Inter-VLAN Routing — Layer 3 Switch (SVI)

Router-on-a-Stick works well for small networks and labs, but all inter-VLAN traffic must pass through a single physical link — creating a bottleneck as traffic grows. A Layer 3 switch (also called a multilayer switch) eliminates this limitation by performing routing entirely in hardware, at wire speed, without a dedicated router. It does this using SVIs (Switch Virtual Interfaces) — one per VLAN — each serving as the default gateway for that VLAN's devices. This is the standard inter-VLAN routing method in enterprise networks.

Before starting, complete VLAN Creation and Management and Assigning VLANs to Switch Ports. Understanding Trunk Port Configuration is also helpful if your topology includes a second switch or an uplink router.

1. How Layer 3 Switch Inter-VLAN Routing Works

A standard Layer 2 switch only forwards frames based on MAC addresses — it has no concept of IP routing. A Layer 3 (multilayer) switch adds hardware-based IP routing capability. When ip routing is enabled, the switch can route packets between SVIs just as a router routes between interfaces — but entirely in hardware without any external device. For a conceptual overview see Inter-VLAN Routing and VLANs.

Component Role in SVI Routing
SVI (interface vlan [id]) A logical Layer 3 interface associated with a VLAN. Assigned an IP address that serves as the default gateway for all devices in that VLAN.
ip routing Global command that enables Layer 3 routing on the switch. Without it, SVIs have IP addresses but the switch will not route between them.
Access ports Physical ports assigned to each VLAN — connects end devices. No change from a Layer 2 switch.
Default gateway (PC) Each PC points its default gateway to the SVI IP address for its VLAN.

Traffic Flow — VLAN 10 to VLAN 20 on a Layer 3 Switch

Step What Happens
1 PC1 (VLAN 10) sends a packet destined for PC2 (VLAN 20) to its default gateway: the VLAN 10 SVI IP (192.168.10.1)
2 The switch receives the frame on PC1's access port and recognises it as destined for the Layer 3 SVI — not a Layer 2 forwarding decision
3 The switch's routing engine looks up the destination IP in the routing table and finds 192.168.20.0/24 is directly connected via the VLAN 20 SVI
4 The switch routes the packet internally to the VLAN 20 SVI and forwards it out the access port where PC2 is connected — all within the same device

SVI vs Router-on-a-Stick — Full Comparison

Feature Router-on-a-Stick Layer 3 Switch (SVI)
Routing location External router via trunk link Internal to the switch — hardware routing engine
Performance Limited by single trunk link bandwidth Wire-speed routing — no external bottleneck
Devices required Router + Layer 2 switch (two devices) One multilayer switch
Cost Lower — reuses existing router Higher — multilayer switch required
Scalability Poor — all VLANs share one link Excellent — internal backplane handles all VLANs
Configuration complexity Moderate — subinterfaces + trunk Simple — SVIs + ip routing
Best for Small networks, CCNA labs Enterprise networks, any production environment

2. Lab Topology & IP Addressing

In this lab, NetsTuts_SW1 is a Cisco Catalyst multilayer switch (e.g., 3560, 3650, or 3850). It handles both Layer 2 switching and Layer 3 routing for all three VLANs — no external router needed.

NetsTuts_SW1 Layer 3 Multilayer Switch · ip routing enabled · hardware routing engine SVI Vlan10 192.168.10.1/24 GW for VLAN 10 SVI Vlan20 192.168.20.1/24 GW for VLAN 20 SVI Vlan30 192.168.30.1/24 GW for VLAN 30 Fa0/1 — access VLAN 10 Fa0/2 — access VLAN 20 Fa0/3 — access VLAN 30 PC1 — VLAN 10 (SALES) 192.168.10.10/24 GW: 192.168.10.1 PC2 — VLAN 20 (HR) 192.168.20.10/24 GW: 192.168.20.1 PC3 — VLAN 30 (IT) 192.168.30.10/24 GW: 192.168.30.1 ip routing Enables L3 engine No external router needed Routing inside the switch ASIC One SVI per VLAN Each SVI = default gateway Wire-speed performance No single-link bottleneck NetsTuts
Interface Type IP Address VLAN Role
Vlan10 (SVI) Logical 192.168.10.1 /24 10 Default gateway for VLAN 10 (SALES)
Vlan20 (SVI) Logical 192.168.20.1 /24 20 Default gateway for VLAN 20 (HR)
Vlan30 (SVI) Logical 192.168.30.1 /24 30 Default gateway for VLAN 30 (IT)
Fa0/1 Physical (access) N/A 10 PC1 connection
Fa0/2 Physical (access) N/A 20 PC2 connection
Fa0/3 Physical (access) N/A 30 PC3 connection

3. Step 1 — Create VLANs and Assign Access Ports

VLANs must exist in the VLAN database before SVIs can be brought up. An SVI for a VLAN that does not exist remains in a down state. Access ports must also be assigned so PCs have a path to their VLAN. 

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Create and name VLANs ─────────────────────────────────
NetsTuts_SW1(config)#vlan 10
NetsTuts_SW1(config-vlan)#name SALES
NetsTuts_SW1(config-vlan)#vlan 20
NetsTuts_SW1(config-vlan)#name HR
NetsTuts_SW1(config-vlan)#vlan 30
NetsTuts_SW1(config-vlan)#name IT
NetsTuts_SW1(config-vlan)#exit

! ── Assign access ports ───────────────────────────────────
NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#description PC1-VLAN10-SALES
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 10
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#interface FastEthernet0/2
NetsTuts_SW1(config-if)#description PC2-VLAN20-HR
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 20
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#interface FastEthernet0/3
NetsTuts_SW1(config-if)#description PC3-VLAN30-IT
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 30
NetsTuts_SW1(config-if)#exit
VLANs 10, 20, and 30 created and named. Access ports assigned with descriptions. See VLAN Creation Lab and Assigning VLANs to Switch Ports for detailed explanations.

4. Step 2 — Enable IP Routing

This is the single most critical command for Layer 3 switch inter-VLAN routing. Without it, the switch has SVIs with IP addresses but behaves purely as a Layer 2 device — it will not route packets between VLANs. 

NetsTuts_SW1(config)#ip routing
One command enables the full Layer 3 routing engine on the switch. This global command applies across all SVIs immediately.
Most common mistake in this lab: Configuring SVIs with correct IP addresses and connecting PCs with correct default gateways — but forgetting ip routing. The result is that pings to the SVI IP succeed (the switch responds to its own IP) but cross-VLAN pings fail entirely (the switch does not forward the packet to the other VLAN). Always verify with show ip routing or show running-config | include ip routing.

5. Step 3 — Create and Configure SVIs

Create one SVI per VLAN using interface vlan [id]. Assign the default gateway IP address for that VLAN's subnet and bring the SVI up with no shutdown. SVIs are administratively down by default. 

! ── SVI for VLAN 10 (SALES) ──────────────────────────────
NetsTuts_SW1(config)#interface vlan 10
NetsTuts_SW1(config-if)#description SVI-Gateway-VLAN10-SALES
NetsTuts_SW1(config-if)#ip address 192.168.10.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

! ── SVI for VLAN 20 (HR) ─────────────────────────────────
NetsTuts_SW1(config)#interface vlan 20
NetsTuts_SW1(config-if)#description SVI-Gateway-VLAN20-HR
NetsTuts_SW1(config-if)#ip address 192.168.20.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

! ── SVI for VLAN 30 (IT) ─────────────────────────────────
NetsTuts_SW1(config)#interface vlan 30
NetsTuts_SW1(config-if)#description SVI-Gateway-VLAN30-IT
NetsTuts_SW1(config-if)#ip address 192.168.30.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
Three SVIs configured — each serves as the default gateway for its VLAN. no shutdown is required on each SVI individually.

SVI Command Breakdown

Command What It Does Why It Matters
interface vlan 10 Creates or enters the SVI for VLAN 10 The SVI is the Layer 3 logical interface for this VLAN — it represents the VLAN on the routing engine
description SVI-Gateway-VLAN10-SALES Labels the SVI for documentation Makes each SVI's purpose immediately clear — essential in production with many VLANs
ip address 192.168.10.1 255.255.255.0 Assigns the gateway IP for the VLAN 10 subnet All PCs in VLAN 10 use this IP as their default gateway — must match the PC network configuration
no shutdown Brings the SVI up administratively SVIs are down by default — must be explicitly enabled. The SVI also requires at least one active access port in the VLAN to reach "up/up" state.
SVI up/up requirements: For an SVI to reach the fully operational "up/up" state, three things must be true:
  • no shutdown has been entered on the SVI
  • The VLAN exists in the VLAN database (show vlan brief)
  • At least one access port assigned to that VLAN is physically connected and up
If an SVI shows "up/down", the VLAN likely has no active ports. If it shows "down/down", no shutdown was not entered. Verify with show ip interface brief.

6. Complete Layer 3 Switch Configuration

! ══════════════════════════════════════════════════════════
! NetsTuts Layer 3 SVI Routing Baseline — NetsTuts_SW1
! ══════════════════════════════════════════════════════════

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Enable IP routing ─────────────────────────────────────
NetsTuts_SW1(config)#ip routing

! ── Create and name VLANs ─────────────────────────────────
NetsTuts_SW1(config)#vlan 10
NetsTuts_SW1(config-vlan)#name SALES
NetsTuts_SW1(config-vlan)#vlan 20
NetsTuts_SW1(config-vlan)#name HR
NetsTuts_SW1(config-vlan)#vlan 30
NetsTuts_SW1(config-vlan)#name IT
NetsTuts_SW1(config-vlan)#exit

! ── Access port assignments ───────────────────────────────
NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#description PC1-VLAN10-SALES
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 10
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#interface FastEthernet0/2
NetsTuts_SW1(config-if)#description PC2-VLAN20-HR
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 20
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#interface FastEthernet0/3
NetsTuts_SW1(config-if)#description PC3-VLAN30-IT
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 30
NetsTuts_SW1(config-if)#exit

! ── SVIs (default gateways per VLAN) ─────────────────────
NetsTuts_SW1(config)#interface vlan 10
NetsTuts_SW1(config-if)#description SVI-Gateway-VLAN10-SALES
NetsTuts_SW1(config-if)#ip address 192.168.10.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#interface vlan 20
NetsTuts_SW1(config-if)#description SVI-Gateway-VLAN20-HR
NetsTuts_SW1(config-if)#ip address 192.168.20.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#interface vlan 30
NetsTuts_SW1(config-if)#description SVI-Gateway-VLAN30-IT
NetsTuts_SW1(config-if)#ip address 192.168.30.1 255.255.255.0
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

7. Bonus: Routed Port — Connecting to an Upstream Router

In many enterprise designs, the Layer 3 switch also needs to forward traffic to an upstream router for internet or WAN access. Rather than using a trunk link with a subinterface, you can convert a physical switch port into a routed port — a Layer 3 port with an IP address, behaving exactly like a router interface.

Use the no switchport command to convert a switchport to a routed port: 

! ── Convert Gi0/1 to a routed port (uplink to router) ────
NetsTuts_SW1(config)#interface GigabitEthernet0/1
NetsTuts_SW1(config-if)#description Uplink-to-Router
NetsTuts_SW1(config-if)#no switchport
NetsTuts_SW1(config-if)#ip address 10.0.0.2 255.255.255.252
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit

! ── Default route pointing to the router ─────────────────
NetsTuts_SW1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.1
NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
no switchport removes all Layer 2 switching capability from the port and converts it to a Layer 3 routed port. A static default route points all internet-bound traffic to the upstream router at 10.0.0.1. See Static Route Configuration and show ip route for details.
Feature SVI Routed Port
Associated with A VLAN — logical interface A specific physical port — no VLAN
Use case Inter-VLAN routing gateway for end devices Point-to-point uplink to a router or another Layer 3 device
Command to create interface vlan [id] no switchport on a physical interface
IP address assigned? ✅ Yes ✅ Yes

8. Verification

show ip interface brief

Confirms all SVIs are up/up with correct IP addresses:

NetsTuts_SW1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 192.168.10.1    YES manual up                    up
Vlan20                 192.168.20.1    YES manual up                    up
Vlan30                 192.168.30.1    YES manual up                    up
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  up                    up
FastEthernet0/3        unassigned      YES unset  up                    up
All three SVIs show "up/up" — routing is active and PCs have reachable gateways. Physical ports show "unassigned" — correct, they are Layer 2 access ports.

show ip route

Confirms connected routes for all VLAN subnets — no static routes needed for local VLANs:

NetsTuts_SW1#show ip route
Codes: C - connected, S - static, L - local

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Vlan10
L        192.168.10.1/32 is directly connected, Vlan10
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, Vlan20
L        192.168.20.1/32 is directly connected, Vlan20
      192.168.30.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.30.0/24 is directly connected, Vlan30
L        192.168.30.1/32 is directly connected, Vlan30
Three connected (C) routes — one per VLAN subnet. The switch knows all three networks and routes between them automatically. If ip routing was not entered, this output would be empty.

show interfaces vlan 10

NetsTuts_SW1#show interfaces vlan 10
Vlan10 is up, line protocol is up
  Hardware is EtherSVI, address is 0012.3456.7890
  Description: SVI-Gateway-VLAN10-SALES
  Internet address is 192.168.10.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec

Verify ip routing is enabled

NetsTuts_SW1#show running-config | include ip routing
ip routing
If this returns no output, ip routing is not configured. Enter global configuration mode and add it immediately.

Cross-VLAN Ping Test

NetsTuts_SW1#ping 192.168.10.10 source vlan 20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Pinging from VLAN 20's perspective to a VLAN 10 host — confirms inter-VLAN routing is working. The source vlan 20 option simulates traffic originating from VLAN 20's SVI.

Verification Summary

Command What It Confirms
show ip interface brief All SVIs are up/up with correct IP addresses
show ip route Connected routes exist for all VLAN subnets — routing table populated
show interfaces vlan [id] Individual SVI status, IP, description, and MTU
show running-config | include ip routing Confirms ip routing is enabled globally
show vlan brief Confirms VLANs exist and access ports are assigned
ping [IP] source vlan [id] Simulates cross-VLAN traffic from a specific VLAN's perspective

9. Troubleshooting Layer 3 Switch Inter-VLAN Routing

Problem Symptom Cause Fix
Cross-VLAN pings fail — SVI ping succeeds PC can ping its own gateway (SVI IP) but not hosts in other VLANs ip routing not enabled on the switch Enter global config and run ip routing. Verify with show running-config | include ip routing
SVI stays down/down show ip interface brief shows Vlan10 down/down no shutdown not entered on the SVI Enter interface vlan 10 and run no shutdown
SVI shows up/down show ip interface brief shows Vlan10 up/down VLAN 10 has no active access ports — either no ports assigned, or all assigned ports are disconnected Check show vlan brief — verify at least one port is assigned to VLAN 10 and the cable is connected
SVI does not appear VLAN SVI not shown in show ip interface brief VLAN does not exist in the VLAN database — SVI for a non-existent VLAN is not created Create the VLAN first: vlan 10 in global config. See VLAN Creation Lab
PC cannot reach gateway Ping to SVI IP fails from PC PC's default gateway set to wrong IP, or PC is in wrong VLAN Verify PC IP config matches the topology — correct gateway for its VLAN. Check show vlan brief to confirm port VLAN assignment
No routes in routing table show ip route shows no connected routes ip routing not enabled, or all SVIs are down Enable ip routing and bring all SVIs up with no shutdown

Key Points & Exam Tips

  • ip routing is the single most critical command for Layer 3 switch inter-VLAN routing. Without it, the switch will not route between SVIs — even if all SVIs are up/up with correct IPs.
  • An SVI (interface vlan [id]) is a logical Layer 3 interface associated with a VLAN. It has an IP address and serves as the default gateway for devices in that VLAN.
  • For an SVI to reach "up/up": (1) no shutdown must be entered, (2) the VLAN must exist in the database, and (3) at least one active access port must be assigned to that VLAN.
  • SVIs are administratively down by default — always enter no shutdown on each one.
  • The VLAN must exist in the VLAN database before its SVI can become active. Creating the SVI does not automatically create the VLAN.
  • Each PC's default gateway must be set to the SVI IP address for its VLAN — the most common misconfiguration in this lab. Ensure the PC's IP address and subnet mask match the VLAN's configured subnet.
  • show ip route confirms routing is working — connected routes (C) appear automatically for each SVI subnet once ip routing is enabled and SVIs are up.
  • A routed port (no switchport on a physical interface) is used for point-to-point uplinks to a router — it has an IP address but is not associated with any VLAN.
  • Layer 3 switch SVI routing is faster and more scalable than Router-on-a-Stick because routing is done in hardware — no external bottleneck.
  • On the CCNA exam, know both SVI routing and Router-on-a-Stick — understand when each is used and be able to identify missing commands (ip routing, no shutdown on SVI) from a broken configuration.
Next Steps: With inter-VLAN routing in place, continue to Spanning Tree Protocol — Root Bridge Election to understand how the switch prevents Layer 2 loops across your VLAN topology. For routing traffic beyond the local network, see Static Route Configuration or OSPF Single-Area Configuration. For providing IP addresses to hosts on each VLAN, see DHCP Server Configuration. For controlling inter-VLAN traffic, see ACL Overview.

TEST WHAT YOU LEARNED

All SVIs on NetsTuts_SW1 are configured with correct IPs and show "up/up". PC1 (VLAN 10) can ping the VLAN 10 SVI (192.168.10.1) but cannot ping PC2 (VLAN 20). What is the most likely cause?

Correct answer is B. The fact that PC1 can reach the VLAN 10 SVI confirms the SVI is up and the access port is correct. The fact that cross-VLAN pings fail — despite both SVIs being up/up — is the classic symptom of missing ip routing. Without it, the switch processes SVI traffic but does not route packets between different VLAN subnets.

show ip interface brief shows Vlan10 up/down. no shutdown was entered on the SVI. What is the most likely remaining cause?

Correct answer is C. "up/down" means the SVI is administratively up (no shutdown was entered) but the line protocol is down. For an SVI's line protocol to come up, at least one physical port assigned to that VLAN must be connected and active. Check show vlan brief to verify port assignments and confirm a cable is plugged in.

An engineer creates interface vlan 40 and assigns it an IP, but VLAN 40 was never created in the VLAN database. What will show ip interface brief show for Vlan40?

Correct answer is D. An SVI requires the VLAN to exist in the VLAN database to operate. If VLAN 40 was never created with the vlan 40 command, the SVI remains down/down even with no shutdown and a valid IP address. Always create the VLAN first, then configure its SVI.

What is the difference between an SVI and a routed port on a Layer 3 switch?

Correct answer is A. An SVI (interface vlan [id]) is a logical interface tied to a specific VLAN — it provides the Layer 3 gateway for all devices in that VLAN. A routed port (no switchport on a physical port) is a physical interface with Layer 3 capability, behaving like a router interface — used for uplinks between network devices, not for end-device connectivity.

show ip route on NetsTuts_SW1 shows no connected routes for any VLAN subnet. All SVIs are up/up. What is the cause?

Correct answer is C. show ip route displays the Layer 3 routing table. Without ip routing enabled, the switch does not maintain a routing table and this command returns nothing (or just the default route). The routing table — including connected routes — is only populated after ip routing is enabled.

Why is Layer 3 switch SVI routing considered superior to Router-on-a-Stick for enterprise networks?

Correct answer is B. In Router-on-a-Stick, all inter-VLAN traffic must physically travel up the trunk to the router and back — the single link becomes a bottleneck as traffic scales. On a Layer 3 switch, routing is done by a hardware ASIC inside the switch backplane at wire speed. No traffic leaves the switch for inter-VLAN routing — it is far more efficient and scalable.

Which command converts a Layer 3 switch port from a Layer 2 switchport to a Layer 3 routed port capable of having an IP address?

Correct answer is D. no switchport entered under a physical interface on a multilayer switch removes all Layer 2 switching functionality from that port and converts it into a Layer 3 routed port. After this, you can assign an IP address directly to the physical interface just like a router interface.

A network engineer adds a new VLAN 50 to NetsTuts_SW1 but forgets to create the corresponding SVI. Devices in VLAN 50 are assigned a default gateway of 192.168.50.1. What will happen?

Correct answer is A. VLANs operate at Layer 2 independently of SVIs — devices in VLAN 50 can switch frames to each other without any SVI. However, without the interface vlan 50 SVI configured with 192.168.50.1, that gateway IP does not exist on the switch. Any traffic destined outside VLAN 50 will be sent to the non-existent gateway and dropped.

Which single command verifies whether ip routing is currently enabled on a Layer 3 switch?

Correct answer is C. show running-config | include ip routing filters the running configuration to show only lines containing "ip routing". If the command is enabled, the output shows ip routing. If the output is empty, the command is not in the configuration. This is the quickest targeted verification for this specific setting.

NetsTuts_SW1 is a Layer 3 switch performing inter-VLAN routing. An upstream router at 10.0.0.1 provides internet access. Which configuration on the switch allows VLAN devices to reach the internet?

Correct answer is B. To reach external networks, the Layer 3 switch needs a path to the upstream router. The correct approach is: (1) use no switchport on the uplink interface to make it a routed port, (2) assign it an IP in the same /30 subnet as the router's interface, and (3) add a default static route (ip route 0.0.0.0 0.0.0.0 10.0.0.1) so all non-local traffic is sent to the router.

Related Topics & Step-by-Step Tutorials

Related concepts and next steps:

Back to Home