The Router on a Stick network uses one connection between the router and the switch. The switch
must be VLAN'd, and normally on a VLAN'd switch a port is assigned to just one VLAN. In the Router on a Stick configuration, the port is assigned
multiple VLANs and is called a trunk. There are a few standards for configuring the trunk; the method used in these examples is IEEE802.1Q, sometimes
referred to as "dot1q".
Router on a Stick network
In order to utilize the Router on a Stick network, your switch must be VLAN'd, your switch must support a trunking method like
dot1q and your router must support the dot1q trunking method. Most consumer level broadband wireless routers do not support dot1q routing at this time.
Typically, you would be looking at an enterprise level router and switch for these services which naturally are more expensive.
Aftermarket Router Firmware
There are several aftermarket router firmware upgrades, both free open-source and paid, that can add more capabilities to your
router. The result is that your el-cheapo router gets a hit of steroids and provides features normally seen only on expensive enterprise-class
routers. One of these is DD-WRT, which allows you to VLAN the internal switch, assign each port to a VLAN
and create an individual DHCP server for each VLAN. Unfortunately, aftermarket router firmware upgrades require a level of expertise and
patience to get working correctly.
IEEE802.1Q (dot1q) Background Info
Dot1q only exists within a switch OR between switches OR between a switch and a router, as in this Router on a Stick network. Its job is to tag traffic
on the trunk with the VLAN ID so that the destination knows which VLAN the Ethernet frame belongs to.
This is called tagging the Ethernet frame. The Ethernet frame is modified with tagging information according to the IEEE802.1Q standard, and
again the tag ONLY exists on the trunk. When the frame reaches its destination (the router or the switch), the tagging is removed.
Frame Tagging on dot1q Trunk
In the above image, the Ethernet frames belonging to VLAN 10 will be tagged with the VLAN ID "10"; similarly, VLAN 20, 30 and 40 frames will be tagged
with the VLAN IDs 20, 30 and 40 respectively. When an Ethernet frame leaves the switch and goes to an end device like a PC or laptop, the dot1q
tagging is removed. The tagging only exists within a switch OR between switches OR between a switch and a router, as in this Router on a Stick network.
There are a few special VLANs that are associated with a dot1q network:
- Native VLAN - This is the default VLAN that all switch ports initially belong to. When you first turn on a switch, all ports are automatically
assigned to the native VLAN, which normally has the VLAN ID 1 (one). This is so that the switch works right out of the box until you configure it
for VLANs. An important point is that any port that is not assigned by you to a specific VLAN (like 10, 20, 30 or 40 in our example) will be
automatically assigned to VLAN 1.
This opens up a security hole! So for good physical security, all unused ports should be closed. Enterprise-level switches allow you to turn off
or shut down unused ports. Another important point is that untagged traffic coming into a switch is automatically assigned to the native VLAN.
With this knowledge, you will want to control where untagged traffic goes by changing the native VLAN's ID to a controlled VLAN of your choice.
- Management VLAN - Good practice in a large network is to have a special VLAN called the Management VLAN for security purposes. Its
purpose is to connect all of the network devices like switches and routers together for administration and configuration. This is a private VLAN
that only system admins can access. Normal day to day users and guests on the network do not have access to it and therefore cannot hack the system.
I've seen many examples of VLAN'd networks where the Management VLAN and the native VLAN are the same VLAN. This is BAD practice! Anyone
who physically connects to the default VLAN either accidentally or through a switch port that defaults to the native VLAN will now have access to
the Management VLAN. Untagged traffic will now be on what should be a secure network! Always separate your native VLAN and Management VLAN.
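To make the tagging and native-VLAN behaviour above concrete, here is an added example (not part of the original article) that models in Python what a dot1q trunk port does with a frame: inserting and stripping the 4-byte 802.1Q tag, and deciding which VLAN an incoming frame belongs to, with untagged frames landing on the native VLAN. The MAC addresses and payload are constructed sample values; the VLAN IDs 1, 10, 20, 30, 40 and 99 are the ones used in the article.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame

# Constructed sample frame (not from the article): dst MAC, src MAC, EtherType IPv4, dummy payload
UNTAGGED_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                  + b"\x08\x00" + b"sample payload")

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the destination and source MACs (bytes 0-11).
    Tag = TPID (0x8100) + TCI, where TCI = PCP(3 bits) | DEI(1 bit, 0 here) | VID(12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def is_tagged(frame: bytes) -> bool:
    """True if the EtherType position carries the 802.1Q TPID."""
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q

def untag_frame(frame: bytes) -> bytes:
    """Strip the tag, as the switch does before forwarding to an access port (PC, laptop)."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame

def classify_ingress(frame: bytes, native_vlan: int) -> int:
    """Return the VLAN a dot1q trunk port assigns to an incoming frame.
    Tagged frames go to their VID. Untagged frames, and VID 0 'priority-tagged'
    frames (which 802.1Q defines as carrying no VLAN), land on the native VLAN."""
    if not is_tagged(frame):
        return native_vlan
    tci = struct.unpack("!H", frame[14:16])[0]
    vid = tci & 0x0FFF
    return vid if vid != 0 else native_vlan

def native_vlan_exposure(native_vlan: int, mgmt_vlan: int) -> bool:
    """True if an untagged frame arriving on the trunk would land on the Management VLAN,
    which is the misconfiguration the article warns about (native VLAN == Management VLAN)."""
    return classify_ingress(UNTAGGED_FRAME, native_vlan) == mgmt_vlan

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED_FRAME, 10)
    print("tag bytes:", tagged[12:16].hex())                   # 8100000a
    print("VLAN on trunk:", classify_ingress(tagged, native_vlan=99))
    print("untagged -> native 1 hits mgmt 1:", native_vlan_exposure(1, 1))
    print("untagged -> native 99 hits mgmt 1:", native_vlan_exposure(99, 1))
```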
You must configure both ends of the trunk: the switch side and the router side. This example is based on Cisco configuration,
only because that's what I'm used to. Other brands will be configured similarly.
The router-side subinterface configuration shown below is repeated for each VLAN (10, 20, 30 and 40), so 4 subinterfaces are created in total.
- Switch Configuration - On the switch, you must configure the port to the router as a dot1q trunk.
interface fastethernet0/5                  <-- this is port 5, which is connected to the router
  switchport trunk encapsulation dot1q     <-- optional, indicates the trunk protocol
  switchport mode trunk                    <-- configures the port as a trunk
  switchport trunk native vlan 99          <-- sets VLAN ID 99 as the native VLAN for the trunk
- Router Configuration - On the router, you do something a little different: you create a subinterface for each VLAN on the physical
Ethernet port. The subinterface becomes the default gateway for the VLAN. This is an example for the VLAN 10 subinterface; the other VLANs
are configured similarly:
interface fa0/0                            <-- this is the physical interface
  no shutdown                              <-- in the Cisco world, this is how you turn on the interface
interface fa0/0.10                         <-- this creates the subinterface and ties it to VLAN 10
  encapsulation dot1q 10                   <-- this uses IEEE802.1Q tagging of frames, VLAN ID 10
  ip address 192.168.10.1 255.255.255.0    <-- assign an IP address to the subinterface
You only need to turn on the physical interface. As a matter of fact, you must turn on the physical interface for the subinterfaces to work.
The IP address assigned to the subinterface becomes the default gateway for the VLAN. So in the above example 192.168.10.1 is the default gateway for
VLAN 10. The neat part is that routing between subinterfaces is automatic: no routing rules need to be configured, as the router is aware
of any networks directly connected to it. In this case, it is aware of the networks connected to the subinterfaces through each subinterface's IP address
and subnet mask.
The advantages of a Router on a Stick network are:
- Voice and data traffic are on separate VLANs
- The number of VLANs is not limited by the number of router LAN ports, as only one port is required
- Only one LAN connection is required for multiple VLANs
The disadvantages of a Router on a Stick network are:
- It is more complex to set up compared to other networks
- Traffic between VLANs goes into the router and out of the router through the same port
- The trunk is a major source of congestion
I've found that the trunk becomes a major source of congestion as all interVLAN traffic has to go in and out on the same port. So if VLAN 10 wanted to talk
to VLAN 20, then traffic from VLAN 10 would go to the router via the trunk. The router would route the traffic to VLAN 20's subinterface and then
out the same trunk. I've measured that the trunk can only carry 60% of traffic compared to having separate ports for VLANs.
Router on a Stick networks were a 90s solution to interVLAN routing. A much better, more modern solution is a
Layer 3 switch.