Layer 3 Switching 2

By certskills September 5, 2016 09:05

This next lab is one of the longer labs in this config lab series. The lab includes some simple tasks to configure 802.1Q trunking and to create VLANs. The big focus of the lab however is to enable layer 3 switching on two distribution switches using VLAN interfaces (that is, SVIs). The lab itself requires a few dozen configuration commands, so it will take a little longer than the usual 5-10 minutes. As always, it is best to try these after you have read about the topic in your study materials.


In this design, you will create the routing configuration required to support four user VLANs for PCs and two voice VLANs for IP phones. Two user data VLANs exist on switch Access1 (VLANs 10 and 20), and two user data VLANs exist on switch Access2 (VLANs 30 and 40). Additionally, all IP phones off switch Access1 should be assigned to voice VLAN 100, and all IP phones off switch Access 2 should be assigned to voice VLAN 200. The two distribution switches route between those VLANs, even using a link between the two switches to route packets between the distribution switches.

The specific rules for this lab are:

  • Configure the access switches (Access1 and Access2):
    • As layer 2 switches
    • Create the necessary VLANs (data and voice) per the figure
    • Assume VTP Transparent mode is in use on all switches
    • Configure the ports on the bottom of the access switches (in the figure) to be access ports in the listed VLANs
  • Configure trunks:
    • Make the link from switch Dist1 to Access1 a manual 802.1Q trunk
    • Make the link from switch Dist2 to Access2 a manual 802.1Q trunk
    • (Do NOT make the Dist1 to Dist2 link a trunk)
  • Configure the distribution switches (Dist1 and Dist2)
    • As layer 3 switches
    • Use SVIs for the switches’ layer 3 interfaces (that is, VLAN interfaces)
    • Use the IP addresses listed in the figure
    • Create the necessary VLANs (data and voice) per the figure
    • Assume VTP transparent mode
    • Use the IP addresses listed in the figure
  • Configure the link between the distribution switches
    • Do not trunk on this link
    • Make this link an access link in VLAN 500
    • Route between switches Dist1 and Dist2 over this link between the switches
  • Enable all SVI/VLAN interfaces
  • Note that RIPv2 and IPv4 routing have been pre-configured in preparation for your layer 3 switching configuration

Figure 1: Topology in Which to Add new IP Phones to Voice VLAN 100


Initial Configuration

Examples 1, 2, 3 and 4 shows the beginning configuration state of Dist1, Dist2, Access1 and Access2.


Example 1: Dist1 Config


Example 2: Dist2 Config


Example 3: Access1 Config


Example 4: Access2 Config


Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

To test your solution if you happen to try it with VIRL or real gear, you can check using a couple of different commands. On the Distribution switches check that the VLANs have been created by using the show vlan brief command, then check that the VLAN interfaces were configured with the show ip interfaces brief and/or show running-config commands. Also check that the trunks are operational using the show interfaces trunk command. On the Access switches, check that the VLANs have been created and assigned properly using the show vlan brief command and verify that the trunks are operational using the show interfaces trunk command.


Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!

All interfaces in topology match the lab figure. The VIRL topology also includes hosts (but no phones) to allow testing of the design. For instance, you can ping between the four PCs to test your configuration.

Configuration Note:

If you do use VIRL, note that to make trunking work, you need to also choose the trunking protocol with the switchport trunk encapsulation dot1q interface subcommand. The VIRL switch IOS image happens to be based on a Cisco switch that supports both the older ISL and the new 802.1Q, so you have to specify which protocol to use.

Host device info:

This table lists host information pre-configured in VIRL, information that might not be required by the lab but may be useful to you.

Device IP Address Gateway User/password
PC1 cisco/cisco
PC2 cisco/cisco
PC3 cisco/cisco
PC4 cisco/cisco



Handy Host Commands:

To see PC IP address: ifconfig eth1

Ping example: ping -c 4

Trace example: tracepath

To connect to another node within the topology: telnet

Answers: Local SPAN 1
IPv6 Standard ACL 1
By certskills September 5, 2016 09:05
Write a comment


  1. oliver September 6, 09:56

    Hi Mr. Wendell,

    Nice to have this scenario. Thanks.
    I have question regarding vlan500, as per your requirements int his network, between 2 layer3 switches. D1 D2 /29

    g0/1 – ip address

    g0/1 – ip address

    I don’t why there is a VLAN 500?
    I was confused because this port is routed port to be able put layer3 addresses.

    Please enlighten me.


    Reply to this comment
  2. oliver September 6, 10:03

    No problem thanks, i get it now.

    Reply to this comment
  3. oliver September 6, 10:19

    Sorry I tried, but failed. Please enlighten me.

    Reply to this comment
    • CCENTSkills October 19, 08:19

      Hi Oliver,
      I originally thought you had figured out your own problem, and didn’t need a reply. Looking here again these weeks later, I think you might have wanted a reply.

      Short version, assuming your first comment detailed the issue, the link between the switches isn’t a routed port. A fine reading of the exam topics puts any mention of routed ports into the ICND2 half of the material, which is why I made that switch-switch link just be an access link, using VLAN interfaces. In real life, I’d make them routed ports, as you were thinking. So the lab is admittedly a bit of an exercise in thinking about the commands, as opposed to a guide to best config practices.
      Hope this helps…

      Reply to this comment
  4. bobc1978 February 24, 12:17

    Am I able to use Packet Tracer for these labs?

    Reply to this comment
    • CCENTSkills February 27, 07:48

      Hi Bob,
      I would imagine your could. I haven’t tested them, given that PT is meant for Academy folks only, and that’s a small subset of the audience. But from what I hear most everything you’d want to do for CCNA can be done well with PT.

      Reply to this comment
  5. Gjorgi November 19, 01:38

    Thank you for the layout, yes it all works as expected, all “show” commands indicate the setup as it was required.
    This is also a great setup to practice the “show” commands to inspect learned vs. directly connected routes, setup RIPv2, VLAN and trunking setups, etc.
    I was able to do this exercise on Packet Tracer 7.1, with a tiny caveat- distribution switches cannot be 2960, you’ll have to pick a multilayer switch model. Other than that, it is all doable within Packet Tracer.
    Yes, it was tempting to just go for the routed port setup…

    Reply to this comment
  6. Austin July 16, 11:56

    why is VLAN 50 required between the 2 Distro layer switches?

    Reply to this comment
    • certskills Author July 16, 14:15

      I’m sure I’m not getting the true meaning of your question. Do you mean why “50” vs some other number? Somewhat arbitrary, just needed a VLAN number to use. If you mean something else, feel free to follow up.

      Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.