Cisco Inter-VLAN Routing Basics

My recent series of articles has dealt with the core concepts of Cisco switching and VLANs. VLANs allow you to segregate ports into virtual mini-switches which limit broadcasts and tighten security; you can read about the essential concepts in my previous post. Starting in this article, we’ll explore the essentials of inter-VLAN routing. Since VLANs group switch ports at layer 2, the data-link layer, and since switches will not forward frames from one VLAN to another, we need a mechanism to provide such connectivity.

That mechanism is routing: good old-fashioned layer 3 routing. I think many people become awfully confused about VLANs because they conflate the layer 2 concepts of VLANs with the layer 3 concepts of inter-VLAN routing. Always remember that VLANs are about layer 2 and are created and configured on switches. Allowing VLANs to communicate is all about routing and this adds a separate (although related) layer on top.

Here is a simple schematic I used when introducing VLANs. There are no VLANs here, only two switches with no trunk between them. John and Paul, on S1, cannot communicate with George and Ringo, on S2. What we have here are essentially two separate LANs, which implies two separate networks (or subnets). This is why I’ve placed John and Paul into the 192.168.1.0 network, and George and Ringo into the 192.168.2.0 network. Thus, we have a layer 3 separation here. With two networks, we must use a router to facilitate communication between them. So let’s add in a router with two Ethernet interfaces, each interface connected to a port on the appropriate switch.

This scenario provides a useful recap on configuring the router interfaces, which will stand us in good stead shortly. Our goal is to allow Ringo to ping Paul and vice versa. First, we configure the IP details on each host, as shown in the schematic. The default gateway for John and Paul is the Ethernet0 interface of the router, which will have the IP 192.168.1.254, since I like to use the highest available host address for a network’s router. Similarly, George and Ringo will use a gateway of 192.168.2.254, which corresponds to the router’s Ethernet1 interface. Let’s now configure the router:

Router> enable
Router# configure terminal
Router(config)# interface e0
Router(config-if)# description Interface on John and Paul network
Router(config-if)# ip address 192.168.1.254 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# interface e1
Router(config-if)# description Interface on George and Ringo network
Router(config-if)# ip address 192.168.2.254 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end

Nothing very strenuous here: we apply descriptions and addresses to the interfaces and bring them up. The router will now be aware that networks 192.168.1.0 and 192.168.2.0 are directly connected and we can verify this by looking at its routing table:

Router# show ip route

---Sample output---

Gateway of last resort is not set

C   192.168.1.0 is directly connected, Ethernet0
C   192.168.2.0 is directly connected, Ethernet1

Ringo will now be able to ping Paul and vice versa. Let’s now transition to a single switch, but with VLANs 2 and 3 instead of physically separate switches. Here is the schematic:

Conceptually, you can think of this as no different from the scenario we started with earlier. But, instead of separate switches, John and Paul are members of VLAN 2, and George and Ringo are members of VLAN 3. Thus, the switch will prevent these VLANs communicating between themselves; we must add in layer 3 routing to allow such communication.

The process begins by assigning IP addresses to each system, such that all hosts within the same VLAN are in the same network or subnet. There is a one-to-one correspondence between a VLAN and an IP network. Hosts in the same VLAN are in the same network, and hosts in different VLANs are in different networks. I’ve used the same addressing scheme as earlier, as the schematic clearly shows.

Before, the router interfaces connected to any available port on either switch, but with both switches now merged into a single switch, we must take the VLANs into account when hooking them up. I’ll start from scratch: first, I’ll follow best practice and create a new VLAN to serve as the default, then move all the ports into it. VLAN 1 will remain (you cannot delete it) but will be unused. This guards against attacks that rely on the default VLAN being number 1:

Switch> en
Switch# configure terminal
Switch(config)# vlan 50
  VLAN 50 added:
  Name: VLAN0050
Switch(config-vlan)# name Default
Switch(config-vlan)# exit
Switch(config)# interface range gi0/1 - 12
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 50
Switch(config-if-range)# do show vlan brief

---Sample output---

VLAN    Name                 Status    Ports
----    ----                 ------    -----
1       default              active
50      Default              active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                       Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                       ---More ports omitted---
---Output omitted---

Next, I’ll create VLANs 2 and 3:

Switch(config-if-range)# exit
Switch(config)# vlan 2
  VLAN 2 added:
  Name: VLAN0002
Switch(config-vlan)# name RubberSoul
Switch(config-vlan)# vlan 3
  VLAN 3 added:
  Name: VLAN0003
Switch(config-vlan)# name Revolver
Switch(config-vlan)# exit

I’ve named the two VLANs after classic Beatles albums—and why not? I’ll place John and Paul into RubberSoul, and George and Ringo into Revolver. As per the schematic, John and Paul are connected to ports Gi0/1 and Gi0/2, George and Ringo to ports Gi0/3 and Gi0/4:

Switch(config)# interface range gi0/1 - 2
Switch(config-if-range)# switchport access vlan 2
Switch(config-if-range)# interface range gi0/3 - 4
Switch(config-if-range)# switchport access vlan 3
Switch(config-if-range)# end
Switch# show vlan brief

---Sample output---

VLAN    Name                 Status    Ports
----    ----                 ------    -----
1       default              active
2       RubberSoul           active    Gi0/1, Gi0/2
3       Revolver             active    Gi0/3, Gi0/4
50      Default              active    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                       Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                       ---More ports omitted---

Everything looks good: the VLANs are created and the ports correctly assigned. The switch will, of course, prevent traffic from passing between these VLANs, so we must now bring the router into play. In the earlier scenario, the router’s two interfaces, E0 and E1, connected to ports on the two switches. Now we have only one switch with two VLANs being used. So we must connect one router interface to a port in the RubberSoul VLAN, and the other interface to a port in the Revolver VLAN. I’ll use the switch’s highest ports for this, to keep them separate. I’ll place Gi0/23 into RubberSoul and Gi0/24 into Revolver:

Switch# configure terminal
Switch(config)# interface gi0/23
Switch(config-if)# description Uplink to RubberSoul gateway
Switch(config-if)# switchport access vlan 2 
Switch(config-if)# interface gi0/24
Switch(config-if)# description Uplink to Revolver gateway
Switch(config-if)# switchport access vlan 3
Switch(config-if)# end
Switch# show vlan brief

---Sample output---

VLAN    Name                 Status    Ports
----    ----                 ------    -----
1       default              active
2       RubberSoul           active    Gi0/1, Gi0/2, Gi0/23
3       Revolver             active    Gi0/3, Gi0/4, Gi0/24
50      Default              active    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                       Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                       ---More ports omitted---

The output of show vlan brief confirms the VLAN groupings: John and Paul, on Gi0/1 and Gi0/2, are members of RubberSoul, as is Gi0/23, the uplink to the default gateway for that VLAN. George and Ringo, on Gi0/3 and Gi0/4, are members of Revolver, as is Gi0/24, the uplink to the default gateway for that VLAN.
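The same check can be automated. The following Python is an added example, not part of the original article: it parses `show vlan brief` text in the layout shown above (including continuation lines), reports any port still sitting in VLAN 1, and reports any expected port that is missing from its VLAN. The function names are my own.

```python
import re

# Sample text copied from the article's final `show vlan brief` listing.
SAMPLE = """\
VLAN    Name                 Status    Ports
----    ----                 ------    -----
1       default              active
2       RubberSoul           active    Gi0/1, Gi0/2, Gi0/23
3       Revolver             active    Gi0/3, Gi0/4, Gi0/24
50      Default              active    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                       Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                       ---More ports omitted---
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")   # id, name, status, ports
PORT = re.compile(r"^[A-Za-z]+\d+(?:/\d+)*$")          # e.g. Gi0/23

def parse_vlan_brief(text):
    """Return {vlan_id: {"name": str, "status": str, "ports": [str]}}."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3), "ports": []}
            rest = m.group(4)
        elif current is not None and line[:1].isspace():
            rest = line      # continuation line: more ports for the previous VLAN
        else:
            continue         # header, separator or blank line
        for tok in rest.split(","):
            tok = tok.strip()
            if PORT.match(tok):   # skips markers such as "---More ports omitted---"
                vlans[current]["ports"].append(tok)
    return vlans

def audit(vlans, expected):
    """expected is {vlan_id: set(ports)}; returns a list of findings."""
    findings = [f"{p} is still in VLAN 1" for p in vlans.get(1, {}).get("ports", [])]
    for vid, ports in expected.items():
        missing = ports - set(vlans.get(vid, {}).get("ports", []))
        findings.extend(f"{p} is not in VLAN {vid}" for p in sorted(missing))
    return findings
```
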

Next, we ensure the hosts have the correct IP details: John and Paul are in 192.168.1.0 and George and Ringo are in 192.168.2.0. Another way of saying this is that VLAN 2 (RubberSoul) corresponds to the IP network 192.168.1.0 and VLAN 3 (Revolver) corresponds to the IP network 192.168.2.0. The hosts in each VLAN are given a default gateway of the router interface for that VLAN, just as before.

Finally, we’ll connect the E0 router interface to port Gi0/23, making it the RubberSoul gateway, and the E1 interface to Gi0/24, making it the Revolver gateway. Here’s the router configuration:

Router> enable
Router# configure terminal
Router(config)# interface e0
Router(config-if)# description Interface on RubberSoul network
Router(config-if)# ip address 192.168.1.254 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# interface e1
Router(config-if)# description Interface on Revolver network
Router(config-if)# ip address 192.168.2.254 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end

If you’re thinking, ‘that’s exactly the same configuration as in the earlier example’, you’re quite right. After all, the router doesn’t know about the VLANs—or care. It could be connected to two separate switches for all it knows. As it happens, it’s connected to two ports on the same switch, but the ports are in separate VLANs. Issuing show ip route will display the two directly connected networks, as it did before.

Let’s talk through the route a packet from Paul to Ringo will take. Paul wants to send data to Ringo’s address, which is 192.168.2.2. Paul takes his own address, 192.168.1.2, and applies his own subnet mask to it in order to discover his network address, which is 192.168.1.0. He then applies the mask to Ringo’s address, which yields 192.168.2.0. Since these networks don’t match, Paul knows that Ringo is not a member of his local network, and must send the packet to his default gateway. This has been configured as 192.168.1.254, which is the E0 router interface.

Now, suppose that Paul doesn’t know the MAC address of this router interface. He will send out an ARP broadcast saying, ‘will the device with IP 192.168.1.254 please tell me his MAC?’ This goes to the switch on port Gi0/2, which is in VLAN 2, RubberSoul. As the frame is a broadcast, the switch will send it from all active ports in the same VLAN: thus, John will get a copy and discard it (since his IP doesn’t match), and the router’s E0 interface will get a copy, since it is also connected to a switch port in VLAN 2. The interface’s IP matches, so it responds to Paul with its MAC address, which Paul caches for future use.

Now Paul places his packet in a frame and sends it to the router’s E0 interface. Here, the packet is extracted and the destination IP address—Ringo’s—is matched against the routing table. A match is found: the 192.168.2.0 network is located out of E1, so the packet is forwarded to that interface. If Ringo’s MAC address isn’t known to the router, it will also send an ARP request by broadcasting and, since E1 is connected to a switch port in VLAN 3, Revolver, only George and Ringo will receive it. Ringo will respond and now the router can forward the packet in an Ethernet frame to Ringo, in VLAN 3.
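The walk-through above can be modelled in a few lines of Python. This is an added example, not code from the original article: it reproduces the mask comparison, the VLAN-scoped ARP broadcasts and the router's connected-route lookup, and it also shows what happens when a router uplink is placed in the wrong VLAN. John's and George's host addresses are assumptions, since the text gives only Paul's and Ringo's.

```python
from ipaddress import ip_address, ip_interface

# Stations attached to the switch: name -> (address/mask, access VLAN).
# Paul's and Ringo's addresses are the article's; John's and George's are assumed.
STATIONS = {
    "John":   (ip_interface("192.168.1.1/24"), 2),
    "Paul":   (ip_interface("192.168.1.2/24"), 2),
    "George": (ip_interface("192.168.2.1/24"), 3),
    "Ringo":  (ip_interface("192.168.2.2/24"), 3),
    "E0":     (ip_interface("192.168.1.254/24"), 2),   # router, via Gi0/23
    "E1":     (ip_interface("192.168.2.254/24"), 3),   # router, via Gi0/24
}
GATEWAY = {"John": "192.168.1.254", "Paul": "192.168.1.254",
           "George": "192.168.2.254", "Ringo": "192.168.2.254"}
ROUTER_IFACES = ("E0", "E1")

def arp(sender, target_ip, st=STATIONS):
    """ARP request: the switch floods it only to ports in the sender's VLAN."""
    vlan = st[sender][1]
    receivers = sorted(n for n, (_, v) in st.items() if v == vlan and n != sender)
    responder = next((n for n in receivers if st[n][0].ip == target_ip), None)
    return receivers, responder

def route_lookup(dst_ip, st=STATIONS):
    """Connected-route lookup: the router interface whose network holds dst_ip."""
    return next((i for i in ROUTER_IFACES if dst_ip in st[i][0].network), None)

def trace(src, dst, st=STATIONS):
    """Return the ARP exchanges needed to deliver a packet from src to dst."""
    src_if = st[src][0]
    dst_ip = st[dst][0].ip
    if dst_ip in src_if.network:              # same network after masking
        return [(src, *arp(src, dst_ip, st))]
    # Different network: resolve the default gateway instead of the target.
    receivers, gw_if = arp(src, ip_address(GATEWAY[src]), st)
    hops = [(src, receivers, gw_if)]
    out_if = route_lookup(dst_ip, st)
    if gw_if is None or out_if is None:
        return hops                           # no gateway reply or no route: dropped
    hops.append((out_if, *arp(out_if, dst_ip, st)))   # router ARPs on egress VLAN
    return hops
```

Each tuple is (requester, stations that received the broadcast, station that answered); a `None` responder means the ARP request went unanswered, which is what a host sees when its gateway's switch port is in a different VLAN.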

If you’re new to this, then I recommend trying my configuration out in a simulator like Packet Tracer or Boson’s NetSim. Think through the packet’s journey as described above and it will become clear. Always keep in mind that the router’s job is simply to facilitate the swapping of data from one VLAN to another. The router, in this scenario, knows nothing about VLANs—they are a layer 2 concept that only the switches need to worry about.

In my next article, I will consider the drawbacks of this approach to inter-VLAN routing, and we will investigate the more efficient router-on-a-stick scenario.
