VLAN | CCNA 200-301

Router-on-a-Stick Subinterface Misconfigured — VLAN Traffic Fails

Presenting Symptom

Hosts in different VLANs cannot communicate with each other through the router, even though the router has subinterfaces configured for each VLAN.

Network Context

A small branch office network uses a single Cisco router (Cisco 4321, IOS XE 16.9) connected to a Cisco Catalyst 2960 switch via a trunk link. The switch has two VLANs: VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24). The router is configured with subinterfaces GigabitEthernet0/0.10 and GigabitEthernet0/0.20 for inter-VLAN routing. Hosts in each VLAN can ping their default gateway but cannot reach hosts in the other VLAN.

Diagnostic Steps

1. Check the trunk status on the switch

show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20

Verify that the trunk is up and that both VLANs 10 and 20 are allowed and active. If the trunk is down or VLANs are missing, that would be the problem.

2. Check the router's subinterface configuration

show running-config interface gigabitethernet 0/0
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0

Ensure that the subinterfaces exist and have the correct encapsulation dot1Q VLAN IDs and IP addresses. A common misconfiguration is using the wrong VLAN ID or missing the encapsulation command.

3. Check the router's routing table

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/0.10
L        192.168.10.1/32 is directly connected, GigabitEthernet0/0.10
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet0/0.20
L        192.168.20.1/32 is directly connected, GigabitEthernet0/0.20

Confirm that both subnets are in the routing table as directly connected. If one is missing, the subinterface may be down or misconfigured.

4. Check the subinterface status

show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/0.10  192.168.10.1    YES manual up                    up
GigabitEthernet0/0.20  192.168.20.1    YES manual up                    up

Verify that both subinterfaces are up/up. If a subinterface is down, the physical interface may be down or the subinterface may be administratively down.

5. Check for VLAN mismatch or native VLAN issues

show interfaces gigabitethernet 0/0.10
GigabitEthernet0/0.10 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 001e.4a7b.1c01 (bia 001e.4a7b.1c01)
  Internet address is 192.168.10.1/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 10.
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Look for 'Encapsulation 802.1Q Virtual LAN, Vlan ID 10.' Confirm the VLAN ID matches the intended VLAN. Also check for any input errors or drops that might indicate a mismatch.

Root Cause

The router's subinterface GigabitEthernet0/0.10 is configured with encapsulation dot1Q 100 instead of dot1Q 10, causing VLAN 10 traffic to be tagged with VLAN 100, which the switch does not recognize as VLAN 10. As a result, the router receives traffic from VLAN 10 but tags it incorrectly, and the switch drops the frames because VLAN 100 is not allowed on the trunk or does not exist.

Resolution

Correct the encapsulation VLAN ID on the subinterface.

1. Enter global configuration mode:
   configure terminal
2. Enter the subinterface configuration:
   interface gigabitethernet 0/0.10
3. Remove the incorrect encapsulation:
   no encapsulation dot1Q 100
4. Apply the correct encapsulation:
   encapsulation dot1Q 10
5. Exit and save:
   end
   write memory

Verification

1. Verify the corrected configuration:
   show running-config interface gigabitethernet 0/0.10
   Expected output includes: encapsulation dot1Q 10
2. Test inter-VLAN connectivity: from a host in VLAN 10, ping the IP address of a host in VLAN 20 (e.g., 192.168.20.2).
   Expected: successful ping replies.
3. Check the router's ARP table for both VLANs:
   show ip arp
   Expected: entries for hosts in both VLANs.

Prevention

1. Use consistent VLAN numbering and document the VLAN-to-subnet mapping.
2. Always verify the encapsulation VLAN ID matches the switch's VLAN configuration.
3. Implement a change management process that includes verification steps after any VLAN or subinterface changes.
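
An added example (not part of the original scenario and not a Cisco tool): a Python check for Prevention item 2 that compares each subinterface's encapsulation dot1Q ID with the VLANs active on the switch trunk and with the documented VLAN-to-subnet plan. The sample config and trunk output are constructed from this scenario; VLAN_PLAN, SUBIF and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample inputs (not device captures): the faulty router config
# described under Root Cause, and the switch's trunk output.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
"""
TRUNK_OUTPUT = """\
Port        Vlans allowed and active in management domain
Gi0/1       1,10,20
"""
# Documented VLAN-to-subnet mapping (assumed for this example).
VLAN_PLAN = {10: "192.168.10.0/24", 20: "192.168.20.0/24"}
SUBIF = re.compile(r"^interface (\S+\.\d+)\n encapsulation dot1Q (\d+).*\n"
                   r" ip address (\S+) (\S+)", re.M)

def active_trunk_vlans(trunk_output):
    """Expand the 'allowed and active' VLAN list (e.g. '1,10-12,20') into a set."""
    m = re.search(r"allowed and active in management domain\s*\n\S+\s+(\S+)", trunk_output)
    vlans = set()
    for part in (m.group(1).split(",") if m else []):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(router_config, trunk_output, plan):
    """Return one finding per disagreement between subinterfaces, trunk and plan."""
    active, findings = active_trunk_vlans(trunk_output), []
    for name, vid, ip, mask in SUBIF.findall(router_config):
        vid = int(vid)
        net = str(ipaddress.ip_interface(f"{ip}/{mask}").network)
        if vid not in active:
            findings.append(f"{name}: dot1Q {vid} is not active on the trunk")
        if plan.get(vid) != net:
            findings.append(f"{name}: {net} is not the planned subnet for VLAN {vid}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ROUTER_CONFIG, TRUNK_OUTPUT, VLAN_PLAN)) or "no findings")
```

Run after any VLAN or subinterface change, against the saved output of show running-config on the router and show interfaces trunk on the switch; an empty result means every subinterface tag is active on the trunk and carries its planned subnet.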

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where you must identify misconfigured subinterfaces. The exam may present a drag-and-drop task to match symptoms with root causes, or a multiple-choice question asking which command reveals the VLAN ID mismatch. Key fact: The encapsulation dot1Q command must specify the exact VLAN ID used on the switch.

Exam Tips

1. Memorize that 'show running-config interface' reveals the encapsulation VLAN ID; a mismatch between the subinterface VLAN and the switch's access/trunk VLAN is a common error.

2. Remember that the native VLAN on the trunk should match on both sides; if the router's subinterface uses a VLAN ID that is the native VLAN on the switch, traffic may be untagged and cause issues.

3. Practice using 'show interfaces trunk' on the switch to verify allowed VLANs and 'show interfaces [subinterface]' on the router to check encapsulation.
