InterVLAN Routing

Hello Team,

I have a question regarding our layer 3 ports. If we decide to run layer 3 ports between our access and distro switches aren’t we kind of getting rid of our trunk interfaces if we decide to make them layer3 ports? Are trunk interfaces still needed if everything will be using routing protocols?

From a best standards prospective if we are using all layer 3 switches on access, distro and core would the best solution be something where we use layer 2 port channels on our access switches and span them to our our disto switches for redundency or make the port-channels layer3 and bundle them with our trunk interfaces and span them to our distro switches?


Hi Fabian,

When you use L3 interfaces then yes, your vlans/trunks are gone. We only use trunks to span VLANs over multiple switches.

If you create a routed design then between the routers/switches we don’t use VLANs anymore, it’s all routed. Take a look at this lesson, I added some simple examples for L2/L3 designs for the core/distribution/access layer setup:

Cisco Campus Network Design Basics

Technically a design with L3 switches everywhere would be the best. VLANs will be restricted to a single access layer switch to get rid of trunks and spanning-tree. Routing protocols like OSPF or EIGRP have faster convergence and are more reliable than spanning-tree.

It might be a challenge though…all your traffic will be routed so your applications need to support it. For example, a few years ago I ran into an issue with an Apple TV and iPAD. It uses multicast for the bonjour protocol with a TTL of 1 which means it’s unroutable…if you want to stream anything from the iPad to the Apple TV then it HAS to be in the same subnet :slight_smile:


1 Like

Hi Rene,

I have one scenario lab.

If configure Inter-Vlan on SWITCH L3 on some ports, and I used other SWITCH L3 ports to do Inter-VLAN with Router.
Is it possible ?

Best Regards,

1 Like

Hi Chhayheng,

This is no problem, you can mix different port types and in between different switches.


1 Like

Hi Rene,

I have one switch layer 3.

Example: Switch L3 port 1-10 configure with SVI feature to do Inter-vlan. the remaining port I configure inter-vlan on router but switch layer 3 act like switch layer 2. I do not disable ip routing.

Sure this is no problem, you can mix L2 and L3 interfaces on the same switch.

Hlw Rene,

Thanks for the articles. I have one questions that when creating L3 port(No switch port) from L2 port what is the Internal vlan that switch creating Autometically. As we know if we creat L3 port then that will not belongs to any vlan.

IGW_L3_SW-1#show vlan internal usage 

VLAN Usage
---- --------------------
1006 TenGigabitEthernet1/13
1007 TenGigabitEthernet1/15


Here I have created Teng1/13 & Teng1/15 are routed port and its belongs to vlan 1006 & 1007


By default, a Layer 3 port will automatically be assigned to a reserved range of “internal use” VLANs. Which specific vlans will be used depends on the internal allocation policy setting. There are two options:

vlan internal allocation policy ascending
This setting starts with VLAN 1006 and goes up.

vlan internal allocation policy descending
This setting starts with VLAN 4094 and goes down.

In general, try to avoid using manually defined VLANs close to 1006 or vlan 4094 so you won’t have a conflict.

1 Like

Hi Rene,

Could you pls explain the trunk and access port functionalities in details?
Will the trunk port allow access frames to pass through or vice versa?. Also the same functionality with different vlans and different subnets?

This might help to understand the difference between access / trunk interfaces:

Access mode interfaces are assigned to one VLAN. We use these for computers, printers, etc.

Trunk mode interfaces carry more than one VLAN…we use these between switches and sometimes to a router or server.

The main difference between access/trunk interfaces is that a trunk will “tag” the Ethernet frame with the VLAN number.


1 Like

Hello Dinh.

I had a production network where I wanted to implement exactly what you describe. The solution I used was access lists as you mentioned. It is probably the fastest and most immediate solution. However, there are a couple of other solutions that may be more flexible as well. These are described below:

VLAN access list - This is just an access list but it filters based on VLAN rather than IP. It is a layer 2 solution. An example configuration can be seen below:

interface Vlan1
no ip address
interface Vlan2
description VLan connected to Internet
ip address
interface Vlan10
description User VLAN
ip address
interface Vlan20
description Server VLAN
ip address
interface Vlan30
description Management VLAN
ip address
ip route

ip access-list standard INTERNET
permit any

ip access-list extended DENY-INTERNAL
permit ip


vlan access-map MY-VLAN-MAP 10
action drop
match ip address DENY-INTERNAL

vlan access-map MY-VLAN-MAP 20
action forward
match ip address INTERNET

vlan filter MY-VLAN-MAP vlan-list 10-30


In this example, users on the three VLANs can access ONLY VLAN2 to connect to the internet, however, any attempt for inter VLAN connectivity will be dropped. So intervlan routing is essentially blocked for VLANs 10, 20 and 30.

The other option, which is a layer 3 solution is the use of policy based routing. An example can be seen below:

access-list 100 permit ip any
access-list 110 permit ip any

route-map vlan500 permit 10
match ip address 100
set ip next-hop

route-map vlan600 permit 10
match ip address 110
set ip next-hop

interface vlan 500

ip address
ip policy route-map vlan500

interface vlan 600

ip address
ip policy route-map vlan600

This is probably the most flexible of the above solutions because you can configure it per range of IP addresses. Your access lists can be more specific to include specific hosts within a subnet/VLAN so that some hosts will have access to specific VLANs and others won’t.

I hope this has been helpful.


Does two different VLANS always have diff subnet? can’t we create two different VLAN on the same n/w?
i am referring to your text at the top of the lesson: “SwitchA has two VLANs so we have two different subnets.”

In most cases, there is a one-to-one relationship between VLANs and subnets. However, this is not always so. For example, in a shared hosting environment, it is common for multiple customers to be using the same network on the same provider’s equipment. In this case, in order to keep the traffic separated, the provider must use something called Private VLANs. Private VLANs can use the same subnet but spread across different VLANs.

If you are interested, there is a Network Lesson available on Private VLANs

19 posts were merged into an existing topic: InterVLAN Routing

Hi Laz,

Thank you for the example., I have some questions about it:
1-For the VLAN access-list, DENY-INTERNAL access-list why do you use ? Because it also blocked internet (vlan 2) traffic. I think it should be to prevent communication between VLANS 10,20,30. Could you explain?
2- In policy based routing example, what is the, is it the gateway for internet traffic? By this config do you force vlan 500, 600 connect internet and block intervlan traffic ?
3-Could you give access-list solution?


Hello Umut

I will attempt to answer your questions below:

Yes, you are correct. The access-list should be in order to cover VLANs 10, 20 and 30. Thank you! is the gateway IP. This config essentially blocks the routing from one VLAN to the other by forcing all traffic to be routed via the router rather than going to the corresponding SVI. So a ping from to would not be routed from one SVI to another, but it would be routed to From there, whatever routing is confgured on that device would define what happens to such packets after that…

Let’s say you have two SVIs configured on a layer 3 switch: VLAN 10 and VLAN 20 with IP addresses and respectively. Host A with an IP address of wants to communicate with host B with an IP address of InterVLAN routing will allow this communication.

To block it, you can create the following access list and assign it to one of the SVIs:

ip access-list 101 deny ip ip access-list 101 permit ip any any

This blocks all traffic from VLAN 10 to VLAN 20. You can either place it as an outgoing access list on SVI VLAN 10 or as an incoming access list on SVI VLAN 20. Being an extended access list, it should always be placed closer to the source, so the following should be configured:

interface vlan 10 ip access-group 101 in

Any packets originating from VLAN 10 will now be blocked at the default gateway of VLAN 10 which is the corresponding SVI ( Thus, intervlan routing is not functional.

I hope this has been helpful!


Hi Andrew,

This is of great interest to me as its something that keeps nagging at me that I want to make 100% sense of. I will soon study private VLANs on the issue of sharing subnets on a VLAN.

There is a variation of this question though that I have great interest in. Rene uses an example where he has two switches and each one has SVI with same subnet for the same VLAN but on different switches.

Similar example:


so four switches all four are in same subnet, and lets just say they are in VLAN 10.

I think I have been coming at this all wrong. when I thought of SVI I thought about Default Gateway when we gave it an IP but that does not seem to be the case???

it now seems that it has nothing to do with the default gateway. In fact the default gateway could be different and would depend on the specific device if done manually or if done through DHCP that would delegate the Default Gateway.

so if I had four different PC each one could if manually configured have each have a different default gateway. which makes sense when you think about what a Default Gateways job is in regards to a specific device.

am I thinking about this correctly? meaning an SVI is simply a mechanism to allow inter vlan routing on that switch.

so if I have an SVI on a switch with the subnet for VLAN 10 and I have on that switch also VLAN 20, 30, and 40 and they all have an SVI interface then that switch will allow all that traffic from those VLANs and their different subnets to communicate.

However, an SVI does not mean its a Default Gateway it only means it could be its real purpose is just inter vlan routing.

I hope I am understanding this and I think I am now just wanted to clarify.

Hello Brian

Please allow me to step in and participate, as this is an issue that I had trouble in visualising and understanding. I hope I can be of some help. For the most part, you’ve got it, maybe I can make things a little bit clearer for you.

It is possible to have SVIs on multiple switches be in the same subnet, and depending on how you have set up your network, you can make any one of those SVIs a default gateway for use by the hosts on the subnet. In the same way, you can place multiple routers on the same subnet and have them function as multiple possible default gateways. The concept is the same.

Yes, that is correct.

Keep in mind that:

  • An SVI can be thought of as a (virtual) layer three interface that resides on a VLAN.
  • It can be used for several purposes, one of which is to function as a default gateway for inter-VLAN routing, so devices on that specific VLAN will be able to communicate with other subnets, either on or off of the specific layer three switch.
  • It can also used as an interface to configure the switch itself, either via telnet/ssh or via http.

Yes, that is absolutely right!

Keep in mind that inter-VLAN routing is still routing, and as such, it still requires a default gateway, so in this sense, an SVI will function as a default gateway.

I hope this has been helpful!


1 Like

how to add vlan 10,vlan 20 to vlan database on SVI ?

Here is an example: