
Routing Between VLANs

We wrote an article which covers Virtual Local Area Networks (VLANs) as a concept, and another article on configuring VLANs on Cisco switches. The remaining subject to cover is the different options that exist for routing between VLANs.

Why do we need Routing Between VLANs?

As we learned in a prior article, VLANs create a logical separation between Switch ports. Essentially, each VLAN behaves like a separate physical switch. To illustrate this, below are two topology pictures of the same environment – one Physical and one Logical.

The Physical topology depicts a switch and four hosts in two different VLANs – Host A and Host B are in VLAN 20 and Host C and Host D are in VLAN 30. The logical topology reflects how the physical topology operates – the two VLANs essentially create two separate physical switches.

Routing Between VLANs - Physical Topology
Routing Between VLANs - Logical Topology

Despite all four hosts being connected to the same physical switch, the logical topology makes it clear that the hosts in VLAN 20 are unable to speak with the hosts in VLAN 30. Notice that since nothing connects the two “virtual” switches, there is no way for Host A to speak to Host C.

Since Host A and Host C are in different VLANs, it is also implied that they are in different Networks. Each VLAN will typically correspond to its own IP Network. In this diagram, VLAN 20 contains the 10.0.20.0/24 network, and VLAN 30 contains the 10.0.30.0/24 network.

The purpose of a Switch is to facilitate communication within networks. This works great for Host A trying to speak to Host B. However, if Host A is trying to speak to Host C, we will need to use another device – one whose purpose is to facilitate communication between networks.

If you’ve read the Packet Traveling series, then you know that the device which facilitates communication between networks is a Router.

A router will perform the routing function necessary for two hosts on different networks to speak to one another. In the same way, a Router is what we will need in order for hosts in different VLANs to communicate with one another.

There are three options available in order to enable routing between the VLANs:

Router with Separate Physical Interfaces
Router with Sub-Interfaces
Layer 3 Switch

The remainder of this article will explore these three options and their configuration.

Router with Separate Physical Interfaces

The simplest way to enable routing between the two VLANs is to simply connect an additional port from each VLAN into a Router.

Routing Between VLANs - Physical Interfaces

The Router doesn’t know that it has two connections to the same switch — nor does it need to. The Router operates like normal when routing packets between two networks.

In fact, the process of a packet moving from Host A to Host D in this topology works exactly as it does between any two networks joined by a router. The only difference is that since there is only one physical switch, there is only one MAC address table: each entry maps a switchport to a MAC address and also records the VLAN ID that port belongs to.

Each switch port in this diagram is configured as an Access port. We can use the range command to configure multiple ports at once:

Switch(config)# interface range eth2/0 - 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20

Switch(config)# interface range eth3/0 - 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 30

Of course, before assigning the switchport to a VLAN, it is a good idea to create the VLAN in the VLAN Database. Many IOS switches will create a missing VLAN automatically when a port is assigned to it, but creating it explicitly and naming it (as in the running-config below) keeps the configuration deliberate and easier to audit.

The Router interfaces also use a standard configuration — configuring an IP address and enabling the interface:

Router(config)# interface eth0/2
Router(config-if)# ip address 10.0.20.1 255.255.255.0
Router(config-if)# no shutdown

Router(config)# interface eth0/3
Router(config-if)# ip address 10.0.30.1 255.255.255.0
Router(config-if)# no shutdown

Below you will find various show commands for the Router and the Switch. These can be used to understand and validate how the environment is functioning.

Router Show Commands
Router# show running-config
...
interface Ethernet0/2
 ip address 10.0.20.1 255.255.255.0
!
interface Ethernet0/3
 ip address 10.0.30.1 255.255.255.0

Router# show ip interface brief
Interface             IP-Address      OK? Method Status        Protocol
...
Ethernet0/2           10.0.20.1       YES manual up            up
Ethernet0/3           10.0.30.1       YES manual up            up
...

Router# show ip route
Codes: L - local, C - connected, ...

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.20.0/24 is directly connected, Ethernet0/2
L        10.0.20.1/32 is directly connected, Ethernet0/2
C        10.0.30.0/24 is directly connected, Ethernet0/3
L        10.0.30.1/32 is directly connected, Ethernet0/3

Router# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.20.1               -   aabb.cc00.0220  ARPA   Ethernet0/2
Internet  10.0.20.11              2   0050.7966.6800  ARPA   Ethernet0/2
Internet  10.0.20.22              5   0050.7966.6801  ARPA   Ethernet0/2
Internet  10.0.30.1               -   aabb.cc00.0230  ARPA   Ethernet0/3
Internet  10.0.30.33              4   0050.7966.6802  ARPA   Ethernet0/3
Internet  10.0.30.44              4   0050.7966.6803  ARPA   Ethernet0/3

Router# show cdp neighbors
Capability Codes: R - Router, S - Switch, I - IGMP, B - Source Route Bridge
...
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Switch           Eth 0/3           126             R S I  Linux Uni Eth 3/0
Switch           Eth 0/2           126             R S I  Linux Uni Eth 2/0

Switch Show Commands
Switch# show running-config
...
vlan 20
 name RED
!
vlan 30
 name BLUE
...
interface Ethernet2/0
 switchport access vlan 20
 switchport mode access
!
interface Ethernet2/1
 switchport access vlan 20
 switchport mode access
!
interface Ethernet2/2
 switchport access vlan 20
 switchport mode access
!
interface Ethernet3/0
 switchport access vlan 30
 switchport mode access
!
interface Ethernet3/1
 switchport access vlan 30
 switchport mode access
!
interface Ethernet3/2
 switchport access vlan 30
 switchport mode access

Switch# show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0050.7966.6800    DYNAMIC     Et2/1
  20    0050.7966.6801    DYNAMIC     Et2/2
  20    aabb.cc00.0220    DYNAMIC     Et2/0
  30    0050.7966.6802    DYNAMIC     Et3/1
  30    0050.7966.6803    DYNAMIC     Et3/2
  30    aabb.cc00.0230    DYNAMIC     Et3/0
Total Mac Addresses for this criterion: 6

Switch# show vlan brief

VLAN Name                        Status    Ports
---- --------------------------- --------- --------------------
...
20   RED                         active    Et2/0, Et2/1, Et2/2
30   BLUE                        active    Et3/0, Et3/1, Et3/2
...

Switch# show cdp neighbors
Capability Codes: R - Router, S - Switch, I - IGMP, B - Source Route Bridge
...
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Router           Eth 3/0           152              R B   Linux Uni Eth 0/3
Router           Eth 2/0           166              R B   Linux Uni Eth 0/2
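The following is an added example, not code from the original article: a minimal simulation of the separate-physical-interfaces topology above. One VLAN-aware switch keeps a single MAC address table keyed by (VLAN, MAC), exactly as the Vlan column in the show mac address-table output implies, and floods only within a VLAN; a router with a port in each VLAN forwards between them like any two-interface router, rewriting the L2 header and decrementing the TTL. Port names, MACs and IP addresses are constructed to match the show output above; ARP is pre-populated rather than simulated.

```python
"""Added example, not code from the original article: a minimal simulation of
the separate-physical-interfaces topology. One VLAN-aware switch keeps a single
MAC address table keyed by (VLAN, MAC) and floods only within a VLAN; a router
with a port in each VLAN forwards between them like any two-interface router,
rewriting the L2 header and decrementing the TTL. Port names, MACs and IPs are
constructed to match the article's show output; ARP is pre-populated rather
than simulated."""
import ipaddress
from dataclasses import dataclass, replace

BROADCAST = "ffff.ffff.ffff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64


class Switch:
    """Layer 2 switch whose ports are all access ports, each in exactly one VLAN."""

    def __init__(self, access_ports):
        self.port_vlan = dict(access_ports)   # port -> VLAN ID
        self.mac_table = {}                   # (vlan, mac) -> port: ONE table for all VLANs

    def forward(self, in_port, frame):
        """Return {egress_port: frame}. A frame never leaves the VLAN it arrived in."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, frame.src_mac)] = in_port            # learn the source
        known = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac != BROADCAST and known is not None:
            return {known: frame}
        # unknown unicast or broadcast: flood, but only to the other ports of this VLAN
        return {p: frame for p, v in self.port_vlan.items() if v == vlan and p != in_port}


class Router:
    """Router with one physical interface per VLAN; connected routes only, no default route."""

    def __init__(self, interfaces, arp_table):
        self.interfaces = {port: (ipaddress.ip_interface(addr), mac)
                           for port, (addr, mac) in interfaces.items()}
        self.arp = dict(arp_table)            # next-hop IP -> MAC

    def route(self, frame):
        """Return (egress_port, rewritten_frame), or None if the packet is dropped."""
        dst = ipaddress.ip_address(frame.dst_ip)
        for port, (ifaddr, mac) in self.interfaces.items():
            if dst in ifaddr.network:                               # connected route
                if frame.ttl <= 1:
                    return None                                     # TTL exceeded
                return port, replace(frame, src_mac=mac, dst_mac=self.arp[frame.dst_ip],
                                     ttl=frame.ttl - 1)
        return None                                                 # no route


# Topology from the article: Et2/x in VLAN 20, Et3/x in VLAN 30, router on Et2/0 and Et3/0.
SWITCH = Switch({"Et2/0": 20, "Et2/1": 20, "Et2/2": 20,
                 "Et3/0": 30, "Et3/1": 30, "Et3/2": 30})
HOSTS = {  # name: (switch port, MAC, IP)
    "A": ("Et2/1", "0050.7966.6800", "10.0.20.11"),
    "B": ("Et2/2", "0050.7966.6801", "10.0.20.22"),
    "C": ("Et3/1", "0050.7966.6802", "10.0.30.33"),
    "D": ("Et3/2", "0050.7966.6803", "10.0.30.44"),
}
ROUTER = Router({"Et2/0": ("10.0.20.1/24", "aabb.cc00.0220"),
                 "Et3/0": ("10.0.30.1/24", "aabb.cc00.0230")},
                {ip: mac for _, mac, ip in HOSTS.values()})
GATEWAY_MAC = {20: "aabb.cc00.0220", 30: "aabb.cc00.0230"}   # each VLAN's default gateway


def broadcast_scope(host):
    """Ports that receive a broadcast from `host`: only the other ports of its VLAN."""
    port, mac, ip = HOSTS[host]
    return sorted(SWITCH.forward(port, Frame(mac, BROADCAST, ip, "255.255.255.255")))


def send(src, dst):
    """Carry one packet from host src to host dst.

    Returns (ports on which the frame was accepted, frame as delivered), or (ports, None)."""
    sport, smac, sip = HOSTS[src]
    _, dmac, dip = HOSTS[dst]
    on_link = ipaddress.ip_address(dip) in ipaddress.ip_network(f"{sip}/24", strict=False)
    first_hop = dmac if on_link else GATEWAY_MAC[SWITCH.port_vlan[sport]]
    hops, pending = [sport], [(sport, Frame(smac, first_hop, sip, dip))]
    while pending:
        in_port, frame = pending.pop()
        for out_port, copy in SWITCH.forward(in_port, frame).items():
            if out_port in ROUTER.interfaces and copy.dst_mac == ROUTER.interfaces[out_port][1]:
                routed = ROUTER.route(copy)
                if routed:
                    hops += [out_port, routed[0]]
                    pending.append(routed)
            elif any(p == out_port and m == copy.dst_mac for p, m, _ in HOSTS.values()):
                hops.append(out_port)
                return hops, copy                 # NIC with the matching MAC accepts it
            # any other port: the NIC ignores a frame not addressed to it
    return hops, None


if __name__ == "__main__":
    print("broadcast from A reaches:", broadcast_scope("A"))
    path, delivered = send("A", "D")
    print("A -> D path:", " -> ".join(path), "| TTL", delivered.ttl,
          "| L2", delivered.src_mac, "->", delivered.dst_mac)
    for (vlan, mac), port in sorted(SWITCH.mac_table.items()):
        print(f"{vlan:>4}    {mac}    DYNAMIC     {port}")
```

Running it shows a broadcast from Host A reaching only Et2/0 and Et2/2, the A to D packet taking the path Et2/1, Et2/0, Et3/0, Et3/2 with its TTL reduced to 63 and a fresh L2 header (router port MAC to Host D's MAC), and the router dropping a packet with TTL 1 or one for a network it has no route to, which matches the "Gateway of last resort is not set" line in the show ip route output.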


Router with Sub-Interfaces

The previously described method is functional, but scales poorly. If there were five VLANs on the switch, then we would need five switchports and five router ports to enable routing between all five VLANs.

Instead, there exists a way for multiple VLANs to terminate on a single router interface. That method is to create a Sub-Interface.

Routing Between VLANs - Subinterfaces

A Sub-Interface allows a single Physical interface to be split up into multiple virtual sub-interfaces, each of which terminates its own VLAN.

Sub-interfaces to a Router are similar to what Trunk ports are to a Switch – one link carrying traffic for multiple VLANs. Hence, each router Sub-interface must also add a VLAN tag to all traffic leaving said interface.

The logical operation of the Sub-interface topology works exactly as the separate physical interface topology in the section before it. The only difference is with Sub-interfaces, only one Router interface is required to terminate all VLANs.

Keep in mind, however, that the drawback with all VLANs terminating on a single Router interface is an increased risk of congestion on the link.

The Sub-interface feature is sometimes referred to as Router on a Stick or One-armed Router. This is in reference to the single router terminating the traffic from each VLAN.

The Switch’s port facing the router is configured as a standard Trunk. Keep in mind that a trunk left at its defaults allows every VLAN (1-4094) and uses VLAN 1 as its untagged native VLAN, which is what the show interfaces trunk output further down reflects; in practice you would restrict the allowed list to the VLANs the router actually terminates and move the native VLAN to an unused one, so the router port is not a member of every VLAN on the switch.

Switch(config)# interface eth1/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk

The Router’s configuration of Sub-interfaces is fairly straightforward. First, we enable the physical interface:

Router(config)# interface eth1/1
Router(config-if)# no shutdown

Next, we create and configure the first Sub-interface:

Router(config)# interface eth1/1.20 
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 10.0.20.1 255.255.255.0

Apart from using the Sub-interface distinguisher (eth1/1.20) and using the encapsulation dot1q <VLAN#> command, the rest of the interface configuration is exactly the same as any other regular physical interface.

Similarly, we will also configure the Sub-interface for VLAN 30:

Router(config)# interface eth1/1.30
Router(config-subif)# encapsulation dot1Q 30
Router(config-subif)# ip address 10.0.30.1 255.255.255.0

A point of clarity regarding the Sub-interface syntax: the number after the physical interface (the .20 in eth1/1.20 and the .30 in eth1/1.30) simply identifies the Sub-interface on that physical interface. The number specified in the encapsulation dot1q ## command is what actually specifies which VLAN ID the traffic belongs to.

These two values do not have to match, but often they do for the purpose of technician sanity.
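The following is an added example, not code from the original article: what encapsulation dot1Q actually does to a frame on a router sub-interface. tag_frame() inserts the 4-byte 802.1Q header (TPID 0x8100 plus the TCI carrying the VLAN ID) that the sub-interface adds on egress, untag_frame() strips it on ingress, and SubInterfaces maps the VLAN ID found in the tag to whichever sub-interface was configured with that encapsulation, which is also why the sub-interface number and the VLAN ID need not match. Sub-interface names, MACs and VLAN IDs are constructed to match the configuration above; the sample frame payload is constructed filler.

```python
"""Added example, not code from the original article: what `encapsulation
dot1Q <vid>` on a router sub-interface does to a frame. tag_frame() inserts the
4-byte 802.1Q header (TPID 0x8100 + TCI) that the sub-interface adds on egress;
untag_frame() strips it on ingress; SubInterfaces maps the VLAN ID found in the
tag to the sub-interface configured for it. Sub-interface names, MACs and VLAN
IDs are constructed to match the article's config; the payload is filler."""
import struct

TPID_8021Q = 0x8100


def mac_bytes(dotted):
    """Cisco-style 'aabb.cc00.0211' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def build_untagged(dst_mac, src_mac, ethertype, payload):
    """Plain Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert TPID + TCI between the source MAC and the EtherType (802.1Q egress)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vid, untagged_frame); vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]       # PCP/DEI bits are not part of the VLAN ID


class SubInterfaces:
    """The router's view of one physical interface split up by `encapsulation dot1Q`.

    `encaps` maps sub-interface name -> VLAN ID. The name's suffix is only a label;
    just the VLAN ID from the encapsulation command is matched against the tag.
    `native`, if set, is the VLAN ID whose frames travel untagged on this trunk
    (the `encapsulation dot1Q <vid> native` form)."""

    def __init__(self, encaps, native=None):
        self.name_to_vid = dict(encaps)
        self.vid_to_name = {vid: name for name, vid in encaps.items()}
        if len(self.vid_to_name) != len(encaps):
            raise ValueError("two sub-interfaces cannot share one VLAN ID")
        self.native = native

    def ingress(self, frame):
        """Classify a frame arriving on the trunk: (sub-interface or None, vid, untagged)."""
        vid, untagged = untag_frame(frame)
        if vid is None:
            vid = self.native                                     # untagged = native VLAN
        return self.vid_to_name.get(vid), vid, untagged           # None: no sub-interface, dropped

    def egress(self, name, untagged):
        """Send a packet out of a sub-interface: tag it with that sub-interface's VLAN ID."""
        vid = self.name_to_vid[name]
        return untagged if vid == self.native else tag_frame(untagged, vid)


# Router config from the article: Ethernet1/1.20 -> VLAN 20, Ethernet1/1.30 -> VLAN 30
ROUTER_ETH1_1 = SubInterfaces({"Ethernet1/1.20": 20, "Ethernet1/1.30": 30})

# Constructed sample: Host A addressing the router's MAC, IPv4 EtherType, 46 filler bytes
HOST_A_TO_ROUTER = build_untagged("aabb.cc00.0211", "0050.7966.6800", 0x0800, bytes(46))


if __name__ == "__main__":
    tagged = tag_frame(HOST_A_TO_ROUTER, 20)
    print("tag bytes:", tagged[12:16].hex())            # 81000014 -> TPID, VLAN ID 20
    print("VLAN 20 ingress:", ROUTER_ETH1_1.ingress(tagged)[:2])
    print("VLAN 40 ingress:", ROUTER_ETH1_1.ingress(tag_frame(HOST_A_TO_ROUTER, 40))[:2])
```

Two behaviours worth noticing: a frame tagged with a VLAN ID for which no sub-interface exists classifies to None and is dropped rather than leaking into another VLAN, and an untagged frame is only accepted if a sub-interface has been declared native, so the untagged VLAN 1 traffic that the switch's default trunk also carries goes nowhere on this router.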

Below you will find various show commands for the Router and the Switch. These can be used to understand and validate how the environment is functioning.

Router Sub-Interface Show Commands
Router# show running-config
...
interface Ethernet1/1
 no ip address
!
interface Ethernet1/1.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
!
interface Ethernet1/1.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0

Router# show ip interface brief
Interface             IP-Address      OK? Method Status        Protocol
...
Ethernet1/1           unassigned      YES NVRAM  up            up
Ethernet1/1.20        10.0.20.1       YES manual up            up
Ethernet1/1.30        10.0.30.1       YES manual up            up
...

Router# show ip route
Codes: L - local, C - connected, ...

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.20.0/24 is directly connected, Ethernet1/1.20
L        10.0.20.1/32 is directly connected, Ethernet1/1.20
C        10.0.30.0/24 is directly connected, Ethernet1/1.30
L        10.0.30.1/32 is directly connected, Ethernet1/1.30

Router# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.20.1               -   aabb.cc00.0211  ARPA   Ethernet1/1.20
Internet  10.0.20.11              0   0050.7966.6800  ARPA   Ethernet1/1.20
Internet  10.0.20.22              0   0050.7966.6801  ARPA   Ethernet1/1.20
Internet  10.0.30.1               -   aabb.cc00.0211  ARPA   Ethernet1/1.30
Internet  10.0.30.33              0   0050.7966.6802  ARPA   Ethernet1/1.30
Internet  10.0.30.44              0   0050.7966.6803  ARPA   Ethernet1/1.30

Router# show cdp neighbors
Capability Codes: R - Router, S - Switch, I - IGMP, B - Source Route Bridge
...
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Switch           Eth 1/1           150             R S I  Linux Uni Eth 1/1

Switch Trunk Show Commands
Switch# show running-config
...
vlan 20
 name RED
!
vlan 30
 name BLUE
...
interface Ethernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet2/1
 switchport access vlan 20
 switchport mode access
!
interface Ethernet2/2
 switchport access vlan 20
 switchport mode access
!
interface Ethernet3/1
 switchport access vlan 30
 switchport mode access
!
interface Ethernet3/2
 switchport access vlan 30
 switchport mode access

Switch# show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aabb.cc00.0211    DYNAMIC     Et1/1
  20    aabb.cc00.0211    DYNAMIC     Et1/1
  30    aabb.cc00.0211    DYNAMIC     Et1/1
  20    0050.7966.6800    DYNAMIC     Et2/1
  20    0050.7966.6801    DYNAMIC     Et2/2
  30    0050.7966.6802    DYNAMIC     Et3/1
  30    0050.7966.6803    DYNAMIC     Et3/2
Total Mac Addresses for this criterion: 7

Switch# show vlan brief

VLAN Name                        Status    Ports
---- --------------------------- --------- -------------------
...
20   RED                         active    Et2/1, Et2/2
30   BLUE                        active    Et3/1, Et3/2
...


Switch# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Et1/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et1/1       1-4094

Port        Vlans allowed and active in management domain
Et1/1       1,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Et1/1       1,20,30

Switch# show cdp neighbors
Capability Codes: R - Router, S - Switch, I - IGMP, B - Source Route Bridge
...
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Router           Eth 1/1           136              R B   Linux Uni Eth 1/1
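The following is an added example, not code from the original article: a check on the trunk facing the router. parse_show_interfaces_trunk() reads the text of show interfaces trunk, and audit_trunks() reports the defaults visible in the output above (native VLAN 1, all VLANs 1-4094 allowed, far more than the two VLANs the router terminates) as findings. The first sample is the article's own output; the second is a constructed variant of what the same port shows after the IOS commands switchport trunk allowed vlan 20,30 and switchport trunk native vlan 999, with 999 assumed to be an otherwise unused VLAN.

```python
"""Added example, not code from the original article: a check on the trunk
facing the router. parse_show_interfaces_trunk() reads the text of `show
interfaces trunk`; audit_trunks() reports the trunk defaults the article's
output shows (native VLAN 1, all VLANs 1-4094 allowed) as findings, because a
router port should carry only the VLANs it terminates. The first sample is the
article's own output; the second is a constructed hardened variant."""

SAMPLE_FROM_ARTICLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Et1/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et1/1       1-4094

Port        Vlans allowed and active in management domain
Et1/1       1,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Et1/1       1,20,30
"""

# Constructed: the same port after `switchport trunk allowed vlan 20,30` and
# `switchport trunk native vlan 999` (999 assumed to be an otherwise unused VLAN)
SAMPLE_HARDENED = """\
Port        Mode             Encapsulation  Status        Native vlan
Et1/1       on               802.1q         trunking      999

Port        Vlans allowed on trunk
Et1/1       20,30

Port        Vlans allowed and active in management domain
Et1/1       20,30

Port        Vlans in spanning tree forwarding state and not pruned
Et1/1       20,30
"""

SECTIONS = (  # substring of the "Port ..." header line -> key under which its rows are stored
    ("Native vlan", "status"),
    ("allowed on trunk", "allowed"),
    ("allowed and active", "active"),
    ("forwarding state", "forwarding"),
)


def expand_vlans(spec):
    """'1-4094' / '1,20,30' / 'none' -> set of VLAN IDs."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(text):
    """Return {port: {mode, encapsulation, status, native, allowed, active, forwarding}}."""
    trunks, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":                       # a header line starts a new section
            section = next((key for marker, key in SECTIONS if marker in line), None)
            continue
        port = fields[0]
        if section == "status":
            mode, encap, status, native = fields[1:5]
            trunks[port] = {"mode": mode, "encapsulation": encap,
                            "status": status, "native": int(native)}
        elif section and port in trunks:
            trunks[port][section] = expand_vlans(fields[1])
    return trunks


def audit_trunks(trunks, needed):
    """Findings for each trunking port, given the set of VLANs the far end should carry."""
    findings = []
    for port, t in trunks.items():
        if t["status"] != "trunking":
            continue
        if t["mode"] != "on":
            findings.append(f"{port}: trunk was negotiated (mode {t['mode']}), not set statically")
        if t["native"] == 1:
            findings.append(f"{port}: native VLAN is the default VLAN 1")
        if t["native"] in needed:
            findings.append(f"{port}: native VLAN {t['native']} is also a user VLAN, so it travels untagged")
        extra = t.get("allowed", set()) - set(needed)
        if extra:
            findings.append(f"{port}: {len(extra)} VLAN(s) allowed beyond {sorted(needed)}, "
                            f"e.g. {sorted(extra)[:3]}")
    return findings


if __name__ == "__main__":
    for label, text in (("article", SAMPLE_FROM_ARTICLE), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", audit_trunks(parse_show_interfaces_trunk(text), {20, 30}) or ["clean"])
```

On the article's output the audit reports two findings (default native VLAN 1, and 4092 VLANs allowed beyond 20 and 30); on the hardened variant it reports none. The native-VLAN checks matter because whatever VLAN is native is forwarded to the router untagged, which is also why the router's MAC shows up under VLAN 1 in the show mac address-table output above.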


Layer 3 Switch

The last option for routing between VLANs does not involve a router at all. Nor does it involve using a traditional switch.

Instead, a different device entirely can be used. This device is known as a Layer 3 Switch (or sometimes also as a Multilayer switch). But exactly what is a Layer 3 switch?

Routing Between VLANs - L3 Switch

A Layer 3 Switch is different from a traditional Layer 2 Switch in that it has the functionality for routing between VLANs built in. In fact, when considering how a L3 Switch operates, you can safely imagine that a Layer 3 Switch is a traditional switch with a built-in Router.

With regard to VLANs the Multilayer switch is configured mostly the same way as a regular L2 switch:

MultilayerSwitch(config)# vlan 20
MultilayerSwitch(config-vlan)# name RED 
MultilayerSwitch(config)# vlan 30
MultilayerSwitch(config-vlan)# name BLUE

MultilayerSwitch(config)# interface range eth2/0 - 2
MultilayerSwitch(config-if-range)# switchport mode access
MultilayerSwitch(config-if-range)# switchport access vlan 20

MultilayerSwitch(config)# interface range eth3/0 - 2
MultilayerSwitch(config-if-range)# switchport mode access
MultilayerSwitch(config-if-range)# switchport access vlan 30

Then, for each VLAN that you want the Multilayer switch to route for, you have the option of configuring an IP address within what is known as an SVI, or a Switched Virtual Interface.

An SVI serves as the L3 termination point for each VLAN – aka, the way in or out of each VLAN. Another way of looking at it is that the SVI serves as the interface on the built-in Router of the Multilayer switch, allowing traffic from one VLAN to reach the built-in Router and be routed to another VLAN as necessary.

The configuration for an SVI simply involves applying an IP address to the VLAN:

MultilayerSwitch(config)# interface vlan 20
MultilayerSwitch(config-if)# ip address 10.0.20.1 255.255.255.0
MultilayerSwitch(config-if)# no shutdown

MultilayerSwitch(config)# interface vlan 30
MultilayerSwitch(config-if)# ip address 10.0.30.1 255.255.255.0
MultilayerSwitch(config-if)# no shutdown

The configuration above will enable routing between VLAN 20 and VLAN 30. The hosts in each VLAN can use the IP addresses 10.0.20.1 and 10.0.30.1 (respectively) as their default gateway. On many Cisco multilayer switches, IP routing must also be enabled globally (the ip routing command) before the SVIs will forward packets between VLANs; without it, the switch only switches traffic within each VLAN.

Routing Between VLANs - L3 Switch Traffic Flow

When Host A sends a packet to Host B, the packet will be switched within the same VLAN – no L3 processing will occur.

When Host A sends a packet to Host C, the packet will be sent to the SVI to be routed to the other VLAN – all regular L3 processing will occur: the TTL will be decremented and the L2 header will be rewritten.

Multilayer Switch Configuration
MultilayerSwitch# show running-config
...
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0

MultilayerSwitch# show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0050.7966.6800    DYNAMIC     Et2/1
  20    0050.7966.6801    DYNAMIC     Et2/2
  30    0050.7966.6802    DYNAMIC     Et3/2
  30    0050.7966.6803    DYNAMIC     Et3/1
Total Mac Addresses for this criterion: 4

MultilayerSwitch# show vlan brief

VLAN Name                        Status    Ports
---- --------------------------- --------- -------------------
...
20   RED                         active    Et2/1, Et2/2
30   BLUE                        active    Et3/1, Et3/2

MultilayerSwitch# show ip route
Codes: L - local, C - connected, ...

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.20.0/24 is directly connected, Vlan20
L        10.0.20.1/32 is directly connected, Vlan20
C        10.0.30.0/24 is directly connected, Vlan30
L        10.0.30.1/32 is directly connected, Vlan30

MultilayerSwitch# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.20.1               -   aabb.cc80.0200  ARPA   Vlan20
Internet  10.0.20.11              0   0050.7966.6800  ARPA   Vlan20
Internet  10.0.20.22              0   0050.7966.6801  ARPA   Vlan20
Internet  10.0.30.1               -   aabb.cc80.0200  ARPA   Vlan30
Internet  10.0.30.33              0   0050.7966.6803  ARPA   Vlan30
Internet  10.0.30.44              0   0050.7966.6802  ARPA   Vlan30

MultilayerSwitch# show ip interface brief
Interface         IP-Address      OK? Method Status        Protocol
...
Ethernet2/1       unassigned      YES unset  up            up
Ethernet2/2       unassigned      YES unset  up            up
...
Ethernet3/1       unassigned      YES unset  up            up
Ethernet3/2       unassigned      YES unset  up            up
...
Vlan20            10.0.20.1       YES manual up            up
Vlan30            10.0.30.1       YES manual up            up

Note: both sets of output above are from the same device. For the sake of organization, one set shows the L2 functions and the other shows the L3 functions.


Summary

This article discussed the three different options for Routing between VLANs. In each case, the hosts in communication behave exactly the same. In fact, the hosts have no visibility into how and what they are connected to.

Each strategy above has its own benefits and limitations. Hopefully at this point you have a good idea of the options available to enable communication between hosts on different VLANs.


Comments

  1. nice post – thanks for these nuggets!

  2. I really liked the detailed diagrams, the config examples and of course, the clear explanation. An excellent source for beginners in networking. Kudos!

  3. Jose Carlos says:

    Hi! I’m from Portugal. Congrats on the way you teach. Very well explained and easy to understand. Thanks!

  4. Can a single host access multiple VLANs using a layer 2 switch without a router?

  5. Ricardo Luiz says:

    Excellent post. The best ! Thank you.
