Routers usually come with slots where you can add extra modules for functionalities like VPN, switching and so on. In this article, I will be discussing one of the scenarios I faced recently where the same VLAN on a switch and a router installed with a switch module were seen as separate VLANs and I will show you two solutions to the issue.
The diagram below illustrates the scenario:
In the above diagram, interface e0/1 on the switch is an access port on VLAN 10; e0/0 is configured as a trunk port that is connected to Fa0/0 on the router. Fa0/0.10 is a sub-interface of Fa0/0 on the router and is configured with “encapsulation dot1q 10.” Fa1/10 on the router is a port on the switch module installed on the router and is also part of VLAN 10 on the router.
The problem is that the router was treating VLAN 10 on the switch (connected via Fa0/0.10) as a separate VLAN from the VLAN 10 configured on the router itself. This means that HOST A and HOST B could not communicate.
I wondered why this happened this way. My thinking was that since the interface on the switch that connected the router to VLAN 10 (on the switch) was configured as a trunk port, then the router should be able to “advertise” the same VLAN 10 configured on its own self to the switch.
Well, now I understand that my thinking was flawed, as explained to me by a friend of mine: Assuming all the switch ports on the router are in the default VLAN, then that VLAN is a broadcast domain on its own and, since every port (e.g., Fa0/0) on a router is in its own broadcast domain, then there cannot be communication between different broadcast domains by default.
Note: You can also find an explanation here about why VLANs separated by a router are not the same VLAN even if they have the same VLAN ID.
To show that this problem is as I have described, I have set up a lab like the one in the diagram. The configuration on the switch is as follows:
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
The configuration on the router (it’s just a router in GNS3 with the NM-16ESW module inserted into one of the slots) is as follows:
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.100 255.255.255.0
!
interface FastEthernet1/10
 switchport access vlan 10
Notice that HOST_A can ping the router (192.168.10.100) but not HOST_B. Let’s now get to the solutions.
Solution #1: Connect a switch port on the router to a port on the switch
This solution is quite straightforward – it’s like connecting two switches together through a trunk port. The “router” part of the router is actually not involved – it is just another device on the VLAN.
As you can see in the diagram above, I have connected a port on the switch (e0/2) to a port on the switch module of the router (Fa1/2). Both ports will be set to trunk mode. The configuration on the switch is as follows:
interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
The configuration on the router is as follows:
interface FastEthernet1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
Now if I try to ping from HOST A to HOST B, we see that the ping goes through.
If you have a spare port on the switch module of your router, then this solution may be suitable for you. However, why would I want to waste two ports on my router (i.e., Fa0/0 and Fa1/2) and connect it to a switch just so that I can have the same VLAN on both sides?
Solution #2: Bridging using the IRB feature
This brings us to the second solution—bridging. IRB stands for integrated routing and bridging and it allows a protocol to be both bridged and routed on the same interface on a router. There is a great explanation of the IRB feature in this Cisco document.
The configuration to achieve this on the router is as follows:
bridge irb
bridge 1 protocol ieee
!
interface FastEthernet0/0.10
 no ip address
 bridge-group 1
!
interface vlan 10
 bridge-group 1
The command “bridge irb” enables the IRB feature on the router, while “bridge 1 protocol ieee” enables bridging on the router. I then assigned interfaces to the bridge-group I created using the “bridge-group” command.
To test this configuration, you can first shut down the Fa1/2 interface that we used for trunking to the switch and then ping from HOST A to HOST B:
Usually, this configuration will not be enough for a real network; you will also want to be able to route packets from bridged interfaces to routed interfaces: for example, hosts on VLAN 10 to the Internet. We do this by configuring a bridged virtual interface (BVI). By looking at the destination address, the router is able to determine whether to bridge the packet or to route it.
Hint: The concept of BVIs is similar to that of SVIs on switches that allow inter-VLAN routing on switches.
bridge 1 route ip
interface bvi 1
 ip address 192.168.10.100 255.255.255.0
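As an added example (not part of the original article or of Cisco's documentation), the Python script below checks a saved router configuration for the IRB pieces configured above: "bridge irb" is present, each bridge group has a "bridge N protocol" line, bridged interfaces no longer carry an IP address, and a BVI with an address has its matching "bridge N route ip". The function names and the sample configuration are constructed for illustration, and the script assumes running-config style text in which interface sub-commands are indented.

```python
# Constructed sample: Solution #2 with two mistakes (IP left on Fa0/0.10, no "bridge 1 route ip").
BROKEN = """\
bridge irb
bridge 1 protocol ieee
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.100 255.255.255.0
 bridge-group 1
interface Vlan10
 bridge-group 1
interface BVI1
 ip address 192.168.10.100 255.255.255.0
"""

def parse(config):
    """Return (global lines, {interface: [sub-commands]}) from running-config text."""
    glob, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line[10:].replace(" ", ""), [])
        elif raw[:1].isspace() and cur is not None:
            cur.append(line)          # indented line: belongs to the interface
        else:
            cur = None                # "!" or a global command ends the block
            if line not in ("", "!"):
                glob.append(line)
    return glob, ifaces

def has_ip(lines):
    return any(l.startswith("ip address ") for l in lines)

def audit_irb(config):
    """List inconsistencies in an IRB setup; an empty list means none found."""
    glob, ifaces = parse(config)
    out = [] if "bridge irb" in glob else ["'bridge irb' is missing"]
    groups = set()                    # bridge-group numbers in use
    for name, lines in ifaces.items():
        for words in (l.split() for l in lines):
            if words[:1] == ["bridge-group"] and len(words) == 2:
                groups.add(words[1])
                if has_ip(lines):
                    out.append(f"{name}: bridged interface still has an IP address")
    for n in sorted(groups):
        if not any(g.startswith(f"bridge {n} protocol ") for g in glob):
            out.append(f"bridge {n}: no 'bridge {n} protocol' line")
        if has_ip(ifaces.get(f"bvi{n}", [])) and f"bridge {n} route ip" not in glob:
            out.append(f"bvi{n}: has an IP address but 'bridge {n} route ip' is missing")
    return out
```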
To test this routing configuration, you can configure a loopback interface on the router (say 184.108.40.206) to serve as a test network and then configure the default gateway on the hosts as this BVI address (192.168.10.100) and then ping:
This brings us to the end of this article, where we have looked at ways of bridging the same VLAN on a switch and a router with an EtherSwitch module. The first method we looked at was connecting a trunk between the switch ports. The second method we considered was using the IRB feature.
I hope you have found this article helpful.
References and Further Reading
- Understanding and Configuring VLAN Routing and Bridging on a Router Using the IRB Feature: http://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/17054-741-10.html