Router-on-a-Stick

Imagine you have a single physical link connecting two networks, but you need to carry traffic for multiple VLANs across that link. Router-on-a-Stick (ROAS) is the classic Cisco solution that uses a single router interface with subinterfaces to route between VLANs over a trunk link. For the CCNA 200-301 exam (Objective 3.1: IP Connectivity), mastering ROAS is essential because it tests your understanding of VLANs, trunking (802.1Q), subinterfaces, and inter-VLAN routing — all in one tidy configuration. In real networks, this technique is used in small-to-medium enterprises to avoid the cost of a Layer 3 switch, making it a practical skill every network engineer should have.

Updated May 31, 2026

The Apartment Building Mail System

Think of a single apartment building with one main entrance (the physical router interface). Inside, there are multiple apartments (VLANs) — Apartment 101 (VLAN 10), Apartment 102 (VLAN 20), and so on. The mail carrier (the router) stands at the entrance and needs to deliver letters (packets) to the correct apartment. But there's only one mailbox slot at the entrance (the single physical link). How does the carrier know which apartment a letter belongs to?

To solve this, the building manager installs a color-coded label on each letter: a blue sticker for VLAN 10, a red sticker for VLAN 20, and a green sticker for VLAN 30. This sticker is the 802.1Q VLAN tag. The carrier looks at the sticker, then places the letter into the appropriate internal chute labeled for that color. Each chute leads to a separate subinterface inside the router — subinterface G0/0.10 for blue, G0/0.20 for red, etc. The subinterface strips the sticker (removes the 802.1Q tag) and delivers the letter to the actual apartment (the VLAN interface) via the router's routing table. For outgoing mail, the process reverses: the subinterface adds the correct color sticker before the letter goes back through the main entrance to the switch, which then forwards it to the correct apartment based on the sticker.

This analogy works because: (1) the single physical entrance is the trunk link carrying multiple VLANs; (2) the color stickers are 802.1Q tags; (3) the chutes are subinterfaces — each dedicated to one VLAN; (4) the carrier is the router's routing process, deciding where to forward based on destination IP; (5) the building manager configures which chute handles which color — that's the encapsulation dot1Q command. If the carrier gets a letter with no sticker (untagged frame), it goes to the native VLAN chute (usually VLAN 1). If the stickers are misconfigured (e.g., a red sticker but no chute), the letter is dropped — just like a router dropping frames for a VLAN it doesn't have a subinterface for.

How It Actually Works

What is Router-on-a-Stick and Why Does It Exist?

Router-on-a-Stick (ROAS) is a method of inter-VLAN routing where a single physical router interface connects to a switch via a trunk link, and the router uses subinterfaces to route between VLANs. The name comes from the visual: the router sits on one end of a single 'stick' (the trunk link). Before ROAS, inter-VLAN routing required a separate physical router interface for each VLAN, which was expensive and inefficient. ROAS solves this by leveraging 802.1Q trunking, allowing one interface to carry multiple VLANs.

On the CCNA 200-301 exam, ROAS is tested under Objective 3.1 (IP Connectivity), specifically within 'Configure and verify IPv4 and IPv6 static routing' and 'Inter-VLAN routing'. You need to know how to configure subinterfaces, set the encapsulation dot1Q VLAN ID, and assign IP addresses. You also need to verify with show commands and understand how frames travel through the router.

How Router-on-a-Stick Works Step by Step at the Frame Level

Let's trace a packet from Host A (VLAN 10, 192.168.10.10) to Host B (VLAN 20, 192.168.20.10). Both hosts connect to a switch, which is trunked to the router's GigabitEthernet0/0 interface.

1. Host A sends frame: Host A knows that Host B is on a different subnet (based on its own IP and subnet mask), so it sends the frame to its default gateway, which is the router's subinterface for VLAN 10 (192.168.10.1). The frame is an Ethernet frame with destination MAC = MAC of the router's G0/0.10 subinterface, source MAC = Host A's MAC. The switch receives this frame on an access port in VLAN 10.

2. Switch forwards to trunk: The switch looks at the destination MAC. It knows the router's MAC is reachable via the trunk port. The switch adds an 802.1Q tag with VLAN ID 10 to the Ethernet frame (if the trunk uses dot1q tagging). The frame now has a 4-byte tag inserted between the source MAC and the EtherType/Length field. The switch sends the tagged frame out the trunk port to the router.

3. Router receives on physical interface: The router's G0/0 interface receives the tagged frame. The interface itself is not configured with an IP address; it is just a physical carrier. The router examines the 802.1Q tag and sees VLAN ID 10. It strips the tag and forwards the frame to the subinterface G0/0.10, which was configured with encapsulation dot1Q 10.

4. Subinterface processes: Subinterface G0/0.10 treats the frame as if it arrived on a separate interface in VLAN 10. It removes the Ethernet header and passes the IP packet to the routing table. The router checks the destination IP (192.168.20.10) and finds a route via subinterface G0/0.20 (192.168.20.1).

5. Router routes out another subinterface: The router builds a new frame for VLAN 20. The source MAC is the MAC of G0/0.20, and the destination MAC is Host B's MAC (obtained via ARP). The router sends this frame to the physical interface G0/0, which adds an 802.1Q tag with VLAN ID 20 and transmits it over the trunk.

6. Switch receives and delivers: The switch receives the tagged frame on the trunk port, sees VLAN ID 20, strips the tag, and forwards the frame out the access port in VLAN 20 to Host B.
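The six steps above, modelled as an added Python example (not part of the original chapter): it inserts and strips the 4-byte 802.1Q tag and selects subinterfaces the way the walkthrough describes. The MAC addresses, the static ARP table and all function names are constructed for illustration, and one MAC is assumed to be shared by every subinterface.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def add_tag(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag between source MAC and EtherType."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("the VLAN ID is a 12-bit field")
    tci = (pcp << 13) | vid  # priority (3 bits), DEI (1 bit, 0 here), VLAN ID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame):
    """Return (vid, untagged_frame); vid is None when the frame has no tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

# Constructed lab values matching the walkthrough; the MAC addresses are made up.
ROUTER_MAC = bytes.fromhex("00000c000001")  # assumed shared by all subinterfaces
HOST_B_MAC = bytes.fromhex("00000000000b")
SUBIFS = {  # VLAN ID from "encapsulation dot1Q" -> (subinterface, connected network)
    10: ("G0/0.10", ipaddress.ip_network("192.168.10.0/24")),
    20: ("G0/0.20", ipaddress.ip_network("192.168.20.0/24")),
}
ARP = {ipaddress.ip_address("192.168.20.10"): HOST_B_MAC}
NATIVE_VLAN = None  # no subinterface here uses the 'native' keyword

def ip_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Ethernet II frame carrying a bare 20-byte IPv4 header (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                      ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + hdr

def route_on_a_stick(frame):
    """Steps 3-5: pick the ingress subinterface from the tag, route, re-tag.

    Returns (ingress_subif, egress_subif, tagged_frame), or None if dropped.
    TTL decrement and checksum update are not modelled.
    """
    vid, inner = strip_tag(frame)
    if vid is None:
        vid = NATIVE_VLAN            # untagged frames belong to the native VLAN
    if vid not in SUBIFS:
        return None                  # no subinterface for this VLAN: drop
    dst_ip = ipaddress.ip_address(inner[30:34])  # IPv4 destination field
    for out_vid, (out_if, net) in SUBIFS.items():
        if dst_ip in net and dst_ip in ARP:
            out = ARP[dst_ip] + ROUTER_MAC + inner[12:]  # new Layer 2 header
            return SUBIFS[vid][0], out_if, add_tag(out, out_vid)
    return None                      # no connected route or no ARP entry

if __name__ == "__main__":
    host_a_mac = bytes.fromhex("00000000000a")
    frame = ip_frame(ROUTER_MAC, host_a_mac, "192.168.10.10", "192.168.20.10")
    on_trunk = add_tag(frame, 10)    # step 2: the switch tags VLAN 10
    ingress, egress, out = route_on_a_stick(on_trunk)
    print(ingress, "->", egress, "egress tag VLAN", strip_tag(out)[0])
```

A frame tagged for a VLAN with no subinterface, or an untagged frame when no native subinterface exists, returns `None`, which is the drop case described in the analogy.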

Key Configuration Parameters and Defaults

Subinterface numbering: Subinterfaces are named as interface_type slot/port.subinterface_number (e.g., G0/0.10). The subinterface number does not have to match the VLAN ID, but it is a best practice to make it match for clarity.

encapsulation dot1Q vlan_id: This command ties the subinterface to a specific VLAN. For the native VLAN, use the keyword 'native' after the VLAN ID (e.g., encapsulation dot1Q 1 native). The native VLAN frames are sent untagged on the trunk; the router's subinterface for the native VLAN must be configured with the 'native' keyword.

IP address: Each subinterface must have an IP address in the corresponding VLAN's subnet. This IP serves as the default gateway for hosts in that VLAN.

No IP on physical interface: The physical interface (e.g., G0/0) should not have an IP address. If it does, it will be treated as a separate subnet, causing confusion. On the exam, a common trap is to configure an IP on the physical interface.

Interface state: The physical interface must be 'up/up' for subinterfaces to work. Subinterfaces inherit the line protocol of the physical interface.

IOS CLI Verification Commands with Example Output

To verify ROAS configuration, use the following commands:

```
R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES NVRAM  up                    up
GigabitEthernet0/0.10      192.168.10.1    YES NVRAM  up                    up
GigabitEthernet0/0.20      192.168.20.1    YES NVRAM  up                    up
```

Notice the physical interface has no IP, and subinterfaces show their IPs.

```
R1# show running-config interface gigabitEthernet 0/0
Building configuration...

Current configuration : 62 bytes
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
```

```
R1# show running-config interface gigabitEthernet 0/0.10
Building configuration...

Current configuration : 72 bytes
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
```

```
R1# show vlans
Virtual LAN ID: 10 (InterVLAN routing on GigabitEthernet0/0.10)
  This is configured as:
    encapsulation dot1Q 10
    Virtual LAN ID: 10 (802.1Q Virtual LAN ID)
    Maximum Active Packets: 500
    Maximum Active Flows: 500
    ...

Virtual LAN ID: 20 (InterVLAN routing on GigabitEthernet0/0.20)
  ...
```

Interaction with Related Protocols

802.1Q Trunking: ROAS relies on 802.1Q trunking between the switch and router. The switch port connected to the router must be configured as a trunk port (e.g., switchport mode trunk). If the switch port is an access port, only one VLAN will pass, breaking ROAS.

ARP: The router performs ARP on each subinterface separately. For VLAN 10, the router sends ARP requests with source IP 192.168.10.1 out of G0/0.10, tagged with VLAN 10. The switch forwards the ARP request only within VLAN 10.

STP: Spanning Tree Protocol runs on the trunk link. If multiple trunk links exist between switch and router (not typical in ROAS), STP will block one to prevent loops. ROAS usually uses a single link.

CDP: Cisco Discovery Protocol runs on the physical interface and subinterfaces. Useful for verifying neighbor devices.

Walk-Through

1. Configure switch trunk port

On the switch, configure the port connected to the router as a trunk port. Use the command 'switchport mode trunk' under the interface configuration mode. Optionally, specify allowed VLANs with 'switchport trunk allowed vlan 10,20' to restrict which VLANs traverse the trunk. If you omit this, all VLANs are allowed by default. Also, set the native VLAN with 'switchport trunk native vlan 1' (default is VLAN 1). Ensure the switch port is not an access port; otherwise, only one VLAN will be carried, breaking ROAS. Example:

```
Switch(config)# interface gigabitEthernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20
```

2. Configure router physical interface

On the router, ensure the physical interface (e.g., GigabitEthernet0/0) has no IP address. It should be in 'no shutdown' state. The physical interface acts as the trunk endpoint; it does not participate in routing directly. Example:

```
R1(config)# interface gigabitEthernet 0/0
R1(config-if)# no ip address
R1(config-if)# no shutdown
```

A common mistake is to assign an IP to the physical interface, which would create a separate subnet and confuse routing. On the exam, if you see an IP on the physical interface, it's likely a trap.

3. Create subinterface for each VLAN

Create a subinterface for each VLAN that needs inter-VLAN routing. Use the format 'interface gigabitEthernet 0/0.X' where X is a number (typically matching the VLAN ID for clarity). Enter subinterface configuration mode and set the encapsulation to 802.1Q with the VLAN ID. Example for VLAN 10:

```
R1(config)# interface gigabitEthernet 0/0.10
R1(config-subif)# encapsulation dot1Q 10
```

If this is the native VLAN, add the 'native' keyword: 'encapsulation dot1Q 1 native'. The subinterface number can be any number from 1 to 4095, but best practice is to match the VLAN ID.

4. Assign IP address to subinterface

Assign an IP address to each subinterface. This IP will be the default gateway for hosts in that VLAN. Use the 'ip address' command followed by the IP and subnet mask. Example:

```
R1(config-subif)# ip address 192.168.10.1 255.255.255.0
```

Repeat for each VLAN: create subinterface G0/0.20 with encapsulation dot1Q 20 and ip address 192.168.20.1 255.255.255.0. Ensure the IP subnet does not overlap with other VLANs. The router now has a logical interface for each VLAN.

5. Verify connectivity with ping

After configuration, verify that hosts in different VLANs can communicate. From a host in VLAN 10 (e.g., 192.168.10.10), ping the default gateway (192.168.10.1). If successful, ping a host in VLAN 20 (192.168.20.10). If ping fails, check the following: (1) Verify trunk configuration on the switch with 'show interfaces trunk'. (2) Verify subinterface status with 'show ip interface brief'. (3) Check routing table with 'show ip route' — ensure routes to both subnets are present (connected routes). (4) Check VLAN encapsulation with 'show vlans'. Common issues: trunk port not set to trunk, native VLAN mismatch, or firewall/ACL blocking traffic.

6. Troubleshoot with show commands

Use 'show interfaces trunk' on the switch to confirm the trunk is up and VLANs are allowed. Example output:

```
Switch# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20

Port        Vlans active and in local forwarding plane
Gi0/1       10,20
```

On the router, use 'show vlans' to see VLANs configured on subinterfaces. If a VLAN is missing, the subinterface may be down. Also, use 'debug dot1q events' (in lab only) to see tagged frames. Remember that the physical interface must be up; if the cable is disconnected, subinterfaces will be down.

What This Looks Like on the Job

In a small-to-medium enterprise, Router-on-a-Stick is a cost-effective solution for inter-VLAN routing when a Layer 3 switch is not available or not justified. For example, a company with 50 employees might have separate VLANs for IT (VLAN 10), Sales (VLAN 20), and Guest Wi-Fi (VLAN 30). They have a single Cisco router (e.g., ISR 4321) connected to a Layer 2 switch (e.g., Catalyst 2960). The router's GigabitEthernet0/0 is trunked to the switch, and subinterfaces are configured for each VLAN. The router also connects to the internet via another interface. This setup allows inter-VLAN traffic to be routed while also providing internet access through the router.

Another scenario is in a branch office where the main site has a Layer 3 switch, but the branch uses a router for WAN connectivity. The branch router can be configured with ROAS to route between VLANs locally, reducing traffic to the main site. For instance, a retail store with VLANs for POS systems, inventory, and guest Wi-Fi can use ROAS on the branch router to keep local traffic local.

Performance considerations: ROAS uses a single physical link, so it can become a bottleneck if inter-VLAN traffic is heavy. The maximum throughput is limited by the link speed (e.g., 1 Gbps) and the router's CPU (since routing is done in software on most routers). For high-throughput environments, a Layer 3 switch is preferred because it routes in hardware (ASICs). Misconfiguration can cause complete loss of connectivity: for example, if the trunk port is accidentally set to access mode, only one VLAN will pass; if the native VLAN mismatches between switch and router, frames for the native VLAN may be dropped or misdelivered; if a subinterface is missing, that VLAN cannot reach others. Always verify with 'show interfaces trunk' and 'show ip interface brief'.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests Router-on-a-Stick under Objective 3.1 'IP Connectivity', specifically within 'Configure and verify IPv4 and IPv6 static routing' and 'Inter-VLAN routing'. Expect scenario-based questions where you must identify the correct configuration or troubleshoot a broken setup. The most common wrong answers candidates choose:

1. Assigning an IP address to the physical interface instead of subinterfaces. Candidates think the router needs an IP on the physical interface to route. In reality, the physical interface should have no IP; subinterfaces carry the IPs. On the exam, if you see an IP on G0/0, it's likely a distractor.

2. Using the wrong encapsulation command. Some candidates use 'encapsulation dot1Q' without the VLAN ID, or they use 'encapsulation isl' (ISL is obsolete). The correct command is 'encapsulation dot1Q <vlan-id>'. Also, forgetting the 'native' keyword for the native VLAN will cause the router to tag native VLAN frames, leading to a mismatch.

3. Not configuring the switch port as trunk. The switch port must be in trunk mode. If it is left as dynamic auto or access, the trunk may not form. A common trap is configuring the router correctly but the switch port is in default mode (dynamic desirable or auto).

4. Assuming subinterface number must match VLAN ID. While best practice, it is not required. The exam may show a subinterface number that doesn't match the VLAN ID (e.g., G0/0.5 with encapsulation dot1Q 10) — this is valid.

Specific values to remember: The default native VLAN is 1. The 'show vlans' command displays VLANs configured on subinterfaces. The 'show interfaces trunk' command shows trunk status. For verification, 'show ip interface brief' shows subinterface IPs and status.

Decision rule for scenario questions: If a question asks for inter-VLAN routing using a router and one link, the answer must involve subinterfaces with 802.1Q encapsulation. If the router has multiple physical interfaces, you could use a separate interface per VLAN, but ROAS uses one interface. Eliminate any answer that puts an IP on the physical interface or uses no encapsulation.

Key Takeaways

Router-on-a-Stick uses one physical router interface with multiple subinterfaces, each tied to a VLAN via 'encapsulation dot1Q <vlan-id>'.

The physical interface must have no IP address; IPs are assigned to subinterfaces.

The switch port connected to the router must be configured as a trunk port with 'switchport mode trunk'.

Subinterface numbers do not have to match VLAN IDs, but it is best practice.

Use 'show ip interface brief' to verify subinterface status and IPs.

Use 'show interfaces trunk' on the switch to verify trunk status and allowed VLANs.

The native VLAN (default VLAN 1) must be configured with the 'native' keyword on the router subinterface if it is used.

ROAS is a cost-effective solution but can become a bottleneck; Layer 3 switches offer better performance.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Router-on-a-Stick

Uses a router with one physical interface and subinterfaces.

Requires a trunk link between switch and router.

Routing is done in software (CPU-bound), limited throughput.

Cost-effective for small networks; uses existing router.

Configuration is on the router; switch is Layer 2 only.

Layer 3 Switch (SVIs)

Uses a Layer 3 switch with Switch Virtual Interfaces (SVIs).

No external trunk needed; VLANs are internal to the switch.

Routing is done in hardware (ASICs), wire-speed performance.

More expensive; requires a Layer 3 switch.

Configuration is on the switch; no separate router needed.

Watch Out for These

Mistake

The router's physical interface must have an IP address to route between VLANs.

Correct

The physical interface should have no IP address. Subinterfaces carry the IP addresses for each VLAN. The physical interface only handles the trunking of VLAN-tagged frames.

Candidates are used to assigning IPs to interfaces and think the physical interface needs one to be 'up'.

Mistake

The subinterface number must match the VLAN ID exactly.

Correct

The subinterface number is arbitrary (1-4095) and does not need to match the VLAN ID. The encapsulation dot1Q command ties the subinterface to a specific VLAN.

It is common practice to match them, so candidates assume it is mandatory.

Mistake

You need to configure 'no shutdown' on each subinterface.

Correct

Subinterfaces inherit the line protocol from the physical interface. If the physical interface is up, all subinterfaces are up (unless administratively shut down individually).

Candidates think each subinterface is like a separate physical interface that needs to be enabled.

Mistake

ROAS works with any switch port mode; trunk mode is optional.

Correct

The switch port must be in trunk mode (or dynamic desirable if the router supports DTP) to carry multiple VLANs. If the port is in access mode, only one VLAN (the access VLAN) will be carried, breaking ROAS.

Candidates may not understand that trunking is required to pass multiple VLANs over a single link.

Frequently Asked Questions

Can I use Router-on-a-Stick with a Layer 3 switch?

Technically, yes, but it's not recommended. A Layer 3 switch can route between VLANs using SVIs internally, which is faster and simpler. Using ROAS on a Layer 3 switch would require connecting a router to the switch via a trunk, which defeats the purpose of having a Layer 3 switch. On the CCNA exam, ROAS is typically used with a Layer 2 switch and a separate router.

What is the difference between 'encapsulation dot1Q' and 'encapsulation dot1Q native'?

'encapsulation dot1Q vlan-id' configures the subinterface to handle 802.1Q tagged frames for that VLAN. Adding the 'native' keyword tells the subinterface to accept untagged frames (which belong to the native VLAN). On a trunk, the native VLAN is sent without a tag. If your router subinterface for the native VLAN does not have 'native', it will drop untagged frames. Always use 'native' for the native VLAN subinterface.

How many subinterfaces can I create on a single physical interface?

Cisco routers support up to 4095 subinterfaces per physical interface, matching the 802.1Q VLAN ID range (1-4095). However, practical limits depend on router platform and memory. In CCNA scenarios, you'll typically see 2-3 subinterfaces. On the exam, you don't need to memorize the exact limit, but know that it's large.

Do I need to configure the native VLAN on the router?

Only if you want the router to route traffic for the native VLAN (default VLAN 1). If you don't configure a subinterface for the native VLAN, the router will simply ignore untagged frames. In many designs, the native VLAN is unused for data traffic, so it's optional. However, if you do configure it, use the 'native' keyword.

What is the purpose of the 'show vlans' command?

The 'show vlans' command on a router displays the VLANs that are configured on subinterfaces for inter-VLAN routing. It shows the subinterface, VLAN ID, encapsulation type, and traffic statistics (packets in/out). It is useful for verifying that the router is correctly tagging and processing frames for each VLAN.

Can I use Router-on-a-Stick with a router that has only one Ethernet interface?

Yes, that's the whole point! ROAS allows a single Ethernet interface to route between multiple VLANs. The router can have just one Ethernet port (e.g., a home router with one WAN and one LAN port). In enterprise, you might have multiple interfaces, but ROAS uses one for inter-VLAN routing.

Why is my subinterface showing 'down/down' even though the physical interface is up?

If the physical interface is up/up but a subinterface is down, it usually means there is a configuration issue. Common causes: (1) The subinterface has 'shutdown' configured; (2) The physical interface is up but the line protocol is down (e.g., no cable); (3) The encapsulation VLAN ID is invalid (e.g., 0 or 4096). Check with 'show ip interface brief' and 'show running-config interface subinterface'.
