Troubleshooting Inter-VLAN Routing: SVIs, Router-on-a-Stick, and ARP Issues

Inter-VLAN routing failures are usually caused by SVIs in down state, missing routes, DHCP misconfiguration, or ARP timeouts. Learn to diagnose and fix them systematically.

The Inter-VLAN Routing Architecture

When a host on VLAN 10 needs to reach a host on VLAN 20, one of two paths handles the routing:

  1. Multilayer Switch (SVI-based): SVIs (Switched Virtual Interfaces) on CORE-SW1 or DIST-SW1 route between VLANs. Routing is enabled on the switch with the ip routing global command.
  2. Router on a Stick (Subinterface-based): R1-GW has a subinterface (Gi0/0/1.10, Gi0/0/1.20, etc.) for each VLAN, and the external router routes between them.

Both architectures can fail at different points. Let's diagnose the common problems.

Scenario 1: SVI in Down State (No Ports in VLAN)

Symptom: A user on VLAN 10 cannot ping the VLAN 10 gateway (10.10.10.254). There are no routing errors; the failure is local to VLAN 10.

Network Setup:

  • Gateway SVI: VLAN 10 on CORE-SW1, IP 10.10.10.254.
  • Access Port: Gi1/0/10 (ACC-SW1) in VLAN 10, with host PC-1.

Step 1: Check SVI State

CORE-SW1# show interfaces Vlan 10
Vlan10 is down, line protocol is down
  Hardware is EtherSVI, address is 1111.2222.3333 (bia 1111.2222.3333)
  Internet address is 10.10.10.254 255.255.255.0
  MTU 1500 bytes, BW 1000000 Kbit/sec
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 2w3d
  Encapsulation failed, 0 collisions, 0 late collision
  0 input errors, 0 output errors, 0 collisions, 0 interface resets
  0 unknown protocol drops
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  0 output buffer failures, 0 output buffers swapped out

DIAGNOSIS: Vlan10 interface is down/down. An SVI goes down when there are no ports in its VLAN in an up state.

Step 2: Check if Ports Exist in VLAN 10

CORE-SW1# show vlan id 10
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   Users                            active    none

CORE-SW1# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8
10   Users                            active    none

DIAGNOSIS: VLAN 10 exists but has zero ports. The SVI cannot come up without at least one port in the VLAN (up/up).

Root Cause: All access ports in VLAN 10 are either down, blocked by STP, or deleted. Let's check the distribution switch:

DIST-SW1# show vlan id 10
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   Users                            active    Gi1/0/10, Gi1/0/11, Gi1/0/12

DIST-SW1# show interfaces GigabitEthernet1/0/10 status
Port        Name                   Status       Vlan       Duplex Speed Type
Gi1/0/10    PC-1                   connected    10         full   auto  10/100/1000BaseTX

Ports exist on DIST-SW1. But the VLAN must be carried to CORE-SW1 via a trunk. Check the trunk:

DIST-SW1# show interfaces Port-Channel 1 trunk
Port        Vlans allowed on trunk
Po1         10,20,30,40,99,100

Port        Vlans allowed and active in management domain
Po1         10,20,30,40,99,100

Port        Vlans in spanning tree forwarding state and not pruned
Po1         10,20,30,40,99,100

VLAN 10 is active and forwarding on the trunk. It should arrive at CORE-SW1. Check:

CORE-SW1# show vlan id 10
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   Users                            active    Po1

Good, the VLAN is present on CORE-SW1, and it sees Po1 as a member. But earlier, we saw VLAN 10 on CORE-SW1 had "none" in the ports field. Let me re-check:

CORE-SW1# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   Users                            active    Po1

So VLAN 10 has Po1 in it. The SVI should be up. But it showed as down earlier. Let's check again:

CORE-SW1# show interfaces Vlan 10 brief
Interface             Status          IP Address      Mask         Encapsulation
Vlan10                down            10.10.10.254    255.255.255.0 ARPA

Step 3: Check if IP Routing is Enabled

CORE-SW1# show ip route
% Routing tables are not initialized

DIAGNOSIS: IP routing is not enabled on CORE-SW1.

FIX: Enable routing:

CORE-SW1# configure terminal
CORE-SW1(config)# ip routing
CORE-SW1(config)# end

Verification:

CORE-SW1# show interfaces Vlan 10
Vlan10 is up, line protocol is up
  Hardware is EtherSVI, address is 1111.2222.3333 (bia 1111.2222.3333)
  Internet address is 10.10.10.254 255.255.255.0

SVI is now up/up. The host can now ping 10.10.10.254.


Scenario 2: All Ports in VLAN Are Down/Blocked

Symptom: VLAN 20 SVI shows up/up on CORE-SW1, but hosts in VLAN 20 cannot communicate.

Step 1: Check SVI State

CORE-SW1# show interfaces Vlan 20
Vlan20 is up, line protocol is up
  Internet address is 10.10.20.254 255.255.255.0

SVI is up.

Step 2: Check Ports in VLAN 20

CORE-SW1# show vlan id 20
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
20   Servers                          active    Po1

Po1 is a member. Let's check STP state:

CORE-SW1# show spanning-tree vlan 20 interface Port-Channel 1
Interface Po1 in VLAN 20
 Role: Root Port
 State: Forwarding

Po1 is forwarding for VLAN 20. Let's check the other side:

DIST-SW1# show spanning-tree vlan 20 interface Port-Channel 1
Interface Po1 in VLAN 20
 Role: Designated Port
 State: Blocking

DIAGNOSIS: Po1 is blocked for VLAN 20 on DIST-SW1! This is a spanning tree issue.

Root Cause: There may be a loop or another switch presenting itself as root for VLAN 20. Check the root bridge:

DIST-SW1# show spanning-tree vlan 20
...
Root ID    Priority  32788
           Address   1111.2222.3333
           Cost      0
           Port      0 (Root)
...

DIST-SW1 itself is the root for VLAN 20. It's blocking the port back to CORE-SW1.

Typical Cause: DIST-SW1 has a lower priority or bridge ID than CORE-SW1. If CORE-SW1 should be the root, increase DIST-SW1's priority:

DIST-SW1# configure terminal
DIST-SW1(config)# spanning-tree vlan 20 priority 32768
DIST-SW1(config)# end

Wait for STP convergence (30-50 seconds):

DIST-SW1# show spanning-tree vlan 20 interface Port-Channel 1
Interface Po1 in VLAN 20
 Role: Root Port
 State: Forwarding

Po1 is now forwarding. VLAN 20 hosts can now communicate.


Scenario 3: Wrong Default Gateway on Client

Symptom: Client on VLAN 30 (IP 10.10.30.50, gateway 10.10.30.254) cannot ping servers on VLAN 20. Ping to the VLAN 30 gateway works. Ping to 10.10.20.5 times out.

Network Setup:

  • VLAN 30 gateway: 10.10.30.254 on CORE-SW1.
  • VLAN 20 server: 10.10.20.5 on a server in VLAN 20.

Step 1: Check Routing on CORE-SW1

CORE-SW1# show ip route
C   10.10.10.0/24 is directly connected, Vlan10
C   10.10.20.0/24 is directly connected, Vlan20
C   10.10.30.0/24 is directly connected, Vlan30
C   10.10.40.0/24 is directly connected, Vlan40
C   10.10.50.0/24 is directly connected, Vlan50

Routes exist for all VLANs. Routing works.

Step 2: Verify Client Configuration

PC-30# ipconfig /all
Windows IP Configuration
...
   IPv4 Address. . . . . . . . . . . : 10.10.30.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.40.254
   ...

DIAGNOSIS: The client's default gateway is 10.10.40.254 (VLAN 40), not 10.10.30.254 (VLAN 30). The client is routing through the wrong gateway.

FIX: Reconfigure the client's default gateway or use DHCP with correct configuration:

PC-30# ipconfig /all
Default Gateway . . . . . . . . . . : 10.10.30.254

Now pings to VLAN 20 servers work.

Root Cause (If DHCP Assigned Wrong Gateway): Check DHCP server configuration:

CORE-SW1# show ip dhcp binding | include 10.10.30
IP address       Hardware address        Type   State                 Expiration
10.10.30.50      aabb.ccdd.eeff         DHCP   Active              Mar 28 2026 10:02 AM

Find the DHCP pool config:

CORE-SW1# show running-config | include dhcp
ip dhcp pool VLAN30
 network 10.10.30.0 255.255.255.0
 default-router 10.10.40.254
 ! (Wrong gateway!)

FIX: Correct the DHCP pool:

CORE-SW1# configure terminal
CORE-SW1(config)# ip dhcp pool VLAN30
CORE-SW1(config-dhcp)# default-router 10.10.30.254
CORE-SW1(config-dhcp)# exit
CORE-SW1(config)# end

Clients renewing DHCP will now get the correct gateway.


Scenario 4: ARP Not Resolving Across VLANs

Symptom: Client in VLAN 10 at 10.10.10.50 can ping the VLAN 10 gateway (10.10.10.254) but cannot ping the VLAN 20 gateway (10.10.20.254). Ping gives "Reply from 10.10.10.50" then times out with no response from 10.10.20.254.

Step 1: Check ARP Table on Client

PC-10# arp -a
Interface: 10.10.10.50 --- 0x2
  Internet Address      Physical Address      Type
  10.10.10.254          1111.2222.3333        dynamic
  10.10.20.254          (incomplete)
  10.10.10.50           aabb.ccdd.eeff        dynamic

ARP entry for 10.10.20.254 is incomplete. The client sent an ARP request but got no response.

Step 2: Check if Gateway Can Ping Back to Client

CORE-SW1# ping 10.10.10.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 10.10.10.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), roundtrip min/avg/max = 1/1/2 ms

VLAN 10 gateway can reach the client. The gateway can also reply to ARP:

CORE-SW1# show arp | include 10.10.10.50
Internet  10.10.10.50             1   aabb.ccdd.eeff  ARPA   Vlan10

Step 3: Verify VLAN 20 Gateway is Responding

CORE-SW1# show interfaces Vlan 20
Vlan20 is up, line protocol is up

The gateway is up. But is it reachable from VLAN 10? Routing may be blocked. Check STP for VLAN 10 to VLAN 20 path:

CORE-SW1# show spanning-tree vlan 10 interface Port-Channel 1
Interface Po1 in VLAN 10
 Role: Designated Port
 State: Forwarding

CORE-SW1# show spanning-tree vlan 20 interface Port-Channel 1
Interface Po1 in VLAN 20
 Role: Root Port
 State: Blocking

DIAGNOSIS: Po1 is blocked for VLAN 20. ARP requests from VLAN 10 clients cannot reach the VLAN 20 gateway because the port is blocked.

FIX: Resolve the STP blocking (as shown in Scenario 2).


Scenario 5: Router-on-a-Stick Subinterface Encapsulation Mismatch

Symptom: Traffic from VLAN 10 (routed by R1-GW via subinterface) cannot reach VLAN 10 servers. Routing appears to work (shows up/up) but data doesn't flow.

DIST-SW1 Config (Trunk to R1-GW):

interface GigabitEthernet1/0/25
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport trunk native vlan 99

R1-GW Config:

interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/1.10
 encapsulation dot1q 10 native
 ip address 10.10.10.254 255.255.255.0
!
interface GigabitEthernet0/0/1.20
 encapsulation dot1q 20
 ip address 10.10.20.254 255.255.255.0

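DIAGNOSIS: The encapsulation on GigabitEthernet0/0/1.10 specifies native, which makes the router treat this subinterface as the native (untagged) VLAN, while the native VLAN on the DIST-SW1 trunk is 99. The subinterface carries the VLAN 10 address, so VLAN 10 traffic must be tagged with ID 10 on both ends of the trunk.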

FIX: Remove native from the subinterface:

R1-GW# configure terminal
R1-GW(config)# interface GigabitEthernet0/0/1.10
R1-GW(config-subif)# no encapsulation dot1q 10 native
R1-GW(config-subif)# encapsulation dot1q 10
R1-GW(config-subif)# ip address 10.10.10.254 255.255.255.0
R1-GW(config-subif)# end

Verification:

R1-GW# show interfaces GigabitEthernet0/0/1.10
GigabitEthernet0/0/1.10 is up, line protocol is up
  Hardware is BuiltInEthernetSVI, address is 2222.3333.4444
  Internet address is 10.10.10.254 255.255.255.0
  MTU 1500 bytes, BW 1000000 Kbit/sec
  Encapsulation 802.1Q Virtual LAN, VLAN ID 10.

VLAN 10 traffic now flows through the subinterface.
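
The Scenario 5 comparison can be run as an offline check over saved configs. The script below is an added example, not part of the original article: the sample text is constructed from the DIST-SW1 and R1-GW excerpts above (the .50 subinterface is an extra constructed case), and the function names are hypothetical.

```python
import re

# Constructed sample, shaped like the DIST-SW1 and R1-GW excerpts in Scenario 5.
SWITCH_TRUNK = """\
interface GigabitEthernet1/0/25
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport trunk native vlan 99
"""
ROUTER_CONFIG = """\
interface GigabitEthernet0/0/1.10
 encapsulation dot1q 10 native
 ip address 10.10.10.254 255.255.255.0
interface GigabitEthernet0/0/1.20
 encapsulation dot1q 20
 ip address 10.10.20.254 255.255.255.0
interface GigabitEthernet0/0/1.50
 encapsulation dot1q 50
 ip address 10.10.50.254 255.255.255.0
"""

def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_subinterfaces(switch_cfg, router_cfg):
    """Compare router dot1q subinterfaces with the switch trunk's tagging rules."""
    native = re.search(r"switchport trunk native vlan (\d+)", switch_cfg)
    native_vlan = int(native.group(1)) if native else 1  # IOS default native VLAN is 1
    allowed = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", switch_cfg)
    allowed_vlans = expand_vlans(allowed.group(1)) if allowed else set(range(1, 4095))
    findings = []
    pattern = r"interface (\S+)\n encapsulation dot1[qQ] (\d+)( native)?"
    for name, vlan, is_native in re.findall(pattern, router_cfg):
        vlan = int(vlan)
        if is_native and vlan != native_vlan:
            findings.append(f"{name}: VLAN {vlan} untagged on router, trunk native is {native_vlan}")
        if not is_native and vlan == native_vlan:
            findings.append(f"{name}: VLAN {vlan} tagged on router, untagged on trunk")
        if vlan not in allowed_vlans:
            findings.append(f"{name}: VLAN {vlan} not in trunk allowed list")
    return findings
```

On the sample input it reports the native mismatch on Gi0/0/1.10 and the VLAN 50 subinterface that the trunk does not carry.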


Scenario 6: DHCP Relay Not Configured

Symptom: VLAN 30 clients cannot obtain IP addresses via DHCP. Manual IP configuration works fine.

Network Setup:

  • DHCP Server: 10.10.20.5 (wired directly to the switch, no relay needed in VLAN 20).
  • VLAN 30 Client: Tries DHCP, gets no response.

Step 1: Check if DHCP Server is Reachable

VLAN30-CLIENT# ping 10.10.20.5
Pinging 10.10.20.5 with 32 bytes of data:
Reply from 10.10.20.5: bytes=32 time=2ms TTL=63
Reply from 10.10.20.5: bytes=32 time=1ms TTL=63
Reply from 10.10.20.5: bytes=32 time=2ms TTL=63

Ping works. Routing works. But DHCP is failing.

Step 2: Check DHCP Configuration on Gateway

CORE-SW1# show running-config | include dhcp
ip dhcp pool VLAN20
 network 10.10.20.0 255.255.255.0
 host 10.10.20.5 255.255.255.0

VLAN 20 has a local DHCP server. But for VLAN 30, there's no DHCP pool. The gateway should relay DHCP requests from VLAN 30 to the DHCP server in VLAN 20.

FIX: Configure DHCP relay on the VLAN 30 SVI:

CORE-SW1# configure terminal
CORE-SW1(config)# interface Vlan 30
CORE-SW1(config-if)# ip helper-address 10.10.20.5
CORE-SW1(config-if)# end

Verification:

CORE-SW1# show running-config interface Vlan 30 | include helper
 ip helper-address 10.10.20.5

VLAN 30 clients now receive DHCP leases from the server in VLAN 20.
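
Both DHCP faults covered so far, the off-subnet default-router in Scenario 3 and the SVI with no DHCP source in Scenario 6, can be caught by auditing a saved running-config. This is an added example, not part of the original article: the sample config is constructed (Vlan40 and Vlan50 are illustrative), the function names are hypothetical, and it assumes network and ip address lines use a dotted subnet mask.

```python
import ipaddress

# Constructed sample config, modelled on the CORE-SW1 excerpts in Scenarios 3 and 6.
SAMPLE_CONFIG = """\
ip dhcp pool VLAN30
 network 10.10.30.0 255.255.255.0
 default-router 10.10.40.254
interface Vlan30
 ip address 10.10.30.254 255.255.255.0
interface Vlan40
 ip address 10.10.40.254 255.255.255.0
 ip helper-address 10.10.20.5
interface Vlan50
 ip address 10.10.50.254 255.255.255.0
"""

def sections(config):
    """Split IOS-style config into {header line: [indented child lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            current = out.setdefault(line.strip(), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return out

def child(body, prefix):
    """Return the arguments of the first child line starting with prefix, else None."""
    return next((l[len(prefix):].split() for l in body if l.startswith(prefix)), None)

def audit_dhcp(config):
    """Flag pools whose default-router is off-subnet and SVIs with no DHCP source."""
    findings, pool_nets, secs = [], [], sections(config)
    for header, body in secs.items():
        net, gw = child(body, "network "), child(body, "default-router ")
        if header.startswith("ip dhcp pool ") and net:
            network = ipaddress.ip_network("/".join(net[:2]))
            pool_nets.append(network)
            if gw and ipaddress.ip_address(gw[0]) not in network:
                findings.append(f"pool {header.split()[-1]}: default-router {gw[0]} outside {network}")
    for header, body in secs.items():
        addr = child(body, "ip address ")
        if header.startswith("interface Vlan") and addr and len(addr) >= 2:
            svi_net = ipaddress.ip_interface("/".join(addr[:2])).network
            if svi_net not in pool_nets and child(body, "ip helper-address ") is None:
                findings.append(f"{header.split()[-1]}: no pool or ip helper-address for {svi_net}")
    return sorted(findings)

print("\n".join(audit_dhcp(SAMPLE_CONFIG)))
```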


Scenario 7: Asymmetric Routing (Traffic Doesn't Return)

Symptom: A client in VLAN 10 can ping a server in VLAN 20 successfully (request goes out, reply comes back). But when the server initiates traffic to the client, the client doesn't receive it.

Typical Cause: Return traffic takes a different path that is blocked.

Diagnosis Steps:

  1. From client to server:

CLIENT-10# tracert 10.10.20.5
Tracing route to 10.10.20.5 over a maximum of 30 hops:
  1  10.10.10.254 (gateway in VLAN 10) [1 ms]
  2  10.10.20.5 (server in VLAN 20) [2 ms]

  2. From server to client:

SERVER-20# tracert 10.10.10.50
Tracing route to 10.10.10.50
  1  10.10.20.254 (gateway in VLAN 20) [1 ms]
  2  Request timed out (path broken?) [timeout]

Diagnosis: Return traffic is hitting a blocked port or a different gateway. Check if Po1 is blocked for VLAN 10:

DIST-SW1# show spanning-tree vlan 10 interface Port-Channel 1
Interface Po1 in VLAN 10
 Role: Alternate Port
 State: Blocked

FIX: Adjust STP priorities or link costs to make both directions use the same path, or add a secondary uplink configured as backup root for VLAN 10.


Systematic Inter-VLAN Routing Troubleshooting Checklist

  1. Gateway SVI state (on the multilayer switch):
       show interfaces vlan <vlan> | include line protocol
       show running-config | include ip routing
       ! Confirm the SVI is up/up and 'ip routing' is enabled.
  2. Ports in the VLAN:
       show vlan id <vlan>
       ! At least one port must be in the VLAN (up).
  3. Routes exist:
       show ip route
       ! Confirm routes are present for both source and destination VLANs.
  4. STP not blocking the path:
       show spanning-tree vlan <vlan> interface <port>
       ! Confirm "Forwarding" state.
  5. ARP working:
       show arp | include <ip>
       ! Gateway must have an ARP entry for the client.
  6. Default gateway correct (on client):
       ipconfig /all
       ! Default gateway must match the VLAN's gateway IP.
  7. DHCP relay (if using an external DHCP server):
       show running-config interface vlan <vlan> | include helper
       ! Relay must be configured.
  8. Router-on-a-stick encapsulation (if used):
       show interfaces <subinterface>
       ! VLAN ID must match the subinterface tag.

Key Takeaways

  • SVIs must have at least one port in an up state to become active; enabling ip routing is also mandatory.
  • ARP resolution across VLANs depends on the gateway being able to send replies back to the requesting VLAN; blocked STP ports break this.
  • Default gateway on the client must match the VLAN's gateway IP; verify via ipconfig or DHCP pool configuration.
  • DHCP relay (ip helper-address) is required when the DHCP server is on a different VLAN than the client.
  • Router-on-a-stick subinterface encapsulation must match the VLAN tag, and native VLAN should only be specified if the subinterface is for the native VLAN.
  • Use show spanning-tree vlan <vlan> interface <port> to diagnose STP-based blocking of inter-VLAN paths, not the port's operational status.

© 2025 Ping Labz. All rights reserved.