Inter VLAN Routing
By Aaron on November 10, 2010. Posted in SWITCH.
http://www.ccnpguide.com/ccnp-switch-642-813-switching/
VLANs require a layer 3 device between them to communicate. Cisco recommends using layer 3
routing at the distribution layer of the multilayer switched network to terminate local VLANs, isolate
network problems, and keep access layer issues from affecting the core.
external router with enough interfaces for every VLAN (this doesn’t scale and is very
expensive)
All Catalyst multilayer switches support the following types of layer 3 interfaces:
Switch virtual interface (SVI) – virtual routed VLAN interface for inter-VLAN routing
A layer 2 switch can be connected to a single router to allow inter-VLAN communication, either
using a single physical link as a trunk with multiple subinterfaces (a.k.a. router-on-a-stick) or using
separate physical links between the switch and router for each individual VLAN.
no ip address
duplex auto
speed auto
encapsulation dot1q 10
description mgmt vlan
encapsulation dot1q 20
description native vlan
encapsulation dot1q native
Advantages
Works with almost all switches because the switches do not have to support layer 3, just
Disadvantages
Slightly higher latency because (1) traffic must leave and re-enter the switch and (2) the router
Need to know how many VLANs require routing, the VLAN IDs, and what ports connect to
the router
Every router subinterface must be configured with the same type of frame encapsulation
Make sure the native VLAN is the same on both ends. A subinterface on the router can be
4. Configure IPs and encapsulation on each subinterface as they relate to their VLANs
Router(config-if)#no shutdown
Router(config-subif)# exit
Router(config-subif)# exit
Router(config)# end
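As an added example (not part of the original guide), the Python check below compares the router's subinterfaces with the switch trunk port and reports the mismatches the considerations above warn about: mixed encapsulation types and a native VLAN that differs between the two ends. It goes slightly beyond the text by also flagging a routed VLAN that the trunk does not carry. The sample configurations, interface names and VLAN 99 are constructed for illustration.

```python
import re
# Constructed sample configs (not from the original page); names are assumptions.
ROUTER = """interface FastEthernet0/0.10
 encapsulation dot1q 10
interface FastEthernet0/0.20
 encapsulation dot1q 20
interface FastEthernet0/0.99
 encapsulation dot1q 99 native
"""
SWITCH = """interface GigabitEthernet0/1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20-30
"""

def vlan_set(spec):
    """Expand an allowed-VLAN list such as '10,20-30' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def router_subifs(cfg):
    """Map each router subinterface to (encapsulation, vlan, is_native)."""
    subifs, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            cur = line.split()[1]
        m = re.match(r"encapsulation (dot1q|isl) (\d+)( native)?$", line, re.I)
        if m and cur and "." in cur:
            subifs[cur] = (m.group(1).lower(), int(m.group(2)), bool(m.group(3)))
    return subifs

def audit(router_cfg, switch_cfg):
    """Return mismatches between router subinterfaces and the switch trunk port."""
    subifs = router_subifs(router_cfg)
    m = re.search(r"switchport trunk native vlan (\d+)", switch_cfg)
    sw_native = int(m.group(1)) if m else 1  # switch default native VLAN is 1
    m = re.search(r"switchport trunk allowed vlan ([\d,-]+)", switch_cfg)
    allowed = vlan_set(m.group(1)) if m else None  # None: all VLANs allowed
    findings = []
    if len({enc for enc, _, _ in subifs.values()}) > 1:
        findings.append("subinterfaces mix encapsulation types")
    for name, (_, vlan, native) in sorted(subifs.items()):
        if native and vlan != sw_native:
            findings.append(f"{name}: native VLAN {vlan}, switch trunk native VLAN {sw_native}")
        if allowed is not None and vlan not in allowed:
            findings.append(f"{name}: VLAN {vlan} not allowed on the switch trunk")
    return findings
```

With the constructed configs, audit(ROUTER, SWITCH) reports both problems on FastEthernet0/0.99; aligning the switch's native VLAN and allowed list clears them.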
SVIs are virtual VLAN interfaces on multilayer switches; one SVI is created for each VLAN to be routed,
and it performs the processing for all packets associated with that VLAN.
The only SVI created by default is the SVI for VLAN 1. The rest must be created manually using the
command:
Switch(config)# interface vlan vlan_id
An SVI is considered “up” when at least one interface in its associated VLAN is active and forwarding
traffic. If all interfaces within that VLAN are down, the SVI goes down to prevent creating a routing
loop.
Advantages
Disadvantages
May require a more expensive switch
Identify which VLANs require layer 3 gateways as you may not want all VLANs to be routable
Make sure VLANs are first created on the switch, then make the SVIs
Find out what IPs need to be configured on each SVI interface, then use the no shutdown
Determine if any switchports should be excluded from contributing to the SVI line-state up-
and-down calculation
Configuring SVIs
1. Enable IP routing
3. Create the SVI
Note: Routing protocols are only required to allow different devices to communicate across different
VLANs or networks. They are not required to route between SVIs on the same switch because
Example Configuration
Switch(config-if)# no shutdown
SVI Autostate
At least a single port on the switch has a port in the VLAN, is in the up state, and is in the
This automatic SVI creation is called SVI Autostate. If there are multiple ports on the switch in the
same VLAN, the default action is to take down the SVI interface if all of the ports in that VLAN are shut
down.
The command switchport autostate exclude, when applied to a port, will allow the VLAN to go down if
all of the other ports in the VLAN go down except the one autostate exclude was applied to. This is
often desirable when traffic analyzers are attached to a host. They will stay up, but are just passive
monitors, so if all other devices in the VLAN go down – this port would prevent the VLAN from going
Routed Ports
Routed ports are physical ports on the switch that act much like a router interface would with an IP
address configured. Routed ports are not associated with a particular VLAN and do not run layer 2
Note: Routed interfaces also do not support subinterfaces. Routed ports are point-to-point links that
usually connect core switches to other core switches or distribution layer switches (if the distribution
layer is running layer 3). They can also be used when a switch has only a single switch port per VLAN
or subnet.
When configuring a routed port, use the no switchport command to make sure
the interface is configured to operate at layer 3. Also make sure to assign an IP address and any
other layer 3 information required. Lastly, check that the appropriate routing protocols are
configured.
Advantages
A multilayer switch can have both SVIs and routed ports configured
Multilayer switches forward all layer 2 and 3 traffic in hardware, so it is very fast
3. Add an IP address
Example Configuration
Core(config-if)# no switchport
Core(config-if)# ip address 10.10.1.1 255.255.255.252
Core(config-if)# exit
Verification Commands
ping
show vlan
Troubleshooting Inter-VLAN Problems
Here is a list to run through when identifying an issue related to inter-VLAN routing:
Correct routes
The table below outlines common issues that may come up and some potential causes.
SVI is created. Routing can be configured just like on an actual router, using static routes and
dynamic routing protocols. If routing is required, make sure the global ip routing command has first
been applied. You may be required to do some dynamic routing protocol configuration on a
multilayer switch within the SWITCH exam, so make sure you brush up on your routing protocol
basics.
A simple example is below:
Switch(config)# ip routing
Switch(config-router)# no auto-summary
Switch(config-router)# exit
To verify a routing protocol is behaving as expected, use the show ip route command to display the
active routing table routes. Show IP route will allow you to see the routing protocols currently
Multilayer Switching
A multilayer switch can perform both layer 2 switching and inter-VLAN routing. While I spend
a considerable amount of time walking through the low-level details here, Cisco thinks it is really
important. It is also easy material for Cisco to ask SWITCH exam questions on (like the order of operations), so
take your time and make sure you understand the process. Knowing the order of events within the
switch will help you understand how the many forwarding and filtering options interact.
There are three different ways packets are switched on a layer 3 switch or router:
Process Switching
Each packet is examined by the internal processor and is handled in software. This is the slowest
The route processor tracks a flow’s first packet, setting up a “shortcut” for the remaining packets to
faster than process switching and is done in both routers and layer 3 switches.
Layer 3 routing table dynamically populates a single database of the entire network topology in
hardware (the FIB) for fast and efficient lookup. This is the fastest method and is the default option
efficient routing of traffic between VLANs and routed ports. Cisco Express Forwarding, or CEF, is the
CAM
The CAM table stores information about frames that pass through the switch for more intelligent
forwarding.
The CAM table stores two pieces of information about traffic:
MAC address
Inbound port
Frames passing through the switch first enter the ingress queue, then proceed simultaneously to the
Security TCAM (ACLs), QoS TCAM, and L2 Forwarding Table (CAM). Afterwards, they all then enter
Allows you to view the contents of the switch’s CAM table (ones learned through passing frames)
Shows the CAM table entries according to VLAN assignments. So if you want to see how many hosts
the switch knows about in a particular VLAN, this lays it out in a nice table format.
TCAM
The TCAM stores layer 3 and up information including QoS, ACLs, and routing info. The TCAM
is always organized by masks – each mask has 8 value patterns associated with it. Note that each
mask-value pair is evaluated simultaneously (in parallel), looking for the longest match in a single
lookup.
Troubleshooting tip: If you need to find out where a particular device is attached to the network, you can
run the sh mac address-table dynamic address xxxx.xxxx.xxxx command at the core of the network
to determine which port it is connected to (and thus which downstream switch). Continue the process until you
reach the final access switch that the device is attached to.
CEF Packet Flow:
Ingress queue
V
Security TCAM, QoS TCAM, L3 Forwarding (FIB), L2 Forwarding (CAM)
V
L3 packet rewrite
V
Egress queue
The FIB, or Forwarding Information Base, is what allows CEF to switch layer 3 traffic so quickly. It is
created in hardware using the existing routing table to create a single route cache, allowing the
packets to be forwarded directly the very first time they are seen on the switch.
The FIB uses the destination IP address as its table index. It also contains next-hop IP and MAC so no other
lookup is necessary. CEF uses another table, the adjacency table, along with the FIB to quickly
forward packets. While the FIB stores the routing information, the adjacency table is derived from the
ARP table and stores the layer 2 next-hop address and frame header rewrite information for all FIB
entries. The control plane, which is physically separate from the data plane (the actual layer 2
forwarding), is what controls and coordinates all of this information. This separation allows further
performance improvements.
To recap, the FIB is responsible for maintaining the next-hop IP address for all known routes and the
adjacency tables maintain the layer 2 information. The adjacency table links to the FIB entries, so
combined they provide all the layer 2 and 3 next hop information necessary to dramatically increase
packet switching speed. When the adjacency table is full, a TCAM entry points to the L3 engine to
There are five adjacency categories that you should be aware of:
Null
Punt
Glean
Discard
Drop
For the CCNP SWITCH exam, it’s not important that you understand the function of each adjacency.
Just know that they provide L2 information for CEF, are derived from the ARP table, and be able to recognize
the names.
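An added example, not from the original guide: a simplified Python model of the lookup described above, where a longest-prefix match in the FIB selects a next hop and the adjacency table supplies the layer 2 rewrite. The table contents are constructed, and the glean/punt handling for a connected host with no ARP entry reflects standard CEF behavior rather than anything stated on this page.

```python
import ipaddress

# Constructed tables for illustration (not from the original page).
FIB = {  # prefix -> next-hop IP, or "glean" for a directly connected subnet
    "0.0.0.0/0": "10.10.1.2",
    "10.20.0.0/16": "10.10.1.6",
    "10.20.30.0/24": "glean",
}
ADJACENCY = {  # next-hop IP -> (egress interface, destination MAC), built from ARP
    "10.10.1.2": ("Gi1/1", "aaaa.bbbb.0001"),
    "10.10.1.6": ("Gi1/2", "aaaa.bbbb.0002"),
    "10.20.30.15": ("Vlan30", "aaaa.bbbb.0015"),
}

def fib_lookup(dst):
    """Longest-prefix match of a destination IP against the FIB."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in FIB if addr in ipaddress.ip_network(p)]
    if not matches:
        return None, None
    best = max(matches, key=lambda n: n.prefixlen)
    return str(best), FIB[str(best)]

def cef_forward(dst):
    """Return the forwarding decision for one packet addressed to dst."""
    prefix, next_hop = fib_lookup(dst)
    if prefix is None:
        return {"action": "drop", "reason": "no FIB entry"}
    # On a connected subnet the destination host itself is the next hop.
    target = dst if next_hop == "glean" else next_hop
    adj = ADJACENCY.get(target)
    if adj is None:
        # No layer 2 rewrite data yet: hand the packet to the L3 engine to ARP.
        return {"action": "punt", "prefix": prefix, "reason": f"glean: ARP needed for {target}"}
    return {"action": "forward", "prefix": prefix, "egress": adj[0], "dst_mac": adj[1]}
```

A destination inside 10.20.30.0/24 matches the /24 rather than the /16 or the default route, and is only hardware-forwarded once an adjacency for that host exists.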
Distributed CEF, commonly denoted dCEF, speeds up CEF switching even more by running a FIB table
on each of a switch’s line cards. Because the FIB lookup occurs directly on the line card itself, it no
longer has to query the switch’s processor or route table for next-hop information.
This is currently the fastest method of implementing CEF on Cisco switches. Switching methods in
All modern Catalyst switches use CEF by default, so no manual configuration is necessary.
CEF Exceptions
Some types of traffic are not able to bypass the processor using CEF. Some examples include:
ARP packets
Anything encrypted
Distribution multilayer switches often act as layer 3 gateways for clients connecting to the access
switches. Because of this, DHCP can be provided within the same switches to serve the hosts with IP
The other option is to consolidate the DHCP services to one or more dedicated servers. In that case,
the distribution layer must redirect incoming client DHCP requests to the external DHCP server.
1. By default the switch assumes the whole network range for the DHCP scope. To exclude certain
addresses or ranges, in global config mode, use the ip dhcp excluded-address command. Follow it
with a range of addresses to exclude from your scope. For discontinuous ranges, use more than one
2. Configure the network value, which indicates the subnet to offer addresses from.
3. Configure any other network parameters you would like the switch to serve in its DHCP offers (ex.
Note: Remember that a switch cannot offer DHCP addresses for a subnet it is not a member of.
Configuration Example
If an enterprise is using external DHCP servers, then the ip helper-address command must be
entered on the layer 3 interface. Hosts use broadcast messages to try to find the DHCP
server, so if the server is in a different subnet, the request will be dropped at the default gateway
because broadcasts are not forwarded across VLAN boundaries.
The DHCP relay agent allows the DHCP request to be forwarded on as a unicast message to a single
IP address. It not only forwards DHCP services, but also TFTP, DNS, Time, NetBIOS, name server,
and BOOTP packets by default. The ip helper-address command must be applied to the layer 3
interface itself.
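An added example, not part of the original guide: because ip helper-address relays more than DHCP, this Python check lists which interfaces have a helper configured and which of the non-DHCP services named above are still relayed after any no ip forward-protocol udp lines. The sample configuration and its addresses are constructed; the keyword-to-port table uses the standard IOS keywords and well-known UDP ports.

```python
import re

# Services named on this page as relayed by default, keyed by the IOS keyword
# accepted by "ip forward-protocol udp", with their well-known UDP ports.
DEFAULT_RELAYED = {"time": 37, "domain": 53, "bootps": 67, "bootpc": 68,
                   "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138}

# Constructed sample config (addresses and interface names are assumptions).
CONFIG = """\
no ip forward-protocol udp tftp
no ip forward-protocol udp 137
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.99.5
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
"""

def relay_audit(cfg):
    """Return (helper addresses per interface, non-DHCP services still relayed)."""
    disabled, helpers, cur = set(), {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            cur = line.split()[1]
        m = re.match(r"no ip forward-protocol udp (\S+)$", line)
        if m:  # accept either the keyword or the numeric port
            svc = m.group(1)
            disabled.add(int(svc) if svc.isdigit() else DEFAULT_RELAYED.get(svc))
        m = re.match(r"ip helper-address (\S+)$", line)
        if m and cur:
            helpers.setdefault(cur, []).append(m.group(1))
    extra = sorted(name for name, port in DEFAULT_RELAYED.items()
                   if port not in disabled and name not in ("bootps", "bootpc"))
    # Nothing is relayed at all unless at least one interface has a helper.
    return helpers, (extra if helpers else [])
```

Each service left in the second list is a broadcast the gateway will forward to the helper address, so trimming it to what the DHCP server actually needs narrows what crosses the VLAN boundary.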
Configuration Example