
VLAN and Inter-VLAN Routing Lab for Beginners

Hands-on VLAN lab: create VLANs, configure trunks, and set up router-on-a-stick inter-VLAN routing. Full configs and verification included.

Sarah Chen
Network Engineer

VLANs and inter-VLAN routing are fundamental to every enterprise network — and a major part of the CCNA exam. But configuring them involves multiple devices working together, which is where most students get stuck.

This lab walks through the entire process: creating VLANs, configuring trunk links, and setting up router-on-a-stick for inter-VLAN routing.

To generate this lab instantly:

Build a VLAN lab with 2 switches, 1 router doing router-on-a-stick,
3 VLANs (10-Sales, 20-Engineering, 30-Management), and 2 PCs per VLAN.
Use 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 for each VLAN.

The Lab Topology

  • R1 — router with a single physical link to SW1, using subinterfaces for inter-VLAN routing
  • SW1 — core switch, trunks to R1 and SW2
  • SW2 — access switch, connects to end hosts
  • 6 PCs — 2 per VLAN (Sales, Engineering, Management)

Step 1: Create VLANs on Both Switches

VLANs must exist on every switch that carries traffic for them.

SW1:

hostname SW1
!
vlan 10
 name Sales
vlan 20
 name Engineering
vlan 30
 name Management

SW2:

hostname SW2
!
vlan 10
 name Sales
vlan 20
 name Engineering
vlan 30
 name Management

Verify VLANs were created:

SW1# show vlan brief
 
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------
1    default                          active
10   Sales                            active
20   Engineering                      active
30   Management                       active

Step 2: Configure Access Ports

Access ports belong to a single VLAN and connect to end devices (PCs, printers, phones).

SW2 — assign PCs to VLANs:

! Sales PCs
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
! Engineering PCs
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 20
!
! Management PCs
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 30
!
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 30

Key points:

  • switchport mode access — the port carries traffic for only one VLAN
  • switchport access vlan 10 — assigns the port to VLAN 10
  • PCs in the same VLAN can communicate. PCs in different VLANs cannot — not yet.

Step 3: Configure Trunk Links

Trunk ports carry traffic for multiple VLANs between switches (and between a switch and a router).

SW2 — trunk to SW1:

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

SW1 — trunk to SW2 and trunk to R1:

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

Verify trunk status:

SW1# show interfaces trunk
 
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
Gi0/2       on           802.1q         trunking      1
 
Port        Vlans allowed on trunk
Gi0/1       10,20,30
Gi0/2       10,20,30

What to check:

  • Status: trunking — both ends agreed on trunk mode
  • Encapsulation: 802.1q — the standard VLAN tagging protocol
  • Vlans allowed — only the VLANs you specified should be listed

Common mistake: if one side is set to trunk and the other is access, the trunk won't form. Both sides must match.

Step 4: Router-on-a-Stick

This is where inter-VLAN routing happens. R1 has a single physical connection to SW1, but uses subinterfaces — one per VLAN — to route between them.

R1 configuration:

hostname R1
!
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.10
 description Sales VLAN
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description Engineering VLAN
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 description Management VLAN
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0

How it works:

  • GigabitEthernet0/0 — the physical interface. Must be no shutdown but has no IP address.
  • GigabitEthernet0/0.10 — a subinterface. The .10 is just a label (convention is to match the VLAN number).
  • encapsulation dot1Q 10 — tells the router "frames tagged with VLAN 10 belong to this subinterface"
  • ip address 192.168.10.1 — the default gateway for all devices in VLAN 10

The router receives tagged frames from the trunk, matches them to the correct subinterface, and routes between subinterfaces just like it routes between physical interfaces.
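The tag matching described above can be modelled in a few lines. This is an added example, not part of the original lab or of any router's actual code: it builds Ethernet frames with and without an 802.1Q tag, extracts the 12-bit VLAN ID, and looks up the subinterface from the R1 configuration. The MAC addresses and the function names `build_frame` and `classify` are made up for the illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# dot1Q VLAN ID -> subinterface, taken from the R1 configuration above
SUBINTERFACES = {
    10: "GigabitEthernet0/0.10",
    20: "GigabitEthernet0/0.20",
    30: "GigabitEthernet0/0.30",
}

def build_frame(dst, src, vlan=None, ethertype=0x0800, payload=b""):
    """Build an Ethernet II frame; a VLAN ID inserts a 4-byte 802.1Q tag."""
    tag = b""
    if vlan is not None:
        # TCI layout: PCP (3 bits) = 0, DEI (1 bit) = 0, VID (12 bits)
        tag = struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def classify(frame):
    """Return (vlan_id, subinterface) for a frame arriving on the trunk.

    vlan_id is None for an untagged frame; subinterface is None when no
    subinterface is configured for the tag, so the frame is not routed.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None, None  # untagged: no dot1Q subinterface in this lab matches
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    vid = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return vid, SUBINTERFACES.get(vid)

# Constructed sample frames (MAC addresses are made up for the example)
PC1, GW = bytes.fromhex("020000000001"), bytes.fromhex("0200000000fe")
for f in (build_frame(GW, PC1, 10), build_frame(GW, PC1, 99), build_frame(GW, PC1)):
    print(classify(f))
```

A frame tagged with a VLAN that has no subinterface (99 here) and an untagged frame both come back without a subinterface, which is why a missing or mistyped `encapsulation dot1Q` line silently breaks routing for that VLAN.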

Step 5: Configure PC Default Gateways

Each PC needs an IP address in its VLAN's subnet and a default gateway pointing to the router's subinterface.

PC    VLAN  IP Address      Default Gateway
----  ----  --------------  ---------------
PC1   10    192.168.10.10   192.168.10.1
PC2   10    192.168.10.11   192.168.10.1
PC3   20    192.168.20.10   192.168.20.1
PC4   20    192.168.20.11   192.168.20.1
PC5   30    192.168.30.10   192.168.30.1
PC6   30    192.168.30.11   192.168.30.1

Step 6: Verify Everything

Test within the same VLAN (should work):

PC1> ping 192.168.10.11
Reply from 192.168.10.11: bytes=32 time<1ms TTL=128

Test across VLANs (the real test):

PC1> ping 192.168.20.10
Reply from 192.168.20.10: bytes=32 time=2ms TTL=127

Notice the TTL dropped from 128 to 127 — that means the packet went through R1 (one hop). Inter-VLAN routing is working.

Verify on the router:

R1# show ip interface brief
 
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/0.10      192.168.10.1    YES manual up                    up
GigabitEthernet0/0.20      192.168.20.1    YES manual up                    up
GigabitEthernet0/0.30      192.168.30.1    YES manual up                    up

All subinterfaces should show up/up.

Common Mistakes

1. Forgot no shutdown on the physical interface

The subinterfaces inherit the physical interface's state. If GigabitEthernet0/0 is down, all subinterfaces are down.

2. Wrong encapsulation VLAN number

! Wrong — VLAN tag doesn't match the subinterface's intended VLAN
interface GigabitEthernet0/0.10
 encapsulation dot1Q 20
 
! Correct
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10

3. Trunk not allowing the VLAN

If show interfaces trunk doesn't list VLAN 10, traffic for that VLAN won't cross the trunk. Check switchport trunk allowed vlan.

4. PC default gateway wrong or missing

If a PC can ping its default gateway (the router subinterface) but can't ping across VLANs, the other PC's default gateway is probably wrong.

5. VLAN doesn't exist on a switch in the path

VLANs must be created on every switch that carries traffic for that VLAN. If SW1 has VLAN 10 but SW2 doesn't, traffic won't reach PCs on SW2 in VLAN 10.

What's Next

With VLANs and inter-VLAN routing working, good next topics to practice:

  • OSPF — add OSPF to R1 so it can advertise VLAN subnets to other routers. See the OSPF configuration lab guide.
  • ACLs — restrict traffic between VLANs (e.g., block Management VLAN from reaching Sales)
  • DHCP — configure R1 as a DHCP server for each VLAN instead of static IP addresses
  • Port security — limit which MAC addresses can connect to access ports

All of these build on the VLAN foundation you just configured. You can practice them in CCNA labs or generate a custom lab with AI.

