This chapter covers inter-VLAN routing methods, a core topic for Network+ N10-009 exam objective 2.1 (Network Implementation). Inter-VLAN routing enables communication between devices on different VLANs, which are logically separate broadcast domains. Expect 5-10% of exam questions to touch on this area, focusing on the three primary methods: router-on-a-stick, multilayer switching, and Layer 3 switch with routed ports. Understanding the differences, configuration, and troubleshooting of these methods is essential for the exam and real-world network design.
Imagine a large office building divided into multiple departments: Sales, Engineering, and HR. Each department occupies its own floor, and employees on a floor speak only their own language (e.g., Sales speaks Spanish, Engineering speaks German, HR speaks French). To communicate with someone on another floor, an employee must go through a central receptionist who is fluent in all languages. The receptionist receives a message in Spanish from Sales, translates it to German, and delivers it to Engineering. Each floor has a dedicated phone line (VLAN), and the receptionist is the only person with phones connected to all lines (router). If the receptionist is slow or makes translation errors, inter-department communication suffers. This mirrors inter-VLAN routing: each VLAN is a separate broadcast domain (language), and a router (receptionist) is required to forward packets between VLANs; it makes the IP routing decision and rewrites the Layer 2 (MAC) header for the destination VLAN. Without the router, devices on different VLANs cannot communicate, just as employees on different floors cannot talk without the receptionist.
What is Inter-VLAN Routing and Why It Exists
VLANs (Virtual Local Area Networks) segment a physical network into multiple logical broadcast domains. By default, devices in different VLANs cannot communicate because each VLAN is a separate subnet and broadcast domain. Inter-VLAN routing is the process of forwarding traffic between these VLANs, allowing devices in different VLANs to communicate as if they were on the same network. This is necessary for any network that uses VLANs for segmentation (e.g., separating departments, guest networks, or management traffic) while still requiring cross-VLAN communication (e.g., a user in Sales accessing a server in Engineering).
How Inter-VLAN Routing Works Internally
Inter-VLAN routing operates at Layer 3 (Network layer) of the OSI model. When a device in VLAN 10 wants to send a packet to a device in VLAN 20, it first determines that the destination IP is on a different subnet. It then sends the packet to its default gateway (the router interface in VLAN 10). The router receives the frame, strips the Layer 2 header, inspects the destination IP, and consults its routing table. If the route exists (directly connected or static/dynamic), the router rewrites the Layer 2 header with the destination MAC address of the target device (or next-hop router) and forwards the frame out the appropriate interface associated with VLAN 20.
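The forwarding path just described, worked through as an added example (not code from the original chapter): a host decides whether to send directly or to its default gateway, and a router-on-a-stick receives the 802.1Q-tagged frame on its trunk, picks the subinterface by VLAN tag, looks up the destination subnet, rewrites the Layer 2 header and re-tags the frame for the outgoing VLAN. The subinterface addresses match the chapter's router-on-a-stick config; the MAC addresses and ARP cache entries are constructed values.

```python
import ipaddress
from typing import Optional

# Constructed topology (assumed values, not a real device): the router subinterfaces from the
# chapter's router-on-a-stick config, plus an ARP cache the router would have learned per VLAN.
SUBINTERFACES = {
    10: ipaddress.ip_interface("192.168.10.1/24"),  # Gi0/0.10, gateway for VLAN 10
    20: ipaddress.ip_interface("192.168.20.1/24"),  # Gi0/0.20, gateway for VLAN 20
}
ARP_CACHE = {"192.168.10.10": "aa:aa:aa:00:00:10", "192.168.20.2": "bb:bb:bb:00:00:20"}
ROUTER_MAC = "cc:cc:cc:00:00:01"  # MAC shared by both subinterfaces


def host_next_hop(src_ip: str, dst_ip: str, mask: str, gateway: str) -> str:
    """Host side: same subnet -> deliver directly, otherwise hand the packet to the default gateway."""
    local_net = ipaddress.ip_interface(f"{src_ip}/{mask}").network
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway


def route_frame(frame: dict) -> Optional[dict]:
    """Router side: an 802.1Q-tagged frame arrives on the trunk. Pick the subinterface by VLAN tag,
    check it is addressed to the gateway, look up the destination subnet, rewrite the L2 header
    and re-tag for the outgoing VLAN. Returns None when the router would drop the frame."""
    if frame["vlan"] not in SUBINTERFACES:
        return None  # no subinterface for this tag: frame dropped
    if frame["dst_mac"] != ROUTER_MAC:
        return None  # not sent to the gateway: the switch forwards it, the router ignores it
    if frame["ttl"] <= 1:
        return None  # TTL expired
    dst_ip = ipaddress.ip_address(frame["dst_ip"])
    # The routing table here is only the directly connected subnets, one per subinterface
    for out_vlan, iface in SUBINTERFACES.items():
        if dst_ip in iface.network:
            next_mac = ARP_CACHE.get(str(dst_ip))
            if next_mac is None:
                return None  # router would first ARP on out_vlan; nothing forwarded yet
            return {"vlan": out_vlan, "src_mac": ROUTER_MAC, "dst_mac": next_mac,
                    "src_ip": frame["src_ip"], "dst_ip": frame["dst_ip"], "ttl": frame["ttl"] - 1}
    return None  # no matching route


def send(src_ip: str, src_mac: str, vlan: int, dst_ip: str) -> Optional[dict]:
    """End to end: host decides the next hop, builds the tagged frame, router forwards it."""
    gw = SUBINTERFACES[vlan]
    next_hop = host_next_hop(src_ip, dst_ip, str(gw.network.netmask), str(gw.ip))
    if next_hop == dst_ip:
        return {"vlan": vlan, "direct": True}  # stays in the VLAN, never reaches the router
    frame = {"vlan": vlan, "src_mac": src_mac, "dst_mac": ROUTER_MAC,
             "src_ip": src_ip, "dst_ip": dst_ip, "ttl": 64}
    return route_frame(frame)
```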
Key Components, Values, Defaults, and Timers
Router-on-a-Stick: Uses a single physical router interface configured as a trunk link (802.1Q) to connect to a switch. Subinterfaces are created for each VLAN, each with an IP address serving as the default gateway for that VLAN. The router must support 802.1Q trunking and have enough CPU to handle inter-VLAN traffic.
Multilayer Switch: A switch that can perform both Layer 2 switching and Layer 3 routing. It uses Switch Virtual Interfaces (SVIs) — logical interfaces associated with each VLAN. The switch routes between SVIs internally, without needing an external router. Default: SVIs are created automatically when VLANs are created on some switches, but must be explicitly configured with an IP address and 'no shutdown'.
Layer 3 Switch with Routed Ports: Individual switch ports are configured as Layer 3 (routed) ports, assigning an IP address directly to the port. This is similar to a router interface. Used for point-to-point links between switches or routers.
Default Gateway: Each VLAN's default gateway IP is the IP assigned to the router subinterface or SVI for that VLAN. Devices in the VLAN must have this configured (often via DHCP).
802.1Q Trunking: The trunk link carries frames from multiple VLANs, tagging each frame with a VLAN ID. The native VLAN (default VLAN 1) is untagged.
ARP: The router performs ARP for each VLAN to resolve next-hop IP addresses to MAC addresses.
Timers: No specific timers for inter-VLAN routing itself, but ARP cache timeout (default 4 hours on Cisco devices) affects performance.
Configuration and Verification Commands
Router-on-a-Stick (Cisco IOS)
interface GigabitEthernet0/0
no shutdown
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
Multilayer Switch (Cisco IOS)
ip routing
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
no shutdown
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
no shutdown
Verification Commands
show ip interface brief – lists interfaces and their IP addresses.
show vlan brief – shows VLANs and assigned ports.
show interfaces trunk – displays trunk links and allowed VLANs.
show ip route – displays routing table.
ping and traceroute – test connectivity.
Interaction with Related Technologies
STP (Spanning Tree Protocol): On trunk links, STP must be configured to prevent loops. A misconfigured trunk can cause broadcast storms.
VTP (VLAN Trunking Protocol): VTP propagates VLAN information across switches, but is optional and can cause issues if mismatched.
DHCP: DHCP servers can provide IP addresses including default gateway. The router or switch must have DHCP relay (ip helper-address) to forward broadcast DHCP requests across VLANs.
ACLs: Access control lists can be applied to router subinterfaces or SVIs to filter traffic between VLANs.
HSRP/VRRP: First Hop Redundancy Protocols provide default gateway redundancy. They use a virtual IP address shared between multiple routers or multilayer switches.
Trap Patterns
Trap 1: Thinking a Layer 2 switch can route between VLANs without a router. Reality: Layer 2 switches only forward frames based on MAC addresses; they cannot make Layer 3 decisions.
Trap 2: Assuming router-on-a-stick is always the best choice. Reality: It creates a bottleneck because all inter-VLAN traffic must traverse a single link and router CPU.
Trap 3: Forgetting to enable 'ip routing' on a multilayer switch. Without it, SVIs will not route.
Trap 4: Misconfiguring the native VLAN on a trunk. If the native VLAN does not match on both ends, control traffic (CDP, VTP) may fail.
Trap 5: Using the wrong encapsulation (ISL vs. 802.1Q). Modern networks use 802.1Q; ISL is obsolete.
Identify VLANs and Subnets
Determine the VLAN IDs and their corresponding IP subnets. For example, VLAN 10 uses 192.168.10.0/24, VLAN 20 uses 192.168.20.0/24. Each VLAN must have a unique subnet. This step is planning; no configuration happens yet. The network engineer documents the IP scheme and default gateway addresses (e.g., .1 for each subnet).
Choose Inter-VLAN Routing Method
Select one of three methods based on design requirements: router-on-a-stick (for small networks with a single router), multilayer switching (for larger networks needing high performance), or Layer 3 switch with routed ports (for point-to-point links). The decision impacts cost, performance, and scalability. Router-on-a-stick is simple but limited; multilayer switches are faster but more expensive.
Configure Trunk Link (Router-on-a-Stick)
On the switch, configure the port connecting to the router as an 802.1Q trunk. Example: 'interface GigabitEthernet0/1; switchport mode trunk; switchport trunk allowed vlan 10,20'. On the router, configure subinterfaces with encapsulation dot1Q and assign IP addresses. This ensures that frames from multiple VLANs are tagged and routed correctly.
Configure SVIs or Routed Ports (Multilayer)
On a multilayer switch, enable IP routing globally with 'ip routing'. Create SVIs for each VLAN: 'interface Vlan10; ip address 192.168.10.1 255.255.255.0; no shutdown'. Alternatively, configure a port as a routed port: 'interface GigabitEthernet0/1; no switchport; ip address 10.0.0.1 255.255.255.0'. Ensure SVIs are not shut down.
Verify Connectivity
Use 'show ip interface brief' to verify interfaces are up/up. Use 'show ip route' to confirm directly connected routes. Test with ping from a host in VLAN 10 to the default gateway (192.168.10.1), then to a host in VLAN 20 (192.168.20.2). If ping fails, check VLAN membership, trunk configuration, and IP addressing.
Enterprise Scenario 1: Small Business with Router-on-a-Stick
A small company with 50 employees uses a single Cisco 4321 router and a Catalyst 2960 switch. They have three VLANs: Data (VLAN 10), Voice (VLAN 20), and Management (VLAN 30). The router connects to the switch via a single Gigabit Ethernet link configured as a trunk. This design is cost-effective but creates a bottleneck: all inter-VLAN traffic (e.g., a data user accessing a printer in another VLAN) must traverse the single link and the router's CPU. Performance degrades under heavy load. To mitigate, the network engineer could upgrade to a multilayer switch, but for a small environment, router-on-a-stick is adequate.
Enterprise Scenario 2: Large Campus with Multilayer Switching
A university campus uses Catalyst 9300 multilayer switches at the distribution layer. Each building has access switches that trunk to the distribution switch. The distribution switch routes between VLANs using SVIs. This design is scalable and fast because routing happens in hardware (ASICs) rather than software. The network engineer must enable 'ip routing' and configure SVIs for each VLAN. Performance is high, but troubleshooting can be complex if SVIs are misconfigured (e.g., duplicate IPs or missing 'no shutdown').
Common Misconfigurations and Issues
Trunk Mismatch: If one end of a trunk is configured as 'access' and the other as 'trunk', the link may not form, or traffic may be dropped. Use 'show interfaces trunk' to verify.
Native VLAN Mismatch: If the native VLAN differs on each end, control traffic (CDP, VTP) may fail, but user traffic might still pass. Always match native VLANs.
Missing Default Gateway: Hosts must have the correct default gateway IP (the router subinterface or SVI IP). DHCP can provide this. If hosts cannot communicate off-subnet, check their gateway configuration.
ACL Blocking: An ACL applied to a subinterface or SVI may inadvertently block inter-VLAN traffic. Use 'show access-lists' to verify.
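The misconfigurations above and the Trap Patterns (missing 'ip routing', an SVI never brought up, duplicate gateway IPs, a subinterface without 802.1Q encapsulation) can be caught before deployment by checking the running config text. The audit below is an added example, not a tool from the chapter or from Cisco; it parses IOS-style interface stanzas and reports those patterns over a constructed multilayer-switch config that deliberately contains three of them.

```python
import re
from typing import Dict, List

# Constructed multilayer-switch config (assumed sample, not from the chapter's devices). It deliberately
# contains the trap patterns: no 'ip routing', an SVI never brought up, a gateway IP reused on a second SVI.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.10.1 255.255.255.0
 no shutdown
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [its indented commands]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current and raw.startswith(" ") and line:
            stanzas[current].append(line)
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def audit(config: str) -> List[str]:
    """Report SVIs not brought up, subinterfaces without dot1Q, duplicate IPs, and SVIs without 'ip routing'."""
    findings: List[str] = []
    stanzas = parse_interfaces(config)
    global_cmds = {ln.strip() for ln in config.splitlines() if ln and not ln.startswith(" ")}
    seen_ips: Dict[str, str] = {}
    for name, cmds in stanzas.items():
        is_svi = name.lower().startswith("vlan")
        is_subif = "." in name  # e.g. GigabitEthernet0/0.10 on a router-on-a-stick
        if is_svi and ("no shutdown" not in cmds or "shutdown" in cmds):
            findings.append(f"{name}: SVI not brought up with 'no shutdown'")
        if is_subif and not any(re.match(r"encapsulation dot1q \d+", c, re.I) for c in cmds):
            findings.append(f"{name}: subinterface lacks 'encapsulation dot1Q <vlan-id>'")
        for c in cmds:
            m = re.match(r"ip address (\S+) \S+", c)
            if m and m.group(1) in seen_ips:
                findings.append(f"{name}: duplicate IP {m.group(1)} already on {seen_ips[m.group(1)]}")
            elif m:
                seen_ips[m.group(1)] = name
    if any(n.lower().startswith("vlan") for n in stanzas) and "ip routing" not in global_cmds:
        findings.append("global: SVIs configured but 'ip routing' is not enabled")
    return findings
```

Running `audit(SAMPLE_CONFIG)` yields three findings (Vlan20 never brought up, Vlan30 duplicating Vlan10's address, and the missing 'ip routing'); the same function applied to a router-on-a-stick config flags subinterfaces missing their dot1Q encapsulation.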
Scale and Performance Considerations
Router-on-a-stick is limited by the single link speed (e.g., 1 Gbps) and router CPU. For traffic exceeding 500 Mbps, consider multilayer switching.
Multilayer switches can route at line rate (e.g., 40 Gbps) using hardware. However, they are more expensive and may require advanced features like OSPF or EIGRP.
Routed ports are ideal for interconnecting switches or routers over point-to-point links, often used in a collapsed core design.
What N10-009 Tests
Objective 2.1: 'Given a scenario, configure and verify inter-VLAN routing.' The exam focuses on:
Identifying the correct method based on a scenario (e.g., small network vs. large campus).
Understanding the configuration steps for each method.
Troubleshooting common issues like trunk misconfiguration, missing default gateway, or disabled routing.
Most Common Wrong Answers and Why Candidates Choose Them
'Use a Layer 2 switch to route between VLANs' – Candidates confuse Layer 2 switching with Layer 3 routing. A Layer 2 switch cannot route; it only forwards frames within the same VLAN.
'Router-on-a-stick is always the best method' – Candidates think simplicity equals best. But router-on-a-stick creates a bottleneck and is not suitable for high-traffic environments.
'Multilayer switches do not need IP routing enabled' – Candidates assume that because the switch is 'Layer 3', routing is automatic. In reality, 'ip routing' must be explicitly enabled.
'Trunk ports can be used without 802.1Q' – Some think trunking is optional. Without 802.1Q tagging, frames from multiple VLANs cannot be distinguished.
Specific Numbers, Values, and Terms on the Exam
Default native VLAN: 1
802.1Q encapsulation (not ISL)
SVI (Switch Virtual Interface)
Subinterface naming: e.g., GigabitEthernet0/0.10
'no shutdown' command for SVIs and subinterfaces
'ip routing' command on multilayer switches
'switchport mode trunk' and 'switchport trunk allowed vlan'
Edge Cases and Exceptions
If a trunk's native VLAN is changed, ensure both ends match. Mismatch can cause black holes.
On some switches, SVIs are automatically created when a VLAN is created, but they remain in 'administratively down' state until 'no shutdown' is issued.
Router-on-a-stick can use multiple physical links with EtherChannel for higher throughput, but this is advanced.
How to Eliminate Wrong Answers
If the question mentions a single router and a switch, the method is router-on-a-stick.
If the question mentions a switch with routing capabilities and no external router, it's multilayer switching.
If the answer option says 'Layer 2 switch can route', eliminate it immediately.
Look for keywords like 'subinterface', 'encapsulation dot1Q', 'SVI', 'ip routing' to identify the correct method.
Inter-VLAN routing enables communication between different VLANs by forwarding packets at Layer 3.
The three methods are: router-on-a-stick, multilayer switching (SVIs), and Layer 3 switch with routed ports.
Router-on-a-stick uses a single trunk link and subinterfaces; it is simple but creates a bottleneck.
Multilayer switches require 'ip routing' to be enabled globally and SVIs configured for each VLAN.
The default native VLAN on trunk links is VLAN 1; both ends must match to avoid issues.
Hosts must have the correct default gateway IP (the router subinterface or SVI IP) to communicate off-subnet.
Common exam traps: confusing Layer 2 and Layer 3 switches, forgetting 'ip routing', and misconfiguring trunk encapsulation.
These come up on the exam all the time. Here's how to tell them apart.
Router-on-a-Stick
Uses a single physical router interface with subinterfaces.
Requires an external router and a switch with trunking.
All inter-VLAN traffic passes through a single link and router CPU.
Simple to configure in small networks.
Lower cost but limited performance (bottleneck).
Multilayer Switching
Uses SVIs (virtual interfaces) on the switch itself.
No external router needed; routing is done in hardware.
Traffic is routed internally at line rate (high performance).
More complex configuration but scalable.
Higher cost but suitable for large, high-traffic networks.
Mistake
A Layer 2 switch can route between VLANs if configured with VLAN interfaces.
Correct
Layer 2 switches cannot perform routing. VLAN interfaces (SVIs) require a Layer 3 switch with IP routing enabled. A Layer 2 switch only forwards frames within the same VLAN.
Mistake
Router-on-a-stick uses a separate physical interface for each VLAN.
Correct
Router-on-a-stick uses a single physical interface with multiple subinterfaces, one per VLAN. Each subinterface is tagged with the VLAN ID via 802.1Q encapsulation.
Mistake
Multilayer switches automatically route between all VLANs without configuration.
Correct
Multilayer switches require 'ip routing' to be enabled globally and each SVI must be configured with an IP address and brought up with 'no shutdown'.
Mistake
The native VLAN on a trunk carries no traffic.
Correct
The native VLAN carries traffic untagged. By default, VLAN 1 is the native VLAN. Control traffic like CDP and VTP uses the native VLAN.
Mistake
Inter-VLAN routing only works with a router, not a switch.
Correct
A multilayer switch (Layer 3 switch) can route between VLANs using SVIs or routed ports, eliminating the need for an external router.
A Layer 2 switch forwards frames based on MAC addresses and cannot route between VLANs. A Layer 3 switch (multilayer switch) can perform routing using SVIs or routed ports, allowing it to forward packets between VLANs without an external router. For inter-VLAN routing, you need a Layer 3 device (router or Layer 3 switch).
On the router, configure a subinterface for each VLAN: 'interface GigabitEthernet0/0.10', then 'encapsulation dot1Q 10', and assign an IP address. On the switch, configure the port connecting to the router as a trunk: 'switchport mode trunk' and 'switchport trunk allowed vlan 10,20'. Ensure the router's physical interface is 'no shutdown'.
Yes, you must enable global IP routing with the 'ip routing' command. Otherwise, the switch will not route between SVIs even if they have IP addresses. After enabling, configure SVIs and bring them up with 'no shutdown'.
Mismatched native VLANs can cause control traffic (CDP, VTP, DTP) to fail. User traffic on the native VLAN may be misdirected or dropped. Always ensure both ends of a trunk have the same native VLAN.
Yes, you can connect each VLAN to a separate router interface without trunking. However, this uses more router ports and may not be scalable. Router-on-a-stick is more efficient for many VLANs.
Modern Cisco switches use 802.1Q encapsulation by default. ISL (Inter-Switch Link) is obsolete. The 'switchport trunk encapsulation dot1q' command may be needed on older switches.
Start with 'show ip interface brief' to verify interfaces are up/up. Check 'show vlan brief' for VLAN membership. Use 'show interfaces trunk' for trunk status. Ping the default gateway from a host. On the router/switch, use 'show ip route' to confirm routes. Check ACLs that may block traffic.