What You’ll Learn

What You’ll Need

Importing and Starting Your Lab Image

If you are familiar with importing a lab image and spinning up the lab environment, go ahead and perform those tasks, then skip to the next lab topic. Otherwise, perform the following steps.

  1. Log in to your Cisco Modeling Labs server web interface and click the IMPORT button on the right side of the page.

Note: If you are using a reserved DevNet lab, you will need to stop any preconfigured lab topologies before importing and running the VLAN lab topology. This will free up used environment resources, helping to ensure that your lab runs smoothly.

  2. Browse to find the downloaded network topology file, Router_on_a_Stick_Topology.yaml, that will be used for this lab.

  3. Click the IMPORT button to import the lab into the system. The Import Status window will appear, showing that the lab was successfully imported.

  4. Click GO TO LAB on the Import Status window to open the Cisco Modeling Labs Workbench area and display the lab topology.

Note: If you are using the reserved DevNet lab, the lab topology may initially look a little offset like this image. To resolve this display issue, simply scale your browser window size up or down.

  5. To spin up the Router on a Stick lab resources, click the SIMULATE button on the panel below the topology diagram, and then click the START LAB button.

Note: Be sure that you do not have any of the devices in the topology selected when starting the lab, or else you’ll only start the selected device.

  6. All nodes will display a green check mark when they are fully operational. This can take 1 to 5 minutes, depending on the Cisco Modeling Labs server’s load.

Note: To save time during spin-up, you can continue to the next topic and read the introduction material.

What Is a “Router on a Stick”?

As you are probably aware, VLANs allow network administrators to logically segment the users of a switched network based on the organization’s needs or security policy. By default, members of one VLAN are blocked from communicating with members of a different VLAN. However, there are many occasions where this type of inter-VLAN communication is required for normal business operations. To enable inter-VLAN communication, the data packets need to be routed rather than switched. This means we need a Layer 3 device added to the infrastructure to enable this capability.

A router on a stick (as illustrated below) adds a router to the switched environment to provide routing capability. This deployment model uses a single trunk link configured on the switch side and a subinterface per VLAN configured on the router. It is only one of the methods that can provide this type of capability, and it is the one covered in this tutorial.

Review Switch VLAN Configuration

Based on the lab topology (shown in Step 1 below), you should have two VLANs configured on SW1. PC11 and PC12 are members of VLAN 10, while PC13 and PC14 are members of VLAN 20. You can validate this setup by reviewing the VLAN configurations on SW1.

  1. Click the SW1 switch in the lab topology to select it. The switch icon will turn blue, and the panel below the topology diagram will change to highlight topic areas for managing the switch.

  2. Click CONSOLE on the panel below the topology diagram, and then click OPEN CONSOLE in the middle of the displayed screen.

  3. The console screen will display various messages as part of the switch bootup and configuration process. Click the displayed console screen and press the Enter/Return key several times until you see the switch prompt.

Note: If your console screen does nothing when you press the Enter/Return key, click the console screen several times and make sure that the white cursor is blinking on the console screen, then try again.

  4. Access privileged EXEC mode on SW1, then run the show vlan command and review the output.

You will notice that the corresponding ports for all four lab PCs have been assigned to the appropriate VLAN.

Validate VLAN Functionality

Based on the current switch configuration, the PCs in the same VLAN should be able to communicate with each other. However, the PCs in different VLANs should not be able to communicate because the router functionality has not been configured at this time.

  1. Open the CONSOLE for PC11, using the same steps performed previously to access SW1’s console. You should see the PC11 login prompt.

  2. Log in to PC11, using the credentials cisco and cisco.

  3. From the prompt, use the ping command to test connectivity to all the other lab PCs, using the address information from the chart below.

Note: A ping on a Linux-based PC will be a continuous ping. To stop the ping, use the Ctrl + C key combination. You also have the option to specify how many pings to send. For instance, ping -c 4 192.168.2.1 would only send a count of four pings, then return the test results and automatically bring you back to the prompt.

As expected, PC11 can ping PC12 but not PC13 or PC14. This follows the current host segmentation policy as defined by the port VLAN assignments.

To enable inter-VLAN communication between your two VLANs, we need to add the router to our switched environment. The link between SW1 and RTR1 is connected and ready to go, but it must be configured as a trunk link on the switch side to allow VLAN traffic from both VLANs to traverse the link.

  1. From privileged EXEC mode on SW1, enter the following commands to configure interface G1/0 as a trunk link connecting to RTR1.

  2. To verify that G1/0 is configured for trunking and our two VLANs are allowed on the link, run the show interface trunk command.

From the output, you can see that interface G1/0’s trunking mode is on, and the status is trunking. Because you didn’t specify which VLANs are allowed on the trunk link, all VLANs are allowed to use it. Additional details are highlighted for the VLANs that are actually configured on the switch.
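The following is an added example, not the lab’s original command listing: one way to configure the trunk described above, followed by a variant that limits the trunk to the two lab VLANs instead of leaving every VLAN allowed. The switchport trunk encapsulation dot1q line is an assumption about the switch platform; it is required only on switches that also support ISL.

```cisco
! Baseline: G1/0 becomes a static 802.1Q trunk toward RTR1.
! No allowed-VLAN list is set, so every VLAN on SW1 may cross the link.
configure terminal
 interface GigabitEthernet1/0
  description Trunk to RTR1
  switchport trunk encapsulation dot1q
  switchport mode trunk
 end
!
! Restricted variant: only VLAN 10 and VLAN 20 are carried to the router.
! A VLAN created on SW1 later is not routed until it is added here.
configure terminal
 interface GigabitEthernet1/0
  switchport trunk allowed vlan 10,20
 end
!
! Verify: the "Vlans allowed on trunk" line should now list 10,20 only.
show interfaces trunk
```

With the restricted variant, a new VLAN has to be added to the allowed list before the router can see its traffic, which keeps the set of routed segments explicit.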

Configure the Router

On the router side, we have a single interface where traffic from multiple VLANs will be received. Each subinterface is configured with an IP address from the VLAN IP address pool, and this address serves as the default gateway address for that VLAN.

The default gateway is used to reach destinations that exist outside the current VLAN. If traffic is destined for an address that is not part of the source’s subnet, it gets sent to the default gateway, and the router determines where to send the traffic.

With only two VLANs in this scenario, two subinterfaces are required.

  1. Access RTR1’s command prompt by selecting the router on the topology diagram and using the CONSOLE menu option.

  2. From privileged EXEC mode, run the show ip route command.

Currently, the router has no routing entries for traffic forwarding.

  3. Enter the following commands to configure the subinterfaces and default gateway IP addresses on interface G0/0.

The subinterface ID or numeric value following the specified parent interface g0/0 can be any numeric value that you desire, as long as it falls in the range of 1 to 4094. Just remember, the subinterface ID specifies an interface; it has no other connection to the VLANs.

However, it’s best practice to match the subinterface ID value with the VLAN number for ease of identification and troubleshooting purposes. Following this thought process, subinterface g0/0.10 would correspond to VLAN 10, while subinterface g0/0.20 would correspond to VLAN 20.

The IP address configured on the subinterface is typically the first available host address in the IP address pool assigned to the VLAN. This address is the default gateway IP address used by hosts in the VLAN to reach destinations outside of the assigned subnet.

The router doesn’t care which VLAN ingress traffic belongs to because it uses the destination IP address to make forwarding decisions. In fact, the router removes the VLAN tags on ingress.

So, if the router removes VLAN tags from ingress traffic, how does it know how to tag egress traffic destined to a host on the switch? That’s where the encapsulation dot1q <vlan id> configuration comes into play. It specifies the encapsulation protocol to use, dot1q, and which VLAN tag value should be added to the egress data packet. For example, in the configuration you just added, the command encapsulation dot1q 20 says add VLAN tag 20 to all egress traffic on this interface.

The no shutdown command is issued against the parent interface because the parent interface must be up for the subinterfaces to also be up.

  4. Repeat the show ip route command.

After performing the above configurations, we now see routing entries for the two subnets associated to the configured subinterfaces. The router now has the necessary information to forward traffic from one VLAN to another. It can do a lookup to determine which interface should be used to forward traffic to a specific subnet.

When traffic egresses the interface, the applicable VLAN tag is added.
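The following is an added example, not the lab’s original command listing: a router-side configuration that follows the description in this section. The IP addresses and masks are constructed placeholders (10.0.10.0/24 for VLAN 10 and 10.0.20.0/24 for VLAN 20); substitute the values from your lab’s address chart.

```cisco
! Addresses below are constructed placeholders, not the lab's values.
configure terminal
 ! Subinterface ID matches the VLAN number by convention only;
 ! the VLAN binding comes from the encapsulation command.
 interface GigabitEthernet0/0.10
  description Default gateway for VLAN 10
  ! Set the encapsulation first: IOS rejects an IP address on a LAN
  ! subinterface that has no VLAN encapsulation configured.
  encapsulation dot1Q 10
  ip address 10.0.10.1 255.255.255.0
 !
 interface GigabitEthernet0/0.20
  description Default gateway for VLAN 20
  encapsulation dot1Q 20
  ip address 10.0.20.1 255.255.255.0
 !
 ! The parent interface carries no IP address; it only has to be up.
 interface GigabitEthernet0/0
  no shutdown
 end
!
! Verify: both subinterfaces are up/up and each subnet appears
! as a connected route.
show ip interface brief
show ip route connected
```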

Configure the PC Default Gateway

The PCs in the lab have an IP address configured that is part of the IP address pool assigned to the VLAN. But they do not have a default gateway address configured. If communication is just within the switched environment, a default gateway is not required. But if traffic needs to go to a destination outside the VLAN subnet, the default gateway is the VLAN egress point and needs to be configured.

  1. Access PC11’s command prompt via the CONSOLE menu option again. Use cisco and cisco as your credentials to log in to all PCs.

  2. From the prompt, enter the following command to configure the default gateway.

  3. Repeat this process for all other lab PCs, using the applicable commands shown here.

Validate Inter-VLAN Communication

With our new configuration in place, it’s time to see if inter-VLAN communication works as advertised.

  1. Access the command prompt for any lab PC.

  2. Ping one of the PCs assigned to the opposite VLAN. The ping should be successful, indicating that the Router on a Stick setup is working properly.

In the above example, the ping from PC13 in VLAN 20 to PC12 in VLAN 10 was successful. Feel free to test any other ping combination to validate the Router on a Stick configuration.

Congrats on completing this training tutorial! Please continue your learning through our community’s many other resources, helping folks get started on their CCNA journey.
