Inter-VLAN Routing – Concepts & Methods

1. Why Do VLANs Need a Router?

A VLAN (Virtual Local Area Network) is a logical broadcast domain enforced by a switch. By design, Layer 2 switches keep traffic inside each VLAN isolated — frames tagged for VLAN 10 never reach devices in VLAN 20. This isolation is the whole point of VLANs: contain broadcasts, enforce security boundaries, and segment traffic by function (e.g., Data, Voice, Management).

However, devices in different VLANs sometimes must communicate — a PC in the Sales VLAN needs to reach a server in the Servers VLAN. Because Layer 2 switches do not forward between VLANs, a Layer 3 device (router or multilayer switch) is required to route packets between them. This is called Inter-VLAN Routing.

Layer | Device | What It Does With VLANs
Layer 2 | Switch | Forwards frames within a VLAN only — enforces VLAN isolation at Layer 2
Layer 3 | Router or Multilayer Switch | Routes packets between VLANs by stripping and rewriting Layer 2 headers


2. The Three Methods of Inter-VLAN Routing

There are three approaches to routing between VLANs. Understanding when and why each method is used is a key CCNA exam topic.

# | Method | Device Required | Era / Usage
1 | Legacy — Separate Physical Interfaces | Router with one physical interface per VLAN | Historical; rarely used today — too many ports wasted
2 | Router-on-a-Stick (ROAS) | Router with sub-interfaces on a single trunk link | Small/medium networks; common in CCNA labs and branch sites
3 | Layer 3 Switch SVI Routing | Multilayer switch with Switched Virtual Interfaces | Enterprise standard; high performance, scalable

Exam tip: The CCNA exam tests Router-on-a-Stick and Layer 3 switch SVI routing heavily. Legacy separate-interface routing is conceptually tested but rarely appears in configuration questions.

3. Method 1 – Legacy: Separate Physical Interfaces

The earliest inter-VLAN routing method used one physical router interface per VLAN, with each interface connected to the switch as an access port in that VLAN.

  TOPOLOGY — Legacy Inter-VLAN Routing

  [ Router ]
      |-- Fa0/0  (access, VLAN 10) ──────────────┐
      |-- Fa0/1  (access, VLAN 20) ────────────┐  |
      |-- Fa0/2  (access, VLAN 30) ──────────┐  |  |
                                              |  |  |
                                          [  Layer 2 Switch  ]
                                              |       |      |
                                           VLAN 30  VLAN 20  VLAN 10
                                           Servers  Finance  Sales PCs

Why it is obsolete: Every additional VLAN consumes an extra physical interface on the router and an extra cable. In environments with dozens of VLANs this becomes completely impractical. Modern networks use sub-interfaces or multilayer switches instead.

4. Method 2 – Router-on-a-Stick (ROAS)

Router-on-a-Stick solves the port-wastage problem by using a single physical link between the router and the switch, configured as a trunk port. On the router, logical sub-interfaces are created — one per VLAN — each configured with encapsulation dot1q <vlan-id> and an IP address that becomes the default gateway for that VLAN.

4.1 How ROAS Works — Step by Step

  TOPOLOGY — Router-on-a-Stick

           [ Router ]
               | Gi0/0 (physical — no IP assigned)
               |   |__ Gi0/0.10  encapsulation dot1q 10  IP: 192.168.10.1/24
               |   |__ Gi0/0.20  encapsulation dot1q 20  IP: 192.168.20.1/24
               |   |__ Gi0/0.30  encapsulation dot1q 30  IP: 192.168.30.1/24
               |
       [trunk link — carries tags for VLAN 10, 20, 30]
               |
        [ Layer 2 Switch ]
         /      |       \
      Fa0/1   Fa0/2   Fa0/3
      VLAN10  VLAN20  VLAN30
      (access)(access)(access)
        |        |        |
    Sales PC  Finance  Server

4.2 Traffic Flow: PC in VLAN 10 → Server in VLAN 30

  Step 1:  Sales PC (192.168.10.10) sends packet to Server (192.168.30.10)
           Destination is in a different subnet → packet goes to default gateway
           Default gateway = 192.168.10.1 (router sub-interface Gi0/0.10)

  Step 2:  Switch receives frame on Fa0/1 (access port, VLAN 10)
           Switch adds 802.1Q tag: VLAN ID = 10
           Frame is forwarded up the trunk link to the router

  Step 3:  Router receives tagged frame on Gi0/0
           Tag = VLAN 10 → matched to sub-interface Gi0/0.10
           Router strips the old VLAN 10 tag, routes the packet

  Step 4:  Router finds destination network 192.168.30.0/24 directly connected on Gi0/0.30
           Router re-tags frame with VLAN 30 tag
           Frame sent back down the trunk to the switch

  Step 5:  Switch receives frame tagged VLAN 30
           Forwards out Fa0/3 (access port, VLAN 30) — tag stripped
           Server receives plain Ethernet frame
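
The router's part of this flow (steps 3 and 4), as an added Python example that is not from the original page: it parses the 802.1Q tag, matches it to a sub-interface, routes on the connected networks, and re-tags the frame, dropping anything whose tag has no sub-interface. The MAC addresses, the ARP table and all function names are constructed for illustration, and a 20-byte IPv4 header without options is assumed.

```python
import ipaddress
import struct

TPID_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800

# Sub-interfaces from the ROAS topology above: VLAN ID -> (name, gateway/prefix)
SUBINTERFACES = {
    10: ("Gi0/0.10", ipaddress.ip_interface("192.168.10.1/24")),
    20: ("Gi0/0.20", ipaddress.ip_interface("192.168.20.1/24")),
    30: ("Gi0/0.30", ipaddress.ip_interface("192.168.30.1/24")),
}

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 20-byte header with the checksum field zeroed."""
    total = sum(struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(header: bytes) -> bytes:
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:20]

def build_frame(dst_mac, src_mac, vlan_id, src_ip, dst_ip, ttl=64):
    """Constructed sample: 802.1Q-tagged frame carrying a bare IPv4 header."""
    src, dst = ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 1, 0, src, dst)
    tag = struct.pack("!HHH", TPID_8021Q, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    return dst_mac + src_mac + tag + with_checksum(header)

def parse_tag(frame: bytes):
    """Return (vlan_id, ethertype, packet), or None if there is no 802.1Q tag."""
    if len(frame) < 18:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    return (tci & 0x0FFF, ethertype, frame[18:]) if tpid == TPID_8021Q else None

def route(frame: bytes, router_mac: bytes, arp: dict):
    """Steps 3-4: match the tag to a sub-interface, route, re-tag; else (None, reason)."""
    parsed = parse_tag(frame)
    if parsed is None:
        return None, "untagged frame: no native sub-interface in this model"
    vlan_id, ethertype, packet = parsed
    if vlan_id not in SUBINTERFACES:
        return None, f"no sub-interface with encapsulation dot1q {vlan_id}"
    if ethertype != ETHERTYPE_IPV4 or len(packet) < 20 or packet[0] != 0x45:
        return None, "not a plain IPv4 packet"
    ttl, dst_ip = packet[8], ipaddress.ip_address(packet[16:20])
    if ttl <= 1:
        return None, "TTL expired"
    for out_vlan, (name, iface) in SUBINTERFACES.items():
        if dst_ip in iface.network and dst_ip in arp:
            header = with_checksum(packet[:8] + bytes([ttl - 1]) + packet[9:20])
            tag = struct.pack("!HHH", TPID_8021Q, out_vlan, ETHERTYPE_IPV4)
            return name, arp[dst_ip] + router_mac + tag + header + packet[20:]
    return None, f"no connected route or ARP entry for {dst_ip}"

# Constructed MAC addresses and ARP table for the Sales PC -> Server flow
ROUTER_MAC = bytes.fromhex("020000000001")
SALES_MAC = bytes.fromhex("02000000000a")
SERVER_MAC = bytes.fromhex("02000000001e")
ARP = {ipaddress.ip_address("192.168.30.10"): SERVER_MAC}

if __name__ == "__main__":
    ingress = build_frame(ROUTER_MAC, SALES_MAC, 10, "192.168.10.10", "192.168.30.10")
    print(route(ingress, ROUTER_MAC, ARP)[0])
```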

4.3 Key ROAS Configuration Commands

  ! ── Switch side: configure trunk port toward router ──
  Switch(config)# interface GigabitEthernet0/1
  Switch(config-if)# switchport trunk encapsulation dot1q    ! (if required; enter before mode trunk)
  Switch(config-if)# switchport mode trunk

  ! ── Router side: parent interface (no IP — just bring it up) ──
  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# no shutdown

  ! ── Sub-interface for VLAN 10 ──
  Router(config)# interface GigabitEthernet0/0.10
  Router(config-subif)# encapsulation dot1q 10
  Router(config-subif)# ip address 192.168.10.1 255.255.255.0

  ! ── Sub-interface for VLAN 20 ──
  Router(config)# interface GigabitEthernet0/0.20
  Router(config-subif)# encapsulation dot1q 20
  Router(config-subif)# ip address 192.168.20.1 255.255.255.0

  ! ── Sub-interface for VLAN 30 ──
  Router(config)# interface GigabitEthernet0/0.30
  Router(config-subif)# encapsulation dot1q 30
  Router(config-subif)# ip address 192.168.30.1 255.255.255.0

Native VLAN on ROAS: If a native VLAN is configured on the trunk, the matching sub-interface should use encapsulation dot1q <vlan-id> native, because untagged frames arrive on the native VLAN. Mismatched native VLANs cause Spanning Tree and CDP to generate native VLAN mismatch warnings.

4.4 ROAS Advantages and Disadvantages

Aspect | Advantage | Disadvantage
Cost | Uses only one physical link and one router port — cost-effective | Router hardware cost still required
Scalability | Adding a VLAN only requires a new sub-interface — no cabling | All inter-VLAN traffic shares one physical link — bottleneck at scale
Performance | Adequate for small or branch-office networks with moderate traffic | Single trunk link is a bandwidth bottleneck; router CPU handles all routing
Complexity | Straightforward to configure and troubleshoot | Single point of failure — if the trunk link or router fails, all inter-VLAN routing stops
Use case | Branch offices, small campuses, CCNA labs | Not recommended for high-traffic enterprise core or distribution layers

5. Method 3 – Layer 3 Switch SVI Routing

A multilayer switch (Layer 3 switch) can perform both Layer 2 switching and Layer 3 routing in hardware using Application-Specific Integrated Circuits (ASICs). Inter-VLAN routing is achieved through Switched Virtual Interfaces (SVIs) — virtual interfaces created on the switch, one per VLAN, each assigned an IP address that acts as the default gateway for that VLAN.

5.1 What Is an SVI?

An SVI is a logical Layer 3 interface associated with a VLAN. It exists entirely in software — there is no physical port. When an SVI is created for VLAN 10, the switch can route packets arriving from VLAN 10 to any other VLAN with an active SVI, all within the switch itself — no external router required for inter-VLAN forwarding.

  TOPOLOGY — Layer 3 Switch SVI Routing

        [ Multilayer Switch (e.g., Cisco 3650 / 9300) ]
         |                                           |
     SVI VLAN 10                               SVI VLAN 20
     ip address 192.168.10.1/24               ip address 192.168.20.1/24
         |                                           |
    [Access Fa0/1]                            [Access Fa0/2]
     VLAN 10                                   VLAN 20
        |                                           |
    Sales PC                                   Finance PC
   192.168.10.10                              192.168.20.10

  ─── Routing between VLANs happens INSIDE the switch at hardware speed ───

  Uplink to router/internet (optional):
  [ Multilayer Switch ]── routed port (no switchport) ──[ Router / Firewall ]

5.2 Traffic Flow: PC in VLAN 10 → PC in VLAN 20

  Step 1:  Sales PC (192.168.10.10) sends packet to Finance PC (192.168.20.10)
           Destination is a different subnet → packet sent to default gateway
           Default gateway = 192.168.10.1 (SVI VLAN 10 on the multilayer switch)

  Step 2:  Switch receives frame on access port Fa0/1 (VLAN 10)
           Frame is addressed to the MAC of gateway 192.168.10.1 → processed by SVI VLAN 10

  Step 3:  Switch routes packet internally:
           Destination 192.168.20.10 → matches directly connected 192.168.20.0/24
           Egress = SVI VLAN 20 → switch looks up Finance PC's MAC in CAM table

  Step 4:  Switch forwards frame out access port Fa0/2 (VLAN 20)
           Finance PC receives the packet

  ── Entire routing decision made in ASIC hardware — wire-speed forwarding ──

5.3 Key SVI Configuration Commands

  ! ── Enable IP routing on the multilayer switch ──
  Switch(config)# ip routing

  ! ── Create VLANs (must exist before SVI is active) ──
  Switch(config)# vlan 10
  Switch(config-vlan)# name Sales
  Switch(config)# vlan 20
  Switch(config-vlan)# name Finance
  Switch(config)# vlan 30
  Switch(config-vlan)# name Servers

  ! ── Create SVIs and assign gateway IPs ──
  Switch(config)# interface vlan 10
  Switch(config-if)# ip address 192.168.10.1 255.255.255.0
  Switch(config-if)# no shutdown

  Switch(config)# interface vlan 20
  Switch(config-if)# ip address 192.168.20.1 255.255.255.0
  Switch(config-if)# no shutdown

  Switch(config)# interface vlan 30
  Switch(config-if)# ip address 192.168.30.1 255.255.255.0
  Switch(config-if)# no shutdown

  ! ── Assign access ports to VLANs ──
  Switch(config)# interface FastEthernet0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 10

  ! ── Optional: Routed uplink to external router (no switchport) ──
  Switch(config)# interface GigabitEthernet0/1
  Switch(config-if)# no switchport
  Switch(config-if)# ip address 10.0.0.2 255.255.255.252

  ! ── Verify ──
  Switch# show ip route
  Switch# show interfaces vlan 10
  Switch# show ip interface brief

SVI State: An SVI comes up (line protocol up) only when at least one access or trunk port in that VLAN is active. If VLAN 10 has no active ports, interface vlan 10 will show down/down even if configured correctly.

5.4 Routed Ports on a Layer 3 Switch

A multilayer switch can also configure individual ports as routed ports using no switchport. A routed port behaves like a router interface — it has an IP address directly and is not part of any VLAN. Routed ports are typically used for point-to-point uplinks to a router or firewall. They are distinct from SVIs:

Feature | SVI (interface vlan X) | Routed Port (no switchport)
Association | Tied to a VLAN — serves all ports in that VLAN | Individual physical port only
Use case | Gateway for end devices in a VLAN | Point-to-point uplinks (router, firewall, WAN)
VLAN membership | Yes — bound to the VLAN | No — not in any VLAN
Config command | interface vlan <id> | no switchport on a physical interface

6. Head-to-Head Comparison – ROAS vs. Layer 3 Switch SVI

Factor | Router-on-a-Stick (ROAS) | Layer 3 Switch SVI
Devices needed | Layer 2 switch + external router | Single multilayer switch (no external router for inter-VLAN)
Performance | Router CPU processes all inter-VLAN traffic; single trunk link bottleneck | ASIC hardware routing at wire speed — vastly faster
Scalability | Limited by router port count and trunk bandwidth | Highly scalable — add VLANs with SVIs; no external port consumed
Cost | Lower upfront — standard router + access switch | Higher initial cost — multilayer switches are more expensive than access switches
Redundancy | Single point of failure (trunk link + router) | Can be paired with HSRP / VRRP / GLBP for gateway redundancy
Configuration complexity | Simple — few commands; good for learning | Slightly more to configure but very clean and logical
Feature richness | All router features available (NAT, ACL, dynamic routing) | Most routing features available; NAT typically done on dedicated router/firewall
Ideal use case | Branch offices, small networks, CCNA labs, cost-constrained setups | Enterprise distribution/core layer, high-traffic campus networks
Cisco example devices | Catalyst 2960 switch + ISR 4000 router | Catalyst 3650, 3850, 9300 multilayer switches

7. When to Use Each Method

Choosing the right inter-VLAN routing method comes down to three factors: scale, budget, and performance requirements.

Scenario | Recommended Method | Reason
Small office with 2–4 VLANs and light traffic | Router-on-a-Stick | Low cost; simple config; performance acceptable at small scale
CCNA home lab or Cisco Packet Tracer practice | Router-on-a-Stick | Core CCNA exam topic; straightforward to build and verify
Enterprise distribution layer with 20+ VLANs and high traffic | Layer 3 Switch SVI | ASIC hardware routing; no bottleneck; scalable; supports HSRP/VRRP
Need NAT or advanced firewall features between VLANs | Router-on-a-Stick (or Layer 3 switch + dedicated router/firewall) | NAT and stateful firewall functions still require a dedicated router or firewall
Campus core or data centre aggregation | Layer 3 Switch SVI | Wire-speed routing; redundancy with FHRP; no dependency on an external router for VLAN routing

Real-world note: In most modern enterprise designs, Layer 3 switching handles all inter-VLAN routing at the distribution layer, while dedicated routers or firewalls handle NAT, VPN, and internet edge functions. ROAS is still widely seen in smaller branch deployments and is a critical concept for the CCNA exam.

8. Troubleshooting Inter-VLAN Routing

When inter-VLAN routing is not working, follow a systematic top-down approach:

Symptom | Likely Cause | Verification Command
Cannot ping default gateway from PC | Wrong gateway IP on PC, or SVI/sub-interface is down | show ip interface brief — check SVI or sub-interface state
ROAS sub-interface shows down/down | Parent physical interface is down, or no shutdown not applied to parent | show interfaces Gi0/0 — verify parent is up/up
SVI shows down/down on Layer 3 switch | No active ports in that VLAN, or VLAN not in the VLAN database | show vlan brief — confirm VLAN exists and has active ports
Traffic reaches router but cannot cross VLANs | Switch port toward router is access (not trunk), or wrong encapsulation | show interfaces trunk — verify trunk and allowed VLANs
Layer 3 switch not routing between SVIs | ip routing not enabled on the switch | show ip route — if empty, ip routing is missing
Intermittent inter-VLAN connectivity | Native VLAN mismatch on trunk, or STP topology change | show spanning-tree and show interfaces trunk
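
The configuration-level causes in the table above (missing ip routing, an SVI whose VLAN is not in the VLAN database, a sub-interface without encapsulation dot1q, a shut-down parent interface) can be checked offline against saved config text. The following is an added Python example, not from the original page; the sample configs are constructed, the function names are hypothetical, and it assumes running-config style text in which VLAN definitions appear as "vlan <id>" lines.

```python
import re

def parse_config(text: str):
    """Split IOS-style config text into global lines and per-interface stanzas."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):            # indented line belongs to the open stanza
            if current is not None:
                current.append(raw.strip())
            continue
        match = re.match(r"interface (\S+)", raw)
        current = interfaces.setdefault(match.group(1), []) if match else None
        if match is None:
            global_lines.append(raw.strip())
    return global_lines, interfaces

def audit(text: str):
    """Return findings for the config causes listed in the troubleshooting table."""
    global_lines, interfaces = parse_config(text)
    vlan_db = {int(g.split()[1]) for g in global_lines if re.fullmatch(r"vlan \d+", g)}
    svis = [name for name in interfaces if re.fullmatch(r"Vlan\d+", name)]
    findings = []
    if svis and "ip routing" not in global_lines:
        findings.append("SVIs are configured but 'ip routing' is not enabled")
    for name in svis:
        if int(name[4:]) not in vlan_db:
            findings.append(f"{name}: VLAN not in the VLAN database, SVI stays down/down")
    for name, lines in interfaces.items():
        if "." not in name:
            continue                       # only sub-interfaces from here on
        parent = name.rsplit(".", 1)[0]
        if not any(line.lower().startswith("encapsulation dot1q ") for line in lines):
            findings.append(f"{name}: missing 'encapsulation dot1q <vlan-id>'")
        if "shutdown" in interfaces.get(parent, []):
            findings.append(f"{name}: parent {parent} is shut down")
    return findings

# Constructed sample configs (not taken from a real device)
ROUTER_CFG = """\
interface GigabitEthernet0/0
 shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 ip address 192.168.20.1 255.255.255.0
"""
SWITCH_CFG = """\
vlan 10
 name Sales
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
"""

if __name__ == "__main__":
    for finding in audit(ROUTER_CFG) + audit(SWITCH_CFG):
        print(finding)
```

Port state (no active ports in a VLAN, trunk versus access mode as negotiated) is not visible in config text, so those rows of the table still need the show commands.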


9. Key Terms Quick Reference

Term | Definition
Inter-VLAN Routing | The process of forwarding packets between different VLANs using a Layer 3 device
Sub-interface | A logical virtual interface created on a physical router interface, identified by a dot notation (e.g., Gi0/0.10); used in ROAS
encapsulation dot1q | Router sub-interface command that binds the sub-interface to a specific VLAN tag; required for ROAS
SVI (Switched Virtual Interface) | A logical Layer 3 interface on a multilayer switch, configured with interface vlan <id>; acts as the gateway for that VLAN
Trunk port | A switch port that carries traffic for multiple VLANs using 802.1Q tags; required between the switch and the router in ROAS
ip routing | Global command on a multilayer switch that enables Layer 3 routing; without it, the switch forwards at Layer 2 only
Routed port | A physical port on a multilayer switch configured with no switchport; behaves as a router interface with an IP address
Native VLAN | The VLAN that carries untagged frames on a trunk; must match on both ends to avoid mismatches
ASIC | Application-Specific Integrated Circuit — dedicated hardware in multilayer switches that performs routing at wire speed without CPU involvement

10. Inter-VLAN Routing – Practice Quiz

1. A PC in VLAN 10 cannot communicate with a PC in VLAN 20 even though both are connected to the same Layer 2 switch. What is the fundamental reason?

Correct answer is B. A VLAN is a Layer 2 broadcast domain. By design, a Layer 2 switch never forwards frames from one VLAN to another — this is the entire point of VLAN isolation. To allow communication between VLANs, a Layer 3 device (router or multilayer switch) must route packets between the subnet associated with each VLAN.

2. In a Router-on-a-Stick configuration, what type of port must the switch port connected to the router be configured as?

Correct answer is C. The link between the Layer 2 switch and the router in a ROAS topology must be a trunk port. The trunk carries 802.1Q-tagged frames for all VLANs on a single physical link. Each sub-interface on the router uses encapsulation dot1q <vlan-id> to match and process the correct tag.

3. Which command binds a router sub-interface to VLAN 20 in a Router-on-a-Stick configuration?

Correct answer is A. The encapsulation dot1q 20 command is entered on the sub-interface (e.g., Gi0/0.20) and tells the router to process all frames arriving with a VLAN tag of 20. This is the essential ROAS command — without it, the sub-interface has no VLAN association and inter-VLAN routing will not work.

4. A multilayer switch has SVIs configured for VLAN 10 and VLAN 20, but show ip route shows no connected routes and pings between VLANs fail. What is the most likely cause?

Correct answer is D. On a multilayer switch, the global command ip routing must be explicitly enabled — without it, the switch operates purely at Layer 2 and ignores its SVI IP addresses for routing purposes. show ip route will be empty (or show only a default route) until ip routing is configured. This is one of the most common inter-VLAN routing mistakes in labs and on the CCNA exam.

5. Which statement best describes a Switched Virtual Interface (SVI)?

Correct answer is B. An SVI is configured with interface vlan <id> on a multilayer switch. It is a logical (virtual) interface — not tied to any physical port — and its IP address serves as the default gateway for all devices in that VLAN. While VLAN 1 SVI is often used for management, SVIs can be created for any VLAN to enable inter-VLAN routing.

6. Why is Layer 3 switch SVI routing preferred over Router-on-a-Stick in a high-traffic enterprise environment?

Correct answer is C. In a ROAS design, every packet routed between VLANs must travel up the single trunk link to the router, be processed by the router's CPU, and return back down the same link — creating a bottleneck and latency. A multilayer switch routes in ASIC hardware without leaving the switch chassis, achieving line-rate performance regardless of VLAN count or traffic volume.

7. An SVI for VLAN 30 shows Vlan30 is down, line protocol is down even though it is configured with an IP address and no shutdown. What is the most likely cause?

Correct answer is A. An SVI's line protocol only comes up when at least one physical port in that VLAN is active (up/up). If VLAN 30 does not exist in the VLAN database (show vlan brief), or if all ports in VLAN 30 are down or disconnected, the SVI remains down/down. Always verify with show vlan brief and show interfaces status.

8. In a Router-on-a-Stick setup, the parent physical interface (Gi0/0) has no IP address configured. Is this correct?

Correct answer is D. In ROAS, the parent physical interface (e.g., Gi0/0) only needs to be brought up with no shutdown — it does not require an IP address. All IP addressing is assigned to sub-interfaces (Gi0/0.10, Gi0/0.20, etc.). The parent interface simply provides the physical connection and electrical signal; the sub-interfaces handle all logical Layer 3 functions.

9. What is the difference between a routed port and an SVI on a multilayer switch?

Correct answer is B. A routed port is created by applying no switchport to a physical interface, removing it from Layer 2 operation entirely — it behaves like a traditional router interface. An SVI (interface vlan X) is a virtual logical interface that represents the entire VLAN and provides a gateway for all devices in that VLAN. Routed ports are typically used for uplinks; SVIs for VLAN gateways and inter-VLAN routing.

10. A network engineer must implement inter-VLAN routing for 30 VLANs at the distribution layer of an enterprise campus network with high traffic volumes. Which solution is most appropriate and why?

Correct answer is C. For a high-traffic enterprise distribution layer with 30 VLANs, a Layer 3 switch with SVIs is the only practical solution. ROAS (even with 10G) creates a software-routed bottleneck and a single point of failure. Legacy separate interfaces would require 30 physical router ports — completely impractical. A multilayer switch routes in hardware at wire speed, supports all 30 SVIs simultaneously, and can be configured with HSRP or VRRP for first-hop redundancy. This is the industry-standard enterprise design pattern.
