Inter-VLAN Routing

VLANs define separate broadcast domains and should be separate IP subnets. The only way to get traffic from one VLAN to another is to route between them (Inter-VLAN Routing). We have several choices for how to do this. We could have one router for every VLAN, with an Ethernet port on each connected to a switch port in each VLAN, and then interconnect all the routers; the problem here, of course, is that having so many routers and connections gets expensive and complicated, and latency can be bad.

We could get one big router with a lot of Ethernet ports and could connect one to a port in each VLAN on the switch. This is a little simpler, but still expensive and probably not as fast as it could be unless we really spend the cash.

Our last two choices are to use Router-on-a-Stick (honest, that's what it's called; we wouldn't make something like that up) or Layer 3 switching. The next section details Router-on-a-Stick.

Router-on-a-Stick

This feature takes advantage of trunk links: all VLANs can be carried across a trunk link and sorted out by the device at the other end. Suppose we built a trunk from a switch to a router? We'd need at least a FastEthernet port on the router, and it would have to support the trunking encapsulation the switch uses, either ISL (Cisco-proprietary) or 802.1Q (the IEEE standard, and the one to use). Now all we need to do is build routable interfaces, one for each VLAN.

We do this by using sub-interfaces. A sub-interface is a virtual interface spawned from a physical interface; it uses that physical interface for Layer 1 connectivity. A sub-interface can be given an IP address and mask, can be shut down or enabled, and can run routing protocols; in fact, there isn't much that a physical interface can do that a sub-interface can't. So if our router has a FastEthernet interface, we can configure it to run 802.1Q, build a sub-interface for each VLAN, give those sub-interfaces IP addresses in the appropriate subnets for each VLAN, and let the router route between the VLANs whose traffic is coming up that trunk link. A frame tagged for VLAN 10 that carries a packet addressed to a host in VLAN 30 comes up the trunk to the router's VLAN 10 sub-interface, is routed to VLAN 30, and leaves the same physical port tagged for VLAN 30 from the VLAN 30 sub-interface. The hosts in each VLAN use the IP address of the sub-interface for their VLAN as their default gateway. Keep in mind that the router undoes the isolation the switch gave you: once it is in place, any host in one VLAN can reach any host in another at Layer 3, so if some VLANs are supposed to stay apart, access lists on these sub-interfaces are where that policy is enforced.

The following example configures Router-on-a-Stick for inter-VLAN routing between VLANs 10 and 30, using 802.1Q trunking on interface FastEthernet 0/1. The switch port at the other end must be configured as an 802.1Q trunk with the same native VLAN:

Router(config)#interface fa0/1
Router(config-if)#no ip address
Router(config-if)#no shutdown
!
! The physical interface carries the trunk and gets no IP address itself
!
Router(config-if)#interface fa0/1.1
Router(config-subif)#encapsulation dot1q 1 native
!
! Creates sub-interface for the native VLAN (untagged frames).
! The VLAN number must match the native VLAN of the trunk on the switch.
!
Router(config-subif)#interface fa0/1.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 10.10.10.1 255.255.255.0
!
! Creates sub-interface for VLAN 10 and
! applies IP address in VLAN 10's subnet
!
Router(config-subif)#interface fa0/1.30
Router(config-subif)#encapsulation dot1q 30
Router(config-subif)#ip address 10.30.30.1 255.255.255.0
!
! Creates sub-interface for VLAN 30 and applies IP address in
! VLAN 30's subnet. The encapsulation command must come before
! the ip address command: IOS rejects an IP address on a
! sub-interface that has not yet been assigned a VLAN.
!
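To make the forwarding path concrete, here is an added example in Python (not code from the book, and not how Cisco IOS is implemented) that models what the router does with frames arriving on fa0/1: it parses the 802.1Q tag, maps the VLAN ID to the sub-interface table configured above, routes the packet between the directly connected subnets, decrements the TTL, fixes the IPv4 header checksum, and re-tags the frame for the egress VLAN before sending it back out the same port. It also shows two failure modes worth knowing: a frame tagged for a VLAN that has no sub-interface is dropped, and a packet whose source address does not belong to the ingress VLAN's subnet is dropped, which is the check an ingress access list on the sub-interface would enforce. The MAC addresses, hosts and ARP entries are constructed sample data, not from the page.

```python
"""Model of a Router-on-a-Stick's forwarding path on its 802.1Q trunk port (added example).
Mirrors the sub-interfaces configured above; MACs, hosts and ARP entries are constructed."""
import ipaddress
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Sub-interface table: VLAN ID -> routed interface (native VLAN 1 carries untagged frames)
SUBINTERFACES = {
    1:  {"name": "fa0/1.1",  "ip": None, "native": True},
    10: {"name": "fa0/1.10", "ip": ipaddress.ip_interface("10.10.10.1/24"), "native": False},
    30: {"name": "fa0/1.30", "ip": ipaddress.ip_interface("10.30.30.1/24"), "native": False},
}
# Constructed sample MACs (locally administered) and a pre-populated ARP cache
ROUTER_MAC = bytes.fromhex("020000000001")
HOST_A_MAC = bytes.fromhex("02000000000a")   # 10.10.10.50 in VLAN 10
HOST_B_MAC = bytes.fromhex("02000000001e")   # 10.30.30.77 in VLAN 30
ARP_TABLE = {(10, ipaddress.ip_address("10.10.10.50")): HOST_A_MAC,
             (30, ipaddress.ip_address("10.30.30.77")): HOST_B_MAC}

def build_frame(dst_mac, src_mac, vid, ethertype, payload):
    """Ethernet II frame; vid=None means untagged, i.e. native VLAN."""
    hdr = dst_mac + src_mac
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TCI with PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst_mac, src_mac, vid_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

def ipv4_checksum(hdr):
    """RFC 791 header checksum of a 20-byte header (checksum field treated as zero)."""
    total = sum(struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src_ip, dst_ip, ttl=64):
    """Minimal 20-byte IPv4 header (protocol 17, no payload) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 17, 0,
                      ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def route_frame(frame, arp_table=ARP_TABLE):
    """One frame received on the trunk -> ("forward", new_frame) or ("drop", reason)."""
    dst, _src, vid, ethertype, ip = parse_frame(frame)
    in_vid = 1 if vid is None else vid            # untagged frames belong to the native VLAN
    in_sub = SUBINTERFACES.get(in_vid)
    if in_sub is None:
        return "drop", f"VLAN {in_vid}: no sub-interface on this trunk"
    if dst != ROUTER_MAC or ethertype != ETHERTYPE_IPV4:
        return "drop", "not an IPv4 packet addressed to the router's MAC"
    if in_sub["ip"] is None:
        return "drop", f"{in_sub['name']}: no IP address, nothing to route"
    ttl, src_ip, dst_ip = ip[8], ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])
    # Ingress check an ACL on the sub-interface would enforce: the source must belong to the
    # subnet of the VLAN the frame arrived on, otherwise a host is spoofing another VLAN.
    if src_ip not in in_sub["ip"].network:
        return "drop", f"{src_ip} is not in {in_sub['name']}'s subnet {in_sub['ip'].network}"
    # Routing table: only the directly connected subnets of the sub-interfaces
    egress = [(v, s) for v, s in SUBINTERFACES.items()
              if s["ip"] is not None and dst_ip in s["ip"].network]
    if not egress:
        return "drop", f"no route to {dst_ip}"
    if ttl <= 1:
        return "drop", "TTL expired in transit"
    out_vid, out_sub = egress[0]
    next_hop_mac = arp_table.get((out_vid, dst_ip))
    if next_hop_mac is None:
        return "drop", f"no ARP entry for {dst_ip} in VLAN {out_vid}"
    # Decrement TTL, recompute the header checksum and re-tag for the egress VLAN
    new_ip = ip[:8] + bytes([ttl - 1]) + ip[9:]
    new_ip = new_ip[:10] + struct.pack("!H", ipv4_checksum(new_ip)) + new_ip[12:]
    out_tag = None if out_sub["native"] else out_vid
    return "forward", build_frame(next_hop_mac, ROUTER_MAC, out_tag, ETHERTYPE_IPV4, new_ip)

def demo():
    """Three frames arriving on fa0/1: routed, tagged for an unknown VLAN, spoofed source."""
    cases = {"routed": (10, "10.10.10.50"), "unknown_vlan": (20, "10.20.20.5"),
             "spoofed": (10, "10.30.30.5")}
    return {name: route_frame(build_frame(ROUTER_MAC, HOST_A_MAC, vid, ETHERTYPE_IPV4,
                                          build_ipv4(src, "10.30.30.77")))
            for name, (vid, src) in cases.items()}

if __name__ == "__main__":
    for name, (action, result) in demo().items():
        if action == "forward":
            dst, _, vid, _, ip = parse_frame(result)
            print(f"{name}: forward out VLAN {vid} to {dst.hex(':')}, TTL now {ip[8]}")
        else:
            print(f"{name}: drop ({result})")
```

Running the script shows the routed frame leaving with a VLAN 30 tag, the router's MAC as source and a TTL of 63, while the other two are dropped with the reason. The routing table here is just the connected subnets; a real router would also consult static and dynamic routes, and a real ingress ACL would be written explicitly rather than derived from the sub-interface subnet.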

Figure 12.12 illustrates a typical Router-on-a-Stick application.

Figure 12.12 Router-on-a-Stick.

L3 Switching

Layer 3 switching is beyond the scope of this exam but deserves mention because it is important and cool.

A Layer 3 switch can create a virtual routed interface for each VLAN (a Switched Virtual Interface, or SVI) and route between those interfaces for inter-VLAN routing. It's similar to Router-on-a-Stick, except that there is no stick: the router is internal to the switch, and forwarding is done in the switch's hardware rather than by a router CPU, so it is extremely fast. If you are routing a lot of inter-VLAN traffic, buying and configuring a Layer 3 switch will bring you serious gains in throughput.

Not every switch is Layer 3 capable; the lowly 2960 cannot do it, but a 3550 will. Layer 3 switches are more expensive than Layer 2 switches, but are much more capable.
