Skip to main content
Your first session is free. Claim mine
PacketMentor logo
Open menu
Home
Training
Cisco Mentorship
CCNACCNP
Short Courses
Python for Network EngineersAI for Network OperationsDevNet Associate PrepInterview Sprint
Custom Training
Corporate Training
All training →
CCNA Library (74)
Browse all CCNA topics →
Network (13)
OSI Model & TCP/IPIPv4 AddressingTCP vs UDPSubnettingIPv6 BasicsARP — Address Resolution ProtocolICMP — Internet Control Message ProtocolTCP 3-Way HandshakeCabling & Media StandardsMTU & FragmentationWAN Connection TypesHierarchical Network DesignNetwork Virtualization & Containers
Device Operations (5)
Cisco IOS Device ManagementPower over Ethernet (PoE)Cisco IOS File SystemPassword Recovery & Configuration RegisterNetwork Troubleshooting Methodology
Network Access (12)
MAC Address TableVLANsTrunks & 802.1Q TaggingSpanning Tree Protocol (STP)EtherChannel (Link Aggregation)Switching OperationCDP & LLDP — Neighbor DiscoveryBPDU Guard & Root GuardCatalyst Boot ProcessVTP — VLAN Trunking ProtocolRapid STP & MSTPPrivate VLANs (PVLAN)
Wireless (6)
Wireless LAN BasicsWLAN Architectures — Autonomous, Centralized (WLC), Cloud, EmbeddedWi-Fi Security — WEP, WPA, WPA2, WPA3Wi-Fi 6, 6E, and 7 FeaturesWireless RF FundamentalsAccess Point Operating Modes
IP Connectivity (10)
Inter-VLAN RoutingStatic RoutingDefault RoutingRouting Decision ProcessFHRP — HSRP, VRRP & GLBPLayer-3 Switch & SVI RoutingOSPF Single-AreaRoute SummarizationIPv6 SLAAC & DHCPv6IPv6 Transition Mechanisms
IP Services (11)
HSRP vs VRRP vs GLBP — FHRP ComparedDHCP — Dynamic Host Configuration ProtocolNAT & PATDNS — Domain Name SystemNTP — Network Time ProtocolSyslogQoS BasicsSNMP — Simple Network Management ProtocolIGMP & IGMP SnoopingNTP Authentication & SecurityDHCP Relay & IP Helper
Security (10)
Access Control Lists (ACLs)Port SecurityDHCP SnoopingAAA · RADIUS & TACACS+802.1X — Port-Based Network Access ControlVPN Basics — IPsec & SSLDynamic ARP Inspection (DAI)IP Source Guard (IPSG)Encryption FundamentalsCybersecurity Threats & Mitigation
Automation (7)
REST APIs for Network EngineersAnsible for Network EngineersJSON, YAML & XML for Network EngineersNETCONF & YANGPython for Network EngineersSDN & Controller-Based NetworkingAI & ML in Network Operations
CCNP Library (15)
Browse all CCNP topics → SPAN, RSPAN & ERSPAN — Port MirroringGRE TunnelsEIGRPOSPF Multi-AreaIPv6 Routing — Static & OSPFv3BGP BasicsTCP Connection StatesCisco AnyConnect / Remote Access VPNCisco ISE BasicsNetFlow & Flow-Based MonitoringgRPC & gNMI — Streaming TelemetrySD-WAN ConceptsMPLS BasicsCisco DNA Center / Catalyst CenterVRF Basics — Virtual Routing and Forwarding
LabsPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
IP Connectivity Foundational

Inter-VLAN Routing

How devices in different VLANs talk to each other. Covers router-on-a-stick (with sub-interfaces), Layer-3 switch SVIs, and when to pick each.

TL;DR
  • VLANs separate broadcast domains. Routing between them requires a Layer-3 device — either a router or an L3 switch.
  • Router-on-a-stick uses one trunk + one sub-interface per VLAN on the router. Simple, but the trunk becomes a bottleneck.
  • Layer-3 switch SVIs are faster — routing happens in hardware on the switch itself. Standard in production.

Mental model

VLANs are broadcast domains. Two PCs in different VLANs are, from the network’s perspective, on different switches. They can’t talk to each other at Layer 2 — there is no Layer 2 path between them, by design.

To make them talk, you need something at Layer 3 — a router (or a switch that can route, called a Layer-3 switch). The Layer-3 device has an interface in each VLAN. A frame from VLAN 10 arrives at the router, the router strips the Layer-2 header, makes a routing decision based on destination IP, and sends the packet back out into the appropriate VLAN.

Two ways to wire this up:

ApproachWhat it isBest for
Router-on-a-stickOne physical router interface, one sub-interface per VLAN, all over a trunkSmall networks (≤ 4 VLANs), labs, branch routers
Layer-3 switch (SVIs)A switch with built-in routing — one “switched virtual interface” per VLANProduction. Standard for any campus / data center.

Router-on-a-stick

A single physical router interface carries traffic for multiple VLANs by using sub-interfaces, one per VLAN, each tagged with that VLAN’s 802.1Q ID.

R1(config)# interface GigabitEthernet0/0
R1(config-if)# no shutdown

R1(config)# interface GigabitEthernet0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 10.0.10.1 255.255.255.0

R1(config)# interface GigabitEthernet0/0.20
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 10.0.20.1 255.255.255.0

The corresponding switch port becomes a trunk:

SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20

PC-A in VLAN 10 sends to PC-B in VLAN 20 → frame goes up the trunk → router’s Gi0/0.10 sub-interface receives → router routes to Gi0/0.20 sub-interface → frame goes back down the trunk with VLAN 20 tag.

The bottleneck: every inter-VLAN packet traverses the trunk twice. If the trunk is 1 Gbps, all inter-VLAN traffic shares that 1 Gbps. Fine for small offices, terrible for data centers.

Layer-3 switch with SVIs

Modern Catalyst switches have routing built in. Instead of sending traffic out to a router, the switch routes between VLANs in hardware using Switched Virtual Interfaces (SVIs) — one virtual L3 interface per VLAN.

SW1(config)# ip routing                          ! enable routing on the switch

SW1(config)# vlan 10
SW1(config-vlan)# name USERS
SW1(config)# vlan 20
SW1(config-vlan)# name SERVERS

SW1(config)# interface vlan 10
SW1(config-if)# ip address 10.0.10.1 255.255.255.0
SW1(config-if)# no shutdown

SW1(config)# interface vlan 20
SW1(config-if)# ip address 10.0.20.1 255.255.255.0
SW1(config-if)# no shutdown

That’s it. The switch is now the default gateway for both VLANs, and inter-VLAN traffic switches in hardware at wire-speed.

An L3 switch can also have a routed port — a port that acts like a router interface (not part of any VLAN):

SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# no switchport          ! turn off Layer-2 behavior
SW1(config-if)# ip address 10.0.99.1 255.255.255.252

Used for point-to-point uplinks between L3 switches or to routers — no VLAN, no STP, just routing.

Verification

R1# show ip interface brief
R1# show ip route
SW1# show ip interface vlan 10
SW1# show ip route

On an L3 switch, show ip route should display directly-connected routes for each SVI — that’s how it knows it can deliver inter-VLAN traffic.

Common mistakes

  1. Forgetting to enable ip routing on a Layer-3 switch. SVIs come up, but the switch refuses to route between them. Always ip routing first.

  2. Setting hosts’ default gateway to the wrong VLAN’s SVI. Each PC must have its default gateway pointed to its own VLAN’s SVI (or sub-interface). Mixing them up = host can’t reach anything off-subnet.

  3. Trunk port doesn’t allow the VLAN. Router-on-a-stick relies on the trunk carrying all the relevant VLANs. If the switch’s switchport trunk allowed vlan list doesn’t include VLAN 20, sub-interface Gi0/0.20 will never see traffic.

  4. Sub-interface encapsulation mismatch. The number after encapsulation dot1q must match the VLAN ID on the switch side. Gi0/0.10 encapsulation dot1q 99 is a config bug.

  5. Forgetting no switchport on a routed port. Without it, the port is still a switchport and can’t accept an IP address.

  6. Putting the routed port back into a VLAN by mistake. Once no switchport is set, the port is L3. Re-issuing switchport reverts it — but any IP config is removed silently.

Lab to try tonight

  1. One Layer-3 switch (or a router + a Layer-2 switch). Two PCs in VLAN 10 and 20.
  2. Approach A — Router-on-a-stick: configure sub-interfaces on the router, trunk on the switch. Set each PC’s default gateway to the sub-interface IP. Confirm inter-VLAN ping works.
  3. Approach B — L3 switch SVIs: enable ip routing on the switch, configure SVIs for VLAN 10 and 20, remove the router entirely. Set each PC’s gateway to its SVI IP. Confirm inter-VLAN ping works.
  4. Measure latency on each approach (use ping -t or repeated pings). The L3 switch should be noticeably lower.
  5. Disable ip routing on the L3 switch. Confirm inter-VLAN ping now fails (despite SVIs being up).

Cheat strip

ConceptPlain English
Inter-VLAN routingLayer-3 device routing between VLANs
Router-on-a-stickOne trunk + one sub-interface per VLAN on a router
SVISwitched Virtual Interface — L3 interface for a VLAN on a switch
Routed portL3 port on a switch (no switchport) — no VLAN, point-to-point use
encapsulation dot1q NTells a sub-interface to tag/untag with VLAN N
ip routingThe command that turns on routing on a Layer-3 switch
Default gatewayEach host points to its VLAN’s L3 interface
← Previous topic

EtherChannel (Link Aggregation)

Bundle multiple physical links between two switches into one logical Port-Channel — more bandwidth, instant failover, and STP sees it as a single link. Covers LACP, PAgP, static, and load-balancing methods.
Next topic →

Wireless LAN Basics

Definitive CCNA-level Wi-Fi fundamentals — SSID / BSS / ESS / BSSID terminology, autonomous vs lightweight APs, CAPWAP tunnel anatomy, WLC discovery (DHCP option 43 + DNS), Wi-Fi standards generations, security (WPA / WPA2 / WPA3), roaming, and 7 worked scenarios.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Related topics

IP Connectivity

Static Routing

Definitive CCNA-level static routing guide — next-hop vs exit-interface vs fully-specified, default routes, floating statics, summary routes, recursive lookup, IPv6 statics, AD reference, 8 worked scenarios, and the static-routing debug workflow.

 Network Access

Trunks & 802.1Q Tagging

How switches carry multiple VLANs over a single link using 802.1Q tags. Includes DTP behavior, native VLAN gotchas, and the allowed-VLAN list.

 Network Access

VLANs

Definitive CCNA-level VLAN guide — broadcast domains, access vs trunk ports, 802.1Q tagging, native VLAN, voice VLANs, VTP, VLAN design, the 6-step trunk debug, security pitfalls, and 7 worked exam scenarios.

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.

Start typing — or browse popular topics below.

↑↓ navigate open Searches topics · labs · programs · pages