
Module 4

Inter-VLAN routing allows hosts in different VLANs to communicate by forwarding traffic between VLANs. There are three main inter-VLAN routing options: legacy routing using multiple router interfaces, router-on-a-stick using one router interface and subinterfaces, and layer 3 switching using switched virtual interfaces (SVIs). Router-on-a-stick overcomes the scalability limitations of legacy routing by using a single router interface trunked to multiple VLANs and configured with VLAN subinterfaces to route between VLANs. The document then provides configuration examples for router-on-a-stick routing between VLANs 10, 20 and 99 on switches S1 and S2 connected via a router interface on R1. Connectivity is

CCNA 2 v7.0 Curriculum: Module 4 – Inter-VLAN Routing

4.1 Inter-VLAN Routing Operation

4.1.1 What is Inter-VLAN Routing?

VLANs are used to segment switched Layer 2 networks for a variety of reasons. Regardless of the
reason, hosts in one VLAN cannot communicate with hosts in another VLAN unless there is a router or a
Layer 3 switch to provide routing services.

Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another VLAN.

There are three inter-VLAN routing options:

• Legacy Inter-VLAN routing – This is a legacy solution. It does not scale well.
• Router-on-a-Stick – This is an acceptable solution for a small to medium-sized network.
• Layer 3 switch using switched virtual interfaces (SVIs) – This is the most scalable solution for
  medium to large organizations.

4.1.2 Legacy Inter-VLAN Routing

The first inter-VLAN routing solution relied on using a router with multiple Ethernet interfaces. Each
router interface was connected to a switch port in different VLANs. The router interfaces served as the
default gateways to the local hosts on the VLAN subnet.

For example, refer to the topology where R1 has two interfaces connected to switch S1.

Notice that in the example, the MAC address table of S1 is populated as follows:

• Fa0/1 port is assigned to VLAN 10 and is connected to the R1 G0/0/0 interface.
• Fa0/11 port is assigned to VLAN 10 and is connected to PC1.
• Fa0/12 port is assigned to VLAN 20 and is connected to the R1 G0/0/1 interface.
• Fa0/11 port is assigned to VLAN 20 and is connected to PC2.

MAC Address table for S1
When PC1 sends a packet to PC2 on another network, it forwards it to its default gateway 192.168.10.1.
R1 receives the packet on its G0/0/0 interface and examines the destination address of the packet. R1
then routes the packet out its G0/0/1 interface to the F0/12 port in VLAN 20 on S1. Finally, S1 forwards
the frame to PC2.

Legacy inter-VLAN routing using physical interfaces works, but it has a significant limitation. It is not
reasonably scalable because routers have a limited number of physical interfaces. Requiring one
physical router interface per VLAN quickly exhausts the physical interface capacity of a router.

In our example, R1 required two separate Ethernet interfaces to route between VLAN 10 and VLAN 20.
What if there were six (or more) VLANs to interconnect? A separate interface would be required for each
VLAN. Obviously, this solution is not scalable.

Note: This method of inter-VLAN routing is no longer implemented in switched networks and is included
for explanation purposes only.

4.1.3 Router-on-a-Stick Inter-VLAN Routing

The ‘router-on-a-stick’ inter-VLAN routing method overcomes the limitation of the legacy inter-VLAN
routing method. It only requires one physical Ethernet interface to route traffic between multiple VLANs
on a network.

A Cisco IOS router Ethernet interface is configured as an 802.1Q trunk and connected to a trunk port on
a Layer 2 switch. Specifically, the router interface is configured using subinterfaces to identify routable
VLANs.

The configured subinterfaces are software-based virtual interfaces. Each is associated with a single
physical Ethernet interface. Subinterfaces are configured in software on a router. Each subinterface is
independently configured with an IP address and VLAN assignment. Subinterfaces are configured for
different subnets that correspond to their VLAN assignment. This facilitates logical routing.

When VLAN-tagged traffic enters the router interface, it is forwarded to the VLAN subinterface. After a
routing decision is made based on the destination IP network address, the router determines the exit
interface for the traffic. If the exit interface is configured as an 802.1q subinterface, the data frames are
VLAN-tagged with the new VLAN and sent back out the physical interface.

Refer to the figure to view an animation of how a router-on-a-stick performs its routing function.

As seen in the animation, PC1 on VLAN 10 is communicating with PC3 on VLAN 30. When R1 accepts
the tagged unicast traffic on VLAN 10, it routes that traffic to VLAN 30, using its configured subinterfaces.
Switch S2 removes the VLAN tag of the unicast frame and forwards the frame out to PC3 on port F0/23.

Note: The router-on-a-stick method of inter-VLAN routing does not scale beyond 50 VLANs.

4.1.4 Inter-VLAN Routing on a Layer 3 Switch

The modern method of performing inter-VLAN routing is to use Layer 3 switches and switched virtual
interfaces (SVI). An SVI is a virtual interface that is configured on a Layer 3 switch, as shown in the
figure.

Note: A Layer 3 switch is also called a multilayer switch as it operates at Layer 2 and Layer 3. However,
in this course we use the term Layer 3 switch.

Inter-VLAN SVIs are created the same way that the management VLAN interface is configured. The SVI
is created for a VLAN that exists on the switch. Although virtual, the SVI performs the same functions for
the VLAN as a router interface would. Specifically, it provides Layer 3 processing for packets that are
sent to or from all switch ports associated with that VLAN.

The following are advantages of using Layer 3 switches for inter-VLAN routing:

• They are much faster than router-on-a-stick because everything is hardware switched and
  routed.
• There is no need for external links from the switch to the router for routing.
• They are not limited to one link because Layer 2 EtherChannels can be used as trunk links
  between the switches to increase bandwidth.
• Latency is much lower because data does not need to leave the switch in order to be routed
  to a different network.
• They are more commonly deployed in a campus LAN than routers.

The only disadvantage is that Layer 3 switches are more expensive.

4.2 Router-on-a-Stick Inter-VLAN Routing

4.2.1 Router-on-a-Stick Scenario

In the previous topic, three different ways to create inter-VLAN routing were listed, and legacy inter-
VLAN routing was detailed. This topic details how to configure router-on-a-stick inter-VLAN routing. You
can see in the figure that the router is not in the center of the topology but instead, appears to be on a
stick near the border, hence the name.

In the figure, the R1 GigabitEthernet 0/0/1 interface is connected to the S1 FastEthernet 0/5 port. The S1
FastEthernet 0/1 port is connected to the S2 FastEthernet 0/1 port. These are trunk links that are
required to forward traffic within and between VLANs.

To route between VLANs, the R1 GigabitEthernet 0/0/1 interface is logically divided into three
subinterfaces, as shown in the table. The table also shows the three VLANs that will be configured on the
switches.

4.2.2 S1 VLAN and Trunking Configuration

Complete the following steps to configure S1 with VLANs and trunking:

Step 1. Create and name the VLANs.
Step 2. Create the management interface.
Step 3. Configure access ports.
Step 4. Configure trunking ports.

The configuration step. ...

4.2.3 S2 VLAN and Trunking Configuration

4.2.4 R1 Subinterface Configuration

The router-on-a-stick method requires you to create a subinterface for each VLAN to be routed.

A subinterface is created using the interface interface_id.subinterface_id global configuration mode
command. The subinterface syntax is the physical interface followed by a period and a subinterface
number. Although not required, it is customary to match the subinterface number with the VLAN number.
Each subinterface is then configured with the following two commands:

• encapsulation dot1q vlan_id [native] – This command configures the subinterface to respond to
  802.1Q encapsulated traffic from the specified vlan_id. The native keyword option is only
  appended to set the native VLAN to something other than VLAN 1.
• ip address ip-address subnet-mask – This command configures the IPv4 address of the
  subinterface. This address typically serves as the default gateway for the identified VLAN.

Repeat the process for each VLAN to be routed. Each router subinterface must be assigned an IP
address on a unique subnet for routing to occur.

When all subinterfaces have been created, enable the physical interface using the no shutdown interface
configuration command. If the physical interface is disabled, all subinterfaces are disabled.

In the following configuration, the R1 G0/0/1 subinterfaces are configured for VLANs 10, 20, and 99.

4.2.5 Verify Connectivity Between PC1 and PC2


The router-on-a-stick configuration is complete after the switch trunk and the router subinterfaces have
been configured. The configuration can be verified from the hosts, router, and switch.

From a host, verify connectivity to a host in another VLAN using the ping command. It is a good idea to
first verify the current host IP configuration using the ipconfig Windows host command.

4.2.6 Router-on-a-Stick Inter-VLAN Routing Verification

In addition to using ping between devices, the following show commands can be used to verify and
troubleshoot the router-on-a-stick configuration.

• show ip route
Verify that the subinterfaces are appearing in the routing table of R1 by using the show ip
route command. Notice that there are three connected routes (C) and their respective exit interfaces
for each routable VLAN. The output confirms that the correct subnets, VLANs, and subinterfaces are
active.

• show ip interface brief
Another useful router command is show ip interface brief, as shown in the output. The output
confirms that the subinterfaces have the correct IPv4 address configured, and that they are
operational.

• show interfaces
Subinterfaces can be verified using the show interfaces subinterface-id command, as shown.

• show interfaces trunk
The misconfiguration could also be on the trunking port of the switch. Therefore, it is also useful to verify
the active trunk links on a Layer 2 switch by using the show interfaces trunk command, as shown
in the output. The output confirms that the link to R1 is trunking for the required VLANs.

Note: Although VLAN 1 was not explicitly configured, it was automatically included because control traffic
on trunk links will always be forwarded on VLAN 1.

4.3 Inter-VLAN Routing using Layer 3 Switches

4.3.1 Layer 3 Switch Inter-VLAN Routing

Modern, enterprise networks rarely use router-on-a-stick because it does not scale easily to meet
requirements. In these very large networks, network administrators use Layer 3 switches to configure
inter-VLAN routing.

Inter-VLAN routing using the router-on-a-stick method is simple to implement for a small to medium-sized
organization. However, a large enterprise requires a faster, much more scalable method to provide inter-
VLAN routing.

Enterprise campus LANs use Layer 3 switches to provide inter-VLAN routing. Layer 3 switches use
hardware-based switching to achieve higher-packet processing rates than routers. Layer 3 switches are
also commonly implemented in enterprise distribution layer wiring closets.

Capabilities of a Layer 3 switch include the ability to do the following:

• Route from one VLAN to another using multiple switched virtual interfaces (SVIs).
• Convert a Layer 2 switchport to a Layer 3 interface (i.e., a routed port). A routed port is similar
  to a physical interface on a Cisco IOS router.

To provide inter-VLAN routing, Layer 3 switches use SVIs. SVIs are configured using the same interface
vlan vlan-id command used to create the management SVI on a Layer 2 switch. A Layer 3 SVI must be
created for each of the routable VLANs.

4.3.2 Layer 3 Switch Scenario

In the figure, the Layer 3 switch, D1, is connected to two hosts on different VLANs. PC1 is in VLAN 10
and PC2 is in VLAN 20, as shown. The Layer 3 switch will provide inter-VLAN routing services to the two
hosts.

The table shows the IP addresses for each VLAN.

4.3.3 Layer 3 Switch Configuration

D1(config)#

4.3.4 Layer 3 Switch Inter-VLAN Routing Verification

Inter-VLAN routing using a Layer 3 switch is simpler to configure than the router-on-a-stick method. After
the configuration is complete, the configuration can be verified by testing connectivity between the hosts.

From a host, verify connectivity to a host in another VLAN using the ping command. It is a good idea to
first verify the current host IP configuration using the ipconfig Windows host command. The output
confirms the IPv4 address and default gateway of PC1.

Next, verify connectivity with PC2 using the ping Windows host command, as shown in the output.
The ping output successfully confirms inter-VLAN routing is operating.

C:\Users\PC1> ping 192.168.20.10

Pinging 192.168.20.10 with 32 bytes of data:

Reply from 192.168.20.10: bytes=32 time<1ms TTL=127
C:\Users\PC1>

4.3.5 Routing on a Layer 3 Switch


If VLANs are to be reachable by other Layer 3 devices, then they must be advertised using static or
dynamic routing. To enable routing on a Layer 3 switch, a routed port must be configured.

A routed port is created on a Layer 3 switch by disabling the switchport feature on a Layer 2 port that is
connected to another Layer 3 device. Specifically, configuring the no switchport interface configuration
command on a Layer 2 port converts it into a Layer 3 interface. Then the interface can be configured with
an IPv4 configuration to connect to a router or another Layer 3 switch.

4.3.6 Routing Scenario on a Layer 3 Switch

In the figure, the previously configured D1 Layer 3 switch is now connected to R1. R1 and D1 are both in
an Open Shortest Path First (OSPF) routing protocol domain. Assume inter-VLAN has been successfully
implemented on D1. The G0/0/1 interface of R1 has also been configured and enabled. Additionally, R1
is using OSPF to advertise its two networks, 10.10.10.0/24 and 10.20.20.0/24.

Note: OSPF routing configuration is covered in another course. In this module, OSPF configuration
commands will be given to you in all activities and assessments. It is not required that you understand
the configuration in order to enable OSPF routing on the Layer 3 switch.

4.3.7 Routing Configuration on a Layer 3 Switch

4.4 Troubleshoot Inter-VLAN Routing

4.4.1 Common Inter-VLAN Issues

By now, you know that when you configure and verify, you must also be able to troubleshoot. This topic
discusses some common network problems associated with inter-VLAN routing.

There are a number of reasons why an inter-VLAN configuration may not work. All are related to
connectivity issues. First, check the physical layer to resolve any issues where a cable might be
connected to the wrong port. If the connections are correct, then use the list in the table for other
common reasons why inter-VLAN connectivity may fail.

4.4.2 Troubleshoot Inter-VLAN Routing Scenario

Examples of some of these inter-VLAN routing problems will now be covered in more detail.

This topology will be used for all of these issues.

The VLAN and IPv4 addressing information for R1 is shown in the table.

4.4.3 Missing VLANs

An inter-VLAN connectivity issue could be caused by a missing VLAN. The VLAN could be missing if it
was not created, it was accidentally deleted, or it is not allowed on the trunk link.

For example, PC1 is currently connected to VLAN 10, as shown in the show vlan brief command
output.

4.4.4 Switch Trunk Port Issues

Another issue for inter-VLAN routing includes misconfigured switch ports. In a legacy inter-VLAN
solution, this could be caused when the connecting router port is not assigned to the correct VLAN.

However, with a router-on-a-stick solution, the most common cause is a misconfigured trunk port.

For example, assume PC1 was able to connect to hosts in other VLANs until recently. A quick look at
maintenance logs revealed that the S1 Layer 2 switch was recently accessed for routine maintenance.
Therefore, you suspect the problem may be related to that switch.
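The missing-VLAN and trunk-port problems described in 4.4.3 and 4.4.4 both show up in show interfaces trunk. The following is an added example, not part of the original course material: it parses that output and reports any required VLAN that is not allowed or not active on the link to R1. The sample output, the function names and the assumption that each VLAN list fits on one line are constructed for illustration.

```python
# Constructed sample of `show interfaces trunk` output from S1 (not from the
# page). Deliberate fault: VLAN 10 is not allowed on Fa0/5, the link to R1.
SAMPLE_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      1
Fa0/5       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094
Fa0/5       1,20,99

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,99
Fa0/5       1,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,20,99
Fa0/5       1,20,99
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10-12,99' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part == "none":
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans

def parse_trunk_output(text):
    """Return {port: {"status": str, "allowed": set, "active": set}}."""
    ports, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # a header row starts a new section
            header = line.lower()
            section = ("summary" if "status" in header else
                       "allowed" if "allowed on trunk" in header else
                       "active" if "allowed and active" in header else None)
            continue
        if section is None:  # e.g. the spanning-tree section, not needed here
            continue
        port = ports.setdefault(fields[0], {"status": None, "allowed": set(), "active": set()})
        if section == "summary" and len(fields) >= 5:
            port["status"] = fields[3]
        elif section != "summary" and len(fields) >= 2:
            port[section] |= expand_vlans(fields[1])
    return ports

def check_trunk(text, port, required_vlans):
    """Return a list of findings for one trunk port; empty means it looks correct."""
    info = parse_trunk_output(text).get(port)
    if info is None:
        return [f"{port}: not listed as a trunk"]
    findings = []
    if info["status"] != "trunking":
        findings.append(f"{port}: status is {info['status']}, not trunking")
    for vlan in sorted(required_vlans):
        if vlan not in info["allowed"]:
            findings.append(f"{port}: VLAN {vlan} is not allowed on the trunk")
        elif vlan not in info["active"]:
            findings.append(f"{port}: VLAN {vlan} is allowed on the trunk but not active")
    return findings

if __name__ == "__main__":
    print("\n".join(check_trunk(SAMPLE_OUTPUT, "Fa0/5", {10, 20, 99})))
```

A VLAN that is allowed but not active usually means it was never created, or was deleted, on that switch.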

4.4.5 Switch Access Port Issues

When a problem is suspected with a switch access port configuration, use verification commands to
examine the configuration and identify the problem. Assume PC1 has the correct IPv4 address and
default gateway but is not able to ping its own default gateway. PC1 is supposed to be connected to a
VLAN 10 port.

4.4.6 Router Configuration Issues

Router-on-a-stick configuration problems are usually related to subinterface misconfigurations. For
example, an incorrect IP address was configured or the wrong VLAN ID was assigned to the
subinterface. For example, R1 should be providing inter-VLAN routing for users in VLANs 10, 20, and 99.
However, users in VLAN 10 cannot reach any other VLAN.
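The subinterface rules from 4.2.4 and the misconfigurations described in 4.4.6 can be checked mechanically. The following is an added example, not part of the original course material: it audits a router configuration for a wrong VLAN ID, overlapping subnets, unrouted VLANs and a disabled physical interface. The sample configuration, its 192.168.x.1/24 addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of R1's configuration (addresses are assumed). Deliberate faults:
# G0/0/1.10 is tagged for VLAN 100, and the physical interface is shut down.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 shutdown
!
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0/1.99
 encapsulation dot1Q 99
 ip address 192.168.99.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {name: {"vlan": int|None, "network": IPv4Network|None, "shutdown": bool}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(
                m.group(1), {"vlan": None, "network": None, "shutdown": False})
        elif current is None:
            continue
        elif m := re.match(r"encapsulation dot1q (\d+)", line, re.IGNORECASE):
            current["vlan"] = int(m.group(1))
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            current["network"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif line == "shutdown":
            current["shutdown"] = True
    return interfaces

def audit_router_on_a_stick(config, physical, required_vlans):
    """Apply the 4.2.4 rules to one trunk interface; return a list of findings."""
    interfaces = parse_interfaces(config)
    findings = []
    if physical not in interfaces or interfaces[physical]["shutdown"]:
        findings.append(f"{physical}: missing or shut down, so all subinterfaces are disabled")
    subs = {n: i for n, i in interfaces.items() if n.startswith(physical + ".")}
    seen = {}  # network -> first subinterface that used it
    for name, sub in sorted(subs.items()):
        sub_id = int(name.rsplit(".", 1)[1])
        if sub["vlan"] is None:
            findings.append(f"{name}: no 'encapsulation dot1q' command")
        elif sub["vlan"] != sub_id:  # matching is customary, not required
            findings.append(f"{name}: tagged for VLAN {sub['vlan']}, expected {sub_id}")
        net = sub["network"]
        if net is None:
            findings.append(f"{name}: no IPv4 address")
            continue
        for other_net, other in seen.items():
            if net.overlaps(other_net):
                findings.append(f"{name}: subnet {net} overlaps {other}")
        seen.setdefault(net, name)
    routed = {s["vlan"] for s in subs.values()}
    findings += [f"VLAN {v}: no subinterface routes this VLAN"
                 for v in sorted(set(required_vlans) - routed)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_router_on_a_stick(SAMPLE_CONFIG, "GigabitEthernet0/0/1", {10, 20, 99})))
```

The VLAN-number check flags any subinterface whose number differs from its VLAN ID, so drop that branch where the numbering convention is not followed on purpose.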

4.5.3 What did I learn in this module?

Inter-VLAN Routing Operation


Hosts in one VLAN cannot communicate with hosts in another VLAN unless there is a router or a Layer 3
switch to provide routing services. Inter-VLAN routing is the process of forwarding network traffic from
one VLAN to another VLAN. Three options include legacy, router-on-a-stick, and Layer 3 switch using
SVIs. Legacy used a router with multiple Ethernet interfaces. Each router interface was connected to a
switch port in different VLANs. Requiring one physical router interface per VLAN quickly exhausts the
physical interface capacity of a router. The ‘router-on-a-stick’ inter-VLAN routing method only requires
one physical Ethernet interface to route traffic between multiple VLANs on a network. A Cisco IOS router
Ethernet interface is configured as an 802.1Q trunk and connected to a trunk port on a Layer 2 switch.
The router interface is configured using subinterfaces to identify routable VLANs. The configured
subinterfaces are software-based virtual interfaces, associated with a single physical Ethernet interface.
The modern method is Inter-VLAN routing on a Layer 3 switch using SVIs. The SVI is created for a VLAN
that exists on the switch. The SVI performs the same functions for the VLAN as a router interface. It
provides Layer 3 processing for packets being sent to or from all switch ports associated with that VLAN.

Router-on-a-Stick Inter-VLAN Routing


To configure a switch with VLANs and trunking, complete the following steps: create and name the
VLANs, create the management interface, configure access ports, and configure trunking ports. The
router-on-a-stick method requires a subinterface to be created for each VLAN to be routed. A
subinterface is created using the interface interface_id.subinterface_id global configuration mode
command. Each router subinterface must be assigned an IP address on a unique subnet for routing to
occur. When all subinterfaces have been created, the physical interface must be enabled using the no
shutdown interface configuration command. From a host, verify connectivity to a host in another VLAN
using the ping command. Use ping to verify connectivity with the host and the switch. To verify and
troubleshoot, use the show ip route, show ip interface brief, show interfaces, and show interfaces
trunk commands.

Inter-VLAN Routing using Layer 3 Switches

Enterprise campus LANs use Layer 3 switches to provide inter-VLAN routing. Layer 3 switches use
hardware-based switching to achieve higher-packet processing rates than routers. Capabilities of a Layer
3 switch include routing from one VLAN to another using multiple switched virtual interfaces (SVIs) and
converting a Layer 2 switchport to a Layer 3 interface (i.e., a routed port). To provide inter-VLAN routing,
Layer 3 switches use SVIs. SVIs are configured using the same interface vlan vlan-id command used to
create the management SVI on a Layer 2 switch. A Layer 3 SVI must be created for each of the routable
VLANs. To configure a switch with VLANs and trunking, complete the following steps: create the VLANs,
create the SVI VLAN interfaces, configure access ports, and enable IP routing. From a host, verify
connectivity to a host in another VLAN using the ping command. Next, verify connectivity with the host
using the ping Windows host command. VLANs must be advertised using static or dynamic routing. To
enable routing on a Layer 3 switch, a routed port must be configured. A routed port is created on a Layer
3 switch by disabling the switchport feature on a Layer 2 port that is connected to another Layer 3
device. The interface can be configured with an IPv4 configuration to connect to a router or another
Layer 3 switch. To configure a Layer 3 switch to route with a router, follow these steps: configure the
routed port, enable routing, configure routing, verify routing, and verify connectivity.

Troubleshoot Inter-VLAN Routing


There are a number of reasons why an inter-VLAN configuration may not work. All are related to
connectivity issues such as missing VLANs, switch trunk port issues, switch access port issues, and
router configuration issues. A VLAN could be missing if it was not created, it was accidentally deleted, or it
is not allowed on the trunk link. Another issue for inter-VLAN routing includes misconfigured switch ports.
In a legacy inter-VLAN solution, a misconfigured switch port could be caused when the connecting router
port is not assigned to the correct VLAN. With a router-on-a-stick solution, the most common cause is a
misconfigured trunk port. When a problem is suspected with a switch access port configuration,
use ping and show interfaces interface-id switchport commands to identify the problem. Router
configuration problems with router-on-a-stick configurations are usually related to subinterface
misconfigurations. Verify the subinterface status using the show ip interface brief command.
