Routing between VLANs questions

MrXpert Member Posts: 586
Hi,
I've just started working on the ICND2 material but I haven't got any course books yet, as I am waiting for the new edition of Odom's book to come out in a few weeks. I have watched a few videos about routing between VLANs and decided to just give it a try in PT. Can anyone please look at my configuration below for my router and switch and see what they think of it? So far I have set up one switch (OFFICE-SWITCH) and one router (OFFICE-R1). I have added a few extra Fast Ethernet/Ethernet ports to the OFFICE-R1 router in order to connect up extra cables to the switch to carry the VLAN traffic. I think it would be difficult to add more Fast Ethernet ports onto the router, as there are additional slots available on the router in PT.

The office router is connected to a HeadOffice router, where some NAT is going on. The OFFICE-R1 has three DHCP pools. The OFFICE-SWITCH has three VLANs on it. Each IP host in each VLAN can ping another host in another VLAN. I ran a tracert command from one of the hosts, and its default gateway is 172.32.0.1 or 172.16.0.1 or 10.0.0.1, depending on which host I am pinging from.


OFFICE-R1#show run
Building configuration...

Current configuration : 1544 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname OFFICE-R1
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.4
ip dhcp excluded-address 10.0.0.1 10.0.0.2
ip dhcp excluded-address 172.32.0.1 172.32.0.2
!
ip dhcp pool OFFICE
network 172.16.0.0 255.255.0.0
default-router 172.16.0.1
ip dhcp pool TECH
network 172.32.0.0 255.255.0.0
default-router 172.32.0.1
ip dhcp pool ADMIN
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
!
!
!
username HQ-R1 password 0 hello
username Teddy password 0 bear
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description LAN
ip address 172.16.0.1 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
description WAN
ip address 192.168.0.2 255.255.255.252
encapsulation ppp
ppp authentication chap
ip nat outside
!
interface Serial0/1
no ip address
shutdown
!
interface Ethernet1/0
ip address 10.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface Ethernet1/1
description TECH LAN 172.32.0.0
ip address 172.32.0.1 255.255.0.0
duplex auto
speed auto
!
ip nat inside source list 1 interface Serial0/0 overload
ip classless
!
!
access-list 1 permit 172.16.0.0 0.0.255.255
!
banner login ^C
****************************************************************
THIS IS THE OFFICE-R1 router.
**************************************************************** ^C
!
!
!
!
line con 0
password 240478
login
line vty 0 4
login local
!
!
!
end


Now the Office-Switch

OFFICE-SWITCH#show run
Building configuration...

Current configuration : 2230 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname OFFICE-SWITCH
!
enable password 7 0822455D0A16
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
switchport mode access
!
interface FastEthernet0/3
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000A.41C1.E555
switchport port-security mac-address sticky 0040.0BCD.6A32
switchport port-security mac-address sticky 0090.2B9C.2DD6
!
interface FastEthernet0/5
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0009.7CC2.D589
!
interface FastEthernet0/6
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 00D0.97AD.B4D8
!
interface FastEthernet0/7
switchport access vlan 2
!
interface FastEthernet0/8
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
ip address 172.16.0.2 255.255.0.0
!
interface Vlan2
ip address 172.32.0.2 255.255.0.0
!
interface Vlan3
no ip address
!
interface Vlan20
no ip address
!
!
line con 0
password 7 0873181E5D4E5D
login
!
line vty 0 4
password 7 0822455D0A1654
login
privilege level 15
line vty 5 15
password 7 0822455D0A1654
login
privilege level 15
!
!
end


A big thank you for reading all this and if you can help then that would be great!
I'm an Xpert at nothing apart from remembering useless information that nobody else cares about.

Comments

  • nbeacham Posts: 23
    I see on the office switch you configured the IP address on interface Vlan 1 and Vlan 2; this is incorrect.
    Look up router on a stick: you need to configure your sub-interfaces on the office router with 802.1Q encapsulation, and also be sure to configure a switch trunk port with the same encapsulation.
  • pham0329 Member Posts: 556
    There are multiple ways to route traffic between VLANs, and your way is one of them, although it's not very practical. As you've found out, you need one interface on the router for each VLAN, and on a production network with lots of VLANs, that's not a viable solution.

    The first of the other two ways to route between VLANs is, as nbeacham said, to use a router-on-a-stick configuration. In this situation, you set up a trunk between your switch and the router. The switch tags the data going to the router, and the router retags the frame for the destination VLAN and sends it back out to the switch.

    The third way is to use a L3 switch, which is a lot simpler and more scalable, but is not covered in ICND2.
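The trunk exchange pham0329 describes (switch tags the frame, router retags it for the destination VLAN and sends it back down the same trunk) shown at the byte level, as an added example that is not code from the thread. The MAC addresses, the hosts 192.168.20.10 and 192.168.30.10 and the ping payload are constructed for the walk-through; the router step also rewrites the MACs and decrements the IP TTL, as a real router does.

```python
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC addresses for the walk-through (not from the thread's configs).
HOST_SALES = "00:00:00:00:20:0a"   # a PC in VLAN 20
HOST_TECH = "00:00:00:00:30:0a"    # a PC in VLAN 30
ROUTER = "00:00:00:00:01:01"       # the router-on-a-stick's Fa0/0

def mac(text):
    """'00:0a:41:c1:e5:55' or '000A.41C1.E555' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace(".", "").replace("-", ""))

def ip_checksum(header):
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src, dst, payload, ttl=64, proto=1):
    """Minimal IPv4 header (no options) with a correct checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def tag_frame(dst_mac, src_mac, vid, packet, pcp=0):
    """What the switch's trunk port does: insert the 4-byte 802.1Q tag after the MACs."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + packet

def parse_frame(frame):
    """Read the Ethernet header; 'vid' is None when the frame carries no 802.1Q tag."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return {"dst": dst, "src": src, "vid": None, "ethertype": ethertype, "packet": frame[14:]}
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner, "packet": frame[18:]}

def route_between_vlans(frame, router_mac, next_hop_mac, out_vid):
    """What the router does between two sub-interfaces: take the tagged frame from the
    switch, forward the IP packet (new MACs, TTL-1, checksum refreshed) and send it back
    down the same trunk tagged with the destination VLAN."""
    f = parse_frame(frame)
    if f["vid"] is None:
        raise ValueError("untagged frame: it belongs to the native VLAN on the physical interface")
    if f["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is routed here")
    hdr = bytearray(f["packet"][:20])
    if hdr[8] <= 1:
        raise ValueError("TTL expired")
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return tag_frame(next_hop_mac, router_mac, out_vid, bytes(hdr) + f["packet"][20:], f.get("pcp", 0))

def demo():
    """A host in VLAN 20 pings a host in VLAN 30 through the router-on-a-stick."""
    inbound = tag_frame(ROUTER, HOST_SALES, 20,
                        ipv4_packet("192.168.20.10", "192.168.30.10", b"\x08\x00ping!!!!"))
    outbound = route_between_vlans(inbound, ROUTER, HOST_TECH, 30)
    return parse_frame(inbound), parse_frame(outbound)
```

`demo()` returns the parsed inbound and outbound frames: the inbound one carries VID 20 and TTL 64, the outbound one VID 30, TTL 63, the router's MAC as source and the VLAN 30 host's MAC as destination, with the IP payload untouched. The VID check in `route_between_vlans` is also the reason nbeacham's point matters: with no tag on the wire, the router has no sub-interface to hand the frame to.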
  • MrXpert Member Posts: 586
    Hey, thanks for all your help! I got it working. The router on a stick method is much more scalable, as you mentioned. I set up four VLANs and used the router to allocate IP addresses automatically using DHCP, and I was really pleased with how it was able to know which IP to give out, without fuss.
  • MrXpert Member Posts: 586
    I'm back for an update and also some help please. Using PT.

    The small network I set up has a router (HQ-R1) connected to a switch (1STFL-SWITCH). There is also another switch (called GROUND-SWITCH) which is connected to 1STFL-SWITCH via a crossover cable. This is all in one building. I set up the 1STFL-SWITCH as the VTP server and the ground floor (i.e. GROUND-SWITCH) as the client. All seems to be working fine there, with all the VLAN groups being sent across the trunk link. All I had to do then was ensure the interfaces on the GROUND-SWITCH were in the correct VLAN IDs.

    Within 1STFL-SWITCH are VLANs ADMIN, SALES and TECH. The GROUND-SWITCH has VLANs TECH and HR.
    So basically this means that physically there are tech staff on both floors of the office and they belong to the TECH VLAN.

    I tested pinging everything I could, from sub-interfaces to IP hosts on each VLAN, and it works fine.

    My IP addressing scheme is as follows:

    SALES = VLAN 20
    TECH = VLAN 30
    HR = VLAN 40
    ADMIN = VLAN 50

    SALES on 192.168.20.0/24
    TECH on 192.168.30.0/24
    HR on 192.168.40.0/24
    ADMIN on 192.168.50.0/24

    My questions are: what happens if the company has another building, as in a campus LAN style topology, and they want to have inter-VLAN routing there also? Would I need to connect up the HQ-R1 (in the original building) to their new switch? Or would they simply have a switch which was trunked to one of the existing switches?

    What if in this new building they wanted a router as well? Would the routers need to have sub-interfaces to each other?

    I hope I'm making sense.
  • advanex1 CASP, MCSA 2016, MCSA 2012, CCNA, Security+, Network+, Project+, Server+ Member Posts: 364
    It sounds to me like you're getting more into the design of networks, which is a completely different certification. You could do it with the server switch being trunked to another switch across the campus, but you have to keep in mind - what kind of cable do you use, how far is the distance, is that a viable option, etc. etc...

    Depends on how you would want to connect the routers together as well. Do you want to use hub and spoke? Do you want to allow both routers to face and route to the internet?

    You're making sense, but it's not necessarily something you have to worry about for the certification. That's something you need to look up in design and understand the concepts behind it.
    Order of Certifications to come: CISM, C|EH, CISA
    2019 certification tests taken: CISSP (Passed - awaiting endorsement), MCSA: 2016 (Passed), CCNA (Re-certification - Passed)
    Currently Reading: CISM: All-in-One
    New Blog: https://jpinit.com/blog
  • MrXpert Member Posts: 586
    Thanks for your help.

    When I was setting up the VLAN management interface on the switches, I set these to 192.168.1.2 (1STFL-SWITCH) and 192.168.1.3 (GROUND-SWITCH). I set the ip default-gateway command on each switch to "192.168.1.1", which is the IP address of the fa0/0 interface of the router on a stick. Is that OK?
    Or should I also create further virtual management interfaces on these switches to reflect each VLAN that exists? For example:
    VLAN 20 = management interface of 192.168.20.9
    VLAN 30 = management interface of 192.168.30.9

    At the moment, with only one VLAN management interface assigned per switch, all the nodes can ping these addresses and I can telnet from any host to any switch. It is working correctly as far as I can see, but I just wanted to check whether the method I have used seems right.

    1STFL-SWITCH CONFIG
    interface Vlan1
    description MANAGEMENT VLAN1
    ip address 192.168.1.2 255.255.255.0
    !
    ip default-gateway 192.168.1.1



    GROUND-SWITCH CONFIG
    interface Vlan1
    ip address 192.168.1.3 255.255.255.0
    !
    ip default-gateway 192.168.1.1


    HQ-R1 CONFIG
    !
    interface FastEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.20
    description SUB INTERFACE TRUNK ON VLAN 20 IN 192.168.20.0/24 SUBNET
    encapsulation dot1Q 20
    ip address 192.168.20.1 255.255.255.0
    !
    interface FastEthernet0/0.30
    description SUB INTERFACE TRUNK ON VLAN 30 IN 192.168.30.0/24 SUBNET
    encapsulation dot1Q 30
    ip address 192.168.30.1 255.255.255.0
    !
    interface FastEthernet0/0.40
    description SUB INTERFACE TRUNK ON VLAN 40 IN 192.168.40.0/24 SUBNET
    encapsulation dot1Q 40
    ip address 192.168.40.1 255.255.255.0
    !
    interface FastEthernet0/0.50
    description SUB INTERFACE ON VLAN 50 ADMIN ON 192.168.50.0/24 SUBNET
    encapsulation dot1Q 50
    ip address 192.168.50.1 255.255.255.0
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    shutdown
    !
    interface Serial0/3/0
    no ip address
    shutdown
    !
    interface Serial0/3/1
    description WAN
    ip address 172.16.0.2 255.255.0.0
    encapsulation ppp
    ppp authentication chap
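An added consistency check, not posted by anyone in this thread, run over excerpts of two configurations pasted above: the OFFICE-R1 config from the first post (one physical router interface per VLAN, NAT overload towards HQ) and the HQ-R1 and 1STFL-SWITCH configs from this post (router-on-a-stick sub-interfaces and the switch management gateway). It assumes the pastes are un-indented and separated by `!` lines, as Packet Tracer prints them, and that the NAT source list is a standard ACL made of `permit ADDRESS WILDCARD` entries; the function and variable names are my own.

```python
import ipaddress
import re
# Excerpts of the 'show run' pastes earlier in this thread (lines the checks ignore are left out).
OFFICE_R1 = """\
interface FastEthernet0/0
ip address 172.16.0.1 255.255.0.0
ip nat inside
!
interface Serial0/0
ip address 192.168.0.2 255.255.255.252
ip nat outside
!
interface Ethernet1/0
ip address 10.0.0.1 255.0.0.0
!
interface Ethernet1/1
ip address 172.32.0.1 255.255.0.0
!
ip nat inside source list 1 interface Serial0/0 overload
access-list 1 permit 172.16.0.0 0.0.255.255
"""
HQ_R1 = """\
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
"""
FIRST_FLOOR_SWITCH = """\
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
ip default-gateway 192.168.1.1
"""

def parse_config(text):
    """Split a paste at its '!' separator lines into interface blocks and global lines."""
    cfg = {"interfaces": {}, "globals": []}
    for stanza in re.split(r"^!$", text, flags=re.M):
        lines = [l.strip() for l in stanza.splitlines() if l.strip()]
        if lines and lines[0].startswith("interface "):
            cfg["interfaces"][lines[0].split(None, 1)[1]] = lines[1:]
        else:
            cfg["globals"] += lines
    return cfg

def iface_addr(lines):
    """IPv4Interface from the block's 'ip address A MASK' line, or None."""
    m = next((re.match(r"ip address (\S+) (\S+)$", l) for l in lines if l.startswith("ip address ")), None)
    return ipaddress.ip_interface(f"{m[1]}/{m[2]}") if m else None

def check_nat_coverage(cfg):
    """IOS translates only traffic that enters an 'ip nat inside' interface, leaves an 'ip nat outside'
    one and matches the source list; report each routed LAN interface that fails either condition,
    because its hosts reach the WAN untranslated."""
    nat = [g for g in cfg["globals"] if g.startswith("ip nat inside source list ")]
    if not nat:
        return []
    acl = nat[0].split()[5]
    # Standard ACL 'permit ADDRESS WILDCARD' entries; a 0.0.0.0 wildcard means a single host.
    permitted = [ipaddress.ip_network(f"{m[1]}/{'32' if m[2] == '0.0.0.0' else m[2]}", strict=False)
                 for g in cfg["globals"] if (m := re.match(rf"access-list {acl} permit (\S+) (\S+)$", g))]
    findings = []
    for name, lines in cfg["interfaces"].items():
        addr = iface_addr(lines)
        if addr is None or "ip nat outside" in lines or "shutdown" in lines:
            continue
        if "ip nat inside" not in lines:
            findings.append(f"{name}: {addr.network} lacks 'ip nat inside'")
        if not any(addr.network.subnet_of(p) for p in permitted):
            findings.append(f"{name}: {addr.network} is not permitted by access-list {acl}")
    return findings

def check_subinterface_tags(cfg):
    """A dot1Q sub-interface without 'encapsulation' binds no VLAN; a tag that differs from the
    sub-interface number is legal but easy to misread, so both are flagged."""
    findings = []
    for name, lines in cfg["interfaces"].items():
        if "." not in name:
            continue
        tags = [l.split()[2] for l in lines if l.lower().startswith("encapsulation dot1q ")]
        if not tags:
            findings.append(f"{name}: no 'encapsulation dot1Q' tag")
        elif tags[0] != name.rsplit(".", 1)[1]:
            findings.append(f"{name}: VLAN tag {tags[0]} differs from the sub-interface number")
    return findings

def check_management_gateway(switch_cfg, router_cfg):
    """The switch's 'ip default-gateway' must lie on one of its SVI subnets and be an address the
    router owns, or management replies to hosts in other VLANs have no way back."""
    gw_lines = [g for g in switch_cfg["globals"] if g.startswith("ip default-gateway ")]
    if not gw_lines:
        return ["switch: no 'ip default-gateway'"]
    gw = ipaddress.ip_address(gw_lines[0].split()[2])
    svis = [a for a in map(iface_addr, switch_cfg["interfaces"].values()) if a]
    router_ips = [a.ip for a in map(iface_addr, router_cfg["interfaces"].values()) if a]
    if not any(gw in s.network for s in svis):
        return [f"switch: gateway {gw} is not on any SVI subnet"]
    if gw not in router_ips:
        return [f"switch: gateway {gw} is not an address on the router"]
    return []
```

`check_nat_coverage(parse_config(OFFICE_R1))` returns four findings: Ethernet1/0 (10.0.0.0/8) and Ethernet1/1 (172.32.0.0/16) each lack `ip nat inside` and are not covered by access-list 1, so only the 172.16.0.0/16 VLAN of the first design was actually translated towards the HQ router. For the HQ-R1 and 1STFL-SWITCH excerpts, `check_subinterface_tags` and `check_management_gateway` both return empty lists: the sub-interface numbers match their dot1Q tags, and 192.168.1.1 sits on the switch's Vlan1 subnet and is the router's Fa0/0 address, which is why telnet from any VLAN to the management addresses works.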
  • pham0329 Member Posts: 556
    advanex1 wrote:
    You're making sense, but it's not necessarily something you have to worry about for the certification. That's something you need to look up in design and understand the concepts behind it.

    That's something that he needs to worry about for the real world!
  • advanex1 CASP, MCSA 2016, MCSA 2012, CCNA, Security+, Network+, Project+, Server+ Member Posts: 364
    pham0329 wrote:
    That's something that he needs to worry about for the real world!

    Pham, I agree.

    MrXpert - yes, it looks fine. Sometimes I throw in the f0/0.1 sub-interface and run the encapsulation dot1q from that; it depends on how I feel for the day. I like working with sub-interfaces rather than the physical interface for the native VLAN. The management IPs on your switches look fine though.

    Forgot to say that since you are already using ROAS and are routing between VLANs, that gives you the option of keeping your management interfaces on the same network/subnet as the f0/0 interface on your router. To me, it's easier to track this way. Any PC should be able to telnet into your management interfaces if your inter-VLAN routing is configured correctly.
  • pham0329 Member Posts: 556
    My questions are: what happens if the company has another building, as in a campus LAN style topology, and they want to have inter-VLAN routing there also? Would I need to connect up the HQ-R1 (in the original building) to their new switch? Or would they simply have a switch which was trunked to one of the existing switches?

    What if in this new building they wanted a router as well? Would the routers need to have sub-interfaces to each other?

    If you have another building, you're probably going to want to use a L3 switch rather than ROAS. From there, you can either trunk the connection between the two L3 switches, or route between them using routing protocols. The advantage of routing between them is that broadcasts from one building are confined to that building and don't traverse the link into the other building. If you have redundant switches, routing between them would mean that you're using routing protocols for convergence rather than STP.