Layer 3 Switch Not Routing Between VLANs
Presenting Symptom
Hosts in different VLANs cannot ping each other through the Layer 3 switch, even though they can ping their default gateway.
Network Context
A small branch office network uses a single Cisco Catalyst 3560 Layer 3 switch (IOS 15.0) to route between VLANs 10 (192.168.10.0/24) and 20 (192.168.20.0/24). The switch has SVIs configured for both VLANs, and hosts are connected via access ports. The problem occurs after a recent configuration change.
Diagnostic Steps
Check VLAN and SVI status
show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, ...
10   VLAN0010                         active    Fa0/3, Fa0/4
20   VLAN0020                         active    Fa0/5, Fa0/6
1002 fddi-default                     act/unsup ...
Ensure both VLANs exist and have assigned ports. If a VLAN is missing or inactive, routing won't work.
Verify SVI interface status and IP configuration
show ip interface brief | include Vlan
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 192.168.10.1    YES manual up                    up
Vlan20                 192.168.20.1    YES manual up                    up
Both SVIs must be up/up. If an SVI is down/down, check VLAN existence and port membership. If administratively down, enable with 'no shutdown'.
Check IP routing status and routing table
show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.10.0/24 is directly connected, Vlan10
C 192.168.20.0/24 is directly connected, Vlan20
Both subnets should appear as directly connected. If missing, check SVI configuration. Also verify that 'ip routing' is enabled globally (show running-config | include ip routing).
Test connectivity from the switch to both VLANs
ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
If pings fail, the SVI may be down or misconfigured. If successful, the issue is likely on the host side (default gateway, subnet mask, or firewall).
Check for ACLs or VACLs blocking inter-VLAN traffic
show access-lists
show vlan access-list
Standard IP access list 10
10 permit 192.168.10.0 0.0.0.255
Extended IP access list 100
10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
20 deny ip any any
Look for any ACL applied to the SVI (show running-config interface Vlan10) that might deny traffic. Also check for VLAN access-maps that could filter.
Root Cause
The 'ip routing' global command is missing from the switch configuration. Without it, the Layer 3 switch does not perform routing between VLANs; it only acts as a Layer 2 switch. This often happens after a configuration reset or when the switch is initially configured without enabling IP routing.
Resolution
Verification
1. Verify IP routing is enabled: show running-config | include ip routing
   Expected output: 'ip routing'
2. Check routing table again: show ip route
   Expected output: Both VLAN subnets listed as directly connected.
3. Test inter-VLAN ping from a host in VLAN 10 to a host in VLAN 20. Should succeed.
Prevention
1. Always include 'ip routing' in the initial switch configuration template for any Layer 3 switch that will route between VLANs.
2. Use configuration management tools to enforce standard configurations and audit for missing commands.
3. Document and review switch configurations after any changes to ensure routing features are not accidentally disabled.
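The audit in prevention step 2 can be a short offline check over a saved running-config. The script below is an added example, not part of the original scenario: it flags the conditions the diagnostic steps look for (missing global 'ip routing', an SVI that is shut down or has no address, an ACL bound to an SVI). The function name audit_intervlan, the hostname BRANCH-SW1 and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config (not from the page's switch): two SVIs,
# an ACL bound to one of them, and no global 'ip routing' line.
SAMPLE_CONFIG = """\
hostname BRANCH-SW1
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 shutdown
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip any any
"""

def audit_intervlan(config: str) -> list[str]:
    """Return findings that would stop or filter inter-VLAN routing."""
    findings = []
    lines = config.splitlines()
    # 'ip routing' is a global command: exact match, so 'no ip routing' fails.
    if not any(l.rstrip() == "ip routing" for l in lines):
        findings.append("global 'ip routing' is missing")
    svi = None   # name of the SVI block currently being read, if any
    svis = {}    # SVI name -> state collected from its sub-commands
    for line in lines:
        m = re.match(r"interface (Vlan\d+)\s*$", line)
        if m:
            svi = m.group(1)
            svis[svi] = {"ip": False}
        elif not line.startswith(" "):
            svi = None  # an unindented line ends the interface block
        elif svi:
            cmd = line.strip()
            if cmd.startswith("ip address "):
                svis[svi]["ip"] = True
            elif cmd == "shutdown":
                findings.append(f"{svi} is administratively down")
            elif cmd.startswith("ip access-group "):
                findings.append(f"{svi} has ACL applied: {cmd}")
    for name, state in svis.items():
        if not state["ip"]:
            findings.append(f"{name} has no IP address")
    if len(svis) < 2:
        findings.append("fewer than two SVIs configured")
    return findings
```

An ACL finding is a prompt to review the list's entries against the intended inter-VLAN policy, not an error in itself.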
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where a Layer 3 switch fails to route between VLANs. The exam tests the candidate's ability to identify that 'ip routing' is disabled. Questions may be multiple-choice or drag-and-drop, asking to select the correct command to enable routing or to identify the root cause from show command outputs. Key fact: A Layer 3 switch requires the 'ip routing' command to perform inter-VLAN routing; without it, SVIs act as default gateways but do not forward between VLANs.
Exam Tips
Remember that 'ip routing' is disabled by default on most Catalyst switches; you must enable it for inter-VLAN routing.
If hosts can ping their default gateway but not hosts in other VLANs, suspect missing 'ip routing' or an ACL.
Use 'show ip route' to confirm that both VLAN subnets appear as directly connected; if only one appears, check SVI configuration.
Commands Used in This Scenario
show ip interface brief
Displays a summary of all IP interfaces on the device, including their IP address, status, and protocol state, used for quick verification of interface configuration and connectivity.
show ip route
Displays the current IP routing table on a Cisco router, used to verify routes, check next-hop addresses, and troubleshoot connectivity issues.
show vlan brief
Displays a summary of all VLANs configured on the switch, including VLAN ID, name, status, and ports, used to quickly verify VLAN configuration and port assignments.