Inter-VLAN Routing Methods
While Virtual Local Area Networks (VLANs) are essential for segmenting network traffic into logical broadcast domains for security and performance, their isolation creates a problem: hosts in different VLANs cannot communicate. To enable this necessary communication—like allowing a marketing PC in VLAN 10 to access a file server in VLAN 20—you must route traffic between the VLANs. This process is called Inter-VLAN Routing. Mastering its methods is a cornerstone of modern network design and a critical skill for the CCNA certification.
Core Concept: The Need for a Router
At its heart, inter-VLAN routing is a Layer 3 function. Because VLANs operate at Layer 2, frames are confined to their native VLAN. To move a packet from one VLAN to another, the traffic must be passed to a Layer 3 device, typically a router or a Layer 3 switch. This device strips off the Layer 2 frame header, examines the Layer 3 IP address, makes a routing decision, and then re-encapsulates the packet into a new Layer 2 frame for the destination VLAN. There are three primary architectural methods to accomplish this, each with its own use cases and trade-offs.
Method 1: Legacy Inter-VLAN Routing (Router with Multiple Physical Interfaces)
The traditional method uses a router with multiple physical interfaces. Each router interface is connected to a separate access switch port, and each of those switch ports is assigned to a different VLAN. The router interface is assigned an IP address that serves as the default gateway for all hosts in that connected VLAN.
For example, if you have VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24), you would connect the router's GigabitEthernet0/0 to a switch port in VLAN 10 and assign it IP 192.168.10.1. You would then connect GigabitEthernet0/1 to a switch port in VLAN 20 and assign it IP 192.168.20.1. The router's routing table now has directly connected routes for both networks and can route between them.
When is it appropriate? This method is largely legacy. It is inefficient, as it consumes a physical router interface and a switch port for every single VLAN. It doesn't scale beyond a handful of VLANs and is rarely used in modern networks except for specific, simple scenarios or for conceptual understanding. Its primary value today is as a foundational model for understanding the router's core role in the process.
Method 2: Router-on-a-Stick (ROAS)
The router-on-a-stick model solves the scalability issue of the legacy method by using a single physical router interface to route traffic for multiple VLANs. This is achieved by dividing the single physical interface into multiple logical subinterfaces. Each subinterface is configured to belong to a specific VLAN using the IEEE 802.1Q trunking protocol.
On the switch side, the port connecting to the router is configured as an 802.1Q trunk port. This allows it to carry traffic for multiple VLANs, tagging each frame with a VLAN ID (except for a designated native VLAN). On the router, you create subinterfaces (e.g., GigabitEthernet0/0.10, GigabitEthernet0/0.20) and assign each an IP address from its respective VLAN's subnet. You must also configure the encapsulation dot1Q *vlan_id* command on each subinterface to associate it with the correct VLAN.
Here’s a basic configuration snippet for a router routing between VLAN 10 and VLAN 20:
interface GigabitEthernet0/0
no shutdown
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
When is it appropriate? Router-on-a-stick is ideal for small to medium-sized businesses where a dedicated Layer 3 switch is not available or justified. It is cost-effective, utilizes existing router hardware, and is a perfect solution for a network with a modest number of VLANs. However, all inter-VLAN traffic must traverse the single physical link to the router, which can become a bottleneck if the volume of traffic is high.
Method 3: Inter-VLAN Routing with a Layer 3 Switch
The most performant and scalable method uses a multilayer switch or Layer 3 switch. These devices combine the switching capabilities of a Layer 2 switch with the routing capabilities of a router in a single chassis. Instead of using physical router interfaces or subinterfaces, routing is performed internally between virtual interfaces called Switched Virtual Interfaces (SVIs).
An SVI is a logical Layer 3 interface that represents a VLAN on the switch. To configure inter-VLAN routing, you simply create an SVI for each VLAN (using the interface vlan *vlan_id* command), assign it an IP address, and ensure it's in an "up/up" state (which requires at least one active switch port in that VLAN and the VLAN itself to exist). The Layer 3 switch maintains a routing table and can make routing decisions at wire speed, as traffic never needs to leave the switch chassis to be routed.
Configuration is straightforward:
vlan 10
name Marketing
!
vlan 20
name Engineering
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
! Globally enable IP routing on the switch
ip routing
When is it appropriate? This is the enterprise standard for inter-VLAN routing. It offers the highest performance and lowest latency because routing happens in hardware (ASICs). It is mandatory for any network with moderate to high volumes of inter-VLAN traffic, such as data centers, large campuses, or any environment where performance is critical.
Common Pitfalls
After configuring any inter-VLAN routing method, you must verify functionality. Key verification commands include:
- show ip route on the router or Layer 3 switch to check for directly connected routes to the VLAN subnets.
- show interfaces trunk on the switch to verify 802.1Q trunking is operational in a router-on-a-stick topology.
- show vlan brief to confirm VLANs exist and ports are assigned correctly.
- ping from a host in one VLAN to the default gateway and then to a host in another VLAN.
Troubleshooting often revolves around a few common pitfalls:
- Missing Trunk Configuration: In a router-on-a-stick setup, the switch port must be configured as a trunk (switchport mode trunk). If it's left as an access port, VLAN tags are not passed, and routing fails.
- Mismatched Native VLAN: The native VLAN on the router's subinterface (configured with encapsulation dot1Q *vlan_id* native) must match the native VLAN configured on the switch's trunk port. A mismatch can cause loss of untagged traffic.
- SVI is Down: On a Layer 3 switch, an SVI will remain in a down/down state if there are no active Layer 2 ports in its associated VLAN. Ensure at least one access port is active and assigned to that VLAN.
- Incorrect IP Addressing: Hosts must have the correct IP address and subnet mask for their VLAN, and their default gateway must be set to the IP address of the router interface or SVI for that VLAN. A simple misconfiguration here is the most common cause of failure.
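The router-on-a-stick pitfalls above can be checked offline against saved configuration text. The following is an added example, not part of the original page: the sample configs, the hosts, the switch port name and the VLAN 99 native subinterface are constructed, and the switch-side native VLAN is read from the standard IOS command switchport trunk native vlan, which the page does not show.

```python
import ipaddress
import re

# Constructed sample configs (not from the original page): the page's ROAS
# subinterfaces plus a native-VLAN subinterface, and a misconfigured switch port.
ROUTER_CFG = """\
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99 native
"""
SWITCH_CFG = "interface GigabitEthernet0/1\n switchport mode access\n"
# Constructed hosts: (IP, mask, default gateway, VLAN); the second has the wrong gateway.
HOSTS = [("192.168.10.50", "255.255.255.0", "192.168.10.1", 10),
         ("192.168.20.60", "255.255.255.0", "192.168.10.1", 20)]

def parse_router(cfg):
    """Return ({vlan: gateway ip_interface}, native VLAN or None)."""
    gateways, native = {}, None
    for block in re.split(r"(?m)^interface ", cfg)[1:]:
        enc = re.search(r"encapsulation dot1Q (\d+)( native)?", block)
        ip = re.search(r"ip address (\S+) (\S+)", block)
        if enc and enc.group(2):
            native = int(enc.group(1))
        if enc and ip:
            gateways[int(enc.group(1))] = ipaddress.ip_interface(f"{ip[1]}/{ip[2]}")
    return gateways, native

def audit(router_cfg, switch_cfg, hosts):
    """Check the pitfalls listed above; return a list of findings."""
    findings = []
    gateways, r_native = parse_router(router_cfg)
    if "switchport mode trunk" not in switch_cfg:
        findings.append("trunk: switch port is not in trunk mode")
    m = re.search(r"switchport trunk native vlan (\d+)", switch_cfg)
    s_native = int(m.group(1)) if m else 1  # native VLAN defaults to 1
    if r_native is not None and r_native != s_native:
        findings.append(f"native: router {r_native} != switch {s_native}")
    for ip, mask, gw, vlan in hosts:
        gw_if = gateways.get(vlan)
        host = ipaddress.ip_interface(f"{ip}/{mask}")
        if gw_if is None or host.network != gw_if.network or gw != str(gw_if.ip):
            findings.append(f"host {ip}: wrong subnet or gateway for VLAN {vlan}")
    return findings

print("\n".join(audit(ROUTER_CFG, SWITCH_CFG, HOSTS)))
```

An empty result means none of the three checked pitfalls is present in the supplied text; SVI state cannot be read from configuration alone and still needs the show commands listed earlier.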
Summary
- Inter-VLAN routing is the process of enabling communication between different VLANs, which is a required Layer 3 function performed by a router or Layer 3 switch.
- The three primary methods are: Legacy routing (one router interface per VLAN, non-scalable), Router-on-a-Stick (uses subinterfaces and a single trunk link, good for small networks), and Layer 3 Switch routing (uses high-performance SVIs, the enterprise standard).
- Router-on-a-Stick relies on configuring 802.1Q trunking on a switch port and creating logical subinterfaces with the encapsulation dot1Q command on the router.
- A Layer 3 switch performs inter-VLAN routing by creating Switched Virtual Interfaces (SVIs), which are virtual Layer 3 interfaces for each VLAN, enabling wire-speed internal routing.
- Successful troubleshooting requires verifying trunk configuration, native VLAN consistency, SVI status, and end-host IP configuration.