Imagine you've built a network with multiple VLANs to segment broadcast domains, but now devices in different VLANs can't communicate. That's where Inter-VLAN Routing comes in: it is the mechanism that allows traffic to pass between VLANs, typically using a router or a Layer 3 switch. For the CCNA 200-301 exam you'll need to configure and troubleshoot router-on-a-stick and multilayer switching with SVIs, and you should understand Layer 3 EtherChannel as the related redundant-link design. Mastering this topic is essential because real enterprise networks rely on inter-VLAN routing for segmented communication, and the Layer 3 boundary between VLANs is also where access control between segments is enforced.
Think of a company occupying a multi-floor office building. Each floor (VLAN) is a separate department: Sales on floor 2, Engineering on floor 3, HR on floor 4. Within a floor, employees can move around freely (communicate) because they share the same hallway (broadcast domain). To go from one floor to another, however, you must use the elevator (router). A building with a single elevator shaft is router-on-a-stick: every inter-floor trip squeezes through that one shaft, and when many people need to move between floors it becomes a bottleneck. To solve this, the building installs elevators on every floor (a Layer 3 switch with SVIs) that allow simultaneous movement between floors at much higher speed. The elevator operator decides which floor to stop at (the routing decision) and checks whether the passenger is allowed onto that floor (access control lists). Each floor has a floor captain (default gateway) who sends people to the elevator when they need to leave the floor.
In a real network, the router or Layer 3 switch plays the same role: it receives a frame from one VLAN, strips the 802.1Q tag (if the frame arrived on a trunk), looks up the destination IP in its routing table, rewrites the Ethernet header with its own MAC as source and the destination host's MAC as destination, decrements the TTL, and forwards the packet out the interface belonging to the destination VLAN, adding that VLAN's tag if it leaves on a trunk. The key is that the router must have an interface (physical or virtual) in each VLAN to act as its gateway.
What is Inter-VLAN Routing and Why Do We Need It?
By default, VLANs isolate traffic—a host in VLAN 10 cannot send frames to a host in VLAN 20 because switches do not forward frames between VLANs. This is exactly what we want for security and broadcast containment. But sometimes devices in different VLANs need to communicate (e.g., a PC in the Sales VLAN accessing a server in the Server VLAN). Inter-VLAN routing is the process of forwarding traffic between VLANs using a router or a Layer 3 switch. The router acts as the default gateway for each VLAN, and it performs IP routing between the subnets associated with each VLAN.
Methods of Inter-VLAN Routing
Cisco CCNA covers three methods:
Router-on-a-Stick (ROAS): A single physical router interface is configured as a trunk link to a switch, and subinterfaces are created for each VLAN. Each subinterface is assigned an IP address in the VLAN's subnet and uses 802.1Q encapsulation. This method is simple but limited by the bandwidth of the single physical link.
Multilayer Switch with Switched Virtual Interfaces (SVIs): A Layer 3 switch has the ability to route IP packets internally. You create an SVI (VLAN interface) for each VLAN, assign an IP address, and enable IP routing globally. The switch performs routing at wire speed using hardware (ASICs). This is the most common method in modern enterprise networks.
Layer 3 EtherChannel: You bundle multiple physical links into one logical port-channel, convert the port-channel to a routed interface with no switchport, and assign the IP address to the port-channel interface. This gives a single Layer 3 link with redundancy and aggregated bandwidth, typically between two multilayer switches or toward a router. Note the distinction: a trunk EtherChannel that carries VLANs to a switch with SVIs is a Layer 2 EtherChannel, and the routing there still happens on the SVIs, not on the port-channel.
How Inter-VLAN Routing Works at the Packet/Frame Level
Let's walk through a packet traveling from Host A (VLAN 10, IP 10.1.10.2/24) to Host B (VLAN 20, IP 10.1.20.2/24) using a router-on-a-stick.
Host A knows its own IP, subnet mask, and default gateway (10.1.10.1). It also knows Host B's IP (10.1.20.2). Since Host B is on a different subnet, Host A determines that it must send the packet to its default gateway.
Host A sends an ARP request for 10.1.10.1 (the router's subinterface IP). The switch forwards the broadcast out all access ports in VLAN 10 and also out the trunk port (tagged as VLAN 10) to the router.
The router responds with its MAC address for the VLAN 10 subinterface. Host A now builds an Ethernet frame with destination MAC = router's VLAN 10 MAC, source MAC = its own MAC, and the IP packet inside. The frame is sent to the switch.
The switch receives the frame on an access port in VLAN 10. It looks up the destination MAC in its MAC table. Since the router's MAC is reachable via the trunk port, the switch forwards the frame out the trunk port, adding an 802.1Q tag with VLAN ID 10.
The router receives the tagged frame on its physical interface. The subinterface for VLAN 10 processes it: the router strips the tag, looks at the destination IP (10.1.20.2), and consults its routing table. It finds a route to 10.1.20.0/24 via the VLAN 20 subinterface (10.1.20.1).
The router needs to send the packet out the VLAN 20 subinterface. It checks its ARP cache for 10.1.20.2; if not present, it sends an ARP request out the VLAN 20 subinterface, which is encapsulated with VLAN 20 tag. The switch receives the ARP request, forwards it to all ports in VLAN 20, and Host B responds.
The router now builds a new Ethernet frame with destination MAC = Host B's MAC, source MAC = router's VLAN 20 MAC, and the original IP packet. The frame is sent out the physical interface with VLAN 20 tag.
The switch receives the frame, strips the tag, and forwards it out the access port to Host B.
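The walk above, as an added Python model that is not part of the original page: it builds a real 802.1Q tag with struct, lets a Layer 2 switch object tag and strip frames according to its trunk allowed list, and has a router object do the routing-table lookup, TTL decrement, checksum update and re-tagging. The MAC addresses, port names and the pre-populated ARP entry are constructed sample data, and the model stops (returns None) at the points where a real router would ARP, send an ICMP unreachable, or drop a frame for an unknown tag.

```python
"""Byte-level walk of the packet from Host A (VLAN 10) to Host B (VLAN 20) through a
router-on-a-stick. Added example, not from the page: MAC addresses, port names and the
pre-populated ARP entry are constructed sample data."""
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the 20-byte header; returns 0 for a valid header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, ttl=64):
    """Minimal 20-byte IPv4 header (protocol 1, no payload) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def build_frame(dst_mac, src_mac, ip_packet):
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet

def tag(frame, vid):
    """Insert an 802.1Q tag (TPID 0x8100 + TCI carrying the 12-bit VID) after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

def untag(frame):
    """Return (vid, frame without the tag); vid is None for an untagged (native VLAN) frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF, frame[:12] + frame[16:]

class Switch:
    """Layer 2 only: access ports carry untagged frames, the trunk carries tagged ones,
    and the trunk's allowed list prunes VLANs in both directions."""
    def __init__(self, access_ports, trunk_allowed):
        self.access, self.allowed = access_ports, set(trunk_allowed)

    def access_to_trunk(self, port, frame):
        vid = self.access[port]
        return tag(frame, vid) if vid in self.allowed else None

    def trunk_to_access(self, frame):
        vid, raw = untag(frame)
        return (vid, raw) if vid in self.allowed else None

class RouterOnAStick:
    """One physical interface, one dot1Q subinterface per VLAN, connected routes only."""
    def __init__(self, phys_mac, subinterfaces):
        self.mac = phys_mac            # subinterfaces share the physical MAC, as on a real router
        self.subifs = {vid: ipaddress.ip_interface(a) for vid, a in subinterfaces.items()}
        self.arp = {}                  # (vid, IPv4Address) -> MAC, learned by ARP on that subinterface

    def forward(self, frame):
        vid, raw = untag(frame)
        if vid not in self.subifs or raw[:6] != self.mac:
            return None                # no subinterface for this tag, or not addressed to the gateway
        hdr, payload = raw[14:34], raw[34:]
        ttl, dst = hdr[8], ipaddress.IPv4Address(hdr[16:20])
        routes = [(i.network, v) for v, i in self.subifs.items() if dst in i.network]
        if not routes or ttl <= 1:
            return None                # no route (ICMP unreachable on a real router) or TTL expired
        _, out_vid = max(routes, key=lambda r: r[0].prefixlen)   # longest prefix match
        next_hop_mac = self.arp.get((out_vid, dst))
        if next_hop_mac is None:
            return None                # a real router would ARP on the egress subinterface and retry
        hdr = hdr[:8] + bytes([ttl - 1]) + hdr[9:10] + b"\x00\x00" + hdr[12:]   # decrement TTL
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]      # recompute checksum
        return tag(build_frame(next_hop_mac, self.mac, hdr + payload), out_vid)  # new L2 header, new tag

def demo():
    host_a, host_b, gateway = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:01")
    router = RouterOnAStick(gateway, {10: "10.1.10.1/24", 20: "10.1.20.1/24"})
    router.arp[(20, ipaddress.IPv4Address("10.1.20.2"))] = host_b    # ARP for Host B already resolved
    switch = Switch({"Gi0/2": 10, "Gi0/3": 20}, trunk_allowed=[10, 20])
    frame = build_frame(gateway, host_a, build_ipv4("10.1.10.2", "10.1.20.2"))  # Host A -> gateway MAC
    on_trunk = switch.access_to_trunk("Gi0/2", frame)        # switch tags it VLAN 10 toward the router
    from_router = router.forward(on_trunk)                   # router routes it and re-tags VLAN 20
    out_vid, delivered = switch.trunk_to_access(from_router)  # switch strips the tag for Host B's port
    # The same frame on a trunk whose allowed list omits VLAN 20 never reaches Host B.
    pruned = Switch({"Gi0/2": 10}, trunk_allowed=[10]).trunk_to_access(from_router)
    return {"in_vid": untag(on_trunk)[0], "out_vid": out_vid,
            "dst_mac": mac_str(delivered[:6]), "src_mac": mac_str(delivered[6:12]),
            "ttl": delivered[14 + 8], "checksum_ok": ipv4_checksum(delivered[14:34]) == 0,
            "pruned": pruned}
```

Call demo() to see the frame enter the router tagged 10 and leave tagged 20 with the router's MAC as source, Host B's MAC as destination and the TTL reduced by one; the pruned result shows the trunk allowed-list failure that the troubleshooting section below describes.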
Key Differences: Router-on-a-Stick vs. SVI
Router-on-a-Stick: The router's physical interface connects to a switch port configured as a trunk. Each subinterface is associated with a VLAN using encapsulation dot1q <vlan-id>, and every tagged VLAN needs one. The router forwards in software (CPU), and every inter-VLAN packet crosses the single physical link twice (in on one VLAN, out on another), so that link's bandwidth is the ceiling.
Multilayer Switch with SVIs: The switch routes in hardware (ASICs) at wire speed. You create a VLAN interface (SVI) for each VLAN using interface vlan <vlan-id> and enable routing globally with ip routing. SVIs are virtual and not tied to a physical port; an SVI is up/up only when the VLAN exists in the VLAN database, the SVI is not shut down, and at least one Layer 2 port in that VLAN is up and in spanning-tree forwarding state.
Configuration Examples
Router-on-a-Stick Configuration:
! On the router
interface GigabitEthernet0/0
no shutdown
! No IP address here: the physical interface only ever sees untagged (native VLAN) frames
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.1.20.1 255.255.255.0
!
! Subinterfaces follow the physical interface's state and need no separate no shutdown.
! To route the native VLAN as well, give it a subinterface with: encapsulation dot1Q <vlan-id> native
!
! On the switch (trunk port facing the router)
interface GigabitEthernet0/1
! Only on platforms that also support ISL (e.g. older Catalyst 3560/3750); omit elsewhere:
switchport trunk encapsulation dot1q
! Routers do not speak DTP, so the mode must be set statically and negotiation disabled:
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10,20
Multilayer Switch SVI Configuration:
! Enable IP routing
ip routing
!
! Create VLANs
vlan 10
name Sales
!
vlan 20
name Engineering
!
! Configure access ports
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
!
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20
!
! Create SVIs
interface vlan 10
ip address 10.1.10.1 255.255.255.0
no shutdown
!
interface vlan 20
ip address 10.1.20.1 255.255.255.0
no shutdown
Verification Commands
show ip interface brief
show ip route
show interfaces trunk
show vlan brief
show interfaces [interface] switchport
show mac address-table
Example output for show ip route on a multilayer switch:
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 10.1.10.0/24 is directly connected, Vlan10
C 10.1.20.0/24 is directly connected, Vlan20
Interaction with Related Protocols
ARP: Routers and hosts use ARP to resolve next-hop IP addresses to MAC addresses. The router's ARP cache must have entries for hosts in each VLAN.
Spanning Tree Protocol (STP): STP runs on the switch to prevent loops. If the router is connected via multiple links, STP blocks all but one, so the redundant link carries no inter-VLAN traffic. With SVIs the routing happens inside the switch, but STP still matters indirectly: an SVI's line protocol stays up only while at least one port in that VLAN is up and in the forwarding state.
VLAN Trunking Protocol (VTP): VTP can propagate VLAN information across switches, but it is not required for inter-VLAN routing. In modern networks, VTP is often disabled or set to transparent mode.
Dynamic Trunking Protocol (DTP): DTP negotiates trunking between Cisco switches. A router does not run DTP, so a switch port left in dynamic auto or dynamic desirable mode facing a router never forms a trunk. For router-on-a-stick, configure the port statically with switchport mode trunk and disable negotiation with switchport nonegotiate.
Plan the VLANs and Subnets
Determine the number of VLANs needed and assign IP subnets. Each VLAN must have its own subnet. For example, VLAN 10 = 10.1.10.0/24, VLAN 20 = 10.1.20.0/24. The router or SVI will be the default gateway for each subnet (e.g., .1). Ensure there is no overlap. Also decide on the method: router-on-a-stick (single router with trunk) or multilayer switch with SVIs. For the exam, be prepared to configure both.
Configure VLANs on the Switch
On the switch, create the VLANs using the `vlan <vlan-id>` command in global configuration mode. Optionally give them names. Then assign access ports to the appropriate VLANs using `switchport mode access` and `switchport access vlan <vlan-id>`. For the trunk port (if using router-on-a-stick), configure the port as trunk: `switchport mode trunk` and optionally limit allowed VLANs with `switchport trunk allowed vlan <vlan-list>`. Verify with `show vlan brief`.
Configure Router-on-a-Stick (if applicable)
On the router, go to the physical interface that connects to the switch trunk port and bring it up with `no shutdown`. Do not assign an IP address to the physical interface unless it is meant to serve the untagged native VLAN; every tagged VLAN needs its own subinterface. Create subinterfaces using `interface <type><number>.<subinterface-number>` (the number after the dot is conventionally the VLAN ID, but it is the `encapsulation` command, not the name, that binds the VLAN). For each subinterface, specify the VLAN with `encapsulation dot1Q <vlan-id>` and assign an IP address from the corresponding subnet. Verify with `show ip interface brief` on the router and `show interfaces trunk` on the switch.
Configure SVIs on a Multilayer Switch (if applicable)
On the multilayer switch, first enable IP routing globally with `ip routing`. Then create an SVI for each VLAN using `interface vlan <vlan-id>`. Assign an IP address and subnet mask, and issue `no shutdown`. The SVI comes up only if the VLAN exists in the VLAN database (check `show vlan brief`) and at least one port in that VLAN is up; typing `interface vlan 30` on a switch that has no `vlan 30` creates an SVI that stays down/down. Verify with `show ip interface brief` and `show ip route`. Without `ip routing` the SVIs will still take addresses but will not route between VLANs.
Configure Hosts and Verify Connectivity
Assign IP addresses to hosts in each VLAN with the correct default gateway (the router or SVI IP for that VLAN). From a host in VLAN 10, ping the gateway (e.g., 10.1.10.1). Then ping a host in VLAN 20 (e.g., 10.1.20.2). If successful, inter-VLAN routing is working. If not, troubleshoot using `ping`, `traceroute`, `show ip arp`, `show mac address-table`, and `debug ip packet` (carefully). Also ensure that the router has a route to each subnet (connected routes should appear if interfaces are up).
Troubleshoot Common Issues
Common problems: (1) Hosts cannot ping the gateway – check VLAN assignment on the access port, check trunk allowed VLAN list, ensure the router subinterface or SVI is up/up. (2) Hosts can ping the gateway but not hosts in other VLANs – verify IP routing is enabled on the multilayer switch, check the router's routing table, ensure there are no ACLs blocking traffic. (3) Router-on-a-stick issues – ensure encapsulation dot1Q is correct on each subinterface, and that the physical interface is not shutdown. Use `show interfaces trunk` on the switch to verify the trunk is operational. Also check that the native VLAN matches on both ends (default is VLAN 1; if changed, use `switchport trunk native vlan <vlan>`).
In a typical enterprise, VLANs are used to separate traffic by department (Sales, Engineering, HR) or by function (Voice, Data, Management). Inter-VLAN routing is essential for allowing these groups to communicate while maintaining segmentation. For example, a salesperson might need to access a CRM server in the Server VLAN, or an engineer might need to reach a file server. In production, the most common method is a multilayer switch (e.g., Cisco Catalyst 3850 or 9300) with SVIs, because it routes at wire speed and does not funnel all inter-VLAN traffic through one router link. A single switch is still a single point of failure; redundancy comes from pairing switches, as described below. The switch can also apply access control lists (ACLs) to the SVIs to restrict traffic between VLANs (e.g., permit only HTTP from Sales to the Server VLAN and deny everything else), which is where the security value of segmentation is actually realized.
A typical deployment might involve a collapsed core design where a pair of multilayer switches in a stack or VSS (Virtual Switching System) provide both Layer 2 switching and Layer 3 routing for all VLANs. Each VLAN has an SVI on the switch, and the switch's uplink to the WAN router is a routed port (no VLAN). This design scales well: you can have hundreds of VLANs, and the switch hardware can route between them at line rate. Performance is excellent; a modern switch can route millions of packets per second.
When misconfigured, inter-VLAN routing can cause network outages or security exposure. If an SVI is accidentally assigned the wrong IP subnet, hosts in that VLAN cannot reach their default gateway. If IP routing is not enabled on a multilayer switch, the SVIs do not route, and hosts can only communicate within their own VLAN. Another common mistake is forgetting to add a VLAN to the trunk allowed list on the switch port facing the router, which stops all traffic for that VLAN from reaching the router. In a router-on-a-stick scenario, a native VLAN mismatch means the switch sends one VLAN untagged while the router treats untagged frames as a different VLAN, so those two VLANs lose their gateway and their traffic is merged, while the tagged VLANs keep working and the fault is easy to miss. Keep the native VLAN consistent on both ends, set it to an otherwise unused VLAN, and never carry user data on it: a host in the native VLAN can otherwise send double-tagged 802.1Q frames that a downstream switch forwards into another VLAN (VLAN hopping).
For high availability, many networks use two routers or two multilayer switches with HSRP (Hot Standby Router Protocol) or VRRP to provide a virtual default gateway. This ensures that if one device fails, hosts can still route between VLANs. The configuration involves creating the same SVI on both switches with different IP addresses, then configuring HSRP to share a virtual IP that hosts use as their default gateway.
The CCNA 200-301 exam tests inter-VLAN routing (router-on-a-stick and SVIs) together with VLANs, trunking and the routing table. You can expect questions that ask you to identify the correct configuration, troubleshoot a given scenario, or explain the packet flow. The exam often presents a diagram with a router connected to a switch via a trunk, and you must choose the correct subinterface configuration. Common traps include:
Forgetting to enable IP routing on a multilayer switch: Candidates see that the SVIs have IP addresses and assume the switch will route, but without ip routing, the switch remains a Layer 2 device and will not forward packets between VLANs. The exam might show a switch with SVIs configured but no ip routing command, and ask why hosts cannot ping across VLANs.
Putting a tagged VLAN's IP address on the physical interface instead of a subinterface: In router-on-a-stick, an IP on the physical interface serves only untagged frames, i.e. the switch's native VLAN. Tagged frames are matched to subinterfaces by VLAN ID and never to the physical interface, so a VLAN that arrives tagged is unreachable if its subnet sits on the physical interface. The exam may show interface Gig0/0 carrying the VLAN 10 gateway address with no VLAN 10 subinterface and ask why VLAN 10 hosts cannot reach their gateway.
Using the wrong VLAN ID in encapsulation: Each subinterface must have the correct VLAN ID matching the VLAN it serves. A common mistake is to use the same VLAN ID on two subinterfaces or to omit the encapsulation command entirely. The exam might ask which subinterface configuration is correct for a given VLAN.
Misunderstanding SVI state: An SVI is up/up only if the VLAN exists in the VLAN database and at least one switch port in that VLAN is up/up (and in spanning-tree forwarding state). If the VLAN was never created, or all ports in it are down, the SVI is down/down and hosts cannot reach the gateway. The exam may present a scenario where an SVI is down because no ports are assigned to the VLAN, all such ports are shut down, or the VLAN itself is missing from show vlan brief.
Trunk allowed VLAN list: If the trunk port does not allow the required VLAN, traffic for that VLAN will not reach the router. The exam might show a trunk configured with switchport trunk allowed vlan 1-10 and ask why VLAN 20 traffic fails.
Decision rule for scenario questions: First, determine if the router is a multilayer switch or an external router. If it's a multilayer switch, check if ip routing is enabled. Then check if the SVIs have IP addresses and are up/up. For an external router, check that the physical interface is up and that subinterfaces have correct encapsulation and IP addresses. Finally, verify the switch trunk configuration and VLAN assignments. If hosts can ping their gateway but not remote hosts, the issue is likely routing (missing route or ACL).
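The decision rule above and the checklist under Troubleshoot Common Issues can be applied mechanically to a configuration before it ever reaches a device. As an added example that is not from the original page, the Python below lints IOS-style configuration text for those traps: an IP on the trunk-facing physical interface, a subinterface without encapsulation, duplicate VLAN IDs, addressed SVIs without ip routing, an SVI for a VLAN absent from the VLAN database, a non-trunk port facing the router, a VLAN missing from the trunk allowed list, and a native VLAN mismatch. ROUTER_CFG and SWITCH_CFG are constructed to trigger the checks; the interface names, addresses, and the convention that a router with no 'native' subinterface treats untagged frames as VLAN 1 are assumptions of this example.

```python
"""Static checks for the inter-VLAN routing traps discussed above, run over IOS-style
configuration text. Added example, not from the page: ROUTER_CFG and SWITCH_CFG are
constructed to trip every check; interface names and addresses are assumptions."""
import re

GLOBAL_PREFIXES = ("interface ", "vlan ", "ip routing", "no ip routing", "hostname ", "end")

def parse_blocks(config):
    """Return (global_lines, {interface: [sub-commands]}); 'interface vlan 10' -> key 'vlan10'."""
    glob, blocks, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.lower().startswith(GLOBAL_PREFIXES):
            cur = None                                    # a global command ends the interface block
        m = re.match(r"interface\s+(.+)", line, re.I)
        if m:
            cur = re.sub(r"\s+", "", m.group(1))
            blocks[cur] = []
        elif cur:
            blocks[cur].append(line)
        else:
            glob.append(line)
    return glob, blocks

def first(pattern, lines):
    return next((m for l in lines if (m := re.match(pattern, l, re.I))), None)

def expand_vlans(spec):
    """'1-10,20' -> {1, ..., 10, 20}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def lint_router(config):
    """Router-on-a-stick checks. Returns (findings, tagged VLAN IDs, native VLAN). Convention:
    with no 'native' subinterface the router's untagged frames are taken to be VLAN 1."""
    _, ifs = parse_blocks(config)
    findings, vlans, native = [], set(), 1
    for name, lines in ifs.items():
        enc = first(r"encapsulation dot1q (\d+)( native)?", lines)
        if "." not in name:
            if first(r"ip address ", lines) and any(o.startswith(name + ".") for o in ifs):
                findings.append(f"ip_on_physical:{name}")   # serves only the untagged native VLAN
        elif enc is None:
            findings.append(f"missing_encapsulation:{name}")
        else:
            vid = int(enc.group(1))
            if vid in vlans:
                findings.append(f"duplicate_vlan:{vid}")
            vlans.add(vid)
            if enc.group(2):
                native = vid
    return findings, vlans, native

def lint_switch(config, trunk_port):
    """SVI, VLAN-database and trunk checks. Returns (findings, allowed VLANs, native VLAN)."""
    glob, ifs = parse_blocks(config)
    findings = []
    database = {int(m.group(1)) for l in glob if (m := re.match(r"vlan (\d+)$", l, re.I))}
    svis = {int(m.group(1)): sub for name, sub in ifs.items() if (m := re.match(r"vlan(\d+)$", name, re.I))}
    routed = {vid for vid, sub in svis.items() if first(r"ip address ", sub)}
    if routed and not any(l.lower() == "ip routing" for l in glob):
        findings.append("no_ip_routing")                  # addressed SVIs, but the switch stays Layer 2
    findings += [f"svi_vlan_not_in_database:{v}" for v in sorted(routed - database)]
    trunk = ifs.get(trunk_port, [])
    if not first(r"switchport mode trunk", trunk):
        findings.append(f"not_a_trunk:{trunk_port}")      # routers do not negotiate DTP
    allowed = first(r"switchport trunk allowed vlan (\S+)", trunk)
    native = first(r"switchport trunk native vlan (\d+)", trunk)
    return findings, expand_vlans(allowed.group(1) if allowed else "1-4094"), int(native.group(1)) if native else 1

def lint_pair(router_cfg, switch_cfg, trunk_port):
    """Cross-check the router's subinterfaces against the switch trunk that carries them."""
    r_find, vlans, r_native = lint_router(router_cfg)
    s_find, allowed, s_native = lint_switch(switch_cfg, trunk_port)
    findings = r_find + s_find + [f"vlan_not_allowed_on_trunk:{v}" for v in sorted(vlans - allowed)]
    if r_native != s_native:                              # untagged frames land in different VLANs on each end
        findings.append(f"native_vlan_mismatch:router={r_native},switch={s_native}")
    return findings

ROUTER_CFG = """interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 ip address 10.1.20.1 255.255.255.0
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99
 ip address 10.1.99.1 255.255.255.0
"""
SWITCH_CFG = """vlan 10
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1-10
interface vlan 20
 ip address 10.1.20.2 255.255.255.0
"""
```

Running lint_pair(ROUTER_CFG, SWITCH_CFG, "GigabitEthernet0/1") on the constructed pair returns six findings, one per trap: the physical interface carries an IP, subinterface .20 has no encapsulation, the switch has an addressed SVI but no ip routing, VLAN 20 is missing from its VLAN database, VLAN 99 is tagged on the router but absent from the trunk allowed list, and the switch sends VLAN 99 untagged while the router expects it tagged. The page's own router-on-a-stick configuration, fed through the same function, produces no findings.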
Inter-VLAN routing requires a router or Layer 3 switch to forward packets between VLANs; the router acts as the default gateway for each VLAN.
Router-on-a-stick uses a single physical router interface with 802.1Q subinterfaces, one per VLAN; the switch port must be a trunk.
Multilayer switch SVIs are virtual interfaces that route at wire speed; enable IP routing with 'ip routing' command.
For router-on-a-stick, every tagged VLAN lives on a subinterface with 'encapsulation dot1Q <vlan-id>' and an IP address; the physical interface carries no IP address unless it is meant to serve the untagged native VLAN.
An SVI is up/up only when at least one switch port in that VLAN is up/up; otherwise it is down/down.
Common verification commands: 'show ip interface brief', 'show ip route', 'show interfaces trunk', 'show vlan brief', 'show mac address-table'.
The trunk port must allow the VLANs that need inter-VLAN routing; use 'switchport trunk allowed vlan <vlan-list>'.
These come up on the exam all the time. Here's how to tell them apart.
Router-on-a-Stick
Uses an external router with a single physical link to the switch.
Each VLAN requires a subinterface on the router.
Routing is performed in software (CPU), limited by router processing power.
Bandwidth is shared among all VLANs on the single link.
Simple to configure but less scalable.
Multilayer Switch SVIs
Uses a Layer 3 switch with internal routing hardware (ASICs).
Each VLAN requires a virtual SVI on the switch.
Routing is performed in hardware at wire speed.
Bandwidth is not a bottleneck; each VLAN can use full switch fabric capacity.
More scalable and commonly used in enterprise networks.
Mistake
A router can route between VLANs without any special configuration on the switch.
Correct
The switch port connecting to the router must be configured as a trunk (for router-on-a-stick), or the router must be connected to an access port in each VLAN using a separate router interface per VLAN. Without a trunk, the router only sees frames from that port's access VLAN.
Candidates often think that plugging a router into any switch port automatically allows it to reach all VLANs, but the switch only forwards frames from the port's assigned VLAN (access port) or from allowed VLANs (trunk port).
Mistake
A Layer 3 switch can route between VLANs without any configuration beyond assigning IP addresses to SVIs.
Correct
You must also enable IP routing globally with the 'ip routing' command. Without it, the switch operates as a Layer 2 device and SVIs will not route packets between VLANs.
The term 'Layer 3 switch' implies it can route, but the default IOS image for many switches disables IP routing. Candidates forget the explicit command.
Mistake
The native VLAN on a trunk must be the same as the management VLAN; otherwise, inter-VLAN routing fails.
Correct
The native VLAN can be any VLAN, but it must match on both ends of the trunk. A mismatch is not just a control-plane nuisance: untagged frames belong to a different VLAN on each side, so the two native VLANs are effectively bridged together and the hosts in them lose their gateway, while the tagged VLANs keep working. Between two Cisco switches CDP reports the mismatch and PVST+ can block the port as PVID-inconsistent; a router offers no such safeguard. Keep the native VLAN consistent, and do not use it for user traffic.
Candidates confuse native VLAN with management VLAN. The native VLAN is simply the VLAN that carries untagged frames on a trunk; it does not inherently affect routing.
Mistake
In router-on-a-stick, you can put any one VLAN's IP address on the physical interface and skip its subinterface.
Correct
Only the native VLAN can be served that way, because its frames arrive untagged and are processed by the physical interface. Every VLAN that is tagged on the trunk needs a subinterface with a matching encapsulation dot1Q <vlan-id>; its frames are matched by VLAN ID and never reach the physical interface's address. The cleaner alternative for the native VLAN is a subinterface with 'encapsulation dot1Q <vlan-id> native'.
Some candidates assume any VLAN can borrow the physical interface. In practice only the untagged native VLAN can, and keeping every VLAN on a subinterface avoids the trap entirely.
A routed port is a physical switch port that acts like a router interface—it has an IP address and does not belong to any VLAN. You create a routed port using 'no switchport' in interface configuration mode. An SVI (Switched Virtual Interface) is a virtual interface associated with a VLAN; it requires that at least one physical port in that VLAN is active. Routed ports are used for point-to-point links (e.g., connecting to another router), while SVIs are used for VLAN-based routing. On the exam, know that 'no switchport' converts a port to Layer 3, and you can assign an IP directly.
Yes, you can connect each VLAN to a separate physical interface on the router. For example, connect an access port from VLAN 10 to router interface G0/0, and an access port from VLAN 20 to router interface G0/1. This avoids trunking and subinterfaces. However, it consumes more router interfaces and is less scalable. Router-on-a-stick is more efficient when you have many VLANs. The exam may test both methods, but router-on-a-stick is the classic configuration.
The native VLAN is the VLAN that carries untagged frames on a trunk link. By default, it is VLAN 1. On a router-on-a-stick, frames from the native VLAN arrive untagged, so they can be handled either by an IP address on the physical interface or, more cleanly, by a subinterface with the 'native' keyword: 'encapsulation dot1Q <vlan-id> native'. If the native VLAN mismatches between the switch and router, the two VLANs treated as native on each side are merged and lose their gateway, while user traffic on the tagged VLANs still works. For security, change the native VLAN to an unused VLAN and do not carry user data on it.
Use 'show ip route' on the router or multilayer switch to see connected routes for each VLAN subnet. On a host, ping the default gateway, then ping a host in another VLAN. Use 'traceroute' to see the path. On the router, 'show ip arp' shows MAC-to-IP mappings for hosts. On the switch, 'show mac address-table' shows which MAC addresses are learned on which ports. If pings fail, check 'show interfaces trunk' to ensure the trunk is up and allowed VLANs are correct. Also check 'show ip interface brief' to verify interfaces are up/up.
Yes, that is exactly what router-on-a-stick does. The Layer 2 switch segments VLANs and trunks to the router. The router performs the routing. The switch does not perform any Layer 3 functions. This is a common design for small to medium networks. For larger networks, a multilayer switch is preferred for performance.
The 'ip routing' command enables the switch to function as a router. Without it, the switch forwards only at Layer 2; its SVIs then serve merely as management addresses and cannot forward packets between VLANs. When 'ip routing' is enabled, the switch forwards packets between VLANs based on its routing table. This command is required for inter-VLAN routing via SVIs. It is not needed for router-on-a-stick, because the external router handles routing and the switch stays Layer 2.
STP prevents loops in Layer 2 networks. In a router-on-a-stick design, the router is a single point of connection, so STP does not normally block the path to the router. If the router is connected via multiple links for redundancy, STP blocks all but one, so the extra links add no bandwidth. In a multilayer switch design, STP still governs the Layer 2 ports, and an SVI stays up only while at least one port in its VLAN is in the forwarding state, but the routing decision itself (the CEF lookup) is independent of the STP topology.