Configuring Inter-VLAN Routing

Friday, April 23, 2010 in Networking by slowe | 8 comments

Yesterday I completed the configuration of inter-VLAN routing (aka “router on a stick”, or RoaS) as part of my ongoing CCNA preparation. A couple people mentioned that they would find the configuration useful, so I’m posting what I have. This is by no means a comprehensive treatise on the subject; for that, you should look elsewhere. Google can find you lots of sites with more in-depth and detailed information on the reasons behind the necessary configuration.

There are two primary components in a RoaS configuration:

  1. The configuration of the VLANs and VLAN trunking port on the switch
  2. The configuration of subinterfaces on the router

I describe how to configure each component below.

VLANs and VLAN Trunking

How to create VLANs varies between various switch types. On some switches, you’ll use the vlan database command in privileged EXEC mode. On other switches, you will use the vlan <VLAN ID> command while in global configuration mode. Regardless of which method is necessary for your particular Cisco switch, you will want to ensure that the switch has all the necessary VLANs defined.

After the VLANs have been defined, then you will need to configure the switch port connected to the router as a VLAN trunk port. This is pretty well covered elsewhere, but here is a quick review of the commands (these commands assume port 15 on module 0, a Fast Ethernet port):

switch(config)# int fa0/15
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
switch(config-if)# switchport trunk allowed vlan 1,71-75
switch(config-if)# exit
switch(config)# exit
switch#

A couple notes about these commands:

  • Some switches only accept 802.1Q VLAN encapsulation; therefore, the switchport trunk encapsulation dot1q command isn’t supported because that’s the only encapsulation supported. So, the support for this command will vary from switch to switch.
  • You will want to specify the correct VLANs for your environment in the switchport trunk allowed vlan command.

At this point, the switch is configured correctly; now it’s time to move to the router.

Subinterfaces on the Router

For each VLAN that needs to be routed, you will need to create a subinterface on the router. Creating a subinterface is pretty easy, the commands look something like this:

router(config)# int fa0/0.1
router(config-if)# encapsulation dot1q 1 native
router(config-if)# ip address 192.168.1.1 255.255.255.0
router(config-if)# exit
router(config)# exit
router#

As before, there are a few notes to consider about these commands:

  • The number of the subinterface (the “1″ in fa0/0.1 above) is only locally significant and doesn’t need to match the VLAN ID, but matching the VLAN ID makes it easier to associate the subinterface with its configured VLAN ID. Again, as stated earlier, you’ll need a separate subinterface for each VLAN that you want to route.
  • Only specify the native keyword on the encapsulation dot1q command if this is the native VLAN on the switch side as well. Otherwise, the trunk won’t form as expected.
  • The IP address specified here will be the IP address of the default gateway for that VLAN/subnet.

For the physical interface itself, the interface needs to be up (so don’t issue a shutdown command), but the interface does not need to have any IP address associated with it.

With this configuration in place, you should be able to route between the VLANs; just specify the IP address of the subinterface on the router for that VLAN as the default gateway of the systems on that VLAN and you should be good to go.

If I’ve missed anything glaring please speak up in the comments and let me know.

Tags: , , ,

  1. Jason Ruz’s avatar

    Jason Ruz on Friday, April 23, 2010 at 6:32 pm

    Yeah, I ended up doing this for my home network which had a c2950-24. It should be noted that switches without anything other than 802.1q don’t need subinterfaces, making things much easier.

  2. Stef Van Dessel’s avatar

    Stef Van Dessel on Saturday, April 24, 2010 at 4:39 am

    Instead of creating sub-interfaces on physical interfaces (which can go down), it is better to create “Vlanxx” interfaces to put your L3 endpoint on. This way, the VLAN will stay active until the last physical link connected to that VLAN goes away.

    In your case:
    router(config)# int vlan1
    router(config-if)# ip address 192.168.1.1 255.255.255.0
    router(config-if)# exit
    router(config)# exit

    It doesn’t matter if the VLAN is native to a link or not.

  3. slowe’s avatar

    slowe on Saturday, April 24, 2010 at 9:05 am

    Stef,

    I *absolutely* could be wrong here…but I believe that the only way you can use VlanXX interfaces is if your switch also has Layer 3 functionality (like a Cisco Catalyst 3560 or similar). In those instances, you wouldn’t be creating a “router on a stick” configuration, you would be creating Layer 3 interfaces on the same device, and the VlanXX interfaces are definitely the best choice.

    Every single reference document I’ve seen, including the official CCNA preparation documents, specify the use of subinterfaces when configuring a “router on a stick” setup.

    Thanks!

  4. Justin Grote’s avatar

    Justin Grote on Saturday, April 24, 2010 at 3:28 pm

    Hi Scott,

    Great job on the notes. As to Stef’s comparison, it’s an either-or thing. You can either use subinterfaces or VLANs in a Cisco router (that’s whats great about Cisco, choice!), however VLANXX interfaces require you to mark an interface as a layer 2 switchport instead of using a layer 3 subinterface, so you’re not really treating it like a router port and more like a switch port, hence why the Cisco docs always talk about the subinterface method and is the most common recommended method in a router-on-a-switch design.

    Stef,

    while your method is correct, your justification doesn’t make sense because you don’t *want* those interfaces to be still available in a link failure, because if you want to do HSRP or some other form of layer 3 failover method, if the link goes down you *want* them to fail and automatically immediately fail over rather than waiting for a timeout.

    The only time you would is if you are bridging multiple interfaces together and using layer 2 technologies like STP or LACP for redundancy, but if you’re going to do that, you’re using your router more like a layer 3 switch and you should just use a layer 3 switch in that situation. Loopback addresses are a more useful way of ensuring an “always on” address for the router to use for management and routing table stabilization.

    In my opinion, Inter-VLAN routing is always best done by a layer 3 switch due to it being able to use hardware ASICS and switch that data at backplane speed between VLANs, rather than being bottlenecked up a single gigabit ethernet uplink to the router and back. You only need one layer 3 switch to perform interVLAN routing for all your other layer 2 switches. However, in a very small environment, there are benefits, such as if your router also provides non-ethernet WAN connectivity (T1, etc.) .

    Cheers,

    -Justin Grote

  5. Andy’s avatar

    Andy on Saturday, April 24, 2010 at 6:16 pm

    Scott,
    You are correct. Most Cisco “routers” (note the quotes) do not support SVI (Switch Virtual Interface) configuration (that is the interface vlanXX you mention above). Generally to do that you have to have a “switch” with L3 capabilities or a router with an Integrated Switching Module of some kind installed.
    Andy

  6. carlos’s avatar

    carlos on Sunday, June 6, 2010 at 9:06 pm

    I have a question:

    I hope someone can help me.

    I have a cisco switch 2900xl that is considered a layer two switch.
    I also have a cisco router 2621xm with two fast ethernet ports.

    I want to create vlan sub interfaces on the router on fa0/0
    ex.
    int fa0/0.20
    encapsulation dot1q 20
    ip address 192.168.2.254 255.255.255.0
    no shut

    int fa0/0.20
    encapsulation dot1q 30
    ip address 192.168.3.254 255.255.255.0
    no shut

    on the switch
    configuration:

    vlan database
    vlan 20 name 20

    vlan 30 name 30

    int vlan 20
    ip address 192.168.2.200 255.255.255.0
    no shut
    ip default-gateway 192.168.1.1
    int vlan 30
    ip address 192.168.3.200 255.255.255.0
    no shut
    ip default-gateway 192.168.1.1

    int fa0/2
    switchport mode access
    switchport access vlan 20

    int fa0/3
    switchport mode access
    switchport access vlan 30

    int fa0/5
    switchport trunk encap dot1q
    switchport mode trunk
    switchport allowed vlan 20
    switchport allowed vlan 30

    int vlan 1 – default
    ip address 192.168.1.11 255.255.255.0
    ip default-gateway 192.168.1.1
    no shut

    int fa0/1
    switchport mode access
    switchport access vlan 1

    what I’m trying to do is route all vlan traffice to one internet gateway ip 192.168.1.1. this ip belongs to IPCOP firewall with two phisical interfaces. one being red is connected to my cable modem, the other interface considered the green interface for the local network is statictly assigned 192.168.1.1, which is the gateway. This is a learning process for me, as this is my home lab, trainging for ccna. I hope this is not a burden to anyone, but any help will be greatly appreciated, if someone can school me on this.. Thank you for you time.

    on the switch i’ve cre

  7. tabang kona’s avatar

    tabang kona on Wednesday, November 17, 2010 at 8:48 am

    do you need to use the NO SHUTDOWN command when configuring a router subinterface? why?

    pleas help i’m wriitng friday

  8. no name’s avatar

    no name on Thursday, December 8, 2011 at 10:59 am

    Tabang

    you don’t need the “no shutdown” command when configuring subinterfaces, only use it on the regular interface