Is Layer-3 Switch More than a Router?
Very short answer: no.
You might think that layer-3 switches perform bridging and routing, while routers do only routing. That hasn’t been the case at least since Cisco introduced Integrated Routing and Bridging in IOS release 11.2 more than 15 years ago. However, Simon Gordon raised an interesting point in a tweet: “I thought IP L3 switching includes switching within subnet based on IP address, routing is between subnets only.”
Layer-3 switches and routers definitely have to perform some intra-subnet layer-3 functions, but they’re usually not performing any intra-subnet L3 forwarding.
Let’s start with the intra-subnet functions the layer-3 forwarding devices (whether you call them switches or routers) do:
- Dynamic neighbor discovery through ARP/ND for packets sent to hosts in directly attached subnets (glean adjacencies in CEF terminology);
- Generation of host routes based on ARP/ND results (cached adjacencies in CEF terminology);
- Forwarding of IP packet to directly attached IP hosts based on ARP/ND-generated host routes.
However, if a layer-3 forwarding device performs MAC-based forwarding in combination with IP-based forwarding, it usually uses the destination MAC address to figure out which forwarding method to use:
- Layer-2 frames sent to router’s own MAC address are passed up the protocol stack into the IP forwarding code (and if the IP packet is sent to router’s IP address, the packet is sent to the control plane for further processing);
- Layer-2 frames sent to other destination MAC addresses are passed to MAC forwarding code, which performs MAC address table (or TCAM) lookup and forwards, floods or drops the packet.
I haven’t seen a device (yet) that would use IP protocol type (0x0800) in Ethernet header to decide whether to use MAC-based or IP-based forwarding. If you’ve seen one, please write a comment (overzealous DSL concentrators that violate layering by peeking inside PPPoE sessions don’t count).
Summary: There’s no difference in intra-subnet (intra-VLAN) forwarding between a router (layer-3 switch) and a simple bridge (layer-2 switch). However, an IP-aware device (even a more sophisticated layer-2 switch) might support IP-based port access lists or DSCP- or ACL-based QoS.
Layer-2 and Layer-3 interfaces
Some switches have physical layer-2 and layer-3 interfaces. Layer-2 interfaces behave as I described above, with the internal router being connected with one of its interfaces (example: VLAN or SVI interface) to the internal bridge:
Physical layer-3 interfaces connect directly to the internal router. If a physical layer-3 interface receives an Ethernet frame sent to a third party MAC address, the frame is dropped.
Some switches (example: Catalyst 6500) use hidden VLANs to implement layer-3 interfaces. You might think that detail doesn’t matter ... until you run out of VLANs.
Finally, some devices have layer-3 subinterfaces. These interfaces modify the frame forwarding rules on per-VLAN basis: if the parent physical interface receives an Ethernet frame belonging to the subinterface VLAN, the router uses the IP forwarding path (and drops the Ethernet frame on destination MAC mismatch), whereas the destination MAC address selects the forwarding method (L2 or L3) used for frames belonging to other VLANs.
The diagrams used in this post are part of the Data Center 3.0 for Networking Engineers webinar. If you’re interested in modern data center switching solutions, that webinar would be a great place to start, with Data Center Fabric Architectures and Clos Fabrics Explained webinars providing further details. All three webinars are part of the yearly subscription.
If you’d like to discuss various technology options or have a short review of your data center network design, check out the ExpertExpress service.
Brouter;) Remember that one?
Fabswrout - fabric-switch-router;)
Most (not all) switches cannot handle an OC3.
And routing protocol support on some cheaper L3 switches, or products like Brocade's latest ICX where the base L3 package includes only RIP and OSPF, and you need the advanced L3 package to get BGP.
So are they switches?
The only time a transit LSR tries to figure out the payload type is when it's trying to send ICMP TTL exceeded.
Now, if the control plane takes a hit and crashes due to a bug, a router crashes and goes offline or reboots. However, a switch can start flooding in some sort of 'hub-mode' if the data plane is still working. It means that any frame (data, CDP, BPDU) entering one ports exits all other ports, whether these ports where part of the same VLAN, a trunk, another VLAN access port, or a layer 3 port. It just floods.
In other words: a layer 3 switch can become a layer 1 failure domain, regardless of the design of the higher layers. I have yet to see that happen to a router.