Router-on-a-stick works, but it funnels every inter-VLAN packet through a single physical link to an external router — a bottleneck that caps throughput and adds latency. A Layer 3 switch eliminates that bottleneck entirely by routing between VLANs in hardware using its own switching ASIC. On a Catalyst 9300, inter-VLAN traffic moves at wire speed with sub-microsecond latency because the routing decision happens in the same silicon that handles Layer 2 forwarding.
In the PingLabz Switching Lab, CORE-SW1 is the Layer 3 boundary. Every VLAN has an SVI on CORE-SW1, and all inter-VLAN traffic routes through it without ever leaving the chassis.
How SVI-Based Routing Works
A Switch Virtual Interface (SVI) is a logical Layer 3 interface tied to a VLAN. When you create interface Vlan 10 and assign it an IP address, that address becomes the default gateway for all devices in VLAN 10. The switch treats the SVI exactly like a routed interface — it appears in the routing table, participates in ARP, and forwards packets between subnets.
When a host in VLAN 10 (10.10.10.50) wants to reach a host in VLAN 20 (10.10.20.100), the traffic flow is:
- The VLAN 10 host sends the packet to its default gateway — the VLAN 10 SVI (10.10.10.1) on CORE-SW1.
- CORE-SW1 receives the frame on a trunk port, strips the VLAN 10 tag, and hands it to the routing engine.
- The routing engine looks up the destination (10.10.20.100) in the routing table and finds it is directly connected via the VLAN 20 SVI (10.10.20.1).
- CORE-SW1 ARP-resolves 10.10.20.100 in VLAN 20, rewrites the frame with the new destination MAC, tags it as VLAN 20, and sends it out the appropriate trunk.
- The frame reaches the destination host on ACC-SW2.
The critical difference from router-on-a-stick: steps 2 through 4 happen entirely within CORE-SW1's switching hardware. There is no external link, no subinterface overhead, and no single-link bottleneck.
[DIAGRAM: CORE-SW1 with SVIs for VLAN 10 (10.10.10.1), VLAN 20 (10.10.20.1), VLAN 30 (10.10.30.1), VLAN 40 (10.10.40.1), VLAN 50 (10.10.50.1). Trunk links going down to DIST-SW1 and DIST-SW2. Show a packet from VLAN 10 being routed to VLAN 20 entirely inside CORE-SW1.]
Prerequisites
Before configuring inter-VLAN routing on CORE-SW1:
- VLANs must exist on CORE-SW1. Either create them locally or allow them via VTP.
- Trunk links must carry the VLANs between access/distribution and CORE-SW1.
- At least one port in each VLAN must be up for the SVI line protocol to come up. A trunk port carrying the VLAN counts.
- The switch must support Layer 3 routing. Catalyst 9300 and 9500 support this with the appropriate license. The Catalyst 9200L (used as ACC-SW1/2/3) does not support full Layer 3 routing: it can have management SVIs but not ip routing.
Configuring Inter-VLAN Routing on CORE-SW1
Step 1: Enable IP Routing
CORE-SW1(config)# ip routing
This single command activates the Layer 3 forwarding engine. Without it, the switch behaves as a Layer 2 device — SVIs can receive traffic destined to their own IP but will not forward between subnets. This is the most commonly missed step.
Step 2: Create SVIs for Each VLAN
CORE-SW1(config)# interface Vlan10
CORE-SW1(config-if)# description Users - Default Gateway
CORE-SW1(config-if)# ip address 10.10.10.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface Vlan20
CORE-SW1(config-if)# description Servers - Default Gateway
CORE-SW1(config-if)# ip address 10.10.20.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface Vlan30
CORE-SW1(config-if)# description Management
CORE-SW1(config-if)# ip address 10.10.30.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface Vlan40
CORE-SW1(config-if)# description Voice
CORE-SW1(config-if)# ip address 10.10.40.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface Vlan50
CORE-SW1(config-if)# description Guest - Internet Only
CORE-SW1(config-if)# ip address 10.10.50.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
Each SVI acts as the default gateway for its VLAN. Hosts in VLAN 10 point to 10.10.10.1, hosts in VLAN 20 to 10.10.20.1, and so on.
Notice we do not create an SVI for VLAN 99 (Native) or VLAN 999 (Parking). The native VLAN carries untagged trunk control traffic and should not have an IP gateway. The parking VLAN is a black hole for unused ports — giving it a routed SVI defeats its purpose.
Step 3: Configure DHCP Relay (Optional but Common)
If your DHCP server lives in VLAN 20 (10.10.20.10), clients in other VLANs need the switch to relay their DHCP broadcasts to the server. Configure ip helper-address on each client-facing SVI:
CORE-SW1(config)# interface Vlan10
CORE-SW1(config-if)# ip helper-address 10.10.20.10
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface Vlan40
CORE-SW1(config-if)# ip helper-address 10.10.20.10
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface Vlan50
CORE-SW1(config-if)# ip helper-address 10.10.20.10
CORE-SW1(config-if)# exit
The ip helper-address command converts DHCP broadcast packets into unicast packets directed at 10.10.20.10. Without it, DHCP clients in VLANs 10, 40, and 50 will never receive an IP address, because DHCP broadcasts do not cross VLAN boundaries.
Step 4: Configure Default Gateway on Access Switches
The access-layer switches (ACC-SW1, ACC-SW2, ACC-SW3) need a default gateway so their management SVIs can reach other subnets. Since these are Layer 2 switches, they use ip default-gateway:
ACC-SW1(config)# ip default-gateway 10.10.30.1
This tells ACC-SW1 to forward any management traffic (SSH, SNMP, syslog) destined outside the 10.10.30.0/24 subnet to CORE-SW1's VLAN 30 SVI.
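The checks implied by Steps 1 through 3 can be run against a saved configuration before it is deployed. The following Python audit is an added example, not part of the original lab: the function names, the sample excerpt and the 10.10.99.1 address are constructed for illustration, and the VLAN sets are taken from this page.

```python
import re

# Constructed sample running-config excerpt (not from the page): Vlan40 lacks
# its relay, Vlan50 has no SVI, and Vlan999 was wrongly given an address.
SAMPLE_CONFIG = """\
ip routing
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.10.20.10
!
interface Vlan40
 ip address 10.10.40.1 255.255.255.0
!
interface Vlan999
 ip address 10.10.99.1 255.255.255.0
!
"""
NO_GATEWAY_VLANS = {99, 999}       # native and parking VLANs in this lab
DHCP_CLIENT_VLANS = {10, 40, 50}   # VLANs that rely on the relay in Step 3

def parse_svis(config):
    """Return {vlan_id: [sub-commands]} for each 'interface VlanN' block."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface Vlan\s*(\d+)\s*$", line)
        if m:
            current = svis.setdefault(int(m.group(1)), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the block
    return svis

def audit(config):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if not re.search(r"^ip routing\s*$", config, re.M):
        findings.append("ip routing is not enabled")
    svis = parse_svis(config)
    for vlan, cmds in sorted(svis.items()):
        if vlan in NO_GATEWAY_VLANS and any(c.startswith("ip address ") for c in cmds):
            findings.append(f"Vlan{vlan}: routed SVI on native/parking VLAN")
        if vlan in DHCP_CLIENT_VLANS and not any(c.startswith("ip helper-address ") for c in cmds):
            findings.append(f"Vlan{vlan}: no ip helper-address")
    for vlan in sorted(DHCP_CLIENT_VLANS - set(svis)):
        findings.append(f"Vlan{vlan}: SVI missing")
    return findings
```

Call audit() with the text of a saved configuration; on the constructed sample it reports the missing relay on Vlan40, the routed SVI on Vlan999 and the missing Vlan50 SVI.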
Verification
show ip interface brief
CORE-SW1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan10 10.10.10.1 YES manual up up
Vlan20 10.10.20.1 YES manual up up
Vlan30 10.10.30.1 YES manual up up
Vlan40 10.10.40.1 YES manual up up
Vlan50 10.10.50.1 YES manual up up
GigabitEthernet1/0/1 unassigned YES unset up up
GigabitEthernet1/0/2 unassigned YES unset up up
Port-channel1 unassigned YES unset up up
Port-channel2 unassigned YES unset up up
All SVIs show up/up. If any show up/down, see Troubleshooting SVI Up/Down Issues for the full diagnostic walkthrough.
show ip route
CORE-SW1# show ip route
Codes: C - connected, S - static, O - OSPF
...
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Vlan10
L 10.10.10.1/32 is directly connected, Vlan10
C 10.10.20.0/24 is directly connected, Vlan20
L 10.10.20.1/32 is directly connected, Vlan20
C 10.10.30.0/24 is directly connected, Vlan30
L 10.10.30.1/32 is directly connected, Vlan30
C 10.10.40.0/24 is directly connected, Vlan40
L 10.10.40.1/32 is directly connected, Vlan40
C 10.10.50.0/24 is directly connected, Vlan50
L 10.10.50.1/32 is directly connected, Vlan50
Every VLAN subnet appears as a directly connected route. This routing table is what allows CORE-SW1 to forward packets between any two VLANs.
Ping Test Between VLANs
From a user workstation in VLAN 10 (10.10.10.50), pinging a server in VLAN 20:
PC-User> ping 10.10.20.100
Pinging 10.10.20.100 with 32 bytes of data:
Reply from 10.10.20.100: bytes=32 time<1ms TTL=127
Reply from 10.10.20.100: bytes=32 time<1ms TTL=127
Reply from 10.10.20.100: bytes=32 time<1ms TTL=127
Reply from 10.10.20.100: bytes=32 time<1ms TTL=127
Ping statistics: 4 sent, 4 received, 0% loss
The TTL decreases by 1 (from 128 to 127), confirming the packet traversed one Layer 3 hop — CORE-SW1.
Traceroute Verification
PC-User> tracert 10.10.20.100
Tracing route to 10.10.20.100 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.10.10.1
2 <1 ms <1 ms <1 ms 10.10.20.100
Trace complete.
One hop to the gateway (CORE-SW1 Vlan10 SVI), then directly to the destination. No additional hops because CORE-SW1 has a directly connected route to VLAN 20.
L3 Switch vs Router-on-a-Stick: When to Use Each
| Factor | Layer 3 Switch (SVI) | Router-on-a-Stick |
|---|---|---|
| Throughput | Wire-speed (hardware ASIC) | Limited by single link bandwidth |
| Latency | Sub-microsecond | Router processing latency |
| Scalability | Handles dozens of VLANs easily | Degrades as VLANs increase |
| Cost | Higher (L3 switch license) | Lower (any router + switch) |
| Complexity | Simpler (single device) | More cabling and config |
| Best for | Production campus networks | Small labs, CCNA study, budget environments |
For the PingLabz Switching Lab and any production campus network, SVI-based routing on a Layer 3 switch is the correct choice. Router-on-a-stick is a learning tool and a fallback for environments that lack Layer 3 switching capability. See Inter-VLAN Routing with Router-on-a-Stick for that configuration.
Integrating with Routing Protocols
Once ip routing is enabled and SVIs are configured, CORE-SW1 can participate in dynamic routing protocols. If the campus connects to a WAN or other routing domains, you can run OSPF on the SVIs:
CORE-SW1(config)# router ospf 1
CORE-SW1(config-router)# network 10.10.10.0 0.0.0.255 area 0
CORE-SW1(config-router)# network 10.10.20.0 0.0.0.255 area 0
CORE-SW1(config-router)# network 10.10.30.0 0.0.0.255 area 0
CORE-SW1(config-router)# passive-interface Vlan10
CORE-SW1(config-router)# passive-interface Vlan20
CORE-SW1(config-router)# passive-interface Vlan50
CORE-SW1(config-router)# exit
Mark user-facing SVIs as passive-interface to prevent OSPF hellos from flooding into end-device VLANs. Only SVIs that connect to other OSPF routers should form adjacencies. For a deeper dive, see the OSPF series.
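To confirm which SVIs would actually send hellos, the OSPF block can be evaluated offline by matching each SVI address against the network statements' wildcard masks. This Python check is an added example, not part of the original lab: the function names are illustrative, the SVI addresses and OSPF lines are taken from this page, and the handling of passive-interface default goes beyond the configuration shown here.

```python
import ipaddress
import re

# SVI addresses from this page; the OSPF block is the page's example as it
# would appear in a saved configuration.
SVIS = {"Vlan10": "10.10.10.1", "Vlan20": "10.10.20.1", "Vlan30": "10.10.30.1",
        "Vlan40": "10.10.40.1", "Vlan50": "10.10.50.1"}
OSPF_CONFIG = """\
router ospf 1
 passive-interface Vlan10
 passive-interface Vlan20
 passive-interface Vlan50
 network 10.10.10.0 0.0.0.255 area 0
 network 10.10.20.0 0.0.0.255 area 0
 network 10.10.30.0 0.0.0.255 area 0
"""

def wildcard_match(addr, base, wildcard):
    """IOS network-statement match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def ospf_state(svis, ospf_config):
    """Classify each SVI as 'hellos', 'passive' or 'not in OSPF'."""
    networks = re.findall(r"^\s*network (\S+) (\S+) area \S+", ospf_config, re.M)
    passive = set(re.findall(r"^\s*passive-interface (\S+)", ospf_config, re.M))
    active = set(re.findall(r"^\s*no passive-interface (\S+)", ospf_config, re.M))
    state = {}
    for name, addr in svis.items():
        if not any(wildcard_match(addr, b, w) for b, w in networks):
            state[name] = "not in OSPF"      # no network statement covers it
        elif name in passive or ("default" in passive and name not in active):
            state[name] = "passive"          # advertised, no hellos sent
        else:
            state[name] = "hellos"           # advertised, can form adjacencies
    return state

def sends_hellos(svis, ospf_config):
    """SVIs on which OSPF would send hellos and could form an adjacency."""
    return sorted(n for n, s in ospf_state(svis, ospf_config).items() if s == "hellos")
```

For the configuration above, sends_hellos() returns only Vlan30, and ospf_state() shows Vlan40 and Vlan50 as not matched by any network statement.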
Troubleshooting
Symptom: Hosts in different VLANs cannot ping each other, but hosts in the same VLAN work fine. Cause: ip routing is not enabled on CORE-SW1. Without it, the switch has SVIs that respond to their own IP but refuse to forward between subnets. Fix: Run show ip route — if it shows no connected routes for the VLAN subnets (or the command itself fails), enter ip routing in global config.
Symptom: SVI shows up/down for a specific VLAN. Cause: No active port in that VLAN on CORE-SW1. This includes trunk ports — if the VLAN is not in the trunk's allowed list, the SVI has no active ports and goes down. Fix: Verify the VLAN is in the trunk allowed list with show interfaces trunk. If the VLAN is missing, add it: switchport trunk allowed vlan add <vlan>. See Troubleshooting SVI Up/Down Issues.
Symptom: Hosts get IP addresses via DHCP but cannot reach hosts in other VLANs. Cause: The host's default gateway is wrong, or the DHCP scope hands out the wrong gateway IP. Fix: Verify the host's default gateway matches the SVI IP for its VLAN. Check the DHCP scope configuration to ensure the gateway option is correct.
Symptom: DHCP clients in VLAN 10 do not receive IP addresses. Cause: The ip helper-address is missing on the VLAN 10 SVI, or the DHCP server is unreachable from CORE-SW1. Fix: Add ip helper-address <dhcp-server-ip> under the SVI. Verify CORE-SW1 can ping the DHCP server. Check that the DHCP server has a scope for the 10.10.10.0/24 subnet.
Key Takeaways
- Layer 3 switches route between VLANs in hardware at wire speed — no external router bottleneck.
- The ip routing command is mandatory. Without it, SVIs exist but the switch will not forward between subnets.
- One SVI per VLAN acts as the default gateway. Map each SVI's IP to the VLAN's subnet (10.10.10.1 for VLAN 10, etc.).
- Use ip helper-address on client-facing SVIs to relay DHCP traffic to a centralized DHCP server.
- SVI-based routing on a Layer 3 switch is the standard for campus networks. Router-on-a-stick is for labs and budget environments.
Next: Configuring Voice VLANs on Cisco Switches for IP Phones covers the special access port configuration that lets a single port carry both data and voice traffic.