Layer 3 interface

What is the difference between a proper L3 interface on an L3 switch and a switched virtual LAN interface on L3?
Which situations would justify either of them?
Thanks!

A "proper" L3 interface would only have one port on the L3 subnet. An SVI could have many ports on the L3 subnet. When supporting multiple hosts on a subnet, you would use an SVI. If the port connects to another router, you might just use "proper" dedicated L3 ports.
An SVI can also have only one defined port; it then generally behaves much like your "proper" port. This being so, why define a port to only support one L3 subnet? It precludes the mistake of defining multiple ports to a subnet. The big advantage of a single-port subnet: when the port is down, the device considers the subnet unreachable.
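
An added example, not part of the original thread: a small Python audit that reads IOS-style configuration text and lists, for each L3 interface, whether it is a routed port or an SVI and which access ports sit on its subnet. The sample configuration, interface names and addresses are constructed, and VLANs carried only on trunks are not counted.

```python
import ipaddress
import re

# Constructed sample config (not from the thread); names and addresses are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.0.12.1 255.255.255.252
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 switchport access vlan 30
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any unindented line ends the block
    return interfaces


def classify_l3(config):
    """List each L3 interface with its kind, subnet and the ports on that subnet."""
    interfaces = parse_interfaces(config)
    members = {}  # VLAN id -> access ports (trunk membership is not tracked)
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.fullmatch(r"switchport access vlan (\d+)", cmd)
            if m:
                members.setdefault(int(m.group(1)), []).append(name)
    report = []
    for name, cmds in interfaces.items():
        addr = re.search(r"^ip address (\S+) (\S+)$", "\n".join(cmds), re.M)
        if addr is None:
            continue  # no primary IPv4 address: a pure L2 port
        subnet = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}").network
        svi = re.fullmatch(r"Vlan(\d+)", name, re.IGNORECASE)
        # An SVI serves every access port in its VLAN; a routed port is alone.
        ports = members.get(int(svi.group(1)), []) if svi else [name]
        report.append({"interface": name, "kind": "svi" if svi else "routed-port",
                       "subnet": str(subnet), "ports": ports})
    return report


if __name__ == "__main__":
    for row in classify_l3(SAMPLE_CONFIG):
        print(row)
```

An SVI that reports exactly one port (Vlan30 in the sample) is the single-port case the answer describes, and one that reports none is worth checking against the trunk configuration.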

Similar Messages

  • Web Authentication on Layer 3 interface with Cat 3750 - doc is wrong?

    Cisco 3750 with IP Service Image 12.2.55
    Trying to enable Web Authentication on Layer 3 interface:
    ip auth-proxy name bp_auth_proxy http inactivity-time 60
    interface GigabitEthernet1/0/5
    no switchport
    ip address 192.168.1.27 255.255.255.0
    ip access-group 101 in
    ip admission bp_auth_proxy
    The last line fails:
    % This config is not supported on this platform. Try configuring a new rule.
    I also tried to set this on vlan interface, same result.
    The line works on layer 2 interface, but this is not what I need.
    Doc says everything must work with Layer 3 i/f, since 12.2.52:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swwebauth.html#wp1104204
    Am I doing something wrong?
    Thanks a lot for help!
    Sergey

    Hi, I'm having the same issue in 12.2(55)SE6 IP services. Did you ever get it working or find a workaround?
    Web-Auth-TestSW1(config-if)#int fa3/0/1
    Web-Auth-TestSW1(config-if)#no sw
    Web-Auth-TestSW1(config-if)# ip address 10.x.x.x 255.255.255.128
    Web-Auth-TestSW1(config-if)# ip admission webauth1
    % This config is not supported on this platform. Try configuring a new rule

  • ABAP-OO: Another Layer (1 Interface) vs. extending N Interfaces?

    Hello,
    this is a crosspost from Stackoverflow, any advice greatly appreciated.
    I have a Data-Access Layer (SAP ABAP, but the language does not matter here) where I have 1 interface per entity/database-table, like
    IF_DATA_CONTRACT_HEAD->get_contract_header( )
    IF_DATA_OBJECT_CALC->get_object_calculations( )
    40 more ...
    These interfaces are implemented by the actual database-access class-impls and a generated caching-layer, which is pretty simple since the methods really do not have any parameters and just return "the relevant" data. In certain consumers however, I require a filtered access to the returned data, specifically I need to get the data of all interfaces (~50) constrained by contract-position. So, do you recommend to
    A) extend all interfaces by an optional parameter like IF_DATA_CONTRACT_POSITION->get_contract_positions() which means my impl and my caching-layer get more complex
    B) should I create another interface IF_DATA_FILTER_CONTRACT_POSITION->set_contract_position_filter? for the sole purpose of explicitly filtering data-access
    A) When extending every existing interface (the ~40-50 listed above) with the optional contract-position filter/constraint, the API is quite clean and would look like the following:
    result = lo_data_object_calc->get_object_calculations( <FILTER> ).
    As already mentioned, it would require me to extend every implementation, the data-access as well as the generated caching-layer.
    B) With the explicit filter-interface IF_DATA_FILTER_CONTRACT_POSITION on the other hand, I would have yet another interface-layer around data-access and I could generate the uncoupled filtering impls. I would neither need to touch the actual data-access impl nor the generated cache-layer. However, the usage would be a little more clumsy, like
    TRY. " down-cast from data-interface to filter-interface
    DATA lo_object_filter ?= lo_data_object_calc.
    lo_object_filter->set_contract_position_filter( <FILTER> ).
    CATCH could_not_cast.
    RAISE i-need-a-filter-impl!
    ENDTRY.
    result = lo_data_object_calc->get_object_calculations( ).

    Update 05.08.2014: I decided to go with
    C) create a separate filter-object which explicitly filters the tables retrieved by e.g. get_object_calculations( ).
    Reasoning: Separation of Concerns, explicit semantic of filtering, no need to update all interfaces or regenerate caching-layer.

  • Can configure layer 2 interface at 7600+rsp720+sip400+SPA-2X1GE-V2

    Hi guys:
    Can the SPA-2X1GE-V2 module interface work as an L2 switchport? Thanks
    same:
    interface GigabitEthernet5/1/1
    switchport
    switchport access vlan 20
    switchport mode access

    Hi there,
    No, the SIP400 cannot be configured as an L2 switchport (it does not make any difference which SPA you actually use).
    However, you can have multipoint Layer 2 bridging service by using bridge-domain under service instance configuration (EVC),
    something like:
    interface GigabitEthernet5/1/1
    service instance 1 ethernet
      encapsulation dot1q 20
      bridge-domain 20
    Internally one bridge-domain is mapped to one of the 4K global VLAN resources, meaning that you still need an SVI for the L3 termination.
    i.e.:
    interface Vlan 20
    ip address 10.0.0.1 255.255.255.0
    regards,
    Riccardo

  • Port channel as a layer 3 interface

    I have just inherited a very complex network and noticed in the config, for a cat-6513 with layer 3, the following:
    interface Port-channel34
    ip address 10.20.4.10 255.255.255.252
    What would be a rationale for making a port-channel a layer 3 port?
    thanks.

    In the case of a portChannel as an L3 entity, it allows for the added capacity/redundancy of the link as well as provides the layer 3 topology either wanted or, in some instances, required, such as when you need to make a multilink connection to a router from your switch.
    Or perhaps you have a routed core infrastructure created in your L3 environment and you wish to increase the capacity of the links between devices without using VTP/trunking.

  • Problem with FWSM and L3 interface in same switch

    I have two 6513s with an 802.1q trunk connecting them. Each switch has redundant Sup720s running in Native mode, IOS ver 12.2(18)SXF (they were initially running SXD3). A FWSM (ver 2.3(3), routed mode, single context) is in each switch, set up in failover mode.
    I can not get a PC, in a vlan that has the layer 3 interface defined on the switch with the active FWSM in it, to communicate with devices "behind" the FWSM. If I move the layer 3 configuration for that vlan to the other 6513, everything works fine.
    The MSFCs are on the inside of the firewall, they have a layer 3 interface configured in the same vlan as the FWSM "inside" interface. Several "same security level" interfaces are defined on the FWSM and used to protect server farms. I am using OSPF on the MSFCs and FWSM and the routing table is correct.
    The FWSM builds connections for attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this is not a FWSM ACL problem.
    A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, even though debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, shows only the request packets. I have captured on the common vlan and the FWSM backplane port channel interface.
    Just to add to the confusion, if I capture in the same places, but do the ping from a PC that is in a vlan with the layer 3 interface defined in the 6513 that does not contain the active FWSM, which works fine, I see the request and reply on the common vlan capture, but only the request on the port channel capture.
    This problem has been there from the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have experienced this with any and all vlans that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.
    If anyone else has experienced this and solved it, or knows what is going on, I would appreciate any insight.
    Thanks.
    Keith

    I will have to get setup to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
    I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces" which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command, states that policy routing may need to be implemented to prevent ip packets from going around the firewall. I do not have any policy routing in place.
    I also do not have any active layer three interfaces defined for any of the vlans assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about ip packets having a way around the FWSM. My suspicion is that this command and the fact that I have mls on is causing some type of a problem which results in the packet being "lost" when it needs to be going through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
    Do you have any idea where better documentation on using the "firewall multiple-vlan-interfaces" may be, or a better explanation of all that is happening inside the switch when that command is used?
    Thanks.

  • Which interface does "crypto map vpn" get assigned to?

    I'm setting up a site to site vpn and have been reading some examples, but my 871 uses a vlan so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or fe4, which is my WAN side?

    Sander
    If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
    If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
    HTH
    Rick

  • Calling user function from Interface mapping

    I am getting error "Bad query:ORA-00904: invalid identifier" while calling function in the mapping of an interface.
    Can some one provide the syntax of calling user function from interface mapping.
    Thanks,
    RP

    user452108 wrote:
    > Can some one provide the syntax of calling user function from interface mapping.
    Oracle's Call Interface, the OCI, does not work differently when coding using a Dvorak keyboard, or writing code using a pretty pink font in the editor.. or coding the call from an interface mapping (whatever the hell that is).
    You have 2 types of calls. SQL and PL/SQL.
    To call a function via SQL, it can be done using the standard cursor interface. E.g.
    select MyFunkyFunction from dual
    It will return the function value via a single row with a single column. The standard cursor fetch and close cursor calls are used.
    To call it via PL/SQL, an anonymous PL/SQL block is needed, and the caller needs to use a bind variable to receive the value from the function. The anon block will look as follows:
    begin
      :bindVar := MyFunkyFunction;
    end;
    Refer to your client's abstract layer for interfacing with the Oracle Call Interface, on how to deal with bind variables.

  • Changing the IP address of the management interface

    Hi all,
    I need to make a change to a pair of Production wireless controllers. Basically the IP range that was assigned for the wireless LAN is no longer sufficient. The gateway for the controllers is a pair of Cisco 4500's that are running HSRP.
    I need to extend the LAN from a /23 to a /22. Unfortunately the range of addresses is completely different. To make matters worse I have to do this remotely, some distance away!
    The layer 3 interface on the switches uses .2 and .3 of the new address range with .1 as the gateway (standby ip).
    The controllers are set up as a Primary and Secondary device, with all the APs currently associated with the Primary.
    My plan was to change the IP address of the management and ap-manager (both are on the same subnet) on the Secondary controller, I'd then lose visibility of the Secondary controller, then change the IP addresses of the physical interfaces on the 4500's. Confirm reachability to the new IP addresses defined on the Secondary controller. Assuming this works, reconfigure the physical interfaces on the two interfaces to ensure the Primary is reachable again, make the IP changes to the Primary WLC, update the physical interfaces on the 4500's to use the new IP addresses and then both WLC's should be reachable. The AP's will hopefully have rebooted and obtained a new IP address from the new range defined for them.
    I'm really not sure of another way of doing this, other than adding a secondary IP address to the interfaces?
    I also wonder if there is a way to apply the initial configuration to the secondary controller, and if my changes don't work, reload the controller so it goes back to using the saved configuration and not the running configuration. Do the controllers support something similar to the 'reload in x' command like on Cisco switches? I've looked up the reset command but am not sure it achieves the same outcome?
    Any ideas?

    Hi Scott,
    Would you do the Primary or Secondary controller first? All the AP's are currently associated with the Primary controller.
    We don't have access to the console port on the controller remotely. We don't have a KVM/IP KVM there.
    What would be the safest method in your opinion?
    - Make the IP changes through the GUI on the Secondary controller.
    - Make the changes on the L3 switches.
    - Confirm reachability to the new ap-manager IP address and management IP address.
    - Adjust the configuration on the L3 switch so the Primary is reachable again.
    - Make the IP change through the GUI on the Primary controller.
    - Confirm reachability to the Primary and Secondary.
    Do the controllers support the 'reload in x' command or something similar? And is the 'Apply' command in the GUI like committing the change to the running-configuration but not the start-up configuration or if there is a major problem I can get somebody on-site to pull the power?
    Thanks

  • Layer 3 port on switch

    If I configure my switch as a router and put a port in layer 3 mode, will all vlans on the switch be able to see this?

    Hi Carl,
    If all the other vlans are normal layer 2 vlans, how will they see the router, which will be in some other vlan or network?
    Your vlans will be in other subnets/networks, so they need to be routed to reach the subnet/network which the router belongs to.
    So "ip routing" is required and you need to have gateways for your clients in different vlans, creating layer 3 interfaces for them.
    HTH, if yes please rate all helpful posts.
    Ankur

  • Interface Bridging Into GRE Tunnel

    Hello all, I was wondering if it is still possible, as I know it was never supported, to bridge a layer 2 interface directly into a GRE tunnel. I have a customer that currently has a dedicated L2 circuit and a new L3 connection; he wants to move his L2 device to his L3 link to save money on circuits. The issue that I have is he does not want to change his IP addresses and the layer 2 network terminates in another location 20 miles away. The layer 3 routed network is also between both buildings and I can create a GRE tunnel between the 2 locations without touching the Internet. I have tried this using a 2921 router running IOS 15.4(2)T1 but the bridge-group command is not available on the GRE tunnel interface.
    I have also looked at pseudowire and cannot find the commands related to this, do I need to upgrade my license to security?
    Cheers
    Stuart

    It's a hidden command. Even though you might get a warning message stating this is obsolete and unsupported, it is still technically a valid configuration. Legacy, but works.
    Keep in mind there are better solutions for this kind of connections.  But you can try it, it's simple anyways.
    Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
    1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
    2. Create bridge:
    router(config)#bridge 1 protocol ieee
    3. Create a GRE tunnel interface (don't configure IP's):
    router(config)# interface tun0
    router(config-if)# tun source loopback x
    router(config-if)# tun destination <other router loopback ip>
    router(config-if)# bridge-group 1
    **This is a hidden cmd. You will get a warning message, but ignore it**
    4. Attach Physical Interface to Bridge as well:
    router(config)# interface Fa0/0
    router(config-if)# bridge-group 1
    5. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
    You can try this on GNS3 as well.  I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
    Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier.  It also helps to understand the newer versions/enhancements to this as well. 
    HTH

  • Netflow command and interface

    Hi,
    I have a few simple questions regarding netflow. Would anyone please clarify them for me?
    1. I usually configured netflow with "ip route-cache flow" command. Anyway, I have seen articles mentioning "ip flow ingress" and "ip flow egress" commands. What is different exactly i.e. ip route-cache flow and ip flow ingress|egress? Which one should be used?
    2. I understand netflow needs to be configured on every interface to export completely netflow data. Is it correct?
    3. If there are 2 physical and 2 logical i.e. tunnel interfaces, how many/which interfaces should netflow be configured? Are only physical interfaces enough?
    Please let me know if I misunderstand anything.
    Thank you very much,
    Nitass

    AFAIK:
    1. "ip route-cache flow" is deprecated starting in 12.2(18)SXD. See this URL for other IOS trains: http://www.cisco.com/en/US/docs/ios/netflow/command/reference/nf_01.html#wp1049320
    2. It's generally correct, due to the unidirectional nature of NetFlow records. Otherwise, you run risks such as only seeing one direction of a given "conversation".
    3. My understanding was NetFlow cache could only be enabled on layer-3 interfaces. However, on the catalyst 6000s (and sup720?), you can get layer-2 bridged traffic between hosts in the same VLAN, using the following config:
    ip flow ingress layer2-switched vlan
    ip flow export layer2-switched vlan
    Then, there's this recent thread that makes it sound promising that layer-2 ports could become NetFlow-enabled, though it's not clear (to me) how it works out in practice:
    https://supportforums.cisco.com/message/678612#678612
    So YMMV. The best bet is to actually attempt configuring it. Odds are the physical interfaces won't accept the "ip route-cache flow" or "ip flow ingress/egress" config.

  • Designing interfaces more effectively

    Hi,
    I have a requirement where I need to design an interface. Currently we have one concrete class which is going to implement that interface.
    For example:
    public interface myintf {
       public Object getMyData(String name) throws NameNotFoundException, DataAccessException;
    }
    Here the interface throws two exceptions, NameNotFoundException and DataAccessException.
    But I think this is a bad design, I know that the concrete class that I have now will interact with the database, thus may cause DataAccessException.
    But it seems I am trying to inject a dependency from my concrete class into the interface, because other classes which are going to implement the same interface in future may not be hitting the db for getting the data.
    Could you please tell me what all I need to consider for the exception clause while designing the interface?

    > But I think this is a bad design, I know that the concrete class that I have now will interact with the database, thus may cause DataAccessException.
    I don't think that's necessarily a bad design. "DataAccessException" to me sounds like a problem accessing data; it doesn't imply that there's a database involved. That said, you may want to examine the "layer" your interface is in and throw a single exception related to that layer that wraps underlying exceptions as the root cause.

  • Second ssid interface

    Hi,
    On an existing controller HA setup an ssid "PPS-WL" exists. We want to test another ssid over the same set of AP's.
    Can we set up another ssid "WPS-WL" and attach it to the same interface as PPS-WL, or do I need a dedicated interface for this new ssid?
    Another query is, both controllers are in AP-SSO mode. I have read internal wlc dhcp doesn't work in SSO mode.
    In that case, should the small dhcp pool need to be created on connected switches or is there any other way?
    Thanks in advance.

    DHCP preferably would be on a dedicated dhcp server.  As long as dhcp proxy is enabled, the WLC will proxy the dhcp request.  If dhcp proxy is disabled, then you need ip helpers on your layer 3 interface.
    Thanks,
    Scott
