Configuring InterVLAN Routing on Cisco Routers (Router on a stick)
In order for workstations from one VLAN to communicate with hosts that are located in other VLANs, even if they are connected to the same Layer 2 switch, you need to have a router that would handle the Layer 3 routing between the different VLANs. The router has to be connected to the switch through a Trunk port. When traffic is sent over a trunk port, each packet is marked with the VLAN number to which it belongs. This allows the participating devices to handle the packets correctly.
The trunk interface on the router is divided into subinterfaces with the matching IP addresses for each VLAN subnet.
Here we have an example of a configured trunk port on a Cisco 2811 router that is connected to a Layer 2 switch:
Enter the configuration mode:
Enter the interface configuration mode for the FastEthernet0/0 interface and clear previous configuration:
interface FastEthernet0/0
no ip address
Configure the interface for the default VLAN 1 that serves as the network management VLAN (notice how we don’t create a FastEthernet0/0.1 subinterface because this is the default, or native, VLAN):
ip address 192.168.1.1 255.255.255.0
Configure the subinterface for the Sales Department:
interface FastEthernet0/0.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0
Configure the subinterface for the Accounting Department:
interface FastEthernet0/0.20
encapsulation dot1q 20
ip address 192.168.20.1 255.255.255.0
Configure the subinterface for the Administration Department:
interface FastEthernet0/0.100
encapsulation dot1q 100
ip address 192.168.100.1 255.255.255.0
I highly recommend adding a description to each subinterface with the “description” command. This has no effect on any other interface settings, but makes the configuration much easier to read and return to.
Important! Note how we reference the VLAN number (20) in the “encapsulation dot1q <20>” command and in the subinterface name “interface FastEthernet0/0.20”. You can actually enter any number you want for the subinterface, after the period (FastEthernet0/0.X), but in the encapsulation configuration you must enter the exact and correct VLAN number of the subnet you’re configuring.
On your Layer 2 switch you also need to have a trunk port, in addition to the access ports that connect users from various VLANs (a separate article describes how to configure that).
After you make sure that the switch has the trunk port configured and that all of the needed VLANs have been created with the correct VLAN numbers (10, 20 and 100), connect the switch trunk port to the FastEthernet0/0 interface of the router.
In order for hosts from different VLANs to be able to communicate with each other, you need to have the following in place:
- each workstation needs to be connected to an access port on the switch that is configured with the correct VLAN
- each port connected to a workstation needs to have the following configuration lines present:
switchport access vlan X
For example, a port connecting a workstation from the Accounting Department:
switchport access vlan 20
- each workstation needs to have an IP address from the correct subnet.
For example, a host in the Sales Department would have an IP address of 192.168.10.5 255.255.255.0.
- each workstation needs to be configured with the correct default gateway – it should be set to the IP address of the subinterface on the router that belongs to the same VLAN as the workstation.
For example, for the Sales Department this would be 192.168.10.1.
- all the relevant interfaces on the switch and the router need to be up and connected
The command “show ip inter brief” will show you the state of all interfaces on each device. The interfaces in use should have a state of “Up/Up”.
The above configuration should result in all hosts being able to reach all other hosts, no matter which VLAN they belong to (including the IP addresses on the router’s interfaces). You should check reachability by issuing the “ping” command from any host or from the router.
Don’t forget to save the configuration with the “write” or “copy run start” commands. Otherwise you will lose all your configuration changes after the next reload.
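An offline check of the rules above, as an added example that is not part of the original article: it reads a router configuration, maps each VLAN to its gateway using the “encapsulation dot1q” value rather than the subinterface name, and checks a workstation's address and default gateway against it. The function names and the sample configuration are constructed for illustration, and the native VLAN is assumed to be 1, as in the article.

```python
import ipaddress
import re

# Constructed sample: the router configuration this article builds up.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/0.20
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0
interface FastEthernet0/0.100
 encapsulation dot1q 100
 ip address 192.168.100.1 255.255.255.0
"""

def parse_gateways(config, native_vlan=1):
    """Return {vlan: IPv4Interface}; the VLAN comes from 'encapsulation dot1q', not the name."""
    gateways, vlan = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)$", line):
            # The physical interface carries the native VLAN (assumed 1); a
            # subinterface has no VLAN until its encapsulation line is seen.
            vlan = None if "." in m.group(1) else native_vlan
        elif m := re.match(r"encapsulation dot1q (\d+)", line, re.I):
            vlan = int(m.group(1))
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            if vlan is None:
                raise ValueError("subinterface has an IP address but no dot1q encapsulation")
            gateways[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return gateways

def check_host(gateways, vlan, ip, mask, default_gateway):
    """Return a list of problems with one workstation's settings (empty list = OK)."""
    if vlan not in gateways:
        return [f"VLAN {vlan} has no subinterface on the router"]
    router, problems = gateways[vlan], []
    host = ipaddress.ip_interface(f"{ip}/{mask}")
    if host.network != router.network:
        problems.append(f"{host} is not in the VLAN {vlan} subnet {router.network}")
    if ipaddress.ip_address(default_gateway) != router.ip:
        problems.append(f"default gateway should be {router.ip}, not {default_gateway}")
    return problems
```

Calling check_host(parse_gateways(SAMPLE_CONFIG), 10, "192.168.10.5", "255.255.255.0", "192.168.10.1") returns an empty list for the Sales Department host used in the article.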