Router on a stick (or One Armed Router) is a common name for a configuration used for routing between VLANs on a single Ethernet (including Fast/Gig/10Gig) interface. This configuration uses sub-interfaces on the separate VLANs and an 802.1q or ISL trunk to perform the routing. There are a few reasons you would use this configuration, and several not to. Probably the most common reason is cost. Most branches already have a router for WAN or internet access; using the same router for routing between VLANs saves the cost of a Layer 3 switch. You may also wish to make use of some of the more advanced features on a router, such as firewalling. Another thing that cuts both ways is that you gain some simplicity by minimizing the number of routing devices, but you add complexity to the configuration of the router. The main drawback is performance. You are pushing all your traffic between two VLANs through a single interface, which could become a network bottleneck. You have to determine the potential impact to your network. The topology and network usage will largely determine how big an impact this will have. If you have all your PCs on one VLAN, a couple of servers that you are doing large file transfers with on another, and your printers on their own VLAN, you are probably going to see some serious issues. Conversely, if you have a single data VLAN, a wireless VLAN, and a voice VLAN, with the majority of the traffic from each going back to a central site over a WAN connection, this may be a very legitimate production use of router on a stick.
Connect an Ethernet port on the router to a switch port. You should use the fastest available ports to maximize throughput.
The switch port needs to be configured as a trunk, and in this case I am also setting the allowed VLANs. This serves two purposes: it is a good management practice to restrict VLANs where they are not needed, and since the router will not be able to accept traffic on other VLANs without adding another sub-interface, the allowed list shows you clearly on the switch side which VLANs are available for routing. The disadvantage is that when a VLAN is added to the router, it also needs to be added to the allowed VLAN list on the switch. Since the VLAN needs to be added to the VLAN database anyway, this should not be too much of an issue.
Switch(config)#interface gig0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 1,10,20
On the router, the main interface is usually configured without an IP address, although on an 802.1q trunk it can be used for the native VLAN. The remaining VLANs are configured on subinterfaces. My preference is to not use the native VLAN, and if it needs to be used, place it on a subinterface.
To create a subinterface, issue the interface command with a decimal point and number after the interface number:
R1(config)#interface fastEthernet 1/0.10
The number here is only to label the subinterfaces, and is not related to the VLAN. Usually it will be configured to match the VLAN for clarity, but it doesn’t need to.
Next, the subinterfaces need to have an encapsulation configured:
R1(config-subif)#encapsulation dot1Q 10
For our uses, the encapsulation can either be “dot1q” or “isl.” The encapsulation configured needs to match the encapsulation on the switch. The VLAN is specified after the encapsulation type, so the above example configures an 802.1q trunk, with the interface on VLAN 10. To make the VLAN the native (untagged) VLAN, add the keyword “native” at the end of the command.
If you try to configure an IP address before setting the encapsulation, you will get the following error:
% Configuring IP routing on a LAN subinterface is only allowed if that subinterface is already configured as part of an IEEE 802.10, IEEE 802.1Q, or ISL vLAN.
Once the interface is created and an encapsulation specified, you can assign an IP address or any other configuration that can be applied to a normal interface.
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
!
interface FastEthernet1/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet1/0.30
 encapsulation dot1Q 30 native
 ip address 10.10.30.1 255.255.255.0
 standby 1 ip 10.10.30.3
 standby 1 preempt
The example above shows a more complete configuration, including the physical interface, where speed and duplex are set. The subinterface numbers were matched to the VLANs, although that is not needed. On the third interface, VLAN 30 is set as the native VLAN, and HSRP is configured to show that the interface can be configured as normal.
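Keeping the switch's allowed-VLAN list in step with the router's subinterfaces (and the native VLAN consistent on both ends) is the part of this setup that drifts over time. The following added check is example code written for this page, not the author's own tooling: it parses constructed IOS snippets modelled on the configs above (the switch port name GigabitEthernet0/1 and the omission of the ip address lines are my assumptions) and reports VLANs routed but pruned, VLANs trunked but unrouted, and a native VLAN mismatch.

```python
import re

# Sample configs constructed for this example, modelled on the page's switch
# trunk and router subinterface snippets (ip address lines omitted for brevity).
ROUTER_CFG = """\
interface FastEthernet1/0.10
 encapsulation dot1Q 10
interface FastEthernet1/0.20
 encapsulation dot1Q 20
interface FastEthernet1/0.30
 encapsulation dot1Q 30 native
"""
SWITCH_CFG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
"""

ENCAP = re.compile(r"^\s*encapsulation\s+dot1q\s+(\d+)([ \t]+native)?", re.I | re.M)
# handles comma lists and ranges on 'allowed vlan' / 'allowed vlan add' lines only
ALLOWED = re.compile(r"^\s*switchport trunk allowed vlan\s+(?:add\s+)?([\d,\-]+)", re.I | re.M)
NATIVE = re.compile(r"^\s*switchport trunk native vlan\s+(\d+)", re.I | re.M)

def router_vlans(cfg):
    """VLAN ids carried by dot1Q subinterfaces, and the one marked native (None if absent)."""
    found = [(int(v), bool(n)) for v, n in ENCAP.findall(cfg)]
    return {v for v, _ in found}, next((v for v, n in found if n), None)

def expand(spec):
    """'1,10-12,20' -> {1, 10, 11, 12, 20}"""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def switch_trunk(cfg):
    """Allowed VLAN set (all matching lines merged) and native VLAN (IOS default is 1)."""
    allowed = set().union(*(expand(s) for s in ALLOWED.findall(cfg)))
    m = NATIVE.search(cfg)
    return allowed, int(m.group(1)) if m else 1

def audit(router_cfg, switch_cfg):
    """List mismatches between the router's dot1Q subinterfaces and the switch trunk."""
    r_vlans, r_native = router_vlans(router_cfg)
    s_allowed, s_native = switch_trunk(switch_cfg)
    findings = [f"VLAN {v}: routed on router but pruned from switch trunk" for v in sorted(r_vlans - s_allowed)]
    findings += [f"VLAN {v}: allowed on trunk but has no router subinterface" for v in sorted(s_allowed - r_vlans)]
    if r_native != s_native:
        findings.append(f"native VLAN mismatch: router {r_native}, switch {s_native}")
    return findings
```

Run against the page's own values, `audit(ROUTER_CFG, SWITCH_CFG)` flags VLAN 30 as pruned, VLAN 1 as trunked without a subinterface, and the native mismatch (router 30, switch default 1); `allowed vlan all/none/except/remove` forms are not parsed.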
An alternative would be to make the management interface on your switch part of vlan10. If you remove the IP address from int fa0/1 on the router, and add “int vlan 10” on the switch from config mode, add the original switch mgmt IP address from vlan 10 on the switch (10.10.10.100) then add the command “management” under int vlan 10, it should work just fine if you have a somewhat recent IOS on the switch. If the command isn’t “management” it’s something very similar, good old ? will help. I do this on many switches, because it’s not always a good idea to have a management interface on the default vlan1. It is also a good idea, in a large network, to set aside subnets for device management in each campus location, which makes routing and network device management security policies much more scalable and easy to maintain.