Moving Layer 3 to the Network Edge

With the advent of new technologies as well as the ability to have multi-layer switches at the access layer, Cisco is starting to change the game.  New network designs are pushing layer 3 routing out to the access switches creating a routed edge.

Most campus and data center network designs have been following the standard 3 tier design model established by Cisco.   With this you have  Core, Distribution, and Access tiers that comprise the 3 tiers.  You would typically use layer 2 at the access, use vlans to segment traffic, spanning for loop avoidance and begin routing at the distribution tier.  Pretty standard stuff.  But there are some challenges to this design.

With the new routed edge designs all of that changes.

Issues with a Switched Access Layer

  • Vlans must span across multiple switches
  • Layer 2 Loops
  • Layer 2 and 3 running
  • Blocked Links
  • Must configure STP root
  • Must configure RootGuard, LoopsGuard, etc.
  • Must set HSRP tuning to load balance uplinks
  • Many moving parts increase instability


Moving to a Routed Access layer we can avoid many of these issues, have faster convergence, faster failover, improved stability, as well as increased security.

Benefits of a Routed Access Layer

  • EIGRP and OSPF converges < 200 msec
  • No Matching STP.HSRP/GLBP priority
  • No Layer 2 Loops
  • No blocked links
  • Single Control Plane and known tool set – (traceroute, show ip route, etc.)
  • Routed access network recovery dependant on L3 reroute
  • Flows based on Equal Cost Multi-Path (ECMP)
  • All fault recovery is ECMP-based (i.e, consistent and predictable)
  • Allows for VRF enabled designs (improved security over VLANs)
  • Relatively painless migration to L# using EIGRP (depending on address scheme)


As you can see there are some serious benefits to moving to a routed access especially if you have the capability at your access layer (i.e., 3750’s, 4948’s, or 4507’s – multilayer switches).  There are still challanges to this new design.  How do you management of configs, changed to ip addressing, training of personel, etc.,  With new technologies comes the need for new understanding of these technologies and how to support them.

With sub-200 msec of failover, especially when implementing IP telephony(VoIP) in your environment – a layer 3 access layer looks to be a must have.

What are your thoughts or commments on this new design?  Have you implemented this in your environment or do you think Cisco is just trying to drive equipment sales?  Leave your comment below and thanks for reading!



Senior Network Engineer, technology enthusiast, guitar and bass player. Joe Wilson is the creator of as well as other niche websites that can be found around on the Internets.

What do you think about this article?


  1. Hello i am writing from Venezuela (excuse me for my english)… I am planning a new infraestructure for my enterprise and we have less than 260 hosts and 10 servers. We are considering a collapsed core with a pair of 4506e, routed acces with 6 catalyst 3560x and for The data center and The internet edge, 1 catalyst 4948 for each framework… What do You recomend: 1. Keeping routed acces scheme for servers access and Dmz or, 2. Use a lawyer 2 catalyst switch like 2960tdl, bellow The catalyst 4948?

  2. Well, I belive that there is no way that L3 switching @ access can be affordable. Double the expenses and for what?

    For slighty better fail-over? Not with my managment board.

  3. The main issue with L3 to the edge is a lack of portability. You essentially create little "islands" that don't scale well. For instance without layer 2 extended to your edge in a large data center, you either have a very massive cabling mess, or you end up with parts of the data center that are very overcrowded due to the fact that you cant extend certain VLAN's where they are needed. Yes they load balance well, but you can get the same functionality with full layer 2 portability using vPC's (if you are running Nexus 7k/5k) and eliminate spanning tree issues.

    • Hi John,
      You're absolutely right. For Data Centers, the routed access does not work. A better solution is certainly a Nexus or some type of VSS to provide the virtual portability across multiple switches within the data center.

      A routed access layer works well for the user data segments, office areas, or possibly customer segments where you need to provide highly reliable fail-over for voice and video. For improved security you can use VRF's to segment traffic – this is especially good for customer or guest networks.

      Thanks for the great comment!

      • for DCs, i think RAL will work specially after VXLAN gets added to more and more devices. what are your thoughts on that

  4. I am actaully planning this right now. I think RAL is the way to go…

  5. Also does it mean that we do not have interface VLAN's or VLAN's "xconnect" to VFI's?

    • You still have VLAN's at the edge but really only to segment your services on a per port basis. For example you would have a Data
      VLAN, Voice VLAN, Guest VLAN etc. What you really don't have any more is spanning tree since your L2 stops right there at the access switch.

  6. Does it mean that STP can be disabled in Routed Access Layer ?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About us

RouterFreak is a blog dedicated to professional network engineers. We
focus on network fundamentals, product/service reviews, and career advancements.


As an Amazon Associate, I earn from qualifying purchases.

RouterFreak is supported by its audience. We may receive a small commission from the affiliate links in this post, at no extra cost to our readers.