Can switches do VLAN routing?

Question

I have been learning about VLANs and I am wondering if switch can be used for communication between two VLANs.

Since switches support trunk links and already know the destination/source (VID) of the frame could they be used to send the frame from one VLAN to the other?

vlan network example

For example in this image above I was wondering why the router is needed if this switch already receives the VID of each VLAN. Why can't switch forward the frame to the targeted VLAN but needs the router to do it thus prolonging the transfer time of the frame to the router and back?

NB a tagged frame doesn't have destination/source VIDs - just one VID typically - so there's no way a switch operating purely at L2 can know if a frame is intended for a different VLAN on that basis. — psmears, Mar 08 '17 at 15:14
If you were to "join" two VLANs together like that they'd effectively be the same VLAN. Then there's no point to using two separate VLAN IDs. — user253751, Mar 08 '17 at 20:58
Even if they could, that would not be useful in any way I can imagine. For example, IP wouldn't work because ARP wouldn't work. There might be some protocols that would work under such conditions, but do you know of any that are widely used? — David Schwartz, Mar 08 '17 at 21:05
@DavidSchwartz Every ethernet-based protocol would work on this. Why would ARP not work if a switch effectively joins to VLANs together? — Andreas Krey, Mar 09 '17 at 18:02
@Kosta Could you be more explicit about what exactly your question is? Some of us are reading it to mean different things. For example, I read it to be essentially "could a switch be used to send a frame from one VLAN to the other?" (That is, "can a switch route between two VLANs?"). It appears others seem to be at the opposite extreme, thinking you mean "Can I take data coming out port A on VLANB and make it go into port C on VLAND" (which is still ambiguous about whether you mean on the same or separate switch for port C). And others seem to have interpretations in between. Please clarify. — Loduwijk, Mar 09 '17 at 18:22
@Kosta And also, do you mean 'can the switch do it' or 'can I ad-hoc a hardware solution myself (one other user seems to be going with this)'? — Loduwijk, Mar 09 '17 at 18:25
@AndreasKrey The question is about routing, not switching. If you join two VLANs together, they're just one segment. — David Schwartz, Mar 09 '17 at 18:53
@DavidSchwartz I read the question to be about routing as well, but you cannot say that for certain. The question can be read multiple ways (it is ambiguous). Asker needs to elaborate. We are all spinning our wheels in vain. — Loduwijk, Mar 09 '17 at 18:58
A lot of Juniper switches have limited L3 capability. For example, EX4200's can allow you to create an L3 interface (internally) that will allow 2 separate vlans to talk (although only on that switch, it wont go over trunks) — IT_User, Mar 09 '17 at 19:39
@Aaron I was wondering if a switch could be used to send a frame from one VLAN to the different VLAN in the same "physical network" , as you pointed out. In my Networking class i learned that routers do that and not switches but I was not sure why switches cannot be used for that. (Knowing that it can be "hacked" via hardware and configuration is nice but I was looking into an explanation why can't this be done on L2 regularly) — Kosta S., Mar 09 '17 at 20:54
@Kosta_S You might want to edit the question to elaborate. Also, if I am understanding the question correctly then, I think the answer you are looking for is simply "That's not how it was designed." While two VLANs can be on the same physical hardware, from a logical point of view (ie: You are drawing the network topology on paper) you should to treat separate VLANs just as though they were in fact separate LANs. The fact that they can reside on the same hardware is irrelevant. The whole point of inventing VLANs was specifically to virtually separate the traffic as if not on the same hardware — Loduwijk, Mar 09 '17 at 21:50
@KostaS. Routers do not send frames between two VLANs - they take the frame apart to get an IP packet, then put the IP packet into a new frame on the other VLAN. — user253751, Mar 09 '17 at 23:27
@KostaS. Also as I said before - if you could do that with a switch then it would just be one VLAN with two IDs, so what would be the point? — user253751, Mar 09 '17 at 23:28

score 19 · Answer 1 · answered Mar 08 '17 at 14:10

19

L2 switches cannot do Inter-VLAN routing, since they only take care of L2 network stuff, that is, forward frames between links. If it is a L3 switch, then it can do IP protocol routing between VLANs.

answered Mar 08 '17 at 14:10

Tero Kilkanen

36,796
3
41
63

5

A " L3 switch" is not a switch! It is a router. – Ian Ringrose Mar 08 '17 at 18:55
4

@Ian Whilst you are technically correct, most products listed as being a router have a limited number of ports and often act as modems too. If you search for `L3 Switch`, you will find the device you're looking for. – Roshan Bhumbra Mar 08 '17 at 19:10
2

@IanRingrose Technically, an "L3 switch" is a combined *bridge* and *gateway*. – chrylis -cautiouslyoptimistic- Mar 09 '17 at 05:35
2

VLAN _is_ layer 2. – Lightness Races in Orbit Mar 09 '17 at 16:59

score 11 · Answer 2 · answered Mar 08 '17 at 14:16

11

VLANs are used to create different subnets which means different broadcast domains. You need to have either a router or a Layer-3 switch in order to forward traffic between different VLANs (different subnets).

answered Mar 08 '17 at 14:16

Khaled

36,533
8
72
99

2

VLAN and subnet are two different things – Lightness Races in Orbit Mar 09 '17 at 16:58
@LightnessRacesinOrbit Technically, you are correct. Many people do not treat them that way though. I have seen many people (including online VLAN articles) treat the topic as though the mapping of subnet-toVLAN is 1-to-1, and I think many people probably configure them that way. You are correct though; they are separate and need not line up. – Loduwijk Mar 09 '17 at 17:20
@Aaron: As such, I do not understand the at least 10 upvotes on this answer. (FWIW, in the specific telecom networks for which I develop equipment, there is no practical or assumed mapping of subnet to VLAN whatsoever.) – Lightness Races in Orbit Mar 09 '17 at 17:32
These 'subnets' are usually called 'virtual networks'...VLANs. But a single VLAN does not necessarily need to have the same ID on every link it is using. – Andreas Krey Mar 09 '17 at 17:44

JFL · Answer 3 · 2017-03-08T22:12:54.193

Routing is a layer 3 function, while VLAN only concern Layer 2.

When a computer A want to send data to another host B, using the IP protocol it will first check if B is in the same network as himself (comparing the network portion of its own address and the destination IP address).

If B IP address is in the same network, A will then perform an ARP request to find the MAC address of B.
If B is not alive or not in the same VLAN, the ARP request will not have an answer and A will not send anything else (the communication fail).
If B IP address belong to another IP network, then A will lookup in its routing table, found the IP address of the router C (usually its default gateway) and will send the packet to C (once again performing an ARP request to find C MAC address).

So if you don't have a router with an interface in both network you cannot have communication between two hosts in two separates IP networks.

Even if there's some kind of bridges between two VLAN (unusual but possible), or the two hosts are in the same VLAN but have IP address in different IP networks, the communication is not possible without a router, since A will not try to send a frame to B (because it's IP configuration tell it it needs a router).

Now, as other answers pointed out, if your switch is a Layer 3 switch, that means you have in one box both a switch and a router. If configured correctly, the router function of you switch will route between the different VLANs.
The main advantage of Layer 3 switches (opposed to a separate router) is that you can route between different VLANs at full wire speed (I.E. as fast as the switching process).

score 2 · Answer 4 · answered Mar 08 '17 at 20:06

2

Other answers here deal with network theory, so I will not comment on that. As for actual network hardware in the real world, which is related to but different from network theory, the answer is yes. You can buy a network switch which can handle VLAN traffic.

A network switch used to be viewed as a layer 2 device, but many switches do more than that these days. Sometimes routers are labeled as a "layer 3 switch." Switches with more than just layer 2 functionality are also sometimes referred to as a "layer 2.5 switch"

answered Mar 08 '17 at 20:06

Loduwijk

565
3
5
15

1

VLAN is a layer 2 functionality. – Lightness Races in Orbit Mar 09 '17 at 16:59
@LightnessRacesinOrbit I could not remember for sure, as it's been years since I did any VLAN configuring. If that is the case, perhaps you should leave that comment on the *other* answers here since the top rated answers all contradict your comment here. Actually, hold on a moment... the entire point of a VLAN is that it is a separate network hence layer 3. Are you sure it's a layer 2 thing? Still, either way, your comment is better left on the higher rated answers. – Loduwijk Mar 09 '17 at 17:17
@Aaron: I _did_ leave that comment on the other answers; you even replied to one of them! And, yes, I am sure. VLAN tags are inserted into Ethernet frames. – Lightness Races in Orbit Mar 09 '17 at 17:33
@LightnessRacesinOrbit I see a comment by you only on one of the other answers, the one I responded to, and that was a different comment. "VLAN = L2" and "VLAN != subnet" are different comments. I agree with you that "VLAN != subnet." I'm not so sure about your "VLAN = L2" though. I suppose that depends on what your definition of "is ... functionality" is, though specifically in regards to the original question at hand, the question is talking about layer 3 functionality. At least, that's how I read the question: routing between networks (and a VLAN is, logically anyway, just another LAN). No? – Loduwijk Mar 09 '17 at 17:46
_"'VLAN = L2' and 'VLAN != subnet' are different comments"_ The underlying point I am making is precisely the same - that answers discussing Layer 3 technology entirely miss the mark. Not sure why you're getting so hung up on where and when I'm commenting, tbqh. – Lightness Races in Orbit Mar 09 '17 at 17:47
_"routing between networks (and a VLAN is, logically anyway, just another LAN)"_ Yes, by replacing the VLAN tag in the Ethernet frame with some other VLAN tag. Nothing to do with Layer 3. Nothing to do with IP, or subnets, or gateways, or "routers". The question _should_ use a term like "replace VLAN tag" instead of "route" to be less confusing, but the end result is basically the same when we use the English meaning of the word "route". – Lightness Races in Orbit Mar 09 '17 at 17:48
The original question does not use the word 'routing', actually. 'send the frame' is quite layer2-ish. – Andreas Krey Mar 09 '17 at 17:55
@LightnessRacesinOrbit I'm not hung up on where or when you're commenting. I was responding to your statement that "I did leave that comment on the other answers" and "You even replied to one of them". I was merely pointing out that I do not see your comment (VLAN = L2) on any other answers, including answers that expressly state that VLAN = L3. I'm not really hung up about you at all; I mostly agree with what you've said in this thread. I'm just commenting. – Loduwijk Mar 09 '17 at 18:09
I do, however, read the question as "can a switch be used to send a frame from one VLAN to another?" Since, from the network administrator's point of view, VLAN (virtual LAN) = LAN, the question (as I read it) might as well be asking "Can I use a switch to get data from one LAN to another?" And since LAN is generally referring to 1 network extending out to as far as layer 2 communication goes (going through a router generally viewed as going to a different LAN, at least among those I've worked with), I can say Q is logically equivalent to "Can I route between VLANs?" – Loduwijk Mar 09 '17 at 18:17
Again, I think we are hung up on semantics and OP needs to clarify. The question can be read multiple ways. – Loduwijk Mar 09 '17 at 18:17
Also, if I am actually incorrect about any of the specific statements I made, feel free to clarify. I do believe though that we believe mostly the same thing and are just reading the question differently. – Loduwijk Mar 09 '17 at 18:18
@AndreasKrey: The question title is _"Can switches do VLAN routing?"_. – Lightness Races in Orbit Mar 09 '17 at 18:30
_"I do not see your comment"_ I've already addressed that. I did say the same thing on all the other relevant answers. Let's move on from this silly subject. – Lightness Races in Orbit Mar 09 '17 at 18:32

score 1 · Answer 5 · answered Mar 09 '17 at 17:22

1

Funnily this isn't supported by VLAN switches - you can't configure them to connect, say, VLAN3 on port A to VLAN5 on port B.

You could hack this by using two ports, configure one to have VLAN3 untagged, and the other VLAN5 untagged, and then connect them with a cable. (Didn't try this, but don't see why it shouldn't work.)

answered Mar 09 '17 at 17:22

Andreas Krey

111
2

@Andreas_Krey Umm... are you sure? You cannot route between two networks? VLANs are just virtual networks (hence the name), and you can route between them same as you can any other two networks. Perhaps we are hung up on semantics, as is evidence by the difference between network theory and real world network hardware, as others are in this thread. – Loduwijk Mar 09 '17 at 17:29
@Aaron Routing is something different, I'm (and proabably the Q as well) talk about having different (and potentially multiple) VLAN ids for the same VLAN on different ports. – Andreas Krey Mar 09 '17 at 17:52
@Andreas_Krey Perhaps. I just reread the Q and I can see how you can read it differently than me. What I see is "could they [switches] be used to send the frame from one VLAN to the other". I see this as a question where the asker just isn't viewing VLANs logically as "just another LAN" and is asking if he can route between them with a switch. I could be wrong. – Loduwijk Mar 09 '17 at 18:05
Your hack would work if, and only if, you either disable STP or have a device that does VLAN aware STP. Naive STP type implementations are going to go "omg, network loop, must kill it before it kills me". I discovered this the hardway when doing work involving cisco routers, bridges and vlans. – Kaithar Mar 09 '17 at 20:53

score 1 · Answer 6 · answered Mar 09 '17 at 23:29

If I'm interpreting this correctly, you want a switch that receives a frame with VLAN 5 (for example) to forward it with VLAN 6.

This would be pointless. Instead of doing this you could simply take all your devices that use VLAN 6 and move them to VLAN 5 instead.

Because it's pointless, switch vendors didn't add any way to do it.

score -1 · Answer 7 · answered Mar 09 '17 at 04:37

Intra-VLAN traffic is forwarded between mac addresses of the VLAN network. For a "frame" to leave that network, it must be forwarded to the mac address of a routing capable device. This can be a switch, firewall, or router. So if a frame from VLAN A wants to reach VLAN B, VLAN A will send the frame to the mac address of the default gateway, VLAN B will do the same. If those gateways are on a switch, then the switch is routing packets between the vlans, same for a router. You may want to use a firewall, however, if you need to control access back and forth between the vlans.

In the modern world: Think of switches as routers with a lot of ports. Think of routers as switches with less ports, but higher availability. Think of firewalls as routers that can support higher layer services, like intrusion detection, antivirus, SSL proxy, application services, NAT, etc.

Can switches do VLAN routing?

7 Answers7