Routers usually come with slots where you can add extra modules for functionalities like VPN, switching and so on. In this article, I will be discussing one of the scenarios I faced recently where the same VLAN on a switch and a router installed with a switch module were seen as separate VLANs and I will show you two solutions to the issue.

The diagram below illustrates the scenario:

The Problem

In the above diagram, interface e0/1 on the switch is an access port on VLAN 10; e0/0 is configured as a trunk port that is connected to Fa0/0 on the router. Fa0/0.10 is a sub-interface of Fa0/0 on the router and is configured with “encapsulation dot1q 10.” Fa1/10 on the router is a port on the switch module installed on the router and is also part of VLAN 10 on the router.

The problem is that the router was treating VLAN 10 on the switch (connected via Fa0/0.10) as a separate VLAN from the VLAN 10 configured on the router itself. This means that HOST A and HOST B could not communicate.

I wondered why this happened. My thinking was that since the interface on the switch that connected the router to VLAN 10 (on the switch) was configured as a trunk port, the router should be able to “advertise” the VLAN 10 configured on itself to the switch.

Well, now I understand that my thinking was flawed, as explained to me by a friend of mine: Assuming all the switch ports on the router are in the default VLAN, then that VLAN is a broadcast domain on its own and, since every port (e.g., Fa0/0) on a router is in its own broadcast domain, then there cannot be communication between different broadcast domains by default.

Note: You can also find an explanation here about why VLANs separated by a router are not the same VLAN even if they have the same VLAN ID.

To show that this problem is as I have described, I have set up a lab like the one in the diagram. The configuration on the switch is as follows:

interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access

The configuration on the router (it’s just a router in GNS3 with the NM-16ESW module inserted into one of the slots) is as follows:

interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.100 255.255.255.0
!
interface FastEthernet1/10
 switchport access vlan 10

Notice that HOST_A can ping the router (192.168.10.100) but not HOST_B. Let’s now get to the solutions.

Solution #1: Connect a switch port on the router to a port on the switch

This solution is quite straightforward – it’s like connecting two switches together through a trunk port. The “router” part of the router is actually not involved – it is just another device on the VLAN.

As you can see in the diagram above, I have connected a port on the switch (e0/2) to a port on the switch module of the router (Fa1/2). Both ports will be set to trunk mode. The configuration on the switch is as follows:

interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk

The configuration on the router is as follows:

interface FastEthernet1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk

Now if I try to ping from HOST A to HOST B, we see that the ping goes through.

If you have a spare port on the switch module of your router, then this solution may be suitable for you. However, why would I want to waste two ports on my router (i.e., Fa0/0 and Fa1/2) and connect it to a switch just so that I can have the same VLAN on both sides?

Solution #2: Bridging using the IRB feature

This brings us to the second solution—bridging. IRB stands for integrated routing and bridging and it allows a protocol to be both bridged and routed on the same interface on a router. There is a great explanation of the IRB feature in this Cisco document.

The configuration to achieve this on the router is as follows:

bridge irb
bridge 1 protocol ieee
!
interface FastEthernet0/0.10
 no ip address
 bridge-group 1
!
interface vlan 10
 bridge-group 1

The command “bridge irb” enables the IRB feature on the router, while “bridge 1 protocol ieee” enables bridging on the router. I then assigned interfaces to the bridge-group I created using the “bridge-group” command.
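
The broadcast-domain reasoning from the problem description and the effect of the bridge-group commands, as an added example that is not part of the original article: a simplified Python model that reads the router stanzas shown in this article and groups interfaces into layer-2 domains. The function names and the modelling rules are assumptions made for illustration and do not reflect how IOS represents bridging internally.

```python
import re

# Router stanzas copied from the article: lab baseline, then the IRB additions.
BASELINE = """\
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.100 255.255.255.0
!
interface FastEthernet1/10
 switchport access vlan 10
"""
IRB = """\
bridge irb
bridge 1 protocol ieee
!
interface FastEthernet0/0.10
 no ip address
 bridge-group 1
!
interface vlan 10
 bridge-group 1
"""

def broadcast_domains(config):
    """Group interfaces into layer-2 domains (simplified model, union-find)."""
    parent = {}
    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            node = parent[node]
        return node
    def union(a, b):
        parent[find(a)] = find(b)
    iface = None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(.+)", line):
            iface = m.group(1).replace(" ", "").lower()
            find(iface)  # a routed (sub)interface starts as its own domain
            if v := re.fullmatch(r"vlan(\d+)", iface):
                union(iface, ("vlan", v.group(1)))  # SVI of the module's VLAN
        elif iface and (m := re.match(r"\s+switchport access vlan (\d+)", line)):
            union(iface, ("vlan", m.group(1)))  # module port joins that VLAN
        elif iface and (m := re.match(r"\s+bridge-group (\d+)", line)):
            union(iface, ("bridge", m.group(1)))  # bridging merges domains
    names = [n for n in parent if isinstance(n, str)]
    return {frozenset(x for x in names if find(x) == find(n)) for n in names}

def same_domain(config, a, b):
    return any({a, b} <= d for d in broadcast_domains(config))
```

With only the baseline stanzas, Fa0/0.10 and Fa1/10 land in different domains even though both carry VLAN ID 10; appending the IRB stanzas puts Fa0/0.10, Fa1/10 and interface vlan 10 into one domain. The same check is useful when auditing a configuration for bridge-groups that join segments intended to stay separate.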

To test this configuration, you can first shut down the Fa1/2 interface that we used for trunking to the switch and then ping from HOST A to HOST B:

Usually, this configuration will not be enough for a real network; you will also want to be able to route packets from bridged interfaces to routed interfaces: for example, hosts on VLAN 10 to the Internet. We do this by configuring a bridged virtual interface (BVI). By looking at the destination address, the router is able to determine whether to bridge the packet or to route it.

Hint: The concept of BVIs is similar to that of SVIs on switches that allow inter-VLAN routing on switches.

bridge 1 route ip
interface bvi 1
 ip address 192.168.10.100 255.255.255.0

To test this routing configuration, you can configure a loopback interface on the router (say 1.1.1.1) to serve as a test network and then configure the default gateway on the hosts as this BVI address (192.168.10.100) and then ping:

Summary

This brings us to the end of this article, where we have looked at ways of bridging the same VLAN on a switch and a router with an EtherSwitch module. The first method we looked at was connecting a trunk between the switch ports. The second method we considered was using the IRB feature.

I hope you have found this article helpful.

References and Further Reading

  • Understanding and Configuring VLAN Routing and Bridging on a Router Using the IRB Feature: http://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/17054-741-10.html