Fundamentals of VLAN's - Router on a stick

    Author:Navneet Gaur
    Date:Feb 2014
    Description:This document tries to explain the fundamental concepts related to "router on a stick"
    Note 1Index of all my documents
    Note 2To view the included images clearly, click on them
    Note 3Irrespective  of the dates of edit, Cisco Learning Network maintains the history and  keeps each edited version in its database for later reference
    Note 4www.navneetgaur.com

     

     

    Index

    • Reference Layout
    • Points to consider
    • Section 1

    Sample configuration

    • Section 2

    The inter-linking of Vlan numbers and the sub-interfaces

    • Section 3

    Situation 1 - Standard operation & Analysis

    Situation 2 - Different native vlans at both ends & Analysis

    Situation 3 - Different native vlans at both ends, within same network & Analysis

    Update: Caveat


    • 05 Aug 2017

    Update: Section 3 Situation 2

    The ARP problem

    • For further reading on ARP process

    https://learningnetwork.cisco.com/docs/DOC-23702

     

    Important note

    All the scenarios that have been mentioned in the following narration, used the following setup, with a fresh reboot with every change in configuration

    • A router running IOS version 12.x
    • A switch running IOS version 12.x as well
    • Three computers running different versions of windows


    One important factor that needs consideration in all the scenarios, is that,

    • before a ping request can be generated by the end device,
    • it needs to find out the mac address of its gateway, using address resolution protocol.


    Accordingly, for a lab setup, where the configuration on an already configured router may be altered to check the impact of the change, there are certain factors that merit consideration.

    These considerations relate to address resolution protocol - ARP query & cache, and the following discussion covers them to a certain extent.

    https://learningnetwork.cisco.com/thread/119282




    Reference Layout


    *Click on the image to enlarge

    Vlan - Router on a stick - S- Reference.png

     

     

    Points to consider

     

    Switch

    The switch has three Vlan's configured on it

    • Vlan 1 has a PC attached to it with an ip address 1.1.1.1
    • Vlan 2 has a PC attached to it with an ip address 2.1.1.1
    • Vlan 3 has a PC attached to it with an ip address 3.1.1.1

     

    • Switch's port numbered Gi0/5 is connected to the router

     

    Router

    The router has its main interface FastEthernet 0/0 subdivided into three virtual interfaces

    • FastEthernet 0/0.1 with an IP address - 1.1.1.251
    • FastEthernet 0/0.2 with an IP address - 2.1.1.251
    • FastEthernet 0/0.3 with an IP address - 3.1.1.251

     

     

     

    Section 1


    Sample configuration

     

    Switch

    • We are going to create three Vlan's on the switch
    • We are going to assign ports numbers from FastEthernet 0/1 to 0/12 to Vlan 1
    • We are going to assign ports numbers from FastEthernet 0/13 to 0/24 to Vlan 2
    • We are going to assign ports numbers from FastEthernet 0/25 to 0/36 to Vlan 3

     

    • We are going to connect the router to port numbered GigabitEthernet 0/5 on the switch
    • We are going to configure this port on the switch to work as a trunk port

     

    Commands

    configure terminal

    interface range FastEthernet 0/1 - 12

    ! The following command is a macro

    ! The result is as follows

    ! switchport mode is set to access

    ! spanning-tree portfast is enabled

    ! channel group is disabled

    switchport host

    switchport access vlan 1

    exit

     

    interface range FastEthernet 0/13 - 24

    switchport host

    switchport access vlan 2

    exit

     

    interface range FastEthernet 0/25 - 36

    switchport host

    switchport access vlan 3

    exit

     

    interface GigabitEthernet 0/5

    switchport trunk encapsulation dot1Q

    switchport mode trunk

    switchport trunk native vlan 1

    switchport nonegotiate

    end

    --------------------

     

    Router

    • We will connect one of routers FastEthernet interfaces, FastEthernet 0/0, to the switch's trunk port GigabitEthernet 0/5
    • Further, we will sub-divide this single FastEthernet 0/0 interface, virtually, in to three sub-interfaces
    • On a router, if an Ethernet interface is subdivided, it can route traffic only if it is configured to work with a trunking protocol, like ISL or 802.1q

     

    • We will associate the first sub-interface, FastEthernet 0/0.1, to Vlan numbered 1 and assign it an Ip address 1.1.1.251

    • We will associate the second sub-interface, FastEthernet 0/0.2, to Vlan numbered 2 and assign it an Ip address 2.1.1.251

    • We will associate the third sub-interface, FastEthernet 0/0.3, to Vlan numbered 3 and assign it an Ip address 3.1.1.251

     

    Commands

    configure terminal

    interface FastEthernet 0/0

    no shutdown

    exit

     

    interface FastEthernet 0/0.1

    encapsulation dot1Q 1 native

    ip address 1.1.1.251 255.0.0.0

    exit

     

    interface FastEthernet 0/0.2

    encapsulation dot1Q 2

    ip address 2.1.1.251 255.0.0.0

    exit

     

    interface FastEthernet 0/0.3

    encapsulation dot1Q 3

    ip address 3.1.1.251 255.0.0.0

    end

    --------------------

     

     

     

    Section 2


    The inter-linking of Vlan numbers and the sub-interfaces

     

    Point 1

    • This association between the Vlan number and the interface,, helps the router
    • To decide, where to send the incoming frame for further processing, by checking its Vlan tag
    • If an incoming frame has an "Vlan Id 2" "clipped on" to it, then that frame will be "sent" to the sub-interface that has been associated with Vlan-2

     

    *Click on the image to enlarge

    Vlan - Router on a stick - F0.png

     

    Logic

    • The interface to which an incoming frame will go to, is decided by the Vlan-Id-Tag attached on to it
    • If there is no Vlan-Id-Tag attached to the frame
    • The frame will be sent to the interface that has been configured as "native" interface using the command - Router(config-subif)#encapsulation dot1Q vlan number native
    • As a default, any interface, associated with Vlan-1, is automatically configured with the native command in the running configuration

     

    Point 2

    • This association between the Vlan number and the interface, helps the router
    • To decide, which "Vlan Id Number" to attach, to the outgoing frames
    • If the frame is going out of interface numbered FastEthernet 0/0.3, then attach Vlan-3 tag on to it

     

    *Click on the image to enlarge

    Vlan - Router on a stick - F1m.png

     

     

    Logic

    The Vlan-Id-Tag that needs to be attached to a frame that leaves the router, is decided by the frames destination Ip address / network

     

    Note

    • A subdivided FastEthernet interface is different from an interface that has multiple IP addresses configured on to it
    • An interface with multiple Ip's still works like a single interface and cannot read data that has been encapsulated with any one of the trunking protocols

     

     

     

    Section 3


    Situation 1: Standard operation

    Two points of configuration

    • One at the switch
    • Second at the router

     

    1. Configuration on the switch

    The switch has the following configuration on its trunk port, GigabitEthernet 0/5

     

    Commands

    configure terminal

    interface GigabitEthernet 0/5

    switchport trunk native vlan 1

    end

     

    show interfaces GigabitEthernet 0/5 switchport

    Switch#

    Name: Gi0/5

    ---output omitted---

    Negotiation of Trunking: On

    Access Mode VLAN: 1 (default)

    Trunking Native Mode VLAN: 1 (VLAN0001)

    Voice VLAN: none

    ---output omitted---

     

     

    Logic

    • For frames being ejected out

          If the frame is from ports in Vlan-1 - Transmit it without any modification, i.e. un-tagged

          If the frame is from ports in Vlan-2 to 4094 - Transmit it after attaching an identifying tag, i.e. tagged

     

    • For frames coming in

          If the frame is untagged, send it to ports in Vlan-1

          If the frame is tagged, send it to the Vlan indicated by the tag

     

     

    2. Configuration on the router

    On the router, we will designate the sub-interface FastEthernet0/0.1 as native interface

    *This has already been specified in the suggested sample configuration

     

    Commands

    configure terminal

    interface fastethernet 0/0.1

    encapsulation dot1q 1 native

    end

     

     

    Analysis

    The PC attached to Vlan-1 with an IP 1.1.1.1 pings PC - 3.1.1.1, that is in Vlan-3

     

    Step 1

    • A frame is sent from PC - 1.1.1.1 to its gateway at 1.1.1.251.
    • This is an initial arp request sent from PC - 1.1.1.1 to find the mac address of the gateway 1.1.1.251

     

    Step 2

    • When this frame is "ejected" out of trunk port on the switch, it is sent unmodified
    • Because it is coming from a port
    • Which belongs to native vlan specified on the switch's trunk port

     

    *Click on the image to enlarge

    Vlan - Router on a stick - S1m.png


    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame is unmodified
    • So, it directs the frame to "FastEthernet 0/0.1" which has been configured to accept unmodified frames
    • With the help of the command - Router(config-subif)#encapsulation dot1q 1 native earlier

     

    Step 3 - Part II ARP

    • The source IP of the incoming frame is checked against the IP configured on the interface
    • The source Ip is from the network 1.0.0.0
    • The routers interface FastEthernet 0/0.1 has the network configured as 1.0.0.0 as well
    • Both the Ip addresses belong to the same network - 1.0.0.0, so further ARP processing takes place
    • Following this, PC-1.1.1.1 is able to resolve the mac address of its gateway & subsequently sends the ping frame

     

    Step 3 - Routing

    • When this ping frame arrives at routers interface FastEthernet 0/0.1
    • The destination IP is checked
    • The destination network is attached to interface "FastEthernet 0/0.3"

     

    Step 4

    • So, the frame is modified and a tag is attached to it that says Vlan-3 - "the Vlan that FastEthernet 0/0.3 is part of"
    • And the frame is ejected towards the switch

     

    Step 5

    • The switch receives the frame on its trunk port GigabitEthernet 0/5
    • It checks the tag that reads Vlan-3
    • So, the switch sends the frame, out of the ports in Vlan-3

     

     

    The return journey is similar

    Step 1

    • A reply is sent from PC - 3.1.1.1 to its gateway at 3.1.1.251.

     

    Step 2

    • When this frame is "ejected" out of trunk port on the switch, a tag - "Vlan-3" - is attached to this frame
    • Because the frame is coming from a port
    • Which does not belong to the native vlan specified on the switch's trunk port

     

    *Click on the image to enlarge

    Vlan - Router on a stick - S2.png


    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame has a tag that reads - "Vlan-3"
    • So, it directs the frame to "FastEthernet 0/0.3" which has been configured to accept frames having the tag - "Vlan-3"
    • This was done by issuing the command - Router(config-subif)#encapsulation dot1Q 3 - on this sub-interface earlier

     

    Step 3 - Part II Routing

    • The destination IP is checked
    • The destination network is attached to the interface "FastEthernet 0/0.1"

     

    Step 4

    • The VLAN tag of the frame is removed and it is ejected towards the switch,
    • Because the interface from which this frame will be "ejected" - FastEthernet 0/0.1 - is configured as a "dot1Q native" interface on the router

     

    Step 5

    • The switch receives this frame on its trunk port GigabitEthernet 0/5
    • It analyzes the frame and can "see" that the frame does not have any tag attached to it
    • So, the switch sends the frame, out of the ports in Vlan-1
    • Because, the native vlan configured on this switch's trunk port, GigabitEthernet 0/5, is Vlan-1

     

    Result

    The ping is successful

     

     

    Situation 2: Different native vlans at both ends

     

    The ARP problem

    Address Resolution Protocol - ARP can be considered to operate at Layer 2.5 from the perspective of Open System Interconnection model of networking.


    The reasons are as follows:

    • An ARP frame is limited to the local network boundary, network that can be reached by directly connected wires.
    • In the addressing portion, this frame includes mac addresses, to propagate itself within the network.
    • The contents include the senders IP address as well as the Ip address whose MAC address needs to be resolved.


    And here is the catch.

    • If somehow an ARP frame reaches an interface that does not have the reverse path back to the sender IP address that is included in the contents section, the router drops that reply.
    • The interesting part is that the contents of the frame are not "considered | supposed" to influence the routing decision.
    • The routing decision is influenced by IP addresses in the addressing portion of the frame, which in this case comprises only of MAC addresses.


    Scenario & Topology

    *Click on the image to enlarge

     

    Arp-1m.png

    • Consider the above topology. When R1 tries to ping 1.2.1.2, it sends an arp request out of its interface because it considers 1.2.1.2 to be in the local network - 1.0.0.0 because of the mask of 255.0.0.0.
    • However, when this arp resolution request reaches R2, after reading the contents - not the address field, R2 considers the reply to be directed for a network 1.0.0.0 that is not attached on the interface -{ Network 1.2.0.0 with a mask of 255.255.0.0 }- on which this request was received.
    • Therefore, R2 drops the reply.


    R2#debug arp

    *Mar  1 00:01:33.539: IP ARP req filtered src 1.1.1.1 c001.2ce8.0000, dst 1.2.1.2 0000.0000.0000 wrong cable, interface FastEthernet0/0


    Conclusion

    • That is the reason I consider ARP to operate at Layer 2.5 of the OSI model.
    • Although its scope is limited to the directly connected network - Layer 2,
    • it is still influenced by the IP networks - Layer 3, included in the contents, while replying.



    Two points of configuration

    • One at the switch
    • Second at the router

     

    1. Configuration on the switch

    The switch has the following configuration on its trunk port, GigabitEthernet 0/5


    Commands

    configure terminal

    interface GigabitEthernet 0/5

    switchport trunk native vlan 1

    end

     

    show interfaces GigabitEthernet 0/5 switchport

    Switch#

    Name: Gi0/5

    ---output omitted---

    Negotiation of Trunking: On

    Access Mode VLAN: 1 (default)

    Trunking Native Mode VLAN: 1 (VLAN0001)

    Voice VLAN: none

    ---output omitted---

     

    Logic

    • For frames being ejected out

          If the frame is from ports in Vlan-1 - Transmit it without any modification, i.e. un-tagged

          If the frame is from ports in Vlan-2 to 4094 - Transmit it after attaching an identifying tag, i.e. tagged

     

    • For frames coming in

          If the frame is untagged, send it to ports in Vlan-1

          If the frame is tagged, send it to the Vlan indicated by the tag

     

     

    2. Configuration on the router

    On the router, we will designate the sub-interface FastEthernet0/0.2 as native interface


    Commands

    configure terminal

    interface fastethernet 0/0.2

    encapsulation dot1q 2 native

    end

     

     

    Analysis

    The PC attached to Vlan-1 with an IP 1.1.1.1 pings PC - 3.1.1.1, that is in Vlan-3

     

    Step 1

    • A frame is sent from PC - 1.1.1.1 to its gateway at 1.1.1.251.
    • This is an initial arp request sent from PC - 1.1.1.1 to find the mac address of the gateway 1.1.1.251


    Step 2

    • When this frame is "ejected" out of trunk port on the switch, it is sent unmodified

    • Because it is coming from a port

    • Which belongs to native vlan specified on the switch's trunk port

     

    *Click on the image to enlarge

    Vlan - Router on a stick - NS0.png

     

    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame is unmodified
    • So, it directs the frame to "FastEthernet 0/0.2" which has been configured to accept un-modified / un-tagged frames
    • With the help of the command - Router(config-subif)#encapsulation dot1q 2 native

     

    Step 3 - Part II ARP

    • For ARP reply, the source network of the incoming frame is checked against the network configured on the interface
    • The source Ip is from the network 1.0.0.0
    • The routers interface FastEthernet 0/0.2 has the network configured as 2.0.0.0
    • Both the networks are different
    • Therefore this arp frame is dropped
    • And accordingly, there is no return journey for this frame.

     

    Step 3 - Part III

    • Since PC - 1.1.1.1 is unable to resolve the mac address of its gateway, further frames cannot be built.

     

    Result

    The ping is un-successful

     

    Note
    • This can be modified by forcing the switch to attach a tag to all the VLANs by issuing the following command Switch(config)#vlan dot1Q native tag
    • By issuing this command all the outgoing frames from a switch will be tagged and now the frame from Vlan-1 will reach routers interface configured with Vlan-1, which in turn will be able to resolve the arp query for PC-1.1.1.1.

     

     

     

    Situation 3: Different native vlans at both ends

    However, now the IP address scheme matches on the native Vlan of the switch's trunk port, as well as the native Vlan on the routers interface

     

    Two points of configuration

    • One at the switch
    • Second at the router

     

    1. Configuration on the switch

    The switch has the following configuration on its trunk port, just as before

     

    configure terminal

    interface GigabitEthernet 0/5

    switchport trunk native vlan 1

    end

     

    Switch#

    show interface GigabitEthernet 0/5 switchport

    Name: Gi0/5

    ---output omitted---

    Negotiation of Trunking: On

    Access Mode VLAN: 1 (default)

    Trunking Native Mode VLAN: 1 (VLAN0001)

    Voice VLAN: none

    ---output omitted---

     

     

    Logic

    • For frames being ejected out

          If the frame is from ports in Vlan-1 - Transmit it without any modification, i.e. un-tagged

          If the frame is from ports in Vlan-2 to 4094 - Transmit it after attaching an identifying tag, i.e. tagged


    • For frames coming in

         If the frame is untagged, send it to ports in Vlan-1   

         If the frame is tagged, send it to the Vlan indicated by the tag

     

     

    Caveat
    • If the tag on an incoming frame on the switch trunk port,
    • Somehow reads "Vlan-1", i.e., the Vlan that is configured to accept un-tagged frames, the switch will drop the frames

     

    With the configuration that follows

    • Interface FastEthernet 0/0.1 on the router no longer belongs to the native vlan
    • And its IP address is 2.1.1.251
    • When PC-1.1.1.1 tries to ping PC-2.1.1.1, the router will try to resolve PC-2.1.1.1's mac address before forwarding any frame towards it.
    • ARP frames sent from the router, towards PC-2.1.1.1, will have a VLAN-1 tag attached to it.

    The router will send an initial ARP request to the switch,

    To find 2.1.1.1's mac address, through its FastEthernet 0/0.1 interface,

    With the tag of Vlan-1 attached to it,

    • The switch, however, will drop it because it expects un-tagged frames for its native VLAN, which is VLAN-1 on its side.
    • Subsequently, the router will fail to build the frame and an error of 'encapsulation failed' will result in failed ping
    • This applies to the native vlan configured on the switches trunk port
    • The stipulation is that the native vlan of a trunk port, under standard and normal configuration, will accept un-tagged frames and drop frames, if they are tagged with its vlan ID
    • That is Vlan-1 on the switch in this given scenario

     

     

    2. Configuration on the router

    On the router, we will again designate the sub-interface, FastEthernet0/0.2, which is associated with Vlan-2, as a native interface

     

    Commands

    configure terminal

    interface FastEthernet 0/0.2

    encapsulation dot1q 2 native

    exit

     

    However, we will change the addressing for the sub-interfaces

    Commands

    For FastEthernet 0/0.1

    configure terminal

    interface fastethernet 0/0.1

    encapsulation dot1q 1

    ip address 2.1.1.251 255.0.0.0

    end

     

    For FastEthernet 0/0.2

    configure terminal

    interface fastethernet 0/0.2

    encapsulation dot1q 2 native

    ip address 1.1.1.251 255.0.0.0

    end

     

     

    Analysis

    The PC attached to Vlan-1 with an IP 1.1.1.1 pings PC - 3.1.1.1, that is in Vlan-3

     

    Step 1

    • A frame is sent from PC - 1.1.1.1 to its gateway at 1.1.1.251.
    • This is an initial arp request sent from PC - 1.1.1.1 to find the mac address of the gateway 1.1.1.251

     

    Step 2

    • When this frame is "ejected" out of trunk port on the switch, it is sent unmodified
    • Because it is coming from a port
    • Which belongs to native vlan specified on the switch's trunk port

     

    *Click on the image to enlarge

     

    Vlan - Router on a stick - NS1.png

     

    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame is unmodified
    • So, it directs the frame to "FastEthernet 0/0.2" which has been configured to accept unmodified frames
    • With the help of the command - Router(config-subif)#encapsulation dot1q 2 native

     

    Step 3 - Part II ARP

    • The source IP of the incoming frame is checked against the IP configured on the interface
    • The source Ip is from the network 1.0.0.0
    • The routers interface FastEthernet 0/0.2 has the network configured as 1.0.0.0 as well
    • Both the Ip addresses belong to the same network - 1.0.0.0, so further ARP processing takes place
    • Following this, PC-1.1.1.1 is able to resolve the mac address of its gateway & subsequently sends the ping frame

     

    Step 3 - Routing

    • When this ping frame arrives at routers interface FastEthernet 0/0.2
    • The destination IP is checked
    • The destination network is attached to interface "FastEthernet 0/0.3"

     

    Step 4

    • So, the frame is modified and a tag is attached to it that says Vlan-3 - "the Vlan that FastEthernet 0/0.3 is part of"
    • And the frame is ejected towards the switch

     

    Step 5

    • The switch receives the frame on its trunk port GigabitEthernet 0/5
    • It checks the tag that reads Vlan-3
    • So, the switch sends the frame, out of the ports in Vlan-3

     

    The return journey is similar

    Step 1

    • A reply is sent from PC - 3.1.1.1 to its gateway at 3.1.1.251.

     

    Step 2

    • When this frame is "ejected" out of trunk port on the switch, a tag - "Vlan-3" - is attached to this frame
    • Because it is coming from a port
    • Which does not belong to the native vlan specified on the switch's trunk port

     

    *Click on the image to enlarge

    Vlan - Router on a stick - NS2.png

     

    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame has a tag that reads - "Vlan-3"
    • So, it directs the frame to "FastEthernet 0/0.3" which has been configured to accept frames having the tag - "Vlan-3"
    • This was done by issuing the command - Router(config-subif)#encapsulation dot1Q 3 - on this sub-interface earlier


    Step 3 - Part II Routing

    • The destination IP is checked
    • The destination network is attached to interface "FastEthernet 0/0.2"

     

    Step 4

    • The VLAN tag of the frame is removed and it is ejected towards the switch,
    • Because the interface from which this frame will be "ejected" - FastEthernet 0/0.2 - is configured as a "dot1Q native" interface

     

    Step 5

    • The switch receives the frame on its trunk port GigabitEthernet 0/5
    • It analyzes the frame and can "see" that the frame does not have any tag attached to it
    • So, the switch sends the frame, out of the ports in Vlan-1
    • Because, the native vlan configured on this switch's trunk port, GigabitEthernet 0/5, is Vlan-1

     

    Result

    The ping is successful

     

     

     

    Final Notes

    Note One

    • The concept of native Vlan states that any frame belonging to the native Vlan will be sent without any modifications, i.e. un-tagged
    • Native Vlan is specific to each trunk port separately

     

    • For example, a trunk port 1 can treat Vlan-1 as native Vlan
    • While, trunk port 20 can treat Vlan-20 as native

     

    • This means that when frames are ejected out of trunk port 1, if the frames originated in Vlan-1, they will remain untagged
    • This means that when frames are ejected out of trunk port 20, if the frames originated in Vlan-20, they will remain untagged

     

    Also

    • If any unmodified frame enters trunk port 1, that frame will be sent to the ports on Vlan-1
    • If any unmodified frame enters trunk port 20, that frame will be sent to the ports on Vlan-20

     

    • Therefore, the native Vlan is specific to a given port
    • However, as a default, whenever a port operates as a trunk, Vlan-1 is automatically selected to be the native vlan for that port
    • This can always be modified

     

    Note Two

    • Even though the switch sends frames from the native vlan without any modification, it can be forced to avoid this behavior
    • By issuing the command, Switch(config)#vlan dot1Q native tag, a switch can be configured to tag all the frames, even if the frames come from native vlan configured on that trunk interface
    • However, this command is not available on all the switches

     

     

    -------------------------

    The End