InterVLAN Routing

Why would we want to assign more than one IP address subnet to a single SVI? I noticed they do this at my work for redundancy. The additional IP addresses show up as “secondary” in a show run. Is this a common practice? Can more than one IP address subnet be assigned to a physical interface (not including sub-interfaces – router on a stick)?

Hello Jason

It is indeed a rare occurrence to have two or more IP addresses assigned to a single interface, whether SVI or physical. There are however some situations where it can be useful. Before I mention those, let me answer your question:

Typically, good network design dictates that each VLAN should contain a single subnet. It is possible however to have two or more subnets share the same broadcast domain/VLAN/network segment. This is done by adding another IP address in a different subnet to the same SVI. So you can have 10.10.10.1/24 and 10.10.20.1/24 assigned to a single SVI. All hosts within the VLAN will have one of the following two configurations:

  • IP address between 10.10.10.2 and 10.10.10.254, subnet mask 255.255.255.0 and default gateway 10.10.10.1

  • IP address between 10.10.20.2 and 10.10.20.254, subnet mask 255.255.255.0 and default gateway 10.10.20.1

Both subnets will coexist on the same VLAN and the SVI will be used as the default gateway in both cases. Even communication between hosts in each VLAN must go through the SVI to be routed. This in general is not good network design but it can be done. Note however that all broadcasts sent from one device will be “heard” by all hosts in the VLAN regardless of which subnet they belong to. Remember that although there are two subnets, they coexist in the same VLAN/network segment/broadcast domain.

Cisco suggests some situations in which secondary addresses are useful in this Cisco documentation.

I’m interested to find out how a secondary IP address on an SVI serves to provide redundancy. Can you elaborate on that?

I hope this has been helpful!

Laz

Hi Rene and staff,
I just want to add a comment about the conclusion of the section “routed ports”.
I hope I am right, and that my comment will be useful:
"
What should you use? The SVI or the routed port? If you only have one interface in a VLAN it’s fine to use the routed port, configure an IP address on it and you are ready to go. If you have multiple interfaces in a VLAN you should use the SVI.
"
Look at my small lab:


SW3 has ports in VLAN 10 (and ports in VLAN 20): in this case you cannot use g0/1 or g0/0 as routed ports, because then PCVLAN10 can’t communicate with PC10 (and PCVLAN20 also cannot ping PC20). The routed ports cannot forward the frames to the access ports g3/0 (or g3/1) that are in access VLANs. You have no choice: g0/0 and g0/1 must be switchports and you have to use SVIs (int vlan 10 and int vlan 20) as the GW to do inter-VLAN routing.

So “If you have multiple interfaces in a VLAN you should use the SVI”: it seems to say that this is a better way than using routed ports (but I am French and I hope my translation is right). But in my opinion (see my small lab), in this case, you cannot use routed ports to do inter-VLAN routing.

Note: in the real world, you should replace the 2 links between the switches with a trunk.
Regards

Hello Dominique

Yes, you are correct in your explanation. You can also look at it this way: If you have a routed port on a L3 switch, then that port will function exactly the same way as a port on a router. You would require an L2 switch to connect to that routed port in order to connect multiple devices to that subnet.

Thanks for your comments, it clarifies the point even more and adds value to the forum!

Laz

Hi Rene, I appreciate your efforts to make simple and excellent explanations of networking.


If I have two L2 links between two switches, then how can I achieve static routing or OSPF routing? Any STP issues? Can I use both links as active/active or active/standby?

Hello Nityanand,

You need routing only if packets have to leave one VLAN/subnet and enter another VLAN/subnet. Routed ports and SVIs behave as the default gateway for these packets; they rewrite the layer 2 header information.

If you have 2 links interconnecting 2 switches and all 4 endpoints of these links are switchports, then STP will put one of these switchports into blocking state. STP operates only on switchports. Routed ports and SVIs do not send STP BPDUs, nor do they understand them; they just drop ingress STP traffic.
You can overcome this STP blocking state by bundling these two interconnecting links into an EtherChannel. STP runs on top of the EtherChannel, so the two physical links will appear as just one link to STP, therefore STP will not block either link endpoint.
You can study more about EtherChannels in the following lecture:


And more about STP:
https://networklessons.com/switching/introduction-to-spanning-tree

Sorry that my answer is so general, but I didn’t really get what you are asking for. Can you be more specific, maybe post an image of your topology, so I can help you?


Thank you Fugazz, I much appreciate your response.

https://networklessons.com/cisco/ccie-routing-switching/intervlan-routing.


In this image, fa0/16 is a single link (a single point of failure). What if I add one more interface, fa0/17, and create a port-channel?

Hi Nityanand,
this “L3” written over the line means that both link end-points on the switches are routed ports. We can add one more link interconnecting the switches and make both of its end-points routed ports. Bundle the links together, add an IP on each end-point of the port-channel and then run OSPF over it. It is no problem; it should look like this.


Create the virtual port-channel interface, make it a routed port-channel and add an IP on it.

SW2(config)# interface port-channel 23
SW2(config-if)# no switchport
SW2(config-if)# ip address 10.10.10.2 255.255.255.0

SW3(config)# interface port-channel 23
SW3(config-if)# no switchport
SW3(config-if)# ip address 10.10.10.3 255.255.255.0

Make the physical interfaces routed ports and bundle them into the port-channel. You can use the interface range command for it.

SW2(config)# interface range g0/1 - 2
SW2(config-if-range)# no switchport
SW2(config-if-range)# channel-group 23 mode on

SW3(config)# interface range g1/1 - 2
SW3(config-if-range)# no switchport
SW3(config-if-range)# channel-group 23 mode on

The port-channel should be up; you can try some verification commands.

SW2# show etherchannel 23 summary

<..output omitted..>

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
23     Po23(RU)         -        Gi0/1(P)    Gi0/2(P)    

Enable IP routing on both switches.

SW2(config)# ip routing

SW3(config)# ip routing

Run an OSPF process on the created L3 port-channel interfaces, for example like this.

SW2(config)# router ospf 1
SW2(config-router)# network 10.10.10.2 0.0.0.0 area 0

SW3(config)# router ospf 1
SW3(config-router)# network 10.10.10.3 0.0.0.0 area 0

The OSPF adjacency should come up. You can verify it.

SW2# show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.3        1   FULL/DR         00:00:36    10.10.10.3      Port-channel23

Edit:
Notice that the IP address is configured only on the virtual port-channel. There is no IP address configured on the physical routed ports.

If you shut down one physical interface, the port-channel stays up. Verify it like this.

SW2(config)# interface g0/2
SW2(config-if)# shut

SW2# show etherchannel 23 summary
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
23     Po23(RU)         -        Gi0/1(P)    Gi0/2(D)    

Pay attention to the letters in brackets.

  • Po23(RU): R means that it is a layer 3 port-channel and U means that its status is up (working).
  • Gi0/1(P): P means that interface G0/1 is active and still bundled.
  • Gi0/2(D): D tells us that the interface is down, because we did shut it down.

Is this what you were looking for?


Hi Fugazz, thank you for the quick response. Much appreciated.

Yes, you made it clear. In my case one end is a Cisco 3750 and the other end is Aruba OS 16.6, so I am not sure about creating an L3 port-channel. If you know this or find something, please let me know. Thank you again.

Hello Nityanand

Kudos to @fugazz for his explanation, clear, comprehensive and correct! As for connecting a 3750 to an Aruba device it is possible to create a port channel. You can do this either by statically configuring it on both ends or by using the Link Aggregation Control Protocol (LACP) to negotiate aggregation, which is an open protocol supported by Cisco and many other vendors. Don’t use PAgP as this is Cisco proprietary.

You can find out more about link aggregation at the lesson posted by @fugazz.

I hope this has been helpful!

Laz


I’m trying to configure a 2950T-24 in Packet Tracer and when I try to assign fa0/1 an IP address I keep getting:

North_Switch(config-if)#ip address 192.168.4.3 255.255.255.0
                           ^
% Invalid input detected at '^' marker.

The config is below. Any ideas? I’ve tried “ip routing” and “no switchport” (in config mode, per Google), no luck.

North_Switch#sh run
Building configuration...

Current configuration : 1447 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname North_Switch
!
enable secret 5 $1$mERr$.mZUxVw4tp.fz.HSTl9q3/
enable password 7 08314D5D1A0E0A05165A
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
 description connection to north_host1
 duplex half
 speed 10
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4

North_Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
North_Switch(config)#int fa0/1
North_Switch(config-if)#ip address 192.168.4.3 255.255.255.0
                           ^
% Invalid input detected at '^' marker.

Hello David

The reason you’re getting the error for this command is that the specific switch is a layer 2 switch. This means that its ports cannot operate any layer 3 mechanisms or configurations, therefore they cannot be assigned an IP address. A layer 2 switch can only have an IP address assigned to its VLAN interface, more correctly referred to as a Switched Virtual Interface (SVI). In order to assign an IP address to an interface, you require a Layer 3 switch, where you can convert a switchport to a routed port and assign the IP address. Or of course, you can use a router, whose ports can be assigned an IP address.

I hope this has been helpful!

Laz

Hi,
I have Cisco Catalyst 3650 switches. I would like to find out how to configure them so that hosts in VLAN 10 and VLAN 20 can both talk to VLAN 50’s hosts, but not to each other (VLAN 10 and VLAN 20). If you have a video or discussion about it, please let me know. Thank you for your help.

Hello Phong

If you have various hosts on different VLANs on a Layer 3 switch, these hosts will automatically be able to communicate with each other through InterVLAN routing. If however you want to block certain communications between them, then you can use access lists to do so. Take a look at these two lessons. They involve access lists on routers, but the concept is the same for Layer 3 switches:


I hope this has been helpful!

Laz
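To make the access-list approach concrete, here is an added Python model (example code written for this page, not from the forum or the lessons) of two ACLs applied inbound on the VLAN 10 and VLAN 20 SVIs, evaluated against sample flows; the per-VLAN subnets 192.168.10.0/24, 192.168.20.0/24 and 192.168.50.0/24 and the ACL names are assumed, since the thread gives only the VLAN IDs.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed subnets, one per VLAN (assumed; the thread names only the VLAN IDs).
SUBNET = {
    10: IPv4Network("192.168.10.0/24"),
    20: IPv4Network("192.168.20.0/24"),
    50: IPv4Network("192.168.50.0/24"),
}
ANY = IPv4Network("0.0.0.0/0")

# Ordered (action, source, destination) entries, applied inbound on the SVI of
# the VLAN named by the key ('ip access-group <name> in' under 'interface Vlan<id>').
# IOS evaluates top-down, first match wins, and a packet matching no line hits
# the implicit deny. VLAN 50 has no ACL, so its replies to VLAN 10/20 are routed.
ACL_IN = {
    10: [("deny", SUBNET[10], SUBNET[20]), ("permit", ANY, ANY)],
    20: [("deny", SUBNET[20], SUBNET[10]), ("permit", ANY, ANY)],
}


def to_ios(name, acl):
    """Render the model as 'ip access-list extended' lines (wildcard = inverted mask)."""
    def addr(net):
        return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"
    return [f"ip access-list extended {name}"] + [
        f" {action} ip {addr(src)} {addr(dst)}" for action, src, dst in acl
    ]


def evaluate(acl, src, dst):
    """First-match lookup ending in the implicit deny every IOS ACL carries."""
    for action, s, d in acl:
        if IPv4Address(src) in s and IPv4Address(dst) in d:
            return action
    return "deny"


def routed(src, dst):
    """Fate of a packet from src entering the L3 switch on its own VLAN."""
    vlan = next(v for v, net in SUBNET.items() if IPv4Address(src) in net)
    if IPv4Address(dst) in SUBNET[vlan]:
        return "switched"  # same VLAN: layer 2 forwarding, never sees the SVI ACL
    return evaluate(ACL_IN.get(vlan, [("permit", ANY, ANY)]), src, dst)


if __name__ == "__main__":
    for name, vlan in (("VLAN10_IN", 10), ("VLAN20_IN", 20)):
        print("\n".join(to_ios(name, ACL_IN[vlan])))
    for flow in [("192.168.10.5", "192.168.50.9"), ("192.168.10.5", "192.168.20.7"),
                 ("192.168.20.7", "192.168.10.5"), ("192.168.50.9", "192.168.20.7")]:
        print(flow, "->", routed(*flow))
```

Because the ACLs are stateless, the deny on each SVI blocks both the request and the reply between VLAN 10 and VLAN 20, while traffic switched inside a VLAN never reaches the SVI and is unaffected.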

Why do you have to assign the VLAN for an SVI on an access or trunk port? Isn’t an SVI a layer 3 port?
It would seem like you should be able to connect to an SVI just like a router port. What is the point of having that random access port up, or an allowed VLAN over a trunk, when you have an SVI (layer 3 port) to let the traffic in? I have done a good bit of googling, and I am honestly not sure where to look.

Hello Justin

When you have a L3 switch, you have the following two options for creating routed interfaces:

  1. Make one of the physical ports a routed interface using the no switchport command, and then assign an IP address to the port. This will actually make the physical port function like the port of a router, with an IP address and subnet mask on the interface itself.
  2. Create an SVI and assign it an IP address. Now if you do this, you create a virtual interface. This virtual interface has no connection to a physical device in any way UNLESS you create an access or trunk port on the same VLAN as the SVI via which end devices can communicate with the SVI. There is no other physical way for a device, such as a PC, to access that IP address and use it as the default gateway.

I hope this has been helpful!

Laz

My question is regarding inter-VLAN routing. In short, do all L2 and L3 switches need an SVI with the appropriate VLAN and IP address for inter-VLAN routing to work? In a three-tier Cisco networking framework, can the access switch have the VLAN(s) configured and the end device in the VLAN without an SVI and IP address? Will the following scenario work?

L3
Vlan 10, Interface Vlan 10 - 192.168.10.2/24
Vlan 20, Interface Vlan 20 - 192.168.20.2/24
Trunk between L2 and L3 switch
IP routing is enabled

L2
Vlan 10, interface vlan 10 no IP address
Vlan 20, interface vlan 20 no IP address
Trunk between L2 and L3 switch
Pc in vlan 10
Pc in vlan 20

Pc (192.168.10.6) on vlan 10 with the default gateway pointing to 192.168.10.2

Pc (192.168.20.5) on vlan 20 with the default gateway pointing to 192.168.20.2

Hello Derrick

Your description of how to create such a network is absolutely correct. I’ve created a topology with the information you provided:


So the L2 switch doesn’t need any SVIs or IP addresses configured, you simply configure the correct ports on the correct VLANs. You create a trunk with both VLANs, and you create both VLANs on the L3 switch as well. At the L3 switch you create two SVIs, one for each VLAN that will act as the default gateways for each subnet/VLAN.

The result is, when PC1 wants to communicate with PC2, the traffic will:

  • go to the L2 switch on VLAN 10
  • go through the trunk on VLAN 10
  • reach the VLAN 10 SVI on the L3 switch
  • be routed from VLAN 10 to VLAN 20
  • be sent out of the VLAN 20 SVI on the L3 switch
  • go through the trunk on VLAN 20
  • reach PC2 via the access port on VLAN 20

This is very similar to Router on a Stick, where instead of an L3 switch, you have a router with subinterfaces, one for each VLAN on the trunk.

So for the L2, you don’t need to configure SVIs with IP addresses. The only reason you would do this is to have access to the switch itself via the network for CLI access and configuration. But L2 switches with SVIs won’t route traffic between VLANs.

I hope this has been helpful!

Laz

Good afternoon,

I’m trying to configure two PCs to be able to ping each other. After setup I’m unable to get them to ping each other.

Here is my setup: PC1 (…155.101) is directly connected to the core layer 3 switch. Its port has been configured and placed into VLAN 1401 with the following commands: switchport access vlan 1401, switchport mode access.

PC2 (…155.102) is directly connected to a layer 2 switch. Its port has also been configured and placed into VLAN 1401 with the following commands: switchport access vlan 1401, switchport mode access.

The Layer 3 switch houses the interface vlan 1401 and its SVI address is …155.65. Between the two switches Vlan 1401 is allowed.

PC1 is able to ping the gateway …155.65. Additionally, to ensure all is well I created an SVI on the layer 2 switch and was able to ping PC2. The layer 3 switch is a 3750 and the layer 2 switch is a 3650.

The VLAN has been allowed and has not been pruned in the configuration of either switch.

Am I missing anything?

Hello Derrick

To facilitate responding, I have mapped out your topology in the following diagram. I assumed the IP addresses are in the 10.10.155.0/24 subnet:

Now if Fa0/1 interfaces are configured as you state, and the trunk allows the 1401 VLAN, and the PCs are configured with these IP addresses, then they should communicate with each other. Just a note here, that no default gateway should be needed for this communication, since both PCs reside on the same VLAN and in the same subnet. No InterVLAN routing is taking place and thus, configuration of the SVIs is not necessary for connectivity.

Since PC1 can ping the SVI on the core L3 switch, and PC2 can ping the SVI on the L2 switch, then my attention would be brought to the trunk configuration. I suggest you follow this troubleshooting procedure:

  1. Verify that VLAN 1401 has been created in both switches
  2. Make sure that the VLAN 1401 SVIs in both switches are in the same subnet
  3. Try to ping from one SVI to the other. If it fails examine the trunk configuration
  4. Attempt to achieve the same connectivity by changing the trunk link to an access link on VLAN 1401 and testing again

If you get the trunk or the access link working between switches, then your topology should function correctly. Let us know your results!

I hope this has been helpful!

Laz