
router on a stick question

18 years 1 month ago #13703 by d_jabsd
I'm going to have to disagree with this. The parent interface is vlan 1 when using dot1q on a router. If you set another vlan as native, the parent interface starts tagging.

I've used this set up a few times, the first time to use a 2620 with a single interface as a NAT router on a PPPOE connection with an IPSec tunnel to my work. PPPOE doesn't work on sub-interfaces, so I had to use the parent interface and enable vlan 1 on my switch. Worked flawlessly.

I am also currently using this setup for OSPF adjacency between my work's 2 core routers at our datacenter.

The management vlan should be tagged, but it does not need to be vlan 1. Best practices are to change the management vlan to something other than 1 and use tagging for that traffic. Then don't use the native vlan at all, or use it for transit traffic.

Config example (my old PPPOE setup):
[code:1]
interface FastEthernet0/0
description DLS-Inet (PPPoE)
no ip address
speed 100
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/0.23
description Sec-D -inside
encapsulation dot1Q 23
ip address 192.168.23.1 255.255.255.0
no ip proxy-arp
ip nat inside
!
interface FastEthernet0/0.100
encapsulation dot1Q 100 native
!
[/code:1]

No way, the management VLAN MUST have a subif and the appropriate IP address. I think the correct setup looks like this:


interface fastethernet 0/0.1
description administrative
encapsulation dot1q 1 native
ip address 10.10.10.1 255.255.255.0

interface fastethernet 0/0.2
encapsulation dot1q 2
ip address 20.20.20.1 255.255.255.0

interface fastethernet 0/0.3
encapsulation dot1q 3
ip address 30.30.30.1 255.255.255.0


So, in the switch you have the switchport configured as belonging to VLANs 1, 2 and 3, and the PCs in each VLAN on each port must point to the IP address of the router's subinterface as the default gateway.

The same applies for ISL.



Make sure vlan 1 is in the allowed vlan list on the switch:

switchport trunk allowed vlan 1-3

and make sure vlan 1 is the native vlan:

switchport trunk native vlan 1


then it should work as expected.


Ta, I'll give that a go when I get home.

havohej, my understanding of it is that because I'm using 802.1q, the management VLAN, VLAN 1, is not required to be on a sub-interface. I think that's only required when using ISL.

So basically fa0/0 has ip address 192.168.1.1, and the two sub interfaces have 2.1 and 3.1 respectively. All vlans are using the 3 interfaces as their gateways etc etc.

18 years 1 month ago #13704 by dph
Replied by dph on topic Re: router on a stick question
Well, I'm guessing both ways will work. Based on Cisco Press, they state that based on 802.1Q, VLAN 1 is the native VLAN by default and no 802.1Q headers are added to frames. So the native VLAN should be configured on the physical interface instead of the sub-interface and no encapsulation should be used.

I haven't tried configuring the native VLAN on a sub-interface but I assume that it would work. I'll give it a go anyway.

FYI, my previous setup worked using the physical interface as the native vlan (Vlan1).
18 years 1 month ago #13721 by havohej

On the subject of a router on a stick set-up, what would be the best way to set-up the interface? Assuming you have one ethernet interface for the LAN and one serial for the WAN, and you have a few class c address spaces. Would you use subinterfaces on the ethernet interface or secondary addresses? I'm curious about opinions for this type of design.


jwj, answering your question: on some old router models, and depending on the capabilities of the router, like the IOS you have, and also on whether the switch the router is connected to is VLAN capable, sometimes the only solution is to use a secondary IP address of the second subnet on the router's FastEthernet physical interface, instead of creating subinterfaces for each new LAN subnet.

No matter which model you choose, it works both ways, but technically speaking, performance and level of control are better with subifs than with secondary addresses. Why??

With a secondary address you add a second subnet (broadcast domain) within the only VLAN (1 by default), so broadcasts originated from any IP address of the same VLAN are propagated to PCs within the same VLAN, but two network addresses share the same VLAN, so they share the broadcasts from both VLANs (not recommended).

Indeed, if your hardware and software support it, subifs and VLAN segmentation are a MUST.
18 years 1 month ago #13722 by havohej

I'm going to have to disagree with this. The parent interface is vlan 1 when using dot1q on a router. If you set another vlan as native, the parent interface starts tagging.



djabsp, please be more explicit, with what you disagree????
18 years 1 month ago #13724 by jwj
Replied by jwj on topic Re: router on a stick question
Yeah, I just started working on a small network that has secondary addresses instead of subinterfaces. I was wondering why they set it up like that, and I found out it's because they aren't using VLANs. Oh well, I'm redesigning it anyways. Thanks havohej.

-Jeremy-
18 years 1 month ago #13725 by d_jabsd

I'm going to have to disagree with this. The parent interface is vlan 1 when using dot1q on a router. If you set another vlan as native, the parent interface starts tagging.



djabsp, please be more explicit, with what you disagree????


sorry.. putting vlan 1 on a sub-interface and setting it to native for management.

[code:1]
interface fastethernet 0/0.1
description administrative
encapsulation dot1q 1 native
ip address 10.10.10.1 255.255.255.0
[/code:1]

The parent interface is automatically VLAN 1 and native (until a sub-int is defined as native). Which interface is used for management is up to the user, but I do prefer management traffic over a tagged interface instead of the native interface whenever possible, but that is just personal preference.
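
The rule stated in the post above (the parent interface is VLAN 1 and native until a sub-interface is marked native), combined with the thread's advice to keep addressed interfaces off VLAN 1 and off the untagged VLAN, written as a small config check. This is an added example, not code from the thread; the two sample configs are constructed from the shapes posted above, and `parse`, `audit` and the finding labels are hypothetical names.

```python
import re

# Constructed samples modelled on the config shapes posted in this thread.
PARENT_NATIVE = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
"""
TAGGED_ONLY = """\
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.23
 encapsulation dot1Q 23
 ip address 192.168.23.1 255.255.255.0
interface FastEthernet0/0.100
 encapsulation dot1Q 100 native
"""

def parse(config):
    """Return {interface: {"vlan", "native", "ip"}} for each interface stanza."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"interface\s+(.+)$", s, re.I)
        e = re.match(r"encapsulation\s+dot1q\s+(\d+)(\s+native)?$", s, re.I)
        a = re.match(r"ip address\s+(\S+)\s+\S+$", s, re.I)
        if m:
            name = m.group(1).replace(" ", "")
            parent = "." not in name
            # Assumption (the thread's rule): parent is VLAN 1 and native by default.
            cur = ifaces.setdefault(name, {"vlan": 1 if parent else None, "native": parent, "ip": None})
        elif cur is not None and e:
            cur["vlan"], cur["native"] = int(e.group(1)), bool(e.group(2))
        elif cur is not None and a:
            cur["ip"] = a.group(1)
    # A sub-interface marked native takes the untagged role away from the parent.
    if any(v["native"] for k, v in ifaces.items() if "." in k):
        for k in (k for k in ifaces if "." not in k):
            ifaces[k]["native"] = False
    return ifaces

def audit(config):
    """Flag addressed interfaces on the untagged VLAN or on VLAN 1."""
    checks = (("untagged", lambda i: i["native"]), ("vlan1", lambda i: i["vlan"] == 1))
    return [(n, tag) for n, i in parse(config).items() if i["ip"]
            for tag, hit in checks if hit(i)]
```

`audit(PARENT_NATIVE)` reports the addressed parent interface twice (untagged and VLAN 1), while `audit(TAGGED_ONLY)` returns no findings because the only addressed interface is tagged and the native VLAN carries no address.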