Inter-VLAN routing is the cornerstone of modern switched networks, enabling hosts in different VLANs to communicate. Without it, your network is a collection of isolated islands. On the CCNA 200-301 exam, objective 3.1 tests your ability to troubleshoot inter-VLAN routing failures, a skill essential for any network engineer. Misconfigurations in router-on-a-stick, Layer 3 switching, or VLAN trunking can break connectivity, and this chapter will teach you a systematic approach to diagnose and fix these issues.
Imagine an apartment building with two separate wings: the East Wing (VLAN 10) and the West Wing (VLAN 20). Each wing has its own mail room where residents send and receive mail within their wing. But to send a letter from East to West, the letter must go to the central post office (the router or Layer 3 switch). The central post office reads the apartment number (IP address) and decides which wing it belongs to. For the letter to reach the other wing, the mail carrier must know which mail room is for which wing—this is like the router knowing which VLAN is on which interface or subinterface. If the carrier doesn't have a map (routing table), the letter is lost. Also, the mail rooms must be connected to the post office via dedicated hallways (trunk links). If a hallway is blocked (trunk not allowed) or the carrier doesn't know which hallway leads to which wing (VLAN mismatch on trunk), the letter never gets there. In our network, each VLAN is like a separate wing, the switch is the building's internal mail system, and the router is the central post office that enables cross-wing communication. The VLAN tags on frames are like the apartment numbers on envelopes, telling the switch which VLAN the frame belongs to. When inter-VLAN routing fails, it's usually because the post office (router) isn't configured to handle mail for both wings, or the hallways (trunks) aren't properly set up.
What is Inter-VLAN Routing and Why Does It Exist?
Inter-VLAN routing is the process of forwarding traffic between different VLANs. By default, VLANs segment a Layer 2 network into separate broadcast domains, so hosts in VLAN 10 cannot communicate with hosts in VLAN 20 without a Layer 3 device. Inter-VLAN routing can be implemented using a router (router-on-a-stick) or a multilayer switch (Switch Virtual Interface, SVI). On the CCNA exam, you must be able to troubleshoot both methods.
How Inter-VLAN Routing Works: Packet-Level Walkthrough
Consider a host A in VLAN 10 (192.168.10.2/24) sending a packet to host B in VLAN 20 (192.168.20.2/24).
Host A checks its routing table: destination 192.168.20.2 is not on its local subnet, so it sends the packet to its default gateway (router interface in VLAN 10, e.g., 192.168.10.1).
Host A encapsulates the IP packet in an Ethernet frame with destination MAC = MAC of router interface in VLAN 10. The frame is sent untagged to the access switch port (in VLAN 10).
The switch receives the frame, sees it belongs to VLAN 10, and forwards it out the trunk port to the router (if router-on-a-stick) or to the SVI (if multilayer switch). On a trunk, the switch adds a VLAN tag (802.1Q) with VLAN 10.
The router receives the frame on its subinterface or the SVI receives it. It strips the tag, looks up the destination IP in its routing table, and finds a route to 192.168.20.0/24 via its interface in VLAN 20.
The router (or multilayer switch) then builds a new Ethernet frame destined for host B, using the MAC address of host B (obtained via ARP in VLAN 20). It sends the frame out its interface in VLAN 20, tagged with VLAN 20 on the trunk.
The switch receives the tagged frame, strips the tag, and forwards it out the access port in VLAN 20 to host B.
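The walkthrough above, carried through in Python as an added example (not code from the original chapter): the access switch inserts the 802.1Q tag on the trunk, the router strips it, picks the egress subinterface from its connected subnets, and re-tags the frame for VLAN 20. The IP addresses are the ones used above; the MAC addresses and ARP entries are constructed.

```python
import struct
from ipaddress import IPv4Address, ip_network

# Constructed topology for the walkthrough (MACs and ARP entries are hypothetical).
TPID_8021Q = 0x8100
ROUTER_SUBIFS = {  # router-on-a-stick: VLAN id -> (connected subnet, subinterface MAC)
    10: (ip_network("192.168.10.0/24"), bytes.fromhex("aaaaaa000010")),
    20: (ip_network("192.168.20.0/24"), bytes.fromhex("aaaaaa000020")),
}
ARP_TABLE = {  # what the router would learn via ARP in each VLAN
    IPv4Address("192.168.10.2"): bytes.fromhex("020000001002"),
    IPv4Address("192.168.20.2"): bytes.fromhex("020000002002"),
}

def ipv4_packet(src, dst):
    """Minimal 20-byte IPv4 header (protocol ICMP, checksum left at 0, no payload)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, src.packed, dst.packed)

def tag_frame(untagged, vlan, pcp=0):
    """Switch trunk egress: insert TPID 0x8100 + TCI (PCP:3, DEI:1, VID:12) after the MACs."""
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]

def untag_frame(tagged):
    """Strip the 802.1Q tag; return (vlan, untagged frame)."""
    tpid, tci = struct.unpack("!HH", tagged[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame on trunk: native VLAN traffic")
    return tci & 0x0FFF, tagged[:12] + tagged[16:]

def router_forward(tagged):
    """Router-on-a-stick: strip tag, route on destination IP, re-encapsulate for the egress VLAN."""
    in_vlan, frame = untag_frame(tagged)
    if in_vlan not in ROUTER_SUBIFS or frame[:6] != ROUTER_SUBIFS[in_vlan][1]:
        return None  # no subinterface for this VLAN, or frame not addressed to the gateway MAC
    packet = frame[14:]
    dst_ip = IPv4Address(packet[16:20])  # destination address is at IPv4 header offset 16
    for out_vlan, (subnet, sub_mac) in ROUTER_SUBIFS.items():
        if dst_ip in subnet and dst_ip in ARP_TABLE:
            return tag_frame(ARP_TABLE[dst_ip] + sub_mac + b"\x08\x00" + packet, out_vlan)
    return None  # no connected route (or ARP unresolved): packet dropped

def host_send(src_ip, dst_ip, dst_mac, access_vlan):
    """Host builds an untagged frame; the access switch tags it with the port's VLAN."""
    src_ip, dst_ip = IPv4Address(src_ip), IPv4Address(dst_ip)
    untagged = dst_mac + ARP_TABLE[src_ip] + b"\x08\x00" + ipv4_packet(src_ip, dst_ip)
    return router_forward(tag_frame(untagged, access_vlan))

def host_a_to_host_b():
    """The steps above end to end: A sends to its gateway MAC in VLAN 10; B receives in VLAN 20."""
    out = host_send("192.168.10.2", "192.168.20.2", ROUTER_SUBIFS[10][1], 10)
    out_vlan, egress = untag_frame(out)  # B's access switch port strips the tag
    return out_vlan, egress[:6]          # expected (20, MAC of host B)
```

A frame sent straight to host B's MAC instead of the gateway MAC, or to an address with no connected route, is dropped by `router_forward`, which is the behaviour the walkthrough's step 1 relies on.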
Key Components and Defaults
Router-on-a-Stick: Uses subinterfaces on a single physical interface. Each subinterface is configured with encapsulation dot1q <vlan-id> and an IP address in the respective VLAN subnet.
SVI (Switch Virtual Interface): A Layer 3 interface on a multilayer switch, created with interface vlan <vlan-id>. The switch must have IP routing enabled (ip routing).
Trunking: The link between the switch and router (or between switches) must allow the relevant VLANs. Default allowed VLANs are 1-4094, but the native VLAN (default 1) is untagged.
IP Routing: On a multilayer switch, ip routing is disabled by default. Many candidates forget to enable it.
IOS CLI Verification Commands
show ip interface brief # Check if interfaces are up/up and have correct IP
show interfaces trunk # Verify trunk status and allowed VLANs
show vlan brief # Verify VLANs exist on the switch
show ip route # Check routing table for routes to remote VLANs
show mac address-table # Verify MAC addresses learned on correct VLANs
ping <destination> source <source> # Test connectivity from router
Example output for a working router-on-a-stick:
Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0.10 192.168.10.1 YES manual up up
GigabitEthernet0/0.20 192.168.20.1 YES manual up up
GigabitEthernet0/0 unassigned YES unset up up
If the subinterface shows down/down, check the physical interface and trunk.
Interaction with Related Protocols
STP: Can block redundant links; ensure the trunk is in forwarding state.
VTP: If VTP pruning is enabled, VLANs may be pruned from trunks.
Dynamic Trunking Protocol (DTP): Can cause trunk negotiation failures; set trunk mode to dynamic desirable or trunk on both sides.
Port Security: Can shut down a port if MAC address limits are exceeded.
ACLs: Applied on the router or SVI can block inter-VLAN traffic.
Common Failure Points
VLAN not created on switch: The VLAN must exist in show vlan brief.
Trunk not allowing VLAN: Use switchport trunk allowed vlan add <vlan>.
Wrong encapsulation on subinterface: Must match the trunk encapsulation (dot1q).
IP address mismatch: The router's IP must be in the same subnet as the hosts.
Routing disabled: On multilayer switches, ip routing must be configured.
Native VLAN mismatch: The native VLAN must match on both ends of the trunk; otherwise, CDP errors appear and traffic for the native VLAN may be black-holed.
Verify Physical Connectivity
Start with the basics. Check if the switch port connecting to the router (or between switches) is up/up. Use `show interfaces status` or `show ip interface brief`. If the port is down/down, check cables, power, and interface configuration (no shutdown). If the port is up/down, there may be a Layer 1 issue or a speed/duplex mismatch. On a router-on-a-stick, the physical interface must be up/up for subinterfaces to come up. Also verify that the router's interface is not administratively down.
Check VLAN Existence and Access Ports
Ensure the VLANs used for inter-VLAN routing exist on the switch. Use `show vlan brief` to list all VLANs. If a VLAN is missing, create it with `vlan <vlan-id>`. Then verify that the access ports connecting hosts are in the correct VLANs with `show interfaces <interface> switchport`. The operational mode should be 'static access' and the access VLAN should match the expected VLAN. For example, a host in VLAN 10 should have its port configured with `switchport access vlan 10`.
Verify Trunk Configuration
If using router-on-a-stick, the link between the switch and router must be a trunk. On the switch, check the trunk status with `show interfaces trunk`. Look for the trunk interface in the list and verify that the mode is 'trunk' or 'dynamic desirable' and that the allowed VLAN list includes the needed VLANs. If the trunk is not established, check DTP settings: set both sides to `switchport mode trunk` for reliability. Also verify that the native VLAN matches on both ends; a mismatch can cause traffic issues. On the router, subinterfaces must use `encapsulation dot1Q <vlan-id>`.
Verify Router or SVI IP Configuration
Check that the router's subinterface or the SVI has the correct IP address for the VLAN subnet. Use `show ip interface brief` on the router or multilayer switch. The interface should be up/up. If it is down/down, the VLAN may not exist or the trunk is blocking it. For SVIs, ensure the VLAN exists and the switch has `ip routing` enabled. Use `show ip route` to confirm that the router has a directly connected route for each VLAN subnet. If not, the interface is not operational.
Test Connectivity from the Router
From the router or multilayer switch, ping the hosts in each VLAN using the source IP of the router's interface. For example: `ping 192.168.10.2 source 192.168.10.1`. If the ping succeeds, the router can reach the host. If it fails, check ARP: use `show ip arp` to see if the router has the host's MAC address. If not, the host may be unreachable due to a VLAN mismatch or access port issue. Also verify that the host's default gateway is set to the router's IP.
Verify End-to-End Connectivity
From a host in VLAN 10, ping a host in VLAN 20. If it fails, use traceroute to see where the packet stops. Common issues: the host's default gateway is wrong, the router does not have a route back to the source VLAN, or an ACL is blocking traffic. Check for ACLs on the router interfaces with `show access-lists`. Also verify that the router's routing table includes both VLAN subnets. If using a multilayer switch, ensure that `ip routing` is enabled and that the SVIs are up/up.
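The procedure above, automated as an added example that is not part of the original chapter: it parses constructed `show interfaces trunk` and `show vlan brief` output and reports the common failure points in the Layer 2 then Layer 3 order, including the subnet mask trap. The interface names, VLAN names, host addresses and the router's native VLAN are assumed values.

```python
import re
from ipaddress import ip_address, ip_interface
# Constructed IOS output (not captured from a real device); names and addresses are hypothetical.
SHOW_INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1,10
"""
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
1    default                          active    Gi0/3
10   SALES                            active    Gi0/2
"""
ROUTER_SUBIFS = {10: "192.168.10.1/24", 20: "192.168.20.1/24"}  # encapsulation dot1Q <vid> + ip
ROUTER_NATIVE_VLAN = 1          # untagged VLAN on the router's side of the trunk (assumed)
HOSTS = {"A": ("192.168.10.2/24", "192.168.10.1", 10),    # (ip/prefix, configured gateway, VLAN)
         "B": ("192.168.20.130/25", "192.168.20.1", 20)}  # /25 mask puts the gateway off-subnet

def expand_vlan_list(spec):
    """'1,10-12,20' -> {1, 10, 11, 12, 20}; IOS prints 'none' for an empty list."""
    ranges = [p.partition("-") for p in spec.split(",") if p != "none"]
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def parse_trunk(text):
    """{port: {"native": int, "allowed": set}} from the status and allowed tables of the output."""
    status = re.findall(r"^(\S+)\s+\S+\s+\S+\s+trunking\s+(\d+)", text, re.M)
    allowed = dict(re.findall(r"^(\S+)\s+([\d,\-]+|none)\s*$", text, re.M))
    return {p: {"native": int(n), "allowed": expand_vlan_list(allowed.get(p, "none"))}
            for p, n in status}

def parse_vlans(text):
    """Set of active VLAN IDs listed by 'show vlan brief'."""
    return {int(v) for v in re.findall(r"^(\d+)\s+\S+\s+active\b", text, re.M)}

def diagnose(trunks, switch_vlans, subifs, router_native, hosts):
    """Layer 2 first (trunk, VLAN existence), then Layer 3 (gateway address and subnet mask)."""
    f = []
    for port, t in trunks.items():
        if t["native"] != router_native:
            f.append(f"L2: native VLAN mismatch on {port}: switch {t['native']}, router {router_native}")
        f += [f"L2: VLAN {v} not in allowed list on trunk {port}" for v in subifs if v not in t["allowed"]]
    f += [f"L2: VLAN {v} not created on switch (subinterface/SVI stays down)" for v in subifs if v not in switch_vlans]
    for name, (addr, gw, vid) in hosts.items():
        host, gateway = ip_interface(addr), ip_interface(subifs[vid])
        if ip_address(gw) != gateway.ip:
            f.append(f"L3: host {name} gateway {gw} is not the VLAN {vid} router address {gateway.ip}")
        elif gateway.ip not in host.network:
            f.append(f"L3: host {name} mask /{host.network.prefixlen} puts gateway {gw} off its subnet")
    return f

def run_checks():
    return diagnose(parse_trunk(SHOW_INT_TRUNK), parse_vlans(SHOW_VLAN_BRIEF),
                    ROUTER_SUBIFS, ROUTER_NATIVE_VLAN, HOSTS)
```

On the constructed output `run_checks()` reports four findings: the native VLAN mismatch (99 versus 1), VLAN 20 missing from the allowed list, VLAN 20 not created on the switch, and host B's /25 mask placing its gateway outside its own subnet.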
In a typical enterprise campus network, inter-VLAN routing is implemented on a multilayer switch (Distribution layer) rather than a router-on-a-stick, because it provides higher performance and lower latency. For example, a company with 50 VLANs across multiple floors uses a pair of stacked switches at the core. Each VLAN has an SVI on the switch, and IP routing is enabled. The switch acts as the default gateway for all hosts. Traffic between VLANs is routed at wire speed without leaving the switch.
A common deployment is the 'router-on-a-stick' in small offices where a single router connects to a switch via a trunk. The router handles inter-VLAN routing and also provides WAN connectivity. This is cost-effective but can become a bottleneck as traffic grows.
Performance considerations: Router-on-a-stick is limited by the speed of the single physical link. For high throughput, use a multilayer switch with hardware-based routing. Also, consider using a Layer 3 EtherChannel for increased bandwidth.
Misconfiguration scenarios: A network engineer might accidentally apply an ACL that blocks inter-VLAN traffic, or forget to create a VLAN on the switch, causing the SVI to remain down. Another common issue is the native VLAN mismatch on a trunk, which can cause unpredictable behavior for untagged traffic (like CDP, DTP, and sometimes user traffic if the native VLAN is used). In one real case, a company lost connectivity between VLANs because the trunk port between the core and distribution switches had the native VLAN set to 99 on one end and 1 on the other. CDP reported errors, but the real impact was that traffic for the native VLAN (which included management traffic) was black-holed. The fix was to set the native VLAN consistently on both ends.
The CCNA 200-301 exam tests inter-VLAN routing troubleshooting under Objective 3.1. You will be given a scenario with symptoms (e.g., hosts in different VLANs cannot ping each other) and a partial configuration. You must identify the root cause.
Common wrong answers and why candidates choose them:
1. 'The trunk is down' – Candidates see that the trunk is not listed in show interfaces trunk and assume it's down. But often the trunk is up but not allowing the needed VLAN. Check the allowed VLAN list first.
2. 'The router has no route to the destination' – While true in some cases, the router usually has a directly connected route if the subinterface is up. The real issue might be that the subinterface is down because the VLAN doesn't exist on the switch.
3. 'The host has the wrong default gateway' – This is a valid cause, but candidates often overlook that the host's gateway must be the router's IP in the same VLAN. If the router's IP is misconfigured, the host cannot reach it.
4. 'The switch port is in the wrong VLAN' – This is common, but candidates forget to check the access VLAN on the host's switch port. Use show interfaces <port> switchport.
Specific values and commands:
- show vlan brief – Lists VLANs and their ports. Missing VLANs are a common issue.
- show interfaces trunk – Shows trunk status, allowed VLANs, and native VLAN.
- show ip interface brief – Quick check of interface status and IP.
- debug ip routing – Can show routing table changes, but use with caution in production.
Calculation traps: None directly, but subnetting is crucial. Ensure the router's IP and host's IP are in the same subnet. A common trap is a subnet mask mismatch that causes the host to think the router is on a different network.
Decision rule for scenario questions: Start by checking Layer 1 (cables, interface status), then Layer 2 (VLANs, trunking), then Layer 3 (IP, routing). Use the simplest command first: ping from the router to each host. If that fails, the issue is between router and host. If it succeeds, the issue might be on the host or an ACL.
Inter-VLAN routing requires a Layer 3 device (router or multilayer switch) to forward traffic between VLANs.
Router-on-a-stick uses subinterfaces with 802.1Q encapsulation; each subinterface must match the VLAN ID.
On a multilayer switch, SVIs are used; ensure 'ip routing' is enabled.
The trunk link between switch and router must allow the relevant VLANs; use 'switchport trunk allowed vlan add'.
Native VLAN mismatch on a trunk can cause connectivity issues; use 'switchport trunk native vlan' to set consistently.
Always verify VLAN existence with 'show vlan brief' before troubleshooting routing.
The 'show ip interface brief' command quickly identifies interfaces that are down or missing IP addresses.
These come up on the exam all the time. Here's how to tell them apart.
Router-on-a-Stick
Uses a physical router with one interface trunked to a switch.
Each VLAN is a subinterface with 802.1Q encapsulation.
Performance limited by single link speed.
Router handles all routing in software (unless using hardware acceleration).
Cost-effective for small networks.
Multilayer Switch (SVI)
Uses a single switch with Layer 3 capability.
Each VLAN has a virtual interface (SVI) on the switch.
Routing done in hardware (ASICs) at wire speed.
No external router needed; reduces complexity.
Higher cost but better performance and scalability.
Mistake
A router-on-a-stick subinterface will come up as long as the physical interface is up.
Correct
The subinterface comes up only if the VLAN is allowed on the trunk and the switchport is in trunking mode. If the VLAN is not allowed, the subinterface will be down/down.
Candidates think the subinterface is independent of the trunk, but it relies on the trunk to carry tagged frames for that VLAN.
Mistake
On a multilayer switch, SVIs are automatically up when the VLAN exists.
Correct
An SVI comes up only if the VLAN exists AND there is at least one active access port in that VLAN or a trunk that allows the VLAN. If the VLAN has no ports, the SVI remains down.
Candidates assume the SVI is like a loopback interface, but it requires at least one active Layer 2 port in the VLAN.
Mistake
The native VLAN must be the same on both ends of a trunk, but it does not affect inter-VLAN routing.
Correct
Native VLAN mismatch can cause traffic for the native VLAN to be misdirected or dropped, and it generates CDP error messages. It can affect inter-VLAN routing if the native VLAN is used for any inter-VLAN traffic (e.g., management VLAN).
Candidates think native VLAN only matters for CDP/DTP, but user traffic on the native VLAN is also affected.
Mistake
If a router can ping a host in VLAN 10, then inter-VLAN routing is working.
Correct
The router being able to ping a host only proves Layer 3 connectivity between the router and that host. It does not test routing between VLANs. You must test from a host in one VLAN to a host in another VLAN.
Candidates confuse router-to-host reachability with host-to-host reachability across VLANs.
The subinterface comes up only when the switch port is in trunking mode AND the VLAN is allowed on the trunk AND the VLAN exists on the switch. First, verify the trunk is established with 'show interfaces trunk'. Then check that the VLAN is in the allowed list and exists with 'show vlan brief'. If the VLAN is missing, create it. Also ensure the subinterface encapsulation matches the trunk encapsulation (dot1q).
Yes. By default, IP routing is disabled on Cisco switches. You must enter global configuration mode and issue the 'ip routing' command. Without it, the switch will not forward packets between SVIs, even if the SVIs are up and have IP addresses. You can verify with 'show ip route' – if only connected routes appear and no routing is happening, 'ip routing' is likely missing.
'switchport mode trunk' forces the port to become a trunk unconditionally. 'switchport mode dynamic desirable' actively tries to form a trunk if the other end is set to trunk, dynamic desirable, or dynamic auto. If both ends are dynamic auto, no trunk forms. For reliability in inter-VLAN routing, use 'switchport mode trunk' on both ends.
Yes. The router performs the routing, and the switch provides Layer 2 connectivity. The switch must have a trunk port connecting to the router. The router's subinterfaces handle the VLAN tagging. This is a common setup in small networks.
Use the extended ping command to specify the source interface. For example, 'ping 192.168.20.2 source 192.168.10.1'. This forces the router to use its VLAN 10 interface as the source. If successful, the router can route between VLANs. Then test from hosts to ensure their default gateways are correct.
The native VLAN is the VLAN that carries untagged traffic on an 802.1Q trunk. By default, it is VLAN 1. Both ends of the trunk must agree on the native VLAN; otherwise, frames for the native VLAN are not properly forwarded, and CDP/DTP may report errors. For inter-VLAN routing, if the native VLAN is used for user traffic, a mismatch can cause connectivity loss. Use 'switchport trunk native vlan <vlan>' to set it consistently.
This indicates that the switch can reach the hosts, but the hosts may not have the correct default gateway, or the switch may have an ACL blocking traffic between VLANs. Also check if the hosts have the correct subnet mask and if the switch's SVI IP is configured as the default gateway on the hosts. Use 'show access-lists' to check for ACLs applied to the SVIs.