[ CCNA · DOMAIN 2 · TROUBLESHOOTING · PLAIN-ENGLISH ANSWER ]
WHY CAN'T MY VLANs PING EACH OTHER?_
It's not a bug — it's by design. VLANs are separate subnets, and crossing between them requires routing. Here's the fix.
[ ▶ SHORT ANSWER ]
VLANs can't ping each other by default because each VLAN is a separate broadcast domain and a separate IP subnet, and a switch only forwards within a VLAN at Layer 2. Moving traffic between VLANs requires a Layer 3 device to route it. Fix it with inter-VLAN routing: either router-on-a-stick (a router with 802.1Q subinterfaces, one per VLAN, each acting as that subnet's default gateway) or a Layer 3 switch with a Switched Virtual Interface (SVI) per VLAN. Also confirm each host's default gateway points at that router/SVI address.
You built VLAN 10 and VLAN 20, plugged in two PCs, and they can't ping across. Good news: that's exactly how it's supposed to work. A switch only forwards traffic within a VLAN. Because each VLAN is its own subnet, anything destined for a different subnet has to be routed — and a plain Layer 2 switch doesn't route.
The checklist
Before blaming the config, confirm the basics:
- Each VLAN has its own subnet (e.g. VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24).
- Each PC's default gateway is set to the router/SVI address for its own VLAN.
- There is a Layer 3 device actually routing between the subnets.
Fix 1 — Router-on-a-stick (ROAS)
One router, one trunk link, and a subinterface per VLAN. Each subinterface is tagged for its VLAN and holds that subnet's gateway IP:
R1(config)# interface g0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config)# interface g0/0.20
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
Don't forget to make the switch port facing the router a trunk.
Fix 2 — Layer 3 switch (SVI)
On a multilayer switch, enable routing and create an SVI per VLAN:
SW(config)# ip routing
SW(config)# interface vlan 10
SW(config-if)# ip address 192.168.10.1 255.255.255.0
SW(config)# interface vlan 20
SW(config-if)# ip address 192.168.20.1 255.255.255.0
Still failing?
Nine times out of ten the remaining cause is a wrong default gateway on the host, a port left in access mode where a trunk is needed, or a native VLAN mismatch on the trunk. Check those in order.
★ RELATED QUESTIONS
[ Do I need a router to route between VLANs? ]
You need a Layer 3 device — either a router (router-on-a-stick) or a Layer 3 / multilayer switch using SVIs. A plain Layer 2 switch cannot route between VLANs on its own.
[ What is router-on-a-stick? ]
Router-on-a-stick (ROAS) uses a single trunk link from a switch to a router, split into subinterfaces — one per VLAN, each tagged with 802.1Q and holding that VLAN's gateway IP. It's the classic single-router way to do inter-VLAN routing.
[ Why does the host's default gateway matter? ]
A host sends off-subnet traffic to its default gateway. If the gateway isn't set, or points to the wrong VLAN's interface, the host can't reach other VLANs even when routing is configured correctly.
★ READ NEXT
[ ▶ RELATED PLAIN-ENGLISH ANSWERS ]
[ ★ PRACTICE IT, DON'T JUST READ IT ]
Concepts stick when you drill them. Run
today's Daily CCNA Drill to build a streak, or jump straight into the related labs and tools: