Inter-VLAN Routing — Router-on-a-Stick

VLANs are separate broadcast domains — a device in VLAN 10 cannot communicate with a device in VLAN 20 without passing through a Layer 3 device. Router-on-a-Stick is the classic solution: a single physical cable connects a router to a switch as a trunk link, and the router uses subinterfaces — one per VLAN — to route traffic between them. All inter-VLAN routing flows over that single trunk link, which is why it is called "router-on-a-stick."

Before starting, complete VLAN Creation and Management, Assigning VLANs to Switch Ports, and Trunk Port Configuration. This lab builds directly on all three.

1. How Router-on-a-Stick Works

A standard router interface can only be in one subnet. To route between multiple VLANs over a single physical link, IOS supports subinterfaces — logical subdivisions of a physical interface, each configured with its own IP address and 802.1Q VLAN encapsulation.

Component	Role
Physical interface (e.g., `Gi0/0`)	Must be enabled (`no shutdown`) but has no IP address itself
Subinterface (e.g., `Gi0/0.10`)	One per VLAN — has an IP address and 802.1Q encapsulation set to that VLAN's ID
Trunk link (switch side)	Switch port facing the router must be configured as a trunk port
Default gateway (PC side)	Each PC's default gateway is set to the IP address of its VLAN's subinterface

Traffic Flow — VLAN 10 to VLAN 20

When PC1 (VLAN 10) sends a packet to PC2 (VLAN 20), here is what happens step by step:

Step	What Happens
1	PC1 sends the packet to its default gateway: `192.168.10.1` (the router's Gi0/0.10 subinterface)
2	The switch receives the frame on PC1's access port (VLAN 10), tags it with VLAN 10, and forwards it up the trunk to the router
3	The router receives the tagged frame on Gi0/0, reads the VLAN 10 tag, and processes it on subinterface Gi0/0.10
4	The router makes a routing decision — the destination (192.168.20.x) is reachable via Gi0/0.20
5	The router forwards the packet out Gi0/0.20, tagging it with VLAN 20
6	The switch receives the VLAN 20 tagged frame, strips the tag, and delivers it to PC2's access port

Router-on-a-Stick vs Layer 3 Switch

Feature	Router-on-a-Stick	Layer 3 Switch (SVI)
Hardware needed	Router + switch (two devices)	One multilayer switch
Bottleneck	All inter-VLAN traffic flows through one physical link	Routing done internally at wire speed
Cost	Lower — reuses existing router	Higher — multilayer switch required
Best for	Small networks, labs, CCNA exam scenarios	Enterprise networks with high inter-VLAN traffic
CCNA exam coverage	✅ Core topic	✅ Core topic — see Layer 3 Switch Lab

For a conceptual overview of inter-VLAN routing methods, see Inter-VLAN Routing.

2. Lab Topology & IP Addressing

                    ┌─────────────────┐
                    │   NetsTuts_R1   │
                    │                 │
                    │  Gi0/0.10 ──── 192.168.10.1/24  (VLAN 10 gateway)
                    │  Gi0/0.20 ──── 192.168.20.1/24  (VLAN 20 gateway)
                    │  Gi0/0.30 ──── 192.168.30.1/24  (VLAN 30 gateway)
                    │  Gi0/0 (trunk) │
                    └────────┬────────┘
                             │ 802.1Q Trunk
                             │ (Gi0/0 ←→ Gi0/1)
                    ┌────────┴────────┐
                    │  NetsTuts_SW1   │
                    ├─────────────────┤
                    │ Fa0/1 → VLAN 10 │──── PC1  (192.168.10.10/24  GW: 192.168.10.1)
                    │ Fa0/2 → VLAN 20 │──── PC2  (192.168.20.10/24  GW: 192.168.20.1)
                    │ Fa0/3 → VLAN 30 │──── PC3  (192.168.30.10/24  GW: 192.168.30.1)
                    └─────────────────┘

Device	Interface	IP Address	VLAN	Role
NetsTuts_R1	Gi0/0.10	192.168.10.1 /24	10	Default gateway for VLAN 10
NetsTuts_R1	Gi0/0.20	192.168.20.1 /24	20	Default gateway for VLAN 20
NetsTuts_R1	Gi0/0.30	192.168.30.1 /24	30	Default gateway for VLAN 30
NetsTuts_SW1	Gi0/1	N/A (trunk)	All	Trunk link to router
PC1	NIC	192.168.10.10 /24	10	End device — VLAN 10
PC2	NIC	192.168.20.10 /24	20	End device — VLAN 20
PC3	NIC	192.168.30.10 /24	30	End device — VLAN 30

3. Step 1 — Configure the Switch

The switch needs three things: VLANs created, access ports assigned, and the uplink to the router configured as a trunk. This builds directly on previous labs — commands are shown in full for completeness.

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Create VLANs ──────────────────────────────────────────
NetsTuts_SW1(config)#vlan 10
NetsTuts_SW1(config-vlan)#name SALES
NetsTuts_SW1(config-vlan)#vlan 20
NetsTuts_SW1(config-vlan)#name HR
NetsTuts_SW1(config-vlan)#vlan 30
NetsTuts_SW1(config-vlan)#name IT
NetsTuts_SW1(config-vlan)#vlan 999
NetsTuts_SW1(config-vlan)#name NATIVE-UNUSED
NetsTuts_SW1(config-vlan)#exit

! ── Assign access ports ───────────────────────────────────
NetsTuts_SW1(config)#interface FastEthernet0/1
NetsTuts_SW1(config-if)#description PC1-VLAN10
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 10
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#interface FastEthernet0/2
NetsTuts_SW1(config-if)#description PC2-VLAN20
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 20
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#interface FastEthernet0/3
NetsTuts_SW1(config-if)#description PC3-VLAN30
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 30
NetsTuts_SW1(config-if)#exit

! ── Configure trunk uplink to router ─────────────────────
NetsTuts_SW1(config)#interface GigabitEthernet0/1
NetsTuts_SW1(config-if)#description Trunk-to-NetsTuts_R1
NetsTuts_SW1(config-if)#switchport trunk encapsulation dot1q
NetsTuts_SW1(config-if)#switchport mode trunk
NetsTuts_SW1(config-if)#switchport nonegotiate
NetsTuts_SW1(config-if)#switchport trunk allowed vlan 10,20,30
NetsTuts_SW1(config-if)#switchport trunk native vlan 999
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

Switch fully configured — VLANs created, access ports assigned, trunk uplink to the router set with native VLAN 999 and only required VLANs allowed.

4. Step 2 — Enable the Physical Interface on the Router

The physical interface (Gi0/0) must be enabled with no shutdown but must not have an IP address assigned to it. All IP addressing goes on the subinterfaces. Assigning an IP to the physical interface is a common mistake that causes routing confusion.

NetsTuts_R1>en
NetsTuts_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#description Trunk-to-NetsTuts_SW1
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

Physical interface enabled — no IP address. The subinterfaces will carry all IP addressing for each VLAN.

5. Step 3 — Configure Subinterfaces

Create one subinterface per VLAN. Each subinterface needs two commands: encapsulation dot1q [vlan-id] to associate it with a specific VLAN, and ip address to assign the default gateway IP for that VLAN.

Subinterface Naming Convention

The subinterface number (e.g., .10 in Gi0/0.10) does not have to match the VLAN ID — but matching them is a universal best practice that makes the configuration self-documenting and easier to troubleshoot.

Configuring Subinterfaces for VLANs 10, 20, and 30

! ── Subinterface for VLAN 10 (SALES) ─────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0.10
NetsTuts_R1(config-subif)#description Gateway-VLAN10-SALES
NetsTuts_R1(config-subif)#encapsulation dot1q 10
NetsTuts_R1(config-subif)#ip address 192.168.10.1 255.255.255.0
NetsTuts_R1(config-subif)#exit

! ── Subinterface for VLAN 20 (HR) ────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0.20
NetsTuts_R1(config-subif)#description Gateway-VLAN20-HR
NetsTuts_R1(config-subif)#encapsulation dot1q 20
NetsTuts_R1(config-subif)#ip address 192.168.20.1 255.255.255.0
NetsTuts_R1(config-subif)#exit

! ── Subinterface for VLAN 30 (IT) ────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0.30
NetsTuts_R1(config-subif)#description Gateway-VLAN30-IT
NetsTuts_R1(config-subif)#encapsulation dot1q 30
NetsTuts_R1(config-subif)#ip address 192.168.30.1 255.255.255.0
NetsTuts_R1(config-subif)#exit

NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#

Three subinterfaces configured — each serving as the default gateway for its VLAN. The prompt changes to (config-subif)# when inside a subinterface.

Subinterface Command Breakdown

Command	What It Does	Why It Matters
`interface GigabitEthernet0/0.10`	Creates subinterface .10 on the physical Gi0/0 interface	The .10 suffix is the subinterface number — match it to the VLAN ID for clarity
`description Gateway-VLAN10-SALES`	Labels the subinterface for documentation	Essential in production — makes the purpose of each subinterface immediately clear
`encapsulation dot1q 10`	Associates this subinterface with VLAN 10 — the router will process frames tagged with VLAN 10 on this subinterface	This is the binding between the subinterface and the VLAN — without it, the router ignores tagged frames for this VLAN
`ip address 192.168.10.1 255.255.255.0`	Assigns the default gateway IP for the VLAN 10 subnet	All PCs in VLAN 10 must set this as their default gateway

Native VLAN on the router: If your trunk uses a non-default native VLAN (e.g., 999), add encapsulation dot1q 999 native on the corresponding subinterface. The native keyword tells the router that frames on this subinterface arrive untagged:

NetsTuts_R1(config)#interface GigabitEthernet0/0.999
NetsTuts_R1(config-subif)#encapsulation dot1q 999 native
NetsTuts_R1(config-subif)#exit

6. Complete Router Configuration

! ══════════════════════════════════════════════════════════
! NetsTuts Router-on-a-Stick Baseline — NetsTuts_R1
! ══════════════════════════════════════════════════════════

NetsTuts_R1>en
NetsTuts_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Enable physical interface (no IP address) ─────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0
NetsTuts_R1(config-if)#description Trunk-to-NetsTuts_SW1
NetsTuts_R1(config-if)#no shutdown
NetsTuts_R1(config-if)#exit

! ── VLAN 10 subinterface ──────────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0.10
NetsTuts_R1(config-subif)#description Gateway-VLAN10-SALES
NetsTuts_R1(config-subif)#encapsulation dot1q 10
NetsTuts_R1(config-subif)#ip address 192.168.10.1 255.255.255.0
NetsTuts_R1(config-subif)#exit

! ── VLAN 20 subinterface ──────────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0.20
NetsTuts_R1(config-subif)#description Gateway-VLAN20-HR
NetsTuts_R1(config-subif)#encapsulation dot1q 20
NetsTuts_R1(config-subif)#ip address 192.168.20.1 255.255.255.0
NetsTuts_R1(config-subif)#exit

! ── VLAN 30 subinterface ──────────────────────────────────
NetsTuts_R1(config)#interface GigabitEthernet0/0.30
NetsTuts_R1(config-subif)#description Gateway-VLAN30-IT
NetsTuts_R1(config-subif)#encapsulation dot1q 30
NetsTuts_R1(config-subif)#ip address 192.168.30.1 255.255.255.0
NetsTuts_R1(config-subif)#exit

NetsTuts_R1(config)#end
NetsTuts_R1#wr
Building configuration...
[OK]
NetsTuts_R1#

7. Verification

show ip interface brief

Confirms all subinterfaces are up and have the correct IP addresses:

NetsTuts_R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/0.10  192.168.10.1    YES manual up                    up
GigabitEthernet0/0.20  192.168.20.1    YES manual up                    up
GigabitEthernet0/0.30  192.168.30.1    YES manual up                    up

The physical interface shows "unassigned" — correct, it has no IP. All three subinterfaces show "up/up" with their gateway IPs confirmed. If a subinterface shows "down/down", the physical interface is likely down or the trunk is not operational.

show ip route

Confirms the router has automatically learned connected routes for all three VLAN subnets — no static routes needed:

NetsTuts_R1#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/0.10
L        192.168.10.1/32 is directly connected, GigabitEthernet0/0.10
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet0/0.20
L        192.168.20.1/32 is directly connected, GigabitEthernet0/0.20
      192.168.30.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.30.0/24 is directly connected, GigabitEthernet0/0.30
L        192.168.30.1/32 is directly connected, GigabitEthernet0/0.30

Three C (connected) routes — one per VLAN subnet. The router knows how to reach all three networks and can route between them.

show running-config | section interface

NetsTuts_R1#show running-config | section interface
interface GigabitEthernet0/0
 description Trunk-to-NetsTuts_SW1
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 description Gateway-VLAN10-SALES
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description Gateway-VLAN20-HR
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 description Gateway-VLAN30-IT
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!

Test Inter-VLAN Connectivity with ping

From the router, ping each PC to confirm end-to-end reachability across VLANs:

NetsTuts_R1#ping 192.168.10.10
!!!!!
Success rate is 100 percent (5/5)

NetsTuts_R1#ping 192.168.20.10
!!!!!
Success rate is 100 percent (5/5)

NetsTuts_R1#ping 192.168.30.10
!!!!!
Success rate is 100 percent (5/5)

All three VLANs reachable from the router. To confirm full inter-VLAN routing, also ping from PC1 to PC2's IP (192.168.20.10) — this crosses VLANs via the router.

Extended ping from PC1 to PC2 (Cross-VLAN)

PC1> ping 192.168.20.10
84 bytes from 192.168.20.10 icmp_seq=1 ttl=127 time=2.345 ms
84 bytes from 192.168.20.10 icmp_seq=2 ttl=127 time=1.891 ms
84 bytes from 192.168.20.10 icmp_seq=3 ttl=127 time=2.102 ms

TTL of 127 (one less than 128) confirms the packet passed through one router hop — exactly as expected for inter-VLAN routing. TTL of 128 would mean same-subnet (no routing); TTL of 127 means one router was crossed.

Verification Command Summary

Command	What It Confirms
`show ip interface brief`	All subinterfaces are up/up with correct IPs — physical interface shows unassigned
`show ip route`	Connected routes exist for all VLAN subnets
`show interfaces GigabitEthernet0/0.10`	Subinterface details including encapsulation VLAN ID
`show running-config \| section interface`	Full subinterface configuration with encapsulation and IP
`show vlan brief` (on switch)	Confirms VLANs exist and access ports are assigned correctly
`show interfaces trunk` (on switch)	Confirms trunk is operational and all required VLANs are allowed and active
`ping` cross-VLAN	End-to-end test — TTL of 127 confirms one router hop (inter-VLAN routing working)

8. Troubleshooting Router-on-a-Stick

Problem	Symptom	Cause	Fix
Subinterface down/down	`show ip interface brief` shows subinterface down	Physical interface not enabled — `no shutdown` missing on `Gi0/0`	Enter `interface GigabitEthernet0/0` and run `no shutdown`
No inter-VLAN routing	Ping fails between VLANs — router unreachable	PC default gateway not set, or set to wrong IP	Verify PC default gateway matches the subinterface IP for that VLAN
One VLAN works, others don't	PC1 can ping router but PC2 cannot	Missing or wrong `encapsulation dot1q [vlan-id]` on a subinterface	Check `show running-config \| section interface` — verify each subinterface has the correct VLAN ID in `encapsulation dot1q`
Trunk not carrying VLAN traffic	Cross-VLAN pings fail — router pings succeed locally	VLAN not in trunk allowed list on switch, or VLAN not created on switch	Check `show interfaces trunk` on the switch — verify the VLAN is in "allowed and active"
IP address on physical interface	Routing works for one subnet but fails for others	IP address accidentally assigned to `Gi0/0` instead of subinterfaces	Remove it: `no ip address` on the physical interface. IPs belong on subinterfaces only.
Wrong VLAN encapsulation	Traffic goes to wrong VLAN	Subinterface VLAN ID does not match the switch access port VLAN	Verify `encapsulation dot1q [id]` on each subinterface matches the corresponding VLAN on the switch. Cross-check with `show vlan brief` on the switch.

Key Points & Exam Tips

Router-on-a-Stick uses a single physical trunk link and subinterfaces (one per VLAN) to route between VLANs — no additional physical interfaces needed.
The physical interface must have no shutdown but no IP address. All IPs go on the subinterfaces.
Each subinterface requires encapsulation dot1q [vlan-id] before an IP address — without it, the router will not process tagged frames for that VLAN. See 802.1Q VLAN Tagging for the tagging standard.
The subinterface number does not have to match the VLAN ID — but always match them (e.g., Gi0/0.10 for VLAN 10) for clarity and consistency.
The switch port connecting to the router must be a trunk port — not an access port. Verify with show interfaces trunk on the switch.
Each PC's default gateway must be set to the IP address of its VLAN's subinterface — this is the most common misconfiguration in lab environments.
A cross-VLAN ping with TTL 127 (for Windows hosts, TTL 128 − 1) confirms inter-VLAN routing is working — the packet passed through one router hop.
The limitation of router-on-a-stick is the single physical link bottleneck — all inter-VLAN traffic must flow through one cable. For high-traffic environments, use a Layer 3 switch instead.
For a native VLAN subinterface, add the native keyword: encapsulation dot1q 999 native — this tells the router that frames on this subinterface arrive untagged. See 802.1Q VLAN Tagging for native VLAN details.
Subinterfaces are logical — they share the physical interface's bandwidth. All subinterface states depend on the physical interface state: if Gi0/0 goes down, all subinterfaces go down with it.

Next Steps: For a more scalable inter-VLAN routing solution, see Inter-VLAN Routing — Layer 3 Switch (SVI) which eliminates the single-link bottleneck. For adding routing between sites, see Static Route Configuration or OSPF Single-Area Configuration.

TEST WHAT YOU LEARNED

1. An engineer configures router-on-a-stick but forgets to run `no shutdown` on the physical interface `GigabitEthernet0/0`. What will `show ip interface brief` show for the subinterfaces?

A. The subinterfaces will show "up/up" — they operate independently of the physical interface B. Only the subinterface with the native VLAN will be up C. All subinterfaces will show "down/down" — subinterfaces inherit the state of the physical interface D. The subinterfaces will show "up/down" — administratively up but no signal

Correct answer is C. Subinterfaces are logical subdivisions of a physical interface — they fully depend on the physical interface being operational. If the physical interface is administratively down (no no shutdown), all subinterfaces on it will also show down/down regardless of their individual configuration.

2. A subinterface `GigabitEthernet0/0.20` is configured with `encapsulation dot1q 30` but the switch has VLAN 20 on the access ports for PC2. What will happen to PC2's traffic?

A. PC2 can communicate normally — IOS maps VLAN numbers automatically B. PC2's traffic tagged VLAN 20 will not be processed by Gi0/0.20 — the subinterface only handles VLAN 30 tags, so inter-VLAN routing for VLAN 20 fails C. The router will accept the traffic but forward it to the wrong subnet D. IOS generates an error and refuses to route the traffic

Correct answer is B. The encapsulation dot1q value is the binding between the subinterface and a specific VLAN tag. If the subinterface says dot1q 30 but PC2's traffic arrives tagged as VLAN 20, the router has no matching subinterface for VLAN 20 and the traffic is dropped. Always ensure the subinterface VLAN ID matches the switch VLAN assignment.

3. PC1 (192.168.10.10/24, VLAN 10) can ping the router subinterface 192.168.10.1 but cannot ping PC2 (192.168.20.10/24, VLAN 20). What is the most likely cause?

A. The trunk link is not operational B. VLAN 20 does not exist on the switch C. The router's Gi0/0 physical interface has an IP address assigned D. PC2's default gateway is not set to 192.168.20.1, or PC2's IP configuration is incorrect

Correct answer is D. Since PC1 can reach the router (confirming VLAN 10 routing and the trunk work), the issue is on PC2's side. The most common cause is PC2 having no default gateway set, having the wrong gateway (not 192.168.20.1), or having a wrong IP address or subnet mask. The router can route the packet to VLAN 20 — but if PC2 cannot respond correctly back through the gateway, the ping fails.

4. Why must the physical interface in a router-on-a-stick configuration have no IP address?

A. The physical interface serves only as a trunk carrier — assigning an IP creates an untagged subnet that conflicts with the native VLAN and causes routing confusion B. Cisco IOS does not allow IP addresses on interfaces that have subinterfaces C. An IP on the physical interface would disable all subinterfaces automatically D. The physical interface cannot have an IP because it is in trunk mode

Correct answer is A. IOS will accept an IP on the physical interface, but it creates an untagged subnet that the router treats as the native VLAN. This conflicts with the native VLAN subinterface and causes routing confusion. Best practice is to leave the physical interface with no IP (no ip address) and put all addressing on the subinterfaces.

5. A PC in VLAN 10 pings a PC in VLAN 20 successfully. The ICMP reply arrives with TTL 127. What does this confirm?

A. The two PCs are in the same subnet — no routing occurred B. Two router hops were crossed — the TTL decreased by 2 C. One router hop was crossed — the router decremented the TTL by 1, confirming inter-VLAN routing is working D. The packet was forwarded at Layer 2 only — no routing occurred

Correct answer is C. Each time a packet passes through a router, the TTL is decremented by 1. A Windows host sends packets with TTL 128. Receiving a reply with TTL 127 means the packet crossed one router hop — exactly what is expected in a router-on-a-stick topology where the router routes between VLANs.

6. The switch port connecting to the router is accidentally configured as an access port in VLAN 10 instead of a trunk. What will happen?

A. All VLANs will still work — access ports carry all VLANs by default B. Only VLAN 10 traffic will reach the router — frames for VLANs 20 and 30 are never sent to it, so those VLANs cannot be routed C. The router subinterfaces will detect the mismatch and disable themselves D. All VLANs will work except the native VLAN

Correct answer is B. An access port only carries traffic for one VLAN — VLAN 10 in this case. Frames for VLANs 20 and 30 will never reach the router, so those VLANs have no gateway and cannot communicate inter-VLAN. The switch uplink to the router must always be a trunk port carrying all required VLANs. Verify with show interfaces trunk.

7. Which command confirms the router has automatically created connected routes for all three VLAN subnets after subinterface configuration?

A. show interfaces trunk B. show vlan brief C. show ip interface brief D. show ip route

Correct answer is D. show ip route displays the router's routing table. Once subinterfaces are configured and up, IOS automatically adds connected routes (marked with C) for each subinterface's subnet. These connected routes are what enable the router to forward traffic between VLANs without any static route configuration.

8. What is the main limitation of router-on-a-stick compared to a Layer 3 switch for inter-VLAN routing?

A. All inter-VLAN traffic must flow through a single physical link — creating a bottleneck in high-traffic environments B. Router-on-a-stick does not support more than 2 VLANs C. Router-on-a-stick cannot use 802.1Q encapsulation D. Cisco routers do not support subinterfaces on GigabitEthernet

Correct answer is A. In a router-on-a-stick design, every inter-VLAN packet must travel from the switch up the trunk to the router and back down — even if the source and destination PCs are connected to the same switch. This single physical link becomes a bottleneck as VLAN traffic grows. A Layer 3 switch performs routing internally at hardware speed with no physical link limitation.

9. An engineer creates subinterface `GigabitEthernet0/0.99` for the native VLAN. Which encapsulation command is required to correctly handle untagged native VLAN frames?

A. encapsulation dot1q 99 B. encapsulation dot1q 1 C. encapsulation dot1q 99 native D. encapsulation native vlan 99

Correct answer is C. The native keyword in encapsulation dot1q [vlan-id] native tells the router that frames on this subinterface arrive untagged — which is the characteristic of native VLAN traffic on an 802.1Q trunk. Without the native keyword, the router expects all frames on that subinterface to arrive with a VLAN tag.

10. An engineer runs `show ip interface brief` on the router and sees all subinterfaces showing "up/up" but cross-VLAN pings still fail. The switch trunk is verified as operational. What should be checked next?

A. Whether the router has an enable secret configured B. Whether each PC's default gateway is correctly set to its VLAN's subinterface IP address C. Whether the subinterface numbers match the VLAN IDs D. Whether the physical interface has a description configured

Correct answer is B. When the router subinterfaces are up/up and the trunk is operational, the most common remaining cause of cross-VLAN ping failure is an incorrect or missing default gateway on the PCs. Without the correct default gateway pointing to the router's subinterface IP, PCs cannot forward inter-VLAN traffic to the router. Verify each PC's network settings match the topology IP plan.

Back to Home