Inter-VLAN Routing (Router on a Stick)
In order for 2 VLANs to communicate, the traffic must be routed. This can be done either by a multi-layer switch, which has routing capabilities, or by a router (Router on a Stick).
As an example, I have 2 VLANs, VLAN 10 and VLAN 20, which have subnets 10.0.10.0/24 and 10.0.20.0/24 respectively. For traffic from one subnet to reach the other, routing has to take place. Furthermore, the switch I have used in the example below is a layer 2 switch, so there is no routing functionality available and I am forced to use a router.
This leaves me with 2 options.
1/ Plug my router into my switch with 2 cables. Configure 1 port on the router to be in subnet 10.0.10.0/24 and in VLAN 10, and configure a second port to be in subnet 10.0.20.0/24 and associate that port to VLAN 20.
This is not a major issue, and it could easily be configured; however, it requires a router with 2 interfaces free for me to use. What if I had more than 2 VLANs? What if I had 200 VLANs (not an uncommon scenario)? Not only would this mean I need a router with 200 interfaces, but it would also mean that my switch would need 200 interfaces. So far this is not looking like a very scalable solution.
2/ I can plug my router into my switch with a single cable, configure sub-interfaces on the router, and associate each sub-interface with a VLAN. This is FAR more scalable and allows me to configure more than 2 VLANs on a single interface.
NOTE: A sub-interface is a logical separation of the physical interface. Each sub-interface can be configured as if it were a physical port on the device.
As you can see from the above, option 2 is the only logical solution for scalability and ease. There is, however, one small problem with using this option. In order to have multiple VLANs sent over a single cable/port, the port needs to be configured as a trunk port. In my example I have already configured the switch and made FastEthernet 0/23 a trunk port using dot1q as my encapsulation protocol. (Port f0/23 on the switch is plugged into the router's port f0/1.)
Here is the breakdown of the configuration needed to configure a Router on a stick.
AOIP.ORG# ping 10.0.10.2
Confirming that ping does not work to the interface VLAN 10 on my switch which has IP address 10.0.10.2
AOIP.ORG# ping 10.0.20.2
Confirming that ping does not work to the interface VLAN 20 on my switch which has IP address 10.0.20.2
AOIP.ORG(config)# interface fastethernet 0/1.10
This enters the interface FastEthernet 0/1 and creates a sub-interface named ‘10’.
NOTE: It is a wise idea to name your sub-interface the same as the VLAN number you are going to allocate it to for help with troubleshooting.
AOIP.ORG(config-subif)# encapsulation dot1q 10
Configures the sub-interface to be encapsulated with dot1q, and allocates this sub-interface to VLAN 10
AOIP.ORG(config-subif)# ip address 10.0.10.1 255.255.255.0
Assigns an IP address to the sub-interface.
AOIP.ORG(config-subif)# exit
AOIP.ORG(config)# interface fastethernet 0/1.20
This enters the interface FastEthernet 0/1 and creates a sub-interface named ‘20’.
NOTE: It is a wise idea to name your sub-interface the same as the VLAN number you are going to allocate it to for help with troubleshooting.
AOIP.ORG(config-subif)# encapsulation dot1q 20
Configures the sub-interface to be encapsulated with dot1q, and allocates this sub-interface to VLAN 20
AOIP.ORG(config-subif)# ip address 10.0.20.1 255.255.255.0
Assigns an IP address to the sub-interface.
AOIP.ORG(config-subif)# exit
AOIP.ORG(config)# exit
AOIP.ORG# ping 10.0.10.2
Confirm that ping now works. You will notice the first ping failed, but this is purely an ARP delay.
AOIP.ORG# ping 10.0.20.2
Confirm that ping now works. You will notice the first ping failed, but this is purely an ARP delay.
In order to complete the design and installation of the above, all computers that are in VLAN 10 would need to have their Default-gateway configured as 10.0.10.1 and machines in VLAN 20 would need their Default-gateway configured as 10.0.20.1.
When a machine from VLAN 10 tries to communicate with a machine in VLAN 20, the following will take place:
- Packet enters the switch
- The Switch will send the packet via the TRUNK port on VLAN 10 to the router.
- The router will receive the packet on sub-interface f0/1.10 tagged as VLAN 10
- The router will remove the TAG on the packet and do a lookup in the routing table
- The router will encapsulate the packet with a TAG for VLAN 20
- The router will send the packet via the TRUNK to the switch on VLAN 20 through sub-interface f0/1.20
- The switch will receive the packet on the trunk port on VLAN 20
- The switch will send the packet to the destination computer.
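The packet walk above can be traced at the byte level. The following Python sketch is an added example, not part of the original post and not router code: it parses an 802.1Q-tagged frame, matches the tag to a sub-interface, looks up the destination subnet and re-tags the frame for the egress VLAN. The host addresses 10.0.10.5 and 10.0.20.5, the MAC addresses and the function names are constructed for illustration; MAC rewrite and TTL decrement are left out.

```python
import ipaddress
import struct

# Sub-interface table from the configuration above: VLAN ID -> (name, connected subnet)
SUBINTERFACES = {
    10: ("f0/1.10", ipaddress.ip_network("10.0.10.0/24")),
    20: ("f0/1.20", ipaddress.ip_network("10.0.20.0/24")),
}
TPID_DOT1Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_dot1q(frame: bytes):
    """Split a tagged Ethernet frame into (dst_mac, src_mac, vlan_id, payload)."""
    dst, src = frame[0:6], frame[6:12]
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_DOT1Q:
        raise ValueError("untagged frame: no sub-interface matches it")
    return dst, src, tci & 0x0FFF, frame[16:]  # low 12 bits of TCI = VLAN ID


def route_on_a_stick(frame: bytes):
    """Return (ingress sub-if, egress sub-if, re-tagged frame) for one frame."""
    dst, src, vlan_in, payload = parse_dot1q(frame)
    if vlan_in not in SUBINTERFACES:
        raise ValueError(f"no sub-interface for VLAN {vlan_in}")
    if struct.unpack("!H", payload[0:2])[0] != 0x0800:
        raise ValueError("only IPv4 is routed in this sketch")
    dst_ip = ipaddress.ip_address(payload[18:22])  # 2-byte EtherType + IPv4 offset 16
    for vlan_out, (name_out, subnet) in SUBINTERFACES.items():
        if dst_ip in subnet:
            break
    else:
        raise ValueError(f"no route to {dst_ip}")
    # Strip the old tag and write a new one for the egress VLAN (priority bits 0).
    tagged = dst + src + struct.pack("!HH", TPID_DOT1Q, vlan_out) + payload
    return SUBINTERFACES[vlan_in][0], name_out, tagged


def build_sample_frame(vlan: int, src_ip: str, dst_ip: str) -> bytes:
    """Constructed test input: minimal tagged IPv4 frame (checksum left as 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    macs = bytes.fromhex("02000000000a") + bytes.fromhex("020000000014")
    return macs + struct.pack("!HHH", TPID_DOT1Q, vlan, 0x0800) + ip_hdr
```

Calling `route_on_a_stick(build_sample_frame(10, "10.0.10.5", "10.0.20.5"))` returns the ingress sub-interface, the egress sub-interface and the frame carrying the VLAN 20 tag; a frame tagged with a VLAN that has no sub-interface is rejected.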
Below is the live demo.