Configuring Inter-VLAN Routing (Route-Based)

In this lab, we are going to configure Inter-VLAN routing on a Cisco Router. We will configure the router to route traffic between multiple VLANs.

Introduction

By default, a switch puts all ports into VLAN ID 1, which forms one large broadcast domain; that is why a single switch is a single broadcast domain. VLANs are logical divisions on a network device that break large broadcast domains into smaller ones. Each VLAN creates its own broadcast domain on a single physical switch, so each VLAN is treated like its own subnet.

With that, we can jump straight into configuration.

Build the topology

I will be building my topology on EVE-NG. You can, however, use Packet Tracer or GNS3.
Add the following nodes to your workspace. The commands will not vary; however, the output may vary a bit.

  • 3 Windows 7 machines.
  • 1 Cisco vIOS L2 or IOU L2 image or similar that emulates the Catalyst 2960 or 3560 switches.
  • 1 Cisco vIOS L3 or IOU L3 image or similar that emulates the 1841 Integrated Services Routers, 2911 or similar Cisco Routers.

IP Addressing

  • VLAN 10 – FINANCE – 10.1.10.0/24
  • VLAN 20 – INFRASTRUCTURE – 10.1.20.0/24
  • VLAN 30 – HUMAN RESOURCE – 10.1.30.0/24

Once you have connected the nodes, you can fire them up and start the configuration from the switch.

Configure VLANs on the Switch

As a first step we are going to configure VLANs on our Switch.

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#name FINANCE
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name INFRASTRUCTURE
Switch(config-vlan)#vlan 30
Switch(config-vlan)#name HUMAN-RESOURCE
Switch(config-vlan)#exit
Switch(config)#exit
Switch#
*Apr 21 16:09:55.862: %SYS-5-CONFIG_I: Configured from console by console

Once you type exit to leave configuration mode, your VLANs will be created. We can verify the created VLANs using the command below:

Switch#
Switch#show vlan brie

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/0, Gi1/1, Gi1/2, Gi1/3
10   FINANCE                          active
20   INFRASTRUCTURE                   active
30   HUMAN-RESOURCE                   active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#

All our VLANs exist but at the moment, we haven’t assigned any ports to the specific VLANs. As you can also note, all ports by default are in VLAN ID 1.

Assign ports to VLANs

Here we are going to assign ports to the created VLANs using the commands below in interface configuration mode:

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int gigabitEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface gigabitEthernet 0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#int gigabitEthernet 0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30
Switch(config-if)#exit
Switch(config)#exit
Switch#
*Apr 21 16:18:55.367: %SYS-5-CONFIG_I: Configured from console by console

We can go back and verify our switchport assignments using the command below:

Switch#
Switch#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi1/0, Gi1/1, Gi1/2
                                                Gi1/3
10   FINANCE                          active    Gi0/1
20   INFRASTRUCTURE                   active    Gi0/2
30   HUMAN-RESOURCE                   active    Gi0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#
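
As an added example (not part of the original lab), the Python below parses the show vlan brief output shown above, including the wrapped continuation line of ports, and compares it with the intended port plan. It also lists ports still sitting in the default VLAN 1 so they can be reviewed. PLAN, TRUNK_PORTS and the function names are made up for this illustration, and Gi0/0 is assumed to be the uplink that is trunked later in the lab.

```python
import re

# Constructed sample: the `show vlan brief` output from this lab (shortened).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi1/0, Gi1/1, Gi1/2
                                                Gi1/3
10   FINANCE                          active    Gi0/1
20   INFRASTRUCTURE                   active    Gi0/2
30   HUMAN-RESOURCE                   active    Gi0/3
1002 fddi-default                     act/unsup
"""

# Intended access-port plan from the lab (port -> VLAN ID).
PLAN = {"Gi0/1": 10, "Gi0/2": 20, "Gi0/3": 30}
TRUNK_PORTS = {"Gi0/0"}  # assumption: Gi0/0 is the uplink to the router
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_vlan_brief(text):
    """Return {vlan_id: {"name": str, "ports": [str]}}, joining wrapped port lines."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            ports = [p.strip() for p in m.group(4).split(",") if p.strip()]
            vlans[current] = {"name": m.group(2), "ports": ports}
        elif current is not None and line.startswith(" ") and line.strip():
            # Continuation line: more ports belonging to the previous VLAN row.
            vlans[current]["ports"] += [p.strip() for p in line.split(",") if p.strip()]
    return vlans

def audit(vlans, plan, trunk_ports):
    """Return (misassigned ports with their actual VLAN, unplanned ports left in VLAN 1)."""
    port_to_vlan = {p: vid for vid, v in vlans.items() for p in v["ports"]}
    misassigned = {p: port_to_vlan.get(p) for p, want in plan.items()
                   if port_to_vlan.get(p) != want}
    leftover = sorted(p for p in vlans.get(1, {"ports": []})["ports"]
                      if p not in plan and p not in trunk_ports)
    return misassigned, leftover
```

On the lab output, audit() reports no misassigned ports and returns Gi1/0 through Gi1/3 as unused ports still in VLAN 1.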

Once we have confirmed our configurations, we can save them using the commands below.

Switch#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
Compressed configuration from 3227 bytes to 1535 bytes[OK]
Switch#
*Apr 21 16:26:25.372: %GRUB-5-CONFIG_WRITING: GRUB configuration is being updated on disk. Please wait...
*Apr 21 16:26:26.126: %GRUB-5-CONFIG_WRITTEN: GRUB configuration was written to disk successfully.
Switch#write memory
Building configuration...
Compressed configuration from 3227 bytes to 1535 bytes[OK]
Switch#
*Apr 21 16:26:33.886: %GRUB-5-CONFIG_WRITING: GRUB configuration is being updated on disk. Please wait...
*Apr 21 16:26:34.608: %GRUB-5-CONFIG_WRITTEN: GRUB configuration was written to disk successfully.
Switch#

Assign IP Addresses.

Using the addressing list above, we are going to assign IP addresses to our Windows 7 machines.
For VLAN 10 – FINANCE
IP Address 10.1.10.50/24
Gateway 10.1.10.254


For VLAN 20 – INFRASTRUCTURE
IP Address 10.1.20.50/24
Gateway 10.1.20.254


For VLAN 30 – HUMAN RESOURCE
IP Address 10.1.30.50/24
Gateway 10.1.30.254


Once all this is done, we can configure the trunk interface. This is the interface that carries traffic for one or more VLANs upstream to the router. The router will do the routing between the VLANs.

NB: At the moment, all pings will fail since each VLAN is on a different subnet.

Configure Trunk Interface

On the switch, the interface to be configured as a trunk is the one connecting to our gateway router. This allows the interface to carry VLAN traffic upstream.

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

Switch(config-if)#switchport trunk allowed vlan 10,20,30
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#exit
Switch#
*Apr 21 16:55:29.946: %SYS-5-CONFIG_I: Configured from console by console

The command switchport trunk allowed vlan 10,20,30 is used to allow specific VLANs on the trunk interface. You can choose the VLANs that you want to allow on the trunk.
You can confirm the trunk interface by using the command show interface trunk.

Switch#
Switch#
Switch#show int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       10,20,30

Port        Vlans allowed and active in management domain
Gi0/0       10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       10,20,30
Switch#

Configure the Gateway Router

In this step, we will configure our gateway router to route traffic between the three configured VLANs. To do this, we are going to configure sub-interfaces on a single physical interface; each sub-interface will be the gateway for the IP addresses assigned to its VLAN. Each sub-interface will be configured with 802.1Q encapsulation, tagged with its own VLAN ID. This method is also known as Router-on-a-stick Inter-VLAN routing, or simply route-based.

You can learn how to configure basic settings on a Cisco Router here.

We can then jump into our router and configure the sub interfaces and encapsulation.

GATEWAY>en
GATEWAY#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
GATEWAY(config)#int e0/0.10
GATEWAY(config-subif)#encapsulation dot1Q 10
GATEWAY(config-subif)#ip add 10.1.10.254 255.255.255.0
GATEWAY(config-subif)#exit
GATEWAY(config)#int e0/0.20
GATEWAY(config-subif)#encapsulation dot1Q 20
GATEWAY(config-subif)#ip add 10.1.20.254 255.255.255.0
GATEWAY(config-subif)#exit
GATEWAY(config)#int e0/0.30
GATEWAY(config-subif)#encapsulation dot1Q 30
GATEWAY(config-subif)#ip add 10.1.30.254 255.255.255.0
GATEWAY(config-subif)#exit
GATEWAY(config)#int e0/0
GATEWAY(config-if)#no shut
GATEWAY(config-if)#exit
*Apr 21 17:04:26.310: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Apr 21 17:04:27.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
GATEWAY(config)#exit
GATEWAY#

NB
The VLAN ID in encapsulation dot1Q 30 has to match the VLAN ID on the switch, otherwise the users on VLAN 30 may not reach the gateway.

This command binds the sub-interface to a particular 802.1Q-tagged VLAN ID.

You can confirm the sub-interfaces as below:

GATEWAY#
GATEWAY#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/0.10             10.1.10.254     YES manual up                    up  
Ethernet0/0.20             10.1.20.254     YES manual up                    up  
Ethernet0/0.30             10.1.30.254     YES manual up                    up  
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
GATEWAY#
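
The NB above says the dot1Q tag on each sub-interface has to match the VLAN ID. As an added example (not part of the original lab), the Python below cross-checks three things against each other: the addressing plan, the trunk's allowed VLAN list, and the router sub-interfaces. PLAN, TRUNK_ALLOWED, ROUTER_CONFIG and the function names are constructed for this illustration, and the allowed list is assumed to hold explicit IDs or ranges rather than the all keyword.

```python
import ipaddress
import re

# Constructed inputs mirroring this lab: addressing plan, trunk list, router config.
PLAN = {10: "10.1.10.0/24", 20: "10.1.20.0/24", 30: "10.1.30.0/24"}
TRUNK_ALLOWED = "10,20,30"  # value given to: switchport trunk allowed vlan
ROUTER_CONFIG = """\
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.254 255.255.255.0
interface Ethernet0/0.20
 encapsulation dot1Q 20
 ip address 10.1.20.254 255.255.255.0
interface Ethernet0/0.30
 encapsulation dot1Q 30
 ip address 10.1.30.254 255.255.255.0
"""

def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '10,20-22' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_subinterfaces(config):
    """Return {subinterface: {"tag": int, "ip": IPv4Interface}} from config text."""
    subs, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            m = re.match(r"interface (\S+\.\d+)$", line)
            name = m.group(1) if m else None  # ignore physical interfaces
        elif name and (m := re.match(r"\s+encapsulation dot1Q (\d+)", line)):
            subs.setdefault(name, {})["tag"] = int(m.group(1))
        elif name and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            subs.setdefault(name, {})["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
    return subs

def check(plan, trunk_allowed, config):
    """Return findings as strings; an empty list means everything lines up."""
    allowed, subs, findings = expand_vlans(trunk_allowed), parse_subinterfaces(config), []
    for name, sub in subs.items():
        tag, ip = sub.get("tag"), sub.get("ip")
        if tag not in allowed:
            findings.append(f"{name}: VLAN {tag} not allowed on trunk")
        if tag not in plan or ip is None or ip.network != ipaddress.ip_network(plan[tag]):
            findings.append(f"{name}: address {ip} does not match plan for VLAN {tag}")
    missing = set(plan) - {s.get("tag") for s in subs.values()}
    return findings + [f"VLAN {v}: no router sub-interface" for v in sorted(missing)]
```

With the lab's values check() returns an empty list; changing one tag, for example dot1Q 30 to 31, produces findings for the mistagged sub-interface and for the VLAN left without a gateway.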

Once you have confirmed, you can save your configurations.

GATEWAY#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
GATEWAY#write memory
Building configuration...
[OK]
GATEWAY#

You can confirm that pings are now successful. From VLAN 10 we can ping across all other VLANs as well as its own gateway.

That’s it folks, we have come to the end of this exciting lab.

bl4ckwidow

Co-Founder of Labing Overload. I am a Web Developer/Network Engineer turned CyberSecurity Engineer. FOSS enthusiast. Cisco Technologies enthusiast. Network Penetration Tester.
