ROAS - Router on a stick
In this exercise we go step by step through configuring router on a stick (ROAS): one physical router interface carries several VLANs (virtual LANs) over a single 802.1Q trunk, and the router forwards packets between those VLANs. The topology is shown on the figure below.
Router (R-1) - configuration
Connecting to 192.168.201.16:30161...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]: no
This is the first thing the router prints: it asks whether we want to enter the initial configuration dialog, and we have two options, yes or no.
We answer no, because we do not want to be guided by the router through the basic settings (host name, passwords, network interfaces); we will configure them by hand instead.
Router>show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  administratively down down
GigabitEthernet0/1     unassigned      YES unset  administratively down down
GigabitEthernet0/2     unassigned      YES unset  administratively down down
GigabitEthernet0/3     unassigned      YES unset  administratively down down
Router>
The router in our lab has just been installed with a fresh image, but it is still good practice to check the existing state before touching it.
All four interfaces are administratively down and have no IP address assigned.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host R-1
R-1(config)#enable secret cisco
The next step is to set the router host name and the enable secret, which protects privileged (enable) mode.
A separate lab covers passwords on Cisco routers and switches (Telnet login).
R-1(config)#int g0/0.10
R-1(config-subif)#encapsulation dot1q 10
R-1(config-subif)#ip address 10.1.10.254 255.255.255.0
R-1(config-subif)#no shut
R-1(config-subif)#int g0/0.20
R-1(config-subif)#encapsulation dot1q 20
R-1(config-subif)#ip address 10.1.20.254 255.255.255.0
R-1(config-subif)#no shut
R-1(config-subif)#int g0/0.30
R-1(config-subif)#encapsulation dot1q 30
R-1(config-subif)#ip address 10.1.30.254 255.255.255.0
R-1(config-subif)#no shut
R-1(config-subif)#int g0/0.40
R-1(config-subif)#encapsulation dot1q 40
R-1(config-subif)#ip address 10.1.40.254 255.255.255.0
R-1(config-subif)#no shut
R-1(config-subif)#int g0/0.50
R-1(config-subif)#encapsulation dot1q 50
R-1(config-subif)#ip address 10.1.50.254 255.255.255.0
R-1(config-subif)#no shut
Now we are ready to configure the router interfaces. Because this router's main job is to move packets between VLANs over a single physical interface, we create one subinterface (g0/0.10, g0/0.20, ...) per VLAN, as shown above.
Each VLAN is thus terminated on its own subinterface. Remember that the switch port at the other end of the link has to be in trunk mode, which we configure below.
The topology has five VLANs, so five subinterfaces are created, each with its own IP address; that address becomes the default gateway for the hosts in that VLAN. The encapsulation dot1q <id> command binds the subinterface to a VLAN ID: frames arriving on g0/0 carrying that 802.1Q tag are handed to the subinterface, and frames leaving it are tagged with that ID. Untagged frames on the trunk (the native VLAN, VLAN 1 by default) match none of these subinterfaces and are not routed by R-1, which is fine here because no hosts are placed in VLAN 1.
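To make the tagging concrete, here is an added example (my own Python, not code from the lab) that builds 802.1Q-tagged and untagged Ethernet frames, decodes the tag, and maps the VLAN ID to the R-1 subinterface exactly as the encapsulation dot1q commands above do. The MAC addresses and payload are dummy values; the VLAN-to-subinterface table is the one configured on R-1.

```python
"""IEEE 802.1Q tagging as seen by a router on a stick.

Added example; this is not code from the original lab. The frames are
constructed by hand (MAC addresses and payload are dummies); the VLAN-to-
subinterface table is taken from the R-1 configuration in the text.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800

# VLAN ID -> subinterface, as configured on R-1 with "encapsulation dot1q <id>"
SUBINTERFACES = {
    10: "GigabitEthernet0/0.10",
    20: "GigabitEthernet0/0.20",
    30: "GigabitEthernet0/0.30",
    40: "GigabitEthernet0/0.40",
    50: "GigabitEthernet0/0.50",
}


def mac_bytes(text):
    """'00:50:79:66:68:97' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_tagged_frame(dst, src, vlan_id, payload, pcp=0, dei=0):
    """Build an Ethernet frame with a 4-byte 802.1Q tag inserted after the
    source MAC: TPID 0x8100, then the TCI (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    header = struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4)
    return mac_bytes(dst) + mac_bytes(src) + header + payload


def build_untagged_frame(dst, src, payload):
    """Plain Ethernet II frame: what a host sends on an access port and what
    travels on the trunk's native VLAN."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vlan_id, ethertype, payload); vlan_id is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]   # mask off the PCP/DEI bits


def select_subinterface(frame, native_vlan=1):
    """Pick the R-1 subinterface that receives a frame arriving on g0/0.

    Tagged frames are matched on their VID. Untagged frames belong to the
    trunk's native VLAN (1 unless changed on the switch); R-1 has no
    subinterface for VLAN 1, so the lookup returns None and the frame is
    not routed.
    """
    vlan_id, _, _ = parse_frame(frame)
    if vlan_id is None:
        vlan_id = native_vlan
    return SUBINTERFACES.get(vlan_id)


if __name__ == "__main__":
    dummy_ip = bytes(20)  # placeholder IPv4 header; its content is irrelevant here
    tagged = build_tagged_frame("00:50:79:66:68:97", "00:50:79:66:68:98", 20, dummy_ip)
    print(tagged[12:18].hex())             # 810000140800: TPID, TCI with VID 20, IPv4
    print(select_subinterface(tagged))     # GigabitEthernet0/0.20
    untagged = build_untagged_frame("00:50:79:66:68:97", "00:50:79:66:68:98", dummy_ip)
    print(select_subinterface(untagged))   # None: native VLAN 1 has no subinterface
```

The 12-bit mask in parse_frame matters: a frame with a non-zero priority (PCP) field still carries the same VLAN ID, and a decoder that compares the whole TCI against the VLAN number would misclassify it.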
R-1#show running-config
Building configuration...
--------------------------------------------------
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 10.1.10.254 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 10.1.20.254 255.255.255.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 10.1.30.254 255.255.255.0
!
interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 10.1.40.254 255.255.255.0
!
interface GigabitEthernet0/0.50
encapsulation dot1Q 50
ip address 10.1.50.254 255.255.255.0
-----------------------------------------------------
(the remaining lines are omitted)
Now it is time to check our settings.
Interface settings can be checked in several ways. Here we use two commands, show running-config and show ip interface brief, which give largely the same information about the interfaces we configured.
In addition, show ip interface brief shows the link and protocol states: Status reflects layer 1 (physical link, or administrative shutdown) and Protocol reflects layer 2 (line protocol).
R-1#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  administratively down down
GigabitEthernet0/0.10  10.1.10.254     YES manual administratively down down
GigabitEthernet0/0.20  10.1.20.254     YES manual administratively down down
GigabitEthernet0/0.30  10.1.30.254     YES manual administratively down down
GigabitEthernet0/0.40  10.1.40.254     YES manual administratively down down
GigabitEthernet0/0.50  10.1.50.254     YES manual administratively down down
GigabitEthernet0/1     unassigned      YES unset  administratively down down
GigabitEthernet0/2     unassigned      YES unset  administratively down down
GigabitEthernet0/3     unassigned      YES unset  administratively down down
As the output above shows, the subinterfaces are still down because the physical port g0/0 has not been enabled yet.
We could also check the routing table at this point; I have omitted it here to keep the post a little shorter.
R-1(config)#int g0/0
R-1(config-if)#no shut
On Cisco routers the ports are shut down by default, so remember to enable the physical port with the no shutdown command. Once g0/0 is up, all five subinterfaces come up with it:
R-1#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES NVRAM  up                    up
GigabitEthernet0/0.10  10.1.10.254     YES NVRAM  up                    up
GigabitEthernet0/0.20  10.1.20.254     YES NVRAM  up                    up
GigabitEthernet0/0.30  10.1.30.254     YES NVRAM  up                    up
GigabitEthernet0/0.40  10.1.40.254     YES NVRAM  up                    up
GigabitEthernet0/0.50  10.1.50.254     YES NVRAM  up                    up
GigabitEthernet0/1     unassigned      YES NVRAM  administratively down down
GigabitEthernet0/2     unassigned      YES NVRAM  administratively down down
GigabitEthernet0/3     unassigned      YES NVRAM  administratively down down
Core Switch - interfaces configuration
Okay, we are now ready to configure Switch-Core: four of its interfaces work in trunk mode (one towards R-1 and three towards the access switches) and one in access mode. Interfaces g0/0, g0/1, g0/2 and g0/3 are configured as trunks, and interface g1/0 is set to access mode.
Switch(config)#host Switch-Core
Switch-Core(config)#enable secret cisco
Good practice is to give the device a host name and set an enable secret for privileged mode. The enable secret also matters for remote access: a user who logs in over SSH or Telnet cannot enter privileged mode at all if no enable secret is set (IOS refuses the enable command from a remote line with "% No password set"), and with the secret set they have to know it. Remote login itself is controlled separately on the vty lines, which need their own password or local user accounts; prefer SSH, since Telnet sends both passwords in clear text.
Switch-Core(config)#int range g0/0-3
Switch-Core(config-if-range)#switchport trunk encapsulation dot1q
Switch-Core(config-if-range)#switchport mode trunk
Switch-Core(config-if-range)#
We use the range method to configure the four ports (g0/0, g0/1, g0/2, g0/3) at once, an efficient way to avoid retyping the same commands. All four ports get dot1q encapsulation and are forced into trunk mode. Note that switchport mode trunk still sends DTP negotiation frames on the link; on trunks towards devices that will never negotiate (the router, in our case) add switchport nonegotiate to switch DTP off.
Switch-Core(config)#int g1/0
Switch-Core(config-if)#switchport mode access
One port stays in access mode because it connects directly to an end node (called VPC10 on our diagram).
Switch-Core#show int status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/0                        connected    trunk      a-full   auto RJ45
Gi0/1                        connected    trunk      a-full   auto RJ45
Gi0/2                        connected    trunk      a-full   auto RJ45
Gi0/3                        connected    trunk      a-full   auto RJ45
Gi1/0                        connected    1          a-full   auto RJ45
Gi1/1                        notconnect   1          a-full   auto RJ45
Gi1/2                        notconnect   1          a-full   auto RJ45
Gi1/3                        notconnect   1          a-full   auto RJ45
This command checks the interface status. The four ports are in trunk mode with auto-negotiated full duplex (a-full), exactly as intended. Port g1/0 is an access port in VLAN 1, the default, because no VLAN has been assigned to it yet.
Switch-Core#show int g1/0 switchport | incl Mode
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled
To confirm that interface g1/0 is configured in access mode we can use another useful command, show interfaces g1/0 switchport | include Mode.
The administrative mode is static access and the operational mode matches it. Great, job done! Our core switch interfaces are set correctly.
Access Switches - interfaces configuration
Now we focus on the access switches and go through their port configuration. In this article the words port and interface are used interchangeably.
Switch(config)#host Access-1
Access-1(config)#enable secret cisco
Again, good practice is to start with the host name and the enable secret. As mentioned previously, enable secret is used instead of enable password because it stores a hash of the password (MD5, "type 5", on the IOS used in this lab; newer releases also offer the stronger type 8 and type 9 hashes through enable algorithm-type) instead of plain text, which is always better.
Access-1(config)#int g0/0
Access-1(config-if)#switchport trunk encapsulation dot1q
Access-1(config-if)#switchport mode trunk
Following the topology at the top of this article, each access switch is connected to the core switch. The link between switches must be kept in trunk mode so that the VLAN ID tags travel with the frames.
Access-1(config)#int range g0/1-3
Access-1(config-if-range)#switchport mode access
The other three ports on each access switch stay in access mode. Later we assign VLANs to these physical ports, which is what actually controls which traffic a connected host can see and restricts it to its own VLAN.
Access-1#show int status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/0                        connected    trunk      a-full   auto RJ45
Gi0/1                        connected    1          a-full   auto RJ45
Gi0/2                        connected    1          a-full   auto RJ45
Gi0/3                        connected    1          a-full   auto RJ45
Gi1/0                        notconnect   1          a-full   auto RJ45
Gi1/1                        notconnect   1          a-full   auto RJ45
Gi1/2                        notconnect   1          a-full   auto RJ45
Gi1/3                        notconnect   1          a-full   auto RJ45
Again, we should always check the configuration we have just applied.
Access-1#show running-config
Building configuration...
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0/2
switchport mode access
negotiation auto
!
interface GigabitEthernet0/3
switchport mode access
negotiation auto
To confirm that the access mode was applied to the interfaces we can also read the running configuration.
The output above shows three ports in access mode and one port in trunk mode.
Now we are ready to repeat the same configuration on the Access-2 and Access-3 switches.
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#host Access-2
Access-2(config)#enable secret cisco
Access-2(config)#int g0/0
Access-2(config-if)#switchport trunk encapsulation dot1q
Access-2(config-if)#switchport mode trunk
Access-2(config-if)#int range g0/1-3
Access-2(config-if-range)#switchport mode access
Access-2(config-if-range)#end
Above, I have repeated the same commands for the switch called Access-2.
Switch(config)#host Access-3
Access-3(config)#enable secret cisco
Access-3(config)#int g0/0
Access-3(config-if)#switchport trunk encapsulation dot1q
Access-3(config-if)#switchport mode trunk
Access-3(config-if)#int range g0/1-3
Access-3(config-if-range)#switchport mode access
Access-3(config-if-range)#end
The Access-3 switch configuration is shown above.
Please be aware that I omitted the verification commands for these two switches, to avoid repeating myself and to keep the article shorter.
I recommend checking each switch with the show commands after configuring it.
If you are not sure which ones, look back at the Access-1 switch a few paragraphs above.
VLAN configuration
A VLAN (Virtual Local Area Network) groups network devices logically within a physical network: one physical switched network is divided into several virtual networks, each with its assigned devices and its own broadcast domain. This kind of segmentation is a basic security control, because hosts in one VLAN cannot reach another VLAN at layer 2; they have to go through the router, where the traffic can be filtered.
Switch-Core(config)#vlan 10
Switch-Core(config-vlan)#name Engineering
Switch-Core(config-vlan)#vlan 20
Switch-Core(config-vlan)#name Finance
Switch-Core(config-vlan)#vlan 30
Switch-Core(config-vlan)#name Reception
Switch-Core(config-vlan)#vlan 40
Switch-Core(config-vlan)#name Sales
Switch-Core(config-vlan)#vlan 50
Switch-Core(config-vlan)#name Maintenance
Switch-Core(config-vlan)#vlan 101
Switch-Core(config-vlan)#name Public
The output above shows how the VLANs are created with simple commands. We name each VLAN for easier recognition later; for example, VLAN 10 is named Engineering.
For the purpose of this exercise we created six VLANs with different names, enough to demonstrate later how the segmentation works.
Switch-Core#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0, Gi1/1, Gi1/2, Gi1/3
10   Engineering                      active
20   Finance                          active
30   Reception                        active
40   Sales                            active
50   Maintenance                      active
101  Public                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Here we check the VLAN settings on Switch-Core; the six VLANs we created are listed next to the built-in default ones.
The default VLAN is VLAN 1, and it is recommended to move user ports and the trunk native VLAN off VLAN 1 to improve security.
In this lab we leave the default VLAN as VLAN 1.
Access-1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/3, Gi1/0, Gi1/1
                                                Gi1/2, Gi1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
The output above shows the VLAN configuration on the Access-1 switch: no VLANs have been created there yet.
Switch-Core(config)#vtp domain ccna
Changing VTP domain name from NULL to ccna
Switch-Core(config)#vtp mode server
Device mode already VTP Server for VLANS.
Switch-Core(config)#vtp password securevtp
Setting device VTP password to securevtp
My favourite tool is VTP (VLAN Trunking Protocol), which allows the switches to a
VTP propagates the VLAN database from the server (Switch-Core) to the other switches in the domain over the trunks, so the VLANs only have to be created once; the access switches are put into client mode with the same domain and password below. Two cautions apply. A switch whose VTP domain name is still NULL adopts the first domain it hears on a trunk, and any switch in the domain with a higher configuration revision number overwrites the VLAN database of all the others, clients included. That is why the VTP password (an MD5 digest over the advertisements) is set on every switch and why a switch should be reset before it is connected to the lab. Where VLANs are managed by hand, vtp mode transparent avoids this risk entirely.
Access-1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/3, Gi1/0, Gi1/1
                                                Gi1/2, Gi1/3
10   Engineering                      active    Gi0/1
20   Finance                          active
30   Reception                        active
40   Sales                            active
50   Maintenance                      active
101  Public                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Access-1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : ccna
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5057.b100.8000
Configuration last modified by 0.0.0.0 at 10-7-24 20:34:30
Local updater ID is 0.0.0.0 (no valid interface found)
Access-1(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
Access-1(config)#vtp password securevtp
Setting device VTP password to securevtp
Access Switches - assigning VLANs to access ports
Access-1(config)#int range g0/1-2
Access-1(config-if-range)#switchport access vlan 10
Access-1(config-if-range)#int g0/3
Access-1(config-if)#switchport access vlan 20
Access-2(config)#int g0/1
Access-2(config-if)#switchport access vlan 20
Access-2(config-if)#int range g0/2-3
Access-2(config-if-range)#switchport access vlan 30
Access-3(config)#int range g0/1-2
Access-3(config-if-range)#switchport access vlan 40
Access-3(config-if-range)#int g0/3
Access-3(config-if)#switchport access vlan 50
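Once every port has its VLAN, the trunk and access settings from this section and from the core switch section can be checked mechanically rather than by eye. The following added example (my own Python, not part of the lab) parses a running-config in the form shown for Access-1 and flags what a security review would raise: trunks that still negotiate DTP, trunks with native VLAN 1 or with every VLAN allowed, access ports left in VLAN 1, and untouched ports that are not shut down. Both config texts are constructed; the hardened version assumes an unused VLAN 999 as native VLAN and the allowed list 10,20, neither of which the lab configures.

```python
"""Audit switch port configuration from an IOS running-config dump.

Added example, not part of the original lab. WEAK_CONFIG is constructed in
the shape of the Access-1 running-config shown earlier: Gi0/0 is the trunk
towards Switch-Core, Gi0/1 and Gi0/2 are access ports, and Gi1/0 stands in
for one of the ports the lab never touches. HARDENED_CONFIG is the same
switch with the findings fixed (native VLAN 999 and the allowed list are
assumed values, not from the lab).
"""

WEAK_CONFIG = """\
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 negotiation auto
!
interface GigabitEthernet0/2
 switchport mode access
 negotiation auto
!
interface GigabitEthernet1/0
 negotiation auto
!
"""

HARDENED_CONFIG = """\
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 negotiation auto
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 negotiation auto
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport mode access
 negotiation auto
!
interface GigabitEthernet1/0
 shutdown
!
"""


def parse_interfaces(config):
    """Split a running-config into {interface name: [stripped config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None                 # end of the interface block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_port(name, lines):
    """Return a list of (port, finding) for one interface block."""
    if "shutdown" in lines:
        return []                          # a disabled port raises nothing

    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    # "switchport mode trunk" -> "trunk"; "switchport mode dynamic ..." -> "dynamic"
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    findings = []
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk still speaks DTP; add 'switchport nonegotiate'")
        if not has("switchport trunk native vlan "):
            findings.append("native VLAN left at 1; move it to an unused VLAN")
        if not has("switchport trunk allowed vlan "):
            findings.append("all VLANs allowed on trunk; prune to the VLANs needed")
    elif mode == "access":
        if not has("switchport access vlan "):
            findings.append("access port left in VLAN 1 (default)")
    else:
        findings.append("no static mode; port is DTP dynamic and not shut down")
    return [(name, f) for f in findings]


def audit(config):
    """Audit every interface block; returns a flat list of (port, finding)."""
    results = []
    for name, lines in parse_interfaces(config).items():
        results.extend(audit_port(name, lines))
    return results


if __name__ == "__main__":
    for port, finding in audit(WEAK_CONFIG):
        print(f"{port}: {finding}")
    print("findings after hardening:", audit(HARDENED_CONFIG))
```

Run against the weak config this reports five findings (three on the trunk, one on Gi0/2, one on the untouched Gi1/0) and none against the hardened one. The same script runs unchanged on the output of show running-config copied from Switch-Core or the other access switches.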
PC-1-10> show ip
NAME : VPCS[1]
IP/MASK : 10.1.10.100/24
GATEWAY : 10.1.10.254
DNS :
MAC : 00:50:79:66:68:97
LPORT : 20000
RHOST:PORT : 127.0.0.1:30000
MTU : 1500
Our PCs have the following IP addresses (the second number in each name is the VLAN the PC sits in):
PC-1-10 with IP address: 10.1.10.100
PC-2-10 with IP address: 10.1.10.101
PC-3-20 with IP address: 10.1.20.100
PC-4-20 with IP address: 10.1.20.101
PC-5-30 with IP address: 10.1.30.100
PC-6-30 with IP address: 10.1.30.101
PC-7-40 with IP address: 10.1.40.100
PC-8-40 with IP address: 10.1.40.101
PC-9-50 with IP address: 10.1.50.100
PC-1-10> ip 10.1.10.100 gateway 10.1.10.254
Checking for duplicate address...
PC1 : 10.1.10.100 255.255.255.0 gateway 10.1.10.254
PC-1-10> save
Saving startup configuration to startup.vpc
Check Connectivity - Ping between nodes
PC-1-10> ping 10.1.10.101
84 bytes from 10.1.10.101 icmp_seq=1 ttl=64 time=3.966 ms
84 bytes from 10.1.10.101 icmp_seq=2 ttl=64 time=1.799 ms
84 bytes from 10.1.10.101 icmp_seq=3 ttl=64 time=2.677 ms
84 bytes from 10.1.10.101 icmp_seq=4 ttl=64 time=6.269 ms
84 bytes from 10.1.10.101 icmp_seq=5 ttl=64 time=2.196 ms
PC-1-10> ping 10.1.20.100
84 bytes from 10.1.20.100 icmp_seq=1 ttl=63 time=24.461 ms
84 bytes from 10.1.20.100 icmp_seq=2 ttl=63 time=10.907 ms
84 bytes from 10.1.20.100 icmp_seq=3 ttl=63 time=14.753 ms
84 bytes from 10.1.20.100 icmp_seq=4 ttl=63 time=20.463 ms
84 bytes from 10.1.20.100 icmp_seq=5 ttl=63 time=32.771 ms
PC-1-10> ping 10.1.20.101
84 bytes from 10.1.20.101 icmp_seq=1 ttl=63 time=12.051 ms
84 bytes from 10.1.20.101 icmp_seq=2 ttl=63 time=10.107 ms
84 bytes from 10.1.20.101 icmp_seq=3 ttl=63 time=11.371 ms
84 bytes from 10.1.20.101 icmp_seq=4 ttl=63 time=12.206 ms
84 bytes from 10.1.20.101 icmp_seq=5 ttl=63 time=17.608 ms
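The TTL values in the replies already tell us which path the packets took: 64 for the same-VLAN ping, which is purely switched, and 63 for the cross-VLAN pings, because R-1 decrements the TTL once on the reply's way back. The added example below (my own Python, not from the lab) encodes that expectation and checks a VPCS ping transcript against it. The addresses come from the lab, the PC names follow the PC-<n>-<VLAN> pattern, the transcript is constructed in the lab's output format, and the initial TTL of 64 is assumed from the lab's own output.

```python
"""Verify from ping replies that traffic took the expected path.

Added example, not part of the original lab. Same-subnet pings are switched
and the reply arrives with TTL 64; cross-VLAN pings go through R-1, which
decrements the reply's TTL to 63. The ping transcript is constructed in the
VPCS format used in the lab; the initial TTL of 64 is an assumption that
matches the lab output.
"""
import ipaddress
import re

INITIAL_TTL = 64

# R-1 subinterfaces: VLAN -> gateway address (from the lab)
GATEWAYS = {
    10: "10.1.10.254/24",
    20: "10.1.20.254/24",
    30: "10.1.30.254/24",
    40: "10.1.40.254/24",
    50: "10.1.50.254/24",
}

# VPCS hosts: name -> address (from the lab; PC-<n>-<VLAN> naming)
HOSTS = {
    "PC-1-10": "10.1.10.100/24", "PC-2-10": "10.1.10.101/24",
    "PC-3-20": "10.1.20.100/24", "PC-4-20": "10.1.20.101/24",
    "PC-5-30": "10.1.30.100/24", "PC-6-30": "10.1.30.101/24",
    "PC-7-40": "10.1.40.100/24", "PC-8-40": "10.1.40.101/24",
    "PC-9-50": "10.1.50.100/24",
}

PING_LINE = re.compile(r"^\d+ bytes from (\S+) icmp_seq=\d+ ttl=(\d+) time=")


def expected_path(src_cidr, dst_ip):
    """Return (description, expected reply TTL) for an echo from src to dst."""
    src = ipaddress.ip_interface(src_cidr)
    dst = ipaddress.ip_address(dst_ip)
    if dst in src.network:
        return "switched within the VLAN", INITIAL_TTL
    for vlan, gw in GATEWAYS.items():          # which subinterface owns dst?
        if dst in ipaddress.ip_interface(gw).network:
            return f"routed by R-1 via GigabitEthernet0/0.{vlan}", INITIAL_TTL - 1
    return "no route on R-1", None


def parse_ping(output):
    """Return {reply address: set of TTL values seen} from VPCS ping output."""
    seen = {}
    for line in output.splitlines():
        m = PING_LINE.match(line.strip())
        if m:
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    return seen


def check_pings(src_name, output):
    """Compare observed TTLs with the expected path for each destination.
    Returns a list of (dst, description, expected_ttl, observed_ttls, ok)."""
    results = []
    for dst, ttls in parse_ping(output).items():
        desc, exp = expected_path(HOSTS[src_name], dst)
        results.append((dst, desc, exp, ttls, ttls == {exp}))
    return results


# Constructed transcript in the lab's format (two replies per target suffice)
SAMPLE_OUTPUT = """\
PC-1-10> ping 10.1.10.101
84 bytes from 10.1.10.101 icmp_seq=1 ttl=64 time=3.966 ms
84 bytes from 10.1.10.101 icmp_seq=2 ttl=64 time=1.799 ms
PC-1-10> ping 10.1.20.100
84 bytes from 10.1.20.100 icmp_seq=1 ttl=63 time=24.461 ms
84 bytes from 10.1.20.100 icmp_seq=2 ttl=63 time=10.907 ms
"""

if __name__ == "__main__":
    for dst, desc, exp, ttls, ok in check_pings("PC-1-10", SAMPLE_OUTPUT):
        print(f"{dst}: {desc}, expected ttl {exp}, saw {sorted(ttls)}, "
              f"{'OK' if ok else 'MISMATCH'}")
```

A mismatch is worth investigating: a cross-VLAN reply arriving with TTL 64 means the two hosts are actually on the same layer-2 segment (for example a port left in the wrong VLAN), and the router was never involved.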