Fundamentals of VLAN's - Router On A Stick

The Cisco Learning Network Log in Register Premium Library Help
Home Certifications Community Learning Center IT Careers Store Browse Search
Home > CCENT/CCNA R&S Study Group > Documents
Actions
Fundamentals of VLAN's - Router on a stick Log in / Register to participate in the

community & access resources like:
Created by Navneet.Gaur on Feb 17, 2014 5:32 AM. Last modified by Navneet.Gaur on Aug 5, 2017 4:36 PM.
IT Training Videos and Seminars
Cisco Certification Study Groups
Cisco Certification Exam Topics
Author: Navneet Gaur
Date: Feb 2014 Register for free
now.
Description: This document tries to explain the fundamental concepts related to "router on a stick"
Note 1 Index of all my documents Learn more about The Cisco Learning
Note 2 To view the included images clearly, click on them
Network and our Premium Subscription
options.
Note 3 Irrespective of the dates of edit, Cisco Learning Network maintains the history and keeps each edited
version in its database for later reference
Note 4 www.navneetgaur.com
More Like This

Configuring VLANs
Index
Reference Layout A quick summarized view to Private
VLAN (PVLAN)
Points to consider
Dynamic Trunking Protocol.PDF
Section 1
Cheatsheets: Vlan
Sample configuration
Section 2 VLAN and trunking.docx
The inter-linking of Vlan numbers and the sub-interfaces
Section 3
Situation 1 - Standard operation & Analysis
Situation 2 - Different native vlans at both ends & Analysis Incoming Links
Situation 3 - Different native vlans at both ends, within same network & Analysis
Re: Can you Make this Vlan topology
Update: Caveat
ROAS lab. Unexpected results. Why?
05 Aug 2017 Re: Vlan and Router on a stick
question
Update: Section 3 Situation 2
The ARP problem Re: Inter-VLAN Routing
For further reading on ARP process Re: Inter-VLAN Routing via a Cisco
https://learningnetwork.cisco.com/docs/DOC-23702 1841 router
Re: Configuring Router on a stick
Important note
All the scenarios that have been mentioned in the following narration, used the following setup, with a fresh reboot
with every change in configuration
A router running IOS version 12.x
A switch running IOS version 12.x as well
Three computers running different versions of windows
One important factor that needs consideration in all the scenarios, is that,
before a ping request can be generated by the end device,
it needs to find out the mac address of its gateway, using address resolution protocol.
Accordingly, for a lab setup, where the configuration on an already configured router may be altered to check the
impact of the change, there are certain factors that merit consideration.
These considerations relate to address resolution protocol - ARP query & cache, and the following discussion
covers them to a certain extent.
https://learningnetwork.cisco.com/thread/119282
Reference Layout
*Click on the image to enlarge
Points to consider
Switch
The switch has three Vlan's configured on it
Vlan 1 has a PC attached to it with an ip address 1.1.1.1
Switch's port numbered Gi0/5 is connected to the router
Router
The router has its main interface FastEthernet 0/0 subdivided into three virtual interfaces
FastEthernet 0/0.1 with an IP address - 1.1.1.251
Section 1
Sample configuration
Switch
We are going to create three Vlan's on the switch
We are going to assign ports numbers from FastEthernet 0/1 to 0/12 to Vlan 1
We are going to connect the router to port numbered GigabitEthernet 0/5 on the switch
We are going to configure this port on the switch to work as a trunk port
Commands
configure terminal
interface range FastEthernet 0/1 - 12
! The following command is a macro
! The result is as follows
! switchport mode is set to access
! spanning-tree portfast is enabled
! channel group is disabled
switchport host
switchport access vlan 1
exit

switchport host
exit

switchport host
exit
interface GigabitEthernet 0/5

switchport trunk encapsulation dot1Q
switchport mode trunk
switchport trunk native vlan 1
switchport nonegotiate
end
--------------------
Router
We will connect one of routers FastEthernet interfaces, FastEthernet 0/0, to the switch's trunk port GigabitEthernet 0/5
Further, we will sub-divide this single FastEthernet 0/0 interface, virtually, in to three sub-interfaces
On a router, if an Ethernet interface is subdivided, it can route traffic only if it is configured to work with a trunking protocol, like ISL or
802.1q
We will associate the first sub-interface, FastEthernet 0/0.1, to Vlan numbered 1 and assign it an Ip address 1.1.1.251
We will associate the second sub-interface, FastEthernet 0/0.2, to Vlan numbered 2 and assign it an Ip address 2.1.1.251
We will associate the third sub-interface, FastEthernet 0/0.3, to Vlan numbered 3 and assign it an Ip address 3.1.1.251
Commands
configure terminal
interface FastEthernet 0/0
no shutdown
exit
interface FastEthernet 0/0.1

encapsulation dot1Q 1 native
ip address 1.1.1.251 255.0.0.0
exit

encapsulation dot1Q 2
ip address 2.1.1.251 255.0.0.0
exit

encapsulation dot1Q 3
ip address 3.1.1.251 255.0.0.0
end
--------------------
Section 2
The inter-linking of Vlan numbers and the sub-interfaces
Point 1
This association between the Vlan number and the interface,, helps the router
To decide, where to send the incoming frame for further processing, by checking its Vlan tag
If an incoming frame has an "Vlan Id 2" "clipped on" to it, then that frame will be "sent" to the sub-interface that has been associated
with Vlan-2
Logic
The interface to which an incoming frame will go to, is decided by the Vlan-Id-Tag attached on to it
If there is no Vlan-Id-Tag attached to the frame
The frame will be sent to the interface that has been configured as "native" interface using the command - Router(config-
subif)#encapsulation dot1Q vlan number native
As a default, any interface, associated with Vlan-1, is automatically configured with the native command in the running
configuration
Point 2
This association between the Vlan number and the interface, helps the router
To decide, which "Vlan Id Number" to attach, to the outgoing frames
If the frame is going out of interface numbered FastEthernet 0/0.3, then attach Vlan-3 tag on to it
Logic
The Vlan-Id-Tag that needs to be attached to a frame that leaves the router, is decided by the frames destination Ip address /
network
Note
A subdivided FastEthernet interface is different from an interface that has multiple IP addresses configured on to it
An interface with multiple Ip's still works like a single interface and cannot read data that has been encapsulated with any one of the
trunking protocols
Section 3
Situation 1: Standard operation
Two points of configuration
One at the switch
Second at the router
1. Configuration on the switch

The switch has the following configuration on its trunk port, GigabitEthernet 0/5
Commands
configure terminal
end
show interfaces GigabitEthernet 0/5 switchport

Switch#
Name: Gi0/5
---output omitted---
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (VLAN0001)
Voice VLAN: none
Logic
For frames being ejected out
If the frame is from ports in Vlan-1 - Transmit it without any modification, i.e. un-tagged
If the frame is from ports in Vlan-2 to 4094 - Transmit it after attaching an identifying tag, i.e. tagged
For frames coming in

If the frame is untagged, send it to ports in Vlan-1
If the frame is tagged, send it to the Vlan indicated by the tag
2. Configuration on the router

On the router, we will designate the sub-interface FastEthernet0/0.1 as native interface
*This has already been specified in the suggested sample configuration
Commands
configure terminal
interface fastethernet 0/0.1
encapsulation dot1q 1 native
end
Analysis
The PC attached to Vlan-1 with an IP 1.1.1.1 pings PC - 3.1.1.1, that is in Vlan-3
Step 1
A frame is sent from PC - 1.1.1.1 to its gateway at 1.1.1.251.
This is an initial arp request sent from PC - 1.1.1.1 to find the mac address of the gateway 1.1.1.251
Step 2
When this frame is "ejected" out of trunk port on the switch, it is sent unmodified
Because it is coming from a port
Which belongs to native vlan specified on the switch's trunk port
Step 3 - Part I
When this frame is received by the router, the router can "see" that the frame is unmodified
So, it directs the frame to "FastEthernet 0/0.1" which has been configured to accept unmodified frames
With the help of the command - Router(config-subif)#encapsulation dot1q 1 native earlier
Step 3 - Part II ARP

The source IP of the incoming frame is checked against the IP configured on the interface
The source Ip is from the network 1.0.0.0
The routers interface FastEthernet 0/0.1 has the network configured as 1.0.0.0 as well
Both the Ip addresses belong to the same network - 1.0.0.0, so further ARP processing takes place
Following this, PC-1.1.1.1 is able to resolve the mac address of its gateway & subsequently sends the ping frame
Step 3 - Routing
When this ping frame arrives at routers interface FastEthernet 0/0.1
The destination IP is checked
The destination network is attached to interface "FastEthernet 0/0.3"
Step 4
So, the frame is modified and a tag is attached to it that says Vlan-3 - "the Vlan that FastEthernet 0/0.3 is part of"
And the frame is ejected towards the switch
Step 5
The switch receives the frame on its trunk port GigabitEthernet 0/5
It checks the tag that reads Vlan-3
So, the switch sends the frame, out of the ports in Vlan-3
The return journey is similar

Step 1
A reply is sent from PC - 3.1.1.1 to its gateway at 3.1.1.251.
Step 2
When this frame is "ejected" out of trunk port on the switch, a tag - "Vlan-3" - is attached to this frame
Because the frame is coming from a port
Which does not belong to the native vlan specified on the switch's trunk port
Step 3 - Part I
When this frame is received by the router, the router can "see" that the frame has a tag that reads - "Vlan-3"
So, it directs the frame to "FastEthernet 0/0.3" which has been configured to accept frames having the tag - "Vlan-3"
This was done by issuing the command - Router(config-subif)#encapsulation dot1Q 3 - on this sub-interface earlier
Step 3 - Part II Routing

The destination network is attached to the interface "FastEthernet 0/0.1"
Step 4
The VLAN tag of the frame is removed and it is ejected towards the switch,
Because the interface from which this frame will be "ejected" - FastEthernet 0/0.1 - is configured as a "dot1Q native" interface on the
router
Step 5
The switch receives this frame on its trunk port GigabitEthernet 0/5
It analyzes the frame and can "see" that the frame does not have any tag attached to it
Because, the native vlan configured on this switch's trunk port, GigabitEthernet 0/5, is Vlan-1
Result
The ping is successful
Situation 2: Different native vlans at both ends

The ARP problem
Address Resolution Protocol - ARP can be considered to operate at Layer 2.5 from the perspective of Open System
Interconnection model of networking.
The reasons are as follows:

An ARP frame is limited to the local network boundary, network that can be reached by directly connected wires.
In the addressing portion, this frame includes mac addresses, to propagate itself within the network.
The contents include the senders IP address as well as the Ip address whose MAC address needs to be resolved.
And here is the catch.

If somehow an ARP frame reaches an interface that does not have the reverse path back to the sender IP address that
is included in the contents section, the router drops that reply.
The interesting part is that the contents of the frame are not "considered | supposed" to influence the routing decision.
The routing decision is influenced by IP addresses in the addressing portion of the frame, which in this case comprises
only of MAC addresses.
The ARP&problem
Scenario Topology
Consider the above topology. When R1 tries to ping 1.2.1.2, it sends an arp request out of its interface because it
considers 1.2.1.2 to be in the local network - 1.0.0.0 because of the mask of 255.0.0.0.
However, when this arp resolution request reaches R2, after reading the contents - not the address field, R2 considers
the reply to be directed for a network 1.0.0.0 that is not attached on the interface -{ Network 1.2.0.0 with a mask of
255.255.0.0 }- on which this request was received.
Therefore, R2 drops the reply.
R2#debug arp
*Mar 1 00:01:33.539: IP ARP req filtered src 1.1.1.1 c001.2ce8.0000, dst 1.2.1.2 0000.0000.0000 wrong cable,
interface FastEthernet0/0
Conclusion
That is the reason I consider ARP to operate at Layer 2.5 of the OSI model.
Although its scope is limited to the directly connected network - Layer 2,
it is still influenced by the IP networks - Layer 3, included in the contents, while replying.

One at the switch

The switch has the following configuration on its trunk port, GigabitEthernet 0/5
Commands
configure terminal
end
show interfaces GigabitEthernet 0/5 switchport

Switch#
Name: Gi0/5
Voice VLAN: none
Logic


On the router, we will designate the sub-interface FastEthernet0/0.2 as native interface
Commands
configure terminal
end
Analysis
Step 1
Step 2

Step 3 - Part I
So, it directs the frame to "FastEthernet 0/0.2" which has been configured to accept un-modified / un-tagged frames
With the help of the command - Router(config-subif)#encapsulation dot1q 2 native

For ARP reply, the source network of the incoming frame is checked against the network configured on the interface
The routers interface FastEthernet 0/0.2 has the network configured as 2.0.0.0
Both the networks are different
Therefore this arp frame is dropped
And accordingly, there is no return journey for this frame.
Step 3 - Part III

Since PC - 1.1.1.1 is unable to resolve the mac address of its gateway, further frames cannot be built.
Result
The ping is un-successful
Note
This can be modified by forcing the switch to attach a tag to all the VLANs by issuing the following command
Switch(config)#vlan dot1Q native tag
By issuing this command all the outgoing frames from a switch will be tagged and now the frame from Vlan-1 will reach
routers interface configured with Vlan-1, which in turn will be able to resolve the arp query for PC-1.1.1.1.
Situation 3: Different native vlans at both ends

However, now the IP address scheme matches on the native Vlan of the switch's trunk port, as well as the native Vlan on the
routers interface

One at the switch

The switch has the following configuration on its trunk port, just as before
configure terminal
end
Switch#
show interface GigabitEthernet 0/5 switchport
Name: Gi0/5
Voice VLAN: none
Logic

Caveat
If the tag on an incoming frame on the switch trunk port,

Somehow reads "Vlan-1", i.e., the Vlan that is configured to accept un-tagged frames, the switch will drop the frames
Caveat
With the configuration that follows
Interface FastEthernet 0/0.1 on the router no longer belongs to the native vlan
And its IP address is 2.1.1.251
When PC-1.1.1.1 tries to ping PC-2.1.1.1, the router will try to resolve PC-2.1.1.1's mac address before forwarding any
frame towards it.
ARP frames sent from the router, towards PC-2.1.1.1, will have a VLAN-1 tag attached to it.
The router will send an initial ARP request to the switch,
To find 2.1.1.1's mac address, through its FastEthernet 0/0.1 interface,
With the tag of Vlan-1 attached to it,
The switch, however, will drop it because it expects un-tagged frames for its native VLAN, which is VLAN-1 on its side.
Subsequently, the router will fail to build the frame and an error of 'encapsulation failed' will result in failed ping
This applies to the native vlan configured on the switches trunk port
The stipulation is that the native vlan of a trunk port, under standard and normal configuration, will accept un-tagged
frames and drop frames, if they are tagged with its vlan ID
That is Vlan-1 on the switch in this given scenario

On the router, we will again designate the sub-interface, FastEthernet0/0.2, which is associated with Vlan-2, as a native
interface
Commands
configure terminal
exit
However, we will change the addressing for the sub-interfaces

Commands
For FastEthernet 0/0.1
configure terminal
encapsulation dot1q 1
ip address 2.1.1.251 255.0.0.0
end
For FastEthernet 0/0.2

configure terminal
ip address 1.1.1.251 255.0.0.0
end
Analysis
Step 1
Step 2
Step 3 - Part I
So, it directs the frame to "FastEthernet 0/0.2" which has been configured to accept unmodified frames
With the help of the command - Router(config-subif)#encapsulation dot1q 2 native

The source IP of the incoming frame is checked against the IP configured on the interface
The routers interface FastEthernet 0/0.2 has the network configured as 1.0.0.0 as well
Both the Ip addresses belong to the same network - 1.0.0.0, so further ARP processing takes place
Following this, PC-1.1.1.1 is able to resolve the mac address of its gateway & subsequently sends the ping frame
Step 3 - Routing
When this ping frame arrives at routers interface FastEthernet 0/0.2
Step 4
So, the frame is modified and a tag is attached to it that says Vlan-3 - "the Vlan that FastEthernet 0/0.3 is part of"
And the frame is ejected towards the switch
Step 5
It checks the tag that reads Vlan-3
The return journey is similar

Step 1
A reply is sent from PC - 3.1.1.1 to its gateway at 3.1.1.251.
Step 2
When this frame is "ejected" out of trunk port on the switch, a tag - "Vlan-3" - is attached to this frame
Which does not belong to the native vlan specified on the switch's trunk port
Step 3 - Part I
When this frame is received by the router, the router can "see" that the frame has a tag that reads - "Vlan-3"
So, it directs the frame to "FastEthernet 0/0.3" which has been configured to accept frames having the tag - "Vlan-3"
This was done by issuing the command - Router(config-subif)#encapsulation dot1Q 3 - on this sub-interface earlier
Step 3 - Part II Routing

Step 4
The VLAN tag of the frame is removed and it is ejected towards the switch,
Because the interface from which this frame will be "ejected" - FastEthernet 0/0.2 - is configured as a "dot1Q native" interface
Step 5
It analyzes the frame and can "see" that the frame does not have any tag attached to it
Because, the native vlan configured on this switch's trunk port, GigabitEthernet 0/5, is Vlan-1
Result
The ping is successful
Final Notes
Note One
The concept of native Vlan states that any frame belonging to the native Vlan will be sent without any modifications, i.e. un-tagged
Native Vlan is specific to each trunk port separately
For example, a trunk port 1 can treat Vlan-1 as native Vlan

While, trunk port 20 can treat Vlan-20 as native
This means that when frames are ejected out of trunk port 1, if the frames originated in Vlan-1, they will remain untagged
This means that when frames are ejected out of trunk port 20, if the frames originated in Vlan-20, they will remain untagged
Also
If any unmodified frame enters trunk port 1, that frame will be sent to the ports on Vlan-1
If any unmodified frame enters trunk port 20, that frame will be sent to the ports on Vlan-20
Therefore, the native Vlan is specific to a given port
However, as a default, whenever a port operates as a trunk, Vlan-1 is automatically selected to be the native vlan for that port
This can always be modified
Note Two
Even though the switch sends frames from the native vlan without any modification, it can be forced to avoid this behavior
By issuing the command, Switch(config)#vlan dot1Q native tag , a switch can be configured to tag all the frames, even if the frames
come from native vlan configured on that trunk interface
However, this command is not available on all the switches
-------------------------
The End
92959 Views Categories: Tags:
Average User Rating
(23 ratings)
MOST LIKED
7
Comments
Milan Feb 28, 2014 4:36 AM
Great Work Navneet.......Bookmarked.....
Actions
Fabiola May 4, 2014 11:05 AM
Nice explanation Navneet!
Actions
Navneet.Gaur May 4, 2014 11:19 AM
Milan.
1. Thank you !
Fabiola.
1. Thank you for all the nice comments !
Take care, both of you,

Navneet.
Actions
Fabiola May 4, 2014 12:58 PM
You are very welcome Navneet, thanks for sharing the content you produce :)
Actions
ARandall Jun 13, 2014 5:36 AM
Great Work Naveet............again your your grapical illusrations integrated with your knowledge base helps to enchance my
understanding of the logical process of packet forwarding !
Alvin
Actions
Lee Jun 13, 2014 7:12 AM
Thank you very much!
Actions
Navneet.Gaur Jun 13, 2014 7:20 AM
Hi Alvin.
1. I appreciate your wonderful comments.
Thank you and take care,

Navneet.
Lee,
It is a pleasure !
Take care,
Navneet.
Actions
Terms & Conditions Privacy Statement Cookie Policy Trademarks Languages Follow us:

Fundamentals of VLAN's - Router On A Stick

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Fundamentals of VLAN's - Router On A Stick

Hochgeladen von

Copyright:

Verfügbare Formate

The Cisco Learning Network Log in Register Premium Library Help

Home Certifications Community Learning Center IT Careers Store Browse Search

Home > CCENT/CCNA R&S Study Group > Documents

Fundamentals of VLAN's - Router on a stick Log in / Register to participate in the

More Like This

Switch's port numbered Gi0/5 is connected to the router

interface range FastEthernet 0/13 - 24

interface range FastEthernet 0/25 - 36

interface GigabitEthernet 0/5

interface FastEthernet 0/0.1

interface FastEthernet 0/0.2

interface FastEthernet 0/0.3

*Click on the image to enlarge

*Click on the image to enlarge

1. Configuration on the switch

show interfaces GigabitEthernet 0/5 switchport

For frames coming in

2. Configuration on the router

*Click on the image to enlarge

Step 3 - Part II ARP

The return journey is similar

*Click on the image to enlarge

Step 3 - Part II Routing

Situation 2: Different native vlans at both ends

The reasons are as follows:

And here is the catch.

Two points of configuration

1. Configuration on the switch

show interfaces GigabitEthernet 0/5 switchport

For frames coming in

2. Configuration on the router

*Click on the image to enlarge

Step 3 - Part II ARP

Step 3 - Part III

Situation 3: Different native vlans at both ends

Two points of configuration

1. Configuration on the switch

For frames coming in

If the tag on an incoming frame on the switch trunk port,

2. Configuration on the router

However, we will change the addressing for the sub-interfaces

For FastEthernet 0/0.2

*Click on the image to enlarge

Step 3 - Part II ARP

The return journey is similar

*Click on the image to enlarge

Step 3 - Part II Routing

For example, a trunk port 1 can treat Vlan-1 as native Vlan

92959 Views Categories: Tags:

Average User Rating

Milan Feb 28, 2014 4:36 AM

Great Work Navneet.......Bookmarked.....

Fabiola May 4, 2014 11:05 AM

Nice explanation Navneet!

Navneet.Gaur May 4, 2014 11:19 AM

1. Thank you for all the nice comments !

Take care, both of you,

Fabiola May 4, 2014 12:58 PM

ARandall Jun 13, 2014 5:36 AM

Lee Jun 13, 2014 7:12 AM

Thank you very much!

Navneet.Gaur Jun 13, 2014 7:20 AM

1. I appreciate your wonderful comments.