Inter-VLAN routing — three ways to bridge the islands
10 min
VLANs by design cannot talk to each other at Layer 2. To let a host in VLAN 10 reach a host in VLAN 20 you need a router (or a switch that can route). Three classic patterns:
1. One router interface per VLAN
The textbook approach. The router has multiple physical interfaces, one per VLAN. The switch's access ports for each VLAN connect to the matching interface. Each router interface gets the IP that becomes the default gateway for its VLAN's hosts.
VLAN 10 hosts → Router Gi0/0 (10.0.10.1/24)
VLAN 20 hosts → Router Gi0/1 (10.0.20.1/24)
Wasteful: each VLAN needs a dedicated physical interface. Falls down at 10+ VLANs.
2. Router-on-a-stick
The router has one physical interface, configured as an 802.1Q trunk via subinterfaces. One subinterface per VLAN, each tagged appropriately, each with its own IP that becomes the gateway.
Router Gi0/0.10 → encapsulation dot1Q 10 → ip 10.0.10.1/24
Router Gi0/0.20 → encapsulation dot1Q 20 → ip 10.0.20.1/24
Connect the switch trunk to that single router port. The router routes between subinterfaces (and via the trunk back to the right VLAN).
Trade-off: all inter-VLAN traffic on one link → bandwidth bottleneck on busy networks. Fine for low traffic; insufficient for serious workloads.
3. L3 switch with SVIs (the modern default)
A Layer-3 switch can route in hardware between VLANs without an external router. You create a virtual interface per VLAN — a Switched Virtual Interface (SVI). The SVI gets the gateway IP and the L3 switch routes between SVIs at line rate.
SW(L3)(config)# interface Vlan 10
SW(L3)(config-if)# ip address 10.0.10.1 255.255.255.0
SW(L3)(config-if)# exit
SW(L3)(config)# interface Vlan 20
SW(L3)(config-if)# ip address 10.0.20.1 255.255.255.0
SW(L3)(config-if)# exit
SW(L3)(config)# ip routing
This is what every modern enterprise uses inside a building or campus. Line-rate routing between VLANs, no separate router, no bandwidth bottleneck. The "router" role is reserved for the edge to the WAN.
A common gotcha — the default gateway
Every host in a VLAN needs a default gateway that's an IP on the same subnet. In all three designs above, that gateway is on the router (or SVI). Without a gateway configured, a host can only reach hosts in its own VLAN — which is the symptom that often appears as "this PC can't reach anything outside the LAN."
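The gateway gotcha can be checked mechanically. The following is an added example, not part of the original lesson: it mimics a host's forwarding decision and audits host settings against the gateway addresses used above. The function names (`next_hop`, `check_host`) and the sample hosts are assumptions made for illustration.

```python
import ipaddress

# L3 device addresses taken from the page's examples (VLAN id -> gateway interface).
GATEWAYS = {
    10: ipaddress.ip_interface("10.0.10.1/24"),
    20: ipaddress.ip_interface("10.0.20.1/24"),
}

def next_hop(host, gateway, dst):
    """Mimic a host's forwarding decision: 'on-link', the gateway IP, or None."""
    host = ipaddress.ip_interface(host)
    dst = ipaddress.ip_address(dst)
    if dst in host.network:
        return "on-link"              # same VLAN/subnet: delivered at Layer 2
    if gateway is None:
        return None                   # no default gateway: nothing off-subnet is reachable
    gw = ipaddress.ip_address(gateway)
    # A gateway outside the host's own subnet is not directly reachable, so it is unusable.
    return str(gw) if gw in host.network else None

def check_host(name, vlan, host, gateway):
    """Return a list of problems with one host's addressing (empty list = OK)."""
    problems = []
    iface = ipaddress.ip_interface(host)
    expected = GATEWAYS.get(vlan)
    if expected is None:
        return [f"{name}: VLAN {vlan} has no L3 interface, so it is isolated"]
    if iface.network != expected.network:
        problems.append(f"{name}: {iface} is not in VLAN {vlan} subnet {expected.network}")
    if gateway is None:
        problems.append(f"{name}: no default gateway, only {iface.network} is reachable")
    elif ipaddress.ip_address(gateway) not in iface.network:
        problems.append(f"{name}: gateway {gateway} is outside {iface.network}")
    elif ipaddress.ip_address(gateway) != expected.ip:
        problems.append(f"{name}: gateway {gateway} is not the L3 device ({expected.ip})")
    return problems

# Constructed sample hosts (not from the page).
HOSTS = [
    ("pc-a", 10, "10.0.10.25/24", "10.0.10.1"),   # correct
    ("pc-b", 20, "10.0.20.40/24", None),          # gateway missing
    ("pc-c", 20, "10.0.20.41/24", "10.0.10.1"),   # gateway copied from VLAN 10
]

if __name__ == "__main__":
    for name, vlan, host, gw in HOSTS:
        print(name, "->", next_hop(host, gw, "10.0.10.25"), check_host(name, vlan, host, gw))
```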
What to remember
- VLANs can't talk to each other at L2; you need an L3 device.
- One router interface per VLAN = old, doesn't scale.
- Router-on-a-stick = trunk to a single router interface with subinterfaces. Easy, single-link bottleneck.
- L3 switch with SVIs = modern default for campus. Routes in hardware at line rate.
- Each host needs a default gateway pointing at the L3 device's IP on its own subnet.