Articles

Layer 3 Switching: Route Between VLANs in Hardware (2026)

March 15, 2026 6 min read intermediate

Layer 3 switching actually happens before packets reach their destination VLAN, not after.

Let’s see how it works. Imagine you have two VLANs: VLAN 10 (Sales) and VLAN 20 (Engineering). A user in VLAN 10 wants to access a server in VLAN 20.

Here’s a typical setup:

  • Switch: A Cisco Catalyst 3750 (or similar L3 switch)
  • VLAN 10: interface Vlan10, ip address 192.168.10.1 255.255.255.0
  • VLAN 20: interface Vlan20, ip address 192.168.20.1 255.255.255.0
  • Ports:
    • GigabitEthernet1/0/1 to GigabitEthernet1/0/10 are switchport access vlan 10
    • GigabitEthernet1/0/11 to GigabitEthernet1/0/20 are switchport access vlan 20
  • Routing: The switch itself acts as the default gateway for both VLANs. ip routing is enabled.

Now, a packet originates from 192.168.10.5 (Sales) destined for 192.168.20.10 (Engineering).

  1. Packet arrives at the switch: The packet enters the switch on a port assigned to VLAN 10.
  2. L2 Forwarding: The switch’s L2 engine looks at the destination MAC address. If it’s for a device in VLAN 10 on another port, it forwards it at L2.
  3. Inter-VLAN Destination: But here, the destination IP 192.168.20.10 is not on VLAN 10. The packet is destined for a different IP subnet.
  4. L3 Lookup: The switch’s L3 engine (often called the "Route Processor" or "Forwarding Information Base" - FIB) takes over. It consults its routing table. It sees that 192.168.20.0/24 is directly connected via interface Vlan20.
  5. Packet Rewrite (if needed): The switch needs to change the L2 header. The source MAC address will become the MAC address of interface Vlan20 (which is 192.168.20.1). The destination MAC address will be the MAC address of the target server 192.168.20.10.
  6. Hardware Forwarding: Crucially, this entire process—the L2 ingress, L3 lookup, L2 egress rewrite, and forwarding out the correct port—happens in Application-Specific Integrated Circuits (ASICs) within the switch’s hardware. This is why it’s so fast, often measured in tens or hundreds of millions of packets per second. A traditional router would send this packet to its CPU for processing, which is orders of magnitude slower.
  7. Packet exits: The packet is sent out on a port assigned to VLAN 20 with the correct L2 and L3 headers.

The key is that the switch isn’t routing in the traditional sense of sending packets between different physical interfaces or complex WAN links. It’s performing IP forwarding between directly connected subnets (VLANs) using its internal hardware paths.

To see this in action, you’d run show ip route on the switch. You’ll see entries like:

Gateway of last resort is not set

     192.168.10.0/24 is directly connected, Vlan10
     192.168.20.0/24 is directly connected, Vlan20

This tells the L3 engine that to reach 192.168.10.0/24, it should use the Vlan10 interface, and to reach 192.168.20.0/24, it should use the Vlan20 interface. When a packet arrives for 192.168.20.10 on a VLAN 10 port, the switch sees the destination IP is in the 192.168.20.0/24 subnet, checks its internal routing table, determines it’s a directly connected route via Vlan20, rewrites the L2 headers, and forwards it out the appropriate VLAN 20 port, all in hardware.

The most surprising true thing about Layer 3 switching is that the "routing" happens before the packet even reaches its destination VLAN’s Layer 2 domain. The switch identifies that the packet is not for its local VLAN and thus needs to be routed, performing the IP lookup and forwarding decision in hardware as it enters the switch, before it is ultimately sent out on the egress port belonging to the destination VLAN.

When you configure ip routing on a multi-layer switch, you are essentially telling the switch to enable its hardware-based IP forwarding engine. Each interface VlanX becomes a logical Layer 3 interface, acting as the default gateway for devices within that VLAN. The switch then builds an internal routing table of these directly connected subnets. When a packet arrives, the switch inspects the destination IP address. If that IP address belongs to a subnet other than the one the packet arrived on, the switch consults its routing table. If it finds a matching route (even a directly connected one), it forwards the packet to the appropriate egress port, performing any necessary Layer 2 header modifications (like changing the source MAC to the egress VLAN interface’s MAC) in hardware.

The actual hardware forwarding path is highly optimized. When a packet arrives on an ingress port, the switch’s ASICs immediately examine the destination IP address. If the destination IP is reachable via a directly connected VLAN interface on the same switch, the switch can determine the egress port and perform the necessary MAC address rewrite without involving the CPU. This is often referred to as "route-switching" or "CEF switching" (Cisco Express Forwarding), where a hardware FIB is maintained to accelerate lookups.

The next concept you’ll likely encounter is how to handle routing between your L3 switch and an external router, or how to implement more complex routing protocols like OSPF or BGP on the switch.

Want structured learning?

Take the full Computer Networking course →