Configuring InterVLAN Routing
- By Joe Astorino
- June 13, 2011
- 1 Comment
Introduction
In today's technical tutorial blog we are going to be looking at one of the fundamental concepts of Cisco networking: InterVLAN routing. The concepts and configuration we will be looking at today are essential both in real-world networking and for your CCNA / ICND2 exam.
Before we jump in, let's do a quick review of some terms. We are talking about inter-VLAN routing, so let's cover what that actually means. Inter-VLAN routing just means routing between VLANs. To understand routing between VLANs you need to understand what a VLAN is, what routing is, and why you need to route between VLANs in the first place.
Introduction to VLANs
A virtual local area network (VLAN) is basically a logical grouping of ports on a switch, or across multiple switches, that segments those ports into their own independent logical networks. Each VLAN is its own broadcast domain: a frame sent in one VLAN is never flooded into another. VLANs allow us to segment our networks into many different pieces for many different reasons. Many times these VLANs are segmented by function. For example, you might have a 24 port switch with 8 ports in a server VLAN, 8 ports in a wireless VLAN, and 8 ports in a user VLAN. Typically, each VLAN is associated with a single layer 3 subnet. For example, if you had a VLAN each for servers, wireless and users, the server VLAN might be the 10.10.10.0/24 network, the wireless VLAN might be the 10.10.20.0/24 network and the user VLAN might be the 10.10.30.0/24 network. Three separate VLANs, three separate networks.
Introduction to InterVLAN Routing
OK, so if VLANs segment our network into multiple independent logical networks, and each VLAN is its own layer 3 subnet, how do the VLANs communicate with each other? That is where interVLAN routing comes into play. Remember from your ICND1 studies the concept of routing. What is the purpose of a router? Generally, to route packets between different networks. Since each VLAN on the switch is its own network, if we want to pass traffic from one network to another, it needs to be routed. This is what we call interVLAN routing. So, if we have multiple VLANs on a switch and each VLAN is its own separate network, the different networks don't just magically get to talk to each other. Packets need to be routed between the networks.
There are a few different ways to do this, but we will be looking at the most fundamental one, and the one you need to be familiar with for your ICND2 exam. This is often referred to as "router on a stick". Let's look at a picture to find out why.
Here we have a simple network with one router and one switch. On the switch, we will configure three VLANs as shown above. Remember, a layer 2 switch (the kind we will be dealing with for CCNA) does not route packets, so to route between our three VLANs we need a router involved in the process. We call this "router on a stick" because for packets to get between VLANs, they must leave the switch and go up to the router. The router then routes the packet from the source VLAN to the destination VLAN and sends it right back out the same link it came in on, in a "hairpin" fashion. That means our router really needs three interfaces here, one for each VLAN. Awesome, but we only have a single fa0/0 interface on our router, so how is that going to work? Sub-interfaces. We can configure a single physical interface to carry traffic for multiple VLANs using sub-interfaces. From the router's point of view it will have three different interfaces, each one in its own network, even though we only have one physical connection. In order to send traffic for all three networks between the router and the switch, we will need a trunk. Recall that a trunk link allows us to pass more than one VLAN, with each frame carrying a tag that identifies its VLAN.
Switch Configuration
Now it's time to get into the configuration. We will create our VLANs on our switch and configure our trunk link up to the router. Port 1 connects to the router, so that will be our trunk link. Since we are working on a 48 port switch we will assign ports 2-16 to VLAN 10, ports 17-32 to VLAN 20 and ports 33-48 to VLAN 30. Let's get started:
Cat1(config)#vlan 10
Cat1(config-vlan)#name Data
Cat1(config-vlan)#vlan 20
Cat1(config-vlan)#name Voice
Cat1(config-vlan)#vlan 30
Cat1(config-vlan)#name Wireless
Cat1(config-vlan)#exit
Cat1(config)#interface range fa0/2 - 16
Cat1(config-if-range)#switchport mode access
Cat1(config-if-range)#switchport access vlan 10
Cat1(config-if-range)#description Data VLAN
Cat1(config-if-range)#no shutdown
Cat1(config-if-range)#interface range fa0/17 - 32
Cat1(config-if-range)#switchport mode access
Cat1(config-if-range)#switchport access vlan 20
Cat1(config-if-range)#description Voice VLAN
Cat1(config-if-range)#no shutdown
Cat1(config-if-range)#interface range fa0/33 - 48
Cat1(config-if-range)#switchport mode access
Cat1(config-if-range)#switchport access vlan 30
Cat1(config-if-range)#description Wireless VLAN
Cat1(config-if-range)#interface fa0/1
% Command exited out of interface range and its sub-modes.
Not executing the command for second and later interfaces
Cat1(config-if)#switchport trunk encapsulation dot1q
Cat1(config-if)#switchport mode trunk
Cat1(config-if)#no shutdown
Switch Verification
First, let's verify our VLANs were created and that the proper ports are assigned to those VLANs:
Cat1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
10   Data                             active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16
20   Voice                            active    Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                Fa0/29, Fa0/30, Fa0/31, Fa0/32
30   Wireless                         active    Fa0/33, Fa0/34, Fa0/35, Fa0/36
                                                Fa0/37, Fa0/38, Fa0/39, Fa0/40
                                                Fa0/41, Fa0/42, Fa0/43, Fa0/44
                                                Fa0/45, Fa0/46, Fa0/47, Fa0/48
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Good! Notice that Fa0/1 does not appear under any VLAN, because it is a trunk rather than an access port. Now, let's make sure our trunk link came up properly:
Cat1#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,20,30
We can see in the command output that Fa0/1 is in the trunking state and that it is an 802.1Q trunk. The "Vlans allowed on trunk" line shows the default of 1-4094, so the trunk will carry every VLAN that exists on the switch, and the native VLAN (the one sent across the trunk untagged) is still VLAN 1. That is fine for the lab, but on a production switch you would normally restrict the allowed list to the VLANs the router actually needs (switchport trunk allowed vlan 10,20,30), move the native VLAN to an unused VLAN rather than leaving it on VLAN 1, and add switchport nonegotiate so the port stops sending DTP frames. Note that switchport mode trunk forces the port to trunk, but by itself it does not stop DTP from running.
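As an added check (this script is not part of the original post), here is a small audit that parses the show interface trunk output above and reports the settings just discussed. SAMPLE is a constructed copy of Cat1's output; HARDENED is a constructed version of what the same command shows once the allowed list is limited to VLANs 10, 20 and 30 and the native VLAN is moved to an unused VLAN (999 is an assumption). The audit rules are the editor's own policy, not anything the post states.

```python
"""Audit 'show interface trunk' output for trunk settings worth tightening.

Added example, not from the original post. Note that this command cannot show
whether 'switchport nonegotiate' is configured; that has to be checked in the
running configuration.
"""

# Constructed sample: a copy of the output Cat1 produced in the post.
SAMPLE = """\
Cat1#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,20,30
"""

# Constructed sample: the same trunk after restricting the allowed list and
# moving the native VLAN to an unused VLAN (999 is an assumed value).
HARDENED = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      999

Port        Vlans allowed on trunk
Fa0/1       10,20,30

Port        Vlans allowed and active in management domain
Fa0/1       10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,20,30
"""


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_interface_trunk(text: str) -> dict:
    """Return {port: {mode, encapsulation, status, native, allowed, active}}.

    The command prints several sections, each introduced by a 'Port ...' header;
    the header text tells us which column the following rows carry.
    """
    trunks = {}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.endswith("#show interface trunk"):
            continue
        if line.startswith("Port"):
            if "Native vlan" in line:
                section = "summary"
            elif "allowed on trunk" in line:
                section = "allowed"
            elif "allowed and active" in line:
                section = "active"
            else:
                section = "other"
            continue
        fields = line.split()
        port = fields[0]
        if section == "summary":
            mode, encap, status, native = fields[1:5]
            trunks[port] = {"mode": mode, "encapsulation": encap, "status": status,
                            "native": int(native), "allowed": set(), "active": set()}
        elif section in ("allowed", "active") and port in trunks:
            trunks[port][section] = expand_vlan_list(fields[1])
    return trunks


def audit_trunks(trunks: dict, needed: set) -> dict:
    """Return a list of findings per port; 'needed' is the set of VLANs the trunk must carry."""
    findings = {}
    for port, t in trunks.items():
        issues = []
        extra = t["allowed"] - needed
        if extra:
            issues.append(f"allows {len(extra)} VLANs beyond the {sorted(needed)} it needs")
        if t["native"] == 1:
            issues.append("native VLAN is 1 (untagged frames land in the default VLAN)")
        if t["native"] in needed:
            issues.append(f"native VLAN {t['native']} is also a user VLAN")
        if t["mode"] != "on":
            issues.append(f"mode '{t['mode']}' relies on DTP negotiation")
        findings[port] = issues
    return findings


if __name__ == "__main__":
    for name, sample in (("lab", SAMPLE), ("hardened", HARDENED)):
        print(name, audit_trunks(parse_show_interface_trunk(sample), {10, 20, 30}))
```

Run against the lab output it reports two findings for Fa0/1 (the 1-4094 allowed list and native VLAN 1); against the hardened output it reports none.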
Router Configuration
For our router config, we need to create three logical sub-interfaces and give each one an IP address in the correct VLAN's subnet. We also need to tell each sub-interface which VLAN tag to use with the encapsulation dot1q command. Numbering the sub-interface to match the VLAN (fa0/0.10 for VLAN 10) is just a convention that keeps things readable; it is the encapsulation dot1q command that actually binds the sub-interface to a VLAN. That is about it!
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fa0/0
R1(config-if)#no ip address
R1(config-if)#no shutdown
R1(config-if)#interface fa0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 10.10.10.1 255.255.255.0
R1(config-subif)#description Data VLAN
R1(config-subif)#interface fa0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 10.10.20.1 255.255.255.0
R1(config-subif)#description Voice VLAN
R1(config-subif)#interface fa0/0.30
R1(config-subif)#encapsulation dot1q 30
R1(config-subif)#ip address 10.10.30.1 255.255.255.0
R1(config-subif)#description Wireless VLAN
Router Verification
Let's make sure our sub-interfaces are all up/up and that we can see routes in our routing table. We should see a directly connected route for each VLAN network.
R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES manual up                    up
FastEthernet0/0.10         10.10.10.1      YES manual up                    up
FastEthernet0/0.20         10.10.20.1      YES manual up                    up
FastEthernet0/0.30         10.10.30.1      YES manual up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
R1#
R1#show ip route connected
     10.0.0.0/24 is subnetted, 3 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0.10
C       10.10.20.0 is directly connected, FastEthernet0/0.20
C       10.10.30.0 is directly connected, FastEthernet0/0.30
Final Verification
It all looks great! Now for the final test: let's add a test host to each VLAN and make sure we can ping between them. We will put a Cisco router on each VLAN to simulate hosts. I will put R2 into VLAN 10, R4 into VLAN 20 and R5 into VLAN 30. R2 is connected to the switch on port Fa0/2, R4 on port Fa0/4 and R5 on port Fa0/5. Since we initially assigned all of those ports to VLAN 10, we need to move Fa0/4 to VLAN 20 and Fa0/5 to VLAN 30. Let's do that now:
Cat1(config)#interface fa0/4
Cat1(config-if)#switchport access vlan 20
Cat1(config-if)#interface fa0/5
Cat1(config-if)#switchport access vlan 30
OK, let's configure our test routers. Since these routers are not really being used as routers per se, but just as test hosts, we will disable IP routing and configure them with a default gateway, just like a server or end user workstation.
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#no ip routing
R2(config)#interface fa0/0
R2(config-if)#ip address 10.10.10.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip default-gateway 10.10.10.1
R4#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#no ip routing
R4(config)#interface ethernet0/0
R4(config-if)#ip address 10.10.20.4 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#ip default-gateway 10.10.20.1
R5#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R5(config)#no ip routing
R5(config)#interface ethernet0/0
R5(config-if)#ip address 10.10.30.5 255.255.255.0
R5(config-if)#no shutdown
R5(config-if)#exit
R5(config)#ip default-gateway 10.10.30.1
OK, now for the big test. Can our "host" R2 in VLAN 10 talk to the other hosts in VLANs 20 and 30? Let's find out!
R2#ping 10.10.20.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 10.10.30.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.30.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Beautiful! Let's run through what happened when R2 pinged R4. R2 wants to send a ping to 10.10.20.4. Since R2's address and mask are 10.10.10.2 255.255.255.0, it knows that 10.10.20.4 is not on its directly connected network, so it sends the packet to its default gateway, 10.10.10.1 (after resolving that address to R1's MAC address with ARP). The frame arrives on Fa0/2, an access port in VLAN 10, so it is untagged; the switch forwards it out the Fa0/1 trunk with an 802.1Q tag carrying VLAN ID 10. R1 receives the tagged frame on sub-interface fa0/0.10, looks at the destination IP address 10.10.20.4, does a route lookup and finds the directly connected route for 10.10.20.0/24 out fa0/0.20. R1 routes the packet out fa0/0.20, which means tagging it with VLAN ID 20 and sending it back down the same trunk link it came in on. The switch sees that the frame is in VLAN 20, strips the tag and delivers it to R4 on access port Fa0/4. When R4 replies, the reverse happens and the packet is routed from VLAN 20 back to VLAN 10 in the same way.
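To make that packet walk concrete, here is an added example (not code from the original post) that builds the 802.1Q-tagged frame the switch sends up the trunk for R2's ping and then performs R1's decision: accept the frame on the sub-interface whose VLAN matches the tag, pick the egress sub-interface by longest-prefix match over the connected routes, decrement the TTL, and re-tag the frame for VLAN 20 on the same link. The MAC addresses and the minimal IPv4 header builder are assumptions made for the example; ARP, checksums and the ICMP payload are not modelled, and the sub-interface table is taken from R1's configuration above.

```python
"""Simulate the router-on-a-stick packet walk: 802.1Q tagging plus R1's forwarding decision.

Added example, not code from the original post.
"""
import ipaddress
import struct

TPID_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Assumed MAC addresses for the constructed frames (not from the post).
MAC_R1 = bytes.fromhex("0200000000a1")
MAC_R2 = bytes.fromhex("0200000000a2")
MAC_R4 = bytes.fromhex("0200000000a4")

# R1's sub-interfaces as configured in the post: VLAN -> (sub-interface, connected network).
SUBINTERFACES = {
    10: ("FastEthernet0/0.10", ipaddress.ip_network("10.10.10.0/24")),
    20: ("FastEthernet0/0.20", ipaddress.ip_network("10.10.20.0/24")),
    30: ("FastEthernet0/0.30", ipaddress.ip_network("10.10.30.0/24")),
}


def build_ipv4(src: str, dst: str, payload: bytes = b"", ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options, checksum left 0): enough for the router to read the addresses."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + len(payload), 0, 0, ttl, 1, 0,  # ver/ihl, tos, len, id, flags, ttl, proto=ICMP, csum
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def tag_frame(dst_mac: bytes, src_mac: bytes, vlan: int, l3: bytes, pcp: int = 0) -> bytes:
    """Build an 802.1Q frame: TPID 0x8100 followed by TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vlan
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + l3


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, VLAN ID (None if untagged), the inner ethertype and the L3 payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}


def route_on_a_stick(frame: bytes, neighbour_macs: dict) -> tuple:
    """R1's forwarding decision for one tagged frame. Returns (egress sub-interface, re-tagged frame)."""
    f = parse_frame(frame)
    if f["vlan"] not in SUBINTERFACES:
        raise ValueError(f"no sub-interface for VLAN {f['vlan']}: frame dropped")
    if f["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is modelled")
    packet = bytearray(f["payload"])
    dst_ip = ipaddress.IPv4Address(bytes(packet[16:20]))
    # Longest-prefix match over the connected routes from 'show ip route connected'.
    candidates = [(vid, sub) for vid, sub in SUBINTERFACES.items() if dst_ip in sub[1]]
    if not candidates:
        raise ValueError(f"no route to {dst_ip}: packet dropped")
    egress_vlan, (egress_if, _net) = max(candidates, key=lambda c: c[1][1].prefixlen)
    if packet[8] <= 1:
        raise ValueError("TTL expired in transit")
    packet[8] -= 1                      # a routing hop decrements the TTL
    # Hairpin: the frame leaves on the same physical link with a new tag and R1 as the source MAC.
    return egress_if, tag_frame(neighbour_macs[str(dst_ip)], MAC_R1, egress_vlan, bytes(packet))


def walk_r2_to_r4() -> dict:
    """The ping from R2 (VLAN 10) to R4 (VLAN 20) as described in the text."""
    ip_packet = build_ipv4("10.10.10.2", "10.10.20.4", b"\x08\x00" + b"ping")
    # R2 sends an untagged frame to its gateway's MAC; the switch adds the VLAN 10 tag on Fa0/1.
    uplink = tag_frame(MAC_R1, MAC_R2, 10, ip_packet)
    egress_if, downlink = route_on_a_stick(uplink, {"10.10.20.4": MAC_R4})
    out = parse_frame(downlink)
    return {
        "ingress_vlan": parse_frame(uplink)["vlan"],
        "egress_if": egress_if,
        "egress_vlan": out["vlan"],
        "dst_mac": out["dst"],
        "ttl_after": out["payload"][8],
    }


if __name__ == "__main__":
    print(walk_r2_to_r4())
```

A frame tagged with a VLAN that has no sub-interface (say VLAN 40) is dropped by route_on_a_stick, which mirrors what R1 does with traffic for a VLAN it has not been told about.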
Summary
InterVLAN routing allows us to communicate between different VLANs. Each VLAN is an independent network of its own, so to communicate between VLANs we need to route. With a router on a stick setup, we use an 802.1Q trunk with router sub-interfaces to route between the various VLANs.
You can also check out my YouTube video on this topic here.
Joe, you finally helped me figure out the LSA type 4, which I never understood from all the texts I read and the courses I took. Many thanks.
I have read this article, which I understand fully, but one thing nags me: the switchport trunk allowed list. I've been lazy and always used VTP pruning. Is there any clear way you can make me understand the allowed list with an example?