Inter Vlan Routing

Category: Routing and Switching
Type: Network Concepts
Generated on: 2025-07-10 09:03:19
For: Network Engineering, Administration & Technical Interviews

---

Inter-VLAN Routing Cheatsheet

What is Inter-VLAN Routing?

Inter-VLAN routing is the process of forwarding network traffic between different VLANs (Virtual Local Area Networks). VLANs are logically separated broadcast domains within a physical network. Without inter-VLAN routing, devices in different VLANs cannot communicate with each other.

Why is it Important?

• Network Segmentation: Isolates network traffic for security and performance.

• Resource Optimization: Allows efficient use of network resources by grouping devices with similar needs.

• Simplified Management: Makes network management easier by organizing devices into logical groups.

• Security: Prevents broadcast traffic from one VLAN from affecting other VLANs, improving security.

• VLAN: A logically isolated broadcast domain within a physical network.

• Router: A device that forwards network traffic between different networks, including VLANs.

• Layer 3 Switch (Multilayer Switch): A switch that can perform routing functions in addition to switching. It operates at both Layer 2 (Data Link Layer) and Layer 3 (Network Layer) of the OSI model.

• Routed Port: A physical switch port configured as a Layer 3 interface, similar to a router interface.

• Switch Virtual Interface (SVI): A virtual interface configured on a switch representing a VLAN. It’s a Layer 3 interface associated with a VLAN.

• Trunk Port: A port that carries traffic for multiple VLANs. Uses protocols like 802.1Q to tag frames with VLAN IDs.

• Access Port: A port that carries traffic for a single VLAN.

• Subinterface: A virtual interface on a router that is associated with a specific VLAN. Used in “Router-on-a-Stick” configurations.

• 802.1Q (VLAN Tagging): A standard protocol for tagging Ethernet frames with VLAN IDs.

There are two primary methods for inter-VLAN routing:

A. Router-on-a-Stick (ROAS):

• A single physical interface on a router is used to route traffic between multiple VLANs.
• The interface is divided into subinterfaces, each associated with a specific VLAN.
• 802.1Q trunking is used to carry VLAN traffic between the switch and the router.

+----------+      +-----------+      +----------+
|  PC (VLAN |------| Switch    |------| Router   |
|   10)    |      | (Trunking)|      | (Sub-   |
+----------+      +-----------+      | interface)|
                   |           |      +----------+
+----------+      |           |
|  PC (VLAN |------|           |
|   20)    |      +-----------+
+----------+

1. PC in VLAN 10 sends a packet to PC in VLAN 20:
2. The switch receives the packet on an access port (VLAN 10).
3. The switch forwards the packet to the trunk port, adding an 802.1Q tag with VLAN ID 10.
4. The router receives the tagged packet on the trunk port.
5. The router examines the VLAN tag and forwards the packet to the appropriate subinterface (VLAN 10).
6. The router routes the packet to the subinterface associated with VLAN 20.
7. The router adds a new 802.1Q tag with VLAN ID 20.
8. The router sends the tagged packet back to the switch through the trunk port.
9. The switch removes the VLAN tag and forwards the packet to the access port associated with VLAN 20.
10. The destination PC in VLAN 20 receives the packet.

B. Layer 3 Switching (Using SVIs and Routed Ports):

• The switch itself performs the routing function.
• SVIs are created for each VLAN, acting as the gateway for devices in that VLAN.
• Routed ports can be used for direct connections to other Layer 3 devices.

+----------+      +-----------+
|  PC (VLAN |------| Layer 3   |
|   10)    |      | Switch    |
+----------+      | (SVIs &   |
                   | Routing)  |
+----------+      +-----------+
|  PC (VLAN |------|
|   20)    |      |
+----------+

1. PC in VLAN 10 sends a packet to PC in VLAN 20:
2. The switch receives the packet on an access port (VLAN 10).
3. The switch determines that the destination IP address is in a different subnet (VLAN 20).
4. The switch routes the packet using its internal routing table, using the SVI for VLAN 10 as the gateway.
5. The switch forwards the packet to the SVI associated with VLAN 20.
6. The switch forwards the packet to the access port associated with VLAN 20.
7. The destination PC in VLAN 20 receives the packet.

802.1Q Header (VLAN Tag):

The 802.1Q tag is inserted into the Ethernet frame header.

+-----------------------------------------------------------------+
| Destination MAC Address | Source MAC Address | 802.1Q Tag | EtherType | Data | FCS |
+-----------------------------------------------------------------+

• TPID (Tag Protocol Identifier): 0x8100 (identifies the frame as 802.1Q tagged)
• Priority: 3-bit field for QoS (Quality of Service).
• CFI (Canonical Format Indicator): Used for Token Ring compatibility (usually 0).
• VLAN ID (VID): 12-bit field representing the VLAN ID (0-4095, but 0 and 4095 are reserved).

Packet Flow (Example: Router-on-a-Stick):

Imagine PC1 (192.168.10.10/24, VLAN 10) pings PC2 (192.168.20.20/24, VLAN 20). The gateway for PC1 is 192.168.10.1 (router’s subinterface for VLAN 10).

1. PC1 -> Switch: Ethernet frame with:
   • Source MAC: PC1’s MAC
   • Destination MAC: Router’s MAC (for 192.168.10.1)
   • Source IP: 192.168.10.10
   • Destination IP: 192.168.20.20
2. Switch -> Router (Trunked): Ethernet frame with:
   • Source MAC: PC1’s MAC
   • Destination MAC: Router’s MAC
   • 802.1Q Tag: VID = 10
   • Source IP: 192.168.10.10
   • Destination IP: 192.168.20.20
3. Router -> Switch (Trunked): Ethernet frame with:
   • Source MAC: Router’s MAC
   • Destination MAC: PC2’s MAC
   • 802.1Q Tag: VID = 20
   • Source IP: 192.168.10.10
   • Destination IP: 192.168.20.20
4. Switch -> PC2: Ethernet frame with:
   • Source MAC: Router’s MAC
   • Destination MAC: PC2’s MAC
   • Source IP: 192.168.10.10
   • Destination IP: 192.168.20.20

• Corporate Network: Separating departments (e.g., Sales, Marketing, Engineering) into different VLANs for security and access control. Inter-VLAN routing allows them to share resources like printers and file servers, while maintaining isolation for sensitive data.

• University Network: Separating student, faculty, and guest networks into different VLANs to manage bandwidth and security. Inter-VLAN routing allows students to access the internet while preventing them from accessing sensitive faculty resources.

• Data Center: Segmenting servers into different VLANs based on application or security requirements. Inter-VLAN routing allows communication between application tiers while isolating sensitive databases.

• VOIP Networks: Separating voice traffic into a dedicated VLAN to prioritize voice packets and ensure call quality. Inter-VLAN routing allows voice traffic to communicate with other networks.

• Incorrect VLAN Assignments: Devices are assigned to the wrong VLAN, preventing communication.

  • Troubleshooting: Verify VLAN assignments on switch ports and end devices. Use show vlan brief on the switch.

• Missing VLAN Configuration: VLANs are not configured on the switch or router.

  • Troubleshooting: Create the necessary VLANs on the switch and router. Use show vlan brief to verify VLAN configuration.

• Incorrect IP Addressing: Devices are using incorrect IP addresses or subnet masks.

  • Troubleshooting: Verify IP addresses, subnet masks, and gateway addresses on end devices. Use ipconfig (Windows) or ifconfig (Linux/macOS).

• Missing or Incorrect Routing: The router or Layer 3 switch is not configured to route traffic between VLANs.

  • Troubleshooting: Verify routing configuration on the router or Layer 3 switch. Use show ip route.

• Trunking Issues: Trunk ports are not configured correctly, or VLANs are not allowed on the trunk.

  • Troubleshooting: Verify trunk port configuration, including encapsulation (802.1Q) and allowed VLANs. Use show interface trunk.

• MTU (Maximum Transmission Unit) Issues: MTU mismatch between devices can cause packet fragmentation and performance problems.

  • Troubleshooting: Verify MTU settings on all devices. The standard Ethernet MTU is 1500 bytes. Consider Path MTU Discovery (PMTUD).

• ACL (Access Control List) Issues: ACLs are blocking traffic between VLANs.

  • Troubleshooting: Review ACL configurations and ensure that necessary traffic is permitted. Use show ip access-lists.

• Spanning Tree Protocol (STP) Issues: STP can block ports, preventing traffic flow.

  • Troubleshooting: Verify STP configuration and ensure that the correct root bridge is selected. Use show spanning-tree.

A. Router-on-a-Stick (Cisco IOS):

! Router Configuration
interface GigabitEthernet0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0.10  ! Subinterface for VLAN 10
 encapsulation dot1Q 10        ! VLAN ID 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20  ! Subinterface for VLAN 20
 encapsulation dot1Q 20        ! VLAN ID 20
 ip address 192.168.20.1 255.255.255.0
!
ip routing  ! Enable IP routing globally

! Switch Configuration
vlan 10
 name VLAN10
!
vlan 20
 name VLAN20
!
interface GigabitEthernet0/1  ! Connects to PC VLAN 10
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2  ! Connects to PC VLAN 20
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/3  ! Trunk port to Router
 switchport mode trunk
 switchport encapsulation dot1q
 switchport trunk allowed vlan 10,20

B. Layer 3 Switching (Cisco IOS):

! Layer 3 Switch Configuration
vlan 10
 name VLAN10
!
vlan 20
 name VLAN20
!
interface Vlan10  ! SVI for VLAN 10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Vlan20  ! SVI for VLAN 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1  ! Connects to PC VLAN 10
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2  ! Connects to PC VLAN 20
 switchport mode access
 switchport access vlan 20
!
ip routing  ! Enable IP routing globally

Verification Commands:

• show vlan brief (Switch): Displays VLAN information.
• show interface trunk (Switch): Displays trunk port configuration.
• show ip interface brief (Router/Switch): Displays IP interface information.
• show ip route (Router/Switch): Displays the routing table.
• ping <destination_ip>: Tests connectivity.
• traceroute <destination_ip>: Traces the path to the destination.

Q1: What is inter-VLAN routing, and why is it necessary?

Answer: Inter-VLAN routing is the process of forwarding network traffic between different VLANs. It’s necessary because VLANs are logically separate broadcast domains. Without it, devices in different VLANs cannot communicate directly.

Q2: Explain the difference between Router-on-a-Stick and Layer 3 switching for inter-VLAN routing.

Answer: Router-on-a-Stick uses a single physical router interface with subinterfaces to route traffic between VLANs over a trunk link. It’s simpler to configure but can be a bottleneck. Layer 3 Switching uses a multilayer switch with SVIs to perform routing internally. It’s faster and more scalable but requires a more capable switch.

Q3: What is an SVI, and what is its purpose in inter-VLAN routing?

Answer: An SVI (Switch Virtual Interface) is a virtual interface on a Layer 3 switch associated with a VLAN. It acts as the gateway for devices in that VLAN, allowing the switch to route traffic between VLANs.

Q4: What is 802.1Q, and how is it used in inter-VLAN routing?

Answer: 802.1Q is a standard protocol for VLAN tagging. It adds a tag to Ethernet frames containing the VLAN ID, allowing trunk ports to carry traffic for multiple VLANs.

Q5: How would you troubleshoot a situation where devices in different VLANs cannot communicate?

Answer:

1. Verify VLAN assignments: Ensure devices are in the correct VLANs.
2. Check IP addressing: Verify IP addresses, subnet masks, and gateway addresses.
3. Examine routing configuration: Ensure the router or Layer 3 switch is configured to route between VLANs.
4. Verify trunking: Check trunk port configuration and allowed VLANs.
5. Check ACLs: Ensure ACLs are not blocking traffic.
6. Test connectivity: Use ping and traceroute.

Q6: What security considerations are important when implementing inter-VLAN routing?

Answer:

• ACLs: Use ACLs to control traffic flow between VLANs and prevent unauthorized access.

• VLAN segmentation: Properly segment VLANs based on security requirements.

• Monitoring: Monitor network traffic for suspicious activity.

• Authentication: Implement strong authentication mechanisms.

• VLAN Trunking Protocol (VTP): A Cisco proprietary protocol for managing VLAN information across multiple switches (less common now due to security concerns).

• First Hop Redundancy Protocols (FHRP): Protocols like HSRP, VRRP, and GLBP that provide redundancy for the default gateway.

• Quality of Service (QoS): Techniques for prioritizing network traffic based on importance.

• Network Address Translation (NAT): Translates private IP addresses to public IP addresses for internet access.

• Subnetting: Dividing a network into smaller subnets.

• Supernetting (CIDR): Combining multiple smaller networks into a larger network.

This cheatsheet provides a comprehensive overview of inter-VLAN routing, covering key concepts, configuration examples, troubleshooting tips, and interview questions. It’s designed to be a practical resource for both students and network professionals.