Inter-VLAN Routing on a Cisco Router
Layer 2 Ethernet switches provide the VLAN feature, which allows us to segment a physical LAN logically. VLANs, or virtual LANs, divide a physical network with a single broadcast domain into multiple broadcast domains. However, these layer 2 switches cannot forward traffic across multiple VLANs (and they should not!). A layer 3 switch or router is needed to perform the routing function between these VLANs, which is called inter-VLAN routing.
Router Requirements

A router that is to be employed for inter-VLAN routing must support the VLAN tagging technology used by your switches.

Switch Configurations

Traffic from multiple VLANs will be presented on a single port of the router. This is done by configuring a trunk (tagged) port on the switch. Then configure the trunk port to carry the traffic of all the VLANs for which you want to perform inter-VLAN routing. This trunk port will be connected to the router port. Make a note of the VLAN tagging method (ISL or dot1Q) that you have configured on your switch.

Router Configurations

In order to receive traffic from multiple VLANs coming from your switch on a single router port, we will create multiple logical interfaces (sub-interfaces) inside the single physical interface of the router. All of these logical interfaces will be treated as separate interfaces in the routing process. Follow these steps:

1. Select the desired interface (e.g. fastethernet 0/0 in this example) to configure and turn on the interface:

Router(config)#interface fastethernet 0/0
Router(config-if)#no shutdown
Router(config-if)#no ip address

2. Now create a logical interface in the selected physical interface:

Router(config-if)#int fastethernet 0/0.n

Here, n represents the number of the new logical interface. Although you can use any number for the new logical interface, for ease of management and later reference the recommended way is to use the VLAN number as the logical interface number. For example, to configure a logical interface for VLAN 10:

Router(config-if)#int fastethernet 0/0.10

3. Then configure the encapsulation type and VLAN for the logical interface configured above:

Router(config-subif)#encapsulation dot1q 10

The encapsulation type may be dot1q or isl, followed by the VLAN number assigned to this logical interface.

4. Configure an IP address on the logical interface:

Router(config-subif)#ip address XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY

Here XXX.XXX.XXX.XXX represents the IP address and YYY.YYY.YYY.YYY represents the subnet mask. The assigned IP address must be within the range of addresses available to the VLAN you assigned to this logical interface. This logical interface will act as the gateway for all hosts in that VLAN, for interconnection to other VLANs and networks.

You need to repeat steps 2 to 4 for each VLAN participating in inter-VLAN routing. The rest of the routing configuration will be the same as for normal subnets connected to router interfaces; all of these logical interfaces are treated exactly like separate interfaces in the routing process.

Now the all-important access lists. Configure the requisite access lists as per your organizational security policy, to allow and restrict particular traffic going from one VLAN to another, and apply them to the logical interfaces the same way you apply them to physical interfaces on a router.

In order to allow routing updates to pass through the router from one VLAN to another, it is necessary to turn off split horizon. This allows a routing update received on one interface to go out of the same interface:

Router(config-if)#no ip split-horizon

Be mindful that "no ip split-horizon" is issued on the router's particular physical interface for which you want to disable split horizon.
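The whole procedure above (switch trunk, router sub-interfaces, access list, split horizon) put together as one worked configuration. This is an added example, not configuration from the original article: the hostnames (SW1, R1), VLAN numbers 10 and 20, the subnets 192.168.10.0/24 and 192.168.20.0/24, the port numbers and the access-list policy are all constructed for illustration.

```cisco
! ===== SW1: layer 2 switch, constructed example =====
! Define the VLANs whose traffic the router will route between.
vlan 10
 name USERS
vlan 20
 name SERVERS
!
! Trunk (tagged) port towards the router. The encapsulation line is only
! needed on switches that also support ISL; dot1Q-only models omit it.
interface FastEthernet0/24
 description Trunk to R1 Fa0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 no shutdown
!
! Verify on the switch:
!   show vlan brief
!   show interfaces trunk

! ===== R1: router-on-a-stick, constructed example =====
! Step 1: physical interface carries no IP address of its own.
interface FastEthernet0/0
 description Trunk from SW1 Fa0/24
 no ip address
 no shutdown
 ! Only relevant if a distance-vector protocol (RIP, EIGRP) runs on the
 ! sub-interfaces; the article applies it to the physical interface.
 no ip split-horizon
!
! Steps 2-4 for VLAN 10: sub-interface number = VLAN number.
interface FastEthernet0/0.10
 description Gateway for VLAN 10 (USERS)
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
 ! Filter traffic entering the router from VLAN 10 hosts.
 ip access-group VLAN10-IN in
!
! Steps 2-4 repeated for VLAN 20.
interface FastEthernet0/0.20
 description Gateway for VLAN 20 (SERVERS)
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0
!
! Inter-VLAN policy (constructed): users may reach the web service on
! one server only; everything else towards the server VLAN is dropped
! and logged; traffic to any other destination is allowed.
ip access-list extended VLAN10-IN
 remark users -> https on 192.168.20.10 only
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 443
 deny   ip  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip  192.168.10.0 0.0.0.255 any
 ! implicit deny ip any any follows
!
! Verify on the router:
!   show ip interface brief
!   show ip route connected
!   show access-lists VLAN10-IN
```

Hosts in VLAN 10 use 192.168.10.1 as their default gateway and hosts in VLAN 20 use 192.168.20.1. The access list is applied inbound on the VLAN 10 sub-interface because that is the first point where the router sees the users' traffic; the counters in show access-lists and the log entries from the deny line are the quickest way to confirm the policy is actually being hit.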