
Subinterface Wrong or Missing encapsulation dot1Q

Presenting Symptom

Hosts in one specific VLAN cannot communicate across a router-on-a-stick configuration: inter-VLAN routing fails for that VLAN while the other VLANs route normally.

Network Context

A small branch office uses a router-on-a-stick topology with a Cisco 4321 router and a Cisco 2960 switch. The router has a single physical GigabitEthernet0/0/0 interface with multiple subinterfaces for VLANs 10, 20, and 30. The switch trunk port connecting to the router is configured with allowed VLANs. Hosts in VLANs 10 and 20 can communicate across the router, but VLAN 30 hosts cannot reach other VLANs or the internet.

Diagnostic Steps

1. Check subinterface configuration on the router

show running-config interface gigabitethernet 0/0/0.30
interface GigabitEthernet0/0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0

Look for the 'encapsulation dot1Q' command. If it is missing or has a wrong VLAN ID (e.g., encapsulation dot1Q 300), the subinterface will not process frames for VLAN 30. If the subinterface does not exist, it must be created.

2. Verify the switch trunk port configuration

show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20,30

Ensure VLAN 30 is allowed on the trunk. If VLAN 30 is missing from the 'Vlans allowed' list, the switch is not forwarding VLAN 30 frames to the router. Also check that the native VLAN matches on both sides.

3. Check the router's ARP table for the VLAN 30 subnet

show ip arp vlan 30
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.30.1     -           aaaa.bbbb.cccc  ARPA   GigabitEthernet0/0/0.30
Internet  192.168.30.10    0           xxxx.yyyy.zzzz  ARPA   GigabitEthernet0/0/0.30

If the router has no ARP entries for VLAN 30 hosts (except its own), it cannot communicate with them. This often indicates the subinterface is not receiving frames from the switch, pointing to an encapsulation or trunk issue.

4. Use debug to see incoming frames on the subinterface

debug dot1q events
dot1q: Gi0/0/0.30: received VLAN 30 frame
...

If no debug output appears when pinging from a VLAN 30 host, the router is not receiving any frames tagged with VLAN 30. This confirms the switch is not sending them, or the subinterface is not processing them due to missing/wrong encapsulation.

Root Cause

The subinterface GigabitEthernet0/0/0.30 is missing the 'encapsulation dot1Q 30' command, or it has a wrong VLAN ID (e.g., encapsulation dot1Q 300). Without the correct encapsulation, the router does not associate incoming VLAN 30 frames with the subinterface, so it cannot route traffic for VLAN 30.

Resolution

1. Enter global configuration mode: configure terminal
2. Enter the subinterface configuration: interface gigabitethernet 0/0/0.30
3. Set the correct encapsulation: encapsulation dot1Q 30
4. (If not already set) Assign the IP address: ip address 192.168.30.1 255.255.255.0
5. Exit and save: end, write memory

Alternatively, if the subinterface does not exist, create it with the above commands.

Verification

1. Run 'show running-config interface gigabitethernet 0/0/0.30' to confirm 'encapsulation dot1Q 30' is present.
2. Ping from a VLAN 30 host to the router's VLAN 30 interface IP (192.168.30.1); this should succeed.
3. Ping from a VLAN 30 host to a host in another VLAN (e.g., 192.168.10.10); this should succeed.
4. Run 'show ip arp vlan 30' to see dynamic ARP entries for VLAN 30 hosts.

Prevention

1. Use a configuration template or script when creating subinterfaces to ensure encapsulation is always included.
2. Implement a change management process that requires verification of subinterface configuration after any router or switch changes.
3. Use network documentation to track VLAN-to-subinterface mappings and verify them during audits.
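An audit script of the kind items 1 and 3 above call for, added here as an example and not part of the original page: it parses a saved running-config and checks each subinterface's 'encapsulation dot1Q' against the documented VLAN mapping and the switch trunk's allowed VLANs. The sample config, the EXPECTED mapping format and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config: .20 lacks encapsulation, .30 has a wrong VLAN ID.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0/0.20
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0/0.30
 encapsulation dot1Q 300
 ip address 192.168.30.1 255.255.255.0
"""
# Documented subinterface-to-VLAN mapping (hypothetical documentation format).
EXPECTED = {f"GigabitEthernet0/0/0.{v}": v for v in (10, 20, 30)}

def parse_subinterfaces(config):
    """Map each subinterface (name with a ".N" suffix) to its dot1Q VLAN ID, or None."""
    found, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        encap = re.match(r"\s+encapsulation dot1q (\d+)", line, re.IGNORECASE)
        if header:
            current = header.group(1)
            found.setdefault(current, None)
        elif current and encap:
            found[current] = int(encap.group(1))
    return {name: vlan for name, vlan in found.items() if "." in name}

def audit(config, expected, trunk_allowed):
    """Check config against the documented mapping and the trunk's allowed VLANs."""
    actual, findings = parse_subinterfaces(config), []
    for name, vlan in sorted(expected.items()):
        if name not in actual:
            findings.append((name, "subinterface does not exist"))
        elif actual[name] is None:
            findings.append((name, "missing encapsulation dot1Q"))
        elif actual[name] != vlan:
            findings.append((name, f"encapsulation dot1Q {actual[name]}, expected {vlan}"))
        if vlan not in trunk_allowed:
            findings.append((name, f"VLAN {vlan} not allowed on trunk"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG, EXPECTED, {10, 20, 30}), sep="\n")
```

The third argument is the VLAN set from the 'Vlans allowed on trunk' line of 'show interfaces trunk' on the switch.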

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions, often as a drag-and-drop or multiple-choice item. The exam tests the candidate's ability to identify misconfigured subinterface encapsulation as the root cause of inter-VLAN routing failure. Key fact: A subinterface must have the 'encapsulation dot1Q vlan-id' command to process frames for that VLAN.

Exam Tips

1. Memorize that the 'encapsulation dot1Q' command is mandatory on router subinterfaces for inter-VLAN routing.
2. In exam simulations, always check the subinterface configuration first when inter-VLAN routing fails for a specific VLAN.
3. Remember that the native VLAN does not require a subinterface; it uses the physical interface IP.
