Why am i able to ping between vlans using router on a stick

clgunz (Level 1)

Hello,

I suppose I don't understand encapsulation and de-encapsulation as well as I thought. I have set up a router on a stick using three VLANs. There are three interfaces. One doesn't have a sub-interface. One has one sub-interface for the native VLAN. The other has three sub-interfaces for my three VLANs and the native VLAN. I thought that I should not be allowed to send any kind of traffic to a VLAN that I wasn't encapsulating for, such as dot1q 10, dot1q 20, dot1q 30 and dot1q 1 native.

I figured that the VLAN tag is to be utilized once the router has done its work and the frame is back on a Layer 2 device, but I am able to ping from any host to any host in all VLANs.

8 Replies

M02@rt37 (VIP)

Hello @clgunz

It's possible that you have not properly configured the switch ports that connect to the router.

Each switch port that connects to the router should be configured as a trunk port, with the appropriate VLANs allowed to pass through the trunk. This ensures that frames with VLAN tags are allowed to pass through the switch to the router, and frames without VLAN tags are forwarded to the native VLAN.

If the switch ports are not configured correctly, frames may be forwarded to the wrong VLAN, resulting in unexpected connectivity between hosts in different VLANs.

It's also worth noting that ping tests may not always accurately reflect whether VLANs are properly segmented. Ping tests only verify connectivity at the network layer (Layer 3) and do not account for VLAN tags at the data link layer (Layer 2).

Please attach your configuration to go further.

Best regards

If a port is attached to a host, then the command switchport mode access, and then the command switchport access vlan x, was used. The hosts that share a VLAN have their own address space and default gateway. The trunk is configured using the switchport mode trunk command. The router interfaces all use the encapsulation dot1q x command for their respective VLANs, except where encapsulation dot1q 1 native is used on one of the sub-interfaces.

I have to learn how to upload the sample file.

Are you running the SW as L2 or L3?

The SW is a Layer 2 device. I haven't used the allowed vlans command, as I don't think it's necessary. I wouldn't have expected this kind of behavior. Each VLAN (there are 4, with one being the native VLAN) has a pair of PCs and is on a separate address space. I have the sub-interfaces encapsulated so the subnet correlates to the PC pair (e.g. 192.168.0.1 for PCs 192.168.0.2 or 3 and VLAN 10). The trunk to the router is a default trunk. Certainly I expect that the PCs belong to their respective VLAN, and since all but two are on the same switch, the router doesn't come into play for routing packets for the majority. When I had the network assembled without the router, everything seemed to behave as expected (I am going to repeat the experiment to verify).

Was I right to assume that I should not be able to ping PCs on another subnet if they aren't in the same VLAN, using the default trunk?

Can you draw the topology?

I am working on that right now. My mistake, there isn't a native VLAN (that was my other project).
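An added illustration, not part of the thread, of what the router does with the dot1q sub-interfaces described above: it strips the 802.1Q tag, routes on the destination IP, and re-tags the frame for the egress VLAN, so two VLANs that are separate at Layer 2 become reachable at Layer 3 as soon as the gateway exists. Only 192.168.0.0/24 for VLAN 10 is given in the thread; the subnets for VLAN 20 and 30 are assumptions.

```python
import ipaddress
import struct

# Constructed lab values modelled on the thread: one /24 per VLAN, router sub-interface
# .1 as gateway. Only 192.168.0.0/24 (VLAN 10) is in the thread; the others are assumed.
SUBINTERFACES = {                     # dot1q tag -> connected subnet
    10: ipaddress.ip_network("192.168.0.0/24"),
    20: ipaddress.ip_network("192.168.1.0/24"),
    30: ipaddress.ip_network("192.168.2.0/24"),
}
TPID_8021Q = 0x8100                   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
MACS = bytes(12)                      # placeholder dst+src MACs; not used for forwarding here

def ipv4_packet(src, dst):
    """Minimal 20-byte IPv4 header (protocol 1 = ICMP, no options, no payload);
    only the addresses matter for the routing decision modelled here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def tag_frame(vlan_id, payload, ethertype=ETHERTYPE_IPV4):
    """Encapsulate: insert the 802.1Q tag (TPID + TCI) between the MACs and the EtherType."""
    tci = vlan_id & 0x0FFF            # PCP and DEI left at 0
    return MACS + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def untag_frame(frame):
    """De-encapsulate: return (vlan_id, payload) of a tagged frame."""
    tpid, tci, _ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame: on a trunk it belongs to the native VLAN")
    return tci & 0x0FFF, frame[18:]

def route_on_a_stick(frame):
    """The router: strip the tag, pick the egress sub-interface from the destination IP,
    re-tag for that VLAN. Returns (egress_vlan, frame) or (None, None) if no route."""
    _vlan_in, packet = untag_frame(frame)
    dst_ip = ipaddress.ip_address(packet[16:20])   # IPv4 destination, header bytes 16..19
    for vlan_out, subnet in SUBINTERFACES.items():
        if dst_ip in subnet:
            return vlan_out, tag_frame(vlan_out, packet)
    return None, None

def ping_across_vlans(src_ip, dst_ip, src_vlan, router_present=True):
    """VLAN the frame is delivered to, or None if unreachable. Without the router the
    switch forwards only within src_vlan, which is the separation the OP expected."""
    frame = tag_frame(src_vlan, ipv4_packet(src_ip, dst_ip))
    if not router_present:
        return src_vlan if ipaddress.ip_address(dst_ip) in SUBINTERFACES[src_vlan] else None
    return route_on_a_stick(frame)[0]
```

Run with and without `router_present` to see that the switch alone keeps the VLANs apart and that only the router joins them; restricting that reachability is a Layer 3 policy decision on the sub-interfaces, not something the trunk provides.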

clgunz (Level 1)

I will upload the file as soon as I clean up the default tags so it is easier to follow.

clgunz (Level 1)

I would appreciate any tips on how to format the screenshots so they are easier to read. Thank you.
