Network segmentation is one of those concepts that sounds straightforward until you actually sit down and try to wire it up. I wanted to go beyond just reading about VLANs — I wanted to actually configure them, watch the traffic flow, and prove inter-VLAN communication works end-to-end. So I set up a GNS3 lab using a QEMU-based Cisco Layer 3 switch, built a three-PC topology across three VLANs, and got a successful ping from PC1 all the way to PC3.
This post walks through everything: setting up GNS3 with VMware, importing the Layer 3 switch as a QEMU VM, building the topology, configuring VLANs, setting up SVIs as gateways, and verifying inter-VLAN routing works.
The Problem
By default, devices in different VLANs cannot communicate with each other. That's the whole point of VLANs — isolation. But in a real network, you still need controlled communication between segments (e.g., the Sales team reaching the IT team's servers). That's where a Layer 3 switch with SVI (Switched Virtual Interface) routing comes in.
The goal of this lab:
- Create three VLANs (VLAN 6 — SALES, VLAN 7 — HR, VLAN 8 — IT)
- Connect one VPCS (virtual PC) to each VLAN
- Configure a trunk port on the switch
- Set up SVI gateways for each VLAN
- Enable IP routing so PCs on different VLANs can ping each other
Topology
IP Plan:
| Device | Interface | IP Address | Subnet Mask | Gateway | VLAN |
|---|---|---|---|---|---|
| PC1 | e0 | 10.0.1.1 | 255.255.255.0 | 10.0.1.254 | VLAN 6 |
| PC2 | e0 | 10.0.2.1 | 255.255.255.0 | 10.0.2.254 | VLAN 7 |
| PC3 | e0 | 10.0.3.1 | 255.255.255.0 | 10.0.3.254 | VLAN 8 |
| SVI VLAN 6 | — | 10.0.1.254 | 255.255.255.0 | — | — |
| SVI VLAN 7 | — | 10.0.2.254 | 255.255.255.0 | — | — |
| SVI VLAN 8 | — | 10.0.3.254 | 255.255.255.0 | — | — |
Step 1 — Set Up GNS3 VM in VMware
Before anything else, GNS3 needs a backend VM to run QEMU-based appliances. The standard setup uses VMware Workstation with the GNS3 VM image.
- Download VMware Workstation Pro and install it (accept the EULA, add it to system PATH).
- Download the GNS3 VM
.ovafile from gns3.com/software/download-vm — choose the VMware Workstation version. - In VMware, go to File > Open, select the
.ova, give it a name, and click Import. - Power on the GNS3 VM. You'll see the GNS3 server IP and port in the console.
- Open GNS3 on your host, run the Setup Wizard, and choose Run appliances in a virtual machine.
- Select VMware as the virtualization engine, pick your imported VM from the dropdown, and finish the wizard.
- Go to Edit > Preferences > GNS3 VM, tick Enable the GNS3 VM, and click Apply.
Step 2 — Import the Layer 3 Switch as a QEMU VM
The Cisco IOSvL2 switch runs as a QEMU VM inside GNS3. Here's how to get it in.
- Download the
cisco-iosvl2.gns3aappliance file from the GNS3 Marketplace. - In GNS3, click the Switches icon in the left panel, then click + New template at the bottom.
- Choose Import an appliance (.gns3a extension) and browse to the downloaded file.
- Select Install the appliance on the GNS3 VM (recommended).
- On the required files screen, select the IOSvL2 version that shows Ready to install and click Next.
- The switch will now appear as Cisco IOSvL2 under the Switches panel.
Step 3 — Build the Topology
- Drag one Cisco IOSvL2 switch onto the canvas.
- Drag three VPCS nodes (PC1, PC2, PC3) onto the canvas.
- Connect them:
- PC1
e0→ Switche0 - PC2
e0→ Switche1 - PC3
e0→ Switche2
- PC1
- Add text labels for IP addresses, VLAN names, and gateway values.
- Start all devices (green play button).
Step 4 — Configure VLANs on the Switch
Double-click the switch to open its console. Run:
Switch> enable
Switch# configure terminal
Switch(config)# vlan 6
Switch(config-vlan)# name SALES
Switch(config-vlan)# exit
Switch(config)# vlan 7
Switch(config-vlan)# name HR
Switch(config-vlan)# exit
Switch(config)# vlan 8
Switch(config-vlan)# name IT
Switch(config-vlan)# exit
Switch# show vlan brief
Expected output:
VLAN Name Status Ports
---- -------------------------------- --------- --------------------------------
1 default active Gi0/0, Gi0/1, Gi0/2, Gi0/3
6 SALES active
7 HR active
8 IT active
Step 5 — Configure Access Ports
Assign each switch port to the correct VLAN:
Switch# configure terminal
! PC1 connects on Gi0/0 → VLAN 6
Switch(config)# interface gi0/0
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 6
Switch(config-if)# exit
! PC2 connects on Gi0/1 → VLAN 7
Switch(config)# interface gi0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 7
Switch(config-if)# exit
! PC3 connects on Gi0/2 → VLAN 8
Switch(config)# interface gi0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 8
Switch(config-if)# exit
Step 6 — Configure the Trunk Port
On a Layer 3 switch doing inter-VLAN routing, the uplink ports carrying multiple VLANs need to be trunk ports. If you have an uplink or a router-on-a-stick setup, configure it like this:
Switch(config)# interface gi0/3
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# exit
Switch# show interfaces trunk
Step 7 — Configure SVI Gateways and Enable IP Routing
This is the heart of inter-VLAN routing. Each VLAN gets a virtual interface (SVI) with an IP that acts as the default gateway for devices in that VLAN.
Switch# configure terminal
! Enable IP routing — only needed once
Switch(config)# ip routing
! SVI for VLAN 6
Switch(config)# interface vlan 6
Switch(config-if)# ip address 10.0.1.254 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
! SVI for VLAN 7
Switch(config)# interface vlan 7
Switch(config-if)# ip address 10.0.2.254 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
! SVI for VLAN 8
Switch(config)# interface vlan 8
Switch(config-if)# ip address 10.0.3.254 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# do write
Step 8 — Assign IPs to the PCs
Open each VPCS console and assign its IP and gateway:
PC1:
PC1> ip 10.0.1.1/24 10.0.1.254
PC1> save
PC2:
PC2> ip 10.0.2.1/24 10.0.2.254
PC2> save
PC3:
PC3> ip 10.0.3.1/24 10.0.3.254
PC3> save
How to Verify
1. Check VLANs exist on the switch
Switch# show vlan brief
All three VLANs (6, 7, 8) should be listed as active.
2. Check trunk interface
Switch# show interfaces trunk
Verify the trunk port is up and the expected VLANs are listed.
3. Ping from PC1 to PC3 (cross-VLAN)
PC1> ping 10.0.3.1
Expected output:
84 bytes from 10.0.3.1 icmp_seq=2 ttl=63 time=1.784 ms
84 bytes from 10.0.3.1 icmp_seq=3 ttl=63 time=1.735 ms
84 bytes from 10.0.3.1 icmp_seq=4 ttl=63 time=1.547 ms
What I Learned
Working through this lab made a few things click that had always felt a bit abstract:
VLANs are logical, not physical. Three PCs connected to the same physical switch are completely isolated from each other just by VLAN assignment. It's powerful and the configuration is surprisingly minimal.
SVIs are elegant. Instead of needing a separate router, you assign virtual IPs directly to VLAN interfaces on the L3 switch. The switch handles routing internally. ip routing is the one command that unlocks this.
Access vs. trunk is everything. Getting confused between access ports (one VLAN, for end devices) and trunk ports (multiple VLANs, for switch-to-switch or switch-to-router links) is probably the most common source of VLAN misconfigurations.
GNS3 VM setup matters. Running QEMU-based appliances like the Cisco IOSvL2 requires the GNS3 VM to be properly configured and reachable. If the VM isn't green in GNS3, the switch won't start — so fixing the VM setup first saves a lot of frustration later.
Common Mistakes
| Mistake | What Happens | Fix |
|---|---|---|
Forgetting ip routing on the switch |
Pings between VLANs fail silently | Run ip routing in global config mode |
| Wrong VLAN ID on access port | PC is in the wrong VLAN; can't reach its gateway | Double-check with show vlan brief
|
| SVI IP on wrong subnet | Gateway unreachable from the PC | Match the SVI IP to the PC's subnet |
Missing no shutdown on SVI |
SVI stays down; routing doesn't work | Always add no shutdown after assigning IP |
| GNS3 VM not running | QEMU switch won't start | Ensure VM is powered on and green in GNS3 |
| Dot1q encapsulation skipped | Trunk port won't pass VLAN traffic | Add switchport trunk encapsulation dot1q before switchport mode trunk
|
Conclusion
This lab is a great way to understand how VLANs actually work in practice — not just the theory. Setting up the environment from scratch (VMware, GNS3 VM, importing the QEMU switch) teaches you to troubleshoot the virtualization layer before you even get to networking. And once the topology is up, watching a ping travel from PC1 in VLAN 6 across the L3 switch into VLAN 8 and land on PC3 makes the whole concept of inter-VLAN routing concrete.
Top comments (0)