Overview

A switch with multiple VLANs requires a means of passing Layer 3 traffic between those VLANs. This module describes the process and methods of routing traffic from VLAN to VLAN. A router external to the Layer 2 switch hosting the VLANs can provide the inter-VLAN routing. When routing occurs within a Catalyst multilayer switch, Cisco Express Forwarding (CEF) is deployed to facilitate Layer 3 switching through hardware-based tables, providing an optimal packet forwarding process. On a multilayer switch, routing is enabled between VLANs through the configuration of switch virtual interfaces (SVIs) associated with the various VLANs on the multilayer switch.
4.1 Describing Routing Between VLANs

4.1.1 Inter-VLAN Routing Using an External Router
If a switch supports multiple VLANs but has no Layer 3 capability to route packets between those VLANs, the switch must be connected to a router external to the switch. This setup is accomplished most efficiently by providing a single trunk link between the switch and the router that can carry the traffic of multiple VLANs, which in turn can be routed by the router. This single physical link must be Fast Ethernet or greater to support Inter-Switch Link (ISL) encapsulation, but 802.1Q is supported on 10-Mbps Ethernet router interfaces. In the figure, the clients on VLAN10 need to establish sessions with a server that is in VLAN20, which requires that traffic be routed between the VLANs. The figure describes the actions necessary for traffic to be routed between VLANs using an external router.

With inter-VLAN routing, the router receives frames from the switch with the source VLAN tagged (for example, VLAN10). It associates the frames with the proper subinterface and then decodes the frame payload (the IP packet). The router then performs Layer 3 processing based on the destination network address contained in the IP packet to determine which subinterface should forward the IP packet. The IP packet is then encapsulated in an 802.1Q (or ISL) frame that is tagged with the VLAN identification (for example, VLAN20) of the forwarding subinterface and transmitted across the trunk toward the switch. In the figure, the router can receive packets on one VLAN and forward them to another.

To perform inter-VLAN routing functions, the router must know how to reach all VLANs that are being interconnected. The router must have a separate logical connection (subinterface) for each VLAN, and ISL or 802.1Q trunking must be enabled on the single physical interface between the router and the switch. The routing table lists all the subnets associated with the VLANs that are configured on the router subinterfaces as directly connected. The router must learn routes to networks that are not configured on directly connected interfaces through dynamic routing protocols or static routes.

There are advantages and disadvantages to inter-VLAN routing on an external router. The advantages are as follows:

- Implementation is simple.
- Layer 3 services are not required on the switch.
- The router provides communications between VLANs.

The disadvantages are as follows:

- The router is a single point of failure.
- The single traffic path between the switch and the router may become congested.
- Latency is higher than on a Layer 3 switch.
4.1 Describing Routing Between VLANs

4.1.2 Describing Inter-VLAN Routing Using External Router Configuration Commands

You can configure inter-VLAN routing using an external router over either ISL or 802.1Q trunks. The commands for configuring the trunk interface on the router are shown in the figure; a second figure provides a description of the commands.
4.1 Describing Routing Between VLANs

4.1.3 Configuring Inter-VLAN Routing Using an External Router

A router interface providing inter-VLAN routing on a trunk link must be configured with a subinterface for each VLAN that will be serviced across the link. Each subinterface on the physical link must then be configured with the same trunk encapsulation protocol. That protocol, either 802.1Q or ISL, is typically determined by what was configured on the switch side of the link.

Use the encapsulation dot1q subinterface configuration command to enable 802.1Q encapsulation on a router subinterface. The subinterface number does not have to match the 802.1Q VLAN number, but it is good practice to do so. Because traffic on the native VLAN is not tagged, all native VLAN frames are received as normal Ethernet frames, so it is not necessary to define a specific encapsulation tag for those networks. Some versions of Cisco IOS allow the creation of a subinterface for the native VLAN. If the native VLAN is configured as a subinterface, you should use the encapsulation dot1q <vlan> native command. All other, non-native VLANs have an 802.1Q tag inserted into their frames. These non-native VLANs should always be configured as subinterfaces on the router, and each must be defined as carrying 802.1Q tagged frames with its associated VLAN identified. The subinterface command encapsulation dot1q <vlan> accomplishes this task.

The VLAN subnets are directly connected to the router. Routing between these subnets does not require a dynamic routing protocol, because the subnets are directly connected. Routes to the subnets associated with each VLAN appear in the routing table as directly connected interfaces.

Use the encapsulation isl vlan_id subinterface configuration command to enable ISL trunking on a router subinterface. The native keyword is not used with the encapsulation isl subinterface command, because ISL does not have the concept of a native VLAN. The figure describes the actions needed to perform ISL encapsulation on external routers.

After the router is properly configured and connected to the network, the router or the switch can communicate with other nodes on the network. To test connectivity to remote hosts, use the ping command from privileged mode:
Switch#ping destination-ip-address

Step 1: From the router, ping a host address on each VLAN to verify router connectivity.

Step 2: From a host on a particular VLAN, ping a host on another VLAN to verify routing across the external router.

The ping command returns one of these responses:

- Success rate is 100 percent, or ip-address is alive: This response occurs in 1 to 10 ms, depending on network traffic and the number of Internet Control Message Protocol (ICMP) packets sent.
- Destination does not respond: No answer message is returned if the host does not respond.
- Unknown host: This response occurs if the targeted host cannot be resolved.
- Destination unreachable: This response occurs if the default gateway cannot reach the specified network or is being blocked.
- Network or host unreachable: This response occurs if the Time to Live (TTL) times out. The default is 2 seconds.
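The subinterface configuration described in 4.1.3, as an added example that is not part of the course material: a small Python generator that emits the IOS subinterface commands for a list of VLANs and enforces the module's rules (the native keyword only on the 802.1Q native VLAN, no native keyword with ISL, one subinterface per VLAN with the subinterface number equal to the VLAN id). The interface name FastEthernet0/0 and the VLAN10/VLAN20 addresses are taken from the module's show vlans output; the Vlan class, function names and the SAMPLE list are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    gateway: str          # router address on the VLAN subnet, e.g. "10.10.1.1/24"
    native: bool = False  # untagged VLAN on an 802.1Q trunk


def build_subinterfaces(phys: str, encap: str, vlans: list) -> list:
    """Return IOS config lines: one subinterface per VLAN on trunk interface `phys`."""
    if encap not in ("dot1q", "isl"):
        raise ValueError("encapsulation must be dot1q or isl")
    # ISL has no concept of a native VLAN, so the keyword is never valid there.
    if encap == "isl" and any(v.native for v in vlans):
        raise ValueError("'native' is not valid with encapsulation isl")
    if sum(v.native for v in vlans) > 1:
        raise ValueError("only one VLAN can be native on the trunk")
    if len({v.vlan_id for v in vlans}) != len(vlans):
        raise ValueError("duplicate VLAN id")

    lines = [f"interface {phys}", " no ip address"]  # physical link carries only the trunk
    for v in sorted(vlans, key=lambda x: x.vlan_id):
        addr = IPv4Interface(v.gateway)
        encap_line = f" encapsulation {encap} {v.vlan_id}"
        if v.native:
            encap_line += " native"  # untagged frames are mapped to this subinterface
        lines += [
            f"interface {phys}.{v.vlan_id}",  # subinterface number matches the VLAN id
            encap_line,
            f" ip address {addr.ip} {addr.netmask}",
        ]
    return lines


def connected_subnets(vlans: list) -> list:
    """Subnets expected as 'C' (directly connected) entries in `show ip route`."""
    ordered = sorted(vlans, key=lambda x: x.vlan_id)
    return [str(IPv4Interface(v.gateway).network) for v in ordered]


# Constructed sample: the VLAN10 and VLAN20 subnets used in the module's figures.
SAMPLE = [Vlan(10, "10.10.1.1/24"), Vlan(20, "10.20.1.1/24")]

if __name__ == "__main__":
    print("\n".join(build_subinterfaces("FastEthernet0/0", "dot1q", SAMPLE)))
```

Comparing connected_subnets() against the C entries of show ip route is a quick way to confirm that every VLAN subnet is present on the router before testing with ping.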
Use show commands to display the current (running) configuration, IP routing information, and IP protocol information to verify whether the routing table represents the subnets of all VLANs.

Router#show vlans

Virtual LAN ID:  10 (Inter Switch Link Encapsulation)

   vLAN Trunk Interface:   FastEthernet0/0.10

   Protocols Configured:   Address:      Received:   Transmitted:
           IP              10.10.1.1          0           20

Virtual LAN ID:  20 (Inter Switch Link Encapsulation)

   vLAN Trunk Interface:   FastEthernet0/0.20

   Protocols Configured:   Address:      Received:   Transmitted:
           IP              10.20.1.1          0           20

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia -