The moment your network has more than one VLAN and the hosts in those VLANs need to talk to each other, you need inter-VLAN routing. There are two ways to do it on Cisco gear: a Layer 3 switch with SVIs, and a router with sub-interfaces on a trunk. Both work. One is faster, simpler, and what you should use in production. The other is what you build in the lab or on a budget. This post walks through both with real IOS XE config and explains why one wins.
For the L2 fundamentals, see the VLAN and Layer 2 switching pillar. For routing protocols that ride on top once inter-VLAN routing is in place, see the OSPF pillar.
The two approaches
| Method | How it works | Where it lives |
|---|---|---|
| Switched Virtual Interfaces (SVIs) | L3 switch creates a virtual interface per VLAN with an IP address. Forwarding happens in switch ASIC at line rate. | Modern enterprise design. Catalyst 9300/9500, Nexus 9000, anything with L3 capability. |
| Router-on-a-stick | L2 switch trunks all VLANs to a router. Router has a sub-interface per VLAN with an IP. Forwarding happens in router CPU or NPU. | Lab work, branches with an L2-only switch and a small router, or environments with strict separation between switching and routing teams. |
The performance gap between the two is large. An SVI on a Catalyst 9300 routes at wire-speed (40 Gbps+ per port). A router-on-a-stick uplink is bounded by both the router's forwarding capacity and the trunk's bandwidth, and every inter-VLAN packet crosses the trunk twice (in on one VLAN, out on another). For anything more than a small office, SVIs are the only correct answer.
The lab topology
Three VLANs across one Layer 3 switch, plus one router as the alternative router-on-a-stick path for comparison. IP scheme:
| VLAN | Name | Subnet | SVI / router subinterface IP |
|---|---|---|---|
| 10 | USERS | 10.10.10.0/24 | 10.10.10.1 |
| 20 | SERVERS | 10.10.20.0/24 | 10.10.20.1 |
| 30 | VOICE | 10.10.30.0/24 | 10.10.30.1 |
Method 1: SVIs on a Layer 3 switch
The configuration is short. Most of it is enabling routing globally and giving each VLAN's SVI an IP.
! Enable IP routing globally (off by default on Catalyst switches)
ip routing
!
! Create the VLANs in the database
vlan 10
name USERS
vlan 20
name SERVERS
vlan 30
name VOICE
!
! Create the SVI for each VLAN and give it the gateway IP
interface Vlan10
description USERS gateway
ip address 10.10.10.1 255.255.255.0
no shutdown
!
interface Vlan20
description SERVERS gateway
ip address 10.10.20.1 255.255.255.0
no shutdown
!
interface Vlan30
description VOICE gateway
ip address 10.10.30.1 255.255.255.0
no shutdown
!
! Access ports assigned to their VLANs
interface range GigabitEthernet1/0/1 - 12
switchport mode access
switchport access vlan 10
spanning-tree portfast
!
interface range GigabitEthernet1/0/13 - 24
switchport mode access
switchport access vlan 20
spanning-tree portfastThat is it. A host in VLAN 10 with default gateway 10.10.10.1 can now ping a host in VLAN 20 with default gateway 10.10.20.1. The switch's ASIC handles the forwarding in hardware.
Verify it worked:
Switch# show ip route connected
C 10.10.10.0/24 is directly connected, Vlan10
C 10.10.20.0/24 is directly connected, Vlan20
C 10.10.30.0/24 is directly connected, Vlan30
Switch# show ip interface brief | exclude unassigned
Interface IP-Address OK? Method Status Protocol
Vlan10 10.10.10.1 YES manual up up
Vlan20 10.10.20.1 YES manual up up
Vlan30 10.10.30.1 YES manual up upThe "Protocol up" on each SVI matters. An SVI is "up/up" only if there is at least one active access or trunk port carrying that VLAN. If no port is in the VLAN, the SVI shows up/down even if the IP is configured correctly. That single behavior catches many "my gateway is unreachable" troubleshooting sessions.
Method 2: Router-on-a-stick
The switch is L2-only. A single uplink trunk to the router carries all three VLANs. The router has three sub-interfaces, one per VLAN.
On the switch:
vlan 10
name USERS
vlan 20
name SERVERS
vlan 30
name VOICE
!
! Trunk uplink to the router
interface GigabitEthernet1/0/24
description Uplink to R1 (router-on-a-stick)
switchport mode trunk
switchport trunk allowed vlan 10,20,30
switchport trunk encapsulation dot1q ! Some platforms need this; others infer
!
! Access ports as before
interface range GigabitEthernet1/0/1 - 12
switchport mode access
switchport access vlan 10
spanning-tree portfastOn the router:
interface GigabitEthernet0/0
no shutdown
! No IP on the physical; all IP lives on sub-interfaces
!
interface GigabitEthernet0/0.10
description USERS gateway
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
description SERVERS gateway
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
description VOICE gateway
encapsulation dot1Q 30
ip address 10.10.30.1 255.255.255.0The router routes between the sub-interfaces just like it would between two physical interfaces. The frame comes in tagged for VLAN 10, gets stripped to a packet, gets routed, and gets re-tagged for VLAN 20 on the way back out the same physical interface.
Verify on the router:
R1# show ip route
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0.10
C 10.10.20.0/24 is directly connected, GigabitEthernet0/0.20
C 10.10.30.0/24 is directly connected, GigabitEthernet0/0.30Performance comparison
| Metric | SVI on L3 switch | Router-on-a-stick |
|---|---|---|
| Forwarding rate | Line rate per port (multi-Gbps to 100G+) | Bounded by router CPU/NPU and the single trunk |
| Latency added per inter-VLAN hop | Microseconds (ASIC) | Hundreds of microseconds to milliseconds (software forwarding) |
| Bottleneck | Per-port bandwidth | Trunk bandwidth (and every packet crosses it twice) |
| Failure domain if router/switch fails | One physical box. Mitigate with stack/VSS/StackWise Virtual. | One physical box. Mitigate with HSRP/VRRP on the router pair. |
The voice VLAN special case
On a port serving an IP phone with a daisy-chained PC, two VLANs ride one port: the data VLAN (untagged) and the voice VLAN (tagged, sometimes called "auxiliary VLAN"). The configuration:
interface GigabitEthernet1/0/5
switchport mode access
switchport access vlan 10
switchport voice vlan 30
spanning-tree portfastThe phone learns the voice VLAN via CDP or LLDP-MED from the switch and starts tagging its own traffic. The PC plugged into the phone sends untagged frames that the switch puts into VLAN 10. The router or SVI then handles routing between the two as usual.
Common gotchas
| Symptom | Cause |
|---|---|
| Hosts in VLAN A cannot ping hosts in VLAN B | ip routing is not enabled globally on the L3 switch. (Default off on many Catalyst lines.) |
| SVI shows up/down even with correct IP | No active port in the VLAN. Bring up at least one access port assigned to that VLAN. |
| One VLAN routes, another does not (router-on-a-stick) | Sub-interface encapsulation dot1Q <id> missing or wrong VLAN number. |
| VLAN works on trunk but native VLAN traffic fails | Native VLAN mismatch between switch and router/peer switch. Force native VLAN consistency or never use native VLAN for routed traffic. |
| Inter-VLAN ping works but iperf shows tiny throughput | Router-on-a-stick uplink is saturated. Either upgrade the trunk to higher-speed or migrate to SVI on an L3 switch. |
Key takeaways
SVIs on a Layer 3 switch are the right answer for inter-VLAN routing in any environment with more than one or two access switches. Router-on-a-stick is the right answer for labs and small branches with L2-only switches. The two configs are syntactically different but conceptually identical: each VLAN gets an L3 interface with the gateway IP, and traffic between VLANs flows through it. The performance gap between hardware-forwarded SVI traffic and software-forwarded router-on-a-stick traffic is what drives the design choice for production.
For the L2 foundations, see the VLAN pillar.
