OK, I need to get something straight, because there have been many thoughts on the forum and I want to get down to the answer. Some say that if you have more than one VLAN with IP addresses and enable ip routing, they route automatically. How can this be true? What routing protocol do they use, and what if you only want select VLANs to route?
To get it straight: VLANs are a layer 2 issue and IP is layer 3. Simply defining IP ranges for your VLANs will not suffice to realise inter-VLAN connectivity. You must have a layer 3 device for that, either a suitable router or a layer 3-capable switch.
That is basically all there is to it.
The only reason you need to run a routing protocol is if you need to propagate routes across multiple routers. As long as ip routing is turned on on a single router, it knows about any directly connected networks and will route the packets accordingly. If you need to pass these routes to another router, then you will need a routing protocol or use static routes across the network, which is a pain for a network of any size and why routing protocols were developed in the first place.
Maybe a scenario might help you understand this. Say you have a cat4503, and you enter the commands vlan 2, vlan 3, vlan 4.
You have successfully created 3 additional VLANs. Remember that VLANs are at layer 2.
Then you assign those VLANs to interfaces gi3/1, 2, 3 and 4 using the 'switchport access vlan
Now you have port 1 on VLAN 1, port 2 on VLAN 2, etc.
If you connect a host to each of those ports, thus separate VLANs, they cannot talk to each other... period.
Now you decide to assign the IP networks 10.0.1.0/24 to VLAN 1, 10.0.2.0/24 to VLAN 2, 10.0.3.0/24 to VLAN 3 and 10.0.4.0/24 to VLAN 4. You give your hosts on each port/VLAN a valid host IP from those networks.
The hosts on VLANs 1-4 can still not talk to each other until you do one of the following: 1> enter the 'interface vlan
2> Router on a stick. You create a trunk port (dot1q), connect that port to a router, configure the router's fe interface for dot1q encapsulation, create the sub-interfaces that correspond to the VLANs created on the 4503, assign the sub-interfaces valid host IPs from the VLAN IP ranges, then point your hosts to those IPs as their default GW. Once again the layer 3 device (router) will route the IP packets because the routing table is populated with the connected subnets.
You would only need to do static/dynamic routes if you are using the layer 3 device as an intermediary node to another network not directly connected to the device.
Hope that helps.
So just by issuing the 'ip routing' command it will route. I thought you needed to go a step further and tell the L3 switch what routing protocol to use and what VLANs to route between. What if you needed a VLAN that wasn't allowed to talk to the other interfaces but needed an IP for management?
The 'ip routing' command just tells the device that it needs to start acting as a layer 3 device and enables the system to route IP packets.
The L3 switch will route traffic for any destination network it has in its routing table. If it knows how to get to the w.x.y.z network because it is in its routing table, it will route to that network. When a network is directly connected to a device, as long as that interface is up/up, the routing table will be populated with the network, with a C noting the type of route (directly connected).
But if you try to route an IP packet destined for the a.b.c.d network, and it is not directly connected to that layer 3 device, you will need either a static route, a dynamic route learned via a routing protocol (RIP, EIGRP, IS-IS) or a default route.
Hope that helps.
What if 10 3550s were trunked? Then that would mean all VLANs would route to each other just by issuing the ip routing command, because they are directly connected. Is that correct?
OK, this is bad. I want to route between 30 of the 40 VLANs. 10 VLANs have to stay out of the routing because they are not allowed to talk to each other.
If you want your 10 VLANs to be purely on layer 2 and not talk to other VLANs, then do not make the L3 SVI on the 3550, i.e. do not give the VLAN interface an IP. This will restrict them purely to layer 2. If you want them to talk to some VLANs but not the others, then you have to use ACLs to deny the IP traffic.
You can do that; it will just take a bit more planning. If you have 30-40 VLANs, 10 of them can't talk to one another, but the other 20-30 can, you can either just not assign the SVI (interface vlan) a layer 3 address for those VLANs, which will in effect keep the VLANs strictly layer 2, or you can get tricky and use VACLs. Which solution you use depends on what you want your outcome to be. Keep in mind that if you use the first suggestion, those 10 VLANs will NOT be able to talk to ANY VLAN except themselves; i.e. a VLAN 1 interface can talk to any other VLAN 1 interface, no other VLANs, and vice versa for the other 10 VLANs.
If you need to be able to route those 10 VLANs to an extent but limit what VLANs/subnets they can talk to, you'll need to do VACLs.
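As an added example (not posted by anyone in this thread), here is the scenario from the replies above written out as one Catalyst configuration: SVIs plus 'ip routing' give the directly connected routes that make VLANs 2-4 route, a VLAN left without an SVI stays at layer 2, and an ACL restricts one routed VLAN. The switch model, port names, VLAN numbers and ACL name are assumptions.

```cisco
! Added example, not from any post in this thread. Assumes a hypothetical
! Catalyst 3550 with FastEthernet0/x ports; VLANs 2-4 are routed, VLAN 5 is
! a layer-2-only VLAN whose hosts may only talk to each other.
vlan 2
vlan 3
vlan 4
vlan 5
!
! Access ports: layer 2 membership only, one host per VLAN
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 3
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 4
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 5
!
! SVIs: an IP on the VLAN interface puts a directly connected ("C") route
! in the table; with 'ip routing' on, the switch forwards between them.
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
interface Vlan3
 ip address 10.0.3.1 255.255.255.0
interface Vlan4
 ip address 10.0.4.1 255.255.255.0
!
! Deliberately no 'interface Vlan5': with no SVI there is no route for
! VLAN 5's subnet, so it stays at layer 2 and cannot be routed to or from.
!
ip routing
!
! Partial restriction: VLAN 4 may reach VLAN 3 but not VLAN 2. This is a
! router ACL on the SVI (one of the ACL options the replies mention); a
! VACL would be the alternative. Hosts use 10.0.x.1 as default gateway.
ip access-list extended VLAN4-IN
 deny   ip 10.0.4.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip any any
interface Vlan4
 ip access-group VLAN4-IN in
```

After applying it, 'show ip route' should list 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24 as C routes and nothing for VLAN 5.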