MS Layer 3 Switching and Routing
Layer 3 (L3) Routing Overview
A typical network design segments/divides the network based on the group that a device belongs or the function it performs. For example, a Corporate or a Production VLAN only has devices that belong to your own Organization; on the other hand, a Guest-WIFI VLAN only has visitor devices that are connected to the a Guest wireless network (Guest SSID).
In such use-cases, VLANs separate devices into different broadcast domains and Layer 3 (L3) subnets. Network switches typically move data forward to destination based on Layer 2 (L2) packet attributes like VLAN-ID and MAC Address. Network switches that perform this forwarding operation are known as L2 switches. Devices within the same VLAN can communicate with each other without the need for routing because they live within the same broadcast domain and L3 subnet.
As a result, devices in separate VLANs require a Layer 3 forwarding device (e.g.: a router) to communicate with each other. The L3 device can be external to the switch or it can be a feature in the same switch. Layer2-only switches require an external L3 routing device to provide communication between VLANs because they don't have L3 routing feature - i.e.: they don't move data forward to destination based on L3 attributes like destination IP address.
Many Cisco Meraki switches have Layer 3 routing capability within the switch itself. E.g.: switch receives a packet, determines that the packet belongs to another VLAN, and sends the packet to the appropriate port within the destination VLAN. This is called L3 routing and a switch capable of doing this is known as a Layer 3 (L3) switch. L3 routing is possible thanks to a special kind of internal interface called "Switched Virtual Interface" or SVI for short.
When you enable Layer 3 Routing on your switch, you'll be creating an SVI per VLAN and subnet that will move data based on L3 attribute destination IP address. After that, the devices living within each VLAN can talk to one another without the need for all them to be in the same broadcast domain or to have a router operating as gateway.
Layer 3 routing capabilities are available on most Cisco Meraki switches. This allows the switches to route traffic between VLANs in a network without the need for an additional layer 3 device. This feature also allows you to control traffic between VLANs using Access Control Lists (ACLs) while reducing workload on your Router or Firewall. In addition, the Cisco Meraki L3 switch can also offer simple DHCP services through its SVIs.
Learn more with this free online training course on the Meraki Learning Hub:
Supported Models
In order to enable and configure layer 3 routing on MS switches, a layer 3 capable switch is required.
The alert, "This switch is routing for too many hosts. Performance may be affected" will be displayed if the current number of routed clients exceeds the values listed in the table below.
| Model | Layer 3 Interfaces | Routes | Maximum Routable Clients | Features |
|---|---|---|---|---|
| MS210 | 16 | 16 static routes | 8192 |
Static Routing |
| MS225 | 16 | 16 static routes | 8192 | Static Routing DHCP Relay |
| MS250 | 256 | 1024 1 (256 static routes) | 8192 | Static Routing OSPFv2 DHCP Server + Relay Warm Spare (VRRP) Multicast Routing (PIM-SM) |
| MS350 | 256 | 16384 1 (256 static routes) | 24K | Static Routing OSPFv2 DHCP Server + Relay Warm Spare (VRRP) Multicast Routing (PIM-SM) |
| MS350X | 256 | 8192 (256 static routes) | 45K | Static Routing OSPFv2 DHCP Server + Relay Warm Spare (VRRP) Multicast Routing (PIM-SM) |
| MS355 | 256 | 8192 (256 static routes) | 68K | Static Routing OSPFv2 DHCP Server + Relay Warm Spare (VRRP) Multicast Routing (PIM-SM) |
| MS390 | 256 | 8192 (256 static routes) | 24K | Static Routing OSPFv2 DHCP Server + Relay Multicast Routing (PIM-SM) IPv6 Layer-3 Interfaces & Static Routing 3 |
| C9300-M | 256 | 8192 (256 static routes) | 24K | Static Routing OSPFv2 DHCP Server + Relay Multicast Routing (PIM-SM) IPv6 Layer-3 Interfaces & Static Routing 3 |
| MS410 | 256 | 16384 1 (256 static routes) | 24K | Static Routing OSPFv2 DHCP Server + Relay Warm Spare (VRRP) Multicast Routing (PIM-SM) |
| MS425 | 256 | 8192 (256 static routes) | 212K | Static Routing OSPFv2 DHCP Server + Relay Warm Spare (VRRP) Multicast Routing (PIM-SM) |
| MS450 | 256 | 8192 (256 static routes) | 68K | Static Routing OSPFv2 DHCP Server + Relay Warm Spare (VRRP) Multicast Routing (PIM-SM) |
1 To prevent hardware TCAM exhaustion, the following platform limitations are enforced on the number of dynamically (OSPF) learned routes
MS250: 900
MS350, MS410: 15000
If the limit is reached, routes will be rejected indiscriminately and may result in erratic routing behavior. To minimize the impact of this, the default route will not be affected by the limit and will be accepted regardless.
3 Supported only on the specified switches series, on firmware versions CS 15.21.1 and higher.
Initializing Layer 3 Routing
You must create Layer 3 Interfaces in order to route traffic between VLANs. These special interfaces are called "Switched Virtual Interface" or SVI for shoft. Only VLANs that have an SVI configured will be able to route traffic on the switch. An SVI is a kind of Layer 3 Routing interface and the term Layer 3 / L3 interface and SVI / SVI interface are used interchangeably.
Note: only clients/devices configured to use the correct SVI IP address as their gateway or next-hop will have its packets routed by your switch SVI. If a client/device within a VLAN use another IP address as their gateway, then your switch won't be doing the Layer 3 packet forwarding decision.
To start using layer 3 routing, navigate to the Switching > Configure > Routing & DHCP page. Alternatively, you could go to Switching > Monitor > Switches and click on the switch to be configured. Under L3 routing tab, click Configure - which takes you to the same Routing & DHCP page as above.
On the Routing & DHCP page, you will have the option to either "create interface" or to add an interface, if any layer 3 interfaces (SVI) already exist in the network. Clicking on the available option will bring up the Interface Editor UI. Use the Interface Editor to configure your SVI.
Configuring an IPv4 L3 Interface (IPv4 SVI)
- Interface name: A friendly name/description for the interface/VLAN.
- VLAN: The VLAN this layer 3 interface is in.
- Subnet: The network that this layer 3 interface is in, in CIDR notation (ex. 10.1.1.0/24).
- Interface IP: The IP address this switch will use for layer 3 routing on this VLAN/subnet. This cannot be the same as the switch's management IP.
- Multicast support: Enable multicast support if multicast routing between VLANs is required.
- Default gateway: When creating the first IPv4 interface on a switch, you will be prompted to enter a default gateway address. This is the next hop IPv4 address of another device on the network, used for any traffic that isn't going to a directly connected subnet or over a static route. This IP address must exist in a subnet with a layer 3 interface, and will be used for the default route next hop IP address.
- DHCP settings: If DHCP on this VLAN should be handled by the switch or forwarded to a server, make the appropriate selections. See the article on Configuring DHCP Services for more details.
- OSPF settings: This VLAN can be distributed via OSPF. See the MS OSPF Overview article for more details.
When complete, click Save or Save and add another to configure additional layer 3 interfaces.
Configuring an IPv6 L3 Interface (IPv6 SVI)
Note: This feature is only supported on the MS390 and C9300-M models.
- Interface name: A friendly name/description for the interface/VLAN.
- VLAN: The VLAN this layer 3 interface is in.
- Prefix: The IPv6 subnet that this layer 3 interface is in, in CIDR notation (ex. 2001:db8::/32).
- IPv6 EUI64: Option to use EUI (extended unique identifier) allowing the switch to automatically dervice the interface IPv6 address from the switch's MAC address. This option can only be used if the prefix length is /64.
- Interface IPv6: The IPv6 address this switch will use for layer 3 routing on this VLAN/subnet. This cannot be the same as the switch's management IPv6 address. If the interace is configure to use EUI64, this option will be disabled.
- Default gateway: When creating the first IPv6 interface on a switch, you will be prompted to enter a default gateway address. This is the next hop IPv6 of a another device on the network, used address for any traffic that isn't going to a directly connected subnet or over a static route. This IP address must exist in a subnet with a layer 3 interface, and will be used for the default route next hop IP address.
Once created, any layer 3 interfaces or static routes will appear under Switching > Configure > Routing & DHCP.
Note: Each switch can only have a single layer 3 interface per VLAN.
Configuring Static Routes
In order to route traffic elsewhere in the network, static routes must be configured for subnets that are not being routed by the switch or would not be using the default route already configured, such as if another portion of the network was located behind a router or another layer 3 switch is downstream from the Cisco Meraki layer 3 switch being configured.
To create a new static route:
- Navigate to Switching > Configure > Routing & DHCP.
- Click Add a static route.
- Select the Switch it should be applied to.
- Provide the following information:
- Name: A friendly name/description for the static route.
- Subnet: The network that this static route is for, in CIDR notation (ex. 10.1.1.0/24 or 2001:db8::/32).
- Next hop IP: The IP address of the next layer 3 device along the path to this network. This address must exist in a subnet with a layer 3 interface. On switches that support IPv6 static routing, an IPv6 global unicast address can be entered as the next hop IP.
- Click Save or Save and add another if additional static routes are needed.
Note: A default route cannot point to an SVI configured on that same switch. Likewise, avoid configuring any static route with a Next-Hop which is the IP address of another SVI in the same switch. Doing this can create a Layer 3 routing loop and consequent network outages.
Editing an Existing Layer 3 Interface (SVI) or Static Route
To modify an existing layer 3 interface or static route on a specific switch:
- Navigate to Switching > Configure > Routing & DHCP.
- Click on the desired Interface or Route.
- Make any desired changes.
- Click Save.
Moving a Layer 3 Interface (SVI) to Another Switch
To move a layer 3 interface from one switch to another:
- Navigate to Switching > Configure > Routing & DHCP.
- Select the layer 3 interfaces that will be moved.
- Click Edit > Move...
- Select destination switch or switch stack, then click Submit.
Deleting a Layer 3 Interface (SVI) or Static Route
In order to delete a layer 3 interface or static route:
- Navigate to Switching > Configure > Routing & DHCP.
- Click on the desired Interface or Route.
- Click Delete Interface/Route, then click Confirm delete.
Note: A switch must retain at least one layer 3 interface and the default route. The default route cannot be manually deleted.
Disabling Layer 3 Routing
In order to disable layer 3 routing, any configured static routes and layer 3 interfaces must be deleted in a specific order.
- Navigate to Switching > Configure > Routing & DHCP.
- Delete any static routes other than the Default route for the desired switch.
- Delete any layer 3 interfaces other than the one which contains the next hop IP for the default route on the desired switch.
- Delete the last layer 3 interface to disable layer 3 routing.
Performing these steps out of order will result in an error and will not allow the route/interface to be deleted.
Layer 3 Interface (SVI) Caveats
Switch Management IP and Layer 3 Interfaces (SVIs)
The management IP is treated entirely different from the SVIs and must be a different IP address. It can be placed on a routed or non-routed VLAN (e.g.: a management VLAN independent from client traffic). Traffic from the management IP address to the Cisco Meraki Cloud Controller will not use the layer 3 routing settings; instead, it will be using its configured default gateway. Therefore, it is important that the IP address, VLAN, and default gateway configured in your switch management IP can still provide connectivity to the internet independently from the switche's own L3 routing settings.
The Switch (or Stack) management IP configuration cannot have Gateway address defined as one of its own SVI address when it is performing Layer 3 routing. It will not be able to check in using the assigned management IP when the gateway is pointed to itself. For example, if 192.168.1.1 is one of the L3 interfaces (SVI) on a switch (or stack), you cannot have 192.168.1.1 as the gateway for its management IP (Switching > Switches > LAN IP).
For switch stacks performing L3 routing, ensure that the management IP subnet does not overlap with the subnet of any of it's own configured L3 interfaces. Overlapping subnets on the management IP and L3 interfaces can result in packet loss when pinging or polling (via SNMP) the management IP of stack members.
Note: The overlapping subnet limitation does not apply to Catalyst switches (MS390/C9300-M).
Pings Destined for a Layer 3 Interface
MS Switches with Layer 3 enabled will prioritize forwarding traffic over responding to pings. As a result, packet loss and/or latency may be observed for pings destined to an SVI address. Therefore, it's recommended to ping another device in a given subnet to check network stability and reachability.
Note: Meraki MS classic switches (excluding MS390) are unable to ping their own Layer 3 Interface.