Subscribe to the Non-Human & AI Identity Journal

Inter-VLAN Routing

Inter-VLAN routing is the Layer 3 function that allows traffic to move between VLANs through a router or Layer 3 switch. It is operationally necessary in many networks, but it also creates the policy chokepoint where weak rules or excessive exceptions can undermine the intended isolation between segments.

Expanded Definition

Inter-VLAN routing is the mechanism that lets hosts in separate VLANs exchange packets through a Layer 3 device, usually a router or a Layer 3 switch. In practice, it is the point where a network that was intentionally segmented for containment becomes routable again under explicit policy. That makes it different from simple VLAN membership, which only places interfaces into broadcast domains, and from general routing, which may connect many networks without regard to segmentation intent.

For security teams, the important distinction is that inter-VLAN routing is not just a connectivity feature. It is the enforcement layer where access between user, server, OT, guest, or management segments is permitted, restricted, inspected, or logged. Guidance on governance and control design aligns well with the NIST Cybersecurity Framework 2.0, especially where segmentation supports protective architecture and risk reduction. Definitions vary across vendors when they describe subinterfaces, SVIs, or routed firewall interfaces, but the security meaning is consistent: traffic is being allowed across an isolation boundary under policy.

The most common misapplication is treating inter-VLAN routing as a purely network engineering task, which occurs when teams enable routes before defining filtered paths, logging requirements, and administrative ownership.

Examples and Use Cases

Implementing inter-VLAN routing rigorously often introduces policy complexity, requiring organisations to weigh cleaner segmentation against the operational cost of maintaining detailed access rules and exceptions.

  • A campus network permits finance workstations in one VLAN to reach an ERP server VLAN while blocking direct access to engineering or guest VLANs.
  • A data centre uses a Layer 3 switch to route between application and database VLANs, but only after traffic passes through a firewall policy that records and restricts the sessions.
  • A healthcare environment separates clinical devices, administrative endpoints, and visitor Wi-Fi into distinct VLANs, then routes only approved service flows between them to reduce lateral movement.
  • A cloud-connected branch office uses routed VLANs for voice and data, with ACLs on the routed interface to prevent peer-to-peer access that would violate local policy.
  • A management network keeps switch administration, backup tooling, and monitoring systems in isolated VLANs, with inter-VLAN routing limited to a small set of privileged sources.

Where segmentation is part of a broader control program, practitioners often map routed trust boundaries to NIST CSF protective and monitoring outcomes, then validate that each routed path serves a documented business need. The real challenge is not whether routing works, but whether every permitted path is justified, reviewed, and observable.

Why It Matters for Security Teams

Inter-VLAN routing matters because segmentation only reduces risk when the boundaries are enforced in a disciplined way. If routing rules are too broad, a compromise in one VLAN can quickly become a path into sensitive services, management planes, or credential stores. If routing is too rigid, business units bypass the design through ad hoc exceptions, unmanaged appliances, or shadow networks, which can be even harder to secure.

Security teams should treat the routed boundary as a policy control surface: define what must be allowed, what must be denied, what must be logged, and what should trigger alerting. That approach fits naturally with NIST firewall guidance and broader segmentation practices, because the practical objective is to prevent uncontrolled east-west movement. It also intersects with identity when administrative access to routing devices, switches, and monitoring platforms is protected through strong authentication and least privilege. In other words, inter-VLAN routing is as much about who can change the path as it is about who can use it.

Organisations typically encounter the blast radius of weak inter-VLAN routing only after a compromise spreads beyond the first affected segment, at which point the routing policy becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022, NIS2 and DORA define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Segmentation and access enforcement underpin controlled communication paths across VLAN boundaries.
NIST SP 800-53 Rev 5 SC-7 Boundary protection controls address managed traffic flow between network segments.
ISO/IEC 27001:2022 A.13.1.3 Segregation in networks is a standard control area for controlling inter-network traffic.
NIS2 NIS2 expects proportionate technical measures that limit the impact of internal network compromise.
DORA Operational resilience requires controlled internal connectivity for critical networked services.

Restrict routed paths to approved flows and review cross-segment access as part of least-privilege design.