Lab Overview
In this CCNA lab, we are going to take a look at how inter-VLAN routing works and how to configure it using both the router-on-a-stick (ROAS) method and with layer 3 switches. As discussed in my VLAN configuration lab, we know that VLANs segment portions of a network, and devices on one VLAN cannot communicate with devices on another VLAN. VLANs are also normally configured with different subnets. Because of this, we need a layer 3 device for different VLANs to communicate with each other.
Methods of VLAN Routing
Before we do the lab, let’s make sure you understand the methods of inter-VLAN routing. There are three ways to do it:
- Routers with separate interfaces (legacy) – The traditional way of routing between VLANs. While this method still works and may still be found in networks today, it is the least efficient way to do it. This method requires a physical interface on the router for each VLAN. If your network has many VLANs, hundreds even, you can see how that could become a problem and does not scale well.
- Routers with sub-interfaces – This method replaces the traditional way of routing. Instead of requiring a separate physical interface for each VLAN, you can use a single physical interface and configure virtual sub-interfaces underneath it. Each VLAN would have its own sub-interface with a unique IP address. This is the method used in Router-on-a-stick.
- Multilayer (Layer 3) Switches – This is the modern way of routing VLANs and is very scalable. Layer 3 switches are devices that have the functionality of a traditional layer 2 switch and a router. This method takes advantage of interfaces known as switch virtual interfaces (SVIs). These are virtual interfaces that perform similarly to sub-interfaces on routers would, and provides a layer 3 interface for each VLAN. VLAN traffic is switched and routed much faster with lower latency using this method.
If you are new to my site, I recommend going through my VLAN configuration and trunk configuration labs before proceeding with this guide. If you are already comfortable with configuring trunks and VLANs, then feel free to skip those.
In this lab, we will go over the following:
I have provided Packet Tracer labs to go with this post. One is for router-on-a-stick configuration, and one is for Layer 3 switch configuration. This post covers both labs.
- Inter-VLAN Routing with Router-on-a-Stick
(Completed lab available here) - Inter-VLAN Routing with Layer 3 Switches
(Completed lab available here)
VLAN Routing with Router-on-a-Stick
| VLAN | Name | Access Ports | Subnet |
| 10 | Administration | FastEthernet 0/1 | 10.1.10.0/24 |
| 20 | Accounting | FastEthernet 0/2 | 10.1.20.0/24 |
| 30 | HR | FastEthernet 0/3 | 10.1.30.0/24 |
| 40 | IT | FastEthernet 0/4-5 | 10.1.40.0/24 |
Objectives
- Configures VLANs on S1 and name them according to the above chart
- Configure switchports for access mode and assign ports to VLANs according to the chart
- Configure the link between S1 and R1 to be a trunk
- Configure sub-interfaces on R1 – G0/1
- Verify connectivity by pinging between PCs and browsing to nickm155.sg-host.com on each PC
Note: IP addressing for all PCs and the server has already been configured. Steps 1-3 have been covered in other labs, so I will not go into detail on how to configure those steps. Refer to my trunking and VLAN configuration labs for more information.
1. Configuring and Naming VLANs
Configuring VLANs is covered in my VLAN configuration lab. In short, VLANs can be created using the vlan command followed by the vlan-id. This will create the VLAN and enter into VLAN config mode. Use the name command to apply a name to VLAN. This is not required but helps keep things organized.
S1(config)#vlan 10
S1(config-vlan)#name Administration
Repeat for each VLAN.2. Configuring Switchports and Assigning to VLANs
Assigning access ports to VLANs is also covered in my VLAN guide, but you can follow the below example to configure them. Make sure you reference the chart to make sure you assign the ports to the correct VLANs.
S1(config)#int fa0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 10
S1(config-if)#no shutdown
Repeat for each VLAN according to the chart.3. Configure the Trunk Link
If you recall from my trunk configuration lab, trunks are required to pass VLAN information between network devices. Links between network devices are often configured to be trunks for this reason. You will need to configure the link between S1 and R1 as a trunk. If you forgot how to do that, reference my trunk lab or the full configuration on my Github (link at the bottom of this article).
4. Configure Sub-interfaces
Creating sub-interfaces is extremely simple and useful. Before sub-interfaces were used for inter-VLAN routing, routers would need an interface for each VLAN used in the network. By transitioning to using the ROAS method, only one interface is needed and can handle all VLANs. To configure sub-interfaces, you use the command interface {interface type} {interface number}.{sub-interface}. In the below example, you can see I used the command interface GigabitEthernet 0/1.10. This is a sub-interface of the Gi0/1 interface on the router.
Once in sub-interface config mode, we need to set the encapsulation to use the dot1q standard followed by the vlan-id. We can then configure the IP address of the interface using an IP address from the subnet used by the VLAN. In the instructions, I’ve asked you to use the last available address from each subnet. This address becomes the gateway for the VLAN.
After configuring each sub-interface, you can exit and go back to the interface configuration mode for interface gigabitethernet 0/1 and use the no shutdown command to make all of the sub-interfaces come up.
R1(config)#interface GigabitEthernet 0/1.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 10.1.10.254 255.55.255.0
R1(config-subif)#exit
R1(config)#int gi0/1
R1(config-if)#no shutdownNote: VLAN 1 is not used in this lab. There is no need to create a sub-interface for VLAN 1. Normally, VLAN 1 would be configured as well, usually as the Native VLAN.
5. Verify Connectivity
If you have completed the configuration successfully, all PCs should be able to ping each other and browse to nickm155.sg-host.com in the browsers. If you cannot ping or browse to the website, double check your IP addressing and configuration. If you cannot find the issue, compare your configuration with the full configuration for this lab located on my Github.
VLAN Routing with Multilayer/Layer 3 Switches
As mentioned previously, using a layer 3 switch to route between VLANs offers a significant speed benefit. As a reminder, switches can route traffic between VLANs much faster and are not bottlenecked by the link between it and a router. When using a multilayer switch, you can create interfaces called switch virtual interfaces (SVIs), which are virtual layer 3 interfaces.
| VLAN | Name | Access Ports | Subnet |
| 10 | Administration | GigabitEthernet 1/0/1 | 10.1.10.0/24 |
| 20 | Accounting | GigabitEthernet 1/0/2 | 10.1.20.0/24 |
| 30 | HR | GigabitEthernet 1/0/3 | 10.1.30.0/24 |
| 40 | IT | GigabitEthernet 1/0/4-5 | 10.1.40.0/24 |
Objectives
- Create VLANs on the switch and name them accordingly
- Configure ports for access mode and assign to correct VLANs according to the chart
- Enable IP Routing
- Configure SVIs for each VLAN and assign configure them with the last IP address in the subnet
- Verify connectivity by pinging between PCs and browsing to nickm155.sg-host.com on each PC
1. Create and Name VLANs
This step is identical to the previous ROAS lab. As a reminder, use the VLAN command followed by a VLAN-id: vlan {vlan-id}, then under VLAN configuration, use the name command followed by the desired name: name {vlan name}.
You can verify the VLANs have been created by using the show vlan brief command from enable mode, or do show vlan brief from global config mode.
2. Configuring Switchports and Assigning to VLANs
Configuring switchports using a layer 3 switch is exactly the same as using the router-on-a-stick method. Using the chart above, go into interface configuration mode for each port you want to configure using the interface command followed by the interface type and number: interface {interface type} {interface number}.
Because these are access ports connected to end devices, the port needs to be in access mode. Once in interface configuration mode, configure the port for access mode using the switchport mode access command.
Now that the port is in access mode, you can assign it to the VLAN it belongs to. Assign the port to the appropriate VLAN using the switchport access vlan {vlan-id} command.
S1(config)#interface gigabitEthernet 1/0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 10
S1(config-if)#exitAs before, verify that the ports are assigned to the appropriate VLAN using the show VLAN brief command.
3. Enable IP Routing
In order for a layer 3 switch to do routing, IP routing must be enabled. This is done by simply going to global configuration mode and using the command ip routing. IP routing may be enabled by default for some layer 3 switches. In this lab, I have disabled IP routing.
4. Configuring SVIs
Switch virtual interfaces, or SVIs, are what allow all of this to work. They are essentially virtual interfaces that act as a layer 3 interface for a VLAN. You can look at them as interfaces on the switch’s built-in router. They can be configured using the interface vlan {vlan-id} command. You will notice the interface come up immediately.
Just like traditional ports, SVIs have an interface configuration mode where you can configure IP addresses among other things. I have asked you to configure SVIs with the last available IP address in each subnet.
S1(config)#int vlan 10
%LINK-5-CHANGED: Interface Vlan10, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
S1(config-if)#ip address 10.1.10.254 255.255.255.0
S1(config-if)#exitBecause SVIs act like normal ports, you can use all of the same show commands to look at them. For example, you can use show ip interface brief and show interface vlan {vlan-id}.
5. Verify Connectivity
If you have configured the lab successfully, you should now be able to ping between PCs and browse to nickm155.sg-host.com on the web browser of the PCs. You may notice ping drops at first, but should all be successful after that. If you can not ping successfully, double check your SVI and VLAN configuration. You can find the full configuration for this lab on my Github.
Thanks for Reading!
I hope this post has helped you inter-VLAN routing a little better and how to configure it. If you believe there is something wrong with the initial configuration, please contact me via my contact form to let me know.
Full Configuration
The full configurations for both labs can be found on my github!