How to configure Router on a Stick

Hi
So I have connected a router to an L2 using router on a stick. They can see each other in CDP but they cannot ping.

Here is the Router Config
Building configuration…

Current configuration : 1182 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DUBCIPSLA
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
no network-clock-participate slot 1 
no network-clock-participate slot 2 
no network-clock-participate slot 3 
no network-clock-participate slot 4 
!
dot11 syslog
ip source-route

!

no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated

!
voice-card 0
!
voice-card 1
!
voice-card 2
!
voice-card 3
!
voice-card 4
!

archive
 log config
  hidekeys
!         
!

interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.14
 encapsulation dot1Q 14
 ip address 25.14.2.190 255.255.255.0
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!

control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
line con 0
line aux 0
line vty 0 4
 login

Here is the Switch config

interface GigabitEthernet1/0/36
 description link to ROUTER-FOR-IPSLA
 switchport trunk allowed vlan 14
 switchport mode trunk
!

Hello Michael

Your configuration of the subinterfaces and of the trunk looks correct. Just verify that you have issued the “no shutdown” command on the physical router interface.

The first question that comes to mind is “where are you pinging from?” Remember that both the source and destination of a ping must have an IP address, and network connectivity must exist between the two. If you are pinging from the switch, then the problem is that there is no IP address configured on the switch. In order for connectivity to take place, you will have to create an SVI on the switch for VLAN 14 with an IP address in the same subnet as that of the subinterface of the router. For example, you must configure the following on the switch:

SW(config)# interface VLAN 14
SW(config-if)# ip address 25.14.2.191 255.255.255.0

Alternatively, you can create an access port on VLAN 14 and connect a PC with an IP address in the same subnet as that of the router’s subinterface, and ping from the PC to the router’s subinterface. This is the way the topology is configured in the Router on a Stick lesson below:

I suggest you go through the lesson in order to successfully configure the topology.

I hope this has been helpful!

Laz

1 Like
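The checklist in the answer above (physical interface not shut down, an SVI on the switch for the VLAN, both addresses in the same subnet) can be verified mechanically from the two configs. The following Python is an added example, not part of the thread or the lesson: it parses condensed copies of the router and switch configs posted in the question (the SVI used in the checks is constructed) and reports why a ping between router and switch would fail.

```python
import ipaddress
import re
# Constructed sample, condensed from the router and switch configs posted above.
ROUTER_CFG = """interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.14
 encapsulation dot1Q 14
 ip address 25.14.2.190 255.255.255.0"""
SWITCH_CFG = """interface GigabitEthernet1/0/36
 switchport trunk allowed vlan 14
 switchport mode trunk"""

def parse_interfaces(cfg):
    """Map each IOS 'interface' stanza name to its indented, stripped lines."""
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            blocks[cur] = []
        elif line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        else:
            cur = None  # '!' or a global command ends the stanza
    return blocks

def ip_of(lines):
    # Return the ip_interface configured in a stanza, or None if it has no address.
    for l in lines:
        m = re.match(r"ip address (\S+) (\S+)$", l)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None

def check_router_on_a_stick(router_cfg, switch_cfg):
    """Return findings explaining why a ping between router and switch could fail."""
    r_ifs, s_ifs, findings = parse_interfaces(router_cfg), parse_interfaces(switch_cfg), []
    svis = {int(m.group(1)): ip_of(lines) for name, lines in s_ifs.items()
            if (m := re.fullmatch(r"[Vv]lan ?(\d+)", name))}
    for name, lines in r_ifs.items():
        m = re.search(r"encapsulation dot1[Qq] (\d+)", " ".join(lines))
        if not m:
            continue  # not a VLAN subinterface
        vlan, parent = int(m.group(1)), name.split(".")[0]
        if "shutdown" in r_ifs.get(parent, []):
            findings.append(f"{parent} is shut down, so subinterface {name} carries no traffic")
        sub_ip, svi_ip = ip_of(lines), svis.get(vlan)
        if svi_ip is None:
            findings.append(f"no SVI with an IP address for VLAN {vlan}: a ping sourced from the switch has no source address")
        elif sub_ip and svi_ip.network != sub_ip.network:
            findings.append(f"SVI for VLAN {vlan} ({svi_ip}) is outside the subinterface subnet {sub_ip.network}")
    return findings
```

Running `check_router_on_a_stick(ROUTER_CFG, SWITCH_CFG)` on the posted configs reports only the missing SVI; adding `interface Vlan14` with an address in 25.14.2.0/24 to the switch config clears it.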

Hello again Michael

Here is the response you sent to me privately; I’m sharing it for the benefit of others on the forum as well:

Even so, you are capable of creating an SVI and assigning an IP address to it. L2 switches can be assigned IP addresses on their SVIs. What they can’t do is route between subnets/VLANs. So my initial explanation still stands.

In any case, I suggest you follow the lesson step by step which shows you all the details of configuring router on a stick.

I hope this has been helpful!

Laz

1 Like

Hello,

In a router on a stick config, why do we use the config below?

interface GigabitEthernet0/1.1
 description ### LAN Interface ###
 encapsulation dot1Q 1 native

Hello Bikram

The set of commands you indicate here would do the following:

  1. A subinterface G0/1.1 would be created on the G0/1 physical interface
  2. The subinterface uses dot1q encapsulation with a VLAN ID of 1
  3. The native keyword indicates that this VLAN will be the native VLAN

For more information about what a native VLAN is, take a look at this lesson.

I hope this has been helpful!

Laz

1 Like

Hi Laz,

I have a doubt about how it works.

Core Router#sh run int gi0/1.1
Building configuration...

Current configuration : 380 bytes
!
interface GigabitEthernet0/1.1
 description ### LAN Interface ###
 encapsulation dot1Q 1 native
 ip address 10.5.2.251 255.255.255.0
 ip flow ingress
 standby 0 ip 10.5.2.250
 standby 0 priority 120
 standby 0 preempt delay minimum 5
 standby 0 track 14 decrement 50
 service-policy input xxxxxxxxxxxxxxxxxxxxx
end


Core Router#sh ip arp 10.5.2.30
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.5.2.30               0   5cf3.fc57.f7b2  ARPA   GigabitEthernet0/1.1

10.5.2.30 is connected to port gi1/0/45 of the Access switch.

Access Switch# sh run int gi1/0/45
Building configuration...

Current configuration : 245 bytes
!
interface GigabitEthernet1/0/45
 switchport voice vlan 350
 no logging event link-status
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 no snmp trap link-status
 mls qos trust cos
 auto qos trust
 spanning-tree portfast edge
end

Hello Bikram

It seems that you have more configuration parameters in your particular configuration. You are using HSRP on the subinterface of the Core Router, which means you must have at least one other Core Router that is providing a backup default gateway for the devices on this particular subnet. But that will work just fine, as long as the other core router is configured correctly.

Concerning your question about the ARP entry for that particular IP address, there doesn’t seem to be anything wrong with it. Can you clarify what your question is concerning this output?

Let us know and we’ll get back to you!

Laz

Hi Rene,

Do we think it will be possible to configure the Cisco Router for “router on a stick” with a Firewall connected to the Internet? Instead of connecting both the WAN and LAN interfaces of the router, we’d just need to connect one interface in our DMZ. The router is still accessible via a public IP address. I have a feeling this will be a popular request…


Q1) If I design it like this, what are the pros and cons of this kind of design?
Q2) How can I configure both devices to work with router on a stick?

Thanks in Advance
Manami

Hello Manami

Yes, it is possible to configure such a setup for your firewall and router. However, I’m not sure how useful it would be. Router on a stick is necessary when you have a device (such as an L2 switch) that cannot perform routing. Traffic is sent to the router for routing between subnets and sent back over the same physical cable, but on a different subinterface/VLAN.

In the above case, the firewall is a device that can perform routing, so the router on a stick in this scenario would be unnecessary. Typically, you would have a switch connected to the DMZ port of the firewall to allow multiple servers in the DMZ to gain protected network access.

The more common “router on a stick” topology that you will see when using a firewall is actually “firewall on a stick”. This is where you may have an L3 switch at the core of your network, and you want to protect its connection to the outside world. You can do this with a firewall on a stick configuration, where you create two subinterfaces on the firewall, one outside and one inside. You could even create three subinterfaces and include the DMZ if you like.

Although this can be a very quick and easy way to add a firewall to your network, it is by no means best practice. It should only be used as a temporary solution until a more permanent and correct design can be achieved.

I hope this has been helpful!

Laz

Thanks Laz for your reply.

  1. Do we need to configure the Router interface connected to the Firewall in “Trunk Mode”?

Would you mind if I request you to show me some configuration for both the Router and the Firewall connected to the Internet?

Thanks in Advance
Manami

Hello Manami

Router on a stick and firewall on a stick are both configured in the same manner. You must create subinterfaces that will each correspond to a specific VLAN. You do not configure this using “trunk mode” for the interface, as this is a configuration available only on Layer 2 ports of switches. In order to configure router (or firewall) on a stick, you simply use the same commands as those found within this lesson.

You can find configurations and examples of both routers and firewalls connecting to the Internet throughout the lessons on this site. You can take a look at the following section for everything that has to do with firewalls:

For more specific scenarios, please let me know what you would like to see, and I can direct you to the best lesson to look at…

I hope this has been helpful!

Laz

2 Likes

What if I add another host on each VLAN? Do I need to add any subinterface on the router for that device? Do I need to add the same or a different default gateway for the added devices in each VLAN?
Please let me know.
Thank you

Hello Jalendra

Once you have the router on a stick topology set up, you can then add as many hosts to each VLAN as you like without needing any changes in the configuration of the switch or the router. The only thing you must do is:

  1. Make sure that the host is connected to an access port on SW1 that is configured with the correct VLAN
  2. Make sure that the host is configured with an IP address in the range of the subnet corresponding to that VLAN
  3. Make sure to configure the host with the correct gateway address, which is the subinterface of the router that corresponds to that VLAN.

I hope this has been helpful!

Laz

1 Like

Hi Rene!
In the router on a stick lesson, you have only 1 device in each VLAN. How do I configure it if I add a few more devices on each VLAN?
Do I have to use the same default gateway for all devices in each VLAN?
Do I have to use the same subinterface and the same VLAN ID for the added devices?
Please let me know.
Thank you

Hello Jalendra.

Take a look at this response here:

When adding a host to such a topology, there is no need to modify any of the subinterface configurations on the router, or the trunk configurations on the switch. Simply add the host with the appropriate IP address, gateway, and on a port that is on the correct VLAN.

I hope this has been helpful!

Laz

2 Likes

Hi, is the traffic possible with this scenario?

Router on a stick + L2 Switch + PA Firewall on a stick, so that the router could communicate with the firewall subinterface?

Hello Venus

If I understand correctly, you want to create two trunks on the switch, one trunk that connects to the router, and another that connects to the firewall. If you configure the router and the firewall correctly, and you put the subinterfaces of each device on the same VLANs and subnets, then the subinterfaces of the firewall and the router that are on the same VLAN will be able to communicate directly.

I hope this has been helpful!

Laz

Rene,
I have successfully configured router on a stick with Internet. The router can ping 8.8.8.8 (Google) but my switch VLANs can’t. My VLANs are able to communicate with each other, and the systems (Windows Server and Windows 10 machines, along with Linux and an IP phone) work fine. What am I doing wrong?
Thanks,
Pete

Hello Pete

Hmm, that sounds strange. If the router is able to route between VLANs, it should also be able to route to the Internet. Can you give us some more information about your topology? What kind of router are you using, and what is the config on the switch as well? If you could share those configs, we’ll be able to help you to further troubleshoot the problem.

I hope this has been helpful!

Laz