InterVLAN Routing

Sure this is no problem, you can mix L2 and L3 interfaces on the same switch.

Hello Rene,

Thanks for the articles. I have one question: when creating an L3 port (no switchport) from an L2 port, what is the internal VLAN that the switch creates automatically? As we know, if we create an L3 port then it will not belong to any VLAN.

IGW_L3_SW-1#show vlan internal usage 

VLAN Usage
---- --------------------
1006 TenGigabitEthernet1/13
1007 TenGigabitEthernet1/15

IGW_L3_SW-1#

Here I have created Teng1/13 & Teng1/15 as routed ports and they belong to VLAN 1006 & 1007.

br//
zaman

Zaman,
By default, a Layer 3 port will automatically be assigned to a reserved range of “internal use” VLANs. Which specific VLANs will be used depends on the internal allocation policy setting. There are two options:

#1
vlan internal allocation policy ascending
This setting starts with VLAN 1006 and goes up.

#2
vlan internal allocation policy descending
This setting starts with VLAN 4094 and goes down.

In general, try to avoid using manually defined VLANs close to VLAN 1006 or VLAN 4094 so you won’t have a conflict.

1 Like

Hi Rene,

Could you please explain the trunk and access port functionalities in detail?
Will the trunk port allow access frames to pass through, or vice versa? Also, is it the same functionality with different VLANs and different subnets?

This might help to understand the difference between access / trunk interfaces:

https://networklessons.com/cisco/ccna-routing-switching/802-1q-encapsulation-explained/

Access mode interfaces are assigned to one VLAN. We use these for computers, printers, etc.

Trunk mode interfaces carry more than one VLAN. We use these between switches and sometimes to a router or server.

The main difference between access/trunk interfaces is that a trunk will “tag” the Ethernet frame with the VLAN number.

Rene

1 Like
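As an added illustration of the tagging Rene describes (example code written for this page, not code from the lesson or from anyone in the thread), the following Python builds an untagged Ethernet frame, inserts and decodes the 4-byte 802.1Q tag, and models what an access port and a trunk do with it, including the native VLAN, which leaves a trunk untagged. The MAC addresses, the payload and the native-VLAN default of 1 are assumed sample values.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame, exactly what a host sends into an access port."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def is_tagged(frame: bytes) -> bool:
    """A tag is present when the two bytes after the source MAC are the TPID 0x8100."""
    return struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType.
    TCI = 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN ID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    if is_tagged(frame):
        raise ValueError("frame already carries an 802.1Q tag")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove the tag again (what a switch does before sending out an access port)."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'vid' is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    if is_tagged(frame):
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
                "dei": (tci >> 12) & 1, "ethertype": ethertype, "payload": frame[18:]}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
            "ethertype": ethertype, "payload": frame[14:]}


def access_port_ingress(frame: bytes, access_vlan: int):
    """An access port places every untagged frame in its one configured VLAN.
    In this simplified model a frame that arrives already tagged is discarded (None)."""
    if is_tagged(frame):
        return None
    return access_vlan, frame


def trunk_egress(frame: bytes, vlan: int, native_vlan: int = 1) -> bytes:
    """A trunk tags each frame with its VLAN number, except frames in the
    native VLAN, which 802.1Q sends untagged."""
    return frame if vlan == native_vlan else add_vlan_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int = 1):
    """Reverse of trunk_egress: the VID comes from the tag; an untagged frame
    is assigned to the native VLAN, so both trunk ends must agree on it."""
    if is_tagged(frame):
        return parse_frame(frame)["vid"], strip_vlan_tag(frame)
    return native_vlan, frame


def forward_across_trunk(frame: bytes, access_vlan: int, native_vlan: int = 1):
    """Host -> access port on SW1 -> trunk -> SW2. Returns (VLAN as seen by SW2,
    bytes on the trunk wire, frame SW2 would deliver to its own access port)."""
    result = access_port_ingress(frame, access_vlan)
    if result is None:
        return None
    vlan, f = result
    wire = trunk_egress(f, vlan, native_vlan)
    vlan_at_sw2, delivered = trunk_ingress(wire, native_vlan)
    return vlan_at_sw2, wire, delivered


# Constructed sample frame: broadcast from a made-up MAC, 20 zero bytes as payload.
SAMPLE_FRAME = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"),
                           ETHERTYPE_IPV4, bytes(20))

if __name__ == "__main__":
    for vlan in (10, 1):
        seen, wire, _ = forward_across_trunk(SAMPLE_FRAME, vlan)
        print(f"access VLAN {vlan}: tagged on trunk={is_tagged(wire)}, "
              f"header={wire[:18].hex()}, SW2 assigns VLAN {seen}")
```

The `trunk_ingress` path is the one to keep in mind when reviewing trunk configuration: whatever arrives untagged is silently placed in the native VLAN, so a mismatch of native VLANs on the two ends of a trunk quietly merges two VLANs.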

Hello Dinh.

I had a production network where I wanted to implement exactly what you describe. The solution I used was access lists as you mentioned. It is probably the fastest and most immediate solution. However, there are a couple of other solutions that may be more flexible as well. These are described below:

VLAN access list - This is just an access list but it filters based on VLAN rather than IP. It is a layer 2 solution. An example configuration can be seen below:

interface Vlan1
no ip address
shutdown
!
interface Vlan2
description VLan connected to Internet
ip address 10.0.2.1 255.255.255.252
!
interface Vlan10
description User VLAN
ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
description Server VLAN
ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
description Management VLAN
ip address 10.1.30.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.2.2

ip access-list standard INTERNET
permit any

ip access-list extended DENY-INTERNAL
permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

-----------------------------------------------------

vlan access-map MY-VLAN-MAP 10
action drop
match ip address DENY-INTERNAL

vlan access-map MY-VLAN-MAP 20
action forward
match ip address INTERNET

vlan filter MY-VLAN-MAP vlan-list 10-30

-------------------------------------------------------

In this example, users on the three VLANs can access ONLY VLAN2 to connect to the internet, however, any attempt for inter VLAN connectivity will be dropped. So intervlan routing is essentially blocked for VLANs 10, 20 and 30.

The other option, which is a layer 3 solution is the use of policy based routing. An example can be seen below:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 172.16.1.0 0.0.0.255 any

route-map vlan500 permit 10
match ip address 100
set ip next-hop 10.170.10.10

route-map vlan600 permit 10
match ip address 110
set ip next-hop 10.170.10.10

interface vlan 500

ip address 192.168.1.1 255.255.255.0
ip policy route-map vlan500

interface vlan 600

ip address 172.16.1.1 255.255.255.0
ip policy route-map vlan600

This is probably the most flexible of the above solutions because you can configure it per range of IP addresses. Your access lists can be more specific to include specific hosts within a subnet/VLAN so that some hosts will have access to specific VLANs and others won’t.

I hope this has been helpful.

Laz

Do two different VLANs always have different subnets? Can’t we create two different VLANs on the same network?
I am referring to your text at the top of the lesson: “SwitchA has two VLANs so we have two different subnets.”

Prem,
In most cases, there is a one-to-one relationship between VLANs and subnets. However, this is not always so. For example, in a shared hosting environment, it is common for multiple customers to be using the same network on the same provider’s equipment. In this case, in order to keep the traffic separated, the provider must use something called Private VLANs. Private VLANs can use the same subnet but spread across different VLANs.

If you are interested, there is a Network Lesson available on Private VLANs


Hi Laz,

Thank you for the example. I have some questions about it:
1- For the VLAN access-list, DENY-INTERNAL, why do you use 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255? Because it also blocked Internet (VLAN 2) traffic. I think it should be 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 to prevent communication between VLANs 10, 20, 30. Could you explain?
2- In the policy based routing example, what is 10.170.10.10, is it the gateway for Internet traffic? With this config, do you force VLANs 500 and 600 to connect to the Internet and block inter-VLAN traffic?
3- Could you give the access-list solution?

Regards,
Umut

Hello Umut

I will attempt to answer your questions below:

Yes, you are correct. The access-list should be 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 in order to cover VLANs 10, 20 and 30. Thank you!

10.170.10.10 is the gateway IP. This config essentially blocks the routing from one VLAN to the other by forcing all traffic to be routed via the 10.170.10.10 router rather than going to the corresponding SVI. So a ping from 192.168.1.5 to 172.16.1.5 would not be routed from one SVI to another, but it would be routed to 10.170.10.10. From there, whatever routing is configured on that device would define what happens to such packets after that…

Let’s say you have two SVIs configured on a layer 3 switch: VLAN 10 and VLAN 20 with IP addresses 10.10.10.1 and 10.10.20.1 respectively. Host A with an IP address of 10.10.10.5 wants to communicate with host B with an IP address of 10.10.20.5. InterVLAN routing will allow this communication.

To block it, you can create the following access list and assign it to one of the SVIs:

access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip any any

This blocks all traffic from VLAN 10 to VLAN 20. You can either place it as an outgoing access list on SVI VLAN 10 or as an incoming access list on SVI VLAN 20. Being an extended access list, it should always be placed closer to the source, so the following should be configured:

interface vlan 10
 ip access-group 101 in

Any packets originating from VLAN 10 will now be blocked at the default gateway of VLAN 10 which is the corresponding SVI (10.10.10.1). Thus, intervlan routing is not functional.

I hope this has been helpful!

Laz
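Both filtering solutions in this thread, Laz's VLAN access-map with the DENY-INTERNAL ACL in his earlier post and the numbered ACL 101 on the SVI in the reply above, rest on Cisco wildcard-mask matching. The following Python is an added example written for this page (not Laz's code and not from the lesson): it implements wildcard matching, first-match ACL evaluation with the implicit deny, and access-map sequencing with the implicit drop, then runs the thread's ACLs, both as posted and as corrected above, against constructed sample flows. The flow addresses are invented, with 203.0.113.10 standing in for an Internet host.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: wildcard bits set to 0 must match,
    bits set to 1 are 'don't care' (0.0.0.255 = one /24, 0.0.255.255 = one /16)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


ANY = ("0.0.0.0", "255.255.255.255")


def _parse_spec(tokens, i):
    """Parse one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse the ACE subset used in the thread: '[permit|deny] [ip] <src> [<dst>]'.
    A standard ACL (no destination) matches any destination."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, i = tokens[0], 1
        if action not in ("permit", "deny"):
            raise ValueError(f"bad ACE: {line}")
        if tokens[i] == "ip":
            i += 1
        src, i = _parse_spec(tokens, i)
        dst, i = _parse_spec(tokens, i) if i < len(tokens) else (ANY, i)
        entries.append((action, src, dst))
    return entries


def acl_permits(acl, src, dst) -> bool:
    """First matching ACE decides; every ACL ends with an implicit 'deny'."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def vacl_action(access_map, src, dst) -> str:
    """A VLAN access-map is walked in sequence order; a sequence matches when its
    ACL *permits* the packet, and the map ends with an implicit 'drop'."""
    for action, acl in access_map:
        if acl_permits(acl, src, dst):
            return action
    return "drop"


# ACLs as posted in the thread, plus the DENY-INTERNAL correction agreed above
DENY_INTERNAL_POSTED = parse_acl(["permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255"])
DENY_INTERNAL_FIXED = parse_acl(["permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255"])
INTERNET = parse_acl(["permit any"])
ACL_101 = parse_acl([
    "deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255",
    "permit ip any any",
])


def my_vlan_map(deny_internal):
    """vlan access-map MY-VLAN-MAP: seq 10 drop DENY-INTERNAL, seq 20 forward INTERNET."""
    return [("drop", deny_internal), ("forward", INTERNET)]


# Constructed sample flows on Laz's addressing plan (203.0.113.10 = documentation address)
FLOWS = {
    "vlan10 user -> vlan20 server": ("10.1.10.5", "10.1.20.5"),
    "vlan10 user -> Internet host": ("10.1.10.5", "203.0.113.10"),
    "vlan10 user -> upstream router": ("10.1.10.5", "10.0.2.2"),
    "vlan10 user -> same-VLAN host": ("10.1.10.5", "10.1.10.6"),
}


def evaluate_map(deny_internal):
    """Return {flow name: action} for MY-VLAN-MAP built from the given DENY-INTERNAL ACL."""
    vmap = my_vlan_map(deny_internal)
    return {name: vacl_action(vmap, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", DENY_INTERNAL_POSTED), ("corrected", DENY_INTERNAL_FIXED)):
        print(f"MY-VLAN-MAP with DENY-INTERNAL {label}:")
        for name, action in evaluate_map(acl).items():
            print(f"  {name:32} {action}")
    print("ACL 101 inbound on SVI vlan 10, 10.10.10.5 -> 10.10.20.5 permitted:",
          acl_permits(ACL_101, "10.10.10.5", "10.10.20.5"))
```

Running it shows why the correction matters: DENY-INTERNAL as first posted (10.0.0.0 0.0.255.255) only matches packets whose source and destination are both in 10.0.x.x, so VLAN 10 to VLAN 20 traffic in 10.1.x.x never hits sequence 10 and is forwarded by sequence 20; the corrected 10.1.0.0 0.0.255.255 drops it while still forwarding Internet-bound packets. Two points worth checking in a lab before deploying either solution: a VACL is applied to frames bridged within the VLAN as well as routed ones, so with the corrected ACL two hosts on the same user VLAN are dropped too; and ACL 101 is stateless and direction-specific, so applied inbound on SVI VLAN 10 it stops VLAN 10 hosts initiating to VLAN 20 but says nothing about a VLAN 20 host initiating a connection to VLAN 10 (`acl_permits(ACL_101, "10.10.20.5", "10.10.10.5")` is True).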

Hi Andrew,

This is of great interest to me as it’s something that keeps nagging at me that I want to make 100% sense of. I will soon study private VLANs on the issue of sharing subnets on a VLAN.

There is a variation of this question though that I have great interest in. Rene uses an example where he has two switches and each one has an SVI with the same subnet for the same VLAN but on different switches.

Similar example:

SW1: 192.168.1.1 255.255.255.0
SW2: 192.168.1.2 255.255.255.0
SW3: 192.168.1.3 255.255.255.0
SW4: 192.168.1.3 255.255.255.0

So four switches, all four are in the same subnet, and let’s just say they are in VLAN 10.

I think I have been coming at this all wrong. When I thought of an SVI I thought about the default gateway when we gave it an IP, but that does not seem to be the case?

It now seems that it has nothing to do with the default gateway. In fact the default gateway could be different and would depend on the specific device if done manually, or if done through DHCP, that would delegate the default gateway.

So if I had four different PCs, each one could, if manually configured, have a different default gateway, which makes sense when you think about what a default gateway’s job is in regards to a specific device.

Am I thinking about this correctly? Meaning an SVI is simply a mechanism to allow inter-VLAN routing on that switch.

So if I have an SVI on a switch with the 192.168.1.0 subnet for VLAN 10, and I also have VLAN 20, 30, and 40 on that switch and they all have an SVI interface, then that switch will allow all that traffic from those VLANs and their different subnets to communicate.

However, an SVI does not mean it’s a default gateway; it only means it could be. Its real purpose is just inter-VLAN routing.

I hope I am understanding this. I think I am; I just wanted to clarify.

Hello Brian

Please allow me to step in and participate, as this is an issue that I had trouble in visualising and understanding. I hope I can be of some help. For the most part, you’ve got it, maybe I can make things a little bit clearer for you.

It is possible to have SVIs on multiple switches be in the same subnet, and depending on how you have set up your network, you can make any one of those SVIs a default gateway for use by the hosts on the 192.168.1.0/24 subnet. In the same way, you can place multiple routers on the same subnet and have them function as multiple possible default gateways. The concept is the same.

Yes, that is correct.

Keep in mind that:

  • An SVI can be thought of as a (virtual) layer three interface that resides on a VLAN.
  • It can be used for several purposes, one of which is to function as a default gateway for inter-VLAN routing, so devices on that specific VLAN will be able to communicate with other subnets, either on or off of the specific layer three switch.
  • It can also be used as an interface to configure the switch itself, either via telnet/ssh or via http.

Yes, that is absolutely right!

Keep in mind that inter-VLAN routing is still routing, and as such, it still requires a default gateway, so in this sense, an SVI will function as a default gateway.

I hope this has been helpful!

Laz

1 Like

How do I add VLAN 10 and VLAN 20 to the VLAN database on an SVI?

Here is an example:

Rene / Lagapides,
A question please. I have read on this forum as follows:
It is possible to have SVIs on multiple switches be in the same subnet, and depending on how you have set up your network, you can make any one of those SVIs a default gateway for use by the hosts on the
192.168.1.0/24 subnet…
So based on the above, can you please clarify further: do you mean this can be done also when stretching across 2 x core switches, but where those core switches route in different routing domains, so to speak? E.g. what if you have 2 x core switches that are for example EBGP peers (different AS) with an L2 direct connection which could trunk VLANs (if required). So I then want to deploy a single but SAME subnet, say 10.1.1.x/24 where x is constant, and want to stretch that across each individual respective campus. Is it possible? And secondly, how would SVIs be numbered, i.e. would you use a .1 on each core switch SVI interface (my wider reading suggests it’s never good practice to stretch or span VLANs)?

I labbed this in GNS and it seemed to work to a point, through a VLAN add to the layer 2 trunk adjoining each core switch (presumably no spanning issues as port channel). I connected and configured hosts in the same subnet either side of the core switch, directly connected, as well as other test subnets (so 10.1.2.x & 10.1.3.x). It seemed to work configuring only a single SVI on one core switch for the subnet, with VLANs added both sides and to the layer 2 trunk; I could ping between all hosts, but it also works for an SVI on both core switches with some success. Which would you or could you do, if any? But on BGP I could only think to configure host routes /32 to null 0 to push into BGP, to allow specific L3 routing updates beyond the core network so traffic destined for each directly connected /32 host within the subnet gets explicitly routed to the correct core switch. This shaped up to a point; however, the BGP route that should propagate to core peers for the same respective subnet would show in the local IP BGP table but would be unreachable ‘U’ / !H …

Sorry, long question I know, but this is a response to the statement by Lagapides and confusion caused by the rhetoric surrounding spanning or stretching layer 2 VLANs beyond the core. Await any input on this; it would be most appreciated. Hope this makes sense. PS I think this touches on a wider design issue; however, it also focusses, as a good example, on the specific use case for SVIs and also incorporates the use case of actually routing SVIs as well, whereas all education often points to handling routed VLANs separately from the L3 side. Many thanks, Will

Happy to provide my example lab and diagram if it helps. I really have spent a long time reading on this on your site and wider sources, but I’m not sure what is allowed or should be allowed and, most importantly, if VLANs have to be stretched (spanned is different I think), what is the right / best way to do it. (Assuming a subnet has to be stretched.)

Hello William

You have touched on many subjects in your post, so I will attempt to respond as best I can.

The original comment concerning the SVIs was mine I believe. An example of what I mean can be seen in the following simple topology with layer 3 switches:
[image: topology diagram, not reproduced]
So here we have two switches, each with an SVI on VLAN 10, having IP addresses 10.96.4.1 and 10.96.4.2 respectively. Each switch is connected to a router on a different VLAN to which it sends all default route traffic. So, each PC connected to VLAN 10 can have either a default gateway of 10.96.4.1 or 10.96.4.2. Each choice has a different routing choice.
This scenario is indeed an unusual implementation. The point is however, that it is possible to configure.

Now in order to respond more clearly to the rest of your queries, it would be helpful to provide us with a topology and specific problems or issues that you are facing so we can more effectively help you.

I hope this has been helpful!

Laz

Say I had a 2960 switch with 24 hosts. All the hosts are in the same VLAN 123 (same subnet). There will be no other VLANs on that switch. That switch is connected to a router. That link connected to the router – would that switchport on the switch be a trunk port or an access port?

Hi Jason,

If you only have one VLAN then you can configure the switchport to the router as an access port that is assigned to VLAN 123. Technically, you could also use a trunk (with only VLAN 123) but it’s not needed since you only have one VLAN.

If you have two VLANs and you want to use your router as a default gateway for your hosts, that’s when you need a trunk between the switch and router.

Hope this helps!

Rene