Virtual local area network (VLAN) technology isolates broadcast domains, preventing users in different VLANs from communicating with each other. However such users sometimes need to communicate, so inter-vlan communication is needed.
Generally, there are three ways to implement inter-VLAN communication.
1. Using a Router’s Physical Interfaces
As the following figure, PC1 and PC2 are belong to different VLAN( and network segments). To enable communication between the PCs, R1 connects to SW1 through two physical interfaces (GE0/0/1 and G0E/0/2). The two physical interfaces are set as the default gateways of PCs in VLAN 10 and VLAN 20, respectively. So the router can forward traffic from one network segment to another.
The Layer 3 interfaces of the router cannot process data frames with VLAN tags. Therefore, the interfaces of the switch connected to the router must be set to the access type.
One physical interface of the router can function as the gateway of only one VLAN, meaning that the number of required physical interfaces is determined by the quantity of the deployed VLANs. Therefore, the scalability of Layer 3 communication using the physical interfaces of a router is poor.
2. Using a Router’s Sub-interfaces
A sub-interface is a logical interface created on a router's Ethernet interface and is identified by a physical interface number and a sub-interface number. Similar to a physical interface, a sub-interface can perform Layer 3 forwarding.
And different from a physical interface, a sub-interface can terminate data frames with VLAN tags. You can create multiple sub-interfaces on one physical interface. After connecting the physical interface to the trunk interface of the switch, the physical interface can provide Layer 3 forwarding services for multiple VLANs.
As the following figure, R1 connects to SW1 through a physical interface (GE0/0/1). Two sub-interface(GE0/0/1.10 and GE0/0/1.20) are created on the physical interface and used as the default gateways of VLAN 10 and VLAN 20, respectively.
When R1 receives a data frame with VLAN 10, it forwards the frame to GE 0/0/1.10 for processing. GE0/0/1.10 removes the VLAN 10 and forwards the frame without the VLAN tag to GE0/0/1.20, GE0/0/1.20 adds the VLAN tag 20 to the frame and forwards the frame to SW1.
This shows that a sub-interface implements VLAN tag termination as follows:
l Removes VLAN tags from the received packets before forwarding or processing the packets.
l Adds VLAN tags to the packets before forwarding the packets.
Sub-interface configuration
[R1]interface GigabitEthernet0/0/1.10 // Creates a sub-interface. For easy memorization, a sub-interface number is generally the same as the VLAN ID to be terminated on the sub-interface.
[R1-GigabitEthernet0/0/1.10]dot1q termination vid 10 // Enable dot1q VLAN tag termination for single-tagged packets on a sub-interface.
[R1-GigabitEthernet0/0/1.10j]ip address 192.168.10.254 24
[R1-GigabitEthernet0/0/1.10]arp broadcast enable // By default ARP broadcast is not enabled on VLAN tag termination sub-interfaces. VLAN tag termination sub-interfaces cannot forward broadcast packets and automatically discard received ones.
3. Using VLAN-IF interfaces
A Layer 2 switch provides only Layer 2 switching functions. A Layer 3 switch provides routing functions through Layer 3 interfaces (such as VLANIF interfaces) as well as the functions of a Layer 2 Switch. A VLANIF interface is a Layer 3 logical interface that can remove and add VLAN tags. VLANIF interfaces therefore can be used to implement inter-VLAN communication. A VLANIF interface number is the same as the ID of its corresponding VLAN. For example, VLANIF 10 is created based on VLAN 10.
As the following figure, assumes that the required ARP or MAC address entries already exist on the PCs and the Layer 3 Switch.
The communication process between PC1 and PC2 is as follows:
1. PC1 performs a calculation based on its local IP address and finds that the destination device PC2 is not on its network segment. PC1 then determines that Layer 3 communication is required and sends the traffic destined for PC2 to its gateway. Data frame Sent by PC1: Source MAC = MAC1, destination MAC = MAC2
2. After receiving the packet sent from PC1 to PC2,the switch decapsulates the packet and finds that the destination MAC address is the MAC address of VLANIF 10. The switch then sends the packet to the routing module for further processing.
3. The routing module finds that the destination IP address is 192.168.20.2, which is not the IP address of its local interface, and determines that this packet needs to be forwarded at Layer 3. By searching the routing table, the routing module finds a matching route - the direct route generated by VLANIF 20 - for this packet.
4. Because the matching route is a direct route, the switch determines that the packet has reached the last hop. It searches its ARP table for 192.168.20.2, obtains the corresponding MAC address, and sends the packet to the switching module for re-encapsulation.
5. The switching module searches its MAC address table to determine the outbound interface of the frame and whether the frame needs to carry a VLAN tag. Data frame sent by the switching module: source MAC = MAC2,destination MAC = MAC3,VLAN tag = none.
VLAN-if configuration.
Basic configurations:
[SW1]vlan batch 10 20
[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] port link-type access
[SW1-GigabitEthernet0/0/1] port default vlan 10
[SW1] interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2] port link-type access
[SW1-GigabitEthernet0/0/2] port default vlan 20
Configure VLANIF interfaces:
[SW1]interface Vlanif 10
[SW1-Vlanif10]ip address 192.168.10.254 24
[SW1]interfaceVlanif20
[SW1-Vlanif20]ip address 192.168.20.254 24
The interface vlanif vlan-id command creates a VLANIF interface and displays the VLANIF interface view. The vlan-id specifies the ID of the VLAN associated with the VLANIF interface. The IP address of a VLANIF interface is used as the gateway IP address of a PC and must be on the same network segment as the IP address of the PC.
