InterVLAN Routing

Prem,
In most cases, there is a one-to-one relationship between VLANs and subnets. However, this is not always so. For example, in a shared hosting environment, it is common for multiple customers to be using the same network on the same provider’s equipment. In this case, in order to keep the traffic separated, the provider must use something called Private VLANs. Private VLANs can use the same subnet but spread across different VLANs.

If you are interested, there is a Network Lesson available on Private VLANs


Hi Laz,

Thank you for the example. I have some questions about it:
1. For the VLAN access-list DENY-INTERNAL, why do you use 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255? Because it also blocked internet (VLAN 2) traffic. I think it should be 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 to prevent communication between VLANs 10, 20 and 30. Could you explain?
2. In the policy based routing example, what is 10.170.10.10, is it the gateway for internet traffic? With this config do you force VLANs 500 and 600 to connect to the internet and block inter-VLAN traffic?
3. Could you give an access-list solution?

Regards,
Umut

Hello Umut

I will attempt to answer your questions below:

Yes, you are correct. The access-list should be 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 in order to cover VLANs 10, 20 and 30. Thank you!

10.170.10.10 is the gateway IP. This config essentially blocks the routing from one VLAN to the other by forcing all traffic to be routed via the 10.170.10.10 router rather than going to the corresponding SVI. So a ping from 192.168.1.5 to 172.16.1.5 would not be routed from one SVI to another, but it would be routed to 10.170.10.10. From there, whatever routing is configured on that device would define what happens to such packets after that…

Let’s say you have two SVIs configured on a layer 3 switch: VLAN 10 and VLAN 20 with IP addresses 10.10.10.1 and 10.10.20.1 respectively. Host A with an IP address of 10.10.10.5 wants to communicate with host B with an IP address of 10.10.20.5. InterVLAN routing will allow this communication.

To block it, you can create the following access list and assign it to one of the SVIs:

access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip any any

This blocks all traffic from VLAN 10 to VLAN 20. You can either place it as an outgoing access list on SVI VLAN 10 or as an incoming access list on SVI VLAN 20. Being an extended access list, it should always be placed closer to the source, so the following should be configured:

interface vlan 10
 ip access-group 101 in

Any packets originating from VLAN 10 will now be blocked at the default gateway of VLAN 10 which is the corresponding SVI (10.10.10.1). Thus, intervlan routing is not functional.

I hope this has been helpful!

Laz

Hi Andrew,

This is of great interest to me as it's something that keeps nagging at me that I want to make 100% sense of. I will soon study private VLANs on the issue of sharing subnets on a VLAN.

There is a variation of this question though that I have great interest in. Rene uses an example where he has two switches and each one has an SVI with the same subnet for the same VLAN but on different switches.

Similar example:

SW1: 192.168.1.1 255.255.255.0
SW2: 192.168.1.2 255.255.255.0
SW3: 192.168.1.3 255.255.255.0
SW4: 192.168.1.3 255.255.255.0

So four switches, all four in the same subnet, and let's just say they are in VLAN 10.

I think I have been coming at this all wrong. When I thought of an SVI I thought about the default gateway when we gave it an IP, but that does not seem to be the case???

It now seems that it has nothing to do with the default gateway. In fact the default gateway could be different and would depend on the specific device if done manually, or if done through DHCP that would delegate the default gateway.

So if I had four different PCs, each one could, if manually configured, have a different default gateway, which makes sense when you think about what a default gateway's job is in regards to a specific device.

Am I thinking about this correctly? Meaning an SVI is simply a mechanism to allow inter-VLAN routing on that switch.

So if I have an SVI on a switch with the 192.168.1.0 subnet for VLAN 10, and on that switch I also have VLANs 20, 30, and 40 and they all have an SVI interface, then that switch will allow all that traffic from those VLANs and their different subnets to communicate.

However, an SVI does not mean it's a default gateway; it only means it could be. Its real purpose is just inter-VLAN routing.

I hope I am understanding this, and I think I am, but I just wanted to clarify.

Hello Brian

Please allow me to step in and participate, as this is an issue that I had trouble in visualising and understanding. I hope I can be of some help. For the most part, you’ve got it, maybe I can make things a little bit clearer for you.

It is possible to have SVIs on multiple switches be in the same subnet, and depending on how you have set up your network, you can make any one of those SVIs a default gateway for use by the hosts on the 192.168.1.0/24 subnet. In the same way, you can place multiple routers on the same subnet and have them function as multiple possible default gateways. The concept is the same.

Yes, that is correct.

Keep in mind that:

* An SVI can be thought of as a (virtual) layer three interface that resides on a VLAN.
* It can be used for several purposes, one of which is to function as a default gateway for inter-VLAN routing, so devices on that specific VLAN will be able to communicate with other subnets, either on or off of the specific layer three switch.
* It can also be used as an interface to configure the switch itself, either via telnet/ssh or via http.

Yes, that is absolutely right!

Keep in mind that inter-VLAN routing is still routing, and as such, it still requires a default gateway, so in this sense, an SVI will function as a default gateway.

I hope this has been helpful!

Laz


How do I add VLAN 10 and VLAN 20 to the VLAN database on an SVI?

Here is an example:

Rene / Lagapides,
A question please. I have read on this forum as follows:
"It is possible to have SVIs on multiple switches be in the same subnet, and depending on how you have set up your network, you can make any one of those SVIs a default gateway for use by the hosts on the
192.168.1.0/24 subnet…"

So based on the above, can you clarify further: do you mean this can also be done when stretching across 2 x core switches, but where those core switches route in different routing domains so to speak? E.g. what if you have 2 x core switches that are for example EBGP peers (different AS) with an L2 direct connection which could trunk VLANs (if required). I then want to deploy a single but SAME subnet, say 10.1.1.x/24 where x is constant, and want to stretch that across each individual respective campus. Is it possible? And secondly, how would SVIs be numbered, i.e. would you use a .1 on each core switch SVI interface? (My wider reading suggests it's never good practice to stretch or span VLANs.)

I labbed this in GNS and it seemed to work to a point, through a VLAN added to the layer 2 trunk adjoining each core switch (presumably no spanning issues as it's a port channel). I connected and configured hosts in the same subnet on either side of the core switch, directly connected, as well as other test subnets (so 10.1.2.x & 10.1.3.x). It seemed to work configuring only a single SVI on one core switch for the subnet, with the VLAN added on both sides and to the layer 2 trunk; I could ping between all hosts (but it also works with an SVI on both core switches, with some success). Which would you or could you do, if any? But on BGP I could only think to configure host routes /32 to null 0 to push into BGP to allow specific L3 routing updates beyond the core network, so traffic destined for each directly connected /32 host within the subnet gets explicitly routed to the correct core switch. This shaped up to a point; however, the BGP route that should be propagated to core peers for the same respective subnet would show in the local IP BGP table but would be unreachable 'U' / !H… Sorry, long question I know, but this is a response to the statement by Lagapides and the confusion caused by the rhetoric surrounding spanning or stretching layer 2 VLANs beyond the core. I await any input on this, most appreciated. Hope this makes sense. PS I think this touches on a wider design issue; however, it also focuses, as a good example, on the specific use case for an SVI and also incorporates the use case of actually routing an SVI as well, whereas all education often points to handling routed VLANs separately from the L3 side. Many thanks, Will

Happy to provide my example lab and diagram if it helps. I really have spent a long time reading on this on your site and wider sources, but I'm not sure what is allowed or should be allowed and, most importantly, if VLANs have to be stretched (spanned is different I think), what is the right / best way to do it (assuming a subnet has to be stretched).

Hello William

You have touched on many subjects in your post, so I will attempt to respond as best I can.

The original comment concerning the SVIs was mine I believe. An example of what I mean can be seen in the following simple topology with layer 3 switches:
[topology image: two layer 3 switches, each with an SVI on VLAN 10, each connected to its own router]
So here we have two switches, each with an SVI on VLAN 10, having IP addresses 10.96.4.1 and 10.96.4.2 respectively. Each switch is connected to a router on a different VLAN to which it sends all default route traffic. So, each PC connected to VLAN 10 can have either a default gateway of 10.96.4.1 or 10.96.4.2. Each choice results in a different routing path.
This scenario is indeed an unusual implementation. The point is however, that it is possible to configure.

Now in order to respond more clearly to the rest of your queries, it would be helpful to provide us with a topology and specific problems or issues that you are facing so we can more effectively help you.

I hope this has been helpful!

Laz

Say I had a 2960 switch with 24 hosts. All the hosts are in the same VLAN 123 (same subnet). There will be no other VLANs on that switch. That switch is connected to a router. On that link connected to the router, would the switchport on the switch be a trunk port or an access port?

Hi Jason,

If you only have one VLAN then you can configure the switchport to the router as an access port that is assigned to VLAN 123. Technically, you could also use a trunk (with only VLAN 123) but it’s not needed since you only have one VLAN.

If you have two VLANs and you want to use your router as a default gateway for your hosts, that’s when you need a trunk between the switch and router.

Hope this helps!

Rene

Hi Rene,
Hope you are doing good…

I am trying to make an access list for inter-VLAN routing but I am not able to do so. Do you have any example?

I think Lazaros gave the same kind of example in July 2016, but the person Lazaros explained it to didn't explain it with any topology. I read the topic in the forum but I don't have any clue.

So can you help me on this…

Aside, Lazaros, if you are there you can help me… because for the last few hours I have tried and tried but I am not able to fix it…

Thanks & Regards,
Arindom


Hi Rene,
Hope you are doing good… Can you help me please… I asked you 2 days back, on 13th June… :smiley:
ACL for inter-VLAN routing… Based on my LAB topology the requirement is:
Condition 1:
Networks 3.3.3.0/24 (VLAN 30) and 4.4.4.0/24 (VLAN 20) will ping each other.

Condition 2:
The network 10.10.101.0/24 (VLAN 3939) should not ping the others, and the other networks should not ping 10.10.101.0/24 (VLAN 3939).

NOTE: Here VLAN 20 & 30 are service VLANs & VLAN 3939 is the management VLAN for switch reachability from the back end. The main agenda is that from the downside network the service VLANs will not ping the switches.


Thanks & Regards,
Arindom

Hello Arindom

Based on your description, I am making the following assumptions:

  1. the link between the router and the switch is on VLAN 30
  2. The SVI of VLAN 30 on the switch has an IP address of 3.3.3.1

Now if this is the case, then we can proceed looking at the conditions.

For this condition, we don’t have to do anything, since by default, communication between VLANs on a layer 3 switch occurs as long as the SVIs are configured and as long as the correct default gateways are configured on the devices themselves.

Now from my understanding, you want to completely isolate VLAN 3939 from all other VLANs. So no communication from 3939 to 20 or 30 and no communication from 20 or 30 to 3939. This means that you want to block all traffic to and from the VLAN 3939 SVI. You can do this by creating the following ACLs

access-list 101 deny ip any any
access-list 102 deny ip any any

and placing them, one incoming and one outgoing, on the VLAN 3939 interface like so:

interface vlan 3939
  ip access-group 101 in
  ip access-group 102 out

Now if at some point you choose to provide access to another VLAN from the 3939 VLAN, you can always add specific IP address ranges that you will allow. This is why I created two separate ACLs, so that you can more specifically specify the incoming and outgoing traffic.

I hope this has been helpful!

Laz

Hi Laz,
Thanks for answering me…
As per your above mentioned configuration lines, today I tested with my LAB simulator and it's working fine, but I have a few questions, so tomorrow I will send them to you.

Thanks & Regards,
Arindom

Hello Arindom

Great to hear that it’s up and running!

I’m looking forward to your questions. Talk soon!

Laz

Hi Laz,
As I told you, the configuration you suggested is working, but I tried a different way, so I want to understand what the difference is between your cfg & my cfg.
Below is my cfg & the topology is attached for your reference…

Router----

interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 2.2.2.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 3.3.3.1 255.255.255.0
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.10.101.1 255.255.255.0
 ip access-group 2 out

access-list 2 permit 10.10.101.0 0.0.0.255
access-list 2 deny any

PC2 Under VLAN 30

PC2>ping 2.2.2.2

Pinging 2.2.2.2 with 32 bytes of data:

Reply from 2.2.2.2: bytes=32 time=0ms TTL=127
Reply from 2.2.2.2: bytes=32 time=1ms TTL=127
Reply from 2.2.2.2: bytes=32 time=0ms TTL=127
Reply from 2.2.2.2: bytes=32 time=0ms TTL=127

Ping statistics for 2.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms


PC2>ping 10.10.101.65

Pinging 10.10.101.65 with 32 bytes of data:

Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.

Ping statistics for 10.10.101.65:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC2>ping 10.10.101.101

Pinging 10.10.101.101 with 32 bytes of data:

Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.
Reply from 3.3.3.1: Destination host unreachable.

Ping statistics for 10.10.101.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC3 Under VLAN 100

PC3>ping 2.2.2.2

Pinging 2.2.2.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2.2.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC3>ping 3.3.3.3

Pinging 3.3.3.3 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 3.3.3.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC3>ping 10.10.101.1

Pinging 10.10.101.1 with 32 bytes of data:

Reply from 10.10.101.1: bytes=32 time=0ms TTL=255
Reply from 10.10.101.1: bytes=32 time=0ms TTL=255
Reply from 10.10.101.1: bytes=32 time=0ms TTL=255
Reply from 10.10.101.1: bytes=32 time=0ms TTL=255

Ping statistics for 10.10.101.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC3>ping 10.10.101.65

Pinging 10.10.101.65 with 32 bytes of data:

Reply from 10.10.101.65: bytes=32 time=0ms TTL=255
Reply from 10.10.101.65: bytes=32 time=0ms TTL=255
Reply from 10.10.101.65: bytes=32 time=0ms TTL=255
Reply from 10.10.101.65: bytes=32 time=0ms TTL=255

Ping statistics for 10.10.101.65:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


Thanks & Regards,
Arindom

Hello Arindom

There are two fundamental differences between your config and mine. Your config is what is called a “router on a stick” where the routing takes place in the router itself. This means that any traffic from VLAN 10 to VLAN 20 for example will go to the router, be routed from the Fe0/0.10 interface to the Fe0/0.20 interface, be sent back to the switch and to the appropriate device on VLAN 20.

My config involves interVLAN routing, which is routing from one VLAN to another within the Layer 3 switch itself. In this case, routing takes place from one SVI to another, for the specific example, from the VLAN 10 interface to the VLAN 20 interface on the switch itself.

The other fundamental difference is the location and type and direction of the access lists that have been applied. In my example, I used two EXTENDED access lists that can deny or permit packets based on their source AND destination addresses, while you used a STANDARD access list that filters traffic based ONLY on the source address.

By creating two access lists and placing them on the SVI of the subnet you want to isolate, and specifying that we want both directions (in and out) to be blocked AND that we want to block packets regardless of source or destination IP, we verify that no traffic can go in or out of this subnet.

What you have done is created a single access list that filters based on source IP address only and filters only traffic flowing into VLAN 100.

So, when you get this result:

the ping reaches the Fe0/0.100 interface, but because the access list blocks the ping, the router responds and says that it can’t reach the destination.

When you get:

The ping goes to the router, gets routed, reaches PC2, and PC2 responds. The response reaches the router, but because of the access list on the Fe0/0.100 interface in an outgoing direction blocks it, the packet never returns and thus you get a request timed out.

PC3 can ping anywhere within the subnet (10.10.101.X) because you are not directing any traffic to the interface where the access list has been installed.

I hope this has been helpful!

Laz
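The three ACL discussions in this thread (Laz's reply to Umut on the DENY-INTERNAL wildcard mask and on ACL 101 applied inbound on SVI VLAN 10, and the closing reply to Arindom on why the standard ACL 2 applied out on Fa0/0.100 gives "Destination host unreachable" in one direction and "Request timed out" in the other) can all be checked against a small model of how IOS evaluates access lists. The Python below is an added example, not code from the forum thread or from the lesson it discusses. It models first-match evaluation with an implicit deny, a standard ACL as source-only, an extended "ip" entry as source plus destination, and applies ACLs "in" on the ingress interface and "out" on the egress interface; ACLs are stateless, so an echo reply is checked separately on its way back. Assumptions not in the thread: VLAN 10 and 20 hosts for the wildcard question live inside 10.1.0.0/16, the layer 3 switch in the SVI example also has a VLAN 30 at 10.10.30.0/24, PC3 in Arindom's lab is 10.10.101.101, and the ACL names "posted" and "fixed" are mine. One caveat: if DENY-INTERNAL is used as the match clause of a VLAN access-map rather than applied to an interface, the access-map's own forward/drop action decides what happens to matching frames, which the plain permit/deny model here does not capture.

```python
# Added example, not code from the forum thread: a Python model of how IOS
# evaluates IPv4 access lists and applies them "in"/"out" on a routed interface.
# Assumptions: first match wins, implicit deny at the end, a standard ACL matches
# on source only, an extended "ip" entry on source and destination, and ACLs
# are stateless, so an echo reply is checked on its own on the way back.
import ipaddress
from typing import Dict, List, Optional, Tuple

ANY = None  # the IOS keyword "any"
PERMIT_ANY = ("permit", ANY, "0.0.0.0", ANY, "0.0.0.0")


def wildcard_match(addr: str, base: Optional[str], wildcard: str = "0.0.0.0") -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must equal base."""
    if base is ANY:
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


class ACL:
    # entries: (action, source, source-wildcard, destination, destination-wildcard)
    def __init__(self, name: str, entries: List[Tuple]) -> None:
        self.name, self.entries = name, entries

    def permits(self, src: str, dst: str) -> bool:
        for action, s, s_wc, d, d_wc in self.entries:
            if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
                return action == "permit"
        return False  # implicit "deny any" at the end of every IOS ACL


class Router:
    """Layer 3 switch (SVIs) or router-on-a-stick (subinterfaces); connected subnets only."""

    def __init__(self) -> None:
        self.ifaces: Dict[str, Tuple[ipaddress.IPv4Network, Optional[ACL], Optional[ACL]]] = {}

    def add(self, name: str, net: str, acl_in: Optional[ACL] = None, acl_out: Optional[ACL] = None) -> None:
        self.ifaces[name] = (ipaddress.IPv4Network(net), acl_in, acl_out)

    def _iface_for(self, addr: str) -> Optional[str]:
        ip = ipaddress.IPv4Address(addr)
        return next((n for n, (net, _, _) in self.ifaces.items() if ip in net), None)

    def forward(self, src: str, dst: str) -> str:
        """One packet src->dst: 'forwarded', or which ACL dropped it and where."""
        ingress, egress = self._iface_for(src), self._iface_for(dst)
        if ingress is None or egress is None:
            return "no route"
        acl_in, acl_out = self.ifaces[ingress][1], self.ifaces[egress][2]
        if acl_in and not acl_in.permits(src, dst):
            return f"dropped by ACL {acl_in.name} in on {ingress}"
        if acl_out and not acl_out.permits(src, dst):
            return f"dropped by ACL {acl_out.name} out on {egress}"
        return "forwarded"

    def ping(self, src: str, dst: str) -> str:
        """What the pinging host sees; the reply has to cross the router again."""
        if self._iface_for(src) == self._iface_for(dst):
            return "Reply"  # same subnet: switched at layer 2, router not consulted
        if self.forward(src, dst) != "forwarded":
            return "Destination host unreachable"  # router answers with ICMP unreachable
        if self.forward(dst, src) != "forwarded":
            return "Request timed out"  # reply dropped on the way back, sender hears nothing
        return "Reply"


def deny_internal_example() -> Dict[str, bool]:
    """Wildcard question from the thread; VLAN 10/20 hosts inside 10.1.0.0/16 are assumed."""
    posted = ACL("posted", [("deny", "10.0.0.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"), PERMIT_ANY])
    fixed = ACL("fixed", [("deny", "10.1.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255"), PERMIT_ANY])
    return {"posted_blocks_10_to_20": not posted.permits("10.1.10.5", "10.1.20.5"),
            "fixed_blocks_10_to_20": not fixed.permits("10.1.10.5", "10.1.20.5"),
            "fixed_allows_internet": fixed.permits("10.1.10.5", "203.0.113.10")}


def svi_example() -> Dict[str, str]:
    """ACL 101 applied 'in' on SVI VLAN 10; a third VLAN 30 (10.10.30.0/24) is assumed."""
    acl101 = ACL("101", [("deny", "10.10.10.0", "0.0.0.255", "10.10.20.0", "0.0.0.255"), PERMIT_ANY])
    sw = Router()
    sw.add("Vlan10", "10.10.10.0/24", acl_in=acl101)
    sw.add("Vlan20", "10.10.20.0/24")
    sw.add("Vlan30", "10.10.30.0/24")
    return {"A_to_B": sw.ping("10.10.10.5", "10.10.20.5"),
            "A_to_vlan30": sw.ping("10.10.10.5", "10.10.30.5"),
            "B_to_A": sw.ping("10.10.20.5", "10.10.10.5")}


def router_on_a_stick_example() -> Dict[str, str]:
    """Standard ACL 2 applied 'out' on Fa0/0.100; PC3 is assumed to be 10.10.101.101."""
    acl2 = ACL("2", [("permit", "10.10.101.0", "0.0.0.255", ANY, "0.0.0.0"),
                     ("deny", ANY, "0.0.0.0", ANY, "0.0.0.0")])
    r = Router()
    r.add("Fa0/0.20", "2.2.2.0/24")
    r.add("Fa0/0.30", "3.3.3.0/24")
    r.add("Fa0/0.100", "10.10.101.0/24", acl_out=acl2)
    return {"PC2_to_2.2.2.2": r.ping("3.3.3.3", "2.2.2.2"),
            "PC2_to_10.10.101.65": r.ping("3.3.3.3", "10.10.101.65"),
            "PC3_to_2.2.2.2": r.ping("10.10.101.101", "2.2.2.2"),
            "PC3_to_10.10.101.1": r.ping("10.10.101.101", "10.10.101.1")}
```

Two results are worth a look beyond what the thread spells out. `svi_example()["B_to_A"]` comes back as "Request timed out": because the ACL is stateless, ACL 101 inbound on SVI VLAN 10 also drops the echo replies that VLAN 10 hosts send back to VLAN 20, so the filter affects both directions of a conversation even though only one direction is named in the entry; a practitioner who needs VLAN 20 to reach VLAN 10 has to account for that. And the "Destination host unreachable" lines in Arindom's PC2 output are IOS answering a denied packet with an ICMP unreachable (administratively prohibited); with `no ip unreachables` on the interface the denied packet is dropped silently and the sender sees a timeout instead, which is the more common choice on management-facing interfaces so that an ACL does not advertise what it protects.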