## Introduction
Building a switch and router network is a cornerstone exercise in any networking curriculum, and Lab 10.4 – 3 is designed to give students hands‑on experience with the fundamental concepts of LAN segmentation, inter‑VLAN routing, and basic network security. By the end of this lab, you will have a fully functional topology that includes multiple switches, a router, and several end‑devices, all configured to communicate across separate VLANs while maintaining isolation where required. This article walks you through every step of the process, explains the underlying theory, and provides troubleshooting tips so you can complete the lab with confidence and a solid grasp of real‑world networking practices.
## Lab Objectives
- Create and configure VLANs on two managed switches.
- Set up a trunk link between the switches to carry multiple VLAN traffic.
- Configure a router‑on‑a‑stick (single‑interface router) to enable inter‑VLAN routing.
- Assign IP addressing using a structured subnet scheme.
- Test connectivity with ping, traceroute, and basic security checks.
- Document the topology and capture configuration snapshots for future reference.
## Required Equipment
| Device | Minimum Specification |
|---|---|
| 2 × Managed Switches (e.g., Cisco 2960) | 24 ports, VLAN support, 802.1Q trunking |
| 1 × Router (e.g., Cisco 2901) | At least one Gigabit Ethernet interface |
| 4 × PCs or laptops | Ethernet NIC, TCP/IP stack |
| Console cables & RJ‑45 straight‑through cables | For device access and inter‑device links |
| Terminal emulator (PuTTY, Tera Term, etc.) | For console sessions to the switches and router |
## Network Design Overview
```text
+---------------------+
|      Router R1      |
| (Router-on-a-Stick) |
+----------+----------+
           | Gig0/0 (802.1Q trunk to SW1)
           |
+----------+----------+      Gi0/1 <-> Gi0/1      +---------------------+
|      Switch 1       +--------- 802.1Q trunk ----+      Switch 2       |
+----------+----------+                           +----------+----------+
           | Fa0/1 (access, VLAN 10)                         | access port, VLAN 20
           |                                                 |
+----------+----------+                           +----------+----------+
|    PC-A (VLAN 10)   |                           |    PC-B (VLAN 20)   |
+---------------------+                           +---------------------+
```
- VLAN 10 – “Engineering” – 192.168.10.0/24
- VLAN 20 – “Sales” – 192.168.20.0/24
- VLAN 30 – “Management” – 192.168.30.0/24 (optional extension)
The router’s single physical interface will be sub‑interface‑enabled (e.g., Gig0/0.10, Gig0/0.20) to act as the default gateway for each VLAN. All switches will carry the VLANs via a trunk link, while access ports will be assigned to the appropriate VLAN.
## Step‑by‑Step Configuration
### 1. Basic Device Preparation
- Power on all devices and connect console cables.
- Set a hostname for each device to simplify later troubleshooting.
```bash
Switch1> enable
Switch1# configure terminal
Switch1(config)# hostname SW1
SW1(config)# exit
```
Repeat for SW2 and the router (hostname R1).
- Disable unused services (CDP, HTTP) if they are not needed for the lab, to reduce noise.
```bash
SW1(config)# no cdp run
SW1(config)# no ip http server
```
### 2. VLAN Creation on Switches
On SW1:
```bash
SW1# configure terminal
SW1(config)# vlan 10
SW1(config-vlan)# name Engineering
SW1(config-vlan)# exit
SW1(config)# vlan 20
SW1(config-vlan)# name Sales
SW1(config-vlan)# exit
```
Repeat the same VLAN definitions on SW2 so that both switches agree on VLAN IDs and names.
### 3. Assign Access Ports
Assume FastEthernet0/1–0/2 are VLAN 10 access ports (PC‑A) and FastEthernet0/3 is a VLAN 20 access port (PC‑B).
```bash
SW1(config)# interface range fa0/1 - 2
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# exit
SW1(config)# interface fa0/3
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 20
SW1(config-if)# exit
```
Do the same on SW2, mapping the appropriate ports to each VLAN.
### 4. Configure the Trunk Link
Connect SW1 GigabitEthernet0/1 to SW2 GigabitEthernet0/1. Set both ends as trunk ports.
```bash
SW1(config)# interface gi0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20
SW1(config-if)# exit
SW2(config)# interface gi0/1
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 10,20
SW2(config-if)# exit
```
### 5. Router‑on‑a‑Stick Configuration
Connect the router’s GigabitEthernet0/0 to a trunk port on SW1 (Gi0/1 is already used by the SW1–SW2 link, so use another uplink port and configure it exactly like the trunk in step 4). Enable a sub‑interface for each VLAN.
```bash
R1# configure terminal
R1(config)# interface gig0/0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface gig0/0.10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)# interface gig0/0.20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config-subif)# exit
```
If you added VLAN 30, create `gig0/0.30` with `encapsulation dot1Q 30` and `192.168.30.1/24`.
### 6. Assign Default Gateways on PCs
| PC | IP Address | Subnet Mask | Default Gateway |
|----|------------|-------------|-----------------|
| PC‑A (VLAN 10) | 192.168.10.10 | 255.255.255.0 | 192.168.10.1 |
| PC‑B (VLAN 20) | 192.168.20.10 | 255.255.255.0 | 192.168.20.1 |
Configure these settings manually or via DHCP (optional – see the “DHCP Server on the Router” section under Optional Enhancements).
### 7. Verify VLAN and Trunk Status
On each switch:
```bash
SW1# show vlan brief
SW1# show interfaces trunk
```
You should see VLAN 10 and 20 listed as active, and the trunk port displaying “trunking” with the allowed VLANs.
### 8. Test Inter‑VLAN Connectivity
From PC‑A, ping the router’s VLAN 10 interface:
```bash
C:\> ping 192.168.10.1
```
Then ping the VLAN 20 gateway:
```bash
C:\> ping 192.168.20.1
```
If both succeed, try pinging PC‑B (192.168.20.10). Successful replies confirm that the router is correctly routing between VLANs.
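Most lab failures in steps 2–6 come from the two switches and the router disagreeing about a VLAN ID, a subnet, or a gateway. The following added example (not part of the lab; the plan layout, `validate_plan`, `render_switch_config` and `render_router_config` are assumed names) keeps the VLAN plan in one place, checks it with Python's `ipaddress` module, and renders the switch and router configuration fragments from it, so the `encapsulation dot1Q` ID, the gateway address, and the allowed-VLAN list can never drift apart.

```python
# Added example (not part of the lab): render the lab's VLAN plan into IOS
# configuration fragments and validate the addressing before typing it in.
# The plan layout and the function names are assumptions for this example.
import ipaddress

# The lab's VLAN plan (VLAN 30 is the optional extension from the article).
VLAN_PLAN = {
    10: {"name": "Engineering", "subnet": "192.168.10.0/24", "gateway": "192.168.10.1"},
    20: {"name": "Sales", "subnet": "192.168.20.0/24", "gateway": "192.168.20.1"},
    30: {"name": "Management", "subnet": "192.168.30.0/24", "gateway": "192.168.30.1"},
}

def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for vid, entry in plan.items():
        if not 1 <= vid <= 4094:
            problems.append(f"VLAN {vid}: id outside the 12-bit 802.1Q range")
        net = ipaddress.ip_network(entry["subnet"], strict=True)
        gw = ipaddress.ip_address(entry["gateway"])
        # The gateway must be a host address inside its own subnet.
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {vid}: gateway {gw} is not a usable host in {net}")
        # Overlapping subnets would make the router's L3 lookup ambiguous.
        for other_vid, other_net in nets.items():
            if net.overlaps(other_net):
                problems.append(f"VLAN {vid}: {net} overlaps VLAN {other_vid} {other_net}")
        nets[vid] = net
    return problems

def render_switch_config(plan, hostname, access_ports):
    """access_ports maps an interface name to the VLAN it should belong to."""
    lines = [f"hostname {hostname}"]
    for vid, entry in sorted(plan.items()):
        lines += [f"vlan {vid}", f" name {entry['name']}"]
    for ifname, vid in access_ports.items():
        if vid not in plan:
            raise ValueError(f"{ifname}: VLAN {vid} is not in the plan")
        lines += [f"interface {ifname}", " switchport mode access",
                  f" switchport access vlan {vid}"]
    # The trunk carries exactly the VLANs in the plan, nothing more.
    allowed = ",".join(str(v) for v in sorted(plan))
    lines += ["interface GigabitEthernet0/1", " switchport mode trunk",
              f" switchport trunk allowed vlan {allowed}"]
    return "\n".join(lines)

def render_router_config(plan, uplink="GigabitEthernet0/0"):
    """One dot1Q sub-interface per VLAN, with the gateway from the plan."""
    lines = [f"interface {uplink}", " no shutdown"]
    for vid, entry in sorted(plan.items()):
        net = ipaddress.ip_network(entry["subnet"])
        lines += [f"interface {uplink}.{vid}",
                  f" encapsulation dot1Q {vid}",
                  f" ip address {entry['gateway']} {net.netmask}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print("plan problems:", validate_plan(VLAN_PLAN) or "none")
    print(render_switch_config(VLAN_PLAN, "SW1",
                               {"FastEthernet0/1": 10, "FastEthernet0/3": 20}))
    print(render_router_config(VLAN_PLAN))
```

Run the script before step 2 and paste its output into each device; if `validate_plan` reports anything, fix the plan rather than the devices.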
## Scientific Explanation
### Why Use a Router‑on‑a‑Stick?
A router‑on‑a‑stick configuration leverages 802.1Q tagging to multiplex several logical networks over a single physical link. The router examines the VLAN tag on each Ethernet frame, strips it, and forwards the packet based on the destination IP address.
- Cost efficiency – only one physical interface is required on the router, reducing hardware expenses.
- Scalability – adding a new VLAN only needs a new sub‑interface, not additional cabling.
- Security – traffic from one VLAN cannot reach another without explicit routing policies, preserving logical segregation.
### How VLAN Tagging Works
When a frame received on an access port is forwarded out a trunk, the switch adds an 802.1Q tag containing a 12‑bit VLAN identifier (VID). The tag sits between the source MAC address and the EtherType/Length fields. Trunk ports forward these tagged frames unchanged, allowing downstream devices (other switches or routers) to interpret the VLAN context. Frames on access ports are untagged, so end‑devices remain unaware of VLAN mechanics.
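To see exactly where the tag sits and how the 12‑bit VID is carried, here is an added example (not from the lab or any vendor code) that builds and decodes 802.1Q frames with Python's `struct` module. The frame bytes, MAC addresses and function names are constructed for the example. It also reports stacked tags: a trunk should never receive a double‑tagged frame from an access port, which is why the “VLAN Hopping Prevention” row later in this article matters, so `is_double_tagged` is the kind of check a packet monitor would alert on.

```python
# Added example (not from the lab): decode the 802.1Q tag(s) on an Ethernet
# frame to see exactly where the 12-bit VID sits. Frame bytes are constructed.
import struct

TPID_8021Q = 0x8100   # tag protocol identifier for a customer VLAN tag
TPID_8021AD = 0x88A8  # service tag used by QinQ (outer tag)

def parse_frame(frame: bytes):
    """Return (dst, src, tags, ethertype, payload); tags is a list of (pcp, dei, vid)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12            # the tag, if any, starts right after the source MAC
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break          # reached the real EtherType/Length field
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside an 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        pcp = tci >> 13          # 3-bit priority code point
        dei = (tci >> 12) & 1    # drop eligible indicator
        vid = tci & 0x0FFF       # 12-bit VLAN identifier (1..4094 usable)
        tags.append((pcp, dei, vid))
        offset += 4              # each tag is 4 bytes: TPID + TCI
    return dst, src, tags, ethertype, frame[offset + 2:]

def build_frame(dst, src, vids, ethertype, payload):
    """Build a frame with one 802.1Q tag per entry in vids (PCP 0, DEI 0)."""
    header = dst + src
    for vid in vids:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

# Constructed sample: PC-A's IPv4 frame after SW1 tags it for VLAN 10 on the trunk.
SAMPLE_TAGGED = build_frame(mac("00:11:22:33:44:55"), mac("66:77:88:99:aa:bb"),
                            [10], 0x0800, b"\x45" + b"\x00" * 19)

def vlan_of(frame):
    """VID of the outermost tag, or None for an untagged frame."""
    tags = parse_frame(frame)[2]
    return tags[0][2] if tags else None

def is_double_tagged(frame):
    """True when more than one tag is stacked; worth alerting on when seen
    arriving from an access port."""
    return len(parse_frame(frame)[2]) > 1

if __name__ == "__main__":
    print(parse_frame(SAMPLE_TAGGED)[2], hex(parse_frame(SAMPLE_TAGGED)[3]))
```

The `while` loop is what makes the parser honest about QinQ: a single-tag parser that only looks at bytes 12–15 would report the outer tag and silently miss the inner one.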
### Inter‑VLAN Routing Process
- Ingress switch – receives a frame from PC‑A on VLAN 10 and forwards it to the router via the trunk, tagged with VID 10.
- Router (ingress) – sub‑interface `gig0/0.10` receives the frame, removes the tag, performs an L3 lookup, and determines that the destination is in VLAN 20.
- Router (egress) – re‑tags the frame with VLAN 20 on the outbound sub‑interface (`gig0/0.20`) and sends it back across the trunk.
- Destination switch – strips the tag on the access port for PC‑B and delivers the frame.
Understanding this flow is essential for troubleshooting, especially when you encounter “native VLAN” mismatches or “VLAN pruning” issues.
## Optional Enhancements
### DHCP Server on the Router
Instead of static IPs, configure a DHCP pool per VLAN:
```bash
R1(config)# ip dhcp pool ENG
R1(dhcp-config)# network 192.168.10.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.10.1
R1(dhcp-config)# exit
R1(config)# ip dhcp pool SALES
R1(dhcp-config)# network 192.168.20.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.20.1
R1(dhcp-config)# exit
```
Enable DHCP service and verify with `ipconfig /renew` on the PCs.
### Basic Access Control Lists (ACLs)
To restrict traffic, create an ACL that blocks Sales from reaching Engineering resources and apply it inbound on the Sales sub‑interface, where packets sourced from VLAN 20 enter the router:
```bash
R1(config)# access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
R1(config)# access-list 100 permit ip any any
R1(config)# interface gig0/0.20
R1(config-subif)# ip access-group 100 in
```
Test by attempting to ping 192.168.10.10 from PC‑B; the request should be dropped. Applied with `out` instead, the ACL would only see traffic leaving the router toward VLAN 20, whose source is never 192.168.20.0/24, so the deny entry would never match and the ping would still succeed.
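Wildcard masks and ACL direction are the two things students most often get backwards, so here is an added example (not part of the lab) that evaluates ACL 100 from the text against the two packets of PC‑B's ping: the echo request entering `gig0/0.20` inbound and the echo reply leaving it outbound. `wildcard_match`, `acl_decision`, `forwarded` and `ping_blocked` are names assumed for this example; the addresses are the lab's.

```python
# Added example (not from the lab): evaluate numbered extended ACL 100 from the
# text against the packets of PC-B's ping, to show how wildcard masks match and
# why the direction the ACL is applied in decides whether the ping is blocked.
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit means 'do not care'.
    'any' is written as 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

# Each ACE: (action, src_base, src_wildcard, dst_base, dst_wildcard), in order.
ACL_100 = [
    ("deny",   "192.168.20.0", "0.0.0.255",       "192.168.10.0", "0.0.0.255"),
    ("permit", "0.0.0.0",      "255.255.255.255", "0.0.0.0",      "255.255.255.255"),
]

def acl_decision(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def forwarded(acl, bound_direction, src, dst, packet_direction):
    """Apply an ACL bound to a sub-interface in bound_direction ('in' or 'out')
    to a packet travelling packet_direction on that sub-interface. Packets
    travelling the other way are not inspected by this ACL at all."""
    if bound_direction != packet_direction:
        return True
    return acl_decision(acl, src, dst) == "permit"

PC_A, PC_B = "192.168.10.10", "192.168.20.10"

def ping_blocked(acl, bound_direction):
    """Simulate PC-B pinging PC-A with the ACL bound on gig0/0.20.
    Echo request: PC-B -> PC-A, enters gig0/0.20 inbound.
    Echo reply:   PC-A -> PC-B, leaves gig0/0.20 outbound.
    The ping fails if either leg is dropped."""
    request_ok = forwarded(acl, bound_direction, PC_B, PC_A, "in")
    reply_ok = forwarded(acl, bound_direction, PC_A, PC_B, "out")
    return not (request_ok and reply_ok)

if __name__ == "__main__":
    for direction in ("in", "out"):
        print(f"ACL 100 bound {direction} on gig0/0.20: ping blocked = "
              f"{ping_blocked(ACL_100, direction)}")
```

Bound `in`, the deny entry matches the echo request and the ping fails as intended; bound `out`, the only packet the ACL inspects is the reply from Engineering, which matches `permit ip any any`, so the ping succeeds and the policy silently does nothing.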
## Troubleshooting Checklist
| Symptom | Likely Cause | Diagnostic Command |
|---|---|---|
| PCs cannot ping each other | VLAN mismatch on access ports | show vlan brief on switches |
| Router does not receive traffic | Trunk not allowing VLANs | show interfaces trunk |
| Ping to router succeeds, inter‑VLAN fails | Sub‑interface not configured or shutdown | show ip interface brief on router |
| Duplicate IP address error | Overlapping static/DHCP assignments | show ip dhcp binding |
| Unexpected broadcast traffic on wrong VLAN | Native VLAN set incorrectly on trunk | show interfaces gi0/1 switchport |
Always start with layer‑1 (cabling), then layer‑2 (VLANs, trunk), and finally layer‑3 (IP addressing, routing). Use the debug commands sparingly on production gear; they are invaluable in a lab environment.
## Frequently Asked Questions
Q1: Can I use a single‑mode fiber link for the trunk instead of copper?
A: Yes, provided both switches support SFP modules and the same wavelength. The configuration stays identical; only the physical interface changes (e.g., `interface TenGigabitEthernet0/1`).
Q2: What is the “native VLAN” and why does it matter?
A: The native VLAN is the VLAN whose frames are sent untagged on a trunk. By default it is VLAN 1. If the two ends of a trunk are configured with different native VLANs, untagged frames land in a different VLAN on each side, leading to communication failures. Explicitly set the native VLAN to an unused ID (e.g., 99) on both ends to avoid accidental leakage.
```bash
SW1(config)# interface gi0/1
SW1(config-if)# switchport trunk native vlan 99
```
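Native‑VLAN and allowed‑VLAN mismatches (the last two rows of the troubleshooting checklist and this question) are easiest to catch by comparing `show interfaces trunk` from both ends of the link. The following added example (not from the lab) parses that command's standard layout with Python and reports the differences. The two captures below are constructed for the example (SW1 with native VLAN 99, SW2 still on the default of 1 and allowing VLAN 30 that SW1 does not), and `parse_show_trunk`, `expand_vlan_list` and `compare_trunk_ends` are assumed names.

```python
# Added example (not from the lab): compare the two ends of the SW1-SW2 trunk
# from 'show interfaces trunk' output and flag native-VLAN and allowed-VLAN
# mismatches. The command output below is constructed for the example.
import re

SW1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       10,20

Port        Vlans allowed and active in management domain
Gi0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20
"""

SW2_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20,30

Port        Vlans allowed and active in management domain
Gi0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20
"""

def expand_vlan_list(spec: str) -> set:
    """Turn '10,20,30-32' into {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text: str) -> dict:
    """Return {port: {'status': str, 'native': int, 'allowed': set}}."""
    trunks = {}
    sections = text.split("\n\n")
    # First table: Port  Mode  Encapsulation  Status  Native vlan
    for m in re.finditer(r"^(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\d+)\s*$", sections[0], re.M):
        port, status, native = m.groups()
        trunks[port] = {"status": status, "native": int(native), "allowed": set()}
    # Second table: Port  Vlans allowed on trunk
    for m in re.finditer(r"^(\S+)\s+([\d,\-]+)\s*$", sections[1], re.M):
        port, spec = m.groups()
        if port in trunks:
            trunks[port]["allowed"] = expand_vlan_list(spec)
    return trunks

def compare_trunk_ends(local_text, local_port, remote_text, remote_port):
    """List inconsistencies between the two ends of one trunk link."""
    a = parse_show_trunk(local_text).get(local_port)
    b = parse_show_trunk(remote_text).get(remote_port)
    if a is None or b is None:
        return ["one side is not trunking at all"]
    issues = []
    if a["native"] != b["native"]:
        issues.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    if a["allowed"] != b["allowed"]:
        only_a = sorted(a["allowed"] - b["allowed"])
        only_b = sorted(b["allowed"] - a["allowed"])
        issues.append(f"allowed VLAN mismatch: only local {only_a}, only remote {only_b}")
    for side, t in (("local", a), ("remote", b)):
        if t["status"] != "trunking":
            issues.append(f"{side} port status is {t['status']}")
    return issues

if __name__ == "__main__":
    for issue in compare_trunk_ends(SW1_TRUNK, "Gi0/1", SW2_TRUNK, "Gi0/1"):
        print("trunk issue:", issue)
```

Paste the real output of `show interfaces trunk` from each switch in place of the constructed strings; an empty result from `compare_trunk_ends` means the two ends agree on status, native VLAN and allowed VLANs.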
Q3: Do I need to enable routing on the router?
A: Modern Cisco IOS routers have IP routing enabled by default. If you disabled it earlier, re‑enable it with `ip routing` in global configuration mode.
Q4: How many VLANs can a single switch support?
A: Most enterprise switches support up to 4094 VLAN IDs (12‑bit field). Practical limits are usually defined by memory and CPU resources, not the protocol itself.
Q5: Is a router‑on‑a‑stick the same as a Layer‑3 switch?
A: Functionally they both provide inter‑VLAN routing, but a Layer‑3 switch does it in hardware (faster) and often does not require a separate router device. The router‑on‑a‑stick model is useful for learning the routing process and for small deployments.
## Conclusion
Lab 10.4 – 3 offers a compact yet powerful introduction to VLAN segmentation, trunking, and inter‑VLAN routing. By following the steps outlined above, you will have:
- Created multiple VLANs and associated them with specific access ports.
- Established a trunk link that reliably carries tagged traffic between switches.
- Implemented a router‑on‑a‑stick that routes packets across VLAN boundaries while preserving logical isolation.
- Verified the design with connectivity tests, captured configuration snapshots, and applied optional DHCP and ACL enhancements.
Beyond the lab, the skills you’ve practiced—designing a clean IP scheme, configuring sub‑interfaces, and troubleshooting common VLAN issues—translate directly to real‑world network deployments. Whether you’re preparing for Cisco CCNA/CCNP exams or building a small office network, mastering this lab equips you with a solid foundation for scalable, secure, and well‑organized network architectures. Keep the configuration files, revisit the troubleshooting checklist, and experiment with additional features such as Spanning Tree Protocol (STP), PortFast, and QoS to deepen your expertise. Happy networking!
## Beyond the Basics: Enhancing Reliability and Security
| Feature | Why It Matters | How to Implement |
|---|---|---|
| Spanning‑Tree Protocol (STP) | Prevents layer‑2 loops when redundant links exist. | spanning-tree mode pvst on all switches; enable spanning-tree portfast on edge ports. |
| PortFast & BPDU Guard | Speeds up access‑port transition to forwarding state while protecting against rogue bridges. | interface gi0/2 → spanning-tree portfast and spanning-tree bpduguard enable. |
| DHCP Snooping | Stops malicious DHCP servers from distributing rogue IP addresses. | ip dhcp snooping on the switch; mark trusted interfaces. |
| Dynamic ARP Inspection (DAI) | Disallows spoofed ARP replies that could lead to man‑in‑the‑middle attacks. | ip arp inspection vlan 10,20,30 on the switch. |
| QoS (Quality of Service) | Guarantees bandwidth for latency‑sensitive traffic (VoIP, video). | policy-map QoS‑Policy → class voice → priority. |
| VLAN Hopping Prevention | Stops attackers from using double‑tagged frames to bypass VLAN isolation. | switchport protected on access ports; remove unused VLANs. |
| Logging & SNMP | Enables proactive monitoring and alerting. | logging buffered 4096 and snmp-server community public RO. |
Tip: Always keep a copy of the running configuration (`show running-config`) after any major change. Use `copy running-config startup-config` to make the changes persistent across reboots.
## Common Pitfalls and How to Avoid Them
| Issue | Symptom | Fix |
|---|---|---|
| Untagged traffic appears on a trunk | Devices on a VLAN cannot communicate. | Verify that switchport trunk native vlan matches on both ends. |
| Routing loop | Packets keep bouncing between sub‑interfaces. | Check for duplicate or overlapping sub‑interface configurations. |
| Router‑on‑a‑stick interface goes down | GigabitEthernet0/0 shows down. | Confirm `no shutdown` on GigabitEthernet0/0 and check the cable to the switch trunk port. |
| DHCP lease not assigned | Clients show “No IP address”. | Check that the DHCP pool matches the subnet and that the router sub‑interface is up; disable ip helper-address on the router if it is not needed. |
## Next Steps in Your Networking Journey
- Implement Redundancy – Add a second router or a Layer‑3 switch and configure HSRP/VRRP for gateway failover.
- Explore Layer‑3 Switch Features – Move the routing function onto a multi‑layer switch to reduce latency.
- Set Up Monitoring – Deploy NetFlow or sFlow to analyze traffic patterns across VLANs.
- Automate with Ansible – Store your configurations in Git and push changes automatically.
- Simulate Attacks – Use tools like `ettercap` or `scapy` to test VLAN security measures in the lab.
## Final Thoughts
Lab 10.4 – 3 has walked you through the core of modern campus networking: segmentation, trunking, and inter‑VLAN routing. By mastering these fundamentals, you gain the confidence to design networks that are not only logically sound but also resilient and secure. Every configuration change you make now echoes into larger, more complex infrastructures—whether you’re deploying a data‑center fabric, a branch office, or a campus backbone.
Take the time to document your work, revisit the troubleshooting checklist, and experiment with the advanced features listed above. Each tweak sharpens your understanding and prepares you for certifications like CCNA, CCNP, or even CCIE. Remember: a well‑segmented network is the backbone of performance and security in any organization. Good luck, and keep building!
## Where to Go From Here
With the foundational pieces in place—VLAN segmentation, trunk links, and router‑on‑a‑stick inter‑VLAN routing—you’re ready to tackle the next layer of network design. Consider the following expansion paths:
| Direction | Why It Matters | Quick Start |
|---|---|---|
| Zero‑Touch Provisioning | Automate device onboarding at scale. | Deploy Cisco DNA Center or use Ansible playbooks to load baseline configs. |
| Software‑Defined Networking | Centralize control and policy. | Experiment with OpenFlow or Cisco SD‑WAN on a small lab. |
| Advanced Security | Protect segmented traffic from lateral movement. | Implement MAC‑based authentication, SPAN/monitor ports, and ACLs on both switches and routers. |
| High Availability | Reduce downtime for mission‑critical services. | Configure HSRP/VRRP, GLBP, or EVPN for failover and load balancing. |
| Performance Optimization | Ensure QoS and low latency for critical applications. | Enable QoS policies, use DiffServ, and monitor bandwidth with NetFlow. |
Each of these avenues builds on the same principles you’ve practiced: clear logical boundaries, well‑defined interfaces, and a disciplined approach to configuration management. As you grow more comfortable, you’ll find that the same patterns apply whether you’re working on a small branch office or a sprawling campus core.
## Closing Thoughts
Lab 10.4 – 3 has taken you through the essential steps of creating a secure, segmented, and routable network using Cisco hardware. By mastering VLANs, trunking, and router‑on‑a‑stick routing, you’ve laid the groundwork for more sophisticated designs that can scale, secure, and perform under load. Remember that the true test of a network engineer is not just the ability to configure devices, but to anticipate problems, document solutions, and iterate toward a more resilient architecture.
Keep experimenting, keep troubleshooting, and keep documenting. Each configuration you write and each packet you trace brings you closer to becoming a confident, seasoned network professional. Happy networking!