Computer NetworksVLANs

Virtual LANs (VLANs)

LevelIntermediate

Duration75 mins

TopicVLANs

5 / 5

Inter-VLAN Routing

Connecting Isolated Domains

VLANs create powerful isolation—devices in VLAN 10 cannot communicate with devices in VLAN 20 at Layer 2. But complete isolation is rarely the goal. The finance department needs access to the file server in the server VLAN. Engineering needs to reach the internet through the edge VLAN. Guests need controlled access to web resources.

Inter-VLAN routing is the mechanism that enables controlled communication between VLANs while maintaining the security and segmentation benefits that VLANs provide. By requiring traffic between VLANs to pass through a Layer 3 device, we create an enforcement point where policies, access controls, and inspection can be applied.

This page explores all methods of inter-VLAN routing, from historical approaches to modern enterprise patterns, providing the depth needed to design and implement sophisticated multi-VLAN networks.

What You Will Learn

By the end of this page, you will understand why Layer 3 is required for VLAN communication, master router-on-a-stick configuration, understand Layer 3 switch SVIs, compare different inter-VLAN routing methods, and apply best practices for scalable, secure inter-VLAN architectures.

Why Routing is Required

Understanding why VLANs require routing for inter-VLAN communication is fundamental to network architecture. This isn't an arbitrary design decision—it's a consequence of how Ethernet and IP networks function.

The Layer 2 Boundary:

Switches are fundamentally Layer 2 devices. They forward frames based on MAC addresses using the MAC address table (CAM table). The MAC table maps MAC addresses to switch ports. Crucially, the MAC table is partitioned by VLAN—each VLAN has its own MAC learning and forwarding domain.

When a switch receives a frame in VLAN 10:

It looks up the destination MAC in VLAN 10's MAC table partition
If found, it forwards to that port
If unknown, it floods to all VLAN 10 ports

The switch never consults VLAN 20's MAC table. There is no Layer 2 path between VLANs.

The IP Subnet Relationship:

Each VLAN typically maps to one IP subnet:

VLAN 10 → 10.10.10.0/24
VLAN 20 → 10.10.20.0/24
VLAN 30 → 10.10.30.0/24

Devices in VLAN 10 have IP addresses like 10.10.10.x. Devices in VLAN 20 have 10.10.20.x. When 10.10.10.5 wants to reach 10.10.20.15:

Source device checks: Is destination in my subnet?
Subnet comparison: 10.10.20.15 is NOT in 10.10.10.0/24
Conclusion: Must route via default gateway
Device ARPs for default gateway MAC
Sends frame to gateway MAC with destination IP 10.10.20.15
Gateway routes the packet to the correct VLAN/subnet

Converting Mermaid diagram...

The Gateway is Key

Every device in a VLAN must have a default gateway pointing to the Layer 3 device interface for that VLAN. Without a gateway, devices can only communicate within their own subnet (VLAN). The gateway provides the 'exit' from the VLAN.

Security Benefit of Required Routing:

The routing requirement isn't a limitation—it's a feature. Because all inter-VLAN traffic must pass through a Layer 3 device:

Access Control Lists (ACLs) can filter traffic between VLANs
Firewalls can inspect inter-VLAN flows
IDS/IPS can detect threats crossing VLAN boundaries
Logging captures all inter-VLAN communication
Rate limiting can prevent one VLAN from flooding another
QoS policies can prioritize inter-VLAN traffic

If VLANs could communicate at Layer 2, all these controls would be bypassed. The routing requirement creates a natural enforcement point.

Router-on-a-Stick

Router-on-a-Stick is a method of inter-VLAN routing where a single router interface connects to a switch trunk port. The router uses sub-interfaces—logical subdivisions of a physical interface—to handle multiple VLANs.

Topology:

[Switch]────────Trunk (Gi0/24)────────[Router]
                    │
                    └── Carries VLANs 10, 20, 30

The router's single physical interface (e.g., Gi0/0) is divided into sub-interfaces (Gi0/0.10, Gi0/0.20, Gi0/0.30), each assigned to one VLAN.

Router Configuration:

! Enable the physical interface
interface GigabitEthernet0/0
  no shutdown

! Sub-interface for VLAN 10
interface GigabitEthernet0/0.10
  description Gateway for VLAN 10 - MANAGEMENT
  encapsulation dot1q 10
  ip address 10.10.10.1 255.255.255.0

! Sub-interface for VLAN 20  
interface GigabitEthernet0/0.20
  description Gateway for VLAN 20 - SERVERS
  encapsulation dot1q 20
  ip address 10.10.20.1 255.255.255.0

! Sub-interface for VLAN 30
interface GigabitEthernet0/0.30
  description Gateway for VLAN 30 - ENGINEERING
  encapsulation dot1q 30
  ip address 10.10.30.1 255.255.255.0

Key configuration elements:

encapsulation dot1q <vlan-id>: Associates sub-interface with VLAN
Each sub-interface gets an IP address (the gateway for that VLAN)
Physical interface has no IP; sub-interfaces carry the configuration

Switch Configuration:

! Configure trunk to router
interface GigabitEthernet0/24
  description Trunk to Router - Router-on-a-Stick
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10,20,30
  switchport trunk native vlan 999
  switchport nonegotiate

Traffic Flow Example:

PC-A (10.10.10.5 in VLAN 10) wants to reach PC-B (10.10.20.15 in VLAN 20):

PC-A determines 10.10.20.15 is in a different subnet
PC-A sends frame to gateway MAC (10.10.10.1)
Frame arrives at switch, forwarded to trunk port (VLAN 10 tag added)
Router receives tagged frame on Gi0/0.10
Router performs routing decision: 10.10.20.0/24 → Gi0/0.20
Router ARPs for 10.10.20.15 if needed (or uses ARP cache)
Router sends frame out Gi0/0.20 (VLAN 20 tag applied)
Switch receives tagged frame, forwards to PC-B's access port
PC-B receives frame with source MAC of router

Advantages of Router-on-a-Stick:

Router-on-a-Stick Benefits

•Low hardware cost: Single router interface serves multiple VLANs
•Simple switch requirements: Only Layer 2 switch capability needed
•Full routing features: Access to router's ACLs, NAT, VPN, etc.
•Firewall integration: Easy to position firewall as routing device
•Good for small networks: Sufficient performance for < 100 Mbps aggregate inter-VLAN traffic

Router-on-a-Stick Limitations

The single trunk link is a bottleneck. All inter-VLAN traffic competes for one link's bandwidth. In a 1 Gbps trunk scenario with 5 VLANs each generating 500 Mbps inter-VLAN traffic, the trunk saturates at 40% of demand. This architecture doesn't scale for high-traffic environments or large VLAN counts.

Layer 3 Switch Inter-VLAN Routing

Layer 3 switches (multilayer switches) combine switching and routing functions in a single device. They perform inter-VLAN routing in hardware at wire speed, eliminating the bottleneck of router-on-a-stick designs.

Switch Virtual Interfaces (SVIs):

Layer 3 switches use SVIs (Switch Virtual Interfaces or VLAN interfaces) to enable routing for VLANs. An SVI is a virtual Layer 3 interface associated with a VLAN, serving as that VLAN's gateway.

SVI Configuration:

! Enable IP routing on the switch
Switch(config)# ip routing

! Create SVI for VLAN 10
Switch(config)# interface Vlan10
Switch(config-if)# description Gateway for VLAN 10 - MANAGEMENT
Switch(config-if)# ip address 10.10.10.1 255.255.255.0
Switch(config-if)# no shutdown

! Create SVI for VLAN 20
Switch(config)# interface Vlan20
Switch(config-if)# description Gateway for VLAN 20 - SERVERS
Switch(config-if)# ip address 10.10.20.1 255.255.255.0
Switch(config-if)# no shutdown

! Create SVI for VLAN 30
Switch(config)# interface Vlan30
Switch(config-if)# description Gateway for VLAN 30 - ENGINEERING
Switch(config-if)# ip address 10.10.30.1 255.255.255.0
Switch(config-if)# no shutdown

Critical requirement: ip routing must be enabled globally, or the switch won't forward packets between SVIs.

Layer 3 Switch vs. Router-on-a-Stick
Characteristic	Router-on-a-Stick	Layer 3 Switch (SVI)
Performance	Single link bottleneck	Wire-speed routing via backplane
Scalability	Limited by trunk bandwidth	Scales to switch backplane capacity
Hardware Required	L2 switch + router	Single L3 switch
Configuration Complexity	Moderate	Simple
Cost (initial)	Lower if router exists	L3 switch premium
Cost (scaled)	Higher (separate devices)	Lower (consolidated)
Typical Use	Small networks, SOHO	Enterprise, Data Center

SVI Requirements:

For an SVI to be operational ("up/up" status):

VLAN must exist in the VLAN database
At least one port must be assigned to the VLAN and be in forwarding state
SVI must not be shutdown (no shutdown command)
IP routing must be enabled (for routing, not just management)

Verifying SVI Status:

Switch# show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.10.10.1      YES manual up                    up
Vlan20                 10.10.20.1      YES manual up                    up
Vlan30                 10.10.30.1      YES manual up                    up

Switch# show ip route

Gateway of last resort is not set

C    10.10.10.0/24 is directly connected, Vlan10
C    10.10.20.0/24 is directly connected, Vlan20
C    10.10.30.0/24 is directly connected, Vlan30

Traffic Flow with SVIs:

PC-A (10.10.10.5 in VLAN 10) reaching PC-B (10.10.20.15 in VLAN 20):

PC-A sends frame to gateway MAC (SVI Vlan10)
Switch receives frame on access port, recognizes L3 processing needed
Switch's routing engine determines next-hop: direct connect via Vlan20
Switch rewrites frame: new source MAC (SVI Vlan20), destination MAC (PC-B)
Frame is switched to PC-B's access port
Key difference: Frame never leaves the switch! Inter-VLAN routing is internal.

This internal routing uses the switch's fabric backplane, which typically offers 100s of Gbps capacity—eliminating the bottleneck.

Distributed Inter-VLAN Routing

In large networks with multiple L3 switches, each switch can route for its local VLANs. This distributes routing load and keeps local inter-VLAN traffic local. Only traffic destined for remote subnets traverses uplinks. This is far more scalable than funneling all inter-VLAN traffic through a central router.

Routed Ports and L3 EtherChannel

Layer 3 switches offer another option: routed ports. A routed port is a physical switch port converted to act as a router interface, not associated with any VLAN.

Routed Port Configuration:

interface GigabitEthernet1/0/1
  description Point-to-Point Link to Core Router
  no switchport
  ip address 10.255.1.1 255.255.255.252

The no switchport command converts the port from Layer 2 switching mode to Layer 3 routing mode. This port:

No longer participates in VLANs or STP
Has its own IP address and subnet
Functions like a traditional router interface

Common Use Cases for Routed Ports:

•Point-to-point links to other routers or L3 switches (no VLAN needed)
•WAN connections where routing protocol adjacency is required
•Firewall connections using dedicated IP links
•Direct server connections for high-performance servers needing Layer 3

Layer 3 EtherChannel (Port Channel):

For high-bandwidth Layer 3 connections, multiple routed ports can be aggregated into a Layer 3 EtherChannel:

! Create port-channel as routed interface
interface Port-channel1
  description L3 Link to Core - Aggregated
  no switchport
  ip address 10.255.1.1 255.255.255.252

! Assign physical interfaces to port-channel
interface range GigabitEthernet1/0/23 - 24
  description Member of Po1 - L3 EtherChannel
  no switchport
  channel-group 1 mode active

This bundles two Gigabit interfaces into a 2 Gbps Layer 3 link with redundancy.

Routed Port vs. SVI Decision:

Use SVI When	Use Routed Port When
Many hosts in a VLAN need connectivity	Point-to-point connection
VLAN already exists for switching	No VLAN context needed
Hosts require switch port features	Maximum performance needed
Standard access layer topology	Dedicated high-speed uplink

Port Type Summary

Layer 3 switches have three port types: ACCESS ports (single VLAN, untagged, L2), TRUNK ports (multiple VLANs, tagged, L2), and ROUTED ports (L3 only, no VLAN, acts like router interface). Know when to use each.

Routing Protocol Integration

For inter-VLAN routing to work in complex networks, Layer 3 switches must integrate with routing protocols to learn about remote networks.

Static Routing:

Simplest approach—manually configure routes:

! Default route to core router
ip route 0.0.0.0 0.0.0.0 10.255.1.2

! Route to remote site via WAN router
ip route 10.20.0.0 255.255.0.0 10.255.1.2

OSPF Configuration:

router ospf 1
  router-id 10.0.0.1
  network 10.10.10.0 0.0.0.255 area 0
  network 10.10.20.0 0.0.0.255 area 0
  network 10.10.30.0 0.0.0.255 area 0
  network 10.255.1.0 0.0.0.3 area 0
  passive-interface Vlan10
  passive-interface Vlan20
  passive-interface Vlan30

Key points:

VLAN subnets are advertised to OSPF neighbors
passive-interface prevents OSPF hello on user VLANs (security)
Link to core (10.255.1.x) is active for OSPF adjacency

EIGRP Configuration:

router eigrp 100
  network 10.0.0.0
  passive-interface Vlan10
  passive-interface Vlan20
  passive-interface Vlan30

Routing Protocol Best Practices

•Use passive interfaces on user-facing VLANs—no need to form adjacencies with workstations
•Summarize routes at distribution layer to reduce routing table size
•Implement authentication on routing protocol adjacencies
•Design for redundancy with multiple paths to critical destinations
•Monitor adjacencies and route changes for troubleshooting

Default Gateway Redundancy:

For high availability, multiple Layer 3 switches should share gateway duties using First Hop Redundancy Protocols:

HSRP (Cisco Hot Standby Router Protocol):

! Switch A - Active
interface Vlan10
  ip address 10.10.10.2 255.255.255.0
  standby 10 ip 10.10.10.1
  standby 10 priority 110
  standby 10 preempt

! Switch B - Standby
interface Vlan10
  ip address 10.10.10.3 255.255.255.0
  standby 10 ip 10.10.10.1
  standby 10 priority 100

Virtual IP 10.10.10.1 is the gateway hosts use
Switch A (priority 110) is active
If Switch A fails, Switch B takes over immediately
Users perceive no gateway failure

Similar protocols: VRRP (vendor-neutral), GLBP (Cisco, load balancing).

Gateway Design

Always design gateways with redundancy for production networks. A single Layer 3 switch failure shouldn't isolate an entire VLAN. HSRP/VRRP provides sub-second failover with minimal configuration complexity.

Inter-VLAN Access Control

The primary security benefit of VLANs is the ability to control traffic between them. This control is implemented through ACLs, firewall policies, and traffic engineering at the inter-VLAN routing point.

ACL Application on SVIs:

! ACL permitting HR to access HR servers, denying access from other VLANs
access-list 110 permit ip 10.10.50.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 deny ip any 10.10.20.128 0.0.0.127
access-list 110 permit ip any any

interface Vlan20
  ip access-group 110 out

This applies the ACL to traffic exiting VLAN 20's SVI—traffic going TO the servers VLAN.

Common Inter-VLAN Policy Patterns:

Inter-VLAN Access Policy Examples
Policy	Implementation	Effect
Guest isolation	Deny guest VLAN to all internal VLANs; permit to internet only	Guests access web only, no internal resources
Server access control	Permit specific VLANs to specific server ports	Only authorized departments reach sensitive servers
Management protection	Deny all except admin VLAN to management VLAN	Network devices only accessible from secure VLAN
PCI compliance	Isolated payment VLAN with minimal permitted flows	Credit card processing isolated per compliance
IoT quarantine	IoT VLAN reaches only cloud services (specific IPs)	IoT devices can't roam internal network

Firewall as Gateway:

For maximum security, some organizations route all inter-VLAN traffic through a firewall:

Architecture:

[Access Switch - VLAN 10] ──── [L3 Switch or Trunk] ──── [Firewall]
[Access Switch - VLAN 20] ────────────────────────────────────|
[Access Switch - VLAN 30] ────────────────────────────────────|

The firewall terminates SVIs for each VLAN and applies stateful inspection, threat prevention, and logging to all inter-VLAN traffic.

Advantages:

Full Layer 7 inspection between VLANs
IPS/IDS capabilities
Detailed logging and forensics
Advanced threat detection
Consistent policy engine for all traffic

Disadvantages:

Firewall becomes throughput bottleneck
Higher latency than L3 switch routing
Firewall failure affects all inter-VLAN traffic
Cost of firewall capacity for line-rate traffic

Hybrid Approach:

Many organizations use a hybrid model:

L3 switches route between "trusted" internal VLANs (e.g., Engineering to Servers)
Firewall routes for "sensitive" boundaries (e.g., User VLANs to Production Servers)
Firewall mandatory for any external/DMZ traffic

ACL Performance

While modern L3 switches process ACLs in hardware (TCAM), TCAM space is limited. Very long ACL lists can exhaust TCAM, causing performance degradation or ACL installation failure. Design ACLs to be efficient—order entries by hit frequency, summarize where possible, and monitor TCAM utilization.

Enterprise Design Patterns

Enterprise networks use standardized design patterns for inter-VLAN routing that provide scalability, redundancy, and manageability.

Three-Tier Hierarchical Design:

                    [Core Layer]
                    (Routing aggregation)
                         │
              ┌──────────┼──────────┐
              │          │          │
        [Distribution] [Distribution] [Distribution]
        (L3 routing)   (L3 routing)   (L3 routing)
              │          │          │
    ┌────┬────┘     ┌────┴────┐     └────┬────┐
[Access][Access] [Access][Access] [Access][Access]
(L2 VLANs)       (L2 VLANs)       (L2 VLANs)

Key characteristics:

Access layer: Layer 2 switches, VLANs defined here, connect end devices
Distribution layer: Layer 3 switches with SVIs, inter-VLAN routing occurs here
Core layer: High-speed routing backbone, aggregates distribution traffic

VLANs typically don't span beyond their distribution switch pair, keeping failure domains small.

Design Principles

•Keep VLANs local — VLANs should not extend past distribution layer; limits STP scope and failure domains
•Route at distribution — Inter-VLAN routing at distribution layer; access layer remains pure L2
•Redundant gateways — HSRP/VRRP between distribution switch pairs
•Summarize at boundaries — Distribution layer summarizes access layer subnets to core
•Equal-cost paths — Use ECMP (Equal-Cost Multi-Path) for redundancy and load distribution

Collapsed Core (Two-Tier) Design:

Smaller environments combine distribution and core functions:

            [Distribution/Core]
            (L3 routing, aggregation)
                    │
    ┌───────┬───────┼───────┬───────┐
[Access] [Access] [Access] [Access] [Access]

Simpler, fewer devices
Distribution switches handle both routing and backbone
Suitable for single buildings or small campuses

Spine-Leaf (Data Center) Design:

Modern data centers use spine-leaf architecture:

    [Spine] [Spine] [Spine]
      │  \   │   /   │
      │   \ │  /    │
      │    \│/     │
    [Leaf] [Leaf] [Leaf] [Leaf]

Every leaf connects to every spine (full mesh)
Consistent latency (max 2 hops between any two leaves)
Routing at every layer (usually BGP or OSPF)
VLANs may extend across leaves via VXLAN overlay

Design Evolution

Traditional three-tier campus designs are evolving toward SD-Access and intent-based networking, while data center designs use spine-leaf with VXLAN overlays. The fundamentals of SVIs and inter-VLAN routing remain, but the control plane becomes software-defined. Understanding manual configuration provides the foundation for these advanced architectures.

Inter-VLAN Routing Summary

Inter-VLAN routing transforms isolated VLAN segments into a cohesive, controlled network. The choice of routing method—router-on-a-stick, Layer 3 switches, or firewall—depends on performance requirements, security needs, and existing infrastructure.

Key Inter-VLAN Routing Takeaways

•VLANs require routing for inter-VLAN communication—this is by design, not limitation
•Router-on-a-stick uses sub-interfaces on a trunk; simple but limited bandwidth
•Layer 3 switches with SVIs provide wire-speed inter-VLAN routing; enterprise standard
•Routed ports convert switch ports to L3 router interfaces for point-to-point links
•HSRP/VRRP provides gateway redundancy; essential for production networks
•ACLs on SVIs enable traffic filtering between VLANs at the routing point
•Enterprise designs use hierarchical topologies with routing at distribution layer
•Routing protocols integrate L3 switches into larger routed networks

VLAN Module Complete

You have completed the comprehensive VLAN module. You now understand VLAN concepts, benefits, implementation, 802.1Q tagging, and inter-VLAN routing. This knowledge forms the foundation for enterprise network design and operation, enabling you to architect, deploy, and troubleshoot VLAN-based infrastructures.

Module Summary:

Across five pages, we have explored:

Virtual LAN Concept — The logical segmentation paradigm, decoupling physical and logical topology
VLAN Benefits — Security, broadcast control, flexibility, manageability, and cost optimization
VLAN Implementation — Access/trunk ports, VLAN databases, VTP, and best practices
VLAN Tagging (802.1Q) — Frame format, tag structure, processing rules, and advanced scenarios
Inter-VLAN Routing — Router-on-a-stick, L3 switches, SVIs, and enterprise design patterns

This comprehensive understanding prepares you for the next chapter's topics: comparing switches and routers in detail, exploring Layer 2 versus Layer 3 operation, and understanding multilayer switching architectures.

5 / 5

Loading learning content...

Computer NetworksVLANs

Virtual LANs (VLANs)

LevelIntermediate

Duration75 mins

TopicVLANs

5 / 5

Inter-VLAN Routing

Connecting Isolated Domains

This page explores all methods of inter-VLAN routing, from historical approaches to modern enterprise patterns, providing the depth needed to design and implement sophisticated multi-VLAN networks.

What You Will Learn

Why Routing is Required

The Layer 2 Boundary:

When a switch receives a frame in VLAN 10:

It looks up the destination MAC in VLAN 10's MAC table partition
If found, it forwards to that port
If unknown, it floods to all VLAN 10 ports

The switch never consults VLAN 20's MAC table. There is no Layer 2 path between VLANs.

The IP Subnet Relationship:

Each VLAN typically maps to one IP subnet:

VLAN 10 → 10.10.10.0/24
VLAN 20 → 10.10.20.0/24
VLAN 30 → 10.10.30.0/24

Devices in VLAN 10 have IP addresses like 10.10.10.x. Devices in VLAN 20 have 10.10.20.x. When 10.10.10.5 wants to reach 10.10.20.15:

Source device checks: Is destination in my subnet?
Subnet comparison: 10.10.20.15 is NOT in 10.10.10.0/24
Conclusion: Must route via default gateway
Device ARPs for default gateway MAC
Sends frame to gateway MAC with destination IP 10.10.20.15
Gateway routes the packet to the correct VLAN/subnet

Converting Mermaid diagram...

The Gateway is Key

Security Benefit of Required Routing:

The routing requirement isn't a limitation—it's a feature. Because all inter-VLAN traffic must pass through a Layer 3 device:

Access Control Lists (ACLs) can filter traffic between VLANs
Firewalls can inspect inter-VLAN flows
IDS/IPS can detect threats crossing VLAN boundaries
Logging captures all inter-VLAN communication
Rate limiting can prevent one VLAN from flooding another
QoS policies can prioritize inter-VLAN traffic

If VLANs could communicate at Layer 2, all these controls would be bypassed. The routing requirement creates a natural enforcement point.

Router-on-a-Stick

Topology:

[Switch]────────Trunk (Gi0/24)────────[Router]
                    │
                    └── Carries VLANs 10, 20, 30

The router's single physical interface (e.g., Gi0/0) is divided into sub-interfaces (Gi0/0.10, Gi0/0.20, Gi0/0.30), each assigned to one VLAN.

Router Configuration:

! Enable the physical interface
interface GigabitEthernet0/0
  no shutdown

! Sub-interface for VLAN 10
interface GigabitEthernet0/0.10
  description Gateway for VLAN 10 - MANAGEMENT
  encapsulation dot1q 10
  ip address 10.10.10.1 255.255.255.0

! Sub-interface for VLAN 20  
interface GigabitEthernet0/0.20
  description Gateway for VLAN 20 - SERVERS
  encapsulation dot1q 20
  ip address 10.10.20.1 255.255.255.0

! Sub-interface for VLAN 30
interface GigabitEthernet0/0.30
  description Gateway for VLAN 30 - ENGINEERING
  encapsulation dot1q 30
  ip address 10.10.30.1 255.255.255.0

Key configuration elements:

encapsulation dot1q <vlan-id>: Associates sub-interface with VLAN
Each sub-interface gets an IP address (the gateway for that VLAN)
Physical interface has no IP; sub-interfaces carry the configuration

Switch Configuration:

! Configure trunk to router
interface GigabitEthernet0/24
  description Trunk to Router - Router-on-a-Stick
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10,20,30
  switchport trunk native vlan 999
  switchport nonegotiate

Traffic Flow Example:

PC-A (10.10.10.5 in VLAN 10) wants to reach PC-B (10.10.20.15 in VLAN 20):

PC-A determines 10.10.20.15 is in a different subnet
PC-A sends frame to gateway MAC (10.10.10.1)
Frame arrives at switch, forwarded to trunk port (VLAN 10 tag added)
Router receives tagged frame on Gi0/0.10
Router performs routing decision: 10.10.20.0/24 → Gi0/0.20
Router ARPs for 10.10.20.15 if needed (or uses ARP cache)
Router sends frame out Gi0/0.20 (VLAN 20 tag applied)
Switch receives tagged frame, forwards to PC-B's access port
PC-B receives frame with source MAC of router

Advantages of Router-on-a-Stick:

Router-on-a-Stick Benefits

•Low hardware cost: Single router interface serves multiple VLANs
•Simple switch requirements: Only Layer 2 switch capability needed
•Full routing features: Access to router's ACLs, NAT, VPN, etc.
•Firewall integration: Easy to position firewall as routing device
•Good for small networks: Sufficient performance for < 100 Mbps aggregate inter-VLAN traffic

Router-on-a-Stick Limitations

Layer 3 Switch Inter-VLAN Routing

Switch Virtual Interfaces (SVIs):

Layer 3 switches use SVIs (Switch Virtual Interfaces or VLAN interfaces) to enable routing for VLANs. An SVI is a virtual Layer 3 interface associated with a VLAN, serving as that VLAN's gateway.

SVI Configuration:

! Enable IP routing on the switch
Switch(config)# ip routing

! Create SVI for VLAN 10
Switch(config)# interface Vlan10
Switch(config-if)# description Gateway for VLAN 10 - MANAGEMENT
Switch(config-if)# ip address 10.10.10.1 255.255.255.0
Switch(config-if)# no shutdown

! Create SVI for VLAN 20
Switch(config)# interface Vlan20
Switch(config-if)# description Gateway for VLAN 20 - SERVERS
Switch(config-if)# ip address 10.10.20.1 255.255.255.0
Switch(config-if)# no shutdown

! Create SVI for VLAN 30
Switch(config)# interface Vlan30
Switch(config-if)# description Gateway for VLAN 30 - ENGINEERING
Switch(config-if)# ip address 10.10.30.1 255.255.255.0
Switch(config-if)# no shutdown

Critical requirement: ip routing must be enabled globally, or the switch won't forward packets between SVIs.

Layer 3 Switch vs. Router-on-a-Stick
Characteristic	Router-on-a-Stick	Layer 3 Switch (SVI)
Performance	Single link bottleneck	Wire-speed routing via backplane
Scalability	Limited by trunk bandwidth	Scales to switch backplane capacity
Hardware Required	L2 switch + router	Single L3 switch
Configuration Complexity	Moderate	Simple
Cost (initial)	Lower if router exists	L3 switch premium
Cost (scaled)	Higher (separate devices)	Lower (consolidated)
Typical Use	Small networks, SOHO	Enterprise, Data Center

SVI Requirements:

For an SVI to be operational ("up/up" status):

VLAN must exist in the VLAN database
At least one port must be assigned to the VLAN and be in forwarding state
SVI must not be shutdown (no shutdown command)
IP routing must be enabled (for routing, not just management)

Verifying SVI Status:

Switch# show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.10.10.1      YES manual up                    up
Vlan20                 10.10.20.1      YES manual up                    up
Vlan30                 10.10.30.1      YES manual up                    up

Switch# show ip route

Gateway of last resort is not set

C    10.10.10.0/24 is directly connected, Vlan10
C    10.10.20.0/24 is directly connected, Vlan20
C    10.10.30.0/24 is directly connected, Vlan30

Traffic Flow with SVIs:

PC-A (10.10.10.5 in VLAN 10) reaching PC-B (10.10.20.15 in VLAN 20):

PC-A sends frame to gateway MAC (SVI Vlan10)
Switch receives frame on access port, recognizes L3 processing needed
Switch's routing engine determines next-hop: direct connect via Vlan20
Switch rewrites frame: new source MAC (SVI Vlan20), destination MAC (PC-B)
Frame is switched to PC-B's access port
Key difference: Frame never leaves the switch! Inter-VLAN routing is internal.

This internal routing uses the switch's fabric backplane, which typically offers 100s of Gbps capacity—eliminating the bottleneck.

Distributed Inter-VLAN Routing

Routed Ports and L3 EtherChannel

Layer 3 switches offer another option: routed ports. A routed port is a physical switch port converted to act as a router interface, not associated with any VLAN.

Routed Port Configuration:

interface GigabitEthernet1/0/1
  description Point-to-Point Link to Core Router
  no switchport
  ip address 10.255.1.1 255.255.255.252

The no switchport command converts the port from Layer 2 switching mode to Layer 3 routing mode. This port:

No longer participates in VLANs or STP
Has its own IP address and subnet
Functions like a traditional router interface

Common Use Cases for Routed Ports:

•Point-to-point links to other routers or L3 switches (no VLAN needed)
•WAN connections where routing protocol adjacency is required
•Firewall connections using dedicated IP links
•Direct server connections for high-performance servers needing Layer 3

Layer 3 EtherChannel (Port Channel):

For high-bandwidth Layer 3 connections, multiple routed ports can be aggregated into a Layer 3 EtherChannel:

! Create port-channel as routed interface
interface Port-channel1
  description L3 Link to Core - Aggregated
  no switchport
  ip address 10.255.1.1 255.255.255.252

! Assign physical interfaces to port-channel
interface range GigabitEthernet1/0/23 - 24
  description Member of Po1 - L3 EtherChannel
  no switchport
  channel-group 1 mode active

This bundles two Gigabit interfaces into a 2 Gbps Layer 3 link with redundancy.

Routed Port vs. SVI Decision:

Use SVI When	Use Routed Port When
Many hosts in a VLAN need connectivity	Point-to-point connection
VLAN already exists for switching	No VLAN context needed
Hosts require switch port features	Maximum performance needed
Standard access layer topology	Dedicated high-speed uplink

Port Type Summary

Routing Protocol Integration

For inter-VLAN routing to work in complex networks, Layer 3 switches must integrate with routing protocols to learn about remote networks.

Static Routing:

Simplest approach—manually configure routes:

! Default route to core router
ip route 0.0.0.0 0.0.0.0 10.255.1.2

! Route to remote site via WAN router
ip route 10.20.0.0 255.255.0.0 10.255.1.2

OSPF Configuration:

router ospf 1
  router-id 10.0.0.1
  network 10.10.10.0 0.0.0.255 area 0
  network 10.10.20.0 0.0.0.255 area 0
  network 10.10.30.0 0.0.0.255 area 0
  network 10.255.1.0 0.0.0.3 area 0
  passive-interface Vlan10
  passive-interface Vlan20
  passive-interface Vlan30

Key points:

VLAN subnets are advertised to OSPF neighbors
passive-interface prevents OSPF hello on user VLANs (security)
Link to core (10.255.1.x) is active for OSPF adjacency

EIGRP Configuration:

router eigrp 100
  network 10.0.0.0
  passive-interface Vlan10
  passive-interface Vlan20
  passive-interface Vlan30

Routing Protocol Best Practices

•Use passive interfaces on user-facing VLANs—no need to form adjacencies with workstations
•Summarize routes at distribution layer to reduce routing table size
•Implement authentication on routing protocol adjacencies
•Design for redundancy with multiple paths to critical destinations
•Monitor adjacencies and route changes for troubleshooting

Default Gateway Redundancy:

For high availability, multiple Layer 3 switches should share gateway duties using First Hop Redundancy Protocols:

HSRP (Cisco Hot Standby Router Protocol):

! Switch A - Active
interface Vlan10
  ip address 10.10.10.2 255.255.255.0
  standby 10 ip 10.10.10.1
  standby 10 priority 110
  standby 10 preempt

! Switch B - Standby
interface Vlan10
  ip address 10.10.10.3 255.255.255.0
  standby 10 ip 10.10.10.1
  standby 10 priority 100

Virtual IP 10.10.10.1 is the gateway hosts use
Switch A (priority 110) is active
If Switch A fails, Switch B takes over immediately
Users perceive no gateway failure

Similar protocols: VRRP (vendor-neutral), GLBP (Cisco, load balancing).

Gateway Design

Inter-VLAN Access Control

ACL Application on SVIs:

! ACL permitting HR to access HR servers, denying access from other VLANs
access-list 110 permit ip 10.10.50.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 110 deny ip any 10.10.20.128 0.0.0.127
access-list 110 permit ip any any

interface Vlan20
  ip access-group 110 out

This applies the ACL to traffic exiting VLAN 20's SVI—traffic going TO the servers VLAN.

Common Inter-VLAN Policy Patterns:

Inter-VLAN Access Policy Examples
Policy	Implementation	Effect
Guest isolation	Deny guest VLAN to all internal VLANs; permit to internet only	Guests access web only, no internal resources
Server access control	Permit specific VLANs to specific server ports	Only authorized departments reach sensitive servers
Management protection	Deny all except admin VLAN to management VLAN	Network devices only accessible from secure VLAN
PCI compliance	Isolated payment VLAN with minimal permitted flows	Credit card processing isolated per compliance
IoT quarantine	IoT VLAN reaches only cloud services (specific IPs)	IoT devices can't roam internal network

Firewall as Gateway:

For maximum security, some organizations route all inter-VLAN traffic through a firewall:

Architecture:

[Access Switch - VLAN 10] ──── [L3 Switch or Trunk] ──── [Firewall]
[Access Switch - VLAN 20] ────────────────────────────────────|
[Access Switch - VLAN 30] ────────────────────────────────────|

The firewall terminates SVIs for each VLAN and applies stateful inspection, threat prevention, and logging to all inter-VLAN traffic.

Advantages:

Full Layer 7 inspection between VLANs
IPS/IDS capabilities
Detailed logging and forensics
Advanced threat detection
Consistent policy engine for all traffic

Disadvantages:

Firewall becomes throughput bottleneck
Higher latency than L3 switch routing
Firewall failure affects all inter-VLAN traffic
Cost of firewall capacity for line-rate traffic

Hybrid Approach:

Many organizations use a hybrid model:

L3 switches route between "trusted" internal VLANs (e.g., Engineering to Servers)
Firewall routes for "sensitive" boundaries (e.g., User VLANs to Production Servers)
Firewall mandatory for any external/DMZ traffic

ACL Performance

Enterprise Design Patterns

Enterprise networks use standardized design patterns for inter-VLAN routing that provide scalability, redundancy, and manageability.

Three-Tier Hierarchical Design:

                    [Core Layer]
                    (Routing aggregation)
                         │
              ┌──────────┼──────────┐
              │          │          │
        [Distribution] [Distribution] [Distribution]
        (L3 routing)   (L3 routing)   (L3 routing)
              │          │          │
    ┌────┬────┘     ┌────┴────┐     └────┬────┐
[Access][Access] [Access][Access] [Access][Access]
(L2 VLANs)       (L2 VLANs)       (L2 VLANs)

Key characteristics:

Access layer: Layer 2 switches, VLANs defined here, connect end devices
Distribution layer: Layer 3 switches with SVIs, inter-VLAN routing occurs here
Core layer: High-speed routing backbone, aggregates distribution traffic

VLANs typically don't span beyond their distribution switch pair, keeping failure domains small.

Design Principles

•Keep VLANs local — VLANs should not extend past distribution layer; limits STP scope and failure domains
•Route at distribution — Inter-VLAN routing at distribution layer; access layer remains pure L2
•Redundant gateways — HSRP/VRRP between distribution switch pairs
•Summarize at boundaries — Distribution layer summarizes access layer subnets to core
•Equal-cost paths — Use ECMP (Equal-Cost Multi-Path) for redundancy and load distribution

Collapsed Core (Two-Tier) Design:

Smaller environments combine distribution and core functions:

            [Distribution/Core]
            (L3 routing, aggregation)
                    │
    ┌───────┬───────┼───────┬───────┐
[Access] [Access] [Access] [Access] [Access]

Simpler, fewer devices
Distribution switches handle both routing and backbone
Suitable for single buildings or small campuses

Spine-Leaf (Data Center) Design:

Modern data centers use spine-leaf architecture:

    [Spine] [Spine] [Spine]
      │  \   │   /   │
      │   \ │  /    │
      │    \│/     │
    [Leaf] [Leaf] [Leaf] [Leaf]

Every leaf connects to every spine (full mesh)
Consistent latency (max 2 hops between any two leaves)
Routing at every layer (usually BGP or OSPF)
VLANs may extend across leaves via VXLAN overlay

Design Evolution

Inter-VLAN Routing Summary

Key Inter-VLAN Routing Takeaways

•VLANs require routing for inter-VLAN communication—this is by design, not limitation
•Router-on-a-stick uses sub-interfaces on a trunk; simple but limited bandwidth
•Layer 3 switches with SVIs provide wire-speed inter-VLAN routing; enterprise standard
•Routed ports convert switch ports to L3 router interfaces for point-to-point links
•HSRP/VRRP provides gateway redundancy; essential for production networks
•ACLs on SVIs enable traffic filtering between VLANs at the routing point
•Enterprise designs use hierarchical topologies with routing at distribution layer
•Routing protocols integrate L3 switches into larger routed networks

VLAN Module Complete

Module Summary:

Across five pages, we have explored:

Virtual LAN Concept — The logical segmentation paradigm, decoupling physical and logical topology
VLAN Benefits — Security, broadcast control, flexibility, manageability, and cost optimization
VLAN Implementation — Access/trunk ports, VLAN databases, VTP, and best practices
VLAN Tagging (802.1Q) — Frame format, tag structure, processing rules, and advanced scenarios
Inter-VLAN Routing — Router-on-a-stick, L3 switches, SVIs, and enterprise design patterns

5 / 5