Relentless Coding

A Developer’s Blog

Cisco LAN Routing

Let’s look at several ways to route between VLANs in the Cisco world.

Router on a Stick (ROAS)

A router is connected to a switch. If hosts in separate VLANs on separate IP subnets want to talk to each other, their traffic has to go through the router. The router has a VLAN trunk to the switch. The router itself needs an IP address in every VLAN it routes. These IP addresses are the default gateways for the end hosts.

On the router, you create subinterfaces by putting a .<n> after the interface type and number, where n can be any number. By doing so, you immediately create the interface.

You tell the subinterface which VLAN ID to expect on incoming frames and to tag outgoing frames with:

L3(config-if)#encapsulation dot1q 20

You then assign an IP address to that interface:

L3(config-if)#ip addr 10.10.20.1 255.255.255.0

Finally, make sure the physical interface is not shut down:

L3(config)#int g0/0/0
L3(config-if)#no shutdown

Verify:

Router#sh ip int br
Interface               IP-Address      OK? Method Status                Protocol 
GigabitEthernet0/0/0    unassigned      YES unset  up                    up 
GigabitEthernet0/0/0.10 10.10.10.1      YES manual up                    up 
GigabitEthernet0/0/0.20 10.10.20.1      YES manual up                    up 
GigabitEthernet0/0/1    unassigned      YES unset  administratively down down 
Vlan1                   unassigned      YES unset  administratively down down
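
The following Python check is an added example, not part of the original post. It reads show ip interface brief output like the one above and reports any subinterface that has no IP address, whose physical parent is not up, or that is not up/up itself. The function names and the CONSTRUCTED_BAD sample are assumptions made for illustration.

```python
import re

# Output copied from the Verify step above.
PAGE_OUTPUT = """\
Interface               IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0    unassigned      YES unset  up                    up
GigabitEthernet0/0/0.10 10.10.10.1      YES manual up                    up
GigabitEthernet0/0/0.20 10.10.20.1      YES manual up                    up
GigabitEthernet0/0/1    unassigned      YES unset  administratively down down
Vlan1                   unassigned      YES unset  administratively down down
"""

# Constructed failure case: parent left shut down, .20 never given an address.
CONSTRUCTED_BAD = """\
GigabitEthernet0/0/0    unassigned      YES unset  administratively down down
GigabitEthernet0/0/0.10 10.10.10.1      YES manual administratively down down
GigabitEthernet0/0/0.20 unassigned      YES unset  administratively down down
"""

# Status can be two words ("administratively down"), so splitting on
# whitespace would misalign the columns; match the known values instead.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?:YES|NO)\s+\S+\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)$"
)

def parse_brief(text):
    """Map interface name -> (ip, status, protocol); skips header/prompt lines."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m["name"]] = (m["ip"], m["status"], m["proto"])
    return rows

def check_roas(text):
    """Return reasons a dot1q subinterface cannot act as its VLAN's gateway."""
    rows, problems = parse_brief(text), []
    for name, (ip, status, proto) in rows.items():
        if "." not in name:
            continue  # physical interfaces and SVIs are not subinterfaces
        # A parent that is absent from the output is reported as "missing".
        parent_status = rows.get(name.split(".", 1)[0], ("", "missing", ""))[1]
        if ip == "unassigned":
            problems.append(f"{name}: no IP address")
        if parent_status != "up":
            problems.append(f"{name}: parent interface is {parent_status}")
        elif (status, proto) != ("up", "up"):
            problems.append(f"{name}: {status}/{proto}")
    return problems
```

check_roas(PAGE_OUTPUT) returns an empty list; check_roas(CONSTRUCTED_BAD) names both subinterfaces.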

Switched Virtual Interfaces (SVIs)

Layer-3 switches do both layer-2 switching and layer-3 IP routing. When a frame comes in, the device will act like a switch, unless the frame’s destination MAC address belongs to the switch itself. In that case, the switch will de-encapsulate the frame and inspect the packet. If the packet is addressed to the switch itself, it will pass the packet to a locally running process; otherwise it will perform its routing function and forward the packet out one of its interfaces.

The created SVI is not attached to any physical port. Instead, whenever a frame tagged with the right VLAN ID comes in on any of the ports, the switch will treat it as if it came in from that virtual interface. It will switch the frame to any other interface associated with that VLAN ID. The creation of a virtual interface will give the layer-3 switch’s routing logic an entrypoint into the VLAN.

For a layer-3 switch to perform layer-3 routing, enable IP routing:

L3(config)#ip routing

Configure the VLAN interface and assign an IP address to it:

L3(config)#vlan 10
L3(config)#int vlan 10
L3(config-if)#ip address 10.10.10.1 255.255.255.0

Verify:

L3#sh ip route | i 10.10.10
C       10.10.10.0/24 is directly connected, Vlan10

If the routing table is empty, you might have forgotten to enable ip routing.

Other gotchas:

  1. VLANs must be defined on the local switch.
  2. The switch must have at least one up/up interface using the VLAN (an up/up access interface using that VLAN, or a trunk interface for which the VLAN is allowed and is STP forwarding).
  3. vlan <n> must not be shut down (no shutdown).
  4. int vlan <n> must not be shut down (no shutdown).

Layer-3 Switch Routed Ports

If we want to route traffic between 2 devices that do routing, we might not need VLAN information. In that case, we can use routed interfaces.

A layer-3 switch can disable the switching behavior of a port (no switchport). This makes it a routed port. It will no longer be forwarding frames based on their MAC address. Instead, it will only accept frames addressed to the routed port, de-encapsulate the frame and take it from there.

Configure:

L3(config)#int g1/1/1
L3(config-if)#no switchport
L3(config-if)#ip addr 10.100.100.1 255.255.255.252

You can verify in multiple ways:

L3#sh int status
Port      Name  Status       Vlan       Duplex  Speed Type
! ... snip ...
Gig1/1/1        connected    routed     auto    auto  10/100BaseTX

show interfaces should show an IP address (because switch ports do not show IP addresses on a physical interface).

show ip route should show the physical interface as an outgoing interface in routes (again, switch ports are not listed as outgoing ports).

show interfaces <type> <number> switchport should show short output confirming the port is not a switch port.

In the show interfaces status output above, interface Gig1/1/1 has routed in the Vlan column, indicating that it does not participate in any VLANs.

(Make a routed port a switch port again by issuing the switchport command in interface configuration mode.)

Incidentally, you can create a layer-3 EtherChannel by configuring channel-group <n> mode <active|desirable|on> on 2 or more routed ports. Make sure to also issue no switchport on the int port-channel <n> itself and double-check that both speed and duplex are set to auto on the physical ports.