Inter VLAN Routing


The ability to create VLANs and establish multiple networks on a switch is useless if you cannot allow the separate VLANs to communicate with each other. For separate VLANs to communicate you need to have routing, you accomplish this by adding a router or a layer 3 switch to the network. The Cisco CCNA curriculum expects you to know how to configure inter-vlan routing using a router connected to a switch through a trunked link. Configuring Layer 3 switching is a CCNP topic and not expected in the CCNA.

To configure a router for inter-vlan routing the router’s ethernet port needs to be converted to a trunked link. As a trunk, multiple VLANs (networks) can travel across the one ethernet port. To do this the ethernet port needs to use sub-interfaces in order to become the gateway for multiple networks. The sub-interfaces also need to have the 802.1Q trunking protocol enabled and the VLAN ID or number specified in the configuration. When multiple VLANs (networks) can communicate with the router over one trunked link the configuration is called “Router on a Stick.”

In the video tutorials, below I cover the entire process of configuring VLANs, switchports and a trunk on a switch, and inter-vlan routing on a router, using Cisco’s Packet Tracer program to simulate a real network environment.

Video Tutorials

In part 1, I discuss the need for VLANs and Inter-VLAN routing in a network

If you want to follow along in Packet Tracer with the parts 2 & 3. Click here to download the start file:

In part 2, I lay out the “Router on a Stick” topology and begin configuring the switch for VLANs

In part 3, I configure sub-interfaces, 802.1Q encapsulation with VLAN IDs, and the native VLAN on the router

Video Tutorials

In this video, I setup inter-VLAN routing by configuring the switch VLANs, switchports, and trunk, then I configure the router the subinterfaces on the router with IP addresses and the 802.1Q protocol.

In this video, I configure the router for inter-vlan routing

VLANs and Trunks

VLANs Overview

VLANs – A switches is used to set up a local area network (LAN). A VLAN stands for a virtual local area network. By default, all of the ports on a Cisco switch are part of the same default VLAN (VLAN1) and therefore the same network. A VLAN is a network and a network is a broadcast domain. If you configure various switch ports for separate VLANs, then the devices on those ports will belong to separate VLANs and therefore, will be segmented into separate broadcast domains and networks. This is effectively like dividing a switch into multiple switches. This is cost effective, because instead of having multiple switches, each for a different network, you can have one switch configured for multiple VLANs and you can assign the ports on that switch to belong to whatever VLAN you need the host to belong to.

VLAN Types

Data VLAN – A data VLAN carries only user data not management data, control data or voice data.

Default VLAN – On a Cisco switch the default VLAN is VLAN1. This means that by default, when a Cisco switch boots up for the first time all the ports are automatically assigned to the default VLAN, VLAN1. You cannot delete or rename VLAN1 but you can assign the ports on the switch to a different VLAN. It is considered best practice to make all of the user ports on the switch belong to a different default VLAN, one other than VLAN1. In this way, control data such as CDP and STP (spanning tree protocol) which are by default carried on VLAN1 would be on a separate VLAN from user data.

Native VLAN – The native VLAN, if not explicitly configured, will default to the default VLAN, (VLAN1). The Native VLAN is configured for an 802.1Q Trunk port. 802.1Q trunks carry traffic from multiple VLANs by tagging the traffic with VLAN identifiers (Tagged Traffic) which identifies which packets are associated with which VLANs, and they can also carry non VLAN traffic from legacy switches or non 802.1Q compliant switches (Untagged Traffic). The switch will place untagged traffic on the Native VLAN by using a PVID identifier. Native VLAN traffic is not tagged by the switch. It is a best practice to configure the Native VLAN to be different than VLAN1 and to configure it on both ends of the trunk.

Management VLAN – The management VLAN is any VLAN you configure to allow a host to connect to the switch and remotely manage it. The management VLAN will need to be configured with an IP address and subnet mask to allow a manager to connect to the switch by either a web interface (HTTP), Telnet, SSH, or SNMP.

VLAN ID Ranges

Normal Range

  • 1 to 1005
  • VLAN1 (default), created by default, cannot be deleted
  • VLAN1002-1005 (Token Ring and FDDI default), created by default and cannot be deleted
  • Stored in the VLAN.dat file in Flash memory

Extended Range

  • 1006 – 4094
  • Extended VLAN range used by ISPs
  • Stored in Running-Config

Trunks – If you have a switch that has ports variously configured on four different VLANs, then that switch has four different networks on it. When you connect that switch to a router or to another switch you will need four ethernet connections or links, one for each VLAN/network. A more cost effective way to connect a switch with multiple VLANs to a router or switch would be to configure a Trunk. A Trunk is a special kind of port configuration which allows multiple VLANs to travel over one link. This way multiple networks can travel over one trunk instead of wasting valuable ports to connect from switch to switch or switch to router. A Cisco trunk by default uses the 802.1Q protocol. The 802.1Q protocol places and strips VLAN tags on packets to identify which VLAN they belong to.

CLI Commands

switch#show vlan
switch#show interfaces trunk

switch(config)#vlan <vlan number>
switch(config-vlan)#name <vlan name>

switch(config)#interface fa0/x
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan <1-4096>

switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan <1-1005>
switch(config-if)#switchport trunk native vlan <1-1005>

Configuring VLANs and Trunks Video Tutorials

In the video tutorials below I demonstrate how to configure VLANs and Trunks on a Cisco switch using Packet Tracer.

LAN Design


A hierarchical network design model, as opposed to a flat network design model, creates a more more functional network by differentiating network devices into core, distribution, and access layers, which creates a hierarchy of network devices and gives the network the following benefits:

•  Scalability – is improved because having distribution layer 3 switches segments the network, creates multiple broadcast domains, and distributes routing duties, this in turn allows the ability to add more access layer switches and add more host computers.
•  Redundancy – instead of having only one way out of the network, a hierarchical network design creates redundant, interconnected (meshed) distribution layer and core layer switches allowing more paths for traffic to flow.
•  Manageability – centralized management software can manage from the distribution layer
•  Enhanced bandwidth resources – greater network segmentation will lead to better bandwidth availability
•  Enhanced Security – having more than one distribution layer switch allows differentiated security policies and network security services

Hierarchical Network Design Model

  • Access Layer -This layer is used to connect end devices to the network such as PC’s, IP phones, and Printers. This layer may also include switches and routers especially workgroup switches which connect to end users. The Access Layer is also used to allow and control which devices can communicate on the network.
  • Distribution Layer -This is the layer where we apply filtering and apply network policies. The distribution layer controls the flow of the network, adds redundancy, and adds routing functions between VLANs.  High performance switches.
  • Core Layer – The core is the backbone of the network and it requires the highest level of bandwidth, typically fiber optic connections. The core connects to the ISP and has major routers and switches with redundancy. The core interconnects the distribution layer switches and routers.

Switch Attributes

  • Port Security – The ability to configure which host MAC addresses can be on a port, and shutdown ports if they are not the specified host MAC addresses.
  • PoE (power over ethernet) – The ability to use certain ethernet wire pairs for electrical power instead of data.
  • Link Aggregation – The ability to have multiple ports work together as uplink ports, effectively doubling and tripling uplink speeds.
  • QoS (quality of service)- The ability to distinguish and prioritize certain kinds of traffic like voice data.
  • Port Density – How many ports a switch has.
  • VLANs (virtual local area networks) – The ability to create VLANs and assign ports to separate VLANs
  • Access List Control – Layer 3 functionality. A layer 3 switch, which is a switch and a router combined is needed.

Switch Types

  • Fixed Configuration Switches -Cannot be changed or altered, port density is set.
  • Modular Switches – Can be altered by adding switch blade ports.
  • Stackable Switches – Special high speed backplane for connecting the switches together.

Switching Modes

  • Store and Forward – Slowest, most reliable
  • Cut Through Switching – Faster, but less reliabl
  • Fast Forward – Fastest, least reliable. The switch forwards the packet/frame once it has stripped off the destination MAC address.
  • Fragment Free – Second fastest. The switch forwards the packet after reading the first 64 bytes.

Basic Switch Configuration and Port Security

Switch Security Overview

In the video tutorials below, I show how to use Packet Tracer to build a small LAN with a Cisco 2960 Switch, three PC clients, and two PC servers, one of the servers is placed on a separate VLAN for management purposes. Excellent review and study for the Cisco CCNA exam. The networking tasks that are accomplished in the videos are:

• Changing the management VLAN on the switch,
• Configuring the switch with an IP address,
• Configuring the switchports as access ports and assigning them to VLANs,
• Remotely connecting to the switch with telnet,
• Configuring passwords for console and virtual terminal ports,
• Configure privileged user mode with an md5 encrypted password,
• Configuring the hostname on the switch,
• Testing LAN connections with the Ping utility,
• Backing up the switch configuration file and IOS image file to a TFTP server using the copy command,
• Using the show mac-address-table command,
• Configuring switchport port-security and sticky mac address

Video Tutorials