In a Layer 2 switched environment, VLANs separate devices into different collision domains and Layer 3 subnets. Devices in the same VLAN can communicate without any routing, and devices in different VLANs require routing to communicate with each other.
L2 switches require an L3 routing device to communicate between different VLANs, and the device is either an external router or Layer 3 module on the same chassis. Most of the Cisco switches have routing capabilities within the switch. When the switch receives a packet, it determines that it belongs to another VLAN, and the switch sends the packet to the appropriate port on the other VLAN.
This blog will discuss inter-VLAN routing configuration examples in Cisco routers and switches.
Download the guide and refer back to it at any time!
VLANs are used to segment Layer 2 networks. Hosts from one VLAN cannot communicate with hosts in another VLAN unless a router or a Layer 3 switch provides routing services.
Inter-VLAN routing is the technology for communicating network traffic from one VLAN to another VLAN.
There are two well-known inter-VLAN routing options:
The "router-on-a-stick" inter-VLAN routing technique needs only one physical interface to route traffic among multiple VLANs on a network. A router's physical interface is configured as an 802.1Q trunk and connected to the Layer 2 switch's trunk interface.
The router interface is configured using subinterfaces for passing multiple VLANs in one interface. The configured subinterfaces are software-based virtual interfaces, and each subinterface is associated with a single physical Ethernet interface. Each sub-interface is configured for different subnets that correspond to their VLAN assignment, which facilitates logical routing.
When VLAN-tagged traffic enters the router interface, the traffic is forwarded to the VLAN subinterface according to the VLAN tag ID. After a routing decision is performed based on the destination address, the router determines the egress interface for the traffic.
NOTE: The router-on-a-stick inter-VLAN method does not scale beyond 50 VLANs.
This section describes how to configure the router-on-a-stick inter-VLAN routing method. You can see in the image below that the router is connected with a switch using a single interface, and can pass multiple VLANs using that interface via a router-on-a-stick inter-VLAN routing configuration.
The router GigabitEthernet 0/0/0 interface is connected to the Layer 2 switch Ethernet 1/1 port. The Ethernet 1/1 is a trunk link that is required to forward traffic within and between VLANs.
To route between VLANs, the Router GigabitEthernet 0/0/0 interface is logically divided into two subinterfaces, as shown in the table below. The table also shows the two VLANs that will be configured on the switch.
| Subinterface | VLAN | IP Address |
|
G0/0/0.100 |
100 |
10.1.100.1/24 |
|
G0/0/0.200 |
200 |
10.1.200.1/24 |
Assume that the Router and Switch have basic configurations. Currently, PC1 and PC2 cannot ping each other because they are on different networks.
To enable the PCs to communicate, we need to configure VLANs and trunking in the switch level, and the router must be configured for inter-VLAN routing.
Complete the following steps to configure Switch with VLANs and trunking:
For each VLAN, you need to create a subinterface in the router-on-a-stick method. A subinterface can be created using the interface_id.subinterface_id format in the global configuration mode. The subinterface syntax is the physical interface followed by a period and a subinterface number. Although not required, it is common to match the subinterface number with the VLAN number.
After creating the subinterface, enable the interface with the "no shutdown" command in the interface configuration mode. All the subinterfaces are disabled if the physical interface is disabled.
In the below configuration, the Router G0/0/0 subinterfaces are configured for VLANs 100 and 200.
After the switch trunk and the router subinterface configurations, the router-on-a-stick configuration is complete. The configuration can be verified from the PC, router, and switch.
From PC1, verify connectivity to a host in another VLAN using the ping command.
The output confirms the IPv4 address and default gateway of PC1. Next, use ping to verify connectivity with PC2, as shown in the below output. The ping reply confirms that inter-VLAN routing is working.
Use the below show commands to verify and troubleshoot the router-on-a-stick configuration.
As shown in the below output, verify that the subinterfaces appear in the router's routing table by using the "show ip route" command. Notice that there are two connected routes (C) and their respective exit interfaces for each routable VLAN. The output confirms that the subnets, VLANs, and subinterfaces are active.
Another useful router command is to show the ip interface brief, as shown below. The output confirms that the subinterfaces have the correct IPv4 address configured and that they are operational.
Subinterfaces can be verified using the show interfaces subinterface-command, as shown in the below output.
Inter-VLAN routing enables routers or Layer 3 switches to route traffic between VLANs.
While it’s sometimes necessary to isolate VLANs and disallow any traffic between them, often some traffic needs to flow between VLANs so certain services and systems are available on any network segment. That’s where inter-VLAN routing comes in.
What are the benefits of inter-VLAN routing?
Inter-VLAN routing allows for communication between different VLANs, which is necessary for certain services and systems to be available across network segments. It also helps in managing network traffic efficiently.
Routers or Layer 3 switches are typically used to implement Inter-VLAN routing. These devices can route traffic between VLANs while preserving broadcast domains.
The ‘Router-on-a-Stick’ model is a common design pattern for Inter-VLAN routing. In this model, a single interface on a router is used to route traffic between multiple VLANs.
By segregating the network into different VLANs and controlling the traffic between them using Inter-VLAN routing, network administrators can add an additional layer of security. This can help prevent unauthorized access and contain potential threats within a single VLAN.