VLAN: Router-on-a-stick
fa0/0.10 Vlan 10, 172.16.1.32/27
fa0/0.20 Vlan 20, 172.16.1.64/27
fa0/0.30 Vlan 30, 172.16.1.96/27
fa0/0.100 native vlan 100
A VLAN works without any router or multilayer switch; the router is only there for inter-VLAN routing. Each VLAN is its own broadcast domain and, in this design, its own subnet: switch ports are grouped into logical segments, frames are forwarded freely between ports in the same VLAN, but a frame that has to reach a different VLAN must pass through a Layer 3 device. Here that device is R1, which carries all VLANs over a single trunk link and terminates each one on its own dot1q subinterface (the router-on-a-stick design).
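The subinterface configuration that produces the interface table below, written out as an added example (it is not the page's own running-config). The /27 masks follow the subnet plan above; the physical interface keeps whatever address the page shows on it, and the switch-facing end of the link is assumed to be a trunk whose native VLAN is 100, matching fa0/0.100.

```cisco
! R1: one dot1q subinterface per VLAN, untagged (native) frames on .100
! Added example derived from the subnet plan; not the original page's config.
interface FastEthernet0/0
 no shutdown
!
interface FastEthernet0/0.10
 description HQ_Network 172.16.1.32/27
 encapsulation dot1Q 10
 ip address 172.16.1.33 255.255.255.224
!
interface FastEthernet0/0.20
 description IT_Network 172.16.1.64/27
 encapsulation dot1Q 20
 ip address 172.16.1.65 255.255.255.224
!
interface FastEthernet0/0.30
 description HR_Network 172.16.1.96/27
 encapsulation dot1Q 30
 ip address 172.16.1.97 255.255.255.224
!
interface FastEthernet0/0.100
 description native VLAN, untagged frames land here (no IP assigned)
 encapsulation dot1Q 100 native
```

Once `encapsulation dot1Q 100 native` is set on a subinterface, untagged frames arriving on Fa0/0 are delivered to that subinterface rather than to the physical interface, so the native VLAN number must be identical on the switch trunk port at the other end of the link.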
Router0 (R1) Interface status:
R1#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        172.16.1.1      YES manual up                    up
FastEthernet0/0.10     172.16.1.33     YES manual up                    up
FastEthernet0/0.20     172.16.1.65     YES manual up                    up
FastEthernet0/0.30     172.16.1.97     YES manual up                    up
FastEthernet0/0.100    unassigned      YES manual up                    up
FastEthernet0/1        unassigned      YES manual administratively down down
Vlan1                  unassigned      YES manual administratively down down
Switch VLAN status (show vlan brief; the trunk port Fa0/1 does not appear because trunks are not listed under a single VLAN):
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   HQ_Network                       active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
20   IT_Network                       active    Fa0/6, Fa0/7, Fa0/8
30   HR_Network                       active    Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24
100  VLAN0100                         active    Fa0/9, Fa0/10, Fa0/11
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Do not leave the VTP domain name null, even when there is only one switch. Set a VTP domain name and password and put the switch in server mode (or in transparent mode if VTP is not needed to distribute VLANs at all), so that a switch added later, in particular a used one that still carries an old VTP database with a higher configuration revision number, cannot overwrite this switch's VLAN database. A switch with a null domain name simply adopts the first domain name it hears in an advertisement; it is the password that causes advertisements from a foreign switch to be rejected. Check the domain name, mode and configuration revision with show vtp status before cabling a new switch in.
DTP was turned off on every interface. A factory-default Catalyst switch ships with DTP active on all ports (dynamic desirable on older platforms, dynamic auto on newer ones), so a host that sends DTP frames can negotiate its port into a trunk and then tag frames into any VLAN carried on that trunk (switch-spoofing VLAN hopping). Cisco's intent is plug-and-play trunking, but as a security default it is a bad feature: set each port explicitly to access or trunk, and add switchport nonegotiate so the port stops sending DTP frames at all (setting access mode alone does not stop them).
Assigned the same native VLAN on every trunk port, matching the native VLAN on the router's fa0/0.100 subinterface, so there is no native VLAN mismatch on any trunk. Example:
int fa0/1
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan <number>
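To verify the DTP and native-VLAN hardening described above across a whole switch, here is an added example (not from the original page) that parses the text of show interfaces switchport and reports ports that still negotiate trunking, still send DTP frames, or trunk with native VLAN 1 or with a native VLAN other than the one expected. The sample output embedded in the script is constructed for illustration; the field names follow the real command, but the port names and values are made up.

```python
"""Audit 'show interfaces switchport' text for DTP and native-VLAN weaknesses.

Added example, not the original page's code. SAMPLE_OUTPUT is constructed to
resemble Catalyst IOS output for three ports: a correctly hardened trunk, an
access port left in its dynamic default, and a trunk still negotiating on
native VLAN 1. Feed real output in through parse_switchport() instead.
"""
import re

SAMPLE_OUTPUT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 100 (VLAN0100)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 10 (HQ_Network)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/9
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""

# "Field Name: value" lines; the first "Name:" line opens a new port block.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_switchport(text):
    """Return {port_name: {field: value}} from show interfaces switchport text."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not "Field: value"
        key, value = m.group(1), m.group(2)
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def vlan_id(value):
    """Extract the numeric VLAN from a value such as '100 (VLAN0100)'."""
    return int(value.split()[0])


def audit(ports, expected_native=None):
    """Return a list of (port, finding) tuples for every weakness found."""
    findings = []
    for name, f in ports.items():
        admin = f.get("Administrative Mode", "")
        if admin.startswith("dynamic"):
            findings.append((name, f"DTP negotiation enabled (administrative mode {admin})"))
        if f.get("Negotiation of Trunking") == "On":
            findings.append((name, "port sends DTP frames; set 'switchport nonegotiate'"))
        if f.get("Operational Mode") == "trunk":
            native = vlan_id(f["Trunking Native Mode VLAN"])
            if native == 1:
                findings.append((name, "trunk uses native VLAN 1"))
            if expected_native is not None and native != expected_native:
                findings.append((name, f"native VLAN {native} differs from expected {expected_native}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_switchport(SAMPLE_OUTPUT), expected_native=100):
        print(f"{port}: {finding}")
```

With the constructed sample, Fa0/1 is clean, Fa0/2 is flagged twice (dynamic mode and DTP frames) and Fa0/9 three times (DTP frames, native VLAN 1, native VLAN mismatch). Run the same audit on the real command output from each switch after the hardening pass; any finding is a port that still needs switchport mode, switchport nonegotiate or switchport trunk native vlan applied.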