Mental model
Router-on-a-stick (covered in Inter-VLAN Routing) routes between VLANs by trunking every VLAN over a single physical link to an external router. It works — until you have 50 VLANs and 10 Gbps of inter-VLAN traffic. Then the router CPU melts.
A Layer-3 switch solves this. It’s a switch chassis with both:
- a normal Layer-2 forwarding plane (MAC table, VLAN tagging, STP), and
- a Layer-3 forwarding plane (route table, IP forwarding) implemented in the ASIC — at line rate.
The Layer-3 switch is the router for every VLAN it carries. Hosts use the switch itself as their default gateway.
The L3 interface for each VLAN is called an SVI — Switched Virtual Interface. It’s a logical interface (not tied to a physical port) created with interface Vlan<id>. Once you give it an IP and the VLAN exists, the switch can route packets out of that VLAN.
SVI vs routed port — know the difference
| Type | Created by | Used for | Example |
|---|---|---|---|
| SVI (interface VlanX) | interface Vlan10 | Gateway for hosts in VLAN 10 | Campus access-layer to distribution |
| Routed port (no switchport) | interface Gi1/0/24 + no switchport | Point-to-point L3 link to another router/L3 switch | Uplink to core, OSPF/EIGRP neighbor |
A routed port is a physical port acting like a router interface (no VLAN, no switching, just routing). You use routed ports for L3-to-L3 links between distribution and core switches.
Commands — configure an L3 switch
! 1. Enable IP routing globally (CRITICAL — switch is L2-only until this)
SW1(config)# ip routing
! 2. Create VLANs
SW1(config)# vlan 10
SW1(config-vlan)# name USERS
SW1(config)# vlan 20
SW1(config-vlan)# name SERVERS
! 3. Create SVIs (one per VLAN — hosts use these as gateway)
SW1(config)# interface Vlan10
SW1(config-if)# description USERS gateway
SW1(config-if)# ip address 192.168.10.1 255.255.255.0
SW1(config-if)# no shutdown
SW1(config)# interface Vlan20
SW1(config-if)# description SERVERS gateway
SW1(config-if)# ip address 192.168.20.1 255.255.255.0
SW1(config-if)# no shutdown
! 4. Assign access ports to VLANs (as on any switch)
SW1(config)# interface range Gi1/0/1 - 12
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config)# interface range Gi1/0/13 - 23
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 20
! 5. (Optional) Convert uplink to a routed port
SW1(config)# interface Gi1/0/24
SW1(config-if)# no switchport
SW1(config-if)# ip address 10.0.0.1 255.255.255.252
SW1(config-if)# description Uplink to CORE1
Default gateway behavior
Hosts in VLAN 10 use 192.168.10.1 (the SVI IP) as their default gateway. The switch handles inter-VLAN routing entirely in its ASIC — no external router.
For a host in VLAN 10 to reach a host in VLAN 20:
- Host sends frame to switch with destination MAC = SVI10 MAC (gateway).
- Switch sees: destination MAC = me → strip Ethernet header, route at L3.
- Route table says VLAN 20 = SVI20 → re-encapsulate with SVI20 MAC and forward into VLAN 20.
All at line rate. No CPU involvement after the first packet (CEF caches the rewrite).
SVI “line protocol up” — the hidden gotcha
An SVI’s line protocol is up only when at least one access port in that VLAN is up.
SW1# show interface Vlan10
Vlan10 is up, line protocol is down ← no active ports in VLAN 10
If you create VLAN 10, configure SVI Vlan10, but every port in VLAN 10 is shut down → the SVI is up/down and won’t route. This trips up most CCNA labs the first time.
Workaround: no autostate on the SVI keeps it up regardless of physical port status — useful in lab setups where you don’t have hosts plugged in.
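The gateway walk-through and the autostate rule above, modelled together as an added example (not from the original page and not switch code). The Svi class, route_frame function, MAC addresses and ARP table are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Svi:
    vlan: int
    ip: str                  # address/prefix, e.g. "192.168.10.1/24"
    mac: str
    ports_up: int = 0        # ports in this VLAN that are currently up
    autostate: bool = True   # False models "no autostate"

    def line_protocol_up(self):
        # Rule from the text: up only with >=1 active port, unless no autostate.
        return self.ports_up > 0 or not self.autostate

def route_frame(svis, ip_routing, frame, arp):
    """Return (egress_vlan, new_src_mac, new_dst_mac), or a string saying why not."""
    gw = next((s for s in svis if s.vlan == frame["vlan"]), None)
    if gw is None or frame["dst_mac"] != gw.mac:
        return "switched at L2: frame is not addressed to the SVI MAC"
    if not ip_routing:
        return "not routed: ip routing is disabled"
    dst = ipaddress.ip_address(frame["dst_ip"])
    for s in svis:
        # A connected route exists only while the SVI's line protocol is up.
        if s.line_protocol_up() and dst in ipaddress.ip_interface(s.ip).network:
            return (s.vlan, s.mac, arp[frame["dst_ip"]])
    return "not routed: no connected route for " + frame["dst_ip"]

# Constructed sample data; MACs use the RFC 7042 documentation range.
SVIS = [Svi(10, "192.168.10.1/24", "00:00:5e:00:53:0a", ports_up=2),
        Svi(20, "192.168.20.1/24", "00:00:5e:00:53:14", ports_up=0)]
ARP = {"192.168.20.50": "00:00:5e:00:53:32"}
FRAME = {"vlan": 10, "dst_mac": "00:00:5e:00:53:0a", "dst_ip": "192.168.20.50"}

if __name__ == "__main__":
    print(route_frame(SVIS, True, FRAME, ARP))   # VLAN 20 has no active port
    SVIS[1].ports_up = 1                          # a server port comes up
    print(route_frame(SVIS, True, FRAME, ARP))
    print(route_frame(SVIS, False, FRAME, ARP))   # same frame without ip routing
```

The first call fails because Vlan20 is up/down, which is exactly the state shown in the show interface output above.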
Verification
SW1# show ip interface brief
SW1# show ip route
SW1# show ip route connected ! Should show one /24 per SVI
SW1# show vlan brief
SW1# show interfaces Vlan10
SW1# ping 192.168.10.50 source vlan10
Common mistakes
- Forgetting ip routing. Without it, the switch is L2-only: SVIs answer pings on their own subnet but cannot forward packets between VLANs.
- SVI down because no port in VLAN is active. Plug in a host or no autostate if labbing.
- IP address on a port that’s still switchport. You can’t assign an IP to a port that’s in switch mode. no switchport first → then ip address.
- Forgetting trunk allowed VLAN list. If the SVI lives on this switch but VLANs come in over a trunk, make sure that VLAN is in the trunk’s allowed list.
- VLAN exists in CLI but not in the VLAN database. interface Vlan10 doesn’t create VLAN 10; vlan 10 does. Both must exist.
- Stacking and the wrong stack-master. On stacked 3850/9300 switches, SVIs are owned by the stack master. A master failover takes ~30 seconds during which SVIs briefly bounce.
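A pre-deployment check for three of the mistakes above (missing ip routing, SVI without its VLAN, ip address before no switchport), as an added example that is not part of the original page. The audit_l3_switch function and the sample config are hypothetical; it assumes a candidate config in running-config layout with VLAN definitions present in the text (in VTP server/client mode they live in vlan.dat and would have to come from show vlan brief instead).

```python
import re

# Constructed candidate config (not from a real device); Vlan1 exists by default.
SAMPLE = """\
vlan 20
 name SERVERS
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet1/0/24
 ip address 10.0.0.1 255.255.255.252
 no switchport
"""

def audit_l3_switch(config):
    """Return one finding per mistake from the list above; [] means none found."""
    vlans, ip_routing, interfaces, current = {1}, False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"interface (\S+)", line):
            current = interfaces.setdefault(m.group(1), [])
        elif raw[0].isspace() and current is not None:
            current.append(line)            # sub-command of the open interface
        else:
            current = None                  # back at global config level
            ip_routing |= line == "ip routing"
            if m := re.fullmatch(r"vlan (\d+)", line):
                vlans.add(int(m.group(1)))
    findings, svis = [], []
    for name, cmds in interfaces.items():
        ip_at = next((i for i, c in enumerate(cmds) if c.startswith("ip address ")), None)
        if m := re.fullmatch(r"Vlan(\d+)", name):
            svis.append(name)
            if int(m.group(1)) not in vlans:
                findings.append(f"{name}: VLAN {m.group(1)} is not in the VLAN database")
        elif ip_at is not None and "no switchport" not in cmds[:ip_at]:
            findings.append(f"{name}: ip address before 'no switchport'")
    if svis and not ip_routing:
        findings.append("global: 'ip routing' missing, SVIs will not route between VLANs")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_l3_switch(SAMPLE)))
```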
Lab to try tonight
- Build in CML or Packet Tracer: one L3 switch (multilayer), two access switches, two hosts per VLAN.
- Create VLAN 10 (USERS) and VLAN 20 (SERVERS) across all three switches.
- Trunk between switches; access ports for hosts.
- On the L3 switch only: ip routing + SVIs Vlan10 and Vlan20.
- Configure hosts to use the SVI IPs as gateways.
- Test: host in VLAN 10 pings host in VLAN 20 → success.
- Now shut down interface Vlan10 → ping fails. show ip route shows the connected /24 disappears.
- Bonus: convert the L3 switch’s uplink to a routed port to a router. Verify with show ip interface brief that the port is no longer “Vlan” / access.
Cheat strip
| Concept | Plain English |
|---|---|
| L3 Switch | Switch + router in one box; routes between VLANs in ASIC |
| SVI | interface VlanX — logical L3 interface, gateway for the VLAN |
| Routed port | no switchport on a physical port — point-to-point L3 link |
| ip routing | Globally enables L3 forwarding; without this, switch is L2-only |
| SVI line-protocol | Up only if ≥1 access port in that VLAN is up (or no autostate) |
| Why use over R-on-stick | Hardware-rate forwarding, no router CPU bottleneck, simpler topology |
| Where it sits in design | Distribution layer or collapsed-core in campus networks |