Switch to Router-on-a-Stick Communication

In January I described how I configured my Cisco 2651XM router to pass traffic between two VLANs on my Cisco 2950T-24 switch. I never assigned an IP for management purposes to the switch, since I always reached it via console cable. Today I decided to try upgrading the switch IOS, but that required applying a management IP to the switch.

My router had this configuration on the interface facing the switch:
interface FastEthernet0/1
description Connection to gruden, Cisco switch
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 172.27.20.1 255.255.255.0

I assumed that if I assigned a management IP to my switch with either a 10.10.10.0/24 or 172.27.20.0/24 address, the switch would be able to speak to the router. I assigned 10.10.10.100/24 to the switch. Because switches do not receive IPs on individual ports, I applied the IP to VLAN 1:

gruden(config)#int vlan1
gruden(config-if)#ip address 10.10.10.100 255.255.255.0
gruden(config-if)#no shutdown
gruden(config-if)#exit
gruden(config)#ip default-gateway 10.10.10.1
gruden(config)#end

Unfortunately, this did not work. I could not reach the router from the switch and vice-versa.

I decided to try assigning a new IP address directly to router interface fa0/1, and giving the switch an IP in the same netblock:

gill(config)#int fa0/1
gill(config-if)#ip address 192.168.168.1 255.255.255.0
gill(config-if)#no shutdown
gill(config-if)#end

Here's how I configured the switch:

gruden(config)#int vlan1
gruden(config-if)#ip address 192.168.168.2 255.255.255.0
gruden(config-if)#no shutdown
gruden(config-if)#exit
gruden(config)#ip default-gateway 192.168.168.1
gruden(config)#end

That did it. Now I can reach both devices. Apparently the switch can only communicate with the router when the address on the switch is outside of the VLANs in use. I believe Todd Lammle refers to this sort of setup as a management overlay network, where certain IPs are used solely for device management.

If anyone can comment on this design or suggest an alternative, I welcome feedback. I think the wrinkle in my setup involves the router having to pass traffic between VLANs 10 and 20.

Comments

Anonymous said…
An alternative would be to make the management interface on your switch part of vlan10. If you remove the IP address from int fa0/1 on the router, and add "int vlan 10" on the switch from config mode, add the original switch mgmt IP address from vlan 10 on the switch (10.10.10.100) then add the command "management" under int vlan 10, it should work just fine if you have a somewhat recent IOS on the switch. If the command isn't "management" it's something very similar, good old ? will help. I do this on many switches, because it's not always a good idea to have a management interface on the default vlan1. It is also a good idea, in a large network, to set aside subnets for device management in each campus location, which makes routing and network device management security policies much more scalable and easy to maintain.
Barney,

Thanks for the idea. You saw I assigned a completely new IP address (192.168.168.2/24) for switch management. I assigned a new IP to fa0/1 on the router (192.168.168.1). Would you recommend that I move that router IP to a third subinterface, say fa0/1.3?
Anonymous said…
Yup that works just fine. I assume you realize why your first example didn't work.

You could create a 3rd sub-interface, as you suggest, though I'm certain that you would also have to put that subinterface in the native vlan. Some people do not like using vlan1 in their networks, there are some security reasons for doing this, though not having equipment on vlan1 does have its drawbacks.

Some references to using vlan1 in an ethernet switched network can be found in http://www.nsa.gov/snac/os/switch-guide-version1_01.pdf even though that pdf mostly references the layer3 3550 switch, much is still relevant.
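The two alternatives raised in the comments, written out as IOS configuration. This is an added example, not configuration from the post or from its commenters; the hostnames (gruden, gill), addresses and subinterface numbers come from the post, while the switch uplink port FastEthernet0/24 is an assumption. The first alternative puts the switch's management address on VLAN 10, which the router already terminates on fa0/1.1; the second keeps the post's working 192.168.168.0/24 addressing but moves the router's address from the physical fa0/1 to a third subinterface bound to the native VLAN, which is where the untagged frames from the switch's "int vlan1" arrive on the trunk.

```cisco
! Added example (not the post's own config). Assumed: switch uplink is Fa0/24.

! --- Alternative 1 (first comment): management SVI on VLAN 10 ---
! Switch "gruden" (Catalyst 2950, Layer 2 only: one management SVI active at a time,
! so VLAN 1's SVI is shut down when VLAN 10's is brought up)
interface FastEthernet0/24
 description Uplink to gill (router-on-a-stick trunk)
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.10.10.100 255.255.255.0
 no shutdown
!
ip default-gateway 10.10.10.1
!
! Router "gill": fa0/1.1 (encapsulation dot1Q 10, 10.10.10.1) already terminates
! VLAN 10, so the switch's tagged management frames reach it. Only the address
! the post later placed on the physical interface needs to be removed.
interface FastEthernet0/1
 no ip address

! --- Alternative 2 (second comment): third subinterface on the native VLAN ---
! Router "gill": move 192.168.168.1 from fa0/1 to a subinterface marked native,
! so it receives the untagged VLAN 1 frames the switch sends over the trunk.
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.3
 encapsulation dot1Q 1 native
 ip address 192.168.168.1 255.255.255.0
!
! Switch "gruden": the post's working config stays as it is
! (int vlan1 192.168.168.2/24, ip default-gateway 192.168.168.1).
```

To check either design, ping the router's address for the chosen VLAN from the switch (10.10.10.1 or 192.168.168.1) and run "show interfaces trunk" on the switch to confirm the uplink is trunking with native VLAN 1 and VLANs 10 and 20 allowed. Alternative 1 has the advantage the first commenter points out: management traffic no longer rides the default VLAN 1.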
