CCNP Switch Lab 4-1 Inter-VLAN Routing with an External Router
Topology
Objective
- Configure inter-VLAN routing using an external router, also known as a router on a stick.
Background
Inter-VLAN routing using an external router can be a cost-effective solution when it is necessary to segment a network into multiple broadcast domains. In this lab, you split an existing network into two separate VLANs on the access layer switches, and use an external router to route between the VLANs. An 802.1Q trunk connects the switch and the Fast Ethernet interface of the router for routing and management. Static routes are used between the gateway router and the ISP router. The switches are connected via an 802.1Q EtherChannel link.
Note: This lab uses Cisco 1841 routers with Cisco IOS Release 12.4(24)T1 and the Advanced IP Services image c1841 -advipservicesk9-mz.124-24.T1 .bin. The switches are Cisco WS-C2960-24TT-L with the Cisco IOS image c2960-lanbasek9 mz.122-46.SE.bin. You can use other routers (such as 2801 or 2811), switches (such as 2950), and Cisco IOS Software versions if they have comparable capabilities and features. Depending on the router or switch model and Cisco IOS Software version, the commands available and output produced might vary from what is shown in this lab.
Required Resources
- 2 routers (Cisco 1841 with Cisco IOS Release 12.4(24)T1 Advanced IP Services or comparable)
- 2 switches (Cisco 2960 with the Cisco IOS Release 12.2(46)SE C2960-LANBASEK9-M image or comparable)
- Serial and Ethernet cables
Step 1: Prepare the switches and routers for the lab.
a. Cable the network as shown in the topology diagram. On each switch, erase the startup configuration, delete the vlan.dat file, and reload the switches. Refer to Lab 1 -1, “Clearing a Switch” and Lab 1 -2, “Clearing a Switch Connected to a Larger Network” to prepare the switches for this lab.
b. Erase the startup configuration and reload the routers.
Step 2: Configure the hosts.
Configure PC hosts A and B with the IP address, subnet mask (/24), and default gateway shown in the
topology.
Step 3: Configure the routers.
a. Configure the ISP router for communication with your gateway router. The static route used for the internal networks provides a path for the local network from the ISP. In addition, configure a loopback interface on the ISP router to simulate an external network.
Router(config)# hostname ISP ISP(config)# interface Loopback0 ISP(config-if)# ip address 200.200.200.1 255.255.255.0 ISP(config-if)# interface Serial0/0/0 ISP(config-if)# ip address 192.168.1. 2 255.255.255.0 ISP(config-if)# no shutdown ISP(config-if)# exit ISP(config)# ip route 172.16.0.0 255.255.0.0 192.168.1. 1
b. Configure the Gateway router to communicate with the ISP router. Notice the use of a static default route. The default route tells the router to send any traffic with an unknown destination network to the ISP router.
Router(config)# hostname Gateway Gateway(config)# interface Serial0/0/0 Gateway(config-if)# ip address 192.168.1. 1 255.255.255.0 Gateway(config-if)# clockrate 64000 Gateway(config-if)# no shutdown Gateway(config-if)# exit Gateway(config)# ip route 0.0.0.0 0.0.0.0 192.168.1. 2
c. Verify connectivity from the Gateway router using the ping command. Was this ping successful?
_______________________________________________________________________________
The ping will be successful if the serial connection is set up properly.
Step 4: Configure the switches.
a. Configure the switch hostnames and IP addresses on the management VLAN according to the diagram. By default, VLAN 1 is used as the management VLAN. Create a default gateway on both access layer switches using the ip default gateway ip_address command.
The following is a sample configuration for switch ALS1.
Switch(config)# hostname ALS1 ALS1(config)# interface vlan 1 ALS1(config-if)# ip address 172.16.1.101 255.255.255.0 ALS1(config-if)# no shutdown ALS1(config-if)# exit ALS1(config)# ip default-gateway 172.16.1.1 The following is a sample configuration for switch ALS2. Switch(config)# hostname ALS2 ALS2(config)# interface vlan 1 ALS2(config-if)# ip address 172.16.1.102 255.255.255.0 ALS2(config-if)# no shutdown ALS2(config-if)# exit ALS2(config)# ip default-gateway 172.16.1.1
b. (Optional) Set an enable secret password and configure the vty lines for Telnet access to the switch.
ALS1(config)# enable secret cisco ALS1(config)# line vty 0 15 ALS1(config-line)# password cisco ALS1(config-line)# login ALS1(config-line)# end ALS2(config)# enable secret cisco ALS2(config)# line vty 0 15 ALS2(config-line)# password cisco ALS2(config-line)# login ALS2(config-line)# end
c. By default, how many lines are available for Telnet on the access switches?
_______________________________________________________________________________
Sixteen lines are available by default.
Step 5: Confirm the VLANs.
a. Verify that the only existing VLANs are the built-in VLANs. Issue the show vlan command from privileged mode on both access layer switches.
Which VLAN is the default management VLAN for Ethernet? What types of traffic are carried on this VLAN?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
The default management VLAN is VLAN 1. Management traffic usually includes traffic for managing the switches, including VTP frames. VLAN 1 is also the default native VLAN, so untagged frames are assigned to this VLAN by default on 802.1q trunk links.
Step 6: Configure trunk links and EtherChannel on switches.
a. Use the Fast Ethernet 0/11 and 0/12 ports of ALS1 and ALS2 to create an EtherChannel trunk between the switches.
ALS1# configure terminal Enter configuration commands, one per line. End with CNTL/Z. ALS1(config)# interface range fastEthernet 0/11 - 12 ALS1(config-if-range)# switchport mode trunk ALS1(config-if-range)# channel-group 1 mode desirable ALS1(config-if-range)# end ALS2# configure terminal Enter configuration commands, one per line. End with CNTL/Z. ALS2(config)# interface range fastEthernet 0/11 - 12 ALS2(config-if-range)# switchport mode trunk ALS2(config-if-range)# channel-group 1 mode desirable ALS2(config-if-range)# end
b. Verify the EtherChannel configuration using the show etherchannel command.
ALS1# show etherchannel 1 summary Flags: D - down P - in port-channel I - stand-alone s - suspended H - Hot-standby (LACP only) R - Layer3 S - Layer2 U - in use f - failed to allocate aggregator u - unsuitable for bundling w - waiting to be aggregated d - default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------------- 1 Po1(SU) PAgP Fa0/11(P) Fa0/12(P)
Step 7: Configure VTP.
a. Set up the VTP domain for the access layer switches in global configuration mode. The default VTP mode is server for both switches. Configure ALS2 as a VTP client, and leave ALS1 as a server. Configure the VTP domain name and version on VTP server ALS1.
ALS2(config)# vtp mode client Setting device to VTP CLIENT mode.
ALS1(config)# vtp domain SWLAB Changing VTP domain name from NULL to SWLAB %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to SWLAB. ALS1(config)# vtp version 2
b. Use the show vtp status command to verify the ALS1 VTP configuration and that client ALS2 has learned the new VTP domain information from ALS1.
Step 8: Configure VLANs and switch access ports.
a. Configure the VLAN 100 named Payroll and VLAN 200 named Engineering on VTP server ALS1.
ALS1(config)# vlan 100 ALS1(config-vlan)# name Payroll ALS1(config-vlan)# vlan 200 ALS1(config-vlan)# name Engineering
b. Use the show vlan brief command on ALS2 to verify that ALS2 has learned the new VLANs from ALS1.
c. Configure the switch access ports for the hosts according to the diagram. Statically set the switch port mode to access, and use Spanning Tree PortFast on the interfaces. Assign the host attached to ALS1 Fast Ethernet 0/6 to VLAN 100, and the host attached to ALS2 Fast Ethernet 0/6 to VLAN 200.
d. Use the show vlan brief command to verify that Fa0/6 is in VLAN 100 on ALS1 and in VLAN 200 on ALS2.
Step 9: Configure ALS1 trunking to the Gateway router.
Configure switch ALS1 interface Fast Ethernet 0/1 for trunking with the Gateway router Fast Ethernet interface, according to the topology diagram.
ALS1(config)# interface fastEthernet 0/1 ALS1(config-if)# switchport mode trunk ALS1(config-if)# end
Note: Optionally, you can apply the spanning-tree portfast trunk command to interface Fa0/1 of switch ALS1. This allows the link to the router to rapidly transition to the forwarding state despite being a trunk.
Step 10: Configure the Gateway router Fast Ethernet interface for VLAN trunking.
The native VLAN cannot be configured on a subinterface for Cisco IOS releases earlier than 12.1(3)T. The native VLAN IP address must be configured on the physical interface. Other VLAN traffic is configured on subinterfaces. Cisco IOS release 12.1(3)T and later support native VLAN configuration on a subinterface with the encapsulation dot1q native command. If a subinterface is configured using the encapsulation dot1q native command, the configuration on the physical interface is ignored. This technique is used in the lab configuration.
a. Create a subinterface for each VLAN. Enable each subinterface with the proper trunking protocol, and configure it for a particular VLAN with the encapsulation command. Assign an IP address to each subinterface, which hosts on the VLAN can use as their default gateway.
The following is a sample configuration for the Fast Ethernet 0/0 interface.
Gateway(config)# interface fastEthernet 0/0 Gateway(config-if)# no shut The following is a sample configuration for the VLAN 1 subinterface. Gateway(config)# interface fastEthernet 0/0.1 Gateway(config-subif)# description Management VLAN 1 Gateway(config-subif)# encapsulation dot1q 1 native Gateway(config-subif)# ip address 172.16.1.1 255.255.255.0
Note: For enhanced switch security, it is considered best practice to use independent unused VLANs for native and management VLANs.
The following is a sample configuration for the VLAN 100 subinterface.
Gateway(config-subif)# interface fastEthernet 0/0.100 Gateway(config-subif)# description Payroll VLAN 100 Gateway(config-subif)# encapsulation dot1q 100 Gateway(config-subif)# ip address 172.16.100.1 255.255.255.0 The following is a sample configuration for the VLAN 200 subinterface. Gateway(config-subif)# interface fastEthernet 0/0.200 Gateway(config-subif)# description Engineering VLAN 200 Gateway(config-subif)# encapsulation dot1q 200 Gateway(config-subif)# ip address 172.16.200.1 255.255.255.0 Gateway(config-subif)# end
b. Use the show ip interface brief command to verify the interface configuration and status.
c. Use the show interfaces description command to verify the interface status and description assigned.
d. Use the show vlans command on the Gateway router.
e. Use the show cdp neighbor detail command on the Gateway router to verify that ALS1 is a neighbor. Telnet to the IP address given in the CDP information.
Yes, because the subnet given by CDP was a directly connected subnet to the router
Step 11: Verify inter-VLAN routing on the Gateway router and the host devices.
a. Ping to the 200.200.200.1 ISP loopback interface from either host. Was this ping successful?
_______________________________________________________________________________
_______________________________________________________________________________
Yes, if the hosts are set up with the correct IP addresses and default gateways. This is because the static routes on Gateway and ISP make it possible for pings to make it to ISP and then back to the hosts.
b. Ping from Host A to Host B. Was this ping successful?
_______________________________________________________________________________
_______________________________________________________________________________
Yes, if the hosts are set up with the correct IP addresses and default gateways, because Gateway routes between the VLANs
c. Telnet to the ALS2 VLAN 1 management IP address from the Engineering host. Was this Telnet successful?
_______________________________________________________________________________
_______________________________________________________________________________
Yes, if the hosts are set up with the correct IP addresses and default gateways, because Gateway routes between the VLANs. If any of the tests failed, make the necessary corrections to the configurations for the router and switches.
Router Interface Summary Table
|
Router Interface Summary |
||||
| Router Model | Ethernet Interface #1 |
Ethernet Interface #2 |
Serial Interface #1 |
Serial Interface #2 |
| 1700 | Fast Ethernet 0 (FA0) |
Fast Ethernet 1 (FA1) |
Serial 0 (S0) | Serial 1 (S1) |
| 1800 | Fast Ethernet 0/0 (FA0/0) |
Fast Ethernet 0/1 (FA0/1) |
Serial 0/0/0 (S0/0/0) |
Serial 0/0/1 (S0/0/1) |
| 2600 | Fast Ethernet 0/0 (FA0/0) |
Fast Ethernet 0/1 (FA0/1) |
Serial 0/0 (S0/0) | Serial 0/1 (S0/1) |
| 2800 | Fast Ethernet 0/0 (FA0/0) |
Fast Ethernet 0/1 (FA0/1) |
Serial 0/0/0 (S0/0/0) |
Serial 0/0/1 (S0/0/1) |
| Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. Rather than list all combinations of configurations for each router class, this table includes identifiers for the possible combinations of Ethernet and serial interfaces in the device. The table does not include any other type of interface, even though a specific router might contain one. For example, for an ISDN BRI interface, the string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface. | ||||
Router ISPDevice Configurations (Instructor version)
hostname ISP ! interface Loopback0 ip address 200.200.200.1 255.255.255.0 ! interface Serial0/0/0 ip address 192.168.1.2 255.255.255.0 no shutdown ! ip route 172.16.0.0 255.255.0.0 192.168.1.1 ! end
Router Gateway
hostname Gateway ! interface FastEthernet0/0 no shutdown ! interface FastEthernet0/0.1 description Management VLAN 1 encapsulation dot1Q 1 native ip address 172.16.1.1 255.255.255.0 ! interface FastEthernet0/0.100 description Payroll VLAN 100 encapsulation dot1Q 100 ip address 172.16.100.1 255.255.255.0 ! interface FastEthernet0/0.200 description Engineering VLAN 200 encapsulation dot1Q 200 ip address 172.16.200.1 255.255.255.0 ! interface Serial0/0/0 ip address 192.168.1.1 255.255.255.0 clockrate 64000 no shutdown ! ip route 0.0.0.0 0.0.0.0 192.168.1.2 ! end
Note: VLAN and VTP commands do not display in the running configuration when the switch is in client or server mode. It is only displayed in transparent mode.
Switch ALS1
hostname ALS1 ! enable secret cisco ! interface Port-channel1 switchport mode trunk ! interface FastEthernet0/1 switchport mode trunk ! interface FastEthernet0/6 switchport access vlan 100 switchport mode access spanning-tree portfast ! interface FastEthernet0/11 switchport mode trunk channel-group 1 mode desirable ! interface FastEthernet0/12 switchport mode trunk channel-group 1 mode desirable ! interface Vlan1 ip address 172.16.1.101 255.255.255.0 no shutdown ! ip default-gateway 172.16.1.1 ! line vty 0 4 password cisco login line vty 5 15 password cisco login ! end
Switch ALS2
hostname ALS2 ! enable secret cisco ! interface Port-channel1 switchport mode trunk ! interface FastEthernet0/6 switchport access vlan 200 switchport mode access spanning-tree portfast ! interface FastEthernet0/11 switchport mode trunk channel-group 1 mode desirable ! interface FastEthernet0/12 switchport mode trunk channel-group 1 mode desirable ! interface Vlan1 ip address 172.16.1.102 255.255.255.0 no shutdown ! ip default-gateway 172.16.1.1 ! line vty 0 4 password cisco login line vty 5 15 password cisco login ! end
More Resources