ROAS - Routing on a stick

In this exercise, we will go through step by step how to configure the router on a stick. We will set up the topology where a router is forwarding packets between the VLANs (virtual LANs). See, on the figure below

Router (R-1) - configuration

Connecting to 192.168.201.16:30161...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

% Please answer 'yes' or 'no'.

Would you like to enter the initial configuration dialog? [yes/no]: no

This is the first a router information on the screen asking a us for initial configuration. We have two option, entering yes or no.

We enter no in the CLI command line, as we do not want to be guided by router for the basic configurations like: host name, passwords, network interfaces.

Router>show ip int brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 unassigned YES unset administratively down down

GigabitEthernet0/1 unassigned YES unset administratively down down

GigabitEthernet0/2 unassigned YES unset administratively down down

GigabitEthernet0/3 unassigned YES unset administratively down down

Router>

We are confident that router in our lab has been just installed with fresh system. However, the best practise is to check existing connection.

We see all of them are administratively down and unassigned to IP addresses.

Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#host R-1

R-1(config)#enable secret cisco

Next step is configure router host name and enable password for the enabled mode.

Here you can find lab about the passwords in cisco routers or switches. Telnet login

R-1(config)#int g0/0.10

R-1(config-subif)#encapsulation dot1q 10

R-1(config-subif)#ip address 10.1.10.254 255.255.255.0

R-1(config-subif)#no shut

R-1(config-subif)#int g0/0.20

R-1(config-subif)#encapsulation dot1q 20

R-1(config-subif)#ip address 10.1.20.254 255.255.255.0

R-1(config-subif)#no shut

R-1(config-subif)#int g0/0.30

R-1(config-subif)#encapsulation dot1q 30

R-1(config-subif)#ip address 10.1.30.254 255.255.255.0

R-1(config-subif)#no shut

R-1(config-subif)#int g0/0.40

R-1(config-subif)#encapsulation dot1q 40

R-1(config-subif)#ip address 10.1.40.254 255.255.255.0

R-1(config-subif)#no shut

R-1(config-subif)#int g0/0.50

R-1(config-subif)#encapsulation dot1q 50

R-1(config-subif)#ip address 10.1.50.254 255.255.255.0

R-1(config-subif)#no shut

Now, we are ready to configure router interfaces. As this router main role is transfer packets between VLANs on the single physical interface we need to set up few virtual interfaces as shown on left

So, the VLAN is separated by virtual interface. We need to remember to configure opposite interface to trunk mode, what we will do below.

In this topology we consider five VLANs (virtual LANS). Therefore, five virtual interfaces are created with assigned IP addresses. Selected encapsulation adding the information (tag) to the data packets. In the case of dot1q the VLAN ID is added to the packet frame.

R-1#show running-config

Building configuration...

--------------------------------------------------

interface GigabitEthernet0/0.10

encapsulation dot1Q 10

ip address 10.1.10.254 255.255.255.0

!

interface GigabitEthernet0/0.20

encapsulation dot1Q 20

ip address 10.1.20.254 255.255.255.0

!

interface GigabitEthernet0/0.30

encapsulation dot1Q 30

ip address 10.1.30.254 255.255.255.0

!

interface GigabitEthernet0/0.40

encapsulation dot1Q 40

ip address 10.1.40.254 255.255.255.0

!

interface GigabitEthernet0/0.50

encapsulation dot1Q 50

ip address 10.1.50.254 255.255.255.0

-----------------------------------------------------

the rest lines are omitted!

Now is the time to check our settings.

The interfaces setting we can check on many ways. At this time we used two command lines: show running-config and show ip interfaces brief . These two commands give almost the same information about interfaces we set.

Additionally, the show ip interface brief command shows link and protocol statuses. It presents if interface does work on physical (L1) and protocol (L2) levels.

R-1#show ip int brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 unassigned YES unset administratively down down

GigabitEthernet0/0.10 10.1.10.254 YES manual administratively down down

GigabitEthernet0/0.20 10.1.20.254 YES manual administratively down down

GigabitEthernet0/0.30 10.1.30.254 YES manual administratively down down

GigabitEthernet0/0.40 10.1.40.254 YES manual administratively down down

GigabitEthernet0/0.50 10.1.50.254 YES manual administratively down down

GigabitEthernet0/1 unassigned YES unset administratively down down

GigabitEthernet0/2 unassigned YES unset administratively down down

GigabitEthernet0/3 unassigned YES unset administratively down down

As has been seen on left, these virtual ports are still closed (down) as the physical port has not been opened, yet.

Also we can check routing table with defined routes. I have just omitted it in this post to make it a little shorter.

R-1(config)#int g0/0

R-1(config-if)#no shut

On Cisco router the port are closed as default. Therefore, we need to remeber to open port using no shut command.

R-1#show ip int brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 unassigned YES NVRAM up up

GigabitEthernet0/0.10 10.1.10.254 YES NVRAM up up

GigabitEthernet0/0.20 10.1.20.254 YES NVRAM up up

GigabitEthernet0/0.30 10.1.30.254 YES NVRAM up up

GigabitEthernet0/0.40 10.1.40.254 YES NVRAM up up

GigabitEthernet0/0.50 10.1.50.254 YES NVRAM up up

GigabitEthernet0/1 unassigned YES NVRAM administratively down down

GigabitEthernet0/2 unassigned YES NVRAM administratively down down

GigabitEthernet0/3 unassigned YES NVRAM administratively down down

Core Switch - interfaces configuration

Okay, we are ready now, to configure Switch-Core, with its four of interfaces, to be worked in the trunk mode and one of interface in access mode. Thus, the Interface g1/0 must be set to access mode, the interfaces g0/1, g0/2 and g0/3 shall be configured in the trunk modes.

Switch(config)#host Switch-Core

Switch-Core(config)#enable secret cisco

Good practice is create host name for the device and set up a password for the enabled mode. Later this password will be required for remote connection of SSH protocol or even Telenet. Yes, we can remotely connect using telnet without password but will not be able to go further into enabled mode.

Switch-Core(config)#int range g0/0-3

Switch-Core(config-if-range)#switchport trunk encapsulation dot

Switch-Core(config-if-range)#switchport trunk encapsulation dot1q

Switch-Core(config-if-range)#switchport mode trunk

Switch-Core(config-if-range)#

We use range method to make configuration on four stated ports (g0/0, g0/1, g0/2, g0/3) in the same time. This is a efferent way to eliminate repeated typing in the command line. Four of ports are set with encapsulation method dot1q to ensure that trunk connection is on.

Switch-Core(config)#int g1/0

Switch-Core(config-if)#switchport mode access

One port states in access mode as connected to access device which is end node (called on our diagram VPC10).

Switch-Core#show int status

Port Name Status Vlan Duplex Speed Type

Gi0/0 connected trunk a-full auto RJ45

Gi0/1 connected trunk a-full auto RJ45

Gi0/2 connected trunk a-full auto RJ45

Gi0/3 connected trunk a-full auto RJ45

Gi1/0 connected 1 a-full auto RJ45

Gi1/1 notconnect 1 a-full auto RJ45

Gi1/2 notconnect 1 a-full auto RJ45

Gi1/3 notconnect 1 a-full auto RJ45

This command on the left checks the interfaces status. We see that four of ports are in the trunk mode with auto-full duplex mode. This is exactly a we intended.

Switch-Core#show int g1/0 switchport | incl Mode

Administrative Mode: static access

Operational Mode: static access

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Capture Mode Disabled

To confirm that interface g1/0 is configured in access mode we can use other useful command show interfaces g1/0 switchport | including Mode.

Administrative mode is set to the static access. Great, job done! Our core switch interfaces are set correctly.

Access Switches - interfaces configuration

Now we will focus on the access switches. We will go through port configurations. In this article the word port and interface I use interchangeable.

Switch(config)#host Access-1

Access-1(config)#enable secret cisco

Again, a good manner is to start from the host name and enabled password configuration. Now mentioned preciously, but used the enable secret instead of enable password makes the password "a little" encrypted (md5) what is always better than plain text.

Access-1(config)#int g0/0

Access-1(config-if)#switchport trunk encapsulation dot1q

Access-1(config-if)#switchport mode trunk

Following the topology from the top of this article each access switch is connected to the core switch. Remember to keep link between switches in trunk mode to ensure VLAN ID tags to be transferred with the packet frames.

Access-1(config)#int range g0/1-3

Access-1(config-if-range)#switchport mode access

Three of ports on each access switch stays in the access mode. Later we will assign the VLAN to physical switch ports providing control over network traffic and restrict access for some VLANs.

Access-1#show int status

Port Name Status Vlan Duplex Speed Type

Gi0/0 connected trunk a-full auto RJ45

Gi0/1 connected 1 a-full auto RJ45

Gi0/2 connected 1 a-full auto RJ45

Gi0/3 connected 1 a-full auto RJ45

Gi1/0 notconnect 1 a-full auto RJ45

Gi1/1 notconnect 1 a-full auto RJ45

Gi1/2 notconnect 1 a-full auto RJ45

Gi1/3 notconnect 1 a-full auto RJ45

Again, we always should check the configuration which we have just applied.

Access-1#show running-config

Building configuration...

interface GigabitEthernet0/0

switchport trunk encapsulation dot1q

switchport mode trunk

negotiation auto

!

interface GigabitEthernet0/1

switchport access vlan 10

switchport mode access

negotiation auto

!

interface GigabitEthernet0/2

switchport mode access

negotiation auto

!

interface GigabitEthernet0/3

switchport mode access

negotiation auto

However, to confirm that access modes are installed on interfaces , we can use running-config file and see the ports information.

As stated on the left, we can see that three ports are in the access modes, and one port in trunk mode.

Now we ready to repeat the same configurations for Access-2 and Access-3 switches.

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#host Access-2

Access-2(config)#enable secret cisco

Access-2(config)#int g0/0

Access-2(config-if)#switchport trunk encapsulation dot1q

Access-2(config-if)#switchport mode trunk

Access-2(config-if)#int range g0/1-3

Access-2(config-if-range)#switchport mode access

Access-2(config-if-range)#end

On left, I have just repeated the same commands fort he switch called Access-2.

Switch(config)#host Access-3

Access-3(config)#enable secret cisco

Access-3(config)#int g0/0

Access-3(config-if)#switchport trunk encapsulation dot1q

Access-3(config-if)#switchport mode trunk

Access-3(config-if)#int range g0/1-3

Access-3(config-if-range)#switchport mode access

Access-3(config-if-range)#end

Access-3 switch configuration presented here.

Please, be aware that I omitted scripts for checking ports. My intention is not repeat typing and the article size.

I recommend that you should check each switch after performed configuration using show commands.

If you nor sure, look back to the switch Access-1 a few paragraphs above.

VLAN configuration

A VLAN ( Virtual Local Area Network) makes the network devices grouped in local order within the physical network. It means that "physical network" is divided logically into multiple virtual networks with its assigned devices. Each virtual network owns its broadcast domain. With this kind of network segmentation we can improve security efficiency.

Switch-Core(config)#vlan 10

Switch-Core(config-vlan)#name Engineering

Switch-Core(config-vlan)#vlan 20

Switch-Core(config-vlan)#name Finance

Switch-Core(config-vlan)#vlan 30

Switch-Core(config-vlan)#name Reception

Switch-Core(config-vlan)#vlan 40

Switch-Core(config-vlan)#name Sales

Switch-Core(config-vlan)#vlan 50

Switch-Core(config-vlan)#name Maintenance

Switch-Core(config-vlan)#vlan 101

Switch-Core(config-vlan)#name Public

Picture on left shows how VLAN was created using simple commands. We named each VLAN for easier recognition in the future. For example, VLAN 10 is named Engineering.

For purpose if this exercise we created six VLANs with different name. It is a enough VLANs to demonstrate later how the segmentation does work.

Switch-Core#show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi1/0, Gi1/1, Gi1/2, Gi1/3

10 Engineering active

20 Finance active

30 Reception active

40 Sales active

50 Maintenance active

101 Public active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

Now, we checked the VLAN setting on the Switch-Core. Bolded text describes created VLANs.

The default VLAN is number 1, and it is recommended to change them to different to improve securry.

In this lab we leave default VLAN to VLAN 1.

Access-1#show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi0/2, Gi0/3, Gi1/0, Gi1/1

Gi1/2, Gi1/3

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

Picture on left, presents VLAN configuration on Access-1 switch. We can see that there are no any created VLANs.

Switch-Core(config)#vtp domain ccna

Changing VTP domain name from NULL to ccna

Switch-Core(config)#vtp mode server

Device mode already VTP Server for VLANS.

Switch-Core(config)#vtp password securevtp

Setting device VTP password to securevtp

My favourable tool is VTP VLANTrunking Protocol, which allows the switches to a

Access-1#show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi0/2, Gi0/3, Gi1/0, Gi1/1

Gi1/2, Gi1/3

10 Engineering active Gi0/1

20 Finance active

30 Reception active

40 Sales active

50 Maintenance active

101 Public active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

Access-1#show vtp status

VTP Version capable : 1 to 3

VTP version running : 1

VTP Domain Name : ccna

VTP Pruning Mode : Disabled

VTP Traps Generation : Disabled

Device ID : 5057.b100.8000

Configuration last modified by 0.0.0.0 at 10-7-24 20:34:30

Local updater ID is 0.0.0.0 (no valid interface found)

Access-1(config)#vtp mode client

Setting device to VTP Client mode for VLANS.

Access-1(config)#vtp password securevtp

Setting device VTP password to securevtp

Access switches with limited access on their ports

Access-1(config)#int range g0/1-2

Access-1(config-if-range)#switchport access vlan 10

Access-1(config-if-range)#int g0/3

Access-1(config-if)#switchport access vlan 20

Access-2(config)#int g0/1

Access-2(config-if)#switchport access vlan 20

Access-2(config-if)#int range g0/2-3

Access-2(config-if-range)#switchport access vlan 30

Access-3(config)#int range g0/1-2

Access-3(config-if-range)#switchport access vlan 40

Access-3(config-if-range)#int g0/3

Access-3(config-if)#switchport access vlan 50

PC-1-40> show ip

NAME : VPCS[1]

IP/MASK : 10.1.10.100/24

GATEWAY : 10.1.10.254

DNS :

MAC : 00:50:79:66:68:97

LPORT : 20000

RHOST:PORT : 127.0.0.1:30000

MTU : 1500

Our PC(s) have following IP addresses:

PC-1-10 with IP address: 10.1.10.100

PC-2-10 with IP address: 10.1.10.101

PC-3-20 with IP address: 10.1.20.100

PC-4-20 with IP address: 10.1.20.101

PC-5-30 with IP address: 10.1.30.100

PC-6-30 with IP address: 10.1.30.101

PC-7-40 with IP address: 10.1.40.100

PC-8-20 with IP address: 10.1.40.101

PC-9-40 with IP address: 10.1.50.100

PC-1-10> ip 10.1.10.100 gateway 10.1.10.254

Checking for duplicate address...

PC1 : 10.1.10.100 255.255.255.0 gateway 10.1.10.254

PC-1-10> save

Saving startup configuration to startup.vpc

Check Connectivity - Ping between nodes

PC-1-10> ping 10.1.10.101

84 bytes from 10.1.10.101 icmp_seq=1 ttl=64 time=3.966 ms

84 bytes from 10.1.10.101 icmp_seq=2 ttl=64 time=1.799 ms

84 bytes from 10.1.10.101 icmp_seq=3 ttl=64 time=2.677 ms

84 bytes from 10.1.10.101 icmp_seq=4 ttl=64 time=6.269 ms

84 bytes from 10.1.10.101 icmp_seq=5 ttl=64 time=2.196 ms

PC-1-10> ping 10.1.20.100

84 bytes from 10.1.20.100 icmp_seq=1 ttl=63 time=24.461 ms

84 bytes from 10.1.20.100 icmp_seq=2 ttl=63 time=10.907 ms

84 bytes from 10.1.20.100 icmp_seq=3 ttl=63 time=14.753 ms

84 bytes from 10.1.20.100 icmp_seq=4 ttl=63 time=20.463 ms

84 bytes from 10.1.20.100 icmp_seq=5 ttl=63 time=32.771 ms

PC-1-10> ping 10.1.20.101

84 bytes from 10.1.20.101 icmp_seq=1 ttl=63 time=12.051 ms

84 bytes from 10.1.20.101 icmp_seq=2 ttl=63 time=10.107 ms

84 bytes from 10.1.20.101 icmp_seq=3 ttl=63 time=11.371 ms

84 bytes from 10.1.20.101 icmp_seq=4 ttl=63 time=12.206 ms

84 bytes from 10.1.20.101 icmp_seq=5 ttl=63 time=17.608 ms

Here, you can read article about the VLANs