← Cisco Examples // Lab Guide · Cisco IOS 15.x

Cisco 1921 VLANs
& Inter-VLAN Routing

Segment your network with VLANs on the Catalyst C2960L switch, then route between them using Cisco 1921 sub-interfaces (router-on-a-stick). No Layer-3 switch required.

~ 30–45 min
8 steps
CLI
IOS 15.x

Router-on-a-Stick Topology

VLAN 10
192.168.10.0/24
───►
C2960L
trunk Gi0/1
───► 802.1Q trunk
Cisco 1921
Gi0/0 sub-ifs

VLAN 10 — Staff (192.168.10.0/24)  |  VLAN 20 — Guests (192.168.20.0/24)  |  VLAN 30 — Servers (192.168.30.0/24)

Progress 0 / 8 viewed
01

Plan Your VLANs

Router & Switch

Decide VLAN IDs, names, subnets, and which switch ports belong to each VLAN before touching any equipment. A clear plan prevents mismatched IDs between the switch and router.

VLAN IDNameSubnetGateway (Router)Switch Ports
10Staff192.168.10.0/24192.168.10.1Fa0/1–Fa0/8
20Guests192.168.20.0/24192.168.20.1Fa0/9–Fa0/16
30Servers192.168.30.0/24192.168.30.1Fa0/17–Fa0/20
i
Key rule: VLAN IDs must match exactly between the switch database, the trunk allowed list, and the router sub-interface encapsulation. A single mismatch silently breaks routing.
02

Create VLANs on the Switch

C2960L

VLANs must be defined in the switch VLAN database before they can be assigned to ports. Undefined VLANs on a trunk are silently pruned.

Switch> enable Switch# configure terminal Switch(config)# vlan 10 Switch(config-vlan)# name Staff Switch(config-vlan)# exit Switch(config)# vlan 20 Switch(config-vlan)# name Guests Switch(config-vlan)# exit Switch(config)# vlan 30 Switch(config-vlan)# name Servers Switch(config-vlan)# exit
!
Verify: Run show vlan brief — all three VLANs should appear as active. VLANs 1 and 1002–1005 are defaults and cannot be deleted.
03

Assign Access Ports

C2960L

End-device ports are access ports — they carry traffic for exactly one VLAN (untagged). Use interface range to configure multiple ports at once.

! VLAN 10 — Staff devices on Fa0/1 through Fa0/8 Switch(config)# interface range FastEthernet 0/1 - 8 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 10 Switch(config-if-range)# spanning-tree portfast Switch(config-if-range)# exit ! VLAN 20 — Guest devices on Fa0/9 through Fa0/16 Switch(config)# interface range FastEthernet 0/9 - 16 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 20 Switch(config-if-range)# spanning-tree portfast Switch(config-if-range)# exit ! VLAN 30 — Servers on Fa0/17 through Fa0/20 Switch(config)# interface range FastEthernet 0/17 - 20 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 30 Switch(config-if-range)# spanning-tree portfast Switch(config-if-range)# exit
i
PortFast: Ports skip STP listening/learning states and come up immediately. Use only on end-device ports — never on trunk ports or ports connecting to other switches.
04

Configure the Trunk Port

C2960L

The uplink from the switch to the router carries all VLANs tagged with 802.1Q headers. This single cable is the "stick" in router-on-a-stick — one wire, all VLANs.

! GigabitEthernet0/1 connects to router Gi0/0 Switch(config)# interface GigabitEthernet 0/1 Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport trunk allowed vlan 10,20,30 Switch(config-if)# no shutdown Switch(config-if)# exit Switch(config)# end Switch# write memory
!
Allowed VLANs: A trunk allows all VLANs by default. Explicitly listing only 10, 20, 30 prevents unneeded broadcast flooding. Verify with: show interfaces GigabitEthernet 0/1 trunk
05

Create Router Sub-Interfaces

Cisco 1921

On the 1921, one physical interface (Gi0/0) is divided into logical sub-interfaces — one per VLAN. Each sub-interface acts as the default gateway for its VLAN's subnet. The physical interface itself gets no IP address.

Router> enable Router# configure terminal ! Bring up the physical interface — no IP assigned here Router(config)# interface GigabitEthernet 0/0 Router(config-if)# no shutdown Router(config-if)# exit ! Sub-interface for VLAN 10 — Staff Router(config)# interface GigabitEthernet 0/0.10 Router(config-subif)# encapsulation dot1Q 10 Router(config-subif)# ip address 192.168.10.1 255.255.255.0 Router(config-subif)# no shutdown Router(config-subif)# exit ! Sub-interface for VLAN 20 — Guests Router(config)# interface GigabitEthernet 0/0.20 Router(config-subif)# encapsulation dot1Q 20 Router(config-subif)# ip address 192.168.20.1 255.255.255.0 Router(config-subif)# no shutdown Router(config-subif)# exit ! Sub-interface for VLAN 30 — Servers Router(config)# interface GigabitEthernet 0/0.30 Router(config-subif)# encapsulation dot1Q 30 Router(config-subif)# ip address 192.168.30.1 255.255.255.0 Router(config-subif)# no shutdown Router(config-subif)# exit Router(config)# end Router# write memory
i
Sub-interface numbering: The .10 suffix is arbitrary — it does not have to match the VLAN ID. Matching them is a best practice that makes configs easier to read and troubleshoot.
06

Configure DHCP per VLAN (Optional)

Cisco 1921

The 1921 can hand out IP addresses automatically to each VLAN's devices. Skip this step if you're using static IPs or a separate DHCP server.

! Exclude gateway and reserved addresses from each pool Router(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10 Router(config)# ip dhcp excluded-address 192.168.20.1 192.168.20.10 Router(config)# ip dhcp excluded-address 192.168.30.1 192.168.30.10 ! Pool for VLAN 10 — Staff (7-day lease) Router(config)# ip dhcp pool VLAN10_STAFF Router(dhcp-config)# network 192.168.10.0 255.255.255.0 Router(dhcp-config)# default-router 192.168.10.1 Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4 Router(dhcp-config)# lease 7 Router(dhcp-config)# exit ! Pool for VLAN 20 — Guests (1-day lease) Router(config)# ip dhcp pool VLAN20_GUESTS Router(dhcp-config)# network 192.168.20.0 255.255.255.0 Router(dhcp-config)# default-router 192.168.20.1 Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4 Router(dhcp-config)# lease 1 Router(dhcp-config)# exit ! Pool for VLAN 30 — Servers (30-day lease) Router(config)# ip dhcp pool VLAN30_SERVERS Router(dhcp-config)# network 192.168.30.0 255.255.255.0 Router(dhcp-config)# default-router 192.168.30.1 Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4 Router(dhcp-config)# lease 30 Router(dhcp-config)# exit Router(config)# end Router# write memory
07

Verify Inter-VLAN Routing

Cisco 1921

Confirm sub-interfaces are up, the routing table shows all three subnets, and hosts in different VLANs can reach each other through the router.

! All sub-interfaces should show up/up Router# show ip interface brief
InterfaceIP-AddressStatusProtocol
GigabitEthernet0/0unassignedupup
GigabitEthernet0/0.10192.168.10.1upup
GigabitEthernet0/0.20192.168.20.1upup
GigabitEthernet0/0.30192.168.30.1upup
! Each VLAN subnet should appear as directly connected (C) Router# show ip route C 192.168.10.0/24 is directly connected, GigabitEthernet0/0.10 C 192.168.20.0/24 is directly connected, GigabitEthernet0/0.20 C 192.168.30.0/24 is directly connected, GigabitEthernet0/0.30
! Ping from VLAN 10 gateway to a VLAN 20 host Router# ping 192.168.20.50 source 192.168.10.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
08

Troubleshooting Common VLAN Issues

Router & Switch

When inter-VLAN routing fails, work down this checklist — start at the switch access port and work toward the router.

SymptomLikely CauseFix
Host can't ping its own gatewayPort in wrong VLAN or not in access modeshow vlan brief — verify port is in correct VLAN
Sub-interface shows down/downPhysical Gi0/0 is shut downinterface Gi0/0no shutdown
VLAN missing from trunkNot in allowed vlan listswitchport trunk allowed vlan add 10
VLAN not in switch databaseVLAN not created with vlan commandCreate VLAN: vlan 10name Staff
Wrong encapsulation VLAN IDSub-if VLAN ID doesn't match switch VLANCheck encapsulation dot1Q number matches VLAN
Hosts not getting DHCPDHCP pool misconfiguredshow ip dhcp pool, show ip dhcp binding