Config Lab: ROAS Basics 1
#ROAS can be one of those topics that seemed to be clear when you read about it, but when you see a sample test question, you just sit there and scratch your head wondering exactly what to do. ROAS can require you to connect several small pieces of information to complete a configuration. Today’s lab gives you practice at connecting the ideas.
The Lab Exercise
Requirements
Layer 2 switches forward Ethernet frames using Layer 2 logic, so that frames sent inside one VLAN flow only to devices in that same VLAN. To allow traffic between devices in different VLANs, a Layer 3 routing service must be used, typically in the form of a Layer 3 switch or a router. This lab asks you to configure routing between VLANs with one router, connected to one switch with an 802.1Q trunk, with the router using a Router on a Stick (ROAS) configuration.
Configure both router R1 and switch SW1 (as a Layer 2 switch only) so that R1 will route IP packets between the three subnets shown at the bottom of the figure. The specific rules for this lab are:
- On the router, configure ROAS using only subinterfaces.
- On the router, use a subinterface number to match the VLAN ID for subnet 10.0.2.0/24.
- On the router, for the other subinterfaces, choose the next two numbers as subinterface numbers. For example, if you picked subinterface 101 for the first subinterface, use 102 and 103 for the next two.
- On the router, assign the IP addresses used on the trunk by referring to the figure and then choosing the numerically-lowest IP address in the respective subnets.
- To determine the VLAN IDs to use, refer on the initial configuration of the switch plus the figure.
- Assume all router interfaces shown in the lab are physically working
- Assume all PCs have been configured with an address on the correct IPv4 subnet and are working.
Figure 1: ROAS with three VLAN’s
Initial Configuration
Examples 1 and 2 show the beginning configuration state of R1 and SW1.
hostname R1
!
interface GigabitEthernet0/1
no shutdown
!
interface GigabitEthernet0/2
ip address 10.1.1.1 255.255.255.0
no shutdownExample 1: R1 Config
hostname SW1
!
vlan 20
!
vlan 30
!
interface GigabitEthernet1/0/1
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 30
switchport mode accessExample 2: SW1 Config
Config Lab Intro Video
The above lab intro – the text, figures, and initial configuration – tells you all you need to know. But if you want a little more, with a little different slant on what to do in this lab, watch this lab intro video!
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.
| Device | Lab Port | Â CML Port |
| SW1 | G1/1/1 | G1/0 |
| SW1 | G1/0/1 | G0/1 |
| SW1 | G1/0/2 | G0/2 |
| SW1 | G1/0/3 | G0/3 |
Host device info:
This table lists host information pre-configured in CML, information that might not be required by the lab but may be useful to you.
|
Device |
IP Address |
User/password |
|
PC1 |
10.1.1.100 |
cisco/cisco |
|
PC2 |
10.0.2.100 |
cisco/cisco |
|
PC3 |
10.0.3.100 |
cisco/cisco |
|
PC4 |
10.0.4.100 |
cisco/cisco |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Answers
Figure 1: ROAS with three VLAN’s
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 20
ip address 10.0.3.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 30
ip address 10.0.4.1 255.255.255.0Example 3: R1 Config
interface GigabitEthernet1/1/1
! This next line is needed only in older switches... and in CML/VIRL/PT
switchport trunk encapsulation dot1q
switchport mode trunkExample 4: SW1 Config
Older switches that support both ISL and 802.1Q require the switchport trunk encapsulation dot1q command, which sets the specific type of trunking header. Newer switches support only the 802.1Q standard and will reject that command. So uncomment and use the switchport trunk encapsulation dot1q command as needed.
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Commentary
The configuration of ROAS can often be confusing for those new to routers and VLANs on switches. ROAS configuration allows a router to be used to route between multiple VLANs using a single trunk interface which is connected into the switched network. Using one router interface has an obvious advantage versus having to use a different physical router interface per VLAN. Having to use one physical router interface per VLAN would cause us to quickly run out of physical interfaces on all but the smallest networks.
For this lab, you were tasked with configuring a ROAS configuration on R1, with matching configuration on switch SW1. The lab requirements asked you to use subinterfaces only, and to use a subinterface number equal to the VLAN ID for subnet 10.0.2.0/24 (the subnet on the left). These instructions require several steps of analysis, as follows:
- Per the figure, subnet 10.0.2.0/24 is listed with port G0/1.
- Per the initial configuration of switch SW1, G0/1 is an access port, with no access VLAN defined, so it must be in VLAN 1.
- Per the requirements, the R1 configuration should use subinterface .1 for subnet 10.0.2.0/24
- VLAN 1 is the default VLAN to be used as the native VLAN.
All of these facts combine to result in the first group of three commands in Example 3. Note that because the native VLAN is used with a subinterface, the command encapsulation dot1q 1 native needed to include the native keyword.
The requirements asked that you use the next two subinterface numbers, so Example 3 shows subinterfaces .2 and .3. Note that the subinterface numbers do not have to match the VLAN IDs. To connect to VLAN 20, R1 uses the encapsulation dot1q 20 subcommand under subinterface .2. Similarly, R1 uses the encapsulation dot1q 30 subcommand under the .3 subinterface to connect to VLAN 30.
Finally, note that ROAS would not work without switch configuration as well. Example 4 shows the required configured on SW4’s G1/0 interface, switchport mode trunk, to manually enable 802.1Q trunking on the link connected to R1.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
| # | Summary | Detail |
| 1 | CPT does not support the show vlans command on routers. | The best command to view the results of ROAS config on routers is the show vlans command. As of our most recent testing (V8.2), CPT does not support this command on routers. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.Â
- From each of the PCs, attempt to ping the other PCs.
- To verify the configuration on R1 you could either check the configuration directly with the show running-config command or by displaying the current ROAS configuration on the device by using the show vlans command.
Config Lab Review Video
Want to hear more about this lab’s solution? Check out the video to the left.
For the SW1 config solution the trunk should be on interface GigabitEthernet1/1/1 (currently it says interface GigabitEthernet1/0).
Hi, Wendell,
Good day,
In the above topology diagram,
SW1, GigEth interfaces are marked as, 1/0/1, 1/0/2, and 1/0/3.
But in the above Example2: SW1 Config, these same interfaces, perhaps, marked as, GigEth 0/1, 0/2, and, 0/3 respectively.
This creates a doubt, is this, a print error or not?
Hi Punya (and Emil),
Yep, there were errors, just fixed. The older version of this lab used other interface IDs, and looks like we failed to update the example text for the newer interface ID convention when we updated the .pkt and CML files. Thanks for letting me know. Should be good now.
Wendell
hello Mr Odom
can we use the switchport mode dynamic desirable between a switch and a router???
and please can you give me an example on how to configure the physical interface, (not on the subinterface) in a router to consider this physical interface to be using the native VLAN.
1) Nope. The routers do not support dynamic negotiation of trunking. The switch needs “switchport mode trunk” instead when connected to a router.
2) It’s easy, because it looks just like there’s no trunking. Seriously.
interface gigabitEthernet 0/0
ip address 10.1.1.1 255.255.255.0
That’s it, not mention of VLAN ID, of trunking, etc. The router does not tag frames for the interface. Then subinterfaces configure the other VLANs and the associated interfaces. Check out Chapter 17 of the CCNA 200-301 OCG Volume 1 for details.
Hello,
Thank you for the pkt lab.
Should the interface G0/1 on the router be configured with the command ‘no ip address’ before configuring the sub interfaces
Hi John,
You could if you want to ensure there’s no IP address configured there. The starting point of this lab showed no IP address on the physical interface, so the lab doesn’t need one. As long as you understand the physical interface should not have an IP address configured on it, you’re good.
in example 17-2 of the book there is an option to put the native vlan ip address on the physical interface. so for gi0/1 you could put ip address 10.0.2.1 255.255.255.0 if there was NO requirement for the lab to use ONLY subinterfaces. Am i correct?
Exactly! 100% correct.
Hello grendal,
Thank you for the lab. Mai ask please why the keyword native added in’ encapsulation dot1Q 1 native’ i thought the keyword native is only appended to set the native VLAN to something other than VLAN 1.
However, the native VLAN is 1 in this case?
Thank you
Hi John,
To configure a router to associate the native VLAN with a subinterface, rather than the physical interface, that’s when you use the “native” keyword. VLAN 1 is the default native VLAN. But it’s really just a matter of what Cisco chose when they made up the commands.
Hi I achieved the correct config but used g0/1 w/ 10.0.2.1/24 instead of using the subinterface as shown in the answer and I still achieved connectivity between all devices.
Hey Wendell,
The switchport trunk encapsulation dot1q command is rejected at the interface configuration mode level in CPT. I have seen this throughout my studies with the labs using CPT. Current version I am using is Version 8.2.0.0162. This can indeed be confusing for newer users as they understand the command is essential to support 802.1q trunking. I do see your note about newer switches only supporting 802.1q standard versus older ones that support ISL as well but I don’t see a note in the “known packet tracer issues” tab regarding the rejection of this command. Just FYI and thanks a bunch.
Hey Ermundo,
I understand. I also like giving folks a little nudge to think about this point. If the goal was to make people experts at CPT, I’d probably clean up the lab. Instead, the lab requires a pause to ponder… what happens when the command is rejected? In real life, you might find older models that require the command, and newer that reject it… and show commands will reveal what it’s using. And the exam could well have one question that shows the config, and another that doesn’t. So I’m leaving the lab alone, hoping it generates that kind of exploration.
Greetings
With the show vlans command on R1 doesn’t show the vlans configured and trucking on the results
Hey Alasan,
Thanks for letting me know. I updated the known issues table. It is unsurprising given its relative obscurity, but, unfortunately, CPT doesn’t support the show vlans command on routers.
Hi Wendell,
I did this lab on PT, also adding the allowed VLANs on SW1. Is that also okay? I suppose the difference is that, without adding the VLANs, all VLANs are allowed by default?
Thanks,
Sam
Sam,
It’s absolutely ok, and encouraged. The lab steps give you enough structure, but you should branch out and try things.
Indeed, all VLANs are allowed unless some are removed from the allowed list. But it’s a dangerous command, so be careful in production!
This was straightforward, but I thought it strange that vlan 1 on the switch is shut down and the configuration works. In fact, even when shut down, the sh int trunk command lists vlan 1 as active. Appreciate anyone that can explain this behavior, thanks!
Hi Paloski,
I’m a little unsure if the following is what’s confusing you, but let me offer a few words.
First, the lab requires no layer 3 switching functions at all. Instead, it asks for routing as done on a router with the ROAS feature. The router doesn’t use a VLAN interface (like interface VLAN 1) to achieve that. So, if you’re looking at the switch’s interface VLAN 1, note that it has nothing to do with the function listed in the lab… so the state of the VLAN 1 interface is unimportant to making the lab work.
Second, many people confuse the ideas of “VLAN interface” with “VLAN”. For example, show interface vlan 1 displays the status of the VLAN interface for VLAN 1, while show vlan id 1 displays the VLAN. The VLAN interface is the switch’s layer 3 interface into the VLAN, where the switch can list configuration of layer 3 details like an IP address/mask. If the lab had asked for layer 3 switching, we’d have used VLAN interfaces and they would need to be active. Check out this lab for just that: https://www.certskills.com/clab301/
Hope this helps…
Wendell
Very clear explanation, thanks!
Hello
the question is not about this lab but somewhat related
so im having this default gateway problem
like i created almost the same lab in pkt tracer (same fig but different ips).the lower pcs were able to ping this router.router was able to ping pcs.
pc2 here i kpt in vlan 20
and pc3 and 4 in vlan 10
now wen i ping the pcs in the same vlan ie vlan 10 they worked ,the pc in different vlans ping didnt work(but pings from all pcs to router worked)
Later i saw that with pc2 , pc3 and pc3 hv the default gatewsay setting (in this lab of ROAS)pointing to subinterfaces configured on the router.
so i configured also, and then all pings between vlans worked .
my question is about the default gateway ?
i understand that here we configure because of different vlans
but what if i only hv 1 vlan ?do i still need to configure it?
also y all the pcs were able to ping the router earlier even wen no default gateway was set?
sorry for long question
Hosts (aka endpoints) have this logic:
To send a packet whose destination is in the same subnet as itself, send the packet directly.
To send a packet whose destination is in some other subnet, send the packet to the default router.
When you used a PC to ping the IP address of the router address in the same subnet, the PC’s default router setting wasn’t used. It worked because both the PC and router had working interfaces in the same subnet.
When you pinged from a PC to addresses in other subnets, before configuring the default router correctly, those failed, due to the incorrect default router setting.
If you changed a design to use one subnet and one VLAN, indeed, the default router setting would be unnecessary. It’s unlikely you’d ever find that in a production network, but easy enough to try in lab. And if that’s the case… you don’t need a router, either. 🙂
Hello
I hope you are well.
Is it possible to have static route in between PC2,3 and 4 as well?
I understand PC1 is connected to a separate physical port on router, but my assumption was that since one port has been divided into separate virtual ports and each have their own IP address representing their vlan’s gateway, it should be possible to route in between one virtual port to another virtual port through the same physicals port. Lets say instead of PC2 there was a network device which PC3 and 4 needed to access and PC1 was replaced with WAN and acted as routers default gateway. I did try to create a lab, I used layer 2 switch and was able to ping each default gateway from each vlan, however, when I tried to create static route in-between virtual interfaces, it was not doing it! Although I could understand why since I was trying to route a subnet ID into a default gateway! (specially if that gateway was a part of routers native vlan).
Is it even possible?
Thank you and have a wonderful day!
Hi Ali,
All is well with the Odom’s! Thanks for asking.
Hey, I’m not quite understanding what you’re attempting from the description. So, ignoring any layer 2 switches, focus on the hosts and the routers. The routers need a route to each subnet – they can learn those as connected, static, or with a routing protocol. The hosts need a default router setting that refers to a reachable router in the same subnet as the host. If you then take that topology you’re trying to build, have you met the above rules? EG, if there’s a router with a missing route, you need to add it. Often overlooked are the reverse routes back to the source. EG, if you’re thinking of pinging from PC1 to PC2, you configure static routes for PC2’s subnet, but forget to add routes in the various routers for PC1’s subnet.
Hope this helps…
Thank you very much or you response and I’m glad to hear that you are doing well!
Yes, you are absolutely right! I was not aware that after creating virtual interfaces on router and connecting them to their related vlan’s on the same subnets, router will populate the routing table by itself, so I was trying to statically enter those routs into the routing table; manually!
I used to work in an environment where we only had a Layer 3 distribution switch connected to several Layer 2 switches (access) and to a firewall ( none Cisco product ) and the firewall was doing all the routing and had imbedded switch ports as well, most of the routing entries needed to be manual.
I must add, I am extremely enjoying reading your books, it’s great to learn about fundamentals of how things works and wanted to thank you for all your efforts to make such a grate product.
Have a wonderful day.
Glad the answer helped! And great to hear that the books are working for you.
Hi, Wendell
I originally intend telnet SW1 from any pc to management , now only pc2 do so,
I configured interface vlan 1 a ipaddress 10.0.2.2 on SW1 . Why R1 don’t automatically add the sw1’s interface vlan 1 ip address into its route table ?
Hi ZJG,
For SW1 to communicate with hosts in a different subnet than itself, it’ll also need a default gateway setting. Try adding “ip default-gateway 10.0.2.1” to point to R1’s address in the same subnet.