The general principle of VLAN implementation is to isolate networks and so reduce the size of the existing broadcast domain. In doing so, however, many users are cut off from users in other VLAN domains, and layer three (IP) communication must be established so that those broadcast domains can communicate again through reachable routes. A layer three switch offers an ideal means of supporting VLAN routing while reducing operating costs. One constraint of VLAN routing, however, is the need for strict IP address management.
In general, VLAN routing is applicable to small-scale networks in which users belong to different network segments and users' IP addresses are seldom changed.
After VLANs are configured, hosts in different VLANs are unable to communicate directly with each other at Layer 2. It is therefore necessary to facilitate communication by creating routes between VLANs. There are two main methods of achieving this. The first relies on a router connected to the layer 2 switch: inter-VLAN traffic is sent to the router, routed, and then forwarded to the intended destination. This may be done over a separate physical link per VLAN, which wastes ports and adds link utilization, or over a single physical interface carrying all VLANs, as shown in the example.
The second method relies on a layer 3 switch, which performs the functions of both the switch and the router in a single device and is therefore more cost effective.
In order to allow communication over a single trunk interface, the physical link must be logically segmented using sub-interfaces. Each sub-interface represents a logical link on which VLAN traffic is received before being routed by the router out of other logical sub-interfaces towards other VLAN destinations. Each sub-interface must be assigned an IP address in the same network segment as the VLAN it is created for, together with 802.1Q encapsulation so that traffic can be associated with its VLAN as it is routed between VLANs.
It is also necessary to configure the type of the Ethernet port of the switch that connects to the router as either a Trunk or Hybrid link type, and allow frames of the associated VLANs (VLAN 2 & VLAN 3 in this case) to pass.
The trunk link between the switch and the router must be established so that it can carry traffic for multiple VLANs, using the port link-type trunk or port link-type hybrid command together with the port trunk allow-pass vlan 2 3 or port hybrid vlan 2 3 command respectively. Once the trunk is established, the VLAN sub-interfaces must be implemented to allow the logical forwarding of traffic between VLANs over the trunk link.
The sub-interface on a router is defined in the interface view using the interface <interface-type interface-number.sub-interface number> command, where the sub-interface number identifies the logical channel within the physical interface. The dot1q termination vid <vlan-id> command performs two specific functions. When the sub-interface receives a tagged VLAN frame, it first removes the VLAN tag and then forwards the packet via layer three routing.
For packets being sent out, the sub-interface adds a tag to the frame before sending it, in accordance with the VLAN and IP settings of the router’s logical interface. Finally, the arp-broadcast enable command is applied to each logical interface. This is necessary because ARP broadcasting is not enabled on sub-interfaces by default. If ARP broadcasts remain disabled on the sub-interface, the router discards the packets directly. The route to the sub-interface is then effectively a blackhole route, since the packet is lost without a trace. If ARP broadcasts are enabled on the sub-interface, the system is able to construct a tagged ARP broadcast packet and send it from the sub-interface.
Following the configuration of VLAN routing between VLAN 2 and VLAN 3, the ping application can be used to verify reachability. The example demonstrates how Host A (192.168.2.2) in VLAN 2 is able to reach Host B (192.168.3.2) in VLAN 3. The TTL reflects that the packet has traversed the router to reach its destination.
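The forwarding path just described can be seen in a small model. The following Python block is an added example, not code from the original text or from any vendor: it builds an 802.1Q-tagged frame from Host A, strips the tag on the ingress sub-interface as dot1q termination does, routes by destination IP with the TTL decremented by one hop, and re-tags the frame for VLAN 3. It also models the ARP behaviour: when the egress sub-interface has no ARP entry for the destination and ARP broadcast is disabled, the packet is dropped (the blackhole case), while with ARP broadcast enabled a tagged ARP request would be sent. All MAC addresses and the host addresses used are constructed values; the IP header checksum is not recomputed in this model.

```python
"""Simulated 802.1Q sub-interface forwarding (router on a stick).

Added example; models dot1q termination on router sub-interfaces:
strip tag on ingress, route by IP (TTL - 1), add tag on egress, and
the ARP-broadcast blackhole case. All addresses are constructed.
"""
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses (not from the original text).
ROUTER_MAC = bytes.fromhex("00aabb000001")
HOST_A_MAC = bytes.fromhex("00aabb0000a2")
HOST_B_MAC = bytes.fromhex("00aabb0000b3")


def build_frame(dst_mac, src_mac, vid, ttl, src_ip, dst_ip):
    """Build a minimal 802.1Q-tagged frame carrying a 20-byte IPv4 header."""
    ip = bytearray(20)
    ip[0] = 0x45                               # IPv4, IHL = 5 words
    struct.pack_into("!H", ip, 2, len(ip))     # total length
    ip[8] = ttl
    ip[9] = 1                                  # protocol: ICMP
    ip[12:16] = ipaddress.IPv4Address(src_ip).packed
    ip[16:20] = ipaddress.IPv4Address(dst_ip).packed
    tag = struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ETHERTYPE_IPV4)
    return dst_mac + src_mac + tag + bytes(ip)


def strip_tag(frame):
    """Ingress side of dot1q termination: remove the 4-byte 802.1Q tag.

    Returns (vid, untagged_frame).
    """
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame on a dot1q-terminated sub-interface")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def add_tag(frame, vid):
    """Egress side of dot1q termination: insert a tag for the egress VLAN."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def make_subif(vid, gateway, arp_broadcast, arp=None):
    """One router sub-interface: its VLAN, gateway address and ARP state."""
    return {"vid": vid, "ip": ipaddress.ip_interface(gateway),
            "arp_broadcast": arp_broadcast, "arp": arp or {}}


def forward(frame, subifs):
    """Route one tagged frame between sub-interfaces.

    Returns ("forward", tagged_frame), ("arp-request", egress_vid)
    or ("drop", reason).
    """
    try:
        vid, untagged = strip_tag(frame)
    except ValueError as err:
        return "drop", str(err)
    if not any(s["vid"] == vid for s in subifs):
        return "drop", f"no sub-interface terminates VLAN {vid}"
    ip = bytearray(untagged[14:])              # IPv4 header follows the EtherType
    dst_ip = ipaddress.IPv4Address(bytes(ip[16:20]))
    egress = next((s for s in subifs if dst_ip in s["ip"].network), None)
    if egress is None:
        return "drop", f"no route to {dst_ip}"
    if ip[8] <= 1:
        return "drop", "TTL expired in transit"
    ip[8] -= 1                                 # one router hop (checksum update omitted)
    next_hop_mac = egress["arp"].get(dst_ip)
    if next_hop_mac is None:
        if not egress["arp_broadcast"]:
            return "drop", f"blackhole: no ARP entry and ARP broadcast disabled on VLAN {egress['vid']}"
        return "arp-request", egress["vid"]    # a tagged ARP request can be sent
    rewritten = next_hop_mac + ROUTER_MAC + untagged[12:14] + bytes(ip)
    return "forward", add_tag(rewritten, egress["vid"])


def demo():
    """Host A (VLAN 2) sends to Host B (VLAN 3) through the router's sub-interfaces."""
    subifs = [
        make_subif(2, "192.168.2.1/24", True),
        make_subif(3, "192.168.3.1/24", True,
                   {ipaddress.IPv4Address("192.168.3.2"): HOST_B_MAC}),
    ]
    frame = build_frame(ROUTER_MAC, HOST_A_MAC, 2, 64, "192.168.2.2", "192.168.3.2")
    return forward(frame, subifs)


if __name__ == "__main__":
    action, detail = demo()
    out_vid, out_frame = strip_tag(detail)
    print(action, "to VLAN", out_vid, "with TTL", out_frame[14 + 8])
```

Running the block forwards the frame into VLAN 3 with the TTL reduced from 64 to 63, which is the hop the text says the ping TTL reveals; changing the VLAN 3 sub-interface to an empty ARP table with arp_broadcast set to False reproduces the silent drop.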
The implementation of L3 switches brings benefits to VLAN routing that are not possible with a router. One of these is the ability to forward VLAN traffic with very little delay thanks to line-speed forwarding: ASICs at the hardware layer forward traffic in hardware rather than in software. In addition, a single device is used, so there is no trunk link that might become congested under heavy traffic loads. VLAN routing on a layer 3 switch relies on VLAN interfaces (VLANIF). If users on a network belong to different VLANs, each VLAN requires a VLANIF that acts as the VLAN gateway and must therefore be assigned an IP address in the network of that VLAN. If a large number of VLANs exist, this adds up to a large number of IP addresses being required, one for each VLANIF in addition to the hosts in the VLAN with which the VLANIF is associated. Through the VLANIF, routing between different VLANs can be supported.
Configuration of VLAN routing on a switch operating at layer 3 requires that the VLANs first be created and the interfaces be assigned to those VLANs. The configuration follows the principles covered as part of the VLAN principles: defining the port link-type for each port and the PVID associated with each port interface.
VLAN routing is implemented by creating VLAN interfaces that operate as gateway interfaces for each VLAN within the layer 3 switch. The VLANIF view is entered via the interface vlanif <vlan-id> command, where the vlan-id refers to the associated VLAN. The IP address of the interface should be in the same network segment as the hosts. This IP address is the gateway for the hosts and supports inter-VLAN communication.
The dot1q termination vid <vlan-id> command performs two specific functions. When a port receives a tagged VLAN frame, it first removes the VLAN tag and forwards the packet via layer 3 routing. For packets being sent out, the port adds a tag to the frame before sending it, in accordance with the VLAN and IP settings of the router's logical interface.
The switch must be configured to allow frames carried over the link between the switch and the router to be tagged, either through the use of a trunk port or through tagged hybrid ports. Additionally, the VLAN traffic must be permitted over this link using the port trunk allow-pass vlan <vlan> or port hybrid tagged vlan <vlan> command.
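The requirements above, for both the router sub-interface case (dot1q termination, arp-broadcast enable, and the switch trunk allowing the VLAN) and the layer 3 switch case (a VLANIF gateway in the hosts' segment), lend themselves to an automated check before a change is pushed. The following Python block is an added example, not code from the original text or from any vendor tool. It parses a small VRP-style configuration, constructed here for illustration, and reports a sub-interface whose VLAN the trunk or hybrid port does not allow, a sub-interface without ARP broadcast enabled (the blackhole case), and a gateway address that is outside the host segment of its VLAN. The accepted command spellings (arp broadcast enable / arp-broadcast enable, ip address with a mask or prefix length, the Vlanif interface name) are assumptions modelled on the commands quoted in the text and may differ by platform.

```python
"""Lint a VLAN routing configuration for the pitfalls named in the text.

Added example, not from the original text or any vendor tool. Covers the
router-on-a-stick case (dot1q sub-interfaces plus the switch trunk) and the
layer 3 switch case (VLANIF gateways). Command spellings are assumptions.
"""
import ipaddress
import re


def parse_config(text):
    """Return {interface_name: attributes} from indented VRP-style lines."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":            # '#' separates sections in VRP output
            current = None
            continue
        if (m := re.match(r"interface (.+)", line)):
            current = interfaces.setdefault(m.group(1).strip(), {"allowed": set()})
        elif current is None:
            continue
        elif (m := re.match(r"dot1q termination vid (\d+)", line)):
            current["vid"] = int(m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)", line)):
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif re.match(r"arp[ -]broadcast enable", line):
            current["arp_broadcast"] = True
        elif (m := re.match(r"port link-type (\S+)", line)):
            current["link_type"] = m.group(1)
        elif (m := re.match(r"port (?:trunk allow-pass|hybrid(?: tagged)?) vlan (.+)", line)):
            current["allowed"].update(int(v) for v in m.group(1).split())
    return interfaces


def lint(gateway_ifs, switch_ifs, host_segments):
    """Return a list of findings; an empty list means the checks pass.

    gateway_ifs: parsed config of the device holding the VLAN gateways.
    switch_ifs: parsed config of the layer 2 switch facing the router
    ({} for the single-device VLANIF case). host_segments: {vid: network}.
    """
    findings, trunk_allowed = [], set()
    for sw in switch_ifs.values():
        if sw.get("link_type") in ("trunk", "hybrid"):
            trunk_allowed |= sw["allowed"]
    for name, gw in gateway_ifs.items():
        vlanif = re.match(r"vlanif\s*(\d+)$", name, re.IGNORECASE)
        vid = gw.get("vid", int(vlanif.group(1)) if vlanif else None)
        if vid is None:
            continue                           # physical port, not a VLAN gateway
        if "ip" not in gw:
            findings.append(f"{name}: no gateway IP address for VLAN {vid}")
        elif vid in host_segments and gw["ip"].ip not in host_segments[vid]:
            findings.append(f"{name}: gateway {gw['ip'].ip} is outside host segment "
                            f"{host_segments[vid]} of VLAN {vid}")
        if "vid" in gw:                        # router sub-interface only
            if not gw.get("arp_broadcast"):
                findings.append(f"{name}: ARP broadcast disabled, traffic to VLAN {vid} will be blackholed")
            if vid not in trunk_allowed:
                findings.append(f"{name}: VLAN {vid} is not allowed on the switch trunk/hybrid port")
    return findings


# Constructed sample configurations (not from the original text). The .3
# sub-interface lacks ARP broadcast and the switch trunk omits VLAN 3.
ROUTER_CFG = """interface GigabitEthernet0/0/1.2
 dot1q termination vid 2
 ip address 192.168.2.1 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/1.3
 dot1q termination vid 3
 ip address 192.168.3.1 255.255.255.0
#"""
SWITCH_CFG = """interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
#"""
# Layer 3 switch case: the VLAN 3 gateway is placed in the wrong segment.
L3_SWITCH_CFG = """interface Vlanif2
 ip address 192.168.2.1 24
#
interface Vlanif3
 ip address 192.168.4.1 24
#"""
HOST_SEGMENTS = {2: ipaddress.ip_network("192.168.2.0/24"),
                 3: ipaddress.ip_network("192.168.3.0/24")}


def check_router_on_a_stick():
    return lint(parse_config(ROUTER_CFG), parse_config(SWITCH_CFG), HOST_SEGMENTS)


def check_vlanif():
    return lint(parse_config(L3_SWITCH_CFG), {}, HOST_SEGMENTS)


if __name__ == "__main__":
    for finding in check_router_on_a_stick() + check_vlanif():
        print(finding)
```

Against the constructed configurations the router check reports two findings for the VLAN 3 sub-interface (ARP broadcast disabled, VLAN 3 missing from the trunk) and the VLANIF check reports one (gateway outside the host segment); the VLAN 2 gateway passes in both cases.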