/
Sign up to Ping Labz!
Already have an account? Sign in
VLAN

Inter-VLAN Routing: SVI vs Router-on-a-Stick (with Real IOS XE Config)

The two ways to route between VLANs on Cisco: SVIs on an L3 switch and router-on-a-stick. Real IOS XE config for both, the performance gap, and the gotchas.
J
5 min read
Inter-VLAN routing SVI vs router-on-a-stick feature image, PingLabz
Table of Contents
In: VLAN, Fundamentals

The moment your network has more than one VLAN and the hosts in those VLANs need to talk to each other, you need inter-VLAN routing. There are two ways to do it on Cisco gear: a Layer 3 switch with SVIs, and a router with sub-interfaces on a trunk. Both work. One is faster, simpler, and what you should use in production. The other is what you build in the lab or on a budget. This post walks through both with real IOS XE config and explains why one wins.

For the L2 fundamentals, see the VLAN and Layer 2 switching pillar. For routing protocols that ride on top once inter-VLAN routing is in place, see the OSPF pillar.

The two approaches

Switched Virtual Interfaces (SVIs)
How it works
L3 switch creates a virtual interface per VLAN with an IP address. Forwarding happens in switch ASIC at line rate.
Where it lives
Modern enterprise design. Catalyst 9300/9500, Nexus 9000, anything with L3 capability.
Router-on-a-stick
How it works
L2 switch trunks all VLANs to a router. Router has a sub-interface per VLAN with an IP. Forwarding happens in router CPU or NPU.
Where it lives
Lab work, branches with an L2-only switch and a small router, or environments with strict separation between switching and routing teams.

The performance gap between the two is large. An SVI on a Catalyst 9300 routes at wire-speed (40 Gbps+ per port). A router-on-a-stick uplink is bounded by both the router's forwarding capacity and the trunk's bandwidth, and every inter-VLAN packet crosses the trunk twice (in on one VLAN, out on another). For anything more than a small office, SVIs are the only correct answer.

The lab topology

Three VLANs across one Layer 3 switch, plus one router as the alternative router-on-a-stick path for comparison. IP scheme:

USERS
VLAN10
Subnet10.10.10.0/24
SVI / router subinterface IP10.10.10.1
SERVERS
VLAN20
Subnet10.10.20.0/24
SVI / router subinterface IP10.10.20.1
VOICE
VLAN30
Subnet10.10.30.0/24
SVI / router subinterface IP10.10.30.1

Method 1: SVIs on a Layer 3 switch

The configuration is short. Most of it is enabling routing globally and giving each VLAN's SVI an IP.

! Enable IP routing globally (off by default on Catalyst switches)
ip routing
!
! Create the VLANs in the database
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 30
 name VOICE
!
! Create the SVI for each VLAN and give it the gateway IP
interface Vlan10
 description USERS gateway
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 description SERVERS gateway
 ip address 10.10.20.1 255.255.255.0
 no shutdown
!
interface Vlan30
 description VOICE gateway
 ip address 10.10.30.1 255.255.255.0
 no shutdown
!
! Access ports assigned to their VLANs
interface range GigabitEthernet1/0/1 - 12
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface range GigabitEthernet1/0/13 - 24
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast

That is it. A host in VLAN 10 with default gateway 10.10.10.1 can now ping a host in VLAN 20 with default gateway 10.10.20.1. The switch's ASIC handles the forwarding in hardware.

Verify it worked:

Switch# show ip route connected
C        10.10.10.0/24 is directly connected, Vlan10
C        10.10.20.0/24 is directly connected, Vlan20
C        10.10.30.0/24 is directly connected, Vlan30

Switch# show ip interface brief | exclude unassigned
Interface              IP-Address      OK?  Method Status                Protocol
Vlan10                 10.10.10.1      YES  manual up                    up
Vlan20                 10.10.20.1      YES  manual up                    up
Vlan30                 10.10.30.1      YES  manual up                    up

The "Protocol up" on each SVI matters. An SVI is "up/up" only if there is at least one active access or trunk port carrying that VLAN. If no port is in the VLAN, the SVI shows up/down even if the IP is configured correctly. That single behavior catches many "my gateway is unreachable" troubleshooting sessions.

Method 2: Router-on-a-stick

The switch is L2-only. A single uplink trunk to the router carries all three VLANs. The router has three sub-interfaces, one per VLAN.

On the switch:

vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 30
 name VOICE
!
! Trunk uplink to the router
interface GigabitEthernet1/0/24
 description Uplink to R1 (router-on-a-stick)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk encapsulation dot1q     ! Some platforms need this; others infer
!
! Access ports as before
interface range GigabitEthernet1/0/1 - 12
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

On the router:

interface GigabitEthernet0/0
 no shutdown
 ! No IP on the physical; all IP lives on sub-interfaces
!
interface GigabitEthernet0/0.10
 description USERS gateway
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description SERVERS gateway
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 description VOICE gateway
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0

The router routes between the sub-interfaces just like it would between two physical interfaces. The frame comes in tagged for VLAN 10, gets stripped to a packet, gets routed, and gets re-tagged for VLAN 20 on the way back out the same physical interface.

Verify on the router:

R1# show ip route
C    10.10.10.0/24 is directly connected, GigabitEthernet0/0.10
C    10.10.20.0/24 is directly connected, GigabitEthernet0/0.20
C    10.10.30.0/24 is directly connected, GigabitEthernet0/0.30

Performance comparison

Forwarding rate
SVI on L3 switch
Line rate per port (multi-Gbps to 100G+)
Router-on-a-stick
Bounded by router CPU/NPU and the single trunk
Latency added per inter-VLAN hop
SVI on L3 switchMicroseconds (ASIC)
Router-on-a-stick
Hundreds of microseconds to milliseconds (software forwarding)
Bottleneck
SVI on L3 switchPer-port bandwidth
Router-on-a-stick
Trunk bandwidth (and every packet crosses it twice)
Failure domain if router/switch fails
SVI on L3 switch
One physical box. Mitigate with stack/VSS/StackWise Virtual.
Router-on-a-stick
One physical box. Mitigate with HSRP/VRRP on the router pair.

The voice VLAN special case

On a port serving an IP phone with a daisy-chained PC, two VLANs ride one port: the data VLAN (untagged) and the voice VLAN (tagged, sometimes called "auxiliary VLAN"). The configuration:

interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
 spanning-tree portfast

The phone learns the voice VLAN via CDP or LLDP-MED from the switch and starts tagging its own traffic. The PC plugged into the phone sends untagged frames that the switch puts into VLAN 10. The router or SVI then handles routing between the two as usual.

Common gotchas

Hosts in VLAN A cannot ping hosts in VLAN B
ip routing is not enabled globally on the L3 switch. (Default off on many Catalyst lines.)
SVI shows up/down even with correct IP
No active port in the VLAN. Bring up at least one access port assigned to that VLAN.
One VLAN routes, another does not (router-on-a-stick)
Sub-interface encapsulation dot1Q <id> missing or wrong VLAN number.
VLAN works on trunk but native VLAN traffic fails
Native VLAN mismatch between switch and router/peer switch. Force native VLAN consistency or never use native VLAN for routed traffic.
Inter-VLAN ping works but iperf shows tiny throughput
Router-on-a-stick uplink is saturated. Either upgrade the trunk to higher-speed or migrate to SVI on an L3 switch.

Key takeaways

SVIs on a Layer 3 switch are the right answer for inter-VLAN routing in any environment with more than one or two access switches. Router-on-a-stick is the right answer for labs and small branches with L2-only switches. The two configs are syntactically different but conceptually identical: each VLAN gets an L3 interface with the gateway IP, and traffic between VLANs flows through it. The performance gap between hardware-forwarded SVI traffic and software-forwarded router-on-a-stick traffic is what drives the design choice for production.

For the L2 foundations, see the VLAN pillar.

Written by

J

View all posts
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.