The process of routing traffic between different VLANs (and therefore different IP subnets) using a Layer 3 device such as a router or multilayer switch.

A design where a single physical router interface connects to a switch via an 802.1Q trunk, and multiple router subinterfaces (one per VLAN) provide inter-VLAN routing.

A switch port that carries traffic for multiple VLANs, usually using 802.1Q tagging, and is required toward a router in a router-on-a-stick design.

Default gateway (definition)

A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.

An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.

A Switched Virtual Interface (SVI) is a logical Layer 3 interface on a switch that is associated with a VLAN and typically provides the default gateway IP address for that VLAN.

A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.

Inter-VLAN Routing and Layer 3 Switching — CCNA 200-301 Deep-Dive Masterclass: Network Fundamentals, Security, and Automation

Big Picture: Why We Need Inter-VLAN Routing

From VLANs to Routing

VLANs create multiple broadcast domains on a switch, but by default hosts in different VLANs cannot communicate. A pure Layer 2 switch forwards only within each VLAN.

What Is Inter-VLAN Routing?

Inter-VLAN routing is routing between VLANs: a Layer 3 device receives traffic from one VLAN, uses its routing table, and forwards it toward another VLAN/subnet.

Two Main Approaches

For CCNA, focus on two methods: router-on-a-stick (router with 802.1Q subinterfaces) and Layer 3 switches using SVIs (virtual Layer 3 interfaces on the switch).

Role of the Default Gateway

Each host uses a default gateway, which is the IP address of a router interface on the local segment, to reach remote networks and other VLANs.

Conceptual Model: How Inter-VLAN Routing Works

Two VLANs, Two Subnets

Example: VLAN 10 uses 192.168.10.0/24 with gateway 192.168.10.1; VLAN 20 uses 192.168.20.0/24 with gateway 192.168.20.1. Each VLAN is its own subnet.

Packet Flow Overview

When PC-A in VLAN 10 pings PC-B in VLAN 20, PC-A sends to its default gateway. The Layer 3 device receives on VLAN 10, routes, then forwards out VLAN 20.

Routing Table Role

The Layer 3 device has directly connected routes for each VLAN subnet. It checks the table, finds the VLAN 20 network, and forwards accordingly.

Key Design Rules

Each VLAN must have a unique subnet and a Layer 3 interface. Hosts must point their default gateway at that interface for inter-VLAN communication to work.

Router-on-a-Stick: Concept and Topology

What Is Router-on-a-Stick?

Router-on-a-stick uses one physical router interface connected by an 802.1Q trunk to a switch. Subinterfaces on the router handle multiple VLANs.

Topology Picture in Words

Imagine a switch with VLAN 10 and 20, connected by one cable to a router. The switch port is a trunk; the router splits its port into G0/0.10 and G0/0.20.

Role of Subinterfaces

Each subinterface uses `encapsulation dot1Q vlan-id` and has an IP address that acts as the default gateway for that VLAN's hosts.

When It Is Used

Router-on-a-stick fits small networks with one main switch and modest inter-VLAN traffic, where a separate router also handles WAN connectivity.

Hands-On: Configure Router-on-a-Stick (Cisco IOS)

Follow this step-by-step configuration example for router-on-a-stick using Cisco IOS-like syntax. Assume:

Router interface to switch: `G0/0`
VLAN 10 (Sales): 192.168.10.0/24, gateway 192.168.10.1
VLAN 20 (HR): 192.168.20.0/24, gateway 192.168.20.1

On the switch:

Create VLANs
Assign access ports
Configure the trunk toward the router

On the router:

Enable the physical interface
Create subinterfaces with 802.1Q encapsulation
Assign IP addresses

Pay attention to common exam traps:

Forgetting `no shutdown` on the physical router interface or subinterfaces.
Missing `switchport mode trunk` on the switch port.
Using the wrong VLAN ID in `encapsulation dot1Q`.
Giving the gateway IP an address that does not match the host subnet mask.

Layer 3 Switches and SVIs

What Is a Layer 3 Switch?

A multilayer (Layer 3) switch can both switch at Layer 2 and route at Layer 3 in hardware, often replacing external routers for inter-VLAN routing.

What Is an SVI?

A Switched Virtual Interface (SVI) is a logical Layer 3 interface tied to a VLAN, like `interface vlan 10` with an IP that serves as that VLAN's default gateway.

SVI Requirements

The VLAN must exist and be active, and usually at least one port in that VLAN must be up for the SVI to be up/up and able to route.

Enabling Routing

On Cisco Layer 3 switches you often enable Layer 3 routing globally with `ip routing` so the switch can route between SVIs.

Hands-On: Configure Inter-VLAN Routing with SVIs

Here is a typical configuration on a Cisco Layer 3 switch that performs inter-VLAN routing using SVIs. We will:

Create VLANs 10 and 20
Assign access ports to each VLAN
Configure SVIs with IP addresses (default gateways)
Enable IP routing on the switch

Assume:

VLAN 10 subnet: 192.168.10.0/24, gateway 192.168.10.1
VLAN 20 subnet: 192.168.20.0/24, gateway 192.168.20.1

You might also connect this Layer 3 switch upstream to a router or firewall via a routed port (not a trunk) using `no switchport` on that interface, but the core inter-VLAN routing happens between the SVIs.

Thought Exercise: Choosing Between Router-on-a-Stick and Layer 3 Switch

Work through these scenarios mentally. Decide which design you would choose and why.

Small Office, One Switch, One Router

1 access switch
1 branch router providing WAN connectivity
3 VLANs (Data, Voice, Guest), low traffic
Budget is tight
Question: Would you use router-on-a-stick or a Layer 3 switch? Why?

Think: You already have a router, traffic is low, and buying a Layer 3 switch might be expensive.

Campus Core, High Traffic

Multiple access switches
Central core/distribution switch
Many VLANs (e.g., 20+), lots of inter-VLAN traffic
Need high throughput and fast convergence
Question: Which design fits better here, and where would you place the routing function?

Think: Hardware-based routing on a multilayer switch scales better than a single router interface.

Security Segmentation

You must apply detailed ACLs between VLANs
You might later add features like DHCP relay, QoS, and policy-based routing
Question: Does it matter whether you use a router or a Layer 3 switch for these policies?

Hint: Both can apply ACLs, but placing routing and policies close to the access layer can simplify designs.

Pause and write down your answers. Then compare:

Scenario 1: router-on-a-stick is usually sufficient and cheaper.
Scenario 2: a Layer 3 core switch with SVIs is the typical enterprise design.
Scenario 3: either works, but Layer 3 switches let you distribute policy closer to users.

Quick Check: Fundamentals of Inter-VLAN Routing

Answer this to confirm you have the core idea.

Which statement best describes inter-VLAN routing in a typical campus network?

It allows switches to forward frames between VLANs using MAC addresses only.
It uses a Layer 3 device with an interface in each VLAN's subnet to route traffic between those VLANs.
It uses Spanning Tree Protocol to unblock redundant links between VLANs.
It allows a single VLAN to span multiple switches without losing segmentation.

Show Answer

Answer: B) It uses a Layer 3 device with an interface in each VLAN's subnet to route traffic between those VLANs.

Inter-VLAN routing requires a Layer 3 device (router or multilayer switch) with a Layer 3 interface in each VLAN's subnet. The device routes traffic between VLANs using IP, not just MAC addresses. Option 1 is pure Layer 2 switching, option 3 describes STP, and option 4 describes VLAN trunking, not routing.

Quiz: Router-on-a-Stick and SVIs

Test your understanding of configuration details.

On a router-on-a-stick configuration, hosts in VLAN 30 cannot reach hosts in VLAN 40. The router subinterfaces G0/0.30 and G0/0.40 are configured with IP addresses, but pings still fail. Which of the following is the MOST likely cause?

The switch port connected to the router is configured as an access port in VLAN 30.
The router is missing a static route between VLAN 30 and VLAN 40.
The router's physical interface G0/0 is configured with `no shutdown`.
The switch has Spanning Tree Protocol enabled on the trunk port.

Show Answer

Answer: A) The switch port connected to the router is configured as an access port in VLAN 30.

For router-on-a-stick, the switch port facing the router must be an 802.1Q trunk. If it is configured as an access port in VLAN 30, only VLAN 30 traffic will pass, and VLAN 40 traffic will never reach the router. No static route is needed because both VLANs are directly connected. `no shutdown` being present is good, not a problem. STP running is normal and not by itself a cause of this specific issue.

Default Gateways and End-to-End Connectivity

Default Gateway Role

Each host uses the IP of its VLAN's router interface (SVI or subinterface) as its default gateway to reach remote networks and other VLANs.

Correct Pairing

The default gateway must be in the same subnet as the host. Example: host 192.168.10.50/24 uses gateway 192.168.10.1, not 192.168.20.1.

Common Errors

Typical mistakes: wrong gateway subnet, gateway IP not configured anywhere, or pointing to a device that does not route internal VLANs.

Troubleshooting Steps

Check same-VLAN pings, then pings to the gateway, then routing and ACLs on the Layer 3 device, validating with `show ip int brief` and `show ip route`.

Systematic Troubleshooting of Inter-VLAN Connectivity

Start with Layer 2

First confirm VLANs and port membership using `show vlan brief` and `show interfaces switchport`. Wrong VLANs mean inter-VLAN routing cannot even start.

Check SVIs and Routing

On the Layer 3 switch, use `show ip interface brief` and `show ip route` to confirm SVIs are up with correct IPs and that routing is enabled.

Validate Host Settings

On each host, verify IP address, subnet mask, and default gateway. A wrong gateway or mask is a very common cause of failure.

Consider ACLs

If all else looks good, look for ACLs on SVIs. An ACL is an ordered set of permit and deny statements that may be blocking inter-VLAN traffic.

Key Term and Concept Review

Flip through these cards to reinforce critical inter-VLAN routing concepts.

Inter-VLAN routing: The process of routing traffic between different VLANs (and therefore different IP subnets) using a Layer 3 device such as a router or multilayer switch.
Router-on-a-stick: A design where a single physical router interface connects to a switch via an 802.1Q trunk, and multiple router subinterfaces (one per VLAN) provide inter-VLAN routing.
Switched Virtual Interface (SVI): A logical Layer 3 interface on a switch that is associated with a VLAN and typically provides the default gateway IP address for that VLAN.
Trunk port: A switch port that carries traffic for multiple VLANs, usually using 802.1Q tagging, and is required toward a router in a router-on-a-stick design.
Default gateway (definition): A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Requirement for inter-VLAN routing: Each VLAN must have its own IP subnet and a Layer 3 interface (router subinterface or SVI) with an IP address in that subnet.
Command to enable routing on a Layer 3 switch (Cisco IOS): `ip routing` in global configuration mode.
Common router-on-a-stick misconfiguration: Switch port toward the router configured as an access port instead of an 802.1Q trunk, preventing multiple VLANs from reaching the router.
How to bind a router subinterface to a VLAN (Cisco IOS): Use `encapsulation dot1Q <vlan-id>` under the subinterface configuration.
ACL (definition): An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.

Key Terms

ACL: An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
SVI: A Switched Virtual Interface (SVI) is a logical Layer 3 interface on a switch that is associated with a VLAN and typically provides the default gateway IP address for that VLAN.
VLAN: A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
802.1Q: An IEEE standard for VLAN tagging on Ethernet frames, used on trunk links to identify the VLAN to which each frame belongs.
Trunk port: A switch port configured to carry traffic for multiple VLANs using a tagging protocol such as IEEE 802.1Q.
ip routing: A Cisco IOS global configuration command that enables Layer 3 routing functionality on a switch so it can route between SVIs and routed interfaces.
Layer 3 switch: A multilayer switch capable of both Layer 2 switching and Layer 3 routing, often using SVIs for inter-VLAN routing.
default gateway: A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Router-on-a-stick: A design where a single physical router interface is connected to a switch via an 802.1Q trunk, and multiple router subinterfaces (one per VLAN) provide inter-VLAN routing.
Inter-VLAN routing: Routing of IP traffic between different VLANs (and their associated IP subnets) using a Layer 3 device such as a router or multilayer switch.