Tuesday, January 11, 2005

Using a Router to Exchange VLAN Traffic

In late 2003 I described how part of my home network looked:

cable modem - cisco router - freebsd fw/gw - cisco switch - clients

This past weekend I decided to remove the firewall/gateway from the picture. With the router alone routing between VLANs over its single link to the switch, the setup is called a "router on a stick."

cable modem - cisco router - cisco switch - clients

In that late 2003 story I explained how I set up 802.1q on the FreeBSD system to pass traffic between VLANs on the Cisco switch. Without that FreeBSD system in place, I needed to configure my Cisco 2651XM router to exchange inter-VLAN traffic.

Luckily this Cisco document came to the rescue. The process was fairly simple. I administered the router via console cable, so none of my changes could lock me out through one of the network interfaces. In any case, I don't recommend letting just anyone connect to a Cisco router interface. (For a great presentation on router security, check out this .pdf of a presentation by Sean Convery and Matthew Franz.)

First I removed the IP address previously assigned to the interface facing the switch:

int fa0/1
no ip address

Next I created a subinterface with its own IP address to handle VLAN 10, which is a network. Note the use of '0/1.1' instead of '0/1':

int fa0/1.1
encapsulation dot1Q 10
ip address

Then I created a second subinterface with its own IP address to handle VLAN 20, which is a network. Note the use of '0/1.2':

int fa0/1.2
encapsulation dot1Q 20
ip address

That's it. Now if a system on VLAN 10 needs to talk to a system on VLAN 20, the router will pass the traffic.
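The three steps above leave the router with one addressless physical interface and one addressed dot1Q subinterface per VLAN. As an added example (not code from the original post), here is a small Python audit script that parses the interface blocks of an IOS running-config and checks exactly those properties: the physical interface no longer carries an IP address, each subinterface has both an 'encapsulation dot1Q' line and an address, no VLAN ID is claimed twice, subinterface subnets do not overlap, and, as a warning only, the subinterface number matches its VLAN ID (the numbering convention suggested in the comment on this post). SAMPLE_CONFIG and its RFC 5737 documentation addresses are constructed for the example; the post's own addresses are not reproduced.

```python
"""Audit a Cisco IOS "router on a stick" configuration.

Added example, not code from the original post. Parses the interface blocks
of a running-config and reports ERROR/WARN findings for the conditions the
post's procedure establishes. SAMPLE_CONFIG is constructed (RFC 5737 ranges).
"""
import ipaddress
import re

# Constructed sample: mirrors the post's fa0/1.1 / fa0/1.2 layout, plus a
# deliberately broken third subinterface so the audit has something to flag.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1.2
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
!
interface FastEthernet0/1.3
 encapsulation dot1Q 20
!
"""

ENCAP_RE = re.compile(r"encapsulation dot1[Qq] (\d+)")
ADDR_RE = re.compile(r"ip address (\S+) (\S+)")


class Interface:
    def __init__(self, name):
        self.name = name
        self.lines = []  # indented config lines under this interface

    @property
    def parent(self):
        return self.name.split(".")[0]

    @property
    def is_sub(self):
        return "." in self.name

    @property
    def sub_number(self):
        return int(self.name.split(".")[1]) if self.is_sub else None

    @property
    def vlan(self):
        for line in self.lines:
            m = ENCAP_RE.match(line)
            if m:
                return int(m.group(1))
        return None

    @property
    def network(self):
        # "no ip address" does not match: the line starts with "no".
        for line in self.lines:
            m = ADDR_RE.match(line)
            if m:
                return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        return None


def parse_interfaces(config):
    """Return {name: Interface} in config order; '!' or any top-level line ends a block."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            ifaces[current.name] = current
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
    return ifaces


def audit(config):
    """Return a list of 'ERROR ...' / 'WARN ...' findings for the config."""
    ifaces = parse_interfaces(config)
    findings, vlan_owner, subnets = [], {}, {}
    subs = [i for i in ifaces.values() if i.is_sub]
    for itf in ifaces.values():
        if not itf.is_sub:
            # The post's first step: the physical trunk interface loses its address.
            if itf.network and any(s.parent == itf.name for s in subs):
                findings.append(f"ERROR {itf.name}: physical interface still has an IP address")
            continue
        if itf.vlan is None:
            findings.append(f"ERROR {itf.name}: missing 'encapsulation dot1Q <vlan>'")
        if itf.network is None:
            findings.append(f"ERROR {itf.name}: no IP address, VLAN cannot be routed")
        else:
            for other, net in subnets.items():
                if net.overlaps(itf.network):
                    findings.append(f"ERROR {itf.name}: subnet {itf.network} overlaps {other} ({net})")
            subnets[itf.name] = itf.network
        if itf.vlan is not None:
            if itf.vlan in vlan_owner:
                findings.append(f"ERROR {itf.name}: VLAN {itf.vlan} already used by {vlan_owner[itf.vlan]}")
            else:
                vlan_owner[itf.vlan] = itf.name
            if itf.sub_number != itf.vlan:
                findings.append(f"WARN {itf.name}: subinterface number {itf.sub_number} != VLAN {itf.vlan}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file (replace SAMPLE_CONFIG with the file contents). On the constructed sample it reports the two numbering warnings for fa0/1.1 and fa0/1.2, plus the missing address and duplicate VLAN 20 on fa0/1.3; a config that follows the post's steps with subinterfaces numbered after their VLANs produces no findings.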

1 comment:

YesThatTom said...


Don't use .1 for vlan 10 and .2 for vlan 20! Use .10 for vlan 10 and .20 for vlan 20.

You'll thank me 5 years from now when your network grows to a zillion vlans.

Or not.

At least you didn't use .1 for vlan 20 and .1 for vlan 20! (Yes, I've seen people that call themselves Network Professionals do this!)