Jay Smith

asked on

Cisco Switches layer 2/3?

How do I verify if a layer 2/3 switch is operating in either layer?  I was asked to verify if certain devices in our network are working in either layer.
atlas_shuddered

All switches operate in layer 2.  So, you can safely say that each switch in your network is operating in layer 2 without even looking.

To determine if they are operating as layer 3 devices:

switch#show ip route

You should only see a default route/default gateway/gateway of last resort noted and no routes in table (if layer 2).  If you see any routes are in the route table, you are operating at layer 3.

In other words, If Layer 2, Then:

switch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is X.X.X.X

If Layer 3, Then:

switch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 4 subnets
B       1.1.1.1 [200/0] via 10.10.0.1, 00:20:24
B       1.1.0.1 [200/0] via 10.10.0.1, 00:20:24
B       1.1.0.2 [20/0] via 10.20.0.1, 00:15:03
B       1.1.2.1 [200/0] via 10.10.0.1, 00:20:24
     2.0.0.0/32 is subnetted, 4 subnets
B       2.1.2.1 [20/0] via 10.100.0.1, 07:41:53
B       2.1.3.1 [20/0] via 10.200.0.1, 07:41:53
B       2.1.1.1 [20/0] via 10.100.0.1, 07:41:53
B       2.1.4.1 [20/0] via 10.200.0.1, 07:41:53
     58.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B       58.58.58.2/32 [200/0] via 10.65.12.2, 00:20:25
S       58.58.58.0/24 is directly connected, Null0
B       58.58.58.1/32 [200/0] via 10.65.11.2, 00:20:26
     10.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
i L2    10.10.0.0/30 [115/10] via 10.65.0.1, FastEthernet0/0
C       10.0.0.2/32 is directly connected, Loopback0
i L2    10.0.1.2/32 [115/30] via 10.65.0.1, FastEthernet0/0
i L2    10.0.0.1/32 [115/20] via 10.65.0.1, FastEthernet0/0
C       10.20.0.0/30 is directly connected, FastEthernet1/0
i L2    10.65.11.0/30 [115/20] via 10.65.0.1, FastEthernet0/0
i L2    10.65.13.0/30 [115/20] via 10.65.0.1, FastEthernet0/0
i L2    10.65.12.0/30 [115/20] via 10.65.0.1, FastEthernet0/0
i L2    10.65.1.0/28 [115/20] via 10.65.0.1, FastEthernet0/0
B       10.65.12.12/32 [200/0] via 10.65.12.2, 00:20:26
B       10.65.11.11/32 [200/0] via 10.65.11.2, 00:20:26
C       10.65.0.0/28 is directly connected, FastEthernet0/0
C       10.100.0.0/30 is directly connected, FastEthernet2/0.100
C       10.200.0.0/30 is directly connected, FastEthernet2/0.200
B       10.10.200.0/30 [20/0] via 10.200.0.1, 07:41:57
     60.0.0.0/32 is subnetted, 1 subnets
B       60.0.0.60 [200/0] via 10.65.13.2, 00:20:27

To be double sure about layer 2, confirm the default gateway

show run | inc default-

The result should match the gateway of last resort statement in the previous output.
skullnobrains

There can be a mixture of both.
There can be a configured router config which is unused.
There can be many things you cannot deduce from simply reading the config.

Without more info, I'd try to identify the gateways of the connected machines. Either the switch is the gateway and it is operating at layer 3, or it just passes the traffic to the gateway/gateways and it operates at layer 2.

Layer 3 means it takes part in the routing process: redirects packets to their next destination, reduces the TTL, ...
1. Look at the product code: if it ends with EMI, it's a layer 3; if it's SMI, it's layer 2.

2. In config t mode, if you can configure ip routing then it's layer 3; if not, then it's layer 2.

3. sh license detail all: if the license level is either ip base or ip service then it's layer 3.

Good luck
There is a difference between "layer 3 capable" and "layer 3 operating".  A large majority of switches today are layer 3 capable but not all are configured as layer 3 operating.  Per the original question, I understood that the request was how to tell which devices are operating at layer 3, not which devices are just capable.

If capability is the desire then you will need to actually check each model against the manufacturer specs as the device can be capable of layer 3 but not have the necessary code/licensing installed.

If operation is what you are looking for, check the switches themselves for routing configured.  In my opinion, it wouldn't reflect well if you went walking out on the floor to check machines, servers and other connected equipment to confirm the DFG and then checking the switches for a corresponding match.

As an additional note: if you are running Cisco equipment, you can run the following to determine if layer 3 is turned on inside the switch:

Switch#show run | inc ip rout

If IP routing is enabled you will receive a return like this:

Switch#show run | inc ip rout
ip routing
ip route 10.103.201.0 255.255.255.0 10.103.192.12
ip route 10.103.202.0 255.255.255.0 10.103.192.12
ip route 10.103.204.0 255.255.255.0 10.103.192.12
ip route 10.103.205.0 255.255.255.0 10.103.192.12

The "ip routing" statement tells you routing is enabled, and the "ip route X.X.X.X 255.255.255.0 X.X.X.X" statement(s) tell you what networks it is actually routing for.

If the switch is only layer 2, you will get no returns.
... and even if routing is actually configured, it does not mean it is actually used.

Most managed layer 2 operating switches will have a few routes set up in order to get the management GUI to be accessible, and many will have a bunch of useless routes and possibly IPs in various VLANs that may or may not be actually used.

Also note that many layer 2 switches are configured with an IP in each VLAN as per the stupidest white paper ever, which can be used to efficiently evade the VLAN security.
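The checks discussed in this thread (an empty routing table versus a populated one in "show ip route", the "ip routing" and "ip route" lines from "show run | inc ip rout", and an SVI present in every VLAN) can be run as an audit script over saved CLI output. The script below is an added example, not code from any participant here: it parses the two outputs, classifies the switch as "layer 2 only" or "layer 3 configured", and flags the unused-config and SVI-per-VLAN cases. The sample outputs are constructed (trimmed copies of the ones posted above plus one made-up table using documentation and private address ranges), the "layer 3 operating" question is deliberately left as a finding to verify on the hosts, and the line-format regex is an assumption based on the IOS output shown in this thread.

```python
"""Classify a Cisco IOS switch from "show ip route" and "show run | inc ip rout" output."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One route entry: code column (e.g. "B", "C", "S*", "i L2"), prefix, remainder.
# Legend ("Codes: ...") and summary lines ("     10.0.0.0/8 is subnetted ...")
# do not match because they start with a word or with whitespace.
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Za-z*]{1,2})(?:\s+[A-Za-z]{1,2}[0-9]?)?\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+"
    r"(?P<rest>.*)$"
)
GATEWAY_LINE = re.compile(r"^Gateway of last resort is (?P<gw>.+)$")
CONNECTED = re.compile(r"is directly connected, (?P<iface>\S+)")


@dataclass
class RouteTable:
    gateway_of_last_resort: Optional[str]
    routes_by_code: Counter = field(default_factory=Counter)
    connected_interfaces: List[str] = field(default_factory=list)

    @property
    def route_count(self) -> int:
        return sum(self.routes_by_code.values())

    @property
    def svi_count(self) -> int:
        # Connected routes on VlanN interfaces = SVIs holding an address in that VLAN.
        return sum(1 for i in self.connected_interfaces if i.lower().startswith("vlan"))


def parse_show_ip_route(output: str) -> RouteTable:
    table = RouteTable(gateway_of_last_resort=None)
    for line in output.splitlines():
        gw = GATEWAY_LINE.match(line)
        if gw:
            value = gw.group("gw").strip()
            table.gateway_of_last_resort = None if value == "not set" else value
            continue
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        table.routes_by_code[m.group("code")] += 1
        conn = CONNECTED.search(m.group("rest"))
        if conn:
            table.connected_interfaces.append(conn.group("iface"))
    return table


def parse_ip_routing_config(output: str) -> Dict[str, object]:
    lines = [l.strip() for l in output.splitlines()]
    return {"routing_enabled": "ip routing" in lines,
            "static_routes": [l for l in lines if l.startswith("ip route ")]}


def assess(show_ip_route: str, show_run_ip_rout: str) -> Dict[str, object]:
    table = parse_show_ip_route(show_ip_route)
    cfg = parse_ip_routing_config(show_run_ip_rout)
    findings: List[str] = []
    if cfg["routing_enabled"] or table.route_count:
        verdict = "layer 3 configured"
        findings.append("verify on the hosts that this switch is their default gateway "
                        "before calling it layer 3 operating")
    else:
        verdict = "layer 2 only"
    if cfg["routing_enabled"] and table.route_count == 0:
        findings.append("ip routing is enabled but the table holds no routes: likely an unused config block")
    if table.svi_count > 1:
        findings.append(f"SVIs on {table.svi_count} VLANs: inter-VLAN routing is possible unless ACLs restrict it")
    return {"verdict": verdict, "route_count": table.route_count,
            "routes_by_code": dict(table.routes_by_code), "svi_count": table.svi_count,
            "static_routes": cfg["static_routes"], "findings": findings}


# Constructed samples, trimmed from the outputs posted in this thread.
L2_SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

Gateway of last resort is 10.0.0.1
"""
L2_SHOW_RUN = "Switch#show run | inc ip rout\n"

L3_SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 4 subnets
B       1.1.1.1 [200/0] via 10.10.0.1, 00:20:24
B       1.1.0.2 [20/0] via 10.20.0.1, 00:15:03
     58.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S       58.58.58.0/24 is directly connected, Null0
     10.0.0.0/8 is variably subnetted, 15 subnets, 3 masks
i L2    10.10.0.0/30 [115/10] via 10.65.0.1, FastEthernet0/0
C       10.0.0.2/32 is directly connected, Loopback0
C       10.20.0.0/30 is directly connected, FastEthernet1/0
"""
L3_SHOW_RUN = """\
Switch#show run | inc ip rout
ip routing
ip route 10.103.201.0 255.255.255.0 10.103.192.12
ip route 10.103.202.0 255.255.255.0 10.103.192.12
"""

# Constructed: ip routing on and an SVI in every VLAN, the case warned about above.
SVI_SHOW_IP_ROUTE = """\
Gateway of last resort is 192.0.2.1 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 192.0.2.1
     192.0.2.0/24 is subnetted, 1 subnets
C       192.0.2.0 is directly connected, Vlan1
     10.0.0.0/24 is subnetted, 3 subnets
C       10.0.10.0 is directly connected, Vlan10
C       10.0.20.0 is directly connected, Vlan20
C       10.0.30.0 is directly connected, Vlan30
"""
SVI_SHOW_RUN = "ip routing\nip route 0.0.0.0 0.0.0.0 192.0.2.1\n"

if __name__ == "__main__":
    for name, route_out, run_out in [("L2 sample", L2_SHOW_IP_ROUTE, L2_SHOW_RUN),
                                     ("L3 sample", L3_SHOW_IP_ROUTE, L3_SHOW_RUN),
                                     ("SVI sample", SVI_SHOW_IP_ROUTE, SVI_SHOW_RUN)]:
        r = assess(route_out, run_out)
        print(f"{name}: {r['verdict']} ({r['route_count']} routes, {r['svi_count']} SVIs)")
        for f in r["findings"]:
            print("  -", f)
```

The verdict follows the logic of the answers above: any route in the table or an "ip routing" line means layer 3 is configured, but whether hosts actually route through the switch is reported as something to confirm on the hosts, not decided from the switch alone.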
Jay Smith

ASKER

All things considered, how would I interpret this information below:

#show run | inc default-
   default-router x.x.x.10
   default-router x.x.x.10


#show run | inc ip rout
ip routing
ip route 0.0.0.0 0.0.0.0 x.x.x.10
ip route x.x.x.x 255.255.240.0 x.x.x.10


#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.x.x to network 0.0.0.0

     x.x.x.x/24 is subnetted, 2 subnets
C       x.x.x.x is directly connected, Vlan1
S       x.x.x.x [1/0] via x.x.x.x
     x.x.x.x/24 is subnetted, 4 subnets
C       x.x.x.x is directly connected, Vlan xx
C       x.x.x.x is directly connected, Vlan xx
C       x.x.x.x is directly connected, Vlan xx
C       x.x.x.x is directly connected, Vlan xx
... as lots of Xs

... and as a clear demonstration of my above 2 statements:

1: it is configured, but there is nothing stating it is actually being used
2: the directly connected lines suggest (unless I'm mistaken, which is fairly possible in this case) the switch has addresses on each VLAN... which means that unless ACLs are in place the VLAN isolation is severely compromised.
#show run | inc ip rout
ip routing
ip route 0.0.0.0 0.0.0.0 x.x.x.10
ip route x.x.x.x 255.255.240.0 x.x.x.10

These three statements show that the switch is being used for routing:

ip routing - Layer 3 services are turned on
ip route 0.0.0.0 0.0.0.0 x.x.x.10 (static routed default path)
ip route x.x.x.x 255.255.240.0 x.x.x.10 (static route to the /20 in this statement)

The S in the show ip route statement indicates the presence of the static route in the table.

The show run | inc default is useless to your endeavor and therefore unnecessary.
"These three statements show that the switch is being used for routing"

It shows it is CONFIGURED.
Turning on a feature does not mean you're actually using it.
You can stick this config and actually make the switch operate as a level 2 switch on a 172.16/12 address plan with machines that do not even have a default route or a totally different one.

Actually, since people tend to buy or grab old hardware, it is very frequent to find unused config blocks when performing security audits, and quite frequent as well that they can actually be used to compromise network isolation... not even mentioning solving hard-to-debug network issues caused by such config blocks.
Your VLANs are not going to show up as connected routes unless the switch is configured at layer 3.  Yes, the switch can be configured for layer 3 but not actually be routing the traffic (e.g. the connected nodes in a particular VLAN are configured with a different gateway).  Nonetheless, layer 3 is still configured.  Same way with static routes.  If they are configured, you are running at layer 3, and that means that those routes will be used if the switch is queried for a route decision.  If the config isn't needed, get rid of it, but don't count on it "just being there" and not being used.
What is the exact issue you are facing now?