Quick Notes - Layer 3 Switch
Layer 3 Switch (Multilayer) - Cheat Sheet
1. Base Activation
An L3 switch acts as an L2 device by default. Routing must be enabled globally.
Switch(config)# ip routing

2. Ports and IP Addressing
Two methods to configure L3 addressing:
A. SVI (Switch Virtual Interface)
Acts as the default gateway for devices within a VLAN.
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown

B. Routed Port
Converts a switch port into a physical router port (used for point-to-point links).
Switch(config)# interface g0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.0.1 255.255.255.252
Switch(config-if)# no shutdown

3. DHCP Relay Agent
Converts broadcast DHCP messages into unicast to forward them to a server on a different network.
Switch(config)# interface vlan 10
Switch(config-if)# ip helper-address 10.0.0.50

4. Default Route (Internet Access)
Defines where to send unknown traffic (e.g., towards the ISP router). (In L3, do not use ip default-gateway.)
Switch(config)# ip route 0.0.0.0 0.0.0.0 192.168.100.1

5. Security: Isolate VLANs with Internet Access
Block inter-VLAN routing with an extended ACL, while permitting all other traffic.
Create the rule:
Switch(config)# ip access-list extended ISOLATE_VLANS
! Blocks internal traffic
Switch(config-ext-nacl)# deny ip any 192.168.0.0 0.0.255.255
! Permits Internet
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit

Apply the rule (as an inbound filter on the SVI):
Switch(config)# interface vlan 10
Switch(config-if)# ip access-group ISOLATE_VLANS in
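
To check what the ISOLATE_VLANS entries match before applying them, the following added example (not part of the original cheat sheet) evaluates the ACL with first-match and wildcard-mask semantics against a few constructed flows from a VLAN 10 host. The host addresses, the VLAN 20 destination and the 8.8.8.8 destination are assumptions chosen for illustration; the ACL entries and the other addresses come from the sections above.

```python
# Added example: first-match evaluation of the ISOLATE_VLANS ACL from this page.
import ipaddress

# ACL entries copied from the cheat sheet: (action, source, destination),
# where each address is "any" or a (network, wildcard mask) pair.
ISOLATE_VLANS = [
    ("deny", "any", ("192.168.0.0", "0.0.255.255")),
    ("permit", "any", "any"),
]


def wildcard_match(addr, spec):
    """Return True if addr matches an IOS address/wildcard pair (or 'any')."""
    if spec == "any":
        return True
    network, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF  # a 0 bit in the wildcard means "must match"
    return (int(ipaddress.IPv4Address(addr)) & care) == (network & care)


def evaluate(acl, src, dst):
    """Return the action of the first matching entry; implicit deny at the end."""
    for action, src_spec, dst_spec in acl:
        if wildcard_match(src, src_spec) and wildcard_match(dst, dst_spec):
            return action
    return "deny"


# Constructed sample flows from a host in VLAN 10 (192.168.10.0/24).
# Traffic between two hosts inside VLAN 10 is switched at L2 and never
# reaches the SVI, so it is not listed here.
SAMPLE_FLOWS = [
    ("192.168.10.25", "192.168.20.7", "host in another VLAN (assumed VLAN 20)"),
    ("192.168.10.25", "192.168.10.1", "the VLAN 10 SVI address itself"),
    ("192.168.10.25", "10.0.0.50", "DHCP server behind the helper-address"),
    ("192.168.10.25", "10.0.0.2", "far end of the routed /30 link"),
    ("192.168.10.25", "8.8.8.8", "Internet destination (assumed)"),
]


def report(acl=ISOLATE_VLANS, flows=SAMPLE_FLOWS):
    """Return (destination, action, note) for every sample flow."""
    return [(dst, evaluate(acl, src, dst), note) for src, dst, note in flows]


if __name__ == "__main__":
    for dst, action, note in report():
        print(f"{action:6} -> {dst:15} {note}")
```

The result shows two things to account for when adapting the rule: the deny entry also matches the SVI's own address in 192.168.0.0/16, and destinations in 10.0.0.0/8 are not covered by it.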