Layer 3 switches, also known as multilayer switches, are the workhorses of modern enterprise networks. They combine the speed of hardware-based switching with the intelligence of routing, enabling you to route between VLANs at near-wire speed without the latency of a traditional router-on-a-stick design. For the CCNA 200-301 exam, understanding how to configure and verify inter-VLAN routing on a Layer 3 switch is essential (Exam Objective 3.1: Inter-VLAN routing using Layer 3 switching). In real networks, this is how you segment broadcast domains while maintaining high-performance connectivity between subnets.
Imagine a large train station with multiple platforms, each serving a different train line (VLAN). Passengers (data frames) need to travel between platforms, but they can't walk across the tracks — they must go through the station's main concourse (the Layer 3 switch). In a traditional router-on-a-stick setup, there's a single ticket booth (router) at the concourse that everyone must queue at. Each passenger must stop, show their ticket (frame header rewrite), and then proceed. This creates a bottleneck. Now imagine the station installs an express transfer system: a set of high-speed escalators and walkways that allow passengers to move between platforms without stopping at the ticket booth. The escalators are powered by the station's infrastructure — they are built into the station itself. That's a Layer 3 switch. The switch fabric (the escalators) can forward frames between VLANs at hardware speed using application-specific integrated circuits (ASICs). The station master (the switch's CPU) only gets involved for the first passenger to a new platform (the first packet to a new destination), to set up the route in the escalator's routing table (the FIB). After that, all subsequent passengers zip through without CPU intervention. This is called 'route once, switch many.' The express system still respects the rules of the station (routing protocols, ACLs), but it does so without the delay of a central queue. In networking terms, the switch uses a multilayer switching architecture: the route processor (CPU) performs initial routing lookups and populates the hardware forwarding tables (TCAM), enabling wire-speed forwarding for subsequent packets in the same flow.
What is a Layer 3 Switch?
A Layer 3 switch is a device that operates at both Layer 2 (data link) and Layer 3 (network) of the OSI model. It can switch frames within a VLAN using MAC address tables, and it can route packets between VLANs using IP routing tables. The key innovation is that the routing is done in hardware (ASICs) rather than software (CPU), which allows for much higher throughput than a traditional router.
Why Not Just Use a Router?
Traditional routers route in software, meaning the CPU must process each packet. This works fine for WAN links but becomes a bottleneck when routing between many VLANs on a LAN. A router-on-a-stick design uses a single trunk link to a router, which must handle all inter-VLAN traffic. This creates a single point of congestion and limits throughput to the speed of that link. A Layer 3 switch, on the other hand, has a high-speed backplane that can route packets at wire speed between any ports, making it ideal for campus networks where many VLANs need to communicate.
How Layer 3 Switching Works
Layer 3 switching combines two processes: routing and switching. The switch maintains both a MAC address table (Layer 2) and a routing table (Layer 3). When a frame arrives at an interface, the switch examines the destination MAC address. If the destination MAC is the switch's own interface (for the VLAN), the switch knows the frame is destined for another VLAN and performs routing. The routing decision is based on the destination IP address, which is looked up in the routing table. The switch then rewrites the source and destination MAC addresses and forwards the frame out the appropriate port.
Cisco Express Forwarding (CEF)
Cisco switches use CEF for hardware-based routing. CEF builds two main tables: the Forwarding Information Base (FIB) derived from the routing table, and the adjacency table derived from ARP. The FIB contains destination prefixes and next-hop information. The adjacency table contains Layer 2 rewrite information (MAC addresses and output interfaces). When a packet arrives, the switch performs a lookup in the FIB to find the next hop, then looks up the adjacency table to get the new MAC addresses, and forwards the packet entirely in hardware. This is incredibly fast and efficient.
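The lookup sequence described above (destination MAC check, FIB longest-prefix match, adjacency rewrite) can be modeled in a few lines. This is an added teaching sketch, not Cisco's implementation and not code from the original page; the static route, host MAC addresses, port names and the single shared SVI MAC are constructed assumptions.

```python
import ipaddress

ip, net = ipaddress.ip_address, ipaddress.ip_network
# SVI MAC taken from the 'show interfaces vlan 10' output; assumed shared by all SVIs.
SVI_MAC = "aabb.cc00.0100"

# FIB: prefix -> (next hop, egress SVI). A next hop of None means directly connected.
FIB = {
    net("192.168.10.0/24"): (None, "Vlan10"),
    net("192.168.20.0/24"): (None, "Vlan20"),
    net("10.1.0.0/16"): (ip("192.168.20.254"), "Vlan20"),  # constructed static route
}

# Adjacency table: (SVI, next-hop IP) -> (MAC, physical port), learned via ARP.
# All values here are constructed.
ADJACENCY = {
    ("Vlan10", ip("192.168.10.10")): ("0050.7966.6810", "Gi0/1"),
    ("Vlan20", ip("192.168.20.10")): ("0050.7966.6820", "Gi0/2"),
}

# Constructed frame: host in VLAN 10 sending to a host in VLAN 20 via its gateway.
FRAME = {"src_mac": "0050.7966.6810", "dst_mac": SVI_MAC,
         "src_ip": "192.168.10.10", "dst_ip": "192.168.20.10", "ttl": 64}


def forward(frame):
    """Return (action, detail) for one IPv4 frame: FIB lookup, then adjacency rewrite."""
    if frame["dst_mac"] != SVI_MAC:
        return ("switch", "not addressed to the SVI: Layer 2 forwarding inside the VLAN")
    dst = ip(frame["dst_ip"])
    matches = [p for p in FIB if dst in p]
    if not matches:
        return ("drop", f"no FIB entry for {dst}")
    prefix = max(matches, key=lambda p: p.prefixlen)  # longest-prefix match
    next_hop, svi = FIB[prefix]
    if next_hop is None:
        next_hop = dst  # connected prefix: the destination itself is the next hop
    adj = ADJACENCY.get((svi, next_hop))
    if adj is None:
        return ("punt", f"no adjacency for {next_hop} on {svi}: CPU must ARP first")
    if frame["ttl"] <= 1:
        return ("punt", "TTL expired: CPU generates the ICMP error")
    mac, port = adj
    # Layer 2 rewrite: new source/destination MAC, TTL decremented, IP addresses untouched.
    routed = dict(frame, src_mac=SVI_MAC, dst_mac=mac, ttl=frame["ttl"] - 1)
    return ("route", {"port": port, "svi": svi, "frame": routed})


if __name__ == "__main__":
    print(forward(FRAME))
    print(forward(dict(FRAME, dst_ip="10.1.2.3")))
```

The second call is punted because the constructed next hop 192.168.20.254 has no ARP-derived adjacency yet, which is the dependency on ARP that the adjacency table introduces.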
Configuring Inter-VLAN Routing on a Layer 3 Switch
To enable routing on a Layer 3 switch, you must first enable IP routing globally. Then, you create VLANs and assign switch ports to them. Finally, you create switched virtual interfaces (SVIs) for each VLAN and assign IP addresses. The SVI serves as the default gateway for hosts in that VLAN. Here is a basic configuration:
Switch(config)# ip routing
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Engineering
Switch(config-vlan)# exit
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Verification Commands
Use the following commands to verify Layer 3 switching:
Switch# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan10 192.168.10.1 YES manual up up
Vlan20 192.168.20.1 YES manual up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/2 unassigned YES unset up up
Switch# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan10
L 192.168.10.1/32 is directly connected, Vlan10
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan20
L 192.168.20.1/32 is directly connected, Vlan20
Switch# show interfaces vlan 10
Vlan10 is up, line protocol is up
Hardware is EtherSVI, address is aabb.cc00.0100 (bia aabb.cc00.0100)
Internet address is 192.168.10.1/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Interaction with Related Protocols
Layer 3 switching relies on ARP to resolve next-hop IP addresses to MAC addresses for the adjacency table. It also works with routing protocols like OSPF and EIGRP, which populate the routing table that feeds the FIB. Additionally, VLAN trunking (802.1Q) is often used to carry multiple VLANs between switches, and Layer 3 switches can route between VLANs that are trunked. The switch must have an SVI for each VLAN that needs to be routed.
Key Timers and Defaults
ARP timeout: 4 hours (default on Cisco switches)
CEF is enabled by default on most Layer 3 switches
The switch's routing table is populated by directly connected networks (SVIs) and any configured routing protocols
The FIB is updated when the routing table changes; the adjacency table is updated when ARP entries change
Enable IP Routing Globally
By default, a switch operates as a Layer 2 device. To enable routing functionality, you must issue the `ip routing` command in global configuration mode. This command activates the switch's routing engine and allows it to make Layer 3 forwarding decisions. Without this command, the switch will only switch frames within the same VLAN, and SVIs will remain in a down/down state if no other routing process is active. This is a common oversight in lab scenarios: candidates forget to enable `ip routing` and then wonder why inter-VLAN ping fails.
Create VLANs and Assign Ports
Create the VLANs that represent your subnets using the `vlan` command in global config. For example, `vlan 10` creates VLAN 10. Then, assign switch ports to these VLANs using `switchport mode access` and `switchport access vlan 10` under the interface configuration. This step is identical to configuring a Layer 2 switch. The ports will be in the respective VLANs, and hosts connected to them will belong to those VLANs. Ensure the ports are up with `no shutdown`.
Configure Switched Virtual Interfaces (SVIs)
An SVI is a virtual interface that represents a VLAN as a Layer 3 interface. Create an SVI for each VLAN using `interface vlan <vlan-id>`. Assign an IP address to the SVI that will serve as the default gateway for hosts in that VLAN. For example, `ip address 192.168.10.1 255.255.255.0`. Then issue `no shutdown` to activate the SVI. The SVI will come up only if the VLAN exists and at least one switch port in that VLAN is up (or if the VLAN is created and no shutdown is issued, but it may show up/up with no ports).
Verify SVI and Routing Table
Use `show ip interface brief` to confirm that the SVIs are up/up and have the correct IP addresses. Then use `show ip route` to see the directly connected routes. You should see entries like `C 192.168.10.0/24 is directly connected, Vlan10`. If the SVI is down, the route will not appear. This is a common troubleshooting step: if a ping from one VLAN to another fails, check that both SVIs are up and the routing table has the expected entries.
Test Inter-VLAN Connectivity
From a host in VLAN 10 (e.g., 192.168.10.10), ping the host in VLAN 20 (192.168.20.10). The ping should succeed if the Layer 3 switch is correctly configured. If it fails, check the following: 1) Are the SVIs up? 2) Do the hosts have the correct default gateway (the SVI IP)? 3) Is `ip routing` enabled? 4) Are there any ACLs blocking traffic? Use `debug ip packet` with caution in a lab to see routing decisions, but avoid it in production.
Examine CEF Forwarding Tables
To see the hardware forwarding tables, use `show ip cef` and `show adjacency`. The `show ip cef` command displays the FIB entries, which include the prefix and next-hop information. The `show adjacency` command shows the Layer 2 rewrite information. For example, `show adjacency vlan 10 detail` will show the MAC address and output interface for each adjacency. These commands are useful for advanced troubleshooting, especially when traffic is not being forwarded as expected due to CEF inconsistencies.
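The verification steps above can be automated by parsing saved command output and cross-checking it. The following is an added example, not part of the original page: the function names are hypothetical, the sample text is constructed from the outputs shown earlier (Vlan30 is an invented failing SVI), and it assumes the configuration contains a literal `ip routing` line when routing is enabled.

```python
import ipaddress
import re

# Constructed sample inputs, modeled on the command output shown on this page.
SAMPLE_CONFIG = "hostname Switch\nip routing\ninterface Vlan10\n"
SAMPLE_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 192.168.10.1    YES manual up                    up
Vlan20                 192.168.20.1    YES manual up                    up
Vlan30                 192.168.30.1    YES manual down                  down
GigabitEthernet0/1     unassigned      YES unset  up                    up
"""
SAMPLE_IP_ROUTE = """\
C        192.168.10.0/24 is directly connected, Vlan10
L        192.168.10.1/32 is directly connected, Vlan10
C        192.168.20.0/24 is directly connected, Vlan20
L        192.168.20.1/32 is directly connected, Vlan20
"""


def parse_ip_int_brief(text):
    """Return {interface: (ip or None, status, protocol)} from 'show ip interface brief'."""
    rows = {}
    for line in text.splitlines():
        # Status can be two words ("administratively down"), so match it lazily.
        m = re.match(r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+(.+?)\s+(\S+)\s*$", line)
        if not m:
            continue  # header line or unrelated text
        ip = None if m.group(2) == "unassigned" else ipaddress.ip_address(m.group(2))
        rows[m.group(1)] = (ip, m.group(5), m.group(6))
    return rows


def parse_connected_routes(text):
    """Return [(network, interface)] for every 'C' line in 'show ip route'."""
    pattern = r"^C\s+(\d+\.\d+\.\d+\.\d+/\d+) is directly connected, (\S+)"
    found = (re.match(pattern, line.strip()) for line in text.splitlines())
    return [(ipaddress.ip_network(m.group(1)), m.group(2)) for m in found if m]


def audit(running_config, int_brief, ip_route):
    """Apply the page's troubleshooting checklist and return a list of findings."""
    findings = []
    if not re.search(r"^ip routing\s*$", running_config, re.MULTILINE):
        findings.append("ip routing is not enabled: SVIs cannot route between VLANs")
    routes = parse_connected_routes(ip_route)
    for name, (ip, status, proto) in parse_ip_int_brief(int_brief).items():
        if not name.startswith("Vlan"):
            continue  # only SVIs matter for inter-VLAN routing
        if ip is None:
            findings.append(f"{name}: no IP address, cannot serve as a default gateway")
        elif (status, proto) != ("up", "up"):
            findings.append(f"{name}: {status}/{proto}; check the VLAN exists and has an up port")
        elif not any(ip in network and ifc == name for network, ifc in routes):
            findings.append(f"{name}: up/up but no connected route covers {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_INT_BRIEF, SAMPLE_IP_ROUTE):
        print(finding)
```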
In enterprise networks, Layer 3 switches are deployed as distribution layer devices in a three-tier hierarchical design. The access layer switches connect end devices and group them into VLANs. These access switches uplink to distribution layer switches, which are typically Layer 3 switches that route between VLANs. This design allows for efficient use of bandwidth and reduces the load on the core layer. For example, a university might have a separate VLAN for each department (e.g., Engineering, Science, Arts). The distribution layer switch routes traffic between these VLANs, allowing students in Engineering to access servers in Science without traversing the core. The core layer then handles traffic that must go to other buildings or the internet.
Another common scenario is using a Layer 3 switch as a collapsed core in a small to medium-sized business. Here, the switch performs both routing and switching for the entire network. It connects to the WAN router for internet access and to access switches for user connectivity. This simplifies the design and reduces cost while still providing high performance.
Performance considerations: Layer 3 switches can forward millions of packets per second (pps) because routing is done in hardware. However, features like NAT, VPN, or advanced ACLs may require software processing (CPU), which can slow down traffic. In production, network engineers must be aware of the switch's hardware capabilities and avoid enabling features that are not supported in hardware on the specific platform.
Misconfiguration scenarios: A common mistake is forgetting to enable ip routing. The switch then operates as a Layer 2 device, and inter-VLAN traffic fails. Another issue is misconfigured SVIs — for example, using the wrong IP address or subnet mask, which causes hosts to be unreachable. Also, if a VLAN is not created or all ports in a VLAN are down, the SVI will be down, and routing will not occur. In larger networks, routing protocol misconfiguration (e.g., OSPF area mismatch) can prevent routes from being exchanged, causing black holes.
For CCNA 200-301, Exam Objective 3.1 focuses on configuring and verifying inter-VLAN routing using Layer 3 switching. You must know how to enable IP routing, create SVIs, assign IP addresses, and verify connectivity. The exam will test your ability to troubleshoot a misconfigured Layer 3 switch scenario.
Common wrong answers:
1. Enabling routing on a Layer 2 switch: Candidates often think that any switch can route. Only multilayer switches support ip routing. A standard Layer 2 switch will reject the command. The exam may present a scenario where a switch cannot be configured for routing, and the correct answer is to use a router-on-a-stick or upgrade the hardware.
2. Forgetting to create the VLAN before the SVI: The SVI will not come up if the VLAN does not exist in the VLAN database. Candidates might configure interface vlan 10 without first creating vlan 10. The SVI will appear but may be in a down state. The exam may show a show ip interface brief output where an SVI is down, and you must identify that the VLAN is missing.
3. Using the wrong IP address on the SVI: The SVI IP must be the default gateway for hosts in that VLAN. If the IP is in a different subnet, hosts cannot reach the gateway. The exam may give a scenario where hosts can ping each other within the same VLAN but cannot ping the SVI, indicating an IP misconfiguration.
4. Confusing SVIs with routed ports: A routed port is a physical port configured as a Layer 3 interface (using no switchport). SVIs are virtual. The exam may ask which interface type is used for inter-VLAN routing on a multilayer switch. The correct answer is SVI, not a routed port, because SVIs allow routing between VLANs without consuming physical ports.
Calculation traps: There are no calculations specific to Layer 3 switching, but you may need to determine the correct subnet for an SVI based on the VLAN's IP range.
Decision rule: For scenario questions asking how to route between VLANs on a single switch, the answer is almost always "Configure an SVI on the switch" if the switch supports Layer 3. If the switch is Layer 2 only, then you need a router-on-a-stick or an external router.
Enable IP routing globally with 'ip routing' to allow Layer 3 switching.
Create SVIs using 'interface vlan <vlan-id>' and assign an IP address as the default gateway.
The SVI will be up/up only if the VLAN exists and at least one switch port in that VLAN is up.
Use 'show ip route' to verify directly connected routes via SVIs.
CEF (Cisco Express Forwarding) is used for hardware-based routing; show with 'show ip cef'.
A Layer 2 switch cannot perform routing; you need a multilayer switch.
The 'no switchport' command creates a routed port, not an SVI; SVIs are virtual.
These come up on the exam all the time. Here's how to tell them apart.
Router-on-a-Stick
Uses an external router with a single trunk link to the switch.
All inter-VLAN traffic must traverse the trunk link, creating a bottleneck.
Router performs routing in software (CPU), limiting throughput.
Scalability is limited by the router's CPU and trunk bandwidth.
Configuration involves subinterfaces on the router with 802.1Q encapsulation.
Layer 3 Switch (SVI)
Integrated routing and switching in one device.
Routing occurs in hardware (ASICs) at wire speed.
No single point of congestion; traffic stays within the switch backplane.
Highly scalable; can handle many VLANs without performance degradation.
Configuration uses SVIs; no trunk needed for internal routing.
Mistake
Any switch can route between VLANs if you assign IP addresses to VLAN interfaces.
Correct
Only multilayer switches (e.g., Catalyst 3560, 3650, 3850) support routing. Layer 2 switches (e.g., 2960) do not have the hardware or software capability to route; they will reject the 'ip routing' command.
Candidates often assume all switches are the same because the configuration looks similar.
Mistake
You must use 'no switchport' on an interface to create a routed interface for inter-VLAN routing.
Correct
Inter-VLAN routing on a multilayer switch is done using SVIs (virtual interfaces), not routed ports. Routed ports are used for connecting to routers or other Layer 3 devices, not for routing between VLANs on the same switch.
The term 'routed port' sounds like it should be used for routing, but SVIs are the correct method for inter-VLAN routing.
Mistake
The SVI will come up as soon as you configure it with 'no shutdown'.
Correct
An SVI will only come up if the VLAN exists in the VLAN database AND at least one switch port in that VLAN is in the up/up state (or the VLAN is created and the SVI is administratively up, but the line protocol may show down if no ports are active).
Candidates forget that SVIs depend on Layer 2 connectivity.
Mistake
You need to configure a routing protocol for directly connected VLANs to communicate.
Correct
Directly connected networks (SVIs) are automatically added to the routing table when they are up. No routing protocol is needed for inter-VLAN routing on the same switch. Routing protocols are only needed to exchange routes with other routers.
Candidates often think routing protocols are always required for any routing.
Yes, you must enable 'ip routing' globally. Without it, the switch will not perform routing, and SVIs will not be able to forward packets between VLANs. The SVIs will still come up if the VLAN exists and ports are active, but they will not route traffic. This is a common mistake in labs.
An SVI is a virtual interface associated with a VLAN, used for inter-VLAN routing. A routed port is a physical switch port configured as a Layer 3 interface using 'no switchport', typically used to connect to a router or another Layer 3 device. SVIs are the correct method for routing between VLANs on the same switch.
No, a Layer 2 switch cannot route. It can only switch frames within the same VLAN. To route between VLANs, you need a Layer 3 switch or an external router (router-on-a-stick). The Catalyst 2960 series, for example, is Layer 2 only.
An SVI will be down if the VLAN does not exist in the VLAN database or if no switch port in that VLAN is in the up/up state. Create the VLAN with 'vlan <id>' and ensure at least one port is assigned to that VLAN and is up (no shutdown).
CEF (Cisco Express Forwarding) is the default forwarding mechanism on Cisco switches and routers. It builds a FIB from the routing table and an adjacency table from ARP, allowing hardware-based forwarding. This enables wire-speed routing without CPU involvement for most packets.
Use 'show ip route' to see connected routes for each SVI. Use 'show ip interface brief' to confirm SVIs are up/up. Finally, ping from a host in one VLAN to a host in another VLAN to test connectivity. You can also use 'traceroute' to see the path.
Yes, Layer 3 switches support dynamic routing protocols like OSPF, EIGRP, and RIP. You can configure them to exchange routes with other routers. The routing table is then used to populate the FIB for hardware forwarding.