Uploaded by Mark Brown
Configuring InterVLAN Routing with Catalyst 3750/3560/3550 Series Switches

Updated: September 26, 2014

Document ID: 41260
Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Background Theory
Configure
Network Diagram
Configurations
Verify
Troubleshoot
Troubleshooting Procedure
Related Information

Introduction
This document explains how to configure interVLAN routing with Cisco Catalyst
3750/3560/3550 series switches. The document provides a sample configuration for interVLAN
routing with a Catalyst 3550 series switch that runs enhanced multilayer image (EMI) software
in a typical network scenario. The document uses a Catalyst 2950 series switch and a Catalyst
2948G switch as Layer 2 (L2) closet switches that connect to the Catalyst 3550. The Catalyst
3550 configuration also has a default route for all traffic that goes to the Internet when the next
hop points to a Cisco 7200VXR router. You can substitute a firewall or other routers for the
Cisco 7200VXR router.

Prerequisites
Requirements

Ensure that you meet these requirements before you attempt this configuration:

Knowledge of how to create VLANs

For more information, refer to Creating Ethernet VLANs on Catalyst Switches.

Knowledge of how to create VLAN trunks

For more information, refer to the Configuring VLAN Trunks section of Configuring VLANs.

Components Used

The information in this document is based on these software and hardware versions:

Catalyst 3550-48 that runs Cisco IOS Software Release 12.1(12c)EA1 EMI

Catalyst 2950G-48 that runs Cisco IOS Software Release 12.1(12c)EA1 EI

Catalyst 2948G that runs Catalyst OS (CatOS) version 6.3(10)

Note: The configuration from the Cisco 7200VXR is not relevant, so this document does not
show the configuration.

The information in this document was created from the devices in a specific lab environment. All
of the devices used in this document started with a cleared (default) configuration. If your
network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with these hardware and software versions:

Any Catalyst 3750/3560/3550 switch that runs EMI software or standard multilayer image (SMI) Cisco
IOS Software Release 12.1(11)EA1 and later

Any Catalyst 2900XL/3500XL/2950/3550 or CatOS switch model, used as the access layer switch

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Theory
In a switched network, VLANs separate devices into different collision domains and Layer 3
(L3) subnets. Devices within a VLAN can communicate with each other without the need for
routing. Devices in separate VLANs require a routing device to communicate with one another.

L2-only switches require an L3 routing device. The device is either external to the switch or in
another module on the same chassis. A new breed of switches incorporates routing capability
within the switch. An example is the 3550. The switch receives a packet, determines that the
packet belongs to another VLAN, and sends the packet to the appropriate port on the other
VLAN.

A typical network design segments the network based on the group or function to which the
device belongs. For example, the engineering VLAN only has devices that relate to the
engineering department, and the finance VLAN only has devices that relate to finance. If you
enable routing, the devices in each VLAN can talk to one another without the need for all the
devices to be in the same broadcast domain. Such a VLAN design also has an additional benefit.
The design allows the administrator to restrict communication between VLANs with use of
access lists. In the example in this document, you can use access lists to restrict the engineering
VLAN from access to devices on the finance VLAN.

The switch does not route non-IP packets between VLANs and routed ports. You can forward
these non-IP packets with fallback bridging. In order to use this feature, you must have the IP
services image, formerly known as the enhanced multilayer image (EMI), installed on your
switch.

Here is a link to a video (available on Cisco Support Community) that demonstrates how to
configure interVLAN routing on a Catalyst 3550 series switch:

How To Configure InterVLAN Routing On Layer 3 Switches

Configure
In this section, you are presented with the information to configure the features described in this
document.

Note: Use the Command Lookup Tool (registered customers only) to find more information on
the commands used in this document.

Network Diagram

This document uses this network setup:


In this diagram, the Catalyst 3550 provides interVLAN routing between the various segments
of a small sample network. By default, the Catalyst 3550 switch acts as an L2 device with
IP routing disabled. In order to make the switch function as an L3 device and provide
interVLAN routing, you must enable IP routing globally.

These VLANs are the three VLANs that the user defines:

VLAN 2 - user VLAN

VLAN 3 - server VLAN

VLAN 10 - management VLAN

The default gateway configured on each server and host device must be the IP address of the
corresponding VLAN interface on the 3550. For example, for servers, the default gateway is
10.1.3.1. The access layer switches, which are the Catalyst 2950 and 2948G, are trunked to the
Catalyst 3550 switch.

The default route for the Catalyst 3550 points to the Cisco 7200VXR router. The Catalyst 3550
uses this default route to route traffic destined for the Internet. Therefore, traffic for which the
3550 does not have a routing table entry is forwarded to the 7200VXR for processing.

Practical Tips

Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native
VLAN on one end of the trunk is different than the native VLAN on the other end, the traffic of the native
VLANs on both sides cannot be transmitted correctly on the trunk. This failure to transmit correctly can imply
some connectivity issues in your network.

Separate the management VLAN from the user or server VLAN, as in this diagram. The management
VLAN is different from the user or server VLAN. With this separation, any broadcast/packet storm that occurs in
the user or server VLAN does not affect the management of switches.

Do not use VLAN 1 for management. All ports in Catalyst switches default to VLAN 1, and any devices
that connect to nonconfigured ports are in VLAN 1. The use of VLAN 1 for management can cause potential
issues for the management of switches, as the second tip explains.

Use a Layer 3 (routed) port to connect to the default gateway port. In this example, you can easily replace a
Cisco 7200VXR router with a firewall that connects to the Internet gateway router.

Do not run a routing protocol between the Catalyst 3550 and the Internet gateway router. This example
configures a static default route on the 3550 instead. This setup is best if there is only one route to the Internet.
Make sure to configure static routes, preferably summarized, on the gateway router (7200VXR) for subnets that
can be reached by the Catalyst 3550. This step is very important because this configuration does not use routing
protocols.

If you have two Catalyst 3550 switches in your network, you can dual connect the access layer switches to
both 3550 switches. Run Hot Standby Router Protocol (HSRP) between the switches to provide redundancy in
the network. For more information on the configuration of HSRP, refer to the Configuring HSRP section of
Configuring IP Services.

If you need additional bandwidth for the uplink ports, you can configure EtherChannel. EtherChannel also
provides link redundancy in the case of a link failure.
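
The tips above that can be read off a configuration file can be checked mechanically. This Python audit is an added example, not part of the original Cisco document; the function names and the CORE_OK and CORE_BAD sample configurations are constructed for illustration. It flags an addressed VLAN 1 interface, several addressed VLAN interfaces without `ip routing`, access ports without `switchport mode access`, and a native VLAN mismatch between two trunk ends.

```python
import re

def parse_interfaces(config):
    """Map interface name -> its sub-commands (IOS running-config text)."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = ifaces.setdefault(m.group(1), [])
        elif raw[:1].isspace() and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command closes the block
    return ifaces

def native_vlan(cmds):
    m = re.search(r"^switchport trunk native vlan (\d+)$", "\n".join(cmds), re.M)
    return int(m.group(1)) if m else 1  # unset means VLAN 1

def native_mismatch(cfg_a, port_a, cfg_b, port_b):
    """Return (a, b) when the two trunk ends disagree on the native VLAN."""
    a = native_vlan(parse_interfaces(cfg_a).get(port_a, []))
    b = native_vlan(parse_interfaces(cfg_b).get(port_b, []))
    return None if a == b else (a, b)

def audit(config):
    """Check one running-config against the page's tips; return findings."""
    ifaces, findings = parse_interfaces(config), []
    up = [n for n, c in ifaces.items() if re.fullmatch(r"Vlan\d+", n)
          and "shutdown" not in c and any(x.startswith("ip address ") for x in c)]
    if "Vlan1" in up:
        findings.append("Vlan1: addressed and not shut down (VLAN 1 used for management)")
    if len(up) > 1 and not re.search(r"^ip routing\s*$", config, re.M):
        findings.append("global: several SVIs addressed but 'ip routing' is missing")
    for name, cmds in ifaces.items():
        if "switchport mode access" not in cmds and any(
                c.startswith("switchport access vlan ") for c in cmds):
            findings.append(f"{name}: access VLAN set without 'switchport mode access'")
    return findings

# Constructed samples: CORE_OK follows the page's 3550 layout, CORE_BAD breaks the tips.
CORE_OK = """ip routing
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
interface Vlan1
 no ip address
 shutdown
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
"""
CORE_BAD = """interface FastEthernet0/5
 switchport access vlan 3
interface GigabitEthernet0/1
 switchport trunk native vlan 99
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
"""
```
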

Configurations

This document uses these configurations:

Catalyst 3550

Catalyst 2950

Catalyst 2948G

Catalyst 3550 (Catalyst 3550-48 Switch)

Cat3550#show running-config
Building configuration...

Current configuration : 3092 bytes

version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

hostname Cat3550

ip subnet-zero

!--- Enable IP routing for interVLAN routing.
ip routing
!
!
spanning-tree extend system-id

interface FastEthernet0/1
 no ip address

!--- Output suppressed.

interface FastEthernet0/5
 description to SERVER_1
!--- Configure the server port to be in the server VLAN, VLAN 3.
 switchport access vlan 3
!--- Configure the port to be an access port to prevent trunk negotiation delays.
 switchport mode access
 no ip address
!--- Configure PortFast for initial Spanning Tree Protocol (STP) delay. Refer to
!--- Using PortFast and Other Commands to Fix Workstation Startup Connectivity Delays
!--- for more information.
 spanning-tree portfast

!--- Output suppressed.

interface FastEthernet0/48
 description To Internet_Router
!--- The port that connects to the router converts into a routed (L3) port.
 no switchport
!--- Configure the IP address on this port.
 ip address 200.1.1.1 255.255.255.252

interface GigabitEthernet0/1
 description To 2950
!--- Configure IEEE 802.1 (dot1q) trunking, with negotiation, on the L2 switch.
!--- If there is not support for Dynamic Trunking Protocol (DTP) on the far switch,
!--- issue the switchport mode trunk command to force the switch port to trunk mode.
!--- Note: The default trunking mode is dynamic auto. If you establish a trunk link
!--- with the default trunking mode, the trunk does not appear
!--- in the configuration, even though a trunk has been established on
!--- the interface. Use the show interfaces trunk command to verify the
!--- establishment of the trunk.
 switchport trunk encapsulation dot1q
 no ip address

interface GigabitEthernet0/2
 description To 2948G
 switchport trunk encapsulation dot1q
 no ip address

interface Vlan1
 no ip address
 shutdown

interface Vlan2
 description USER_VLAN
!--- This IP address is the default gateway for users.
 ip address 10.1.2.1 255.255.255.0

interface Vlan3
 description SERVER_VLAN
!--- This IP address is the default gateway for servers.
 ip address 10.1.3.1 255.255.255.0

interface Vlan10
 description MANAGEMENT_VLAN
!--- This IP address is the default gateway for other L2 switches.
 ip address 10.1.10.1 255.255.255.0
!
ip classless
!--- This route statement allows the 3550 to send Internet traffic to
!--- the default router which, in this case, is the 7200VXR (Fe0/0 interface).
ip route 0.0.0.0 0.0.0.0 200.1.1.2
ip http server

line con 0
line vty 5 15

end

Note: Because the 3550 is configured as a VLAN Trunk Protocol (VTP) server, the switch does
not display the VTP configuration. This behavior is standard. These commands, issued from
global configuration mode, create a VTP server with the three VLANs that the user defined:

Cat3550(config)#vtp domain cisco
Cat3550(config)#vtp mode server
Cat3550(config)#vlan 2
Cat3550(config-vlan)#name USER_VLAN
Cat3550(config-vlan)#exit
Cat3550(config)#vlan 3
Cat3550(config-vlan)#name SERVER_VLAN
Cat3550(config-vlan)#exit
Cat3550(config)#vlan 10
Cat3550(config-vlan)#name MANAGEMENT

Catalyst 2950 (Catalyst 2950G-48 Switch)

Cat2950#show running-config
Building configuration...

Current configuration : 2883 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

hostname Cat2950

ip subnet-zero

spanning-tree extend system-id

interface FastEthernet0/1
 no ip address

!--- Output suppressed.

interface FastEthernet0/16
 no ip address

interface FastEthernet0/17
 description SERVER_2
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast

!--- Output suppressed.
!
interface FastEthernet0/33
 description HOST_1
!--- Configure HOST_1 to be the user VLAN, VLAN 2.
 switchport access vlan 2
 switchport mode access
 no ip address
 spanning-tree portfast

!--- Output suppressed.

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 no ip address

interface GigabitEthernet0/2
 no ip address

interface Vlan1
 no ip address
 no ip route-cache
 shutdown

interface Vlan10
 description MANAGEMENT
!--- This IP address manages this switch.
 ip address 10.1.10.2 255.255.255.0
 no ip route-cache
!
!--- Configure the default gateway so that the switch is reachable from other
!--- VLANs/subnets. The gateway points to the VLAN 10 interface on the 3550.
ip default-gateway 10.1.10.1
ip http server

line con 0
line vty 5 15

end

Note: Because the Catalyst 2950 is configured as a VTP client, the switch does not display the
VTP configuration. This behavior is standard. The 2950 acquires the VLAN information from
the VTP server, which is the 3550. These commands, issued from global configuration mode,
make the 2950 a VTP client in the VTP domain cisco:

Cat2950(config)#vtp domain cisco
Cat2950(config)#vtp mode client

Catalyst 2948G Switch

Cat2948G> (enable) show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
...........
..................
..

begin

# ***** NON-DEFAULT CONFIGURATION *****

#time: Fri Jun 30 1995, 05:04:47
!
#version 6.3(10)

#system web interface version(s)

#test

#system
set system name Cat2948G

#frame distribution method
set port channel all distribution mac both

#vtp
!--- Configure the VTP domain to be the same as the 3550, the VTP server.
set vtp domain cisco
!--- Choose the VTP mode as client for this switch.
set vtp mode client

#ip
!--- Configure the management IP address in VLAN 10.
set interface sc0 10 10.1.10.3/255.255.255.0 10.1.10.255
set interface sl0 down
set interface me1 down
!--- Define the default route so that the switch is reachable.
set ip route 0.0.0.0/0.0.0.0 10.1.10.1
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.6-3-10.bin

#module 1 : 0-port Switching Supervisor

#module 2 : 50-port 10/100/1000 Ethernet
!--- Configure HOST_2 and SERVER_3 ports in respective VLANs.
set vlan 2 2/2
set vlan 3 2/23
set port name 2/2 To HOST_2
set port name 2/23 to SERVER_3
!--- Configure trunk to 3550 with dot1q encapsulation.
set trunk 2/49 desirable dot1q 1-1005

end

Verify
This section provides information you can use to confirm your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show
commands. Use the OIT to view an analysis of show command output.

Catalyst 3550

show vtp status

Cat3550#show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : cisco
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x54 0xC0 0x4A 0xCE 0x47 0x25 0x0B 0x49
Configuration last modified by 200.1.1.1 at 3-1-93 01:06:24
Local updater ID is 10.1.2.1 on interface Vl2 (lowest numbered VLAN interface found)

show interfaces trunk

Cat3550#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Gi0/1     desirable    802.1q         trunking      1
Gi0/2     desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Gi0/1     1-4094
Gi0/2     1-4094

Port      Vlans allowed and active in management domain
Gi0/1     1-3,10
Gi0/2     1-3,10

Port      Vlans in spanning tree forwarding state and not pruned
Gi0/1     1-3,10
Gi0/2     1-3,10

show ip route

Cat3550#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 200.1.1.2 to network 0.0.0.0

     200.1.1.0/30 is subnetted, 1 subnets
C       200.1.1.0 is directly connected, FastEthernet0/48
     10.0.0.0/24 is subnetted, 3 subnets
C       10.1.10.0 is directly connected, Vlan10
C       10.1.3.0 is directly connected, Vlan3
C       10.1.2.0 is directly connected, Vlan2
S*   0.0.0.0/0 [1/0] via 200.1.1.2

Catalyst 2950

show vtp status

Cat2950#show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 250
Number of existing VLANs        : 8
VTP Operating Mode              : Client
VTP Domain Name                 : cisco
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x54 0xC0 0x4A 0xCE 0x47 0x25 0x0B 0x49
Configuration last modified by 200.1.1.1 at 3-1-93 01:06:24

show interfaces trunk

Cat2950#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Gi0/1     desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Gi0/1     1-4094

Port      Vlans allowed and active in management domain
Gi0/1     1-3,10

Port      Vlans in spanning tree forwarding state and not pruned
Gi0/1     1-3,10

Catalyst 2948G

show vtp domain

Cat2948G> (enable) show vtp domain
Domain Name   Domain Index   VTP Version   Local Mode   Password
cisco         1              2             client

Vlan-count   Max-vlan-storage   Config Revision   Notifications
8            1023               3                 disabled

Last Updater   V2 Mode    Pruning    PruneEligible on Vlans
200.1.1.1      disabled   disabled   2-1000

show trunk

Cat2948G> (enable) show trunk
* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
2/49      desirable    dot1q          trunking      1

Port      Vlans allowed on trunk
2/49      1-1005

Port      Vlans allowed and active in management domain
2/49      1-3,10

Port      Vlans in spanning tree forwarding state and not pruned
2/49      1-3,10

Troubleshoot
Use this section to troubleshoot your configuration.

Troubleshooting Procedure

Follow these instructions:

1. If you are not able to ping devices within the same VLAN, check the VLAN assignment of the source and
destination ports to make sure that the source and destination are in the same VLAN.

In order to check the VLAN assignment, issue the show port mod/port command for CatOS or the show
interface status command for Cisco IOS Software.

If the source and destination are not in the same switch, make sure that you have configured trunking properly. In
order to check the configuration, issue the show trunk command for CatOS or the show interfaces trunk
command for Cisco IOS Software. Also, check that the native VLAN matches on either side. Make sure that the
subnet mask matches between the source and destination devices.

2. If you are not able to ping devices in different VLANs, make sure that you can ping the respective default
gateway.

Note: See Step 1.

Also, make sure that the default gateway of the device points to the correct VLAN interface IP address. Make
sure that the subnet mask matches.

3. If you are not able to reach the Internet, make sure that the default route on the 3550 points to the correct IP
address, and that the subnet address matches the Internet gateway router.

In order to check, issue the show ip interface interface-id command and the show ip route command. Make sure
that the Internet gateway router has routes to the Internet and the internal networks.
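
Steps 2 and 3 above come down to address arithmetic that can be checked before touching a device. This Python check is an added example, not part of the original Cisco document; it uses the VLAN interface addresses, routed port address and default route from the Catalyst 3550 configuration shown earlier, and the function names and host values passed to it are assumptions.

```python
import ipaddress

# Addresses taken from the Catalyst 3550 configuration in this document.
SVIS = {"Vlan2": "10.1.2.1/24", "Vlan3": "10.1.3.1/24", "Vlan10": "10.1.10.1/24"}
UPLINK = "200.1.1.1/30"          # routed port FastEthernet0/48
DEFAULT_NEXT_HOP = "200.1.1.2"   # ip route 0.0.0.0 0.0.0.0 200.1.1.2

def check_host(ip, mask, gateway, svis=SVIS):
    """Step 2: compare a host's IP settings with the SVI that serves its subnet."""
    host = ipaddress.ip_interface(f"{ip}/{mask}")
    for name, addr in svis.items():
        svi = ipaddress.ip_interface(addr)
        if host.ip not in svi.network:
            continue
        problems = []
        if host.network != svi.network:
            problems.append(f"mask {mask} does not match {name} ({svi.network})")
        if ipaddress.ip_address(gateway) != svi.ip:
            problems.append(f"gateway {gateway} is not the {name} address {svi.ip}")
        return problems
    return [f"{ip} is in no VLAN interface subnet"]

def check_default_route(next_hop=DEFAULT_NEXT_HOP, uplink=UPLINK):
    """Step 3: the default route's next hop must be a neighbor on the routed port."""
    link = ipaddress.ip_interface(uplink)
    hop = ipaddress.ip_address(next_hop)
    if hop not in link.network:
        return f"next hop {hop} is outside {link.network}"
    if hop == link.ip:
        return f"next hop {hop} is the switch's own address"
    if hop in (link.network.network_address, link.network.broadcast_address):
        return f"next hop {hop} is not a usable host address in {link.network}"
    return None

if __name__ == "__main__":
    # Constructed host: a server in VLAN 3 with a wrong mask and the user VLAN gateway.
    for problem in check_host("10.1.3.20", "255.255.0.0", "10.1.2.1"):
        print(problem)
    print(check_default_route() or "default route next hop is on the uplink subnet")
```
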
