2.8 Inter-VLAN Routing — Deep Dive

Why Inter-VLAN Routing Is Needed

A VLAN is a separate broadcast domain and a separate IP subnet, so by design a host in VLAN 10 (10.0.10.0/24) cannot reach a host in VLAN 20 (10.0.20.0/24) without a Layer 3 hop. Inter-VLAN routing provides that hop. The CCNA expects you to compare three methods and configure two of them (router-on-a-stick and Layer 3 SVIs).

The legacy method is obsolete because it wastes physical interfaces. Modern designs use a Layer 3 switch because routing happens in hardware at wire speed.

Router-on-a-Stick (ROAS)

ROAS carries every VLAN over a single trunk to a router, which routes between sub-interfaces. Each sub-interface is tagged for one VLAN and holds that VLAN's gateway IP:

Router(config)# interface gi0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 10.0.10.1 255.255.255.0
Router(config)# interface gi0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 10.0.20.1 255.255.255.0

The matching switch port must be a trunk (switchport mode trunk). The exam's #1 ROAS trap is forgetting encapsulation dot1Q or mismatching the VLAN number — without it, the sub-interface cannot receive that VLAN's tagged frames. The native VLAN sub-interface uses encapsulation dot1Q <vlan> native.

Layer 3 Switch with SVIs

A Switch Virtual Interface (SVI) is a virtual Layer 3 interface tied to a VLAN; its IP becomes the gateway for that VLAN. Configuration has a step everyone forgets — the global ip routing command, without which the switch stays Layer 2 even though SVIs have IPs:

Switch(config)# ip routing
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.0.10.1 255.255.255.0
Switch(config)# interface vlan 20
Switch(config-if)# ip address 10.0.20.1 255.255.255.0

You may also create a routed port with no switchport then ip address — used for the uplink to a core router, not for VLAN gateways. SVIs are the preferred answer whenever the question mentions a multilayer/Layer 3 switch.

SVI State Logic and Verification

An SVI's line state follows specific rules the exam tests:

So an SVI for VLAN 20 shows up/down when no access or trunk port carrying VLAN 20 is in the up/up state — bring up a port in that VLAN to fix it. After configuration, verify with:

• show ip route — confirms the VLAN subnets appear as directly connected (C) routes; if they are missing, ip routing is off.
• show ip interface brief — confirms each SVI's IP and up/up status.
• show vlan brief — confirms the VLAN exists and has ports.

If hosts have correct gateways but still cannot route, the usual culprits in order are: ip routing not enabled, an SVI in up/down, the host's default gateway not matching the SVI IP, or a trunk that does not carry the VLAN to the Layer 3 device.

End-to-End Worked Example

Picture VLAN 10 (10.0.10.0/24) and VLAN 20 (10.0.20.0/24) on a Layer 3 switch. PC-A is 10.0.10.5 with gateway 10.0.10.1; PC-B is 10.0.20.5 with gateway 10.0.20.1. For them to ping each other, every one of these must be true: ip routing is enabled; SVI VLAN 10 has IP 10.0.10.1 and is up/up; SVI VLAN 20 has IP 10.0.20.1 and is up/up; PC-A's access port is in VLAN 10 and PC-B's in VLAN 20; and each PC's default gateway exactly matches its SVI IP. show ip route should list both subnets as directly connected (C).

If PC-A can ping its own gateway 10.0.10.1 but not PC-B, routing is the suspect — confirm ip routing and that VLAN 20's SVI is up/up.

Router-on-a-Stick vs SVI Trade-offs

Both methods route between VLANs, but they differ in performance and use case:

ROAS funnels every inter-VLAN packet through one physical link, so a busy network saturates it; the SVI approach routes in the switch fabric and scales far better, which is why it is the default modern answer.

Inter-VLAN Routing Exam Traps

The highest-frequency mistakes: forgetting the global ip routing on a Layer 3 switch (SVIs have IPs but nothing routes); on ROAS, omitting encapsulation dot1Q or using the wrong VLAN number on a sub-interface, so that VLAN's tagged frames are dropped; mismatching the host default gateway to a non-existent or wrong SVI/sub-interface IP; and leaving the switch-to-router link as an access port when ROAS demands a trunk. Also remember an SVI stays up/down until a port in its VLAN is up — creating the SVI is not enough.

Verifying with show ip route, show ip interface brief, and show vlan brief in that order resolves nearly every inter-VLAN routing scenario the exam presents.