It’s common in modern computer networks to segment off different computers using virtual LANs, commonly called VLANs.
How Does VLAN Tagging Work?
Internally, this functionality uses the IEEE 802.1Q VLAN tagging standard. To understand this protocol, it’s important to understand how layer 2 switches work.
The job of a switch is to handle individual network segments. All switches allow connected computers to communicate with each other, provided that they have correctly configured IP addressing. Since all the systems are on the same network segment, no routing takes place.
However, there are often cases where it is necessary to put computers on separate network segments from each other. This is commonly done for firewalling between different systems. For example, there is often no reason for computers used by the sales team to have access to research and development computers. Likewise, both departments may need controlled access into the company’s internal servers.
The solution to this problem is to use VLAN tagging to separate this traffic. Once separated, the two layer 2 network segments act completely separately from each other. Computers on one VLAN cannot communicate with computers on the other VLAN, and vice versa.
Cisco IOS Access Vs Trunk Ports
Switches distinguish two kinds of ports for VLAN tagging: access ports and trunk ports. An access port does not expect received packets to carry a tag. The switch forwards each newly received packet to the other ports assigned to the same VLAN, then adds the VLAN tag to the packet and forwards it out all assigned trunk ports.
Endpoints do not have to tag their own packets. In fact, allowing this would be a major security risk, since these machines could then jump between network segments at will. Instead, these computers are plugged into access ports. All tagging is handled by the switch, and the tagged traffic is forwarded on to the router via a trunk port.
This allows a single switch to handle the traffic of multiple networks simultaneously, saving cost by reducing the number of switches needed.
However, this comes with its own challenges. Unless the switch in use includes layer 3 functionality, there is no way to route between the two network segments, making inter-VLAN communication impossible.
Router-on-a-stick is the solution to this problem. This network configuration uses a router tethered to the switch to provide the missing functionality. The router receives all packets sent across the various network segments of the switch, and retags any that need to be routed to a different segment.
Layer 3 “Switches”
This is very similar to how layer 3 switches and home routers function. The difference is that in those devices, both layer 2 and layer 3 functionality is integrated into a single device, and the separation is abstracted away by their software.
Specifically, OpenWRT uses what it calls the “CPU port” as a trunk port to the CPU in devices it is installed on. Switching is generally handled by a system on a chip which is segmented away and separate from the processor itself. Packets enter the ports of the router, are tagged by the SoC, and are forwarded to the processor for routing to their final destination.
In this tutorial, we will set up router-on-a-stick with Cisco IOS. Router-on-a-stick consists of a switch with multiple VLANs, and a router which allows packets to flow between each separate network. Packet Tracer provides a good testbed for this process.
To begin, we first need to add in all of our needed components. When you are done, your network should look like the following:
The switch will be configured with both VLANs 10 and 20. VLAN 10 will use a Class C address range at 192.168.1.0/24. VLAN 20 will use 192.168.2.0/24. Let’s configure this now. Double click the switch. Now click on the tab labeled “CLI”.
You may wish to disable automatic DNS resolution on each Cisco device used. Doing so will prevent it from attempting to resolve mistyped commands. To do so, run the following:
en
conf t
no ip domain-lookup
Now that we are in our switch, we need to run the following commands to configure the two access ports (VLAN 10 and VLAN 20) and the trunk port towards the router. Please note that PC0 is plugged into the first FastEthernet port on this switch (f0/1):
en
conf t
! PC0: access port in VLAN 10
int f0/1
switchport mode access
switchport access vlan 10
! PC1: access port in VLAN 20
int f0/2
switchport mode access
switchport access vlan 20
! Uplink to the router: carries both VLANs, tagged
int g0/1
switchport mode trunk
We now have both access ports enabled as well as our trunking port. The switch configuration is now completed. Close out of its CLI and open the router. When prompted, type “no” when asked to run the initial configuration dialog. After this, run the following commands:
en
conf t
! One 802.1Q subinterface per VLAN, each acting as that VLAN's default gateway
int g0/1.10
encapsulation dot1q 10
ip address 192.168.1.1 255.255.255.0
int g0/1.20
encapsulation dot1q 20
ip address 192.168.2.1 255.255.255.0
! Bring up the physical interface the subinterfaces hang off (g0/1, which faces the switch trunk)
int g0/1
no shut
The physical interface, as well as the two subinterfaces we created will now come online.
Now, open up the desktop on PC0. Click IP Configuration and set its address to 192.168.1.2 with a subnet mask of 255.255.255.0. Open the command prompt on this system and type “ping 192.168.1.1”. You should receive four replies back. Repeat this process on PC1. This time, specify 192.168.2.2 as the IP address and ping 192.168.2.1.
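To make the two rules the tutorial relies on concrete, the access/trunk tagging rule from the "Access Vs Trunk Ports" section and the retagging the router does in router-on-a-stick, here is a small Python model of both. It is an added example written for this page, not code from the original tutorial, from Cisco, or from Packet Tracer. The VLAN numbers and subnets are the tutorial's; the port names, MAC addresses, ARP table and frame contents are constructed for the demo, trunk ingress is simplified to "a tag is required" (no native VLAN), and the IPv4 header checksum is left at zero.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed topology mirroring the tutorial. Port names are hypothetical
# labels for this model; the VLAN numbers and subnets are the tutorial's.
ACCESS_PORTS = {"f0/1": 10, "f0/2": 20}     # switch access ports -> VLAN
TRUNK_PORT = "g0/1"                         # switch trunk towards the router
SUBINTERFACES = {                           # router g0/1.10 and g0/1.20
    10: ipaddress.ip_interface("192.168.1.1/24"),
    20: ipaddress.ip_interface("192.168.2.1/24"),
}
ROUTER_MAC = bytes.fromhex("020000000099")  # constructed MAC address
ARP_TABLE = {                               # constructed: what the router would learn via ARP
    "192.168.1.2": bytes.fromhex("020000000001"),   # PC0
    "192.168.2.2": bytes.fromhex("020000000002"),   # PC1
}


def parse_frame(frame):
    """Decode an Ethernet II frame and its 802.1Q tag, if one is present.

    Returns a dict with dst, src, vid (None when untagged), ethertype and payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF      # low 12 bits are the VLAN ID; PCP and DEI sit above them
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype,
            "payload": frame[offset:]}


def build_frame(dst, src, ethertype, payload, vid=None):
    """Encode an Ethernet II frame, inserting a tag (PCP 0, DEI 0) when vid is given."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def ipv4_packet(src, dst, ttl=64, data=b""):
    """Minimal IPv4 header (protocol 1, checksum left at zero) for constructed demo traffic."""
    src_b = ipaddress.ip_address(src).packed
    dst_b = ipaddress.ip_address(dst).packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0,
                       ttl, 1, 0, src_b, dst_b) + data


def switch_ingress(port, frame):
    """Apply the switch's access/trunk rule to one received frame.

    Untagged frames on an access port get that port's VLAN tag and go out the
    trunk. Frames that arrive already tagged on an access port are dropped: that
    is the endpoint-tagging case the tutorial calls a security risk, and refusing
    the tag is what keeps a host from choosing its own segment.
    """
    f = parse_frame(frame)
    if port == TRUNK_PORT:
        return frame if f["vid"] is not None else None   # simplified: trunk requires a tag
    vid = ACCESS_PORTS.get(port)
    if vid is None or f["vid"] is not None:
        return None
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vid=vid)


def route_on_a_stick(frame):
    """Model the router's subinterfaces: pick the VLAN whose subnet holds the
    IPv4 destination, decrement TTL, rewrite the MACs and retag for that VLAN.
    Returns None when the frame cannot be routed.
    """
    f = parse_frame(frame)
    if f["vid"] not in SUBINTERFACES or f["ethertype"] != ETHERTYPE_IPV4:
        return None
    ip = f["payload"]
    if len(ip) < 20 or ip[8] <= 1:      # too short, or the TTL would expire here
        return None
    dst = ipaddress.ip_address(ip[16:20])
    for vid, sub in SUBINTERFACES.items():
        if dst in sub.network and str(dst) in ARP_TABLE:   # a real router would ARP on a miss
            new_ip = ip[:8] + bytes([ip[8] - 1]) + ip[9:]   # checksum not recomputed in this demo
            return build_frame(ARP_TABLE[str(dst)], ROUTER_MAC, ETHERTYPE_IPV4, new_ip, vid=vid)
    return None


if __name__ == "__main__":
    # PC0 (VLAN 10) pings PC1 (VLAN 20): access port tags it, router retags it.
    untagged = build_frame(ROUTER_MAC, ARP_TABLE["192.168.1.2"], ETHERTYPE_IPV4,
                           ipv4_packet("192.168.1.2", "192.168.2.2"))
    tagged = switch_ingress("f0/1", untagged)
    routed = route_on_a_stick(tagged)
    print("ingress VLAN:", parse_frame(tagged)["vid"], "-> egress VLAN:", parse_frame(routed)["vid"])
    print("tagged frame on access port accepted?", switch_ingress("f0/1", tagged) is not None)
```

Run it as a script to see a PC0-to-PC1 packet enter as VLAN 10 and leave the router as VLAN 20, and to see that a frame arriving on an access port with a tag already attached is dropped rather than trusted.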