains destination prefixes and next-hop information.
Adjacency Table: Contains Layer 2 rewrite information for each next-hop (MAC address, outgoing interface).
TCAM (Ternary Content-Addressable Memory): A specialized high-speed memory that stores FIB entries and allows parallel lookups. It uses three states: 0, 1, and don't care (wildcard). This enables longest-prefix matching in hardware.
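The lookup and rewrite described above can be modelled in a few lines. This is an added example, not code from the original page: the table contents, MAC addresses and function names are constructed for illustration, and the model covers only the hardware path (ternary longest-prefix match, adjacency rewrite, TTL decrement, checksum recalculation).

```python
import ipaddress
import struct

# Constructed FIB: prefix -> (next hop, or None if directly connected; egress interface).
FIB = {
    "0.0.0.0/0": ("10.0.0.2", "Gi0/1"),
    "10.1.1.0/24": ("10.0.0.2", "Gi0/1"),
    "192.168.10.0/24": (None, "Vlan10"),
    "192.168.20.0/24": (None, "Vlan20"),
}
# Constructed adjacency table: (egress, next-hop IP) -> (source MAC, destination MAC).
ADJ = {
    ("Vlan20", "192.168.20.50"): ("00:00:5e:00:53:14", "00:00:5e:00:53:b0"),
    ("Gi0/1", "10.0.0.2"): ("00:00:5e:00:53:01", "00:00:5e:00:53:02"),
}

def tcam_row(prefix):
    """Encode a prefix as a ternary (value, mask) row; 0 bits in the mask are 'don't care'."""
    net = ipaddress.ip_network(prefix)
    return int(net.network_address), int(net.netmask), prefix

# A TCAM returns the first matching row, so rows are ordered longest mask first.
TCAM = sorted(map(tcam_row, FIB), key=lambda row: row[1], reverse=True)

def fib_lookup(dst):
    """Longest-prefix match: first row whose value equals the key under its mask."""
    key = int(ipaddress.ip_address(dst))
    return next((p for value, mask, p in TCAM if key & mask == value), None)

def checksum(header):
    """RFC 1071 ones' complement checksum over the header's 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def forward(header):
    """Return (egress, src MAC, dst MAC, rewritten header), or None when not forwardable."""
    hdr = bytearray(header)
    dst = str(ipaddress.ip_address(bytes(hdr[16:20])))
    next_hop, egress = FIB.get(fib_lookup(dst), (None, None))
    adj = ADJ.get((egress, next_hop or dst))
    if adj is None or hdr[8] <= 1:
        return None  # no route, no resolved adjacency, or TTL expired
    hdr[8] -= 1                   # decrement TTL
    hdr[10:12] = b"\x00\x00"      # zero the checksum field, then recompute it
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return egress, adj[0], adj[1], bytes(hdr)

def make_header(src, dst, ttl=64):
    """Build a constructed 20-byte IPv4 header (no options) with a valid checksum."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]
```

A `None` result stands for the cases a real switch would hand to the CPU (ARP resolution, TTL expiry) instead of forwarding in hardware.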
Types of Layer 3 Interfaces
Routed Port: A physical port configured with `no switchport` and assigned an IP address. Behaves like a router interface. It is not associated with any VLAN.
SVI (Switch Virtual Interface): A logical interface associated with a VLAN. Created with `interface vlan <vlan-id>`. Acts as the default gateway for hosts in that VLAN. Multiple SVIs can be created, one per VLAN.
Layer 3 EtherChannel: A bundle of routed ports or SVIs aggregated for redundancy and bandwidth.
Configuration Example
```
! Create VLANs
vlan 10
 name Sales
vlan 20
 name Engineering
! Create SVIs
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
! Enable IP routing
ip routing
! Configure routed port
interface gigabitethernet0/1
 no switchport
 ip address 10.0.0.1 255.255.255.252
 no shutdown
```
Verification Commands
show ip route – Displays the routing table.
show ip interface brief – Shows IP addresses and status of Layer 3 interfaces.
show interfaces vlan <id> – Shows SVI statistics and status.
show ip arp – Displays the ARP table.
show platform tcam – Displays TCAM utilization (platform-specific).
show ip cef – Shows the CEF (Cisco Express Forwarding) FIB table.
show adjacency detail – Shows adjacency entries with rewrite information.
Example output for show ip route:
```
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override
Gateway of last resort is 10.0.0.2 to network 0.0.0.0
O 10.1.1.0/24 [110/2] via 10.0.0.2, 00:00:10, GigabitEthernet0/1
C 10.0.0.0/30 is directly connected, GigabitEthernet0/1
L 10.0.0.1/32 is directly connected, GigabitEthernet0/1
C 192.168.10.0/24 is directly connected, Vlan10
L 192.168.10.1/32 is directly connected, Vlan10
C 192.168.20.0/24 is directly connected, Vlan20
L 192.168.20.1/32 is directly connected, Vlan20
```
Interaction with Related Protocols
VLAN Trunking (802.1Q): SVIs can route between VLANs that are trunked to the switch. The SVI is associated with a VLAN, not a physical port.
Routing Protocols: Layer 3 switches run OSPF, EIGRP, etc., just like routers. The SVIs and routed ports participate in routing updates.
STP: Layer 3 interfaces are not affected by Spanning Tree; only Layer 2 interfaces are. SVIs are logical interfaces and do not run STP themselves, but the VLAN they belong to may have STP active on its Layer 2 ports.
HSRP/VRRP: SVIs can be used as the virtual IP for First Hop Redundancy Protocols, providing gateway redundancy.
Enable IP Routing Globally
On a multilayer switch, IP routing is disabled by default. To enable it, use the global configuration command `ip routing`. This activates the routing engine and allows the switch to forward packets between VLANs. Without this command, the switch operates as a pure Layer 2 switch. Verify with `show ip route`: without `ip routing`, the output will be empty (except possibly for directly connected interfaces if SVIs are up, and with no dynamic routes).
Create VLANs and SVIs
First, create the VLANs that need to be routed. Use `vlan <vlan-id>` in global config. Then create an SVI for each VLAN using `interface vlan <vlan-id>`. Assign an IP address to the SVI with `ip address <ip> <mask>`. This SVI will serve as the default gateway for hosts in that VLAN. Bring the interface up with `no shutdown`. Note: The SVI will only come up if at least one Layer 2 port in that VLAN is up (access or trunk).
Configure Layer 2 Ports in the VLANs
Assign switch ports to the appropriate VLANs. For access ports, use `switchport mode access` and `switchport access vlan <vlan-id>`. For trunk ports, use `switchport mode trunk`. This ensures that hosts can communicate with the SVI. Without this step, the SVI may remain down (if no ports are active in the VLAN). Verify with `show vlan brief` to see which ports are in which VLAN.
Configure a Routed Port (Optional)
To connect to another router or upstream Layer 3 switch, configure a physical port as a routed port. Enter interface configuration mode and use `no switchport`. Then assign an IP address. This removes the Layer 2 functionality and makes the port behave like a router interface. Routed ports are often used for WAN connections or uplinks to the core. Verify with `show ip interface brief` – the port will appear with an IP address and status up/up.
Verify Layer 3 Forwarding
After configuration, verify inter-VLAN routing by pinging from a host in one VLAN to a host in another. On the switch, use `show ip route` to confirm that the SVIs are in the routing table as directly connected networks. Use `show ip arp` to see MAC addresses of hosts. Use `show adjacency` to see hardware rewrite entries. If pings fail, check that SVIs are up, IP addresses are correct, and host default gateways point to the SVI IP.
Troubleshoot Common Issues
Common problems: (1) SVI is down – ensure at least one Layer 2 port in that VLAN is up. (2) Hosts cannot ping gateway – check VLAN assignment and trunking. (3) Routing between VLANs fails – verify `ip routing` is enabled and there are no ACLs blocking traffic. (4) Performance issues – check TCAM utilization with `show platform tcam` (if available). If TCAM is full, the switch may punt packets to the CPU, causing slowdowns.
In a typical campus network, the distribution layer switches are often Layer 3 switches that provide inter-VLAN routing for multiple access switches. For example, a university might have separate VLANs for students, faculty, and administration. The distribution switch (e.g., Cisco Catalyst 9300) runs OSPF to exchange routes with the core, and each SVI acts as the default gateway for its respective VLAN. This design eliminates the need for a separate router, saving cost and reducing latency.
Another common scenario is the collapsed core architecture, where a single Layer 3 switch (or a pair in a stack) performs both routing and switching for the entire building. This is typical in small to medium-sized enterprises. The switch has multiple SVIs for different departments and a routed port connecting to the WAN router. The network engineer must ensure that the TCAM is sized appropriately for the number of routes and adjacencies. For a campus with 100 VLANs and a full BGP table, the TCAM may need to be upgraded (via license) to handle the load.
Misconfiguration can lead to serious issues. For example, if an SVI is accidentally placed in the wrong VLAN, hosts may lose connectivity. If `ip routing` is not enabled, the switch will not route between VLANs, and all inter-VLAN traffic will be dropped. Another common mistake is forgetting to configure `no switchport` on a routed port, leaving it as a Layer 2 port and causing routing failures. In production, network engineers use `show ip route` and `show ip interface brief` as the first troubleshooting steps. They also monitor TCAM utilization to prevent hardware forwarding failures. When upgrading to a new switch model, verifying TCAM capacity is critical because some lower-end switches have limited TCAM for IPv4 routes.
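The misconfigurations named above can be caught by linting candidate configuration text before it is deployed. The following is an added example, not part of the original page or any Cisco tool: the parser assumes IOS-style indentation (one leading space inside a section), and the `GOOD` and `BAD` configurations are constructed from the page's own example.

```python
import re

def parse_config(text):
    """Split IOS-style config into global lines and indented per-section bodies."""
    global_lines, sections, body = [], {}, None
    for raw in text.lower().splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw.startswith(" ") and body is not None:
            body.append(raw.strip())
        elif re.match(r"(interface|vlan) ", raw):
            body = sections.setdefault(" ".join(raw.split()), [])
        else:
            body = None
            global_lines.append(" ".join(raw.split()))
    return global_lines, sections

def audit(text):
    """Return findings for the misconfigurations described in the section."""
    global_lines, sections = parse_config(text)
    findings = []
    if "ip routing" not in global_lines:
        findings.append("global: 'ip routing' missing, inter-VLAN traffic will not be routed")
    vlans = {name.split()[1] for name in sections if name.startswith("vlan ")}
    for name, body in sections.items():
        if not name.startswith("interface "):
            continue
        has_ip = any(line.startswith("ip address ") for line in body)
        svi = re.fullmatch(r"interface vlan ?(\d+)", name)
        if svi and svi.group(1) not in vlans:
            findings.append(f"{name}: VLAN {svi.group(1)} is not defined")
        if svi and not has_ip:
            findings.append(f"{name}: SVI has no IP address")
        if not svi and has_ip and "no switchport" not in body:
            findings.append(f"{name}: IP address without 'no switchport'")
        if not svi and "no switchport" in body and any(l.startswith("switchport ") for l in body):
            findings.append(f"{name}: routed port also carries Layer 2 switchport commands")
    return findings

# Constructed candidate configs: GOOD follows the page's example, BAD has three of its mistakes.
GOOD = """
vlan 10
vlan 20
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
ip routing
interface gigabitethernet0/1
 no switchport
 ip address 10.0.0.1 255.255.255.252
"""
BAD = GOOD.replace("ip routing\n", "").replace("vlan 20\n", "", 1).replace(" no switchport\n", "")
```

`audit(GOOD)` returns an empty list; `audit(BAD)` reports the missing `ip routing`, the SVI for an undefined VLAN, and the uplink that still lacks `no switchport`.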
For CCNA 200-301 Objective 3.1 (Layer 3 Switching), you must know:
The difference between a routed port and an SVI.
The command `ip routing` must be enabled for inter-VLAN routing.
SVIs require at least one active Layer 2 port in the VLAN to come up.
Routed ports are configured with `no switchport`.
The concept of CEF (Cisco Express Forwarding) and that it is enabled by default.
The role of TCAM in hardware forwarding.
Common wrong answers on the exam:
1. "A Layer 3 switch can route without enabling IP routing." – WRONG. Without `ip routing`, the switch acts as a Layer 2 device.
2. "SVIs can route between VLANs without any Layer 2 ports." – WRONG. The SVI will be down if no ports in the VLAN are up.
3. "Routed ports can be used as trunk ports." – WRONG. A routed port does not participate in trunking; it is a pure Layer 3 interface.
4. "Layer 3 switches use the CPU to forward all packets." – WRONG. They use hardware (ASIC/TCAM) for most packets; only the first packet in a flow is processed by the CPU.
Specific values and defaults:
- `ip routing` is disabled by default on Catalyst switches running IOS.
- CEF is enabled by default; no configuration needed.
- The default number of routes supported in TCAM varies by platform (e.g., Catalyst 2960-X supports 8000 IPv4 routes).
Calculation traps: There are no calculations specific to Layer 3 switching, but you may be asked to determine the number of SVIs needed based on VLANs.
Decision rule: If a question asks about inter-VLAN routing on a switch, the answer likely involves SVIs. If it involves connecting to another router, use a routed port. If the question mentions 'wire-speed routing', think of hardware forwarding via TCAM.
Layer 3 switching combines routing and switching in hardware for high performance.
Enable IP routing with `ip routing` global command.
SVIs are logical interfaces that act as default gateways for VLANs.
Routed ports are physical ports configured with `no switchport`.
CEF (Cisco Express Forwarding) is used for hardware forwarding; enabled by default.
TCAM provides parallel lookups for fast forwarding decisions.
An SVI will be down if no Layer 2 port in the VLAN is up.
These come up on the exam all the time. Here's how to tell them apart.
Routed Port
Physical interface configured with `no switchport`.
No VLAN association; acts like a router interface.
Comes up when the link is physically up.
Used for point-to-point links to routers or other Layer 3 switches.
Supports routing protocols directly.
SVI (Switch Virtual Interface)
Logical interface associated with a VLAN.
Requires at least one active Layer 2 port in the VLAN to be up.
Used as default gateway for hosts in the VLAN.
Can be used for inter-VLAN routing.
Supports routing protocols and HSRP/VRRP.
Mistake
Layer 3 switches can route between VLANs without any configuration.
Correct
You must enable `ip routing` globally and create SVIs with IP addresses. Without these, the switch operates at Layer 2 only.
Candidates assume that because the switch has 'Layer 3' in its name, routing is automatic.
Mistake
Routed ports can be used as trunk ports to carry multiple VLANs.
Correct
Routed ports are Layer 3 interfaces and do not support trunking. Trunking is a Layer 2 function. Use an SVI for inter-VLAN routing over a trunk.
Confusion between router-on-a-stick (using subinterfaces) and Layer 3 switching.
Mistake
The CPU handles all routing decisions on a Layer 3 switch.
Correct
The CPU only handles the first packet of a flow; subsequent packets are forwarded in hardware via TCAM. This is called 'route once, switch many'.
Candidates think of traditional routers where the CPU processes every packet.
Mistake
An SVI can be up even if no ports in the VLAN are active.
Correct
The SVI's line protocol is up only if at least one Layer 2 port in the VLAN is up (access or trunk). Otherwise, the SVI remains down.
Misunderstanding of the dependency between Layer 2 and Layer 3 interfaces.
No, CEF (Cisco Express Forwarding) is enabled by default on all Cisco routers and Layer 3 switches running IOS. CEF provides the FIB and adjacency tables used for hardware forwarding. You can verify it is enabled with `show ip cef`. Disabling CEF is not recommended and would force all packets to be process-switched, severely degrading performance.
Yes, Layer 3 switches can run routing protocols such as OSPF, EIGRP, and BGP. The SVIs and routed ports participate in the routing process. You configure the routing protocol under the routing process configuration, just like on a router. For example, `router ospf 1` followed by `network` statements or `ip ospf` on interfaces.
A Layer 3 switch is optimized for high-speed packet forwarding within a LAN, using hardware ASICs and TCAM. It typically has many switch ports and supports both Layer 2 and Layer 3 functions. A router is designed for WAN connectivity, supports a wider variety of interface types (serial, T1, etc.), and often has more advanced features like NAT, VPN, and QoS. In many campus networks, Layer 3 switches replace routers for internal routing.
An SVI (Switch Virtual Interface) will remain in a down state if the VLAN it is associated with has no active Layer 2 ports. This means at least one switch port in that VLAN must be in an up/up state (access or trunk). Check `show vlan brief` to see if the VLAN has any ports assigned and if they are up. Also ensure the VLAN is not administratively down.
No. A trunk port is a Layer 2 interface that carries multiple VLANs. A routed port is a Layer 3 interface that cannot be a trunk. If you need to route between VLANs over a trunk, you must create an SVI for each VLAN. The trunk carries the VLANs, and the SVIs provide the Layer 3 gateway.
Use `show ip cef` to see the FIB table, and `show adjacency` to see hardware rewrite entries. On some platforms, `show platform tcam` shows TCAM utilization. A high number of 'punt' packets (shown in `show interface`) indicates that traffic is being processed by the CPU rather than hardware. You can also use `show ip route` to confirm that routes are installed.
TCAM (Ternary Content-Addressable Memory) is a specialized high-speed memory that stores FIB entries and ACLs. It allows parallel lookups on packet headers (e.g., destination IP) to find the best match in a single clock cycle. This enables wire-speed forwarding. Without TCAM, the switch would have to use the CPU for lookups, which is much slower.