Router on a Stick Network

The Router on a Stick network uses one connection between the router and the switch. The switch must be VLAN'd and normally on a VLAN'd switch port, the port is assigned to just one VLAN. In the Router on a Stick configuration, the port is assigned multiple VLANs and called a trunk. There are a few standards for configuring the trunk, the method used in these examples is IEEE802.1Q sometimes referred to as "dot1q".

Router on a Stick network

In order to utilize the Router on a Stick network, your switch must be VLAN'd, your switch must support a trunking method like dot1q and your router must support the dot1q trunking method. Most consumer level broadband wireless routers do not support dot1q routing at this time. Typically, you would be looking at an enterprise level router and switch for these services which naturally are more expensive.

Aftermarket Router Firmware

There are several aftermarket router firmware upgrades that are both free open source and paid upgrades that can add more capabilities to your router. The result is that your el-cheapo router gets a hit of steroids and provides features normally seen only on expensive enterprise class routers. One of these is DD-WRT which allows you to VLAN the internal switch, assign each port to a VLAN and create individual DHCP servers for each VLAN. Unfortunately, aftermarket router firmware upgrades require a level of expertise and patience to get working correctly.

IEEE802.1Q (dot1q) Background Info

Dot1q only exists within a switch OR between switches OR between a switch and a router as in this Router on a Stick network. It's job is to tag traffic on the trunk with the VLAN ID so that the destination knows which VLAN to send the Ethernet frame. This is called tagging the Ethernet frame. The Ethernet frame is modified with tagging information according to the IEEE802.1Q standard and again ONLY exists on the trunk. When the frame reaches its destination (the router or the switch), the tagging is removed.

Frame Tagging on dot1q Trunk

In the above image, the Ethernet frames belonging to VLAN 10 will be tagged with the VLAN ID "10", similarly VLAN 20, 30 and 40 frames will be tagged with the VLAN IDs 20, 30 and 40 respectively. When an Ethernet frame leaves the switch and goes to an end device like a PC or Laptop, the dot1q tagging is removed. The tagging only exists within a switch OR between switches OR between a switch and a router as in this Router on a Stick network

Special VLANs

There are a few special VLANs that are associated with a dot1q network:

  • Native VLAN - This is the default VLAN that all switches initially boot to. When you first turn on a switch, all ports are automatically assigned to the native VLAN which normally has the VLAN ID 1 (one). This is so that the switch works right out of the box until you configure it for VLANs. An important point is that any port that is not assigned by you to a specific VLAN (like 10, 20, 30 or 40 in our example) will be automatically assigned to VLAN 1.

    This opens up a security hole! So for good physical security, all unused ports should be closed. Enterprise level switches allow you to turn off or shut down unused ports. Another important point is that untagged traffic coming into a switch is automatically assigned to the native VLAN. With this knowledge, you will want to control where untagged traffic goes to by changing the native VLAN's ID to a controlled VLAN of your choice.

  • Management VLAN - Good practice in a large network is to have a special VLAN called the Management VLAN for security purposes. Its purpose is to connect all of the network devices like switches and routers together for administration and configuration. This is a private VLAN that only system admins can access. Normal day to day users and guests on the network do not have access to it and therefore cannot hack the system.

    I've seen in many examples of VLAN'd networks where the Management VLAN and the native VLAN are the same VLAN. This is BAD practice! Anyone who physically connects to the default VLAN either accidentally or through a switch port that defaults to the native VLAN will now have access to the Management VLAN. Untagged traffic will now be on what should be a secure network! Always separate your native VLAN and Management VLAN.

Configuration Example

You must configure both ends of the trunk: the switch side and the router side. This example is based on Cisco configuration, only because that's what I'm used to. Other brands will be configured similarly.

  • Switch Configuration - On the switch, you must configure the port to the router as a dot1q trunk.

    interface fastethernet0/5   <-- this is port 5 that is connected to the router
    switchport trunk encapsulation dot1q  <-- optional, indicates trunk protocol
    switchport mode trunk  <-- configures port as a trunk
    switchport trunk native vlan 99 <-- sets VLAN ID 99 as the native VLAN for the trunk

  • Router Configuration - On the router, you do something a little different, you create a subinterface for each VLAN on the physical Ethernet port. The subinterface becomes the default gateway for the VLAN. This is an example for the VLAN 10 subinterface, the other VLANs are configured similarly:

    interface fa0/0   <-- this is the physical interface
    no shutdown   <-- in the Cisco world, this is how you turn on the interface
    interface fa0/0.10   <-- this creates the subinterface and ties it to VLAN 10
    encapsulation dot1q 10 <-- This uses IEEE802.1Q tagging of frames
    ip address  <-- assign an IP address to the subinterface

    You only need to turn on the physical interface. As a matter of fact, you must turn on the physical interface for it to work.

This would be done for each VLAN: 20, 30 and 40. So there would be 4 subinterfaces created.

InterVLAN Routing

The IP address assigned to the subinterface becomes the default gateway for the VLAN. So in the above example is the default gateway for VLAN 10. The neat part is that the routing is automatically done between subinterfaces, no routing rules need be configured as the router is aware of any networks directly connected to it. In this case, it is aware of the networks connected to the subinterfaces by the subinterface's IP address and subnet mask.


The advantages to a Router on a Stick Network are

  • Voice and data traffic are on separate VLANs
  • The number of VLANs are not limited by the number of router LAN ports as only one port is required
  • Only one LAN connection is required for multiple VLANs


The disadvantages to a Router on a Stick Network are:

  • It is more complex to set up compared to other networks
  • Traffic between VLANs goes into the router and out of the router through the same port
  • The trunk is a major source of congestion

I've found that the trunk becomes a major source of congestion as all interVLAN traffic has to go in and out on the same port. So if VLAN 10 wanted to talk to VLAN 20, then traffic from VLAN 10 would go to the router via the trunk. The router would route the traffic to VLAN 20's subinterface and then out the same trunk. I've measured that the trunk can only carry 60% of traffic compared to having separate ports for VLANs.


Router on a Stick networks were a 90s solution to interVLAN routing. A much better solution is to use a more modern solution: Layer 3 switch.

If this page has helped you, please consider donating $1.00 to support the cost of hosting this site, thanks.

Return to

TelecomWorld 101

Copyright July 2013 Eugene Blanchard