Advanced Switching Concepts

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Objectives
1- STP Concepts

Explain how STP enables redundancy in a Layer 2 network.

Topic Title Topic Objective

Explain common problems in a redundant, L2
Purpose of STP
switched network.
Explain how STP operates in a simple switched
STP Operations
network.
Evolution of STP Explain how Rapid PVST+ operates.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Objectives
2- VLAN concepts
Explain how network protocols enable devices to access local and remote network resources.

Topic Title Topic Objective

Overview of VLANs Explain the purpose of VLANs in a switched network.
VLANs in a Multi-Switched Explain how a switch forwards frames based on VLAN
Environment configuration in a multi-switch environment.
Configure a switch port to be assigned to a VLAN based on
VLAN Configuration
requirements.

VLAN Trunks Configure a trunk port on a LAN switch.

Dynamic Trunking Protocol Configure Dynamic Trunking Protocol (DTP).

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Objectives
3- Inter-VLAN Routing
Troubleshoot inter-VLAN routing on Layer 3 devices

Topic Title Topic Objective

Inter-VLAN Routing Operation Describe options for configuring inter-VLAN routing.

Router-on-a-Stick Inter-VLAN
Configure router-on-a-stick inter-VLAN routing.
Routing
Inter-VLAN Routing using Layer 3 Configure inter-VLAN routing using Layer 3
Switches switching.
Troubleshoot common inter-VLAN configuration
Troubleshoot Inter-VLAN Routing
issues.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
Spanning Tree Protocol

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
Purpose of STP
Redundancy in Layer 2 Switched Networks
• Redundancy is an important part of the hierarchical design for eliminating
single points of failure and preventing disruption of network services to
users.
• Redundant networks require the addition of physical paths, but logical
redundancy must also be part of the design. Having alternate physical paths
for data to traverse the network makes it possible for users to access
network resources, despite path disruption. However, redundant paths in a
switched Ethernet network may cause both physical and logical Layer 2
loops.
• Ethernet LANs require a loop-free topology with a single path between any
two devices. A loop in an Ethernet LAN can cause continued propagation of
Ethernet frames until a link is disrupted and breaks the loop.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
Purpose of STP
Spanning Tree Protocol
• Spanning Tree Protocol
(STP) is a loop-prevention
network protocol that allows
for redundancy while
creating a loop-free Layer 2
topology.
• STP logically blocks physical
loops in a Layer 2 network,
preventing frames from
circling the network forever.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
Purpose of STP
STP Recalculation

STP compensates for a failure in the

network by recalculating and
opening up previously blocked
ports.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
Purpose of STP
Issues with Redundant Switch Links

• A Layer 2 loop can result in MAC address table instability, link saturation, and high CPU
utilization on switches and end-devices, resulting in the network becoming unusable.

• Layer 2 Ethernet does not include a mechanism to recognize and eliminate endlessly looping
frames. Both IPv4 and IPv6 include a mechanism that limits the number of times a Layer 3
networking device can retransmit a packet. A router will decrement the TTL (Time to Live) in every
IPv4 packet, and the Hop Limit field in every IPv6 packet. When these fields are decremented to
0, a router will drop the packet.

• Ethernet and Ethernet switches have no comparable mechanism for limiting the number of times
a switch retransmits a Layer 2 frame.

• STP was developed specifically as a loop prevention mechanism for Layer 2 Ethernet.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
Purpose of STP
Layer 2 Loops
• Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and unknown
unicast frames to loop endlessly. This can bring down a network quickly.

• When a loop occurs, the MAC address table on a switch will constantly change with the updates
from the broadcast frames, which results in MAC database instability.

• This can cause high CPU utilization, which makes the switch unable to forward frames.

• An unknown unicast frame is when the switch does not have the destination MAC address in its
MAC address table and must forward the frame out all ports, except the ingress port.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
Purpose of STP
Broadcast Storm
• A broadcast storm is an abnormally high number of broadcasts overwhelming the network
during a specific amount of time. Broadcast storms can disable a network within seconds by
overwhelming switches and end devices. Broadcast storms can be caused by a hardware
problem such as a faulty NIC or from a Layer 2 loop in the network.

• Layer 2 broadcasts in a network, such as ARP Requests are very common. Layer 2
multicasts are typically forwarded the same way as a broadcast by the switch. IPv6 packets
are never forwarded as a Layer 2 broadcast, ICMPv6 Neighbor Discovery uses Layer 2
multicasts.
• A host caught in a Layer 2 loop is not accessible to other hosts on the network. Additionally,
due to the constant changes in its MAC address table, the switch does not know out of which
port to forward unicast frames.
• To prevent these issues from occurring in a redundant network, some type of spanning tree
must be enabled on the switches. Spanning tree is enabled, by default, on Cisco switches to
prevent Layer 2 loops from occurring.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
Purpose of STP
The Spanning Tree Algorithm
• STP is based on an algorithm invented by Radia Perlman while working for Digital Equipment
Corporation, and published in the 1985 paper "An Algorithm for Distributed Computation of a
Spanning Tree in an Extended LAN.”

• Her spanning tree algorithm (STA) creates a loop-free topology by selecting a single root bridge
where all other switches determine a single least-cost path.

• STP prevents loops from occurring by configuring a loop-free path through the network using
strategically placed "blocking-state" ports.

• The switches running STP are able to compensate for failures by dynamically unblocking the
previously blocked ports and permitting traffic to traverse the alternate paths.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
Purpose of STP
The Spanning Tree Algorithm (Cont.)
How does the STA create a loop-free topology?
• Selecting a Root Bridge: This bridge (switch) is the reference point for the entire network to build
a spanning tree around.
• Block Redundant Paths: STP ensures that there is only one logical path between all destinations
on the network by intentionally blocking redundant paths that could cause a loop. When a port is
blocked, user data is prevented from entering or leaving that port.
• Create a Loop-Free Topology: A blocked port has the effect of making that link a non-forwarding
link between the two switches. This creates a topology where each switch has only a single path to
the root bridge, similar to branches on a tree that connect to the root of the tree.
• Recalculate in case of Link Failure: The physical paths still exist to provide redundancy, but
these paths are disabled to prevent the loops from occurring. If the path is ever needed to
compensate for a network cable or switch failure, STP recalculates the paths and unblocks the
necessary ports to allow the redundant path to become active. STP recalculations can also occur
any time a new switch or new inter-switch link is added to the network.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
STP Operations
Steps to a Loop-Free Topology
Using the STA, STP builds a loop-free topology in a four-step process:
1. Elect the root bridge.
2. Elect the root ports.
3. Elect designated ports.
4. Elect alternate (blocked) ports.
• During STA and STP functions, switches use Bridge Protocol Data Units (BPDUs) to share
information about themselves and their connections. BPDUs are used to elect the root bridge, root
ports, designated ports, and alternate ports.
• Each BPDU contains a bridge ID (BID) that identifies which switch sent the BPDU. The BID is
involved in making many of the STA decisions including root bridge and port roles.
• The BID contains a priority value, the MAC address of the switch, and an extended system ID.
The lowest BID value is determined by the combination of these three fields.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
STP Operations
Steps to a Loop-Free Topology (Cont.)
• Bridge Priority: The default priority value for all Cisco switches is the decimal value 32768. The
range is 0 to 61440 in increments of 4096. A lower bridge priority is preferable. A bridge priority of
0 takes precedence over all other bridge priorities.
• Extended System ID: The extended system ID value is a decimal value added to the bridge
priority value in the BID to identify the VLAN for this BPDU.
• MAC address: When two switches are configured with the same priority and have the same
extended system ID, the switch having the MAC address with the lowest value, expressed in
hexadecimal, will have the lower BID.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
STP Operations
1. Elect the Root Bridge
• The STA designates a single switch as the root
bridge and uses it as the reference point for all
path calculations. Switches exchange BPDUs
to build the loop-free topology beginning with
selecting the root bridge.
• All switches in the broadcast domain
participate in the election process. After a
switch boots, it begins to send out BPDU
frames every two seconds. These BPDU
frames contain the BID of the sending switch
and the BID of the root bridge, known as the
Root ID.
• The switch with the lowest BID will become the
root bridge. At first, all switches declare
themselves as the root bridge with their own
BID set as the Root ID. Eventually, the
switches learn through the exchange of
BPDUs which switch has the lowest BID and
will agree on one root bridge.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
STP Operations
Impact of Default BIDs
• Because the default BID is 32768, it is possible
for two or more switches to have the same
priority. In this scenario, where the priorities are
the same, the switch with the lowest MAC
address will become the root bridge. The
administrator should configure the desired root
bridge switch with a lower priority.
• In the figure, all switches are configured with the
same priority of 32769. Here the MAC address
becomes the deciding factor as to which switch
becomes the root bridge. The switch with the
lowest hexadecimal MAC address value is the
preferred root bridge. In this example, S2 has the
lowest value for its MAC address and is elected
as the root bridge for that spanning tree instance.
• Note: The priority of all the switches is 32769.
The value is based on the 32768 default bridge
priority and the extended system ID (VLAN 1
assignment) associated with each switch
(32768+1).

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
STP Operations
Determine the Root Path Cost
• When the root bridge has been elected for a given spanning tree instance, the STA starts determining the best paths to
the root bridge from all destinations in the broadcast domain. The path information, known as the internal root path cost,
is determined by the sum of all the individual port costs along the path from the switch to the root bridge.
• When a switch receives the BPDU, it adds the ingress port cost of the segment to determine its internal root path
cost.
• The default port costs are defined by the speed at which the port operates. The table shows the default port costs
suggested by IEEE. Cisco switches by default use the values as defined by the IEEE 802.1D standard, also known as the
short path cost, for both STP and RSTP.
• Although switch ports have a default port cost associated with them, the port cost is configurable. The ability to
configure individual port costs gives the administrator the flexibility to manually control the spanning tree paths to the root
bridge.

STP Cost: IEEE RSTP Cost: IEEE

Link Speed
802.1D-1998 802.1w-2004
10 Gbps 2 2,000
1 Gbps 4 20,000
100 Mbps 19 200,000
10 Mbps 100 2,000,000

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
STP Operations
2. Elect the Root Ports
• After the root bridge has been determined, the
STA algorithm is used to select the root port.
Every non-root switch will select one root port.
The root port is the port closest to the root bridge
in terms of overall cost to the root bridge. This
overall cost is known as the internal root path
cost.
• The internal root path cost is equal to the sum of
all the port costs along the path to the root
bridge, as shown in the figure. Paths with the
lowest cost become preferred, and all other
redundant paths are blocked. In the example,
the internal root path cost from S2 to the root
bridge S1 over path 1 is 19 while the internal
root path cost over path 2 is 38. Because path 1
has a lower overall path cost to the root bridge, it
is the preferred path and F0/1 becomes the root
port on S2.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
STP Operations
3. Elect Designated Ports
• Every segment between two switches will have one
designated port. The designated port is a port on the
segment that has the internal root path cost to the
root bridge. In other words, the designated port
has the best path to receive traffic leading to the
root bridge.
• What is not a root port or a designated port
becomes an alternate or blocked port.
• All ports on the root bridge are designated ports.
• If one end of a segment is a root port, the other end
is a designated port.
• All ports attached to end devices are designated
ports.
• On segments between two switches where neither
of the switches is the root bridge, the port on the
switch with the least-cost path to the root bridge is a
designated port.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
STP Operations
4. Elect Alternate (Blocked) Ports
• If a port is not a root port or a
designated port, then it becomes
an alternate (or backup) port.

• Alternate ports are in discarding or

blocking state to prevent loops.

• In the figure, the STA has

configured port F0/2 on S3 in the
alternate role. Port F0/2 on S3 is
in the blocking state and will not
forward Ethernet frames. All other
inter-switch ports are in forwarding
state.
• This is the loop-prevention part of
STP.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
STP Operations
Elect a Root Port from Multiple Equal-Cost Paths
When a switch has multiple equal-cost paths to the root bridge, the switch will determine a port using
the following criteria:
• Lowest sender BID
• Lowest sender port priority
• Lowest sender port ID

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
STP Operations
Elect a Root Port from Multiple Equal-Cost Paths (Cont.)
Lowest Sender BID: This topology has four switches with switch S1 as the root bridge. Port F0/1 on switch S3 and
port F0/3 on switch S4 have been selected as root ports because they have the root path cost to the root bridge for
their respective switches. S2 has two ports, F0/1 and F0/2 with equal cost paths to the root bridge. The bridge IDs
of S3 and S4, will be used to break the tie. This is known as the sender’s BID.
S3 has a BID of 32769.5555.5555.5555 and S4 has a BID of 32769.1111.1111.1111. Because S4 has a lower BID,
the F0/1 port of S2, which is the port connected to S4, will be the root port.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
STP Operations
Elect a Root Port from Multiple Equal-Cost Paths (Cont.)
Lowest Sender Port Priority: This topology has two switches which are connected with two equal-
cost paths between them. S1 is the root bridge, so both of its ports are designated ports.
• S4 has two ports with equal-cost paths to the root bridge. Because both ports are connected to
the same switch, the sender’s BID (S1) is equal. So the first step is a tie.
• Next, is the sender’s (S1) port priority. The default port priority is 128, so both ports on S1
have the same port priority. This is also a tie. However, if either port on S1 was configured with
a lower port priority, S4 would put its adjacent port in forwarding state. The other port on S4
would be a blocking state.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
STP Operations
Elect a Root Port from Multiple Equal-Cost Paths (Cont.)
• Lowest Sender Port ID: The last tie-breaker is the lowest sender’s port ID. Switch S4 has
received BPDUs from port F0/1 and port F0/2 on S1. The decision is based on the sender’s port
ID, not the receiver’s port ID. Because the port ID of F0/1 on S1 is lower than port F0/2, the port
F0/6 on switch S4 will be the root port. This is the port on S4 that is connected to the F0/1 port on
S1.
• Port F0/5 on S4 will become an alternate port and placed in the blocking state.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
STP Operations
STP Timers and Port States
STP convergence requires three timers, as follows:
• Hello Timer -The hello time is the interval between BPDUs. The default is 2 seconds but can be
modified to between 1 and 10 seconds.
• Forward Delay Timer -The forward delay is the time that is spent in the listening and learning
state. The default is 15 seconds but can be modified to between 4 and 30 seconds.
• Max Age Timer -The max age is the maximum length of time that a switch waits before
attempting to change the STP topology. The default is 20 seconds but can be modified to
between 6 and 40 seconds.
Note: The default times can be changed on the root bridge, which dictates the value of these timers
for the STP domain.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
STP Operations
STP Timers and Port States (Cont.)
STP facilitates the logical loop-free path throughout the broadcast domain. The spanning tree is determined through the
information learned by the exchange of the BPDU frames between the interconnected switches. If a switch port
transitions directly from the blocking state to the forwarding state without information about the full topology during the
transition, the port can temporarily create a data loop. For this reason, STP has five ports states, four of which are
operational port states as shown in the figure. The disabled state is considered non-operational.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
STP Operations
Operational Details of Each Port State

The table summarizes the operational details of each port state

Forwarding Data
Port State BPDU MAC Address Table
Frames
Blocking Receive only No update No

Listening Receive and send No update No

Learning Receive and send Updating table No

Forwarding Receive and send Updating table Yes

Disabled None sent or received No update No

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
STP Operations
Per-VLAN Spanning Tree

• STP can be configured to operate in an environment with multiple VLANs.

• In Per-VLAN Spanning Tree (PVST) versions of STP, there is a root bridge elected for each
spanning tree instance. This makes it possible to have different root bridges for different sets of
VLANs.

• STP operates a separate instance of STP for each individual VLAN. If all ports on all switches are
members of VLAN 1, then there is only one spanning tree instance.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
Evolution of STP
Different Versions of STP
• Many professionals generically use spanning tree and STP to refer to the various implementations
of spanning tree, such as Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree
Protocol (MSTP). In order to communicate spanning tree concepts correctly, it is important to refer
to the implementation or standard of spanning tree in context.
• The latest IEEE documentation on spanning tree (IEEE-802-1D-2004) says, "STP has now been
superseded by the Rapid Spanning Tree Protocol (RSTP)."The IEEE uses "STP" to refer to the
original implementation of spanning tree and "RSTP" to describe the version of spanning tree
specified in IEEE-802.1D-2004. 
• Because the two protocols share much of the same terminology and methods for the loop-free
path, the primary focus will be on the current standard and the Cisco proprietary implementations
of STP and RSTP.
• Cisco switches running IOS 15.0 or later, run PVST+ by default. This version incorporates many
of the specifications of IEEE 802.1D-2004, such as alternate ports in place of the former non-
designated ports. Switches must be explicitly configured for rapid spanning tree mode in order to
run the rapid spanning tree protocol.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
Evolution of STP
Different Versions of STP (Cont.)
STP
Description
Variety
This is the original IEEE 802.1D version (802.1D-1998 and earlier) that provides a loop-free topology in a
STP network with redundant links. Also called Common Spanning Tree (CST), it assumes one spanning tree
instance for the entire bridged network, regardless of the number of VLANs.
Per-VLAN Spanning Tree (PVST+) is a Cisco enhancement of STP that provides a separate 802.1D
PVST+ spanning tree instance for each VLAN configured in the network. PVST+ supports PortFast, UplinkFast,
BackboneFast, BPDU guard, BPDU filter, root guard, and loop guard.
802.1D-
This is an updated version of the STP standard, incorporating IEEE 802.1w.
2004
Rapid Spanning Tree Protocol (RSTP) or IEEE 802.1w is an evolution of STP that provides faster
RSTP
convergence than STP.
Rapid This is a Cisco enhancement of RSTP that uses PVST+ and provides a separate instance of 802.1w per
PVST+ VLAN. Each separate instance supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard.
Multiple Spanning Tree Protocol (MSTP) is an IEEE standard inspired by the earlier Cisco proprietary
MSTP Multiple Instance STP (MISTP) implementation. MSTP maps multiple VLANs into the same spanning tree
instance.
Multiple Spanning Tree (MST) is the Cisco implementation of MSTP, which provides up to 16 instances of
MST RSTP and combines many VLANs with the same physical and logical topology into a common RSTP
instance. Each instance supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
Evolution of STP
RSTP Concepts
• RSTP (IEEE 802.1w) supersedes the original 802.1D while retaining backward compatibility.
The 802.1w STP terminology remains primarily the same as the original IEEE 802.1D STP
terminology.
• Most parameters have been left unchanged. Users that are familiar with the original STP standard
can easily configure RSTP. The same spanning tree algorithm is used for both STP and RSTP to
determine port roles and topology.
• RSTP increases the speed of the recalculation of the spanning tree when the Layer 2 network
topology changes. RSTP can achieve much faster convergence in a properly configured
network, sometimes in as little as a few hundred milliseconds.
• If a port is configured to be an alternate port it can immediately change to a forwarding state
without waiting for the network to converge.

Note: Rapid PVST+ is the Cisco implementation of RSTP on a per-VLAN basis. With Rapid PVST+ an
independent instance of RSTP runs for each VLAN.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
Evolution of STP
RSTP Port States and Port Roles
There are only three port states Root ports and designated ports are the
in RSTP that correspond to the same for both STP and RSTP. However,
three possible operational states there are two RSTP port roles that
in STP. The 802.1D disabled, correspond to the blocking state of STP. In
blocking, and listening states are STP, a blocked port is defined as not being
merged into a unique 802.1w the designated or root port. RSTP has two
discarding state. port roles for this purpose.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
Evolution of STP
RSTP Port States and Port Roles (Cont.)
The alternate port has an alternate path to the root bridge. The backup port is a backup to a shared
medium, such as a hub. A backup port is less common because hubs are now considered legacy
devices.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
Evolution of STP
PortFast and BPDU Guard
• When a device is connected to a switch port or when a switch powers up, the switch port goes
through both the listening and learning states, each time waiting for the Forward Delay timer to
expire. This delay is 15 seconds for each state for a total of 30 seconds. This can present a
problem for DHCP clients trying to discover a DHCP server because the DHCP process may
timeout. The result is that an IPv4 client will not receive a valid IPv4 address.
• When a switch port is configured with PortFast, that port transitions from blocking to forwarding
state immediately, avoiding the 30 second delay. You can use PortFast on access ports to allow
devices connected to these ports to access the network immediately. PortFast should only be
used on access ports. If you enable PortFast on a port connecting to another switch, you
risk creating a spanning tree loop.
• A PortFast-enabled switch port should never receive BPDUs because that would indicate that
switch is connected to the port, potentially causing a spanning tree loop. Cisco switches support a
feature called BPDU guard. When enabled, it immediately puts the switch port in an errdisabled
(error-disabled) state upon receipt of any BPDU. This protects against potential loops by
effectively shutting down the port.
• The administrator must manually put the interface back into service.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
VLANs

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
Overview of VLANs
VLAN Definitions
VLANs are logical connections with other similar
devices.
Placing devices into various VLANs have the
following characteristics:
• Provides segmentation of the various groups
of devices on the same switches
• Provide organization that is more
manageable
• Broadcasts, multicasts and unicasts are
isolated in the individual VLAN
• Each VLAN will have its own unique range
of IP addressing
• Smaller broadcast domains

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37
Overview of VLANs
Benefits of a VLAN Design

Benefits of using VLANs are as

follows:
Benefits Description
Smaller Broadcast Dividing the LAN reduces the number of broadcast domains
Domains
Improved Security Only users in the same VLAN can communicate together
Improved IT Efficiency VLANs can group devices with similar requirements, e.g. faculty vs.
students
Reduced Cost One switch can support multiple groups or VLANs
Better Performance Small broadcast domains reduce traffic, improving bandwidth
Simpler Management Similar groups will need similar applications and other network resources

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
Overview of VLANs
Types of VLANs
Default VLAN
VLAN 1 is the following:
• The default VLAN
• The default Native VLAN
• The default Management
VLAN
• Cannot be deleted or
renamed

Note: While we cannot delete

VLAN1 Cisco will recommend
that we assign these default
features to other VLANs
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
Overview of VLANs
Types of VLANs (Cont.)
Data VLAN
• Dedicated to user-generated traffic (email and web traffic).

• VLAN 1 is the default data VLAN because all interfaces are assigned to this VLAN.

Native VLAN
• This is used for trunk links only.

• All frames are tagged on an 802.1Q trunk link except for those on the native VLAN.

Management VLAN
• This is used for SSH/Telnet VTY traffic and should not be carried with end user traffic.

• Typically, the VLAN that is the SVI for the Layer 2 switch.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
Overview of VLANs
Types of VLANs (Cont.)
Voice VLAN
• A separate VLAN is required because Voice
traffic requires:
• Assured bandwidth
• High QoS priority
• Ability to avoid congestion
• Delay less that 150 ms from source to
destination
• The entire network must be designed to
support voice.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
VLANs in a Multi-Switched Environment
Defining VLAN Trunks
A trunk is a point-to-point link between
two network devices.
Cisco trunk functions:
• Allow more than one VLAN

• Extend the VLAN across the entire

network
• By default, supports all VLANs

• Supports 802.1Q trunking

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42
VLANs in a Multi-Switched Environment
Networks without VLANs
Without VLANs, all devices connected to the switches will receive all unicast, multicast, and
broadcast traffic.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
VLANs in a Multi-Switched Environment
Networks with VLANs
With VLANs, unicast, multicast, and broadcast traffic is confined to a VLAN. Without a Layer 3
device to connect the VLANs, devices in different VLANs cannot communicate.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44
VLANs in a Multi-Switched Environment
VLAN Identification with a Tag
• The IEEE 802.1Q header is 4 Bytes

• When the tag is created the FCS must be

recalculated.
• When sent to end devices, this tag must be removed
and the FCS recalculated back to its original number.

802.1Q VLAN Tag Field Function

Type • 2-Byte field with hexadecimal 0x8100
• This is referred to as Tag Protocol ID (TPID)
User Priority • 3-bit value that supports
Canonical Format Identifier (CFI) • 1-bit value that can support token ring frames on Ethernet
VLAN ID (VID) • 12-bit VLAN identifier that can support up to 4096 VLANs

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45
VLANs in a Multi-Switched Environment
Native VLANs and 802.1Q Tagging
802.1Q trunk basics:
• Tagging is typically done on all VLANs.

• The use of a native VLAN was designed for

legacy use, like the hub in the example.
• Unless changed, VLAN1 is the native VLAN.

• Both ends of a trunk link must be configured

with the same native VLAN.
• Each trunk is configured separately, so it is
possible to have a different native VLANs on
separate trunks.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
VLANs in a Multi-Switched Environment
Voice VLAN Tagging
The VoIP phone is a three port switch:
• The switch will use CDP to inform the phone of the Voice
VLAN.
• The phone will tag its own traffic (Voice) and can set Cost
of Service (CoS). CoS is QoS for layer 2.
• The phone may or may not tag frames from the PC.

Traffic Tagging Function

Voice VLAN tagged with an appropriate Layer 2 class of service (CoS) priority value
Access VLAN can also be tagged with a Layer 2 CoS priority value
Access VLAN is not tagged (no Layer 2 CoS priority value)

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47
VLANs in a Multi-Switched Environment
Voice VLAN Verification Example
The show interfaces fa0/18 switchport command can show us both data and voice
VLANs assigned to the interface.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48
VLAN Configuration
VLAN Ranges on Catalyst Switches

Catalyst switches 2960 and 3650 support over

4000 VLANs.

Normal Range VLAN 1 – 1005 Extended Range VLAN 1006 - 4095

Used in Small to Medium sized businesses Used by Service Providers

1002 – 1005 are reserved for legacy VLANs Are in Running-Config
1, 1002 – 1005 are auto created and cannot be Supports fewer VLAN features
deleted
Stored in the vlan.dat file in flash Requires VTP configurations
VTP can synchronize between switches
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 49
VLAN Configuration
VLAN Creation Commands
VLAN details are stored in the vlan.dat file. You create VLANs in the global
configuration mode.

Task IOS Command

Enter global configuration mode. Switch# configure terminal
Create a VLAN with a valid ID number. Switch(config)# vlan vlan-id
Specify a unique name to identify the
Switch(config-vlan)# name vlan-name
VLAN.
Return to the privileged EXEC mode. Switch(config-vlan)# end
Enter global configuration mode. Switch# configure terminal

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 50
VLAN Configuration
VLAN Creation Example

• If the Student PC is going to be in

VLAN 20, we will create the VLAN first
and then name it.
• If you do not name it, the Cisco IOS
will give it a default name of vlan and Prompt Command
the four digit number of the VLAN. E.g. S1# Configure terminal
vlan0020 for VLAN 20.
S1(config)# vlan 20
S1(config-vlan)# name student
S1(config-vlan)# end

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 51
VLAN Configuration
VLAN Port Assignment Commands
Once the VLAN is created, we can then assign it to the correct interfaces.

Task Command
Enter global configuration mode. Switch# configure terminal

Enter interface configuration mode. Switch(config)# interface interface-id

Set the port to access mode. Switch(config-if)# switchport mode access

Assign the port to a VLAN. Switch(config-if)# switchport access vlan vlan-id

Return to the privileged EXEC mode. Switch(config-if)# end

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 52
VLAN Configuration
VLAN Port Assignment Example
We can assign the VLAN to the port
interface.
• Once the device is assigned the
VLAN, then the end device will need
the IP address information for that
VLAN Prompt Command
• Here, Student PC receives S1# Configure terminal
172.17.20.22
S1(config)# Interface fa0/18
S1(config-if)# Switchport mode access
S1(config-if)# Switchport access vlan 20
S1(config-if)# end
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 53
VLAN Configuration
Data and Voice VLANs
An access port may only be
assigned to one data VLAN.
However it may also be assigned to
one Voice VLAN for when a phone
and an end device are off of the
same switchport.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 54
VLAN Configuration
Data and Voice VLAN Example
• We will want to create and name both Voice
and Data VLANs.
• In addition to assigning the data VLAN, we
will also assign the Voice VLAN and turn on
QoS for the voice traffic to the interface.
• The newer catalyst switch will automatically
create the VLAN, if it does not already exist,
when it is assigned to an interface.
Note: QoS is beyond the scope of this course.
Here we do show the use of the mls qos trust
[cos | device cisco-phone | dscp | ip-
precedence] command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 55
VLAN Configuration
Verify VLAN Information
Use the show vlan command. The
complete syntax is:
show vlan [brief | id vlan-id | name
vlan-name | summary]

Task Command Option

Display VLAN name, status, and its ports one VLAN per line. brief
Display information about the identified VLAN ID number. id vlan-id
Display information about the identified VLAN name. The vlan-name
name vlan-name
is an ASCII string from 1 to 32 characters.
Display VLAN summary information. summary
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 56
VLAN Configuration
Change VLAN Port Membership

There are a number of ways to change VLAN

membership:
• re-enter switchport access vlan vlan-id
command
• use the no switchport access vlan to
place interface back in VLAN 1
Use the show vlan brief or the show
interface fa0/18 switchport commands to
verify the correct VLAN association.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 57
VLAN Configuration
Delete VLANs
Delete VLANs with the no vlan vlan-id command.
Caution: Before deleting a VLAN, reassign all member ports to a different VLAN.
• Delete all VLANs with the delete flash:vlan.dat or delete vlan.dat commands.

• Reload the switch when deleting all VLANs.

Note: To restore to factory default – unplug all data cables, erase the startup-configuration
and delete the vlan.dat file, then reload the device.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 58
VLAN Trunks
Trunk Configuration Commands
Configure and verify VLAN trunks. Trunks are layer 2 and carry traffic for all VLANs.

Task IOS Command

Enter global configuration mode. Switch# configure terminal
Enter interface configuration mode. Switch(config)# interface interface-id
Set the port to permanent trunking mode. Switch(config-if)# switchport mode trunk
Sets the native VLAN to something other Switch(config-if)# switchport trunk native vlan
than VLAN 1. vlan-id
Specify the list of VLANs to be allowed on Switch(config-if)# switchport trunk allowed
the trunk link. vlan vlan-list
Return to the privileged EXEC mode. Switch(config-if)# end

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 59
VLAN Trunks
Trunk Configuration Example
The subnets associated with each VLAN are:
• VLAN 10 - Faculty/Staff - 172.17.10.0/24
• VLAN 20 - Students - 172.17.20.0/24
• VLAN 30 - Guests - 172.17.30.0/24
• VLAN 99 - Native - 172.17.99.0/24

F0/1 port on S1 is configured as Prompt Command

a trunk port. S1(config)# Interface fa0/1
Note: This assumes a 2960 S1(config-if)# Switchport mode trunk
switch using 802.1q tagging.
S1(config-if)# Switchport trunk native vlan 99
Layer 3 switches require the
encapsulation to be configured S1(config-if)# Switchport trunk allowed vlan 10,20,30,99
before the trunk mode.
S1(config-if)# end
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 60
VLAN Trunks
Verify Trunk Configuration
Set the trunk mode and native vlan.
Notice sh int fa0/1 switchport command:
• Is set to trunk administratively

• Is set as trunk operationally (functioning)

• Encapsulation is dot1q

• Native VLAN set to VLAN 99

• All VLANs created on the switch will pass

traffic on this trunk

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 61
VLAN Trunks
Reset the Trunk to the Default State
• Reset the default trunk settings with
the no command.
• All VLANs allowed to pass traffic
• Native VLAN = VLAN 1
• Verify the default settings with a sh
int fa0/1 switchport command.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 62
VLAN Trunks
Reset the Trunk to the Default State (Cont.)
Reset the trunk to an access mode with the
switchport mode access command:
• Is set to an access interface administratively
• Is set as an access interface operationally
(functioning)

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 63
Dynamic Trunking Protocol
Introduction to DTP
Dynamic Trunking Protocol (DTP) is a proprietary Cisco protocol.
DTP characteristics are as follows:
• On by default on Catalyst 2960 and 2950 switches
• Dynamic-auto is default on the 2960 and 2950 switches
• May be turned off with the nonegotiate command
• May be turned back on by setting the interface to dynamic-auto
• Setting a switch to a static trunk or static access will avoid negotiation issues with the
switchport mode trunk or the switchport mode access commands.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 64
Dynamic Trunking Protocol
Negotiated Interface Modes
The switchport mode command has additional options.
Use the switchport nonegotiate interface configuration command to stop DTP negotiation.

Option Description
Permanent access mode and negotiates to convert the neighboring link
access
into an access link
Will becomes a trunk interface if the neighboring interface is set to trunk
dynamic auto
or desirable mode
Actively seeks to become a trunk by negotiating with other auto or
dynamic desirable
desirable interfaces
Permanent trunking mode and negotiates to convert the neighboring link
trunk
into a trunk link

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 65
Dynamic Trunking Protocol
Results of a DTP Configuration

DTP configuration options are as follows:

Dynamic
Dynamic Auto Trunk Access
Desirable
Dynamic Auto Access Trunk Trunk Access
Dynamic
Trunk Trunk Trunk Access
Desirable
Limited
Trunk Trunk Trunk Trunk
connectivity
Limited
Access Access Access Access
connectivity

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 66
Dynamic Trunking Protocol
Verify DTP Mode
The default DTP configuration is
dependent on the Cisco IOS version and
platform.
 Use the show dtp interface command
to determine the current DTP mode.
 Best practice recommends that the
interfaces be set to access or trunk and
to turnoff DTP

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 67
Inter-VLAN Routing

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 68
Inter-VLAN Routing Operation
What is Inter-VLAN Routing?
VLANs are used to segment switched Layer 2 networks for a variety of reasons. Regardless of the
reason, hosts in one VLAN cannot communicate with hosts in another VLAN unless there is a router
or a Layer 3 switch to provide routing services.

Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another VLAN.

There are three inter-VLAN routing options:

• Legacy Inter-VLAN routing - This is a legacy solution. It does not scale well.
• Router-on-a-Stick - This is an acceptable solution for a small to medium-sized network.
• Layer 3 switch using switched virtual interfaces (SVIs) - This is the most scalable solution for
medium to large organizations.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 69
Inter-VLAN Routing Operation
Legacy Inter-VLAN Routing
• The first inter-VLAN routing solution relied on using a router with multiple Ethernet interfaces.
Each router interface was connected to a switch port in different VLANs. The router interfaces
served as the default gateways to the local hosts on the VLAN subnet.
• Legacy inter-VLAN routing using physical interfaces works, but it has a significant limitation. It is
not reasonably scalable because routers have a limited number of physical interfaces.
• Requiring one physical router interface per VLAN quickly exhausts the physical interface capacity
of a router.
• Note: This method of inter-VLAN routing is no longer implemented in switched networks and is
included for explanation purposes only.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 70
Inter-VLAN Routing Operation
Router-on-a-Stick Inter-VLAN Routing
The ‘router-on-a-stick’ inter-VLAN routing method overcomes the limitation of the legacy inter-VLAN
routing method. It only requires one physical Ethernet interface to route traffic between multiple VLANs
on a network.
• A Cisco IOS router Ethernet interface is configured as an 802.1Q trunk and connected to a trunk port
on a Layer 2 switch. Specifically, the router interface is configured using subinterfaces to identify
routable VLANs.
• The configured subinterfaces are software-based virtual interfaces. Each is associated with a single
physical Ethernet interface. Subinterfaces are configured in software on a router. Each subinterface is
independently configured with an IP address and VLAN assignment. Subinterfaces are configured for
different subnets that correspond to their VLAN assignment. This facilitates logical routing.
• When VLAN-tagged traffic enters the router interface, it is forwarded to the VLAN subinterface. After a
routing decision is made based on the destination IP network address, the router determines the exit
interface for the traffic. If the exit interface is configured as an 802.1q subinterface, the data frames are
VLAN-tagged with the new VLAN and sent back out the physical interface
Note: The router-on-a-stick method of inter-VLAN routing does not scale beyond 50 VLANs.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 71
Inter-VLAN Routing Operation
Inter-VLAN Routing on a Layer 3 Switch
The modern method of performing inter-VLAN routing is to use Layer 3 switches and switched virtual
interfaces (SVI). An SVI is a virtual interface that is configured on a Layer 3 switch, as shown in the
figure.

Note: A Layer 3 switch is also called a multilayer switch as it operates at Layer 2 and Layer 3.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 72
Inter-VLAN Routing Operation
Inter-VLAN Routing on a Layer 3 Switch (Cont.)
Inter-VLAN SVIs are created the same way that the management VLAN interface is configured. The
SVI is created for a VLAN that exists on the switch. Although virtual, the SVI performs the same
functions for the VLAN as a router interface would. Specifically, it provides Layer 3 processing for
packets that are sent to or from all switch ports associated with that VLAN.

The following are advantages of using Layer 3 switches for inter-VLAN routing:
• They are much faster than router-on-a-stick because everything is hardware switched and
routed.
• There is no need for external links from the switch to the router for routing.
• They are not limited to one link because Layer 2 EtherChannels can be used as trunk links
between the switches to increase bandwidth.
• Latency is much lower because data does not need to leave the switch in order to be routed to
a different network.
• They more commonly deployed in a campus LAN than routers.
• The only disadvantage is that Layer 3 switches are more expensive.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 73
Router-on-a-Stick Inter-VLAN Routing
Router-on-a-Stick Scenario
• In the figure, the R1 GigabitEthernet 0/0/1 interface is
connected to the S1 FastEthernet 0/5 port. The S1
FastEthernet 0/1 port is connected to the S2 FastEthernet
0/1 port. These are trunk links that are required to forward
traffic within and between VLANs.
• To route between VLANs, the R1 GigabitEthernet 0/0/1
interface is logically divided into three subinterfaces, as
shown in the table. The table also shows the three VLANs
that will be configured on the switches.
• Assume that R1, S1, and S2 have initial basic
configurations. Currently, PC1 and PC2 cannot ping each
other because they are on separate networks. Only S1 and
S2 can ping each other, but they but are unreachable by Subinterface VLAN IP Address
PC1 or PC2 because they are also on different networks.
• G0/0/1.10 10 192.168.10.1/24
To enable devices to ping each other, the switches must be
configured with VLANs and trunking, and the router must be G0/0/1.20 20 192.168.20.1/24
configured for inter-VLAN routing.
G0/0/1.30 99 192.168.99.1/24
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 74
Router-on-a-Stick Inter-VLAN Routing
S1 VLAN and Trunking Configuration
Complete the following steps to configure S1 with VLANs and trunking:
• Step 1. Create and name the VLANs.
• Step 2. Create the management interface.
• Step 3. Configure access ports.
• Step 4. Configure trunking ports.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 75
Router-on-a-Stick Inter-VLAN Routing
S2 VLAN and Trunking Configuration
The configuration for S2
is similar to S1.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 76
Router-on-a-Stick Inter-VLAN Routing
R1 Subinterface Configuration
The router-on-a-stick method requires you to create a subinterface for each VLAN to be routed.
A subinterface is created using the interface interface_id subinterface_id global configuration
mode command. The subinterface syntax is the physical interface followed by a period and a
subinterface number. Although not required, it is customary to match the subinterface number
with the VLAN number.
Each subinterface is then configured with the following two commands:
• encapsulation dot1q vlan_id [native] - This command configures the subinterface to
respond to 802.1Q encapsulated traffic from the specified vlan-id. The native keyword
option is only appended to set the native VLAN to something other than VLAN 1.
• ip address ip-address subnet-mask - This command configures the IPv4 address of the
subinterface. This address typically serves as the default gateway for the identified VLAN.
Repeat the process for each VLAN to be routed. Each router subinterface must be assigned an
IP address on a unique subnet for routing to occur. When all subinterfaces have been created,
enable the physical interface using the no shutdown interface configuration command. If the
physical interface is disabled, all subinterfaces are disabled.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 77
Router-on-a-Stick Inter-VLAN Routing
R1 Subinterface Configuration (Cont.)
In the configuration, the R1
G0/0/1 subinterfaces are
configured for VLANs 10, 20,
and 99.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 78
Router-on-a-Stick Inter-VLAN Routing
Verify Connectivity Between PC1 and PC2
The router-on-a-stick configuration is complete
after the switch trunk and the router
subinterfaces have been configured. The
configuration can be verified from the hosts,
router, and switch.

From a host, verify connectivity to a host in

another VLAN using the ping command. It is a
good idea to first verify the current host IP
configuration using the ipconfig Windows host
command.

Next, use ping to verify connectivity with PC2

and S1, as shown in the figure.
The ping output successfully confirms inter-
VLAN routing is operating.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 79
Router-on-a-Stick Inter-VLAN Routing
Router-on-a-Stick Inter-VLAN Routing Verification
In addition to using ping between devices, the following show commands can
be used to verify and troubleshoot the router-on-a-stick configuration.
• show ip route
• show ip interface brief
• show interfaces
• show interfaces trunk

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 80
Inter-VLAN Routing using Layer 3 Switches
Layer 3 Switch Inter-VLAN Routing
Inter-VLAN routing using the router-on-a-stick method is simple to implement for a small to
medium-sized organization. However, a large enterprise requires a faster, much more scalable
method to provide inter-VLAN routing.

Enterprise campus LANs use Layer 3 switches to provide inter-VLAN routing. Layer 3 switches
use hardware-based switching to achieve higher-packet processing rates than routers. Layer 3
switches are also commonly implemented in enterprise distribution layer wiring closets.

Capabilities of a Layer 3 switch include the ability to do the following:

• Route from one VLAN to another using multiple switched virtual interfaces (SVIs).
• Convert a Layer 2 switchport to a Layer 3 interface (i.e., a routed port). A routed port is
similar to a physical interface on a Cisco IOS router.
• To provide inter-VLAN routing, Layer 3 switches use SVIs. SVIs are configured using the
same interface vlan vlan-id command used to create the management SVI on a Layer 2
switch. A Layer 3 SVI must be created for each of the routable VLANs.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 81
Inter-VLAN Routing using Layer 3 Switches
Layer 3 Switch Scenario

In the figure, the Layer 3

switch, D1, is connected to
two hosts on different VLANs.
PC1 is in VLAN 10 and PC2
is in VLAN 20, as shown. The
Layer 3 switch will provide
inter-VLAN routing services
to the two hosts.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 82
Inter-VLAN Routing using Layer 3 Switches
Layer 3 Switch Configuration
Complete the following steps to configure S1 with VLANs
and trunking:
• Step 1. Create the VLANs. In the example, VLANs 10
and 20 are used.
• Step 2. Create the SVI VLAN interfaces. The IP address
configured will serve as the default gateway for hosts in
the respective VLAN.
• Step 3. Configure access ports. Assign the appropriate
port to the required VLAN.
• Step 4. Enable IP routing. Issue the ip routing global
configuration command to allow traffic to be exchanged
between VLANs 10 and 20. This command must be
configured to enable inter-VAN routing on a Layer 3
switch for IPv4.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 83
Inter-VLAN Routing using Layer 3 Switches
Layer 3 Switch Inter-VLAN Routing Verification
Inter-VLAN routing using a Layer 3 switch is simpler to configure than the router-on-a-
stick method. After the configuration is complete, the configuration can be verified by
testing connectivity between the hosts.
• From a host, verify connectivity to a host in another VLAN using the ping command. It
is a good idea to first verify the current host IP configuration using
the ipconfig Windows host command. 
• Next, verify connectivity with PC2 using the ping Windows host command.
The successful ping output confirms inter-VLAN routing is operating.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 84
Troubleshoot Inter-VLAN Routing
Common Inter-VLAN Issues
There are a number of reasons why an inter-VAN configuration may not work. All are related to
connectivity issues. First, check the physical layer to resolve any issues where a cable might be
connected to the wrong port. If the connections are correct, then use the list in the table for other
common reasons why inter-VLAN connectivity may fail.
Issue Type How to Fix How to Verify

show vlan [brief]

•Create (or re-create) the VLAN if it does not exist.
Missing VLANs show interfaces switchport
•Ensure host port is assigned to the correct VLAN.
ping
•Ensure trunks are configured correctly. show interface trunk
Switch Trunk Port Issues
•Ensure port is a trunk port and enabled. show running-config
•Assign correct VLAN to access port.
show interfaces switchport
•Ensure port is an access port and enabled.
Switch Access Port Issues show running-config interface
•Host is incorrectly configured in the wrong
ipconfig
subnet.
•Router subinterface IPv4 address is incorrectly
Router Configuration show ip interface brief
configured.
Issues show interfaces
•Router subinterface is assigned to the VLAN ID.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 85
 THE END

THANK YOU

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 86