Fundamentals of VLANs - Router on a stick

    Author: Navneet Gaur
    Date: Feb 2014
    Description: This document explains the fundamental concepts related to "router on a stick"
    Note 1: Index of all my documents
    Note 2: To view the included images clearly, click on them
    Note 3: Irrespective of the dates of edit, Cisco Learning Network maintains the history and keeps each edited version in its database for later reference
    Note 4: How to stop notifications that are generated when I edit any one of the pre-existing documents
    https://learningnetwork.cisco.com/message/406093

    Index

    • Reference Layout
    • Points to consider
    • Section 1 - Sample configuration
    • Section 2 - The inter-linking of Vlan numbers and the sub-interfaces
    • Section 3
          Situation 1 - Standard operation & Analysis
          Situation 2 - Different native vlans at both ends & Analysis
          Situation 3 - Different native vlans at both ends, within same network & Analysis
          Update: Caveat

    Reference Layout

    [Figure: Vlan - Router on a stick - S- Reference.png]

    Points to consider

    Switch

    The switch has three Vlans configured on it

    • Vlan 1 has a PC attached to it with the IP address 1.1.1.1
    • Vlan 2 has a PC attached to it with the IP address 2.1.1.1
    • Vlan 3 has a PC attached to it with the IP address 3.1.1.1
    • The switch's port Gi0/5 is connected to the router

    Router

    The router has its main interface FastEthernet 0/0 subdivided into three virtual interfaces (sub-interfaces)

    • FastEthernet 0/0.1 with the IP address 1.1.1.251
    • FastEthernet 0/0.2 with the IP address 2.1.1.251
    • FastEthernet 0/0.3 with the IP address 3.1.1.251

    Section 1

    Sample configuration

    Switch

    • We are going to create three Vlans on the switch
    • We are going to assign ports FastEthernet 0/1 to 0/12 to Vlan 1
    • We are going to assign ports FastEthernet 0/13 to 0/24 to Vlan 2
    • We are going to assign ports FastEthernet 0/25 to 0/36 to Vlan 3
    • We are going to connect the router to port GigabitEthernet 0/5 on the switch
    • We are going to configure this port on the switch to work as a trunk port

    Commands

    configure terminal
    interface range FastEthernet 0/1 - 12
    ! The following command is a macro; the result is as follows:
    !   switchport mode is set to access
    !   spanning-tree portfast is enabled
    !   channel group is disabled
    switchport host
    switchport access vlan 1
    exit
    interface range FastEthernet 0/13 - 24
    switchport host
    switchport access vlan 2
    exit
    interface range FastEthernet 0/25 - 36
    switchport host
    switchport access vlan 3
    exit
    interface GigabitEthernet 0/5
    switchport trunk encapsulation dot1Q
    switchport mode trunk
    switchport trunk native vlan 1
    switchport nonegotiate
    end
    --------------------

    Router

    • We will connect one of the router's FastEthernet interfaces, FastEthernet 0/0, to the switch's trunk port GigabitEthernet 0/5
    • Further, we will sub-divide this single FastEthernet 0/0 interface, virtually, into three sub-interfaces
    • On a router, a subdivided Ethernet interface can route traffic only if its sub-interfaces are configured with a trunking protocol, such as ISL or 802.1Q
    • We will associate the first sub-interface, FastEthernet 0/0.1, with Vlan 1 and assign it the IP address 1.1.1.251
    • We will associate the second sub-interface, FastEthernet 0/0.2, with Vlan 2 and assign it the IP address 2.1.1.251
    • We will associate the third sub-interface, FastEthernet 0/0.3, with Vlan 3 and assign it the IP address 3.1.1.251

    Commands

    configure terminal
    interface FastEthernet 0/0
    no shutdown
    exit
    interface FastEthernet 0/0.1
    encapsulation dot1Q 1 native
    ip address 1.1.1.251 255.0.0.0
    exit
    interface FastEthernet 0/0.2
    encapsulation dot1Q 2
    ip address 2.1.1.251 255.0.0.0
    exit
    interface FastEthernet 0/0.3
    encapsulation dot1Q 3
    ip address 3.1.1.251 255.0.0.0
    end
    --------------------

    Section 2

    The inter-linking of Vlan numbers and the sub-interfaces

    Point 1

    • The association between a Vlan number and a sub-interface helps the router decide where to send an incoming frame for further processing, by checking the frame's Vlan tag
    • If an incoming frame has the tag "Vlan Id 2" attached to it, that frame is handed to the sub-interface that has been associated with Vlan-2

    [Figure: Vlan - Router on a stick - F0.png]

    Logic

    • The sub-interface that an incoming frame goes to is decided by the Vlan-Id tag attached to it
    • If there is no Vlan-Id tag attached to the frame, the frame is sent to the sub-interface that has been configured as the "native" interface using the command - Router(config-subif)#encapsulation dot1Q <vlan number> native
    • By default, any sub-interface associated with Vlan-1 is automatically configured with the native keyword in the running configuration

    Point 2

    • The association between a Vlan number and a sub-interface also helps the router decide which "Vlan Id Number" to attach to outgoing frames
    • If a frame is going out of the sub-interface FastEthernet 0/0.3, the router attaches a Vlan-3 tag to it

    [Figure: Vlan - Router on a stick - F1m.png]

    Logic

    The Vlan-Id tag that needs to be attached to a frame leaving the router is decided by the frame's destination IP address / network, i.e. by the sub-interface through which that destination network is reached

    Note

    • A subdivided FastEthernet interface is different from an interface that has multiple IP addresses configured on it
    • An interface with multiple IPs still works like a single interface and cannot read data that has been encapsulated with any of the trunking protocols
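As an added example (not part of the original document), the following Python models Points 1 and 2 at the byte level: it builds constructed Ethernet frames with and without an 802.1Q tag, reads the 12-bit VLAN ID out of the tag, and applies the sample configuration's sub-interface table to decide which sub-interface receives a frame and which tag, if any, a frame leaving a sub-interface gets. The MAC addresses and the `ROUTER_SUBIFS` table are assumptions constructed for the example.

```python
import struct

TPID_DOT1Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed to mirror the sample configuration: sub-interface -> (VLAN id, native?)
ROUTER_SUBIFS = {
    "FastEthernet0/0.1": (1, True),   # encapsulation dot1Q 1 native
    "FastEthernet0/0.2": (2, False),  # encapsulation dot1Q 2
    "FastEthernet0/0.3": (3, False),  # encapsulation dot1Q 3
}


def build_frame(dst_mac, src_mac, vlan_id=None, payload=b""):
    """Build an Ethernet II frame; insert a 4-byte 802.1Q tag when vlan_id is given."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        # TPID 0x8100 followed by the TCI: PCP=0, DEI=0, VID in the low 12 bits
        hdr += struct.pack("!HH", TPID_DOT1Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tag(frame):
    """Return the VLAN ID carried by the frame's 802.1Q tag, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_DOT1Q:
        return None  # bytes 12-13 are already the EtherType, so no tag is present
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def select_subinterface(frame, subifs=ROUTER_SUBIFS):
    """Point 1: untagged frames go to the native sub-interface; tagged frames go to the
    sub-interface whose 'encapsulation dot1Q <n>' matches the tag. None means no
    sub-interface accepts the frame, so the router drops it."""
    vid = parse_tag(frame)
    for name, (vlan, native) in subifs.items():
        if vid is None and native:
            return name
        if vid is not None and vid == vlan:
            return name
    return None


def egress_tag(subif, subifs=ROUTER_SUBIFS):
    """Point 2: the VLAN ID stamped on a frame leaving a sub-interface, or None
    (sent untagged) when that sub-interface is the native one."""
    vlan, native = subifs[subif]
    return None if native else vlan


if __name__ == "__main__":
    router_mac, pc_mac = "00:00:5e:00:53:fe", "00:00:5e:00:53:03"  # constructed values
    for vid in (None, 2, 3, 9):
        frame = build_frame(router_mac, pc_mac, vlan_id=vid)
        print(f"tag={vid!s:>4}  ->  {select_subinterface(frame)}")
    print("leaving FastEthernet0/0.3, tag:", egress_tag("FastEthernet0/0.3"))
```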

     

     

     

    Section 3

    Situation 1: Standard operation

    Two points of configuration

    • One at the switch
    • Second at the router

    1. Configuration on the switch

    The switch has the following configuration on its trunk port, GigabitEthernet 0/5

    Commands

    configure terminal
    interface GigabitEthernet 0/5
    switchport trunk native vlan 1
    end

    Switch# show interfaces GigabitEthernet 0/5 switchport
    Name: Gi0/5
    ---output omitted---
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (VLAN0001)
    Voice VLAN: none
    ---output omitted---

    Logic

    • For frames being ejected out
          If the frame is from ports in Vlan-1 - transmit it without any modification, i.e. un-tagged
          If the frame is from ports in Vlan-2 to 4094 - transmit it after attaching an identifying tag, i.e. tagged
    • For frames coming in
          If the frame is untagged, send it to ports in Vlan-1
          If the frame is tagged, send it to the Vlan indicated by the tag

    2. Configuration on the router

    On the router, we designate the sub-interface FastEthernet 0/0.1 as the native interface
    *This has already been specified in the suggested sample configuration

    Commands

    configure terminal
    interface fastethernet 0/0.1
    encapsulation dot1q 1 native
    end

    Analysis

    The PC attached to Vlan-1 with the IP 1.1.1.1 pings the PC 3.1.1.1, which is in Vlan-3

    Step 1

    • A frame is sent from PC 1.1.1.1 to its gateway at 1.1.1.251

    Step 2

    • When this frame is "ejected" out of the trunk port on the switch, it is sent unmodified, because it is coming from a port that belongs to the native vlan specified on the switch's trunk port

    [Figure: Vlan - Router on a stick - S1m.png]

    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame is unmodified
    • So, it directs the frame to "FastEthernet 0/0.1", which has been configured to accept unmodified frames with the command - Router(config-subif)#encapsulation dot1q 1 native - earlier

    Step 3 - Part II

    • The source IP of the incoming frame is checked against the IP configured on the interface
    • The source IP is from the network 1.0.0.0
    • The router's interface FastEthernet 0/0.1 has the network 1.0.0.0 configured as well
    • Both IP addresses belong to the same network - 1.0.0.0 - so further processing takes place

    Step 3 - Routing

    • The destination IP is checked
    • The destination network is attached to the interface "FastEthernet 0/0.3"

    Step 4

    • So, the frame is modified and a tag is attached to it that says Vlan-3 - "the Vlan that FastEthernet 0/0.3 is part of"
    • And the frame is ejected towards the switch

    Step 5

    • The switch receives the frame on its trunk port GigabitEthernet 0/5
    • It checks the tag, which reads Vlan-3
    • So, the switch sends the frame out of the ports in Vlan-3

    The return journey is similar

    Step 1

    • A reply is sent from PC 3.1.1.1 to its gateway at 3.1.1.251

    Step 2

    • When this frame is "ejected" out of the trunk port on the switch, a tag - "Vlan-3" - is attached to it, because the frame is coming from a port that does not belong to the native vlan specified on the switch's trunk port

    [Figure: Vlan - Router on a stick - S2.png]

    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame has a tag that reads "Vlan-3"
    • So, it directs the frame to "FastEthernet 0/0.3", which has been configured to accept frames carrying the tag "Vlan-3"
    • This was done by issuing the command - Router(config-subif)#encapsulation dot1Q 3 - on this sub-interface earlier

    Step 3 - Part II

    • The source IP of this frame is checked against the IP configured on the interface
    • The source IP is from the network 3.0.0.0
    • The router's interface FastEthernet 0/0.3 has the network 3.0.0.0 configured as well
    • Both IP addresses belong to the same network - 3.0.0.0 - so further processing takes place

    Step 3 - Routing

    • The destination IP is checked
    • The destination network is attached to the interface "FastEthernet 0/0.1"

    Step 4

    • Now the frame is not modified; it is ejected towards the switch as it is
    • Because the interface from which this frame is "ejected" - FastEthernet 0/0.1 - is configured as the "dot1Q native" interface on the router

    Step 5

    • The switch receives this frame on its trunk port GigabitEthernet 0/5
    • It analyzes the frame and can "see" that the frame does not have any tag attached to it
    • So, the switch sends the frame out of the ports in Vlan-1, because the native vlan configured on this switch's trunk port, GigabitEthernet 0/5, is Vlan-1

    Result

    The ping is successful

    Situation 2: Different native vlans at both ends

    Two points of configuration

    • One at the switch
    • Second at the router

    1. Configuration on the switch

    The switch has the following configuration on its trunk port, GigabitEthernet 0/5

    Commands

    configure terminal
    interface GigabitEthernet 0/5
    switchport trunk native vlan 1
    end

    Switch# show interfaces GigabitEthernet 0/5 switchport
    Name: Gi0/5
    ---output omitted---
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (VLAN0001)
    Voice VLAN: none
    ---output omitted---

    Logic

    • For frames being ejected out
          If the frame is from ports in Vlan-1 - transmit it without any modification, i.e. un-tagged
          If the frame is from ports in Vlan-2 to 4094 - transmit it after attaching an identifying tag, i.e. tagged
    • For frames coming in
          If the frame is untagged, send it to ports in Vlan-1
          If the frame is tagged, send it to the Vlan indicated by the tag

    2. Configuration on the router

    On the router, we now designate the sub-interface FastEthernet 0/0.2 as the native interface

    Commands

    configure terminal
    interface fastethernet 0/0.2
    encapsulation dot1q 2 native
    end

    Analysis

    The PC attached to Vlan-1 with the IP 1.1.1.1 pings the PC 3.1.1.1, which is in Vlan-3

    Step 1

    • A frame is sent from PC 1.1.1.1 to its gateway at 1.1.1.251

    Step 2

    • When this frame is "ejected" out of the trunk port on the switch, it is sent unmodified, because it is coming from a port that belongs to the native vlan specified on the switch's trunk port

    [Figure: Vlan - Router on a stick - NS0.png]

    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame is unmodified
    • So, it directs the frame to "FastEthernet 0/0.2", which has been configured to accept un-modified / un-tagged frames with the command - Router(config-subif)#encapsulation dot1q 2 native

    Step 3 - Part II

    • The source IP of the incoming frame is checked against the IP configured on the interface
    • The source IP is from the network 1.0.0.0
    • The router's interface FastEthernet 0/0.2 has the network 2.0.0.0 configured
    • The two networks are different
    • As the incoming frame is not within the same network, further processing cannot take place
    • Therefore this frame is dropped, and accordingly there is no return journey for this frame

    Result

    The ping is un-successful

    Situation 3: Different native vlans at both ends, within the same network

    However, now the IP address scheme matches on the native Vlan of the switch's trunk port as well as on the native Vlan of the router's interface

    Two points of configuration

    • One at the switch
    • Second at the router

    1. Configuration on the switch

    The switch has the following configuration on its trunk port, just as before

    configure terminal
    interface GigabitEthernet 0/5
    switchport trunk native vlan 1
    end

    Switch# show interface GigabitEthernet 0/5 switchport
    Name: Gi0/5
    ---output omitted---
    Negotiation of Trunking: On
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (VLAN0001)
    Voice VLAN: none
    ---output omitted---

    Logic

    • For frames being ejected out
          If the frame is from ports in Vlan-1 - transmit it without any modification, i.e. un-tagged
          If the frame is from ports in Vlan-2 to 4094 - transmit it after attaching an identifying tag, i.e. tagged
    • For frames coming in
          If the frame is untagged, send it to ports in Vlan-1
          If the frame is tagged, send it to the Vlan indicated by the tag

    Caveat

    • If the tag on a frame arriving on the switch's trunk port somehow reads "Vlan-1", i.e. the Vlan that is configured to accept un-tagged frames, the switch drops the frame
    • In the present situation, frames sent towards the PC in Vlan 2 with the IP 2.1.1.1 will reach the router
    • However, when the router sends its initial ARP request towards the switch, to find the MAC address of 2.1.1.1, that request carries a Vlan-1 tag, and the switch drops it
    • Subsequently, the router fails to build the frame; an 'encapsulation failed' error results, and the ping fails
    • This applies to the native vlan configured on the switch's trunk port
    • The stipulation is that, under a standard and normal configuration, the native vlan of a trunk port accepts un-tagged frames and drops frames that are tagged with its own vlan ID
    • That is Vlan-1 in this given scenario

    2. Configuration on the router

    On the router, we again designate the sub-interface FastEthernet 0/0.2, which is associated with Vlan-2, as the native interface. However, we change the addressing of the sub-interfaces: FastEthernet 0/0.1 (Vlan-1) now carries 2.1.1.251 and FastEthernet 0/0.2 (Vlan-2, native) carries 1.1.1.251

    Commands

    configure terminal
    interface fastethernet 0/0.1
    encapsulation dot1q 1
    ! Clear the old address first: IOS rejects an address whose network overlaps that of another interface
    no ip address
    exit
    interface fastethernet 0/0.2
    encapsulation dot1q 2 native
    ip address 1.1.1.251 255.0.0.0
    exit
    interface fastethernet 0/0.1
    ip address 2.1.1.251 255.0.0.0
    end

    Analysis

    The PC attached to Vlan-1 with the IP 1.1.1.1 pings the PC 3.1.1.1, which is in Vlan-3

    Step 1

    • A frame is sent from PC 1.1.1.1 to its gateway at 1.1.1.251

    Step 2

    • When this frame is "ejected" out of the trunk port on the switch, it is sent unmodified, because it is coming from a port that belongs to the native vlan specified on the switch's trunk port

    [Figure: Vlan - Router on a stick - NS1.png]

    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame is unmodified
    • So, it directs the frame to "FastEthernet 0/0.2", which has been configured to accept unmodified frames with the command - Router(config-subif)#encapsulation dot1q 2 native

    Step 3 - Part II

    • The source IP of the incoming frame is checked against the IP configured on the interface
    • The source IP is from the network 1.0.0.0
    • The router's interface FastEthernet 0/0.2 now has the network 1.0.0.0 configured as well
    • Both IP addresses belong to the same network - 1.0.0.0 - so further processing takes place

    Step 3 - Routing

    • The destination IP is checked
    • The destination network is attached to the interface "FastEthernet 0/0.3"

    Step 4

    • So, the frame is modified and a tag is attached to it that says Vlan-3 - "the Vlan that FastEthernet 0/0.3 is part of"
    • And the frame is ejected towards the switch

    Step 5

    • The switch receives the frame on its trunk port GigabitEthernet 0/5
    • It checks the tag, which reads Vlan-3
    • So, the switch sends the frame out of the ports in Vlan-3

    The return journey is similar

    Step 1

    • A reply is sent from PC 3.1.1.1 to its gateway at 3.1.1.251

    Step 2

    • When this frame is "ejected" out of the trunk port on the switch, a tag - "Vlan-3" - is attached to it, because the frame is coming from a port that does not belong to the native vlan specified on the switch's trunk port

    [Figure: Vlan - Router on a stick - NS2.png]

    Step 3 - Part I

    • When this frame is received by the router, the router can "see" that the frame has a tag that reads "Vlan-3"
    • So, it directs the frame to "FastEthernet 0/0.3", which has been configured to accept frames carrying the tag "Vlan-3"
    • This was done by issuing the command - Router(config-subif)#encapsulation dot1Q 3 - on this sub-interface earlier

    Step 3 - Part II

    • The source IP of this incoming frame is checked against the IP configured on the interface
    • It is within the same network - 3.0.0.0 - so further processing takes place

    Step 3 - Routing

    • The destination IP is checked
    • The destination network, 1.0.0.0, is now attached to the interface "FastEthernet 0/0.2"

    Step 4

    • Now the frame is not modified; it is ejected towards the switch as it is
    • Because the interface from which this frame is "ejected" - FastEthernet 0/0.2 - is configured as the "dot1Q native" interface

    Step 5

    • The switch receives the frame on its trunk port GigabitEthernet 0/5
    • It analyzes the frame and can "see" that the frame does not have any tag attached to it
    • So, the switch sends the frame out of the ports in Vlan-1, because the native vlan configured on this switch's trunk port, GigabitEthernet 0/5, is Vlan-1

    Result

    The ping is successful
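Added example (not from the original document): a Python model of the switch trunk port and the router sub-interfaces that replays the decision steps described in Situations 1, 2 and 3 and in the Caveat, so the outcome of each ping can be predicted from the two configuration tables alone. The class and function names, the abbreviated sub-interface names and the treatment of the source-network check as a drop follow the document's narrative and are constructed for this example; real IOS also involves ARP between each PC and its gateway, which the model leaves out.

```python
import ipaddress


class TrunkPort:
    """The switch's trunk port (GigabitEthernet 0/5) with 'switchport trunk native vlan <n>'."""

    def __init__(self, native_vlan=1):
        self.native_vlan = native_vlan

    def egress(self, src_vlan):
        """Frame leaving the trunk: native-VLAN frames go untagged (None), others carry their tag."""
        return None if src_vlan == self.native_vlan else src_vlan

    def ingress(self, tag):
        """Frame arriving on the trunk: untagged -> native VLAN, tagged -> that VLAN.
        Caveat from the document: a frame tagged with the trunk's own native VLAN ID is dropped."""
        if tag is None:
            return self.native_vlan
        return None if tag == self.native_vlan else tag


class Router:
    """Router on a stick: each sub-interface is (name, vlan, native?, ip/prefix)."""

    def __init__(self, subifs):
        self.subifs = {n: (v, nat, ipaddress.ip_interface(a)) for n, v, nat, a in subifs}

    def forward(self, tag, src_ip, dst_ip):
        """Steps 3 and 4 as the document describes them: pick the ingress sub-interface by tag,
        require the source to be in its network, then route by destination network.
        Returns (egress sub-interface, egress tag) or (None, reason) when the frame is dropped."""
        in_if = next((n for n, (v, nat, _) in self.subifs.items()
                      if (tag is None and nat) or (tag is not None and tag == v)), None)
        if in_if is None:
            return None, "no sub-interface accepts this tag"
        if ipaddress.ip_address(src_ip) not in self.subifs[in_if][2].network:
            return None, f"source {src_ip} is not in the network of {in_if}"
        for n, (v, nat, addr) in self.subifs.items():
            if ipaddress.ip_address(dst_ip) in addr.network:
                return n, (None if nat else v)
        return None, "no connected network for the destination"


def router_for(situation):
    """Sub-interface tables of Situations 1, 2 and 3 (sample configuration plus each change)."""
    tables = {
        1: [("Fa0/0.1", 1, True, "1.1.1.251/8"), ("Fa0/0.2", 2, False, "2.1.1.251/8"),
            ("Fa0/0.3", 3, False, "3.1.1.251/8")],
        2: [("Fa0/0.1", 1, False, "1.1.1.251/8"), ("Fa0/0.2", 2, True, "2.1.1.251/8"),
            ("Fa0/0.3", 3, False, "3.1.1.251/8")],
        3: [("Fa0/0.1", 1, False, "2.1.1.251/8"), ("Fa0/0.2", 2, True, "1.1.1.251/8"),
            ("Fa0/0.3", 3, False, "3.1.1.251/8")],
    }
    return Router(tables[situation])


def ping(trunk, router, src_vlan, src_ip, dst_vlan, dst_ip):
    """Echo request and echo reply, each crossing the trunk twice; True when both arrive."""
    legs = ((src_vlan, src_ip, dst_vlan, dst_ip), (dst_vlan, dst_ip, src_vlan, src_ip))
    for s_vlan, s_ip, d_vlan, d_ip in legs:
        out_if, out_tag = router.forward(trunk.egress(s_vlan), s_ip, d_ip)  # Steps 2-4
        if out_if is None or trunk.ingress(out_tag) != d_vlan:             # Step 5
            return False
    return True


if __name__ == "__main__":
    gi0_5 = TrunkPort(native_vlan=1)
    for n in (1, 2, 3):
        print(f"Situation {n}: 1.1.1.1 -> 3.1.1.1 ping ok =", ping(gi0_5, router_for(n), 1, "1.1.1.1", 3, "3.1.1.1"))
    # Caveat: in Situation 3 the gateway for 2.0.0.0 sits on the Vlan-1-tagged sub-interface
    print("Situation 3 caveat: 3.1.1.1 -> 2.1.1.1 ping ok =", ping(gi0_5, router_for(3), 3, "3.1.1.1", 2, "2.1.1.1"))
```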

     

     

     

    Final Notes

    Note One

    • The concept of the native Vlan states that any frame belonging to the native Vlan is sent without any modification, i.e. un-tagged
    • The native Vlan is specific to each trunk port separately
    • For example, trunk port 1 can treat Vlan-1 as its native Vlan, while trunk port 20 can treat Vlan-20 as native
    • This means that when frames are ejected out of trunk port 1, the frames that originated in Vlan-1 remain untagged
    • Likewise, when frames are ejected out of trunk port 20, the frames that originated in Vlan-20 remain untagged

    Also

    • If an unmodified frame enters trunk port 1, that frame is sent to the ports in Vlan-1
    • If an unmodified frame enters trunk port 20, that frame is sent to the ports in Vlan-20
    • Therefore, the native Vlan is specific to a given port
    • However, by default, whenever a port operates as a trunk, Vlan-1 is automatically selected as the native vlan for that port
    • This can always be modified

    Note Two

    • Even though the switch sends frames from the native vlan without any modification, it can be forced to avoid this behavior
    • By issuing the command - Switch(config)#vlan dot1q tag native - a switch can be configured to tag all frames, even those that come from the native vlan configured on a trunk interface
    • However, this command is not available on all switches

    -------------------------

    The End