Lab 1 proved VLANs isolate traffic at Layer 2. Lab 2 adds the next piece — a router that sits above those VLANs and routes between them in a controlled way. This is the classic router-on-a-stick topology: one physical router interface, multiple logical subinterfaces, each one handling a different VLAN.
The lab has two parts. Part 1 is the same VLAN configuration from Lab 1 — build it from scratch again, practice makes it automatic. Part 2 adds a third switch and a router, configures dot1q subinterfaces, and routes between the Student and Staff subnets.
★ TOPOLOGY
[ DEVICES ]
R1 — ISR 1321 (router)
SW1 — Cisco 2960-24TT
SW2 — Cisco 2960-24TT
SW3 — Cisco 2960-24TT (uplink switch)
PC1, PC2, PC5, PC6 — VLAN 10 (Students)
PC3, PC4 — VLAN 100 (Staff)
SW1 — Cisco 2960-24TT
SW2 — Cisco 2960-24TT
SW3 — Cisco 2960-24TT (uplink switch)
PC1, PC2, PC5, PC6 — VLAN 10 (Students)
PC3, PC4 — VLAN 100 (Staff)
[ CONNECTIONS ]
R1 G0/0/0 → SW3 F0/1 (router uplink)
SW3 G0/1 → SW1 F0/1 (trunk)
SW3 G0/2 → SW2 F0/1 (trunk)
SW3 F0/0 → trunk port
SW1 F0/2 → PC1 · SW1 F0/3 → PC2 · SW1 F0/4 → PC3
SW2 F0/2 → PC4 · SW2 F0/3 → PC5 · SW2 F0/4 → PC6
SW3 G0/1 → SW1 F0/1 (trunk)
SW3 G0/2 → SW2 F0/1 (trunk)
SW3 F0/0 → trunk port
SW1 F0/2 → PC1 · SW1 F0/3 → PC2 · SW1 F0/4 → PC3
SW2 F0/2 → PC4 · SW2 F0/3 → PC5 · SW2 F0/4 → PC6
★ IP ADDRESSING
| DEVICE | IP ADDRESS | SUBNET | GATEWAY | VLAN |
|---|---|---|---|---|
| PC1 | 192.168.10.1 | /25 | 192.168.10.126 | 10 |
| PC2 | 192.168.10.2 | /25 | 192.168.10.126 | 10 |
| PC3 | 192.168.10.129 | /25 | 192.168.10.254 | 100 |
| PC4 | 192.168.10.130 | /25 | 192.168.10.254 | 100 |
| PC5 | 192.168.10.3 | /25 | 192.168.10.126 | 10 |
| PC6 | 192.168.10.4 | /25 | 192.168.10.126 | 10 |
| R1 G0/0/0.10 | 192.168.10.126 | /25 | — | 10 |
| R1 G0/0/0.100 | 192.168.10.254 | /25 | — | 100 |
[ ⚠ LAST USABLE ADDRESS = DEFAULT GATEWAY ]
Students subnet 192.168.10.0/25 — last usable is .126 (.127 is broadcast)
Staff subnet 192.168.10.128/25 — last usable is .254 (.255 is broadcast)
These become the subinterface IPs on R1 and the default gateways on each PC.
Staff subnet 192.168.10.128/25 — last usable is .254 (.255 is broadcast)
These become the subinterface IPs on R1 and the default gateways on each PC.
▶ PART 1 — VLAN SEGMENTATION
Same foundation as Lab 1. Build VLANs, assign access ports, set up the trunk. The difference here is a third switch (SW3) acting as the distribution layer between the two access switches and the router.
STEP 1 — CREATE VLANS (ALL THREE SWITCHES)
! Run on SW1, SW2, and SW3
Switch(config)# vlan 10
Switch(config-vlan)# name Students
Switch(config)# vlan 100
Switch(config-vlan)# name Staff
Switch(config)# vlan 99
Switch(config-vlan)# name Native_Unused
STEP 2 — ACCESS PORTS ON SW1
! Use interface range to configure multiple ports at once
SW1(config)# interface range fa0/2 - 3
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# spanning-tree portfast
SW1(config)# interface fa0/4
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 100
SW1(config-if)# spanning-tree portfast
STEP 3 — ACCESS PORTS ON SW2
SW2(config)# interface fa0/2
SW2(config-if)# switchport mode access
SW2(config-if)# switchport access vlan 100
SW2(config-if)# spanning-tree portfast
SW2(config)# interface range fa0/3 - 4
SW2(config-if-range)# switchport mode access
SW2(config-if-range)# switchport access vlan 10
SW2(config-if-range)# spanning-tree portfast
STEP 4 — TRUNK BETWEEN SW1 AND SW2
! Run on BOTH SW1 and SW2 on their uplink ports (F0/1)
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,100
Switch(config-if)# switchport trunk native vlan 99
STEP 5 — PART 1 VERIFICATION
Switch# show vlan brief
Switch# show interfaces trunk
[ CLICK TO REVEAL — PART 1 TASKS & VERIFICATION ]
▶
TASK 1
Create VLAN 10 (Students) and VLAN 100 (Staff) on SW1, SW2, and SW3. Use interface range where possible.
TASK 2
On SW1 — Fa0/2 and Fa0/3 access VLAN 10, Fa0/4 access VLAN 100. Enable portfast on all access ports.
TASK 3
On SW2 — Fa0/2 access VLAN 100, Fa0/3 and Fa0/4 access VLAN 10. Enable portfast on all access ports.
TASK 4
Configure trunk between SW1 Fa0/1 and SW2 Fa0/1. Allow VLANs 10 and 100. Native VLAN 99 on both ends.
TASK 5 — PING TEST
Ping PC1 → PC6. Should succeed — both VLAN 10 Students.
TASK 6 — PING TEST
Ping PC1 → PC3. Should fail — VLAN 10 cannot reach VLAN 100 at Layer 2.
[ PART 1 EXPECTED RESULTS ]
PC1 → PC6: SUCCESS (VLAN 10 across trunk)
PC1 → PC3: FAIL (VLAN 10 → VLAN 100, no routing yet)
PC1 → PC3: FAIL (VLAN 10 → VLAN 100, no routing yet)
▶ PART 2 — INTER-VLAN ROUTING
Part 1 proved isolation. Part 2 breaks it — intentionally, with a router making the decisions about what can talk to what. The router connects to SW3, which trunks down to SW1 and SW2. One physical interface on R1 handles both VLANs using logical subinterfaces.
STEP 1 — SW3 TRUNK PORT TO ROUTER
SW3(config)# interface fa0/0
SW3(config-if)# switchport mode trunk
SW3(config-if)# switchport trunk allowed vlan 10,100
SW3(config-if)# switchport trunk native vlan 99
STEP 2 — SW3 TRUNKS TO SW1 AND SW2
SW3(config)# interface g0/1
SW3(config-if)# switchport mode trunk
SW3(config-if)# switchport trunk allowed vlan 10,100
SW3(config-if)# switchport trunk native vlan 99
SW3(config)# interface g0/2
SW3(config-if)# switchport mode trunk
SW3(config-if)# switchport trunk allowed vlan 10,100
SW3(config-if)# switchport trunk native vlan 99
STEP 3 — R1 SUBINTERFACES
! Enable the physical interface first — no IP on the parent
R1(config)# interface g0/0/0
R1(config-if)# no shutdown
! Subinterface for VLAN 10 — Students
R1(config)# interface g0/0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 192.168.10.126 255.255.255.128
! Subinterface for VLAN 100 — Staff
R1(config)# interface g0/0/0.100
R1(config-subif)# encapsulation dot1q 100
R1(config-subif)# ip address 192.168.10.254 255.255.255.128
[ ⚠ ENCAPSULATION BEFORE IP ADDRESS ]
The encapsulation dot1q command must come before the ip address command on every subinterface. If you set the IP first, IOS will accept it but the subinterface won't tag traffic correctly and routing will fail silently.
STEP 4 — ADD DEFAULT GATEWAYS TO PCS
! On each Student PC (VLAN 10) — set gateway to R1's .10 subinterface
Default Gateway: 192.168.10.126
! On each Staff PC (VLAN 100) — set gateway to R1's .100 subinterface
Default Gateway: 192.168.10.254
[ CLICK TO REVEAL — PART 2 TASKS & VERIFICATION ]
▶
TASK 1
Configure SW3 Fa0/0 as a trunk port. Allow VLANs 10 and 100. Native VLAN 99.
TASK 2
Configure SW3 G0/1 and G0/2 as trunk ports toward SW1 and SW2. Same allowed VLANs and native VLAN.
TASK 3
On R1, enable G0/0/0 with no shutdown. Create subinterface G0/0/0.10 with dot1q encapsulation for VLAN 10, IP 192.168.10.126/25. Create G0/0/0.100 with dot1q encapsulation for VLAN 100, IP 192.168.10.254/25.
TASK 4
Add default gateways to all PCs. Students (PC1, PC2, PC5, PC6) → 192.168.10.126. Staff (PC3, PC4) → 192.168.10.254.
TASK 5 — PING TEST
Ping between all subnets. Every PC should be able to reach every other PC now that the router is routing between VLANs.
[ PART 2 EXPECTED RESULTS ]
PC1 → PC3: SUCCESS (routed via R1)
PC1 → PC4: SUCCESS (routed via R1)
PC2 → PC3: SUCCESS (routed via R1)
PC5 → PC4: SUCCESS (routed via R1)
PC6 → PC3: SUCCESS (routed via R1)
All same-VLAN pings: SUCCESS
PC1 → PC4: SUCCESS (routed via R1)
PC2 → PC3: SUCCESS (routed via R1)
PC5 → PC4: SUCCESS (routed via R1)
PC6 → PC3: SUCCESS (routed via R1)
All same-VLAN pings: SUCCESS
⬇ LAB 2 — INTER-VLAN ROUTING v2.0
Topology pre-built. PCs pre-configured with IPs.
Switches and router unconfigured — your job. ⬇ DOWNLOAD LAB FILE
Switches and router unconfigured — your job. ⬇ DOWNLOAD LAB FILE
[ ★ STUDY RESOURCES ]
Running this lab on real Cisco hardware? You'll need an access switch (2960X) and a USB-to-RJ45 console cable. Amazon affiliate.