
Inter-VLAN Routing — Layer 3 Switch SVIs vs Router-on-a-Stick (CCNA Tutorial)

Free CCNA-level inter-VLAN routing tutorial for US networking learners. Why VLANs can't talk by default, router-on-a-stick with dot1Q sub-interfaces, the Layer-3 switch SVI method real networks use, and the #1 mistake that leaves SVIs up but routing dead.

You built your VLANs, trunked the switches, and everything inside each VLAN pings perfectly. Then VLAN 10 tries to reach VLAN 20 and… nothing. That’s not a bug — that’s VLANs doing exactly what they’re designed to do. Making them talk to each other is inter-VLAN routing, and there are two ways to do it: the one you learn first, and the one production networks actually use.

This tutorial makes the why click, then walks both methods — router-on-a-stick and the Layer-3 switch SVI — so you know which to reach for and can spot the one mistake that fakes everyone out. For the full reference (routed ports, latency trade-offs, verification deep-dive), see the Inter-VLAN Routing library topic.

Why VLANs can’t talk by default

A VLAN is a separate broadcast domain. Two PCs in different VLANs are, as far as the switch is concerned, on two completely different switches — there is no Layer-2 path between them, by design. That’s the whole point of VLANs: isolation.

To move a packet between two broadcast domains you need a device that operates at Layer 3 — something that can look at the destination IP, make a routing decision, and forward the packet into the other VLAN. That device is either a router or a switch that can route (a Layer-3 switch). Pick one of two wiring styles:

| Method | What it is | Use it for |
|---|---|---|
| Router-on-a-stick | One router interface, one sub-interface per VLAN, all over a single trunk | Labs, small offices (≤ 4 VLANs), branch routers |
| Layer-3 switch (SVIs) | A switch routing between VLANs in hardware, one virtual interface per VLAN | Production — every campus and data center |

Method 1 — Router-on-a-stick

One physical router interface carries every VLAN by splitting into sub-interfaces, each tagged with its VLAN’s 802.1Q ID:

R1(config)# interface Gi0/0
R1(config-if)#  no shutdown

R1(config)# interface Gi0/0.10
R1(config-subif)#  encapsulation dot1q 10
R1(config-subif)#  ip address 10.0.10.1 255.255.255.0

R1(config)# interface Gi0/0.20
R1(config-subif)#  encapsulation dot1q 20
R1(config-subif)#  ip address 10.0.20.1 255.255.255.0

The switch port facing the router must be a trunk carrying those VLANs:

SW1(config)# interface Gi0/24
SW1(config-if)#  switchport mode trunk
SW1(config-if)#  switchport trunk allowed vlan 10,20

A frame from VLAN 10 rides the trunk up to Gi0/0.10, the router routes it, and it comes back down tagged for VLAN 20. Simple and exam-friendly.

The catch: every inter-VLAN packet crosses that one trunk link twice. All inter-VLAN traffic shares that single cable’s bandwidth. Fine for a small office, a bottleneck anywhere serious. (If that trunk is silently dropping a VLAN, that’s its own classic ticket — see Why your trunk isn’t passing a VLAN.)

Method 2 — Layer-3 switch SVIs (what production uses)

Modern Catalyst switches route in hardware. Instead of hauling traffic out to a router, the switch routes between VLANs itself using Switched Virtual Interfaces (SVIs) — one virtual Layer-3 interface per VLAN:

SW1(config)# ip routing                       ! <-- the line everything depends on

SW1(config)# interface vlan 10
SW1(config-if)#  ip address 10.0.10.1 255.255.255.0
SW1(config-if)#  no shutdown

SW1(config)# interface vlan 20
SW1(config-if)#  ip address 10.0.20.1 255.255.255.0
SW1(config-if)#  no shutdown

That’s it. The switch is now the default gateway for both VLANs, and inter-VLAN traffic switches at wire speed — no trunk to bottleneck, no separate router to buy. This is the method you’ll see on virtually every real campus network.

The #1 mistake: SVIs up, routing dead

Here’s the trap that catches everyone exactly once. You configure the SVIs, they show up/up, the IPs are right — and inter-VLAN ping still fails. You’ll stare at the SVIs convinced they’re broken.

They’re not. You forgot ip routing. A Layer-3 switch ships as a Layer-2 switch by default; without that one global command it will bring the SVIs up but flatly refuse to route between them. Turn it on and traffic flows instantly.

The proof is in the routing table — after ip routing, each SVI shows up as a connected route:

SW1# show ip route
C   10.0.10.0/24 is directly connected, Vlan10
C   10.0.20.0/24 is directly connected, Vlan20

Two connected routes = the switch knows it can deliver to both VLANs. No connected routes for your SVIs = ip routing is off, or the SVI is down.

The other two gotchas

Once routing is on, two host-side mistakes account for almost every remaining failure:

  1. Wrong default gateway on the PC. Each host must point its default gateway at its own VLAN’s L3 interface (the SVI or sub-interface IP). Point a VLAN 10 host at the VLAN 20 gateway and it can’t reach anything off-subnet.
  2. Trunk doesn’t allow the VLAN (router-on-a-stick). If switchport trunk allowed vlan leaves out VLAN 20, the .20 sub-interface never sees a single frame — routing looks broken when it’s really a trunk filter.

Memorize the order of attack: ip routing → SVIs up → host gateways → trunk allowed-list. That sequence resolves nearly every inter-VLAN ticket you’ll ever open.
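
The order of attack above, written as a small config audit (an added example, not code from the original post). It assumes IOS running-config text as input and a hypothetical host table of VLAN and default gateway; the function names, the sample config and the rule that every routed VLAN should appear on every explicit trunk allowed-list are assumptions made for the illustration.

```python
import ipaddress
import re

def interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    blocks = re.findall(r"^interface (\S+)\n((?:[ ].*\n)*)", config + "\n", re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in blocks}

def expand_vlans(spec):
    """Expand an allowed-list such as '10,20-22' into a set of VLAN IDs."""
    ranges = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def diagnose(config, hosts):
    """Findings in the page's order: ip routing, SVIs, host gateways, trunk allowed-list."""
    ifaces, findings, svis = interfaces(config), [], {}
    if not re.search(r"^ip routing$", config, re.M):
        findings.append("ip routing is not enabled")
    for name, lines in ifaces.items():
        m = re.fullmatch(r"vlan(\d+)", name, re.I)
        addr = next((l.split()[2:4] for l in lines if l.startswith("ip address ")), None)
        if m and ("shutdown" in lines or not addr):
            findings.append(f"{name}: SVI is shutdown or has no ip address")
        elif m:
            svis[int(m.group(1))] = ipaddress.ip_interface("/".join(addr))
    for host, (vlan, gw) in hosts.items():
        if vlan in svis and ipaddress.ip_address(gw) != svis[vlan].ip:
            findings.append(f"{host}: gateway {gw} should be {svis[vlan].ip}")
    # Assumption: every routed VLAN should be allowed on every trunk with an explicit list.
    for name, lines in ifaces.items():
        for l in lines:
            m = re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", l)
            missing = set(svis) - expand_vlans(m.group(1)) if m else set()
            findings += [f"{name}: trunk does not allow VLAN {v}" for v in sorted(missing)]
    return findings

# Constructed sample: "ip routing" is missing and the trunk filters out VLAN 20.
SAMPLE = """\
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10
"""
HOSTS = {"PC1": (10, "10.0.10.1"), "PC2": (20, "10.0.10.1")}  # name: (VLAN, gateway)

if __name__ == "__main__": print("\n".join(diagnose(SAMPLE, HOSTS)))
```

A trunk that omits a VLAN can be deliberate pruning, so treat the last class of finding as something to review against the topology, not an automatic fault.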

SVI or router-on-a-stick — which to pick?

Short version: use a Layer-3 switch with SVIs whenever you have one. It routes in hardware, scales, and has no trunk bottleneck. Reach for router-on-a-stick only when you’re stuck with a Layer-2-only switch and a separate router — small branches, labs, the exam’s “configure inter-VLAN with a router” question. Knowing when to use each is exactly the kind of judgment that separates a tech who memorized commands from an engineer.

See it move

This is a topic where watching beats reading — set up both methods and watch a ping cross VLANs:

  • VLAN & trunk simulator — build VLANs, trunk the link, and watch tagged frames cross between switches so the 802.1Q part stops being abstract.
  • Inter-VLAN routing hands-on lab — configure router-on-a-stick, then rebuild the same network with SVIs on a Layer-3 switch, and prove inter-VLAN ping works both ways. Then disable ip routing and watch it die — the fastest way to burn that command into memory.

What’s next

Inter-VLAN routing is two methods and one command you can’t forget — and wiring it up until the failure modes are reflex is precisely what we drill on live gear in the 1:1 CCNA program. First session is free.
