Inter-VLAN Routing

VLANs exist to create walls. Inter-VLAN routing exists because walls need doors.

This is the central tension of VLAN design: you segment your network into isolated broadcast domains for security and organization, then immediately need devices in different segments to talk to each other. Employees need servers. Servers need databases. Everyone needs printers.

The solution is routing. VLANs are Layer 2 constructs—they isolate at the Ethernet level. To cross between them, traffic must climb to Layer 3, make a routing decision, and descend back to Layer 2 in the destination VLAN. This gives you something isolation alone cannot: controlled communication with policies about exactly what traffic flows where.

How It Works

A device in VLAN 10 wants to reach a device in VLAN 20. It recognizes the destination is on a different subnet, so it sends traffic to its default gateway—a router or Layer 3 switch with a presence in VLAN 10.

The routing device receives the packet, examines the destination IP, consults its routing table, and forwards the packet out its interface in VLAN 20. The destination device receives it. Neither endpoint knows or cares that VLANs were involved—it looks like normal routed communication.

The key requirement: the routing device must have an interface (physical or virtual) in each VLAN, with an IP address serving as that VLAN's gateway.

Router-on-a-Stick

The traditional approach uses a single physical router connected to the switch via a trunk link:

interface GigabitEthernet0/0
 no shutdown

interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

Each subinterface handles one VLAN. The .10 subinterface tags traffic with VLAN 10, the .20 with VLAN 20.

Here's where it gets absurd: when a packet travels from VLAN 10 to VLAN 20, it leaves the switch on the trunk port to the router, the router removes the VLAN 10 tag, makes a routing decision, adds a VLAN 20 tag, and sends it RIGHT BACK to the same switch. The packet takes a round trip just to change its tag.

This works. It's simple to understand and configure. But that single trunk link carries all inter-VLAN traffic in both directions, making it a natural bottleneck. And every packet pays the latency tax of traveling to an external device and back.

Layer 3 Switching

Modern networks route between VLANs inside the switch itself:

interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown

interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no shutdown

ip routing

Switch Virtual Interfaces (SVIs) are logical interfaces representing each VLAN. The Layer 3 switch performs routing in hardware—the same ASICs that forward traffic at wire speed within a VLAN also route between VLANs.

No external router. No round-trip across a trunk link. Traffic enters the switch, gets routed internally, and exits toward its destination. This happens at the same speed as regular switching—multi-terabit throughput with microsecond latency.

The catch: Layer 3 switches cost more than Layer 2 switches. But for any network where inter-VLAN traffic matters, the performance difference makes this the obvious choice.

Routed Ports

Layer 3 switches can also convert physical ports into pure router interfaces:

interface GigabitEthernet0/1
 no switchport
 ip address 10.1.1.1 255.255.255.0

The no switchport command transforms the port. It no longer participates in VLANs or spanning tree—it's a Layer 3 interface for connecting to routers, WAN links, or other Layer 3 devices.

Security at the Boundary

Inter-VLAN routing is where you enforce policy. Traffic crossing VLAN boundaries passes through a routing decision, giving you a natural chokepoint for access control:

ip access-list extended EMPLOYEE-TO-SERVER
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 443
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 3389
 deny ip any any log

interface Vlan20
 ip access-group EMPLOYEE-TO-SERVER in

This allows employees (VLAN 10) to reach servers (VLAN 20) on HTTPS and RDP only. Everything else is denied and logged.

The principle: deny by default, permit explicitly. VLANs created the walls. ACLs decide who gets keys to which doors.

Design Patterns

Centralized routing: All inter-VLAN routing happens at core Layer 3 switches. Access switches are Layer 2 only. Simple to manage, but all routed traffic flows to the core.

Distributed routing: Layer 3 switches throughout the network route locally. Reduces core traffic but increases configuration complexity.

Collapsed core: Smaller networks combine distribution and core functions in one set of Layer 3 switches. Common and practical for most organizations.

Troubleshooting

When inter-VLAN routing fails, check these in order:

Is routing enabled? Layer 3 switches require ip routing to be explicitly enabled. Without it, they're expensive Layer 2 switches.

Are the SVIs up? An SVI stays down if no active ports exist in that VLAN. Check show ip interface brief.

Do routes exist? The routing device needs routes to both source and destination subnets. Check the routing table.

Is the gateway correct? End devices must use the SVI's IP address as their default gateway. A misconfigured gateway means traffic never reaches the router.

Are ACLs blocking? Review access list hit counters. Overly restrictive rules are a common culprit.

Is ARP working? The routing device must resolve destination MAC addresses. Check ARP tables if specific hosts are unreachable.