In my last post, I walked through the basic ideas behind inter-VLAN routing; be sure to read the article if you need to. The set-up involved connecting a port in each VLAN to a router Ethernet interface, and the router was unaware of the VLANs: as far as it was concerned, it was simply routing traffic at layer 3. Nevertheless, the mechanism allowed one VLAN to communicate with another, which was the intended goal. But, as you may have noted, it was far from an efficient scenario—although mastering it is excellent training in understanding the core concepts of VLANs.
What are its chief deficiencies? First, we must use a switch port in each VLAN to uplink to the router. With two VLANs, this is not much of a problem, but what about twenty VLANs? We’ll probably need to trunk in a switch purely for holding all the uplinks! We would then have to carefully ensure that each port was placed in the right VLAN. Worse, we’d need twenty physical router interfaces. Clearly, this approach will not scale to any appreciable size.
Fortunately, a solution is available, and it is usually called a router-on-a-stick. It requires only one switch port to be used, and one physical router interface. As you may have guessed, it takes advantage of a switch’s trunking ability, which uses IEEE 802.1Q tagging to be able to identify and pass frames from any VLAN over a trunk link.
Here is our starting scenario: we have John and Paul in VLAN 2, named RubberSoul on the switch, and George and Ringo in VLAN 3, named Revolver. All the other ports are assigned to a default VLAN which I’ve created, numbered 50. You can read about the why and wherefores of this in my previous VLAN articles. The router has an Ethernet0 interface, which is connected to the switch’s Gi0/24 port, and this is the only uplink we need. As for the IP details, John and Paul are in the 192.168.1.0 network, and George and Ringo are in 192.168.2.0.
To start our configuration, we’ll make Gi0/24 a trunk port with 802.1Q encapsulation:
Switch> enable Switch# configure terminal Switch(config)# interface gi0/24 Switch(config-if)# description Uplink to Router Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport trunk native vlan 50 Switch(config-if)# end Switch# show interfaces gi0/24 trunk ---Sample output--- Port Mode Encapsulation Status Native vlan ---- ---- ------------- ------ ----------- Gi0/24 on 802.1q trunking 50 Port Vlans allowed on trunk Gi0/24 1-4094 ---Output omitted---
Having made the port a trunk, I set its native VLAN to 50, which is the custom default we’re using here. Recall that 802.1Q does not tag frames in the native VLAN as they cross the trunk—although, in this scenario, we won’t be using the default VLAN anyway. Issuing show vlan brief simply confirms the settings already in place as per the schematic: John and Paul are in VLAN 2 (RubberSoul) and George and Ringo are in VLAN 3 (Revolver):
Switch# show vlan brief ---Sample output--- VLAN Name Status Ports ---- ---- ------ ----- 1 default active 2 RubberSoul active Gi0/1, Gi0/2 3 Revolver active Gi0/3, Gi0/4 50 Default active Gi0/5, Gi0/6, Gi0/7, Gi0/8 Gi0/9, Gi0/10, Gi0/11, Gi0/12 ---More ports omitted---
It’s time to configure the router. Since we have only one router interface here, how can we establish it as the default gateway in each VLAN? After all, the example in my previous article used a separate physical router interface for each VLAN, and those interfaces were assigned IP addresses in their appropriate networks. We can’t assign multiple IP addresses to a single router interface.
The problem is solved via the use of subinterfaces, which you can think of as logical interfaces associated with a single physical interface. We will create a subinterface on E0 for each VLAN network; since we have two VLANs we wish to route between, this will entail the creation of two subinterfaces, identified as E0.1 and E0.2. Each one of these ‘virtual’ interfaces is given an IP address in the relevant network, as you might expect, and is also associated with the correct VLAN. Enough theory—the practice is quite straightforward:
Router> en Router# configure terminal Router(config)# interface e0.1 Router(config-subif)# description Interface in RubberSoul VLAN Router(config-subif)# ip address 192.168.1.254 255.255.255.0 Router(config-subif)# encapsulation dot1q 2 Router(config-subif)# interface e0.2 Router(config-subif)# description Interface in Revolver VLAN Router(config-subif)# ip address 192.168.2.254 255.255.255.0 Router(config-subif)# encapsulation dot1q 3
Note the prompt the IOS shows when configuring a subinterface. As with a ‘real’ interface, you can assign a description as well as an IP address. The new command here is encapsulation dot1q, which is followed by the VLAN number with which to associate this subinterface. Since we also have a default VLAN, 50, let’s also configure a subinterface for this, even though we have no devices in it. Let’s assume it corresponds to network 192.168.3.0:
Router(config-subif)# interface e0.3 Router(config-subif)# description Interface in Default VLAN Router(config-subif)# ip address 192.168.3.254 255.255.255.0 Router(config-subif)# encapsulation dot1q 50 native
We use the native parameter here, to indicate that this subinterface is to be associated with the trunk’s native VLAN, which we configured on the switch to be 50. Any un-tagged frames arriving at the router’s E0 interface will be directed to subinterface E0.3. All that remains to do is to bring up the physical E0 interface:
Router(config-subif)# interface e0 Router(config-if)# no shutdown Router(config-if)# end
Subinterfaces are dependent upon the master physical interface being active; when we bring up E0, all its subinterfaces come along for the ride. With this configuration, the VLANs can happily pass traffic. Before we follow a live example, let’s view the routing table:
Router# show ip route ---Sample output--- Gateway of last resort is not set C 192.168.1.0 is directly connected, Ethernet0.1 C 192.168.2.0 is directly connected, Ethernet0.2 C 192.168.3.0 is directly connected, Ethernet0.3
The table clearly shows that all three networks are directly attached via the three subinterfaces, all of which are logical subdivisions of the physical E0 interface. The first of the entries is the VLAN 2, or RubberSoul, network; the second is the VLAN 3, or Revolver network; and the last is the VLAN 50, or Default, network.
Let’s follow some frames. John wishes to send a packet of data to Ringo. He knows Ringo is in another IP network, so he pops the packet in a frame and sends it to his default gateway, which is 192.168.1.254. Suppose he doesn’t know the MAC address for this gateway destination; he therefore makes an ARP request. This ARP broadcast goes to the switch, which limits it to ports in the same VLAN as John, the RubberSoul VLAN, numbered 2.
Paul gets his copy and discards it, since his IP address doesn’t match. The switch also sends a copy of the broadcast frame out through the trunk on Gi0/24, tagged via 802.1Q with VLAN 2. Now the router’s subinterfaces come into play. The only reason each one was associated with a VLAN was to allow incoming frames to be forwarded to the right logical destination. The frame enters E0, and the VLAN number is read. Since it’s VLAN 2, the ARP request is passed to the E0.1 subinterface, which we earlier associated with VLAN 2 and which has an IP address of 192.168.1.254. This now responds with the MAC address of the physical E0 interface, and John caches the reply. He can now send a unicast frame, via the same process, to the E0 interface and, since John is in VLAN 2, the packet ends up at subinterface E0.1.
Now the destination IP address is determined and matched in the routing table. The destination network, Ringo’s, is 192.168.2.0, which is found through E0.2. The packet is sent to this subinterface. Let’s assume another ARP request is needed to find Ringo’s MAC address. The request is broadcast from the E0.2 subinterface, which is in VLAN 3. Thus, the frame is tagged with this VLAN as it traverses the trunk. The switch sends the broadcast to all the active ports in VLAN 3. Ringo responds with his MAC, which crosses the trunk once more, tagged with VLAN 3, to be forwarded by the router to E0.2. This subinterface can now send John’s packet directly to Ringo, again via the trunk, tagged as VLAN 3.
At heart, this scenario is little different from wiring up separate router interfaces. But it’s much less hassle to create since you need only a single trunk port and a single router interface. Don’t let the idea of associating router subinterfaces with VLANs beguile you into thinking that VLANs are now becoming a layer 3 concept. They’re firmly layer 2 ideas, implemented on switches. The subinterfaces are like the post-boxes for individual tenants inside a flat. There is just one physical letterbox, but inside is a doorkeeper who reads the address on each and transfers it to the appropriate post-box inside:
In the next article, we’ll explore an even cleaner scenario for inter-VLAN routing: a layer 3 switch.