VLANs and Inter-VLAN Routing

# CHAPTER 12

VLANs and Inter-VLAN Routing #

1. Introduction #

In Chapter 1, we defined a Switch as a device that connects computers together within a single building. But what if you have a massive 48-port switch, and you want to separate the HR computers from the Guest Wi-Fi computers for security? Historically, you had to buy two entirely separate physical switches. Today, we use software. We can digitally slice a single physical switch into multiple virtual switches using VLANs (Virtual Local Area Networks). However, a major architectural problem arises: computers in different VLANs are mathematically isolated. They cannot talk to each other. In this chapter, we will learn how to bridge that gap using the critical concept of Inter-VLAN Routing.

2. Learning Objectives #

By the end of this chapter, you will be able to:

• Define the concept and security benefits of a VLAN.

• Understand how VLAN Tagging (802.1Q) works.

• Explain why a Layer 2 Switch cannot route traffic between different VLANs.

• Describe the architectural design of "Router-on-a-Stick."

• Explain the function of a Layer 3 (Multilayer) Switch.

3. Beginner-friendly Explanations #

The Virtual Walls: Imagine a large open-plan office (a physical switch). Everyone can hear everyone else shouting (Broadcast traffic). You want the Accounting team to have a private conversation. Instead of building a physical brick wall to separate them, you use soundproof glass partitions (VLANs).

• VLAN 10 (Accounting)

• VLAN 20 (Marketing)

People inside VLAN 10 can only hear other people in VLAN 10. They are completely isolated from VLAN 20.

The Messenger (Inter-VLAN Routing): What if Accounting needs to pass a document to Marketing? They cannot pass it through the glass wall. They must hand the document to the Office Manager (The Router). The Office Manager walks out of the Accounting room, walks into the Marketing room, and hands over the document. This is Inter-VLAN Routing.

4. VLAN Basics and Tagging #

When you configure a switch, you assign physical ports to a specific VLAN.

• Ports 1-10 -> VLAN 10 (IP Subnet: 10.0.10.0/24)

• Ports 11-20 -> VLAN 20 (IP Subnet: 10.0.20.0/24)

When a packet leaves the switch to go to the router, the switch must tell the router which VLAN the packet came from. It does this using 802.1Q VLAN Tagging. The switch literally injects a tiny "Tag" containing the number 10 or 20 into the Ethernet Frame.

5. Router-on-a-Stick Architecture #

How do you connect the Router to the Switch? If you have 5 VLANs, you could plug 5 physical cables from the Switch into 5 different ports on the Router. This is incredibly wasteful.

The Solution: Router-on-a-Stick.

1. 1. You run a single physical cable from the Switch to the Router.

1. 2. You configure that switch port as a Trunk Port. A Trunk Port is allowed to carry traffic for ALL VLANs simultaneously.

1. 3. On the Router, you take the single physical interface (GigabitEthernet0/1) and chop it up into Sub-Interfaces (GigabitEthernet0/1.10, GigabitEthernet0/1.20).

1. 4. You assign each Sub-Interface to a different VLAN and give it the Default Gateway IP address for that VLAN.

*Traffic Flow:* The packet from Accounting (VLAN 10) goes up the stick to the router. The router receives it on Sub-Interface .10, removes the VLAN 10 tag, routes it, applies a VLAN 20 tag, sends it out Sub-Interface .20, and it travels back down the exact same stick to Marketing.

6. The Modern Upgrade: Layer 3 Switches #

Router-on-a-Stick was the standard for 20 years. However, sending all internal building traffic up a single physical cable creates a massive bandwidth bottleneck.

Today, enterprise networks use Layer 3 Switches (Multilayer Switches). A Layer 3 Switch is a hybrid: it has the high-speed physical ports of a Switch, but the internal "brain" (Routing Table) of a Router. It can route traffic between VLANs internally on its own silicon microchips at lightning speed, completely eliminating the need for an external Router-on-a-Stick.

7. Diagrams/Visual Suggestions #

*Visual Concept: Router-on-a-Stick* Draw a Router at the top, a Switch at the bottom, connected by one vertical line (The Stick). Below the switch, draw two PCs (Red PC in VLAN 10, Blue PC in VLAN 20). Draw the path of the data from the Red PC, up the stick to the router, turning around inside the router, and coming back down the stick to the Blue PC.

8. Best Practices #

• Security through Segmentation: You must always place your IoT devices (Smart TVs, Security Cameras, Wi-Fi Thermostats) into an isolated VLAN. These devices are notoriously insecure. If a hacker breaches your Smart TV, and it is on the same VLAN as your HR database, the hacker has instant access. If it is on an isolated VLAN, the router's firewall can strictly block the TV from ever speaking to the HR servers.

9. Common Mistakes #

• Native VLAN Mismatch: A Trunk Port carries tagged traffic. However, it also carries "untagged" traffic on a designated "Native VLAN" (usually VLAN 1 by default). If the switch thinks the Native VLAN is 1, but the router thinks the Native VLAN is 99, all untagged management traffic will fall into a black hole and the network will fail.

10. Mini Project: Subnet Planning for VLANs #

When deploying VLANs, you must tie every VLAN to a unique IP Subnet. Plan a small office:

• VLAN 10 (Management): 10.0.10.0/24 | Default Gateway: 10.0.10.1

• VLAN 20 (Employees): 10.0.20.0/24 | Default Gateway: 10.0.20.1

• VLAN 30 (Guest Wi-Fi): 10.0.30.0/24 | Default Gateway: 10.0.30.1

*Notice the organizational symmetry. Making the third octet of the IP address match the VLAN ID is an enterprise best practice.*

11. Practice Exercises #

1. 1. Explain why a Layer 2 Switch cannot physically forward a packet from VLAN 10 to VLAN 20 without the assistance of a routing device.

1. 2. Contrast the architectural bandwidth limitations of a Router-on-a-Stick setup versus a Layer 3 Multilayer Switch.

12. MCQs with Answers #

13. Interview Questions #

• Q: Explain the concept of Inter-VLAN routing. Why is it necessary to use a Router (or Layer 3 Switch) to allow communication between two computers on the same physical switch?

• Q: Describe the Router-on-a-Stick architecture. How are router sub-interfaces utilized in this design?

• Q: From a cybersecurity perspective, explain the immense value of network segmentation using VLANs.

14. FAQs #

Q: Can I ping a computer in another VLAN if I don't have a router? A: Absolutely not. VLANs physically segment the broadcast domain at Layer 2. Without a Layer 3 routing device to act as the default gateway and bridge the two subnets, the two computers are mathematically invisible to each other.

15. Summary #

In Chapter 12, we brought routing inside the building. We explored Virtual LANs (VLANs), the software mechanism used to segment a single physical switch into isolated security zones. We identified the fundamental problem of Layer 2 isolation and solved it using Inter-VLAN Routing. We mapped the legacy, single-cable Router-on-a-Stick architecture, relying on 802.1Q trunking and router sub-interfaces, and contrasted it with the high-speed modern deployment of Layer 3 Multilayer Switches. By mastering VLAN routing, we can architect secure, segmented corporate LANs.

16. Next Chapter Recommendation #

We know how to route data across physical switch ports. But what if there are no cables at all? Proceed to Chapter 13: Wireless Routing and Wi-Fi Networks.