
Inter-VLAN Routing (Router on a Stick)

In order for 2 VLANs to be able to communicate, the traffic between them must be routed. This can be done either by a multi-layer switch, which has routing capabilities, or by a router.

As an example, I have 2 VLANs, VLAN 10 and VLAN 20, which have subnets 10.0.10.0/24 and 10.0.20.0/24 respectively. In order for traffic from one subnet to reach the other, routing has to take place. Furthermore, the switch I have used in the example below is a layer 2 switch, so there is no routing functionality available and I am forced to use a router.

This leaves me with 2 options.

1/ Plug my router into my switch with 2 cables. Configure 1 port on the router to be in subnet 10.0.10.0/24 and in VLAN 10, and configure a second port to be in subnet 10.0.20.0/24 and associate that port with VLAN 20.

This is not a major issue, and it is something that could easily be configured; however, it requires a router with 2 free interfaces for me to use. What if I had more than 2 VLANs? What if I had 200 VLANs (not an uncommon scenario)? Not only would this mean I need a router with 200 interfaces, it would also mean that my switch needs 200 interfaces just to connect to the router. So far this is not looking like a very scalable solution.

2/ I can plug my router into my switch with a single cable. Configure sub-interfaces on the router and associate each sub-interface with one VLAN. This is FAR more scalable and allows me to configure more than 2 VLANs on a single interface.

NOTE: A sub-interface is a logical division of a physical interface. Each sub-interface can be configured as if it were a physical port on the device.

As you can see from the above, option 2 is the only logical solution for scalability and ease. There is, however, one small problem with using this option. In order to have multiple VLANs sent over a single cable/port, the port needs to be configured as a trunk port. In my example I have already configured the switch and made FastEthernet 0/23 a trunk port using dot1q as my encapsulation protocol. (Port f0/23 on the switch is plugged into the router’s port f0/1.)

Here is the breakdown of the configuration needed to set up a router on a stick.

AOIP.ORG# ping 10.0.10.2

Confirms that the ping does not yet work to interface VLAN 10 on my switch, which has IP address 10.0.10.2.

AOIP.ORG# ping 10.0.20.2

Confirms that the ping does not yet work to interface VLAN 20 on my switch, which has IP address 10.0.20.2.

AOIP.ORG(config)# interface fastethernet 0/1.10

This enters interface FastEthernet 0/1 and creates a sub-interface numbered ‘10’. NOTE: It is a wise idea to number your sub-interface the same as the VLAN you are going to allocate it to, as it helps with troubleshooting.

AOIP.ORG(config-subif)# encapsulation dot1q 10

Configures the sub-interface to use dot1q encapsulation and allocates this sub-interface to VLAN 10.

AOIP.ORG(config-subif)# ip address 10.0.10.1 255.255.255.0

Assigns an IP address to the sub-interface. This address becomes the default gateway for VLAN 10.

AOIP.ORG(config-subif)# exit


AOIP.ORG(config)# interface fastethernet 0/1.20

This enters interface FastEthernet 0/1 and creates a sub-interface numbered ‘20’. NOTE: As above, number the sub-interface the same as the VLAN it is allocated to.

AOIP.ORG(config-subif)# encapsulation dot1q 20

Configures the sub-interface to use dot1q encapsulation and allocates this sub-interface to VLAN 20.

AOIP.ORG(config-subif)# ip address 10.0.20.1 255.255.255.0

Assigns an IP address to the sub-interface. This address becomes the default gateway for VLAN 20.

AOIP.ORG(config-subif)# exit

AOIP.ORG(config)# exit


AOIP.ORG# ping 10.0.10.2

Confirms that the ping now works. You will notice the first ping failed, but this is purely due to an ARP delay.

AOIP.ORG# ping 10.0.20.2

Confirms that the ping now works. You will notice the first ping failed, but this is purely due to an ARP delay.

To complete the design and installation of the above, all computers in VLAN 10 need their default gateway set to 10.0.10.1, and machines in VLAN 20 need their default gateway set to 10.0.20.1.


When a machine in VLAN 10 tries to communicate with a machine in VLAN 20, the following takes place:

1/ The packet enters the switch from the VLAN 10 host.

2/ The switch sends the packet out of the TRUNK port, tagged as VLAN 10, to the router.

3/ The router receives the packet on sub-interface f0/1.10, tagged as VLAN 10.

4/ The router removes the TAG from the packet and does a lookup in its routing table.

5/ The router encapsulates the packet with a TAG for VLAN 20.

6/ The router sends the packet via the TRUNK to the switch on VLAN 20 through sub-interface f0/1.20.

7/ The switch receives the packet on the trunk port, tagged as VLAN 20.

8/ The switch sends the packet to the destination computer.
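The eight steps above, together with the sub-interface configuration earlier in the post, as an added Python simulation that is not part of the original post: it builds an 802.1Q-tagged frame from a VLAN 10 host, strips the tag at the router, looks the destination up against the connected sub-interface subnets, and re-tags it for VLAN 20. The MAC addresses, host addresses and IPv4 header are constructed; the sub-interface table mirrors the two sub-interfaces configured above.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100       # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800
# Router sub-interfaces as configured in the post: VLAN ID -> (name, gateway address/mask).
SUBINTERFACES = {
    10: ("FastEthernet0/1.10", ipaddress.ip_interface("10.0.10.1/24")),
    20: ("FastEthernet0/1.20", ipaddress.ip_interface("10.0.20.1/24")),
}

def tag_frame(dst_mac, src_mac, vlan_id, ip_packet):
    """Build a frame with an 802.1Q tag (PCP 0, DEI 0) between the MACs and the IPv4 payload."""
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, vlan_id & 0x0FFF, ETHERTYPE_IPV4) + ip_packet

def parse_tag(frame):
    """Return (vlan_id, ethertype, payload), or None if the frame carries no 802.1Q tag."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, ethertype, frame[18:]

def route_on_a_stick(frame):
    """Steps 3 to 6: receive tagged on the trunk, strip the tag, route, re-tag for the egress VLAN.
    Returns ("forward", egress_subinterface, egress_vlan) or ("drop", reason)."""
    parsed = parse_tag(frame)
    if parsed is None:
        return ("drop", "untagged frame: no sub-interface matches")
    vlan_in, ethertype, ip_packet = parsed
    if vlan_in not in SUBINTERFACES:        # a VLAN with no sub-interface is never routed
        return ("drop", f"no sub-interface for VLAN {vlan_in}")
    if ethertype != ETHERTYPE_IPV4:
        return ("drop", "not an IPv4 packet")
    dst_ip = ipaddress.ip_address(ip_packet[16:20])   # IPv4 destination address field
    for vlan_out, (name, iface) in SUBINTERFACES.items():  # only connected routes exist here
        if dst_ip in iface.network:
            return ("forward", name, vlan_out)
    return ("drop", f"no route to {dst_ip}")

def ipv4_header(src, dst):
    """Constructed 20-byte IPv4 header (no options, checksum left zero) for the demo traffic."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

# Constructed sample: host 10.0.10.50 in VLAN 10 sends to 10.0.20.50 in VLAN 20 via its gateway.
ROUTER_MAC = bytes.fromhex("0000aa000001")
HOST_MAC = bytes.fromhex("0000bb000050")
FRAME_FROM_VLAN10 = tag_frame(ROUTER_MAC, HOST_MAC, 10, ipv4_header("10.0.10.50", "10.0.20.50"))
print(route_on_a_stick(FRAME_FROM_VLAN10))   # → ('forward', 'FastEthernet0/1.20', 20)
```

A frame tagged for a VLAN that has no sub-interface is dropped rather than routed, which is why the router, and any access list applied to its sub-interfaces, is the single point where traffic between VLANs can be filtered.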

 

Below is the live demo.


4 Responses to “Inter-VLAN Routing (Router on a Stick)”

  1. Saurooon Says:

    Hi,
    Thank you! I would now go on this blog every day!

  2. Gavin Says:

    This is very helpful. Would this also work if the switch in your example was a layer 3 switch configured to do the routing and is connected to a simple Internet router with DHCP used for sharing access to the Internet? How would this be configured for hosts, on their own subnet, connected directly to the switch? And can this be set up so access to the hosts can be gained from the Internet? This is what I am trying to accomplish:

    Single Router with Layer-3 Switch and with multiple LAN subnets

    Internet
        |
        | 1.1.1.0/24
        |
    Internet Router
        |
        | 10.0.0.0/24
        |
    Layer-3 Switch
        |             |             |
    LAN 1         LAN 2         LAN 3
    with UM       with UM       with UM
    10.0.1.0/24   10.0.2.0/24   10.0.3.0/24

  3. Jay Says:

    Hi Gavin,

    If you had a multi layer switch (Layer 3 switch) then yes, you could bypass the router altogether.
    So let’s look at that first, before we get into the second step of having a router connected to the internet as well.

    On the switch you would require 2 VLAN interfaces, since the hosts in each VLAN still require a default gateway in their own subnet.
    This can be achieved with the ‘interface vlan {vlan number}’ command, which will put you into the ‘virtual interface’ of the VLAN.
    You could then attach an IP address to that interface, and do the same for your second VLAN as well.
    You then need to make sure that routing has been enabled on the multi layer switch with the command ‘ip routing’.

    At this point the hosts in VLAN 10 (as an example) would use the IP address of ‘interface vlan 10’ as their default gateway.
    Hosts in VLAN 20 would use the IP address of ‘interface vlan 20’ as their default gateway, and traffic would be routed between the 2 VLANs.

    Your second point was regarding DHCP on the router. You could actually configure this on the multi-layer switch as well, giving the switch the capabilities to issue IP addresses to the hosts, which is my preferred method.

    So granting the users access to the internet would just involve a static route on the switch pointing to the internet router.
    “ip route 0.0.0.0 0.0.0.0 {ip address of the router}”

    Your last point is to have the hosts accessible from the internet; this really depends on the internet service that you are using.
    In order to have the hosts connect to the internet, NAT needs to be configured on the internet router to translate all internal addresses into a single (usually) IP address that is public (often referred to as NAT overload or PAT). However, in order for the reverse to happen, each internal host requires its own public IP address, and this would be achieved using static NAT on the internet router to associate a public IP address with each of the internal hosts. This of course is only possible if you have multiple public addresses, and that depends on the type of service you have from your internet service provider.

    Hope this helps out, and feel free to ask if any of the above needs clarification, or if I missed the point.

    Regards,
    Jay

  4. Christina Alliance Says:

    I am absolutely blown away at how terrific the stuff is on this site. I have written down this website and I really intend on coming back to the site in the next few days. Great job keep up the great work!
