Router-on-a-Stick – Inter-VLAN Routing with Subinterfaces

1. Why Inter-VLAN Routing Is Needed

VLANs are isolated broadcast domains — by design, a device in VLAN 10 cannot communicate with a device in VLAN 20 at Layer 2. This isolation is the security and segmentation purpose of VLANs. But in practice, devices in different VLANs often do need to communicate — a PC in the Sales VLAN needs to reach a printer in the IT VLAN, or a workstation needs to access a server on a different subnet. This requires inter-VLAN routing — moving traffic from one VLAN to another at Layer 3.

  Without routing — VLANs are isolated:
  ┌─────────────┐    ┌─────────────┐
  │  VLAN 10    │    │  VLAN 20    │
  │ 192.168.10.x│    │ 192.168.20.x│
  │             │ ✗  │             │
  │  PC-A       │    │  Printer-B  │
  └─────────────┘    └─────────────┘
  PC-A CANNOT reach Printer-B — different broadcast domain, no route.

  With inter-VLAN routing — Layer 3 decision required:
  ┌─────────────┐    ┌───────────┐    ┌─────────────┐
  │  VLAN 10    │    │  Router   │    │  VLAN 20    │
  │ .10/24      │──→ │ routes IP │──→ │ .20/24      │
  │             │    │ packet    │    │             │
  │  PC-A       │    └───────────┘    │  Printer-B  │
  └─────────────┘                     └─────────────┘
  PC-A sends to default gateway → router routes to VLAN 20 → Printer-B reached ✓

There are three ways to achieve inter-VLAN routing. This page covers the second method in depth:

Multiple physical router interfaces — one router port per VLAN. Simple but wasteful of hardware; rarely used in modern networks.
Router-on-a-Stick — one physical router port divided into logical subinterfaces over a single 802.1Q trunk link. Cost-effective for small networks and labs.
Layer 3 switch with SVIs — the switch performs routing internally using Switch Virtual Interfaces. Higher performance; preferred in production networks.

2. What Is Router-on-a-Stick?

Router-on-a-Stick (RoaS) is a network design where a single physical router interface connects to a switch via an 802.1Q trunk link and is logically divided into multiple subinterfaces — one subinterface per VLAN. Each subinterface acts as the default gateway for its respective VLAN, and the router performs Layer 3 routing between them.

The name comes from the physical topology: a single cable (the "stick") connects the router to the switch, carrying all inter-VLAN traffic tagged with 802.1Q VLAN IDs.

  Physical view:
                    ONE physical link (trunk)
  [Router Gi0/0] ─────────────────────── [Switch Gi0/24]
       │
       ├── Gi0/0.10 (logical — VLAN 10 gateway: 192.168.10.1)
       ├── Gi0/0.20 (logical — VLAN 20 gateway: 192.168.20.1)
       └── Gi0/0.30 (logical — VLAN 30 gateway: 192.168.30.1)

  Logical view:
  VLAN 10 hosts ──→ trunk (tagged VLAN 10)  ──→ Gi0/0.10 ──→ router
  VLAN 20 hosts ──→ trunk (tagged VLAN 20)  ──→ Gi0/0.20 ──→ router
  VLAN 30 hosts ──→ trunk (tagged VLAN 30)  ──→ Gi0/0.30 ──→ router

  All three VLANs share the same physical wire but are kept separate
  by the 802.1Q VLAN tag in each Ethernet frame.

3. 802.1Q Subinterfaces — How They Work

A subinterface is a logical division of a physical interface, created in software. In Cisco IOS, subinterfaces are named using a dot notation: GigabitEthernet0/0.10 is subinterface 10 of physical interface GigabitEthernet0/0. The number after the dot is arbitrary — it does not need to match the VLAN ID, though it is best practice to make them the same for clarity.

Each subinterface is configured with:

An encapsulation statement that tells the router which VLAN tag this subinterface should process (encapsulation dot1Q <vlan-id>).
An IP address that serves as the default gateway for hosts in that VLAN.

  How 802.1Q tagging works with subinterfaces:

  VLAN 10 frame arrives on trunk:
  ┌──────────────────────────────────────────────────────┐
  │ Dst MAC │ Src MAC │ 802.1Q Tag │  IP Packet │ FCS   │
  │         │         │ VLAN=10    │            │       │
  └──────────────────────────────────────────────────────┘
              │
              ▼
  Router examines VLAN tag (10) →
  matches encapsulation dot1Q 10 on Gi0/0.10 →
  delivers IP packet to subinterface Gi0/0.10 for routing

  VLAN 20 frame arrives on same trunk:
  ┌──────────────────────────────────────────────────────┐
  │ Dst MAC │ Src MAC │ 802.1Q Tag │  IP Packet │ FCS   │
  │         │         │ VLAN=20    │            │       │
  └──────────────────────────────────────────────────────┘
              │
              ▼
  Router examines VLAN tag (20) →
  matches encapsulation dot1Q 20 on Gi0/0.20 →
  delivers IP packet to subinterface Gi0/0.20 for routing

Native VLAN Subinterface

The native VLAN (default: VLAN 1) carries untagged frames on a trunk link. To configure a subinterface for the native VLAN, use the native keyword:

  Router(config)# interface GigabitEthernet0/0.1
  Router(config-subif)# encapsulation dot1Q 1 native
  Router(config-subif)# ip address 192.168.1.1 255.255.255.0

  ! The "native" keyword tells the router this subinterface handles
  ! untagged frames (native VLAN traffic) on the trunk.
  ! Best practice: change the native VLAN to something other than
  ! VLAN 1 and match it on both ends to prevent VLAN hopping attacks.

4. Complete Configuration — Step by Step

The following configuration deploys Router-on-a-Stick for three VLANs: VLAN 10 (PCs), VLAN 20 (Printers), VLAN 30 (Servers). The router's GigabitEthernet0/0 connects to the switch's GigabitEthernet0/24.

Step 1 — Configure VLANs on the Switch

  Switch(config)# vlan 10
  Switch(config-vlan)# name PCs
  Switch(config)# vlan 20
  Switch(config-vlan)# name Printers
  Switch(config)# vlan 30
  Switch(config-vlan)# name Servers

  ! VLANs must exist in the switch's VLAN database before they can
  ! be used. Verify with: show vlan brief

Step 2 — Configure Access Ports for Each VLAN

  ! Assign host-facing ports to the correct VLAN:
  Switch(config)# interface GigabitEthernet0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 10   ! PC port → VLAN 10

  Switch(config)# interface GigabitEthernet0/2
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 20   ! Printer port → VLAN 20

  Switch(config)# interface GigabitEthernet0/3
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan 30   ! Server port → VLAN 30

Step 3 — Configure the Trunk Port Toward the Router

  Switch(config)# interface GigabitEthernet0/24  ! port to router
  Switch(config-if)# switchport trunk encapsulation dot1q  ! needed on some switches
  Switch(config-if)# switchport mode trunk
  Switch(config-if)# switchport trunk allowed vlan 10,20,30
  Switch(config-if)# switchport trunk native vlan 99       ! non-default native VLAN
  Switch(config-if)# no shutdown

  ! switchport trunk allowed vlan: only listed VLANs cross this trunk.
  ! Setting a non-default native VLAN (99 here) is a security best practice.
  ! Verify with: show interfaces GigabitEthernet0/24 trunk

Step 4 — Configure the Physical Router Interface

  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# description Trunk to Switch
  Router(config-if)# no ip address    ! physical interface has NO IP address
  Router(config-if)# no shutdown      ! must be up for subinterfaces to work
  Router(config-if)# exit

  ! CRITICAL: The physical interface must be up and must NOT have an
  ! IP address. IP addresses go on the subinterfaces only.
  ! If the physical interface is "administratively down" ALL subinterfaces
  ! will also be down, regardless of their own shutdown state.

Step 5 — Configure Subinterfaces (One Per VLAN)

  ! VLAN 10 subinterface:
  Router(config)# interface GigabitEthernet0/0.10
  Router(config-subif)# description VLAN 10 - PCs
  Router(config-subif)# encapsulation dot1Q 10
  Router(config-subif)# ip address 192.168.10.1 255.255.255.0

  ! VLAN 20 subinterface:
  Router(config)# interface GigabitEthernet0/0.20
  Router(config-subif)# description VLAN 20 - Printers
  Router(config-subif)# encapsulation dot1Q 20
  Router(config-subif)# ip address 192.168.20.1 255.255.255.0

  ! VLAN 30 subinterface:
  Router(config)# interface GigabitEthernet0/0.30
  Router(config-subif)# description VLAN 30 - Servers
  Router(config-subif)# encapsulation dot1Q 30
  Router(config-subif)# ip address 192.168.30.1 255.255.255.0

  ! Each subinterface:
  ! 1. encapsulation dot1Q [vlan-id] — must match the VLAN ID on the switch
  ! 2. ip address — becomes the default gateway for hosts in that VLAN
  ! No "no shutdown" needed — subinterfaces inherit state from physical interface

Step 6 — Configure Host Default Gateways

  Hosts in each VLAN must point to the correct subinterface IP:
  VLAN 10 PCs:      default gateway = 192.168.10.1
  VLAN 20 Printers: default gateway = 192.168.20.1
  VLAN 30 Servers:  default gateway = 192.168.30.1

  If using DHCP, configure DHCP pools on the router:
  Router(config)# ip dhcp pool VLAN10_POOL
  Router(dhcp-config)# network 192.168.10.0 255.255.255.0
  Router(dhcp-config)# default-router 192.168.10.1
  Router(dhcp-config)# dns-server 8.8.8.8

  Router(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10
  ! Exclude the gateway and any other statically-assigned addresses

See: Router-on-a-Stick Lab | Trunk Configuration | VLAN Configuration | DHCP Configuration

5. Packet Flow — What Happens When VLAN 10 Talks to VLAN 20

This is the most important section on this page. Understanding exactly what happens to each frame and packet as it moves between VLANs in a Router-on-a-Stick topology is a core CCNA topic.

  Scenario: PC-A (192.168.10.10, VLAN 10) sends data to Printer-B (192.168.20.50, VLAN 20)

  ── Step 1: PC-A determines the destination is on a different subnet ────────
  PC-A subnet: 192.168.10.0/24
  Printer-B:   192.168.20.50 ← different subnet
  Decision:    must send to default gateway → 192.168.10.1

  ── Step 2: PC-A sends the frame to the router's subinterface ────────────────
  PC-A checks ARP cache for 192.168.10.1 (or ARPs for it).
  Builds Ethernet frame:
    Src MAC:  PC-A's MAC
    Dst MAC:  Router Gi0/0.10 MAC (gateway)
    Src IP:   192.168.10.10
    Dst IP:   192.168.20.50
  Frame leaves PC-A's access port (untagged, VLAN 10 implied).

  ── Step 3: Switch tags the frame and sends it up the trunk ──────────────────
  Switch receives untagged frame on access port Gi0/1 (VLAN 10).
  Switch adds 802.1Q tag: VLAN=10
  Tagged frame sent up trunk port Gi0/24 to the router.

  ── Step 4: Router receives frame on Gi0/0.10 ────────────────────────────────
  Router examines 802.1Q tag (VLAN 10) → delivers to Gi0/0.10.
  Router strips Ethernet frame → reads IP header:
    Src IP: 192.168.10.10   Dst IP: 192.168.20.50
  Router decrements TTL by 1.

  ── Step 5: Router performs routing table lookup ─────────────────────────────
  Routing table has:
    C 192.168.20.0/24 directly connected, GigabitEthernet0/0.20
  → Forward out Gi0/0.20 toward 192.168.20.50

  ── Step 6: Router builds new frame for VLAN 20 and sends down trunk ─────────
  Router checks ARP for 192.168.20.50 (or sends ARP Request tagged VLAN 20).
  Builds new Ethernet frame:
    Src MAC:  Router Gi0/0.20 MAC
    Dst MAC:  Printer-B's MAC
    Src IP:   192.168.10.10 (unchanged!)
    Dst IP:   192.168.20.50 (unchanged!)
  Router sends frame out Gi0/0 — tagged VLAN 20 — down the trunk.

  ── Step 7: Switch delivers frame to Printer-B ────────────────────────────────
  Switch receives tagged frame (VLAN 20) on trunk port Gi0/24.
  Switch strips VLAN tag → forwards untagged frame to Printer-B's
  access port (Gi0/2, VLAN 20).
  Printer-B receives the frame ✓

  Key observation: the frame travelled DOWN the trunk twice on the SAME cable —
  once as VLAN 10 (PC-A to router), once as VLAN 20 (router to Printer-B).
  This "double-travel" on the single trunk link is why it is called the "stick"
  and why bandwidth is a concern in high-traffic environments.

6. Verification Commands

Command	Run On	What It Verifies	What to Look For
`show ip interface brief`	Router	Status and IP of all interfaces including subinterfaces	Physical interface and all subinterfaces show "up up"; each subinterface has the correct IP address
`show running-config interface Gi0/0.10`	Router	Full configuration of a specific subinterface	Correct encapsulation dot1Q VLAN ID and IP address
`show interfaces Gi0/0.10`	Router	Detailed subinterface statistics including input/output packet counts and errors	Traffic counters incrementing confirms frames are being processed; zero counters with expected traffic suggests a config problem
`show ip route`	Router	Routing table — confirms directly connected routes for each VLAN subnet are present	`C 192.168.10.0/24 is directly connected, Gi0/0.10` for each configured subinterface
`show interfaces trunk`	Switch	Trunk status, trunking VLANs, and VLANs active in spanning tree	Port shows trunking mode; all required VLANs (10, 20, 30) appear under "VLANs allowed and active in management domain"
`show vlan brief`	Switch	All configured VLANs and their member ports	VLANs 10, 20, 30 exist and the correct access ports are assigned to each
`show interfaces Gi0/24 trunk`	Switch	Specific trunk port status and allowed VLANs	Mode shows "trunk"; VLANs 10, 20, 30 are in the allowed list and active
`ping 192.168.20.1`	PC-A (VLAN 10)	End-to-end connectivity from a host to the remote VLAN gateway	Replies confirm the trunk, subinterface encapsulation, and IP addressing are all correct

Annotated show ip interface brief Output

  Router# show ip interface brief

  Interface              IP-Address      OK? Method Status   Protocol
  GigabitEthernet0/0     unassigned      YES unset  up       up
  GigabitEthernet0/0.10  192.168.10.1    YES manual up       up
  GigabitEthernet0/0.20  192.168.20.1    YES manual up       up
  GigabitEthernet0/0.30  192.168.30.1    YES manual up       up

  ! Physical interface: unassigned (no IP) — CORRECT
  ! All subinterfaces: up/up with correct IPs — CORRECT
  ! If physical shows down/down → cable issue or "no shutdown" missing
  ! If subinterface shows down/down with physical up → encapsulation
  !   mismatch or VLAN not allowed on trunk

7. Troubleshooting Common Issues

Symptom	Root Cause	Diagnostic Steps and Fix
Host cannot ping its own default gateway (e.g., 192.168.10.1)	VLAN not created on switch; VLAN not allowed on trunk; access port not in the correct VLAN; encapsulation mismatch on subinterface; physical interface is shutdown	`show vlan brief` — confirm VLAN 10 exists and the host port is a member; `show interfaces trunk` — confirm VLAN 10 is in the allowed list; `show ip interface brief` on router — confirm Gi0/0.10 is up/up; verify `encapsulation dot1Q 10` matches VLAN 10
Host can ping its own gateway but cannot reach other VLANs	Destination VLAN's subinterface misconfigured; destination VLAN not on trunk; host in destination VLAN has wrong default gateway	`show ip route` on router — check for connected route to destination VLAN subnet; `ping 192.168.20.1` from the router itself — if this fails, the subinterface for VLAN 20 has an issue
All subinterfaces show "down/down" even though physical is up	Physical interface has `shutdown` applied; OR incorrect encapsulation on subinterfaces	`show interfaces GigabitEthernet0/0` — confirm physical is "GigabitEthernet0/0 is up, line protocol is up"; if not, run `no shutdown` on the physical interface
VLAN mismatch — trunk shows VLAN not active	VLAN configured on router subinterface but not created on switch, or not in the trunk's allowed VLAN list	`show interfaces trunk` — compare "VLANs allowed on trunk" vs "VLANs allowed and active"; add missing VLAN: `switchport trunk allowed vlan add 30`
Encapsulation error — subinterface line protocol is down	`encapsulation dot1Q` VLAN number does not match the VLAN the switch is sending on that trunk	Compare `show running-config interface Gi0/0.10` (router) against `show interfaces trunk` (switch); ensure the VLAN ID in `encapsulation dot1Q <n>` exactly matches the VLAN the switch tags for that traffic
Trunk not forming — port shows as access instead of trunk	Switch port mode not set to trunk; some switches require `switchport trunk encapsulation dot1q` before `switchport mode trunk`	`show interfaces GigabitEthernet0/24 switchport` — check "Administrative Mode" and "Operational Mode"; if not trunk, apply `switchport mode trunk`; on switches requiring it, first run `switchport trunk encapsulation dot1q`

8. Security Considerations

Router-on-a-Stick introduces the trunk link as a critical security boundary. Several best practices should be applied.

Security Measure	Why It Matters	Configuration
Change the native VLAN	VLAN 1 is the default native VLAN. VLAN hopping attacks can exploit the native VLAN to send untagged frames that bypass VLAN isolation. Using a non-routable, unused VLAN (e.g., VLAN 99) as the native VLAN eliminates this attack vector.	`switchport trunk native vlan 99` on the switch; `encapsulation dot1Q 99 native` on the corresponding router subinterface
Restrict VLANs on the trunk	Allowing all VLANs (`vlan 1-4094`) on the trunk exposes every VLAN to any device that can access the trunk. Explicitly allow only the VLANs that need routing.	`switchport trunk allowed vlan 10,20,30` (not `all`)
Apply ACLs for inter-VLAN traffic control	By default, Router-on-a-Stick allows unrestricted communication between all routed VLANs. ACLs on subinterfaces can enforce policies — e.g., allowing the Servers VLAN to be reached only on specific ports, or blocking VLAN 10 from accessing VLAN 30 entirely.	Apply an extended ACL inbound on each subinterface: `ip access-group VLAN10_IN in` on Gi0/0.10
Disable DTP on the trunk port	Dynamic Trunking Protocol (DTP) can allow an attacker to negotiate a trunk with the switch automatically. Statically setting trunk mode and disabling DTP prevents this.	`switchport nonegotiate` on the trunk port

See: Applying ACLs | Named ACLs | VLAN Security

9. Router-on-a-Stick vs Layer 3 Switch SVI Routing

Router-on-a-Stick is a valid inter-VLAN routing solution, but it has important limitations compared to using a Layer 3 switch with Switch Virtual Interfaces (SVIs). Understanding when to use each is a CCNA exam topic.

Feature	Router-on-a-Stick	Layer 3 Switch (SVI)
Hardware required	Separate router + switch; one physical router interface used for all VLANs	Layer 3 capable switch; no external router needed for inter-VLAN routing (only for internet access)
Throughput / bandwidth	Limited by the single physical trunk link — all inter-VLAN traffic must traverse the same cable twice (down to router, back up to switch)	Inter-VLAN routing happens internally in hardware (ASIC) at line rate — no external link bottleneck; much higher throughput
Latency	Higher — traffic leaves the switch, traverses the router, and returns to the switch	Lower — routing decision is made inside the switch without leaving the chassis
Cost	Lower initial cost — reuses an existing router	Higher initial cost — Layer 3 switches are more expensive than Layer 2 switches
Scalability	Poor for many VLANs — all share one interface; adding more VLANs increases trunk congestion	Excellent — each SVI is a separate logical interface with dedicated internal routing capacity
Configuration complexity	Moderate — requires trunk on switch, subinterfaces on router, matching encapsulation	Simpler in some ways — create SVI (`interface vlan 10`), assign IP, enable IP routing (`ip routing`)
Best use case	Small networks; labs; cost-constrained environments; when no Layer 3 switch is available	Production environments; medium to large networks; where performance and scalability matter
Internet/WAN access	The router provides both inter-VLAN routing and internet access in a single device	Layer 3 switch handles inter-VLAN; a separate router or firewall typically provides internet/WAN access

Layer 3 Switch SVI Configuration (for comparison)

  ! Layer 3 switch inter-VLAN routing with SVIs:
  Switch(config)# ip routing                   ! enable Layer 3 routing

  Switch(config)# interface vlan 10
  Switch(config-if)# ip address 192.168.10.1 255.255.255.0
  Switch(config-if)# no shutdown

  Switch(config)# interface vlan 20
  Switch(config-if)# ip address 192.168.20.1 255.255.255.0
  Switch(config-if)# no shutdown

  Switch(config)# interface vlan 30
  Switch(config-if)# ip address 192.168.30.1 255.255.255.0
  Switch(config-if)# no shutdown

  ! No trunk to an external router needed for inter-VLAN routing.
  ! Routing is performed internally in hardware.
  ! For internet access, a separate uplink to a router is still needed.

10. Exam Tips & Key Points

Router-on-a-Stick uses a single physical interface divided into logical subinterfaces (one per VLAN) connected to the switch via an 802.1Q trunk. The "stick" is the single cable between router and switch.
The physical interface must have no ip address and no shutdown. IP addresses go on the subinterfaces only.
Each subinterface requires exactly two commands: encapsulation dot1Q <vlan-id> and an ip address. The VLAN ID in the encapsulation command must match the VLAN configured on the switch.
The switch port facing the router must be in trunk mode (switchport mode trunk) and must allow all routed VLANs. A missing VLAN in the allowed list is the most common misconfiguration.
Hosts in each VLAN use their subinterface IP as the default gateway. If the gateway is wrong on the host, inter-VLAN routing will not work even if everything else is correct.
When a host in VLAN 10 sends to VLAN 20, the frame travels the trunk twice — tagged VLAN 10 on the way to the router, tagged VLAN 20 on the return. This double traversal is why the single trunk is a bandwidth bottleneck.
For large or performance-sensitive networks, use Layer 3 switch SVIs instead — routing occurs internally in hardware at line rate.
Key verification commands: show ip interface brief (router — check subinterfaces up/up); show interfaces trunk (switch — confirm trunk mode and allowed VLANs); show vlan brief (switch — confirm VLANs exist and ports assigned).

11. Summary Reference Table

Element	Configuration / Role
Physical interface (router)	`no ip address`; `no shutdown`; no other config
Subinterface naming	`GigabitEthernet0/0.<n>` — dot notation; number typically matches VLAN ID
Subinterface encapsulation	`encapsulation dot1Q <vlan-id>` — must exactly match switch VLAN
Subinterface IP address	First usable IP in VLAN's subnet — becomes the default gateway for VLAN hosts
Native VLAN subinterface	`encapsulation dot1Q <vlan-id> native` — handles untagged frames
Switch port to router	`switchport mode trunk`; `switchport trunk allowed vlan <list>`
Access ports (host-facing)	`switchport mode access`; `switchport access vlan <n>`
Verify router subinterfaces	`show ip interface brief` — all subinterfaces up/up
Verify trunk (switch)	`show interfaces trunk` — VLANs listed as allowed and active
Verify routing	`show ip route` — connected routes for each VLAN subnet present
Bottleneck	Single physical trunk link — all inter-VLAN traffic traverses it twice
Better alternative for scale	Layer 3 switch with SVIs and `ip routing`

Router-on-a-Stick Quiz

1. What is the main purpose of Router-on-a-Stick, and what physical topology defines it?

A. To connect multiple physical router interfaces — each VLAN requires its own dedicated router port and separate cable to the switch B. To route traffic between multiple VLANs using a single physical router interface divided into logical subinterfaces, connected to the switch via a single 802.1Q trunk link — the "stick" is that single cable C. To replace Layer 2 switches with a router that performs both switching and routing for all network segments D. To provide internet access to hosts using NAT — VLANs are not involved in the design

Correct answer is B. Router-on-a-Stick is an inter-VLAN routing technique that uses a single physical router interface — the "stick" — connected to a switch trunk port. The physical interface is configured with no IP address and is not shut down, while logical subinterfaces (e.g., Gi0/0.10, Gi0/0.20) are created and each is configured with an 802.1Q encapsulation statement and an IP address that serves as the default gateway for its respective VLAN. All inter-VLAN traffic flows up and down this single trunk link. The name comes directly from the physical appearance — the router hangs off the switch on one "stick" (one cable) carrying multiple VLANs.

2. How does a single physical router interface handle frames from multiple different VLANs simultaneously in a Router-on-a-Stick design?

A. By using multiple physical interfaces, one per VLAN — the design simply aggregates them as a single logical bundle B. By using VLAN trunks with no subinterfaces — the physical interface reads all VLAN tags directly without any subdivision C. Through NAT — each VLAN is translated to a different public IP address as it passes through the router interface D. By creating logical subinterfaces (e.g., Gi0/0.10, Gi0/0.20), each configured with encapsulation dot1Q and the corresponding VLAN ID — the router uses the 802.1Q tag in each arriving frame to deliver it to the correct subinterface

Correct answer is D. The mechanism is the 802.1Q VLAN tag. The switch sends all inter-VLAN traffic up the trunk with each frame tagged with its originating VLAN ID. When frames arrive on the router's physical interface, the router reads the 802.1Q tag and matches it against the encapsulation dot1Q <vlan-id> statement on each subinterface — delivering VLAN 10 frames to Gi0/0.10 and VLAN 20 frames to Gi0/0.20. Each subinterface then processes the IP packet inside the frame independently, routes it to the correct destination VLAN, and sends it back down the trunk with the new VLAN tag.

3. What VLAN encapsulation protocol is used in Router-on-a-Stick, and why is Cisco ISL no longer used?

A. IEEE 802.1Q — the industry standard that inserts a 4-byte VLAN tag into the Ethernet frame header; ISL was Cisco-proprietary and has been deprecated on modern Cisco hardware B. ISL (Inter-Switch Link) — Cisco's proprietary encapsulation that wraps the entire Ethernet frame in a new header; still used on most modern Cisco platforms C. MPLS — the label-switching protocol that inserts a label between Layer 2 and Layer 3 headers for VLAN identification D. Frame Relay — the WAN encapsulation protocol used for VLAN tagging on serial interfaces

Correct answer is A. Router-on-a-Stick uses IEEE 802.1Q — the industry-standard VLAN tagging protocol. 802.1Q works by inserting a 4-byte tag into the Ethernet frame between the source MAC address and the EtherType field. This tag contains the 12-bit VLAN ID (supporting up to 4094 VLANs) and a 3-bit priority field (used by QoS). 802.1Q is supported by all vendors and all modern hardware. Cisco's ISL (Inter-Switch Link) was an older proprietary alternative that encapsulated the entire original Ethernet frame inside a new 26-byte header. ISL has been deprecated and is not supported on most modern Cisco switches and routers. The Cisco IOS command for 802.1Q tagging on a subinterface is encapsulation dot1Q <vlan-id>.

4. What configuration is required on the switch port connected to the router, and what happens if it is configured as an access port instead?

A. Access mode with VLAN 1 — all VLANs are carried as untagged traffic and the router distinguishes them by IP address range B. Disabled — the switch port should not be configured; it learns trunk mode automatically from the router C. Trunk mode allowing all required VLANs — if configured as an access port instead, only one VLAN's traffic can traverse the link and all other VLANs will be unable to route D. Port channel aggregation — multiple physical links must be bundled to provide enough bandwidth for inter-VLAN traffic

Correct answer is C. The switch port connecting to the router must be configured as a trunk port using switchport mode trunk, and the required VLANs must be explicitly allowed with switchport trunk allowed vlan 10,20,30. A trunk port carries multiple VLANs — each frame is tagged with its VLAN ID using 802.1Q. If the switch port is configured as an access port instead, it can only carry one VLAN (the access VLAN) as untagged traffic. The subinterface encapsulation statements on the router would not match because no 802.1Q tags would be present in the frames, and only the one native VLAN would work — completely defeating the purpose of Router-on-a-Stick.

5. How must IP addresses be assigned on router subinterfaces, and what role do they play for VLAN hosts?

A. The same IP address is assigned to all subinterfaces — hosts in different VLANs share the same gateway IP B. Each subinterface receives a unique IP address within its VLAN's subnet — this IP becomes the default gateway for all hosts in that VLAN; if the gateway IP is wrong on the host, inter-VLAN routing will not work even if the router and switch are perfectly configured C. Only public IP addresses can be used on subinterfaces — private addresses cannot be routed between VLANs D. Subinterface IPs are assigned automatically by DHCP from VLAN 1 — no manual configuration is needed

Correct answer is B. Each subinterface is assigned a unique IP address from within the subnet of the VLAN it serves — typically the first usable host address in that subnet (e.g., 192.168.10.1/24 for VLAN 10, 192.168.20.1/24 for VLAN 20). This IP address serves as the default gateway for all hosts in that VLAN. Hosts must be manually or via DHCP configured with the correct gateway — a host in VLAN 10 configured with 192.168.20.1 as its gateway will send all traffic to the wrong VLAN and routing will fail completely, even if all router and switch configuration is correct. This is one of the most common Router-on-a-Stick configuration errors — always verify host gateway settings when troubleshooting.

6. What is the bandwidth bottleneck in a Router-on-a-Stick design, and why does traffic traverse the trunk link twice for each inter-VLAN exchange?

A. Multiple physical interfaces are required, limiting the design — the bottleneck is the router CPU, not the interface B. The router cannot perform VLAN tagging so traffic must be converted to a different format — this conversion causes the double traversal C. The switch's VLAN database limits how many VLANs can be routed simultaneously, creating the bottleneck D. The single physical trunk link is the bottleneck — a frame from VLAN 10 to VLAN 20 must travel from the switch up the trunk to the router (tagged VLAN 10), then back down the same trunk from the router to the switch (tagged VLAN 20), effectively consuming twice the bandwidth per packet

Correct answer is D. The bandwidth bottleneck in Router-on-a-Stick is the single physical trunk link shared by all inter-VLAN traffic. Consider a PC in VLAN 10 sending a 1 KB packet to a printer in VLAN 20: the frame travels from the switch up the trunk to the router (consuming trunk bandwidth once), then the router routes it and sends it back down the exact same trunk to the switch (consuming trunk bandwidth a second time) before the switch delivers it to the printer. Every inter-VLAN packet makes this round trip on the trunk link, effectively halving the available bandwidth for inter-VLAN traffic compared to what the physical interface could theoretically support. In a high-traffic network with many VLANs, this single-link limitation becomes a serious performance constraint. Layer 3 switches solve this by routing internally in silicon without any external link traversal. See Layer 3 Switch Inter-VLAN Routing for the alternative design.

7. Which command on the router shows the IP address and up/down status of all subinterfaces at a glance?

A. show ip interface brief — displays all interfaces including subinterfaces with their IP address, OK status, and up/down state in a compact table B. show vlan brief — this switch command shows VLAN assignments, not router subinterface status C. show interfaces trunk — this switch command shows trunk port configuration, not router subinterfaces D. show ip route — shows the routing table entries but not the interface configuration or up/down status

Correct answer is A.

show ip interface
                  brief

is the fastest way to verify the status of all interfaces and subinterfaces on a Cisco router. Its output shows: Interface (name including subinterface notation), IP-Address, OK?, Method, Status (up/down), and Protocol (up/down). In a correctly working Router-on-a-Stick configuration, GigabitEthernet0/0 shows "unassigned" (no IP) with status/protocol both up, and each subinterface (Gi0/0.10, Gi0/0.20, etc.) shows the correct IP address with both status and protocol up. Any subinterface showing "down/down" while the physical is up indicates an encapsulation mismatch or VLAN problem. Any subinterface showing "administratively down" means shutdown was applied.

8. An engineer configures Router-on-a-Stick for VLANs 10, 20, and 30 but hosts in VLAN 30 cannot reach any other VLAN. What is the most likely cause?

A. All switch ports must be in access mode — trunk mode is not compatible with VLAN 30 B. DHCP is disabled on the switch, preventing VLAN 30 hosts from obtaining an IP address C. VLAN 30 is not included in the trunk's allowed VLAN list on the switch — frames tagged VLAN 30 are dropped at the trunk port before reaching the router's subinterface D. The router subinterface Gi0/0.30 does not need an encapsulation statement — all VLANs are automatically handled by the physical interface

Correct answer is C. This is the most common Router-on-a-Stick misconfiguration. If VLAN 30 is not in the trunk's allowed VLAN list (switchport trunk allowed vlan 10,20,30), the switch will drop all frames tagged with VLAN 30 at the trunk port — they never reach the router's Gi0/0.30 subinterface. Verify with show interfaces trunk on the switch and check the "VLANs allowed and active in management domain" section. If VLAN 30 is missing, add it with switchport trunk allowed vlan add 30. Additionally, verify that VLAN 30 actually exists in the switch's VLAN database with show vlan brief — a VLAN that is not created cannot be active on a trunk even if it is in the allowed list.

9. Trace the complete path of a packet sent from PC-A (192.168.10.10, VLAN 10) to Printer-B (192.168.20.50, VLAN 20). How many times does traffic cross the trunk link?

A. Once — the switch routes the frame directly to VLAN 20 once it arrives from PC-A without involving the router's trunk B. Twice — first from the switch to the router tagged VLAN 10 (PC-A's frame heading to the gateway), then back from the router to the switch tagged VLAN 20 (the routed packet heading to Printer-B) C. Three times — once to the router, once for VLAN conversion, and once for delivery to the printer D. The switch performs routing internally and traffic never crosses the trunk to the router at all

Correct answer is B. The path in a Router-on-a-Stick topology involves exactly two trunk crossings per inter-VLAN packet. First crossing: PC-A's frame leaves its access port (VLAN 10, untagged), the switch adds the VLAN 10 tag, and sends it up the trunk to the router. Second crossing: the router routes the IP packet from subinterface Gi0/0.10 to Gi0/0.20, builds a new Ethernet frame with VLAN 20 tag, and sends it back down the trunk toward the switch; the switch strips the tag and delivers the untagged frame to Printer-B's access port. The IP source and destination addresses remain unchanged throughout (192.168.10.10 → 192.168.20.50) — only the MAC addresses and VLAN tags change. This double traversal is the fundamental performance limitation of the design.

10. Why are Layer 3 switches with SVIs preferred over Router-on-a-Stick for larger production networks?

A. Layer 3 switches use hubs instead of switches, which provides faster broadcast delivery across all VLANs B. Disabling VLANs on a Layer 3 switch allows all traffic to flow freely without any routing overhead C. Using static IP addresses on all hosts eliminates the need for inter-VLAN routing, making Layer 3 switches the simpler solution D. Layer 3 switches route inter-VLAN traffic internally in hardware ASICs at line rate — there is no external link bottleneck, no double-traversal of a trunk, and throughput scales to many VLANs without degradation

Correct answer is D. A Layer 3 switch with Switch Virtual Interfaces (SVIs) performs inter-VLAN routing internally using dedicated routing ASICs (Application-Specific Integrated Circuits). When a frame from VLAN 10 needs to reach VLAN 20, the switch's hardware routing engine makes the Layer 3 decision and delivers the packet directly to the VLAN 20 segment — all within the switch chassis, at wire speed, without any traffic leaving the device. Compare this to Router-on-a-Stick where every inter-VLAN packet must travel to an external router and back — consuming trunk bandwidth twice and introducing additional latency. Layer 3 switches are more expensive but provide dramatically better performance and scalability. The common production design uses a Layer 3 switch for inter-VLAN routing and a separate router (or firewall) only for internet/WAN access.

← Back to Home