Today I will show you how to build a so-called “Router-on-a-stick” environment. In this example we have one Cisco router, one HP ProCurve switch and three subnets: the Server LAN 192.168.15.0/24 (VLAN 1, native), the Marketing LAN 192.168.23.0/24 (VLAN 10) and the Sales LAN 192.168.54.0/24 (VLAN 20).
First we configure stateful inspection profiles (ip inspect), one per subnet, so that when a host inside opens a connection to the internet, the return packets are allowed back in through the inbound access-list on our WAN interface:
ip inspect name Marketing tcp
ip inspect name Marketing udp
ip inspect name Marketing icmp
ip inspect name Sales tcp
ip inspect name Sales udp
ip inspect name Sales icmp
ip inspect name Server tcp
ip inspect name Server udp
ip inspect name Server icmp
To reach the internet we NAT (PAT overload) packets destined for public IP addresses; the RFC 1918 ranges are excluded so that traffic between our own subnets is not translated (in this example the WAN side is a PPPoE DSL Dialer interface):
ip access-list extended tonat
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip nat inside source list tonat interface Dialer1 overload
interface Dialer1
ip nat outside
ip access-group wan_in in
ip access-list extended wan_in
remark Inbound ACL for VPN traffic
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
Now it’s time to configure sub-interfaces on the physical interface that is connected to our primary HP ProCurve switch. Leave the physical interface itself at its default settings (no IP address):
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
Now we create the sub-interfaces on that interface and 802.1Q-tag the traffic for the Marketing and Sales subnets; the Server LAN stays untagged as the native VLAN:
interface GigabitEthernet0/0.1
description Server LAN
encapsulation dot1Q 1 native
ip address 192.168.15.254 255.255.255.0
ip nat inside
ip inspect Server in
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface GigabitEthernet0/0.10
description Marketing LAN
encapsulation dot1Q 10
ip address 192.168.23.254 255.255.255.0
ip nat inside
ip inspect Marketing in
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface GigabitEthernet0/0.20
description Sales LAN
encapsulation dot1Q 20
ip address 192.168.54.254 255.255.255.0
ip nat inside
ip inspect Sales in
ip virtual-reassembly in
ip tcp adjust-mss 1452
We can also apply access-lists on the sub-interfaces to block traffic between the Sales and Marketing networks while still allowing both to reach the Server LAN and the internet:
ip access-list extended sales_in
deny ip 192.168.54.0 0.0.0.255 192.168.23.0 0.0.0.255
permit ip 192.168.54.0 0.0.0.255 any
interface GigabitEthernet0/0.20
ip access-group sales_in in
ip access-list extended marketing_in
deny ip 192.168.23.0 0.0.0.255 192.168.54.0 0.0.0.255
permit ip 192.168.23.0 0.0.0.255 any
interface GigabitEthernet0/0.10
ip access-group marketing_in in
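To verify that the three access-lists above really express the intended segmentation (Sales and Marketing isolated from each other, both able to reach the server and the internet, and inter-VLAN traffic excluded from NAT), here is an added example that is not part of the original post: a small first-match evaluator for IOS extended “ip” entries with wildcard masks. The ACL text is copied from the configuration above; the host addresses are constructed sample values.

```python
import ipaddress

# Constructed copies of the three extended ACLs from the configuration above.
ACLS = {
    "sales_in": ["deny ip 192.168.54.0 0.0.0.255 192.168.23.0 0.0.0.255",
                 "permit ip 192.168.54.0 0.0.0.255 any"],
    "marketing_in": ["deny ip 192.168.23.0 0.0.0.255 192.168.54.0 0.0.0.255",
                     "permit ip 192.168.23.0 0.0.0.255 any"],
    "tonat": ["deny ip any 10.0.0.0 0.255.255.255",
              "deny ip any 172.16.0.0 0.15.255.255",
              "deny ip any 192.168.0.0 0.0.255.255",
              "permit ip any any"],
}

def _addr_matcher(tokens, i):
    """Consume 'any' or 'address wildcard' at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    fixed = ~wild & 0xFFFFFFFF          # IOS wildcard: 1 bits are "don't care"
    return (lambda ip: (int(ipaddress.IPv4Address(ip)) & fixed) == (base & fixed)), i + 2

def evaluate(acl, src, dst):
    """First-match evaluation of an extended 'ip' ACL, implicit deny at the end.
    Returns True when the packet is permitted."""
    for entry in acl:
        tokens = entry.split()
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError("this example only handles 'ip' entries")
        src_ok, i = _addr_matcher(tokens, 2)
        dst_ok, _ = _addr_matcher(tokens, i)
        if src_ok(src) and dst_ok(dst):
            return action == "permit"
    return False                         # implicit deny

def segmentation_check():
    """Check the design intent with constructed sample hosts (203.0.113.7 = TEST-NET)."""
    sales, marketing = "192.168.54.10", "192.168.23.10"
    server, internet = "192.168.15.5", "203.0.113.7"
    return {
        "sales_to_marketing": evaluate(ACLS["sales_in"], sales, marketing),
        "marketing_to_sales": evaluate(ACLS["marketing_in"], marketing, sales),
        "sales_to_server": evaluate(ACLS["sales_in"], sales, server),
        "sales_to_internet": evaluate(ACLS["sales_in"], sales, internet),
        # a Sales host forging a Marketing source address hits the implicit deny
        "sales_spoofed_source": evaluate(ACLS["sales_in"], marketing, internet),
        "nat_sales_to_server": evaluate(ACLS["tonat"], sales, server),
        "nat_sales_to_internet": evaluate(ACLS["tonat"], sales, internet),
    }
```

A side effect worth knowing: because each inbound ACL only permits its own subnet as source, packets with a forged source address from another VLAN are dropped by the implicit deny.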
On a Cisco router, the physical interface carrying the sub-interfaces always needs exactly one native VLAN (its frames carry no VLAN tag). As the last step we configure the HP ProCurve switch; we use a 2510 with 24 ports.
The port assignment is as follows:
Port 1-12: VLAN 10 (Marketing LAN)
Port 13-20: VLAN 20 (Sales LAN)
Port 21-23: VLAN 1 (Server LAN)
Port 24: VLAN Trunk (Cisco Router)
Configuration of the switch:
vlan 1
name "Server LAN"
untagged 21-24
ip address 192.168.15.250 255.255.255.0 // management address; it must lie in the VLAN 1 (Server LAN) subnet routed by GigabitEthernet0/0.1
no untagged 1-20
exit
vlan 10
name "Marketing LAN"
untagged 1-12
tagged 24
exit
vlan 20
name "Sales LAN"
untagged 13-20
tagged 24
exit
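The rule that exactly one VLAN is native on the router and travels untagged on the switch side is the classic source of trouble in this setup. As an added example (not part of the original post), this check compares the router sub-interfaces with the VLAN membership of the switch trunk port 24 from the configuration above and reports any mismatch, including the case where the native VLAN is also tagged on the trunk port. The data structures are constructed from the configuration; the failure case is a constructed example.

```python
# Constructed from the configuration above: the router's sub-interfaces on
# GigabitEthernet0/0 and the VLAN membership of ProCurve port 24 (the trunk).
ROUTER_SUBIFS = {
    "GigabitEthernet0/0.1":  {"vlan": 1,  "native": True},   # encapsulation dot1Q 1 native
    "GigabitEthernet0/0.10": {"vlan": 10, "native": False},  # encapsulation dot1Q 10
    "GigabitEthernet0/0.20": {"vlan": 20, "native": False},  # encapsulation dot1Q 20
}
SWITCH_TRUNK_PORT = {"untagged": {1}, "tagged": {10, 20}}    # port 24 in the switch config

def check_trunk(subifs, port):
    """Compare router sub-interfaces with the switch trunk port.
    Returns a list of problems; an empty list means both sides agree."""
    problems = []
    native = {s["vlan"] for s in subifs.values() if s["native"]}
    tagged = {s["vlan"] for s in subifs.values() if not s["native"]}
    if len(native) != 1:
        problems.append(f"router must have exactly one native sub-interface, found {sorted(native)}")
    if native != port["untagged"]:
        problems.append(f"router native VLAN {sorted(native)} != switch untagged VLAN {sorted(port['untagged'])}")
    # the native VLAN travels untagged; tagging it on the switch side breaks
    # the mapping the router's native sub-interface expects
    if native & port["tagged"]:
        problems.append(f"native VLAN {sorted(native & port['tagged'])} is also tagged on the switch port")
    for v in sorted(tagged - port["tagged"]):
        problems.append(f"VLAN {v} has a tagged router sub-interface but is not tagged on the switch port")
    for v in sorted(port["tagged"] - tagged - native):
        problems.append(f"VLAN {v} is tagged on the switch port but has no router sub-interface")
    return problems

# Constructed failure case: VLAN 1 tagged on the trunk port together with the
# other VLANs, while the router still expects VLAN 1 untagged (native).
MISTAGGED_PORT = {"untagged": set(), "tagged": {1, 10, 20}}
```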
Don’t forget to save the router and switch configuration with “write memory”. Now you have a complete router-on-a-stick infrastructure. Feel free to ask questions in the comments below :)
9 Responses
That really was new to me. Your blog is really a good source for things about Gigabitethernet0 0.1. Thanks, Klaus!
Great tutorial!
I have a similar network although I want the Cisco router to be the DHCP server for both VLAN1+10+20
How would you apply this in the router and the HP switch?
Hi Mikhail :)
thank you! You can configure different DHCP scopes at the cisco router like this:
ip dhcp pool VLAN1DHCPSCOPE
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.1
domain-name company.local
lease 2
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
ip dhcp pool VLAN10DHCPSCOPE
network 192.168.10.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.10.1
domain-name company.local
lease 2
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.150 192.168.10.254
ip dhcp pool VLAN20DHCPSCOPE
network 192.168.20.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.20.1
domain-name company.local
lease 2
ip dhcp excluded-address 192.168.20.1 192.168.20.99
ip dhcp excluded-address 192.168.20.150 192.168.20.254
The scope will only give IP addresses to clients where the router has a routing interface in it. So “VLAN1DHCPSCOPE” will only give IP addresses from 192.168.1.100-149.
After your configuration you can start the service with “service dhcp” and can watch bindings with “show ip dhcp binding”. When you have placed an access-list inbound to a vlan interface, keep in mind that you allow ipless bootps packets like this:
ip access-list extended lan_in
permit udp any any eq bootps
If you have any further questions, don’t hesitate to reply :) I hope I could help you with this. Have a nice day!
Wow, I didn’t expect such a quick reply thank you!
You will have to forgive me as I am quite new to Cisco router config and VLANing
I am used to configuring via web UIs but I am reasonably comfortable with the CLI as I have spent so much time trying to work out this configuration in the last couple of weeks.
Basically, I have a Cisco 881 router and a HP ProCurve 2520 series and want to have 2 VLANs. (I googled this and your page came up first!)
Like you explained above. I have 2 VLANs configured with DHCP on the 881
VLAN1 = Management 10.1.1.0/24
VLAN2 = Guest 172.1.1.0/24 (completely isolated from VLAN1)
Cisco 881 FE0 > straight patch HP Procurve Port 24
When the switch is in default mode with native VLAN1 across 1-24 I get DHCP address fine from the 10.1.1.0/24 network.
This is as far as I got as I think I am doing something wrong with the ProCurve Switch or the Cisco 881
I know FE0 needs to be set up as a trunk 802.1q with sub-interfaces for the 2 VLANs.
I am unsure if this has been configured correctly as every tutorial describes the same commands (FA0/0.1); this has never worked for this router for some reason, so I am assuming the sub-interfaces are assigned to FE0 somehow (a friend of mine said he found a way to do it)
On the HP ProCurve I know I need to tag port 24 for VLAN1 + VLAN2 for 802.1q
Ports 3-12 are untagged for VLAN1
Ports 13-23 are untagged for VLAN2
Ports 1-2 will have a Ruckus Zone Director and access point. It will have 2 SSIDs, one for VLAN1, the other for VLAN2 – I’m presuming I tag ports 1-2 for VLAN1+VLAN2.
However, when I patch into any port after I have configured the VLANs on the switch I get a self-assigned IP address of 169.xxx.xxx.xxx and from there I have to default the switch and start again. I was thinking it was some kind of DHCP issue but I don’t think that’s the case as I get DHCP when the switch is in default and native VLAN across all ports.
I am at a loss now as every tutorial I have tried does not work.
I appreciate your response. I will definitely be keeping up with your blog!
Then your config will be like this:
ProCurve Switch:
vlan 1
untagged 24
vlan 2
tagged 24
Cisco Router:
default interface FastEthernet0
interface FastEthernet0.1
encapsulation dot1Q 1 native
ip address 10.1.1.x 255.255.255.0
interface FastEthernet0.2
encapsulation dot1Q 2
ip address 172.1.1.x 255.255.255.0
One VLAN interface needs to be native in the Cisco router (native = no VLAN tag on the IP packet), so you don’t tag it on the HP switch. Only the other VLANs will be tagged (in your example VLAN 2).
Try this and contact me again if it’s working. You can also send me your cisco router and hp switch config, it’s the “show run” output. You can find my mail address here http://www.google.com/recaptcha/mailhide/d?k=01-KfNaX7fWLTHh7BlPfSmYg==&c=Shd3_hwuUfmGT_Kan8Af3LC9KD0pKJALlMKCEy6AVpY=
Thanks. that helped.
Can you shed light on my config as well please. Trying to get a Cisco ASA sub-interface to communicate with a HP ProCurve dynamic trunk running with GVRP. Any ideas?
Hi laposki,
you can configure subinterfaces like
asa(config)#interface gigabitethernet0/1.22
asa(config-if)# vlan 22
you can also post your anonymised ASA and ProCurve Switch config or you can write me an email. The address can be found after typing the captcha: http://www.google.com/recaptcha/mailhide/d?k=01-KfNaX7fWLTHh7BlPfSmYg==&c=Shd3_hwuUfmGT_Kan8Af3LC9KD0pKJALlMKCEy6AVpY=