Layer 3 Switch Routing – Concepts, Configuration, and Best Practices

1. What Is a Layer 3 Switch?

A Layer 3 switch is a high-performance network device that combines the port density and wire-speed forwarding of a Layer 2 switch with the IP routing intelligence of a router. It makes forwarding decisions based on both MAC addresses (Layer 2) and IP addresses (Layer 3), using dedicated ASIC hardware for both operations at line rate.

The primary use case is inter-VLAN routing inside a campus or data-centre LAN — routing traffic between VLANs internally without needing an external router. Layer 3 switches also support static routes and dynamic routing protocols (OSPF, EIGRP, RIP) to exchange routes with the rest of the network.

  ┌───────────────────────────────────────────────────┐
  │              Layer 3 Switch                        │
  │                                                   │
  │  VLAN 10 ──► SVI 10 (192.168.10.1) ──┐            │
  │  VLAN 20 ──► SVI 20 (192.168.20.1) ──┤ Routing    │
  │  VLAN 30 ──► SVI 30 (192.168.30.1) ──┘ (ASIC)    │
  │                                                   │
  │  Routed Port ──► Uplink to WAN Router              │
  └───────────────────────────────────────────────────┘
            

Related pages: Router-on-a-Stick | VLANs & Trunking | Access & Trunk Ports | HSRP | VRRP & GLBP | DHCP Relay | ACL Overview

2. Layer 2 Switch vs. Layer 3 Switch vs. Router

| Feature | Layer 2 Switch | Layer 3 Switch | Router |
|---|---|---|---|
| Forwarding basis | MAC address (CAM table) | MAC address and IP address | IP address (routing table) |
| Inter-VLAN routing | Not supported — requires external router | Native via SVIs — no external device needed | Via sub-interfaces (Router-on-a-Stick) |
| Hardware forwarding | ASIC (L2 only) | ASIC (L2 & L3) | ASIC or software (model dependent) |
| Routing protocols | None | OSPF, EIGRP, RIP (BGP on high-end) | Full protocol suite incl. BGP, MPLS |
| WAN interfaces | None | Very limited or none | Full WAN support (Serial, DSL, 4G) |
| VPN / advanced security | None | Limited (ACLs) | Full (IPsec VPN, Zone-Based Firewall) |
| Port density | High (24–48+ ports typical) | High (24–48+ ports typical) | Low (4–8 LAN ports typical) |
| Best deployed at | Access layer | Distribution / core layer | WAN / Internet edge |

3. Switch Virtual Interfaces (SVIs)

An SVI (Switch Virtual Interface) is a logical Layer 3 interface created on a switch and associated with a specific VLAN. It serves as the default gateway for all hosts in that VLAN and as the routing interface the switch uses to forward packets between VLANs.

  • One SVI per VLAN that requires Layer 3 routing
  • The SVI is up/up only when the associated VLAN exists, has at least one active access or trunk port, and no shutdown is configured
  • SVIs can also be used as the switch management interface (typically VLAN 1 or a dedicated management VLAN)
  • SVIs are also the interface on which DHCP relay (ip helper-address) is configured for each VLAN. See DHCP Relay Agent Configuration.

! Step 1 — Enable IP routing (required on Cisco switches)
ip routing

! Step 2 — Create VLANs
vlan 10
 name Staff
vlan 20
 name Students
vlan 30
 name Servers

! Step 3 — Configure SVIs
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shutdown

interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown

interface vlan 30
 ip address 192.168.30.1 255.255.255.0
 no shutdown
            

4. Inter-VLAN Routing on a Layer 3 Switch

When a host in VLAN 10 sends a packet to a host in VLAN 20, the Layer 3 switch handles the entire routing process internally — no traffic leaves the switch chassis. This makes it significantly faster than Router-on-a-Stick, which requires all inter-VLAN traffic to traverse an external trunk link to a router and back.

  PC1 (192.168.10.10 / VLAN 10)
      │
      │ Access port (VLAN 10)
      │
  ┌───┴───────────────────────────────────┐
  │  Layer 3 Switch                        │
  │                                       │
  │  SVI 10: 192.168.10.1  ◄── default GW │
  │          │  (routing decision in ASIC) │
  │  SVI 20: 192.168.20.1  ──► default GW │
  └───────────────────────┬───────────────┘
                          │ Access port (VLAN 20)
                          │
                      PC2 (192.168.20.20 / VLAN 20)
            

Packet flow: PC1 sends to its gateway (SVI 10: 192.168.10.1) → switch looks up 192.168.20.20 in its routing table → matches directly connected route via SVI 20 → ARP resolves PC2’s MAC → frame forwarded out the VLAN 20 access port to PC2.

See also: Step-by-Step: Inter-VLAN Routing on a Layer 3 Switch | Step-by-Step: Router-on-a-Stick

5. Routed Ports

In addition to SVIs, a Layer 3 switch can configure individual physical ports as routed ports — behaving exactly like a router interface rather than a switch port. A routed port has no VLAN membership and is used primarily for uplinks to routers, firewalls, or other Layer 3 devices.

! Convert a switch port to a routed (Layer 3) port
interface GigabitEthernet1/0/24
 no switchport
 ip address 10.0.0.2 255.255.255.252
 no shutdown
            

When to use routed ports vs SVIs:

| Use Case | Recommended Interface Type |
|---|---|
| Default gateway for a VLAN (multiple hosts) | SVI (interface vlan X) |
| Point-to-point uplink to a router or firewall | Routed port (no switchport) |
| Point-to-point link between two Layer 3 switches | Routed port or /30 subnet SVI |

6. Static Routing on a Layer 3 Switch

Static routes are used for networks not reachable through directly connected SVIs — most commonly a default route pointing upstream to the WAN router for Internet-bound traffic.

! Default route (all unknown destinations to WAN router)
ip route 0.0.0.0 0.0.0.0 10.0.0.1

! Specific static route to a remote subnet via next-hop
ip route 10.1.0.0 255.255.0.0 192.168.30.2

! Specific static route using exit interface (point-to-point only)
ip route 172.16.0.0 255.255.0.0 GigabitEthernet1/0/24
            

See also: Static Routing | Default Routes | Administrative Distance

7. Dynamic Routing Protocol Support

Most enterprise-grade Layer 3 switches support the same IGPs as routers. Dynamic routing is essential when the switch must exchange routes with upstream routers, other distribution switches, or across a campus network.

| Protocol | Support Level | Typical Use on L3 Switch |
|---|---|---|
| OSPF | Universal — all enterprise L3 switches | Advertise SVI subnets; peer with distribution/core routers |
| EIGRP | Cisco proprietary — Catalyst, Nexus | Fast convergence in Cisco-only campus networks |
| RIPv2 | Most L3 switches | Legacy or very simple networks only; not recommended for production |
| BGP | High-end switches only (Nexus, Catalyst 9000) | Data-centre leaf-spine fabrics; enterprise internet edge |

! Enable IP routing first
ip routing

! OSPF — advertise all three SVI subnets into area 0
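router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 ! Enable OSPF on the routed uplink (10.0.0.2/30 from section 5) so an adjacency can form
 network 10.0.0.0 0.0.0.3 area 0
 passive-interface default
 ! Uplink to router: the only interface that sends OSPF hellos
 no passive-interface GigabitEthernet1/0/24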

! EIGRP (named mode, Cisco IOS 15.0+)
router eigrp CAMPUS
 address-family ipv4 unicast autonomous-system 100
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
  network 192.168.30.0 0.0.0.255
            

See also: OSPF Single-Area | OSPF Areas & LSAs | EIGRP Configuration | Step-by-Step: OSPF

8. Hardware Forwarding – ASIC and the CEF Process

Unlike a software router that processes each packet in the CPU, a Layer 3 switch uses ASICs (Application-Specific Integrated Circuits) to forward frames and route packets in hardware at wire speed. Cisco’s implementation uses CEF (Cisco Express Forwarding) as the software control plane that populates two hardware tables:

| Table | Contents | Used For |
|---|---|---|
| FIB (Forwarding Information Base) | Compiled copy of the IP routing table, optimised for hardware lookup | Layer 3 next-hop lookup at line rate |
| Adjacency Table | Layer 2 rewrite information (destination MAC, egress interface) for each next-hop | Encapsulating the outgoing Ethernet frame without ARP at forwarding time |

The result: once a flow is established, every packet is forwarded entirely in hardware without CPU involvement, giving throughputs of tens to hundreds of Gbps on modern campus switches.

! Verify CEF is active (enabled by default on IOS)
show ip cef
show ip cef 192.168.20.0/24 detail
            

9. Complete Configuration Example

Scenario: Three VLANs (Staff, Students, Servers), uplink to WAN router, OSPF to exchange routes. Each VLAN SVI also serves as the DHCP relay agent for its VLAN — see DHCP Relay Agent Configuration and DHCP Server Configuration.

! ---- Global ----
hostname DIST-SW1
ip routing

! ---- VLANs ----
vlan 10
 name Staff
vlan 20
 name Students
vlan 30
 name Servers

! ---- SVIs (inter-VLAN gateways) ----
interface vlan 10
 description Staff Gateway
 ip address 192.168.10.1 255.255.255.0
 no shutdown

interface vlan 20
 description Students Gateway
 ip address 192.168.20.1 255.255.255.0
 no shutdown

interface vlan 30
 description Servers Gateway
 ip address 192.168.30.1 255.255.255.0
 no shutdown

! ---- Routed uplink to WAN router ----
interface GigabitEthernet1/0/24
 description Uplink to WAN-Router
 no switchport
 ip address 10.0.0.2 255.255.255.252
 no shutdown

! ---- Default route upstream ----
ip route 0.0.0.0 0.0.0.0 10.0.0.1

! ---- OSPF (share internal subnets with router) ----
router ospf 1
 router-id 1.1.1.1
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.3 area 0
 passive-interface vlan 10
 passive-interface vlan 20
 passive-interface vlan 30
            

Hosts in each VLAN use the respective SVI IP as their default gateway. Assign addresses dynamically using DHCP — see DHCP Server Configuration.

10. Layer 3 Switch vs. Router – When to Use Which

| Criterion | Layer 3 Switch | Router |
|---|---|---|
| Inter-VLAN routing (LAN) | ✔ Preferred — hardware-speed, no external link | Possible but slower (Router-on-a-Stick bottleneck) |
| LAN throughput | ✔ Very high (ASIC, 10/25/100G ports) | Lower — WAN ports typically 1G or less |
| WAN connectivity | ✖ Very limited — no Serial/DSL/4G interfaces | ✔ Full WAN interface support |
| IPsec VPN | ✖ Not supported on most switches | ✔ Native VPN engine (IOS, ISR) |
| Zone-Based Firewall / IPS | ✖ Not available | ✔ Supported on ISR/ASR platforms |
| BGP for Internet routing | High-end only (Nexus, Catalyst 9000) | ✔ All enterprise routers |
| Cost per port | Lower (switched ports are cheap) | Higher (few ports, purpose-built) |

Rule of thumb: Deploy Layer 3 switches at the distribution and core layers for high-speed inter-VLAN routing. Deploy routers at the WAN/Internet edge for connectivity, VPNs, and advanced security. See also: Routers | Switches

11. Security – ACLs on SVIs

ACLs applied to SVIs control which traffic is permitted to cross VLAN boundaries, implementing a policy similar to a firewall at the distribution layer. An ACL applied inbound on an SVI filters traffic as it enters the routing engine from that VLAN. See Applying ACLs for placement rules.

! Prevent Students (VLAN 20) from reaching Servers (VLAN 30)
! but allow all other traffic

ip access-list extended PROTECT_SERVERS
 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any

interface vlan 20
 ip access-group PROTECT_SERVERS in

! Allow only SSH from Staff (VLAN 10) to Servers (VLAN 30)
ip access-list extended STAFF_TO_SERVERS
 permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 22
 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip any any

interface vlan 10
 ip access-group STAFF_TO_SERVERS in
            

See also: ACL Overview | Applying ACLs | Standard ACLs | Named ACLs | Step-by-Step: Extended ACLs
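
The first-match behaviour of the two ACLs above can be checked offline before they are applied. The following Python sketch is an added example, not part of the original page or of any Cisco tooling: it parses only the ACL syntax used in this section and reports the verdict for every ordered VLAN pair. The host 192.168.30.5 and all function names are assumptions made for illustration.

```python
from ipaddress import IPv4Address

# ACL entries copied from this section, keyed by the SVI they are applied inbound on.
ACLS = {
    10: ["permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 22",
         "deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255",
         "permit ip any any"],
    20: ["deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255",
         "permit ip any any"],
}
# One host per VLAN: the first two appear in the section 4 diagram, the third is constructed.
HOSTS = {10: "192.168.10.10", 20: "192.168.20.20", 30: "192.168.30.5"}

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(first)), int(IPv4Address(tokens.pop(0)))

def parse_ace(line):
    """Parse the subset of extended-ACL syntax used on this page."""
    t = line.split()
    ace = {"action": t.pop(0), "proto": t.pop(0), "src": _addr(t), "dst": _addr(t)}
    ace["dport"] = int(t[1]) if t[:1] == ["eq"] else None
    return ace

def _hit(ip, spec):
    base, wild = spec
    # Wildcard bits set to 1 are ignored in the comparison.
    return (int(IPv4Address(ip)) | wild) == (base | wild)

def evaluate(ingress_vlan, proto, src, dst, dport=None):
    """First-match verdict of the inbound ACL on the SVI where the packet enters."""
    if ingress_vlan not in ACLS:
        return "permit (no ACL on SVI)"
    for n, line in enumerate(ACLS[ingress_vlan], 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if _hit(src, ace["src"]) and _hit(dst, ace["dst"]):
            return f"{ace['action']} (line {n})"
    return "deny (implicit)"

def vlan_matrix(proto="tcp", dport=443):
    """Verdict for every ordered VLAN pair, using one host per VLAN."""
    return {(s, d): evaluate(s, proto, HOSTS[s], HOSTS[d], dport)
            for s in HOSTS for d in HOSTS if s != d}

if __name__ == "__main__":
    for pair, verdict in vlan_matrix().items():
        print(pair, verdict)
```

With these two ACLs only traffic towards the Servers VLAN is denied: Students to Staff is still permitted by the final permit, and anything sourced from VLAN 30 is unfiltered because SVI 30 has no inbound ACL.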

12. High Availability and Redundancy

In production networks, a single Layer 3 switch is a single point of failure. Three complementary mechanisms provide redundancy:

| Mechanism | Purpose | Configured On |
|---|---|---|
| HSRP / VRRP / GLBP | Gateway redundancy — if the active switch fails, the standby assumes the virtual IP with no host reconfiguration | SVIs on both distribution switches |
| EtherChannel | Bundles multiple physical links into one logical link — provides both redundancy and bandwidth aggregation | Uplinks between access and distribution, or distribution to core |
| Dual distribution switches | Each access switch uplinks to two distribution switches; FHRP ensures only one is the active gateway per VLAN | Campus three-tier architecture |

! HSRP on DIST-SW1 (active for VLAN 10)
interface vlan 10
 ip address 192.168.10.2 255.255.255.0
 ! Virtual IP = hosts' default gateway
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
 no shutdown

! HSRP on DIST-SW2 (standby for VLAN 10)
interface vlan 10
 ip address 192.168.10.3 255.255.255.0
 standby 10 ip 192.168.10.1
 standby 10 priority 100
 no shutdown
            

See also: Step-by-Step: FHRP (HSRP / VRRP / GLBP) | Step-by-Step: EtherChannel LACP

13. Verification and Troubleshooting

| Command | Purpose | What to Look For |
|---|---|---|
| show ip route | Display the full routing table | Confirm directly connected (C), static (S), and dynamic (O/D) routes are present; check for missing subnets |
| show ip interface brief | Status and IP of all interfaces including SVIs | SVIs should be up/up; “down/down” means the VLAN has no active ports; “up/down” means administratively shut |
| show vlan brief | Verify VLANs exist and which ports are assigned | VLANs must exist in the database for their SVIs to come up |
| show interfaces vlan [id] | Detailed status of a specific SVI | Check for “line protocol is down” — indicates no active ports in the VLAN |
| show running-config | Verify ip routing, SVI IPs, ACLs, routing protocol config | Confirm ip routing is present; check for typos in network statements |
| show ip ospf neighbor | Confirm OSPF adjacencies are established | Neighbour should be in FULL state; anything else needs investigation |
| show ip cef | Verify CEF hardware forwarding table | Entries should match the routing table; “no route” means CEF will drop the packet |
| ping [ip] source vlan [id] | Test inter-VLAN reachability from a specific SVI | Successful ping confirms routing and ARP are working for that VLAN pair |
| traceroute [ip] | Trace the routing path to a destination | Identify where packets are being dropped or looping |

Common Troubleshooting Checklist

  • ip routing missing? — Without this global command, the switch acts as a pure Layer 2 device and all SVIs will reject routed traffic
  • SVI is down/down? — The VLAN must exist (show vlan brief) and have at least one active access or trunk port assigned to it
  • Hosts cannot reach the gateway? — Confirm the host’s default gateway matches the SVI IP and VLAN assignment is correct on the access port
  • One-way routing? — Check return routes exist with show ip route; a missing route in one direction produces asymmetric or dropped traffic
  • ACL blocking traffic? — Run show ip access-lists and look for unexpected match counters on deny entries
  • Hosts not getting IPs? — Verify DHCP relay (ip helper-address) is configured on each SVI. See DHCP Relay Agent Configuration.

See also: Step-by-Step: Troubleshooting Layer 3 Routing | Step-by-Step: Troubleshooting VLANs & Trunks

14. Key Points & CCNA Exam Tips

  • ip routing must be entered in global config — without it, no routing occurs regardless of SVI configuration
  • An SVI is up/up only when: the VLAN exists, has at least one active port, and no shutdown is set
  • Layer 3 switch inter-VLAN routing is always faster than Router-on-a-Stick because all routing is internal hardware (no trunk bottleneck)
  • Use routed ports (no switchport) for point-to-point uplinks to routers or firewalls
  • OSPF passive-interface should be applied to all SVI interfaces — only enable OSPF hellos on interfaces that face other routers
  • ACLs on SVIs filter traffic as it enters the routing engine — inbound on the source VLAN’s SVI is the most common and efficient placement
  • FHRP (HSRP/VRRP/GLBP) provides gateway redundancy when two distribution switches share SVI responsibilities
  • CEF must be enabled (default on IOS) for hardware forwarding — use show ip cef to verify
  • show ip route, show ip interface brief, and show vlan brief are the three essential troubleshooting commands
  • Layer 3 switches do not replace routers at the WAN edge — they lack WAN interfaces, IPsec VPN, and advanced security features
  • Configure DHCP relay (ip helper-address) on each SVI so hosts receive IP addresses from a centralised DHCP server
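
The checklist in section 13 and the key points above can be turned into an offline check of a saved configuration. This Python script is an added example, not Cisco tooling or code from the original page: it flags a missing ip routing, SVIs whose VLAN is not defined, SVIs on which OSPF is enabled but not passive, and SVIs without an inbound ACL. The sample configuration is constructed, the function names are hypothetical, and it assumes VLAN definitions appear in the configuration text as they do in the page's examples.

```python
import re
from ipaddress import IPv4Address as IP

# Constructed sample in running-config style, with deliberate faults on VLAN 30.
SAMPLE = """\
ip routing
vlan 10
vlan 20
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group STAFF_TO_SERVERS in
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group PROTECT_SERVERS in
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
router ospf 1
 network 192.168.0.0 0.0.255.255 area 0
 passive-interface Vlan10
 passive-interface Vlan20
"""

def sections(config):
    """Map each top-level line to its indented sub-commands (lower-cased)."""
    out, head = {}, None
    for raw in config.splitlines():
        # Normalise "Vlan10" and "vlan 10" to the same spelling.
        line = re.sub(r"vlan\s*(\d+)", r"vlan \1", raw.rstrip().lower())
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            head = line
            out.setdefault(head, [])
        elif head is not None:
            out[head].append(line.strip())
    return out

def ospf_enabled(ip, ospf):
    """True if a 'network' statement's wildcard mask covers this address."""
    nets = (re.match(r"network (\S+) (\S+) area", c) for c in ospf)
    return any(m and (int(IP(ip)) | int(IP(m[2]))) == (int(IP(m[1])) | int(IP(m[2]))) for m in nets)

def audit(config):
    """Return findings for the routing, VLAN, OSPF and ACL checks on each SVI."""
    sec, findings = sections(config), []
    if "ip routing" not in sec:
        findings.append("global: ip routing missing, SVIs will not route")
    ospf = [c for h, b in sec.items() if h.startswith("router ospf") for c in b]
    svis = {m[1]: b for h, b in sec.items() if (m := re.fullmatch(r"interface vlan (\d+)", h))}
    for vid, body in svis.items():
        ip = next((c.split()[2] for c in body if c.startswith("ip address ")), None)
        if f"vlan {vid}" not in sec:
            findings.append(f"vlan {vid}: not in VLAN database, SVI stays down")
        passive = f"passive-interface vlan {vid}" in ospf or (
            "passive-interface default" in ospf and f"no passive-interface vlan {vid}" not in ospf)
        if ip and ospf_enabled(ip, ospf) and not passive:
            findings.append(f"vlan {vid}: OSPF hellos sent on a host VLAN")
        if not any(re.match(r"ip access-group \S+ in$", c) for c in body):
            findings.append(f"vlan {vid}: no inbound ACL on SVI")
    return findings
```

Calling audit(SAMPLE) returns three findings, all for VLAN 30; a configuration that follows section 9 and adds an inbound ACL on every SVI returns an empty list.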

Layer 3 Switch Routing Quiz

1. What main function does a Layer 3 switch perform besides Layer 2 switching?

Correct answer is C. A Layer 3 switch combines hardware-speed Layer 2 switching with IP routing, allowing it to route packets between VLANs internally without any external router.

2. What is a Switch Virtual Interface (SVI)?

Correct answer is A. An SVI (interface vlan X) is a logical Layer 3 interface on a switch. It is assigned an IP address that serves as the default gateway for all hosts in that VLAN.

3. How does inter-VLAN routing work on a Layer 3 switch?

Correct answer is D. The switch routes packets between VLANs entirely in hardware using its internal SVIs — no traffic needs to leave the chassis, making it significantly faster than Router-on-a-Stick. See Step-by-Step: Inter-VLAN Routing on a Layer 3 Switch.

4. Which command enables Layer 3 routing on a Cisco switch?

Correct answer is B. ip routing is entered in global configuration mode. Without it, the switch ignores all SVI IP addresses for routing purposes and cannot forward packets between VLANs.

5. What routing protocols are commonly supported on Layer 3 switches?

Correct answer is C. Most enterprise Layer 3 switches support OSPF, EIGRP, and RIPv2. BGP is only available on high-end platforms such as the Cisco Nexus or Catalyst 9000 series.

6. Which command shows the routing table on a Layer 3 switch?

Correct answer is A. show ip route displays the routing table, showing directly connected (C), static (S), OSPF (O), and EIGRP (D) routes. It is the primary command for verifying Layer 3 reachability.

7. Why are Layer 3 switches preferred over traditional routers for inter-VLAN routing in a campus LAN?

Correct answer is D. A Layer 3 switch performs both L2 switching and L3 routing in ASIC hardware, optimised for high-density LAN environments. Traditional routers prioritise WAN connectivity, VPN, and advanced security features over raw LAN port density.

8. How can ACLs be used on a Layer 3 switch?

Correct answer is B. Extended ACLs applied inbound on an SVI filter traffic as it enters the routing engine from that VLAN. This is the standard method for controlling inter-VLAN access at the distribution layer. See Applying ACLs.

9. What is a typical limitation of Layer 3 switches compared to routers?

Correct answer is C. Layer 3 switches are optimised for LAN performance and typically lack WAN interfaces (Serial, DSL, 4G), IPsec VPN engines, and advanced security features like Zone-Based Firewall. These remain the domain of dedicated routers.

10. Which command displays the IP addresses and status of SVIs on a Layer 3 switch?

Correct answer is A. show ip interface brief lists all interfaces including SVIs with their IP address, Layer 1 status, and Layer 2 protocol status. An SVI shows “up/up” only when the VLAN exists and has at least one active port.
