SkarpSkarp

Chapter 14 of 27

Inter-VLAN Routing and Router-on-a-Stick

Bridge the gap between VLANs by configuring inter-VLAN routing using router-on-a-stick and Layer 3 switching so hosts in different VLANs can communicate.

27 min readen

Why Inter-VLAN Routing Exists

VLAN Segmentation Recap

A VLAN is a logical Layer 2 subdivision that creates its own broadcast domain. Each VLAN is usually mapped to its own IP subnet, isolating traffic at Layer 2.

Why Routing Is Needed

Devices in different VLANs are in different IP subnets. Layer 2 switching and ARP only work within a subnet, so inter-VLAN communication requires Layer 3 routing.

Role of the Default Gateway

A host sends packets for remote subnets to its default gateway, which is a router interface on the local segment. That router performs inter-VLAN routing.

Two Main Approaches

Inter-VLAN routing is typically done using router-on-a-stick (router subinterfaces on a trunk) or Layer 3 switches using SVIs. You will configure and verify both.

Topology and Addressing: The Mental Picture

Devices in the Lab

We will use one access switch, one router, later a Layer 3 switch, and two PCs: PC-A in VLAN 10 and PC-B in VLAN 20. This mirrors classic CCNA topologies.

VLANs and Subnets

VLAN 10 uses subnet 192.168.10.0/24 with gateway 192.168.10.1. VLAN 20 uses subnet 192.168.20.0/24 with gateway 192.168.20.1. Each VLAN maps to its own subnet.

Switch Ports and Trunk

SW1 F0/1 is an access port in VLAN 10 for PC-A. SW1 F0/2 is in VLAN 20 for PC-B. SW1 G0/1 is a trunk toward router R1 G0/0, carrying VLANs 10 and 20.

Router Subinterfaces

R1 G0/0.10 will serve VLAN 10 with IP 192.168.10.1, and G0/0.20 will serve VLAN 20 with IP 192.168.20.1. These subinterfaces act as the default gateways.

Router-on-a-Stick Theory: 802.1Q and Subinterfaces

What Is Router-on-a-Stick?

Router-on-a-stick uses a single physical router interface as an 802.1Q trunk. Multiple logical subinterfaces on that port route between VLANs.

802.1Q Trunk Role

The switch-router link is a trunk. Frames crossing it are tagged with VLAN IDs, allowing the router to distinguish traffic from different VLANs.

Router Subinterfaces

Each subinterface, like G0/0.10, uses `encapsulation dot1Q vlan-id` and gets an IP address. It acts as the Layer 3 gateway for that VLAN.

End-to-End Flow

A host sends traffic to its gateway. The switch tags the frame, the router routes between VLAN subinterfaces, then sends it back tagged for the destination VLAN.

Configuring Router-on-a-Stick and VLANs (Step-by-Step)

Step 1: VLANs and Access Ports

Create VLAN 10 and 20, name them, and set F0/1 as an access port in VLAN 10 for PC-A and F0/2 as an access port in VLAN 20 for PC-B.

Step 2: Configure the Trunk

On SW1, configure G0/1 as an 802.1Q trunk, allow VLANs 10 and 20, and enable the interface. This link carries both VLANs to R1.

Step 3: Router Subinterfaces

On R1, enable G0/0, then create subinterfaces G0/0.10 and G0/0.20 with `encapsulation dot1Q` and IP addresses 192.168.10.1 and 192.168.20.1.

Step 4: Host IP Settings

Configure PC-A with 192.168.10.11/24 and gateway 192.168.10.1, and PC-B with 192.168.20.22/24 and gateway 192.168.20.1. Then test connectivity.

Verifying and Troubleshooting Router-on-a-Stick

Step 1: Verify VLANs and Trunks

Use `show vlan brief` and `show interfaces trunk` on SW1 to confirm VLANs exist, access ports are correct, and the trunk is up with VLANs 10 and 20 allowed.

Step 2: Verify Subinterfaces

On R1, `show ip interface brief` and `show running-config interface g0/0.x` confirm subinterfaces are up and have correct IP addresses and 802.1Q VLAN IDs.

Step 3: Test Connectivity

From PC-A, ping its gateway, the other VLAN’s gateway, then PC-B. Use traceroute to see the hop via R1. This validates inter-VLAN routing.

Common Misconfigurations

Typical faults: no trunk, wrong VLAN IDs, missing encapsulation, shutdown subinterfaces, or hosts with incorrect default gateways. Check each layer in order.

Layer 3 Switches and SVIs

What Is a Layer 3 Switch?

A Layer 3 switch is a switch that can also perform routing in hardware. It supports SVIs and dynamic routing, ideal for modern campus designs.

SVI Concept

An SVI is a logical Layer 3 interface bound to a VLAN. For example, `interface vlan 10` with IP 192.168.10.1 can be the default gateway for VLAN 10 hosts.

Routing with SVIs

Once IP routing is enabled, the Layer 3 switch routes between SVI interfaces internally, providing inter-VLAN routing without a separate router.

Benefits vs Router-on-a-Stick

SVIs avoid a single trunk bottleneck and keep routing on the switch backplane, giving higher performance and simpler wiring in larger networks.

Configuring SVIs and Inter-VLAN Routing on a Layer 3 Switch

Step 1: Enable IP Routing

On many Layer 3 switches, you must enable routing with `ip routing` globally; otherwise SVIs will not route between VLANs.

Step 2: VLANs and Ports

Create VLANs 10 and 20 and assign F0/1 to VLAN 10 and F0/2 to VLAN 20, just like on an access switch, to place PCs into their VLANs.

Step 3: Create SVIs

Configure `interface vlan 10` and `interface vlan 20` with IP addresses 192.168.10.1 and 192.168.20.1 and bring them up with `no shutdown`.

Step 4: Verify and Test

Use `show ip interface brief` and `show vlan brief`, then ping from SW3 to the PCs and between PCs to confirm inter-VLAN routing works.

Thought Exercise: Choosing Between Router-on-a-Stick and SVIs

Imagine you are designing the network for a small office and then for a mid-size campus. Think through which inter-VLAN routing method fits better in each case.

Scenario A: Small Office

  • 1 access switch
  • 2 VLANs (Users and Servers)
  • Internet edge router already present
  • Low traffic between VLANs

Questions to consider:

  • Would adding router-on-a-stick on the existing router be enough?
  • Are you likely to hit a bandwidth bottleneck on the single trunk?

Scenario B: Mid-size Campus

  • 10 access switches
  • 8 VLANs
  • High east-west traffic between VLANs
  • Dedicated core/distribution switches

Questions to consider:

  • Would you centralize inter-VLAN routing on a pair of Layer 3 switches using SVIs?
  • How would routing protocols like OSPFv2 integrate with these Layer 3 switches?

Your task:

  1. Write down (mentally or on paper) which solution you would choose for each scenario and why.
  2. Identify one potential failure point and one scalability concern for router-on-a-stick.
  3. Identify one operational complexity introduced by SVIs and Layer 3 switching.

Use this to build an exam-ready mental model: router-on-a-stick is simple and cheap; Layer 3 switching scales better but adds design decisions.

Quiz 1: Router-on-a-Stick Fundamentals

Answer this question to check your understanding of router-on-a-stick and VLAN gateways.

On a router-on-a-stick setup, hosts in VLAN 30 cannot ping their default gateway 192.168.30.1. Which of the following misconfigurations is the MOST likely root cause?

  1. The switchport connected to the router is configured as an access port in VLAN 30 instead of a trunk.
  2. The router physical interface is missing the `ip routing` command.
  3. The router subinterface for VLAN 30 has an IP address from VLAN 20’s subnet.
  4. The switch has not been configured with Spanning Tree Protocol.
Show Answer

Answer: A) The switchport connected to the router is configured as an access port in VLAN 30 instead of a trunk.

For router-on-a-stick, the switchport facing the router must be an 802.1Q trunk carrying all relevant VLANs. If it is configured as an access port in VLAN 30, the router will only receive untagged traffic for that VLAN and cannot correctly handle multiple VLANs. While a wrong IP subnet on the subinterface would also break connectivity, the question asks for the MOST likely single root cause; an access port instead of a trunk is a classic configuration error directly preventing proper router-on-a-stick operation. The `ip routing` command is used on Layer 3 switches, not on routers. STP absence does not by itself prevent a single path from working.

Quiz 2: SVIs and Layer 3 Switching

Test your understanding of SVIs and inter-VLAN routing on Layer 3 switches.

You configured `interface vlan 10` and `interface vlan 20` with correct IP addresses on a Layer 3 switch, assigned access ports to those VLANs, and hosts have correct default gateways. Hosts in VLAN 10 still cannot reach hosts in VLAN 20. What is the MOST likely missing configuration?

  1. The switch needs `encapsulation dot1Q` on all access ports.
  2. The switch needs `ip routing` enabled globally.
  3. Each SVI needs to be configured as `switchport mode trunk`.
  4. The switch needs an ACL applied inbound on each SVI.
Show Answer

Answer: B) The switch needs `ip routing` enabled globally.

On many Cisco Layer 3 switches, SVIs will not route between VLANs unless `ip routing` is enabled globally. Access ports do not use `encapsulation dot1Q`, only trunks do. SVIs are Layer 3 interfaces and are not configured with `switchport` commands. An ACL could block traffic, but there is no mention of one being configured; the most fundamental missing piece is enabling IP routing.

Key Term Flashcards: Inter-VLAN Routing

Flip through these cards to reinforce key terms and concepts before moving on.

VLAN (definition)
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
default gateway (definition)
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Router-on-a-stick
A design where a single physical router interface is configured as an 802.1Q trunk with multiple subinterfaces, each subinterface acting as the Layer 3 gateway for a VLAN to provide inter-VLAN routing.
Subinterface
A logical interface created under a physical router interface (for example, G0/0.10) that can be assigned its own encapsulation type and IP address, often used for router-on-a-stick.
802.1Q trunk
A Layer 2 link that carries traffic for multiple VLANs by tagging frames with a VLAN ID, allowing switches and routers to distinguish which VLAN each frame belongs to.
SVI (Switch Virtual Interface)
A logical Layer 3 interface on a switch that is associated with a VLAN and typically provides the default gateway IP address for hosts in that VLAN.
Layer 3 switch
A network switch that can also perform routing functions, supporting SVIs and dynamic routing protocols to route traffic between VLANs at high speed.
Command: `ip routing`
Global configuration command used on Layer 3 switches to enable Layer 3 forwarding between SVIs and routed interfaces; without it, the switch will not route between VLANs.
Verification command: `show vlan brief`
Displays VLANs configured on a switch and the ports assigned to each VLAN, useful for validating access port-to-VLAN mappings in inter-VLAN routing setups.
Verification command: `show interfaces trunk`
Shows which interfaces are operating as trunks, the VLANs they allow, and their status, critical for troubleshooting router-on-a-stick and multi-VLAN links.

Connecting Inter-VLAN Routing to OSPF and the Bigger Picture

Local vs Wide-Area Routing

Inter-VLAN routing connects subnets within a site. OSPFv2 then advertises those subnets across the larger routed network so other routers can reach them.

Router-on-a-Stick and OSPFv2

A router-on-a-stick device can run OSPFv2 on its subinterfaces, advertising VLAN networks like 192.168.10.0/24 and 192.168.20.0/24 to neighbors.

SVIs and OSPFv2

On a Layer 3 switch, each SVI can participate in OSPFv2. You include SVI IP networks in OSPF `network` commands to propagate VLAN routes.

Exam Mindset

Expect scenarios where you must tie together VLANs, SVIs or subinterfaces, and OSPFv2. Ensure every VLAN subnet has a gateway and is advertised in routing.

Key Terms

VLAN
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
OSPFv2
Open Shortest Path First version 2 (OSPFv2) is a link-state interior gateway protocol used to exchange IPv4 routing information within a single autonomous system.
802.1Q trunk
A Layer 2 link that carries traffic for multiple VLANs by tagging frames with a VLAN ID, allowing devices to distinguish which VLAN each frame belongs to.
Subinterface
A logical interface created under a physical router interface that can be assigned its own encapsulation type and IP address, often used for router-on-a-stick.
Layer 3 switch
A network switch that can also perform routing functions, supporting SVIs and dynamic routing protocols to route traffic between VLANs at high speed.
default gateway
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Router-on-a-stick
A design where a single physical router interface is configured as an 802.1Q trunk with multiple subinterfaces, each subinterface acting as the Layer 3 gateway for a VLAN to provide inter-VLAN routing.
SVI (Switch Virtual Interface)
A logical Layer 3 interface on a switch that is associated with a VLAN and typically provides the default gateway IP address for hosts in that VLAN.

Finished reading?

Test your understanding with a custom practice exam on this chapter.

Test yourself