
Same VLAN on Switch and Router with EtherSwitch Module
Routers usually come with slots where you can add extra modules for functionalities like VPN,
switching and so on. In this article, I will be discussing one of the scenarios I faced recently where
the same VLAN on a switch and a router installed with a switch module were seen as separate VLANs
and I will show you two solutions to the issue.

The diagram below illustrates the scenario:

The Problem

In the above diagram, interface e0/1 on the switch is an access port on VLAN 10; e0/0 is configured
as a trunk port that is connected to Fa0/0 on the router. Fa0/0.10 is a sub-interface of Fa0/0 on the
router and is configured with “encapsulation dot1q 10.” Fa1/10 on the router is a port on the switch
module installed on the router and is also part of VLAN 10 on the router.

The problem is that the router was treating the VLAN 10 on the switch (connected via Fa0/0.10) as
a separate VLAN from the VLAN 10 that was configured on the router itself. This means that HOST A and
HOST B could not communicate.

I wondered why this happened this way. My thinking was that since the interface on the switch that
connected the router to VLAN 10 (on the switch) was configured as a trunk port, then the router
should be able to “advertise” the same VLAN 10 configured on itself to the switch.

Well, now I understand that my thinking was flawed, as explained to me by a friend of mine:
Assuming all the switch ports on the router are in the default VLAN, then that VLAN is a broadcast
domain on its own and, since every port (e.g., Fa0/0) on a router is in its own broadcast domain,
then there cannot be communication between different broadcast domains by default.

Note: You can also find an explanation here about why VLANs separated by a router are not the
same VLAN even if they have the same VLAN ID.

To show that this problem is as I have described, I have set up a lab like the one in the diagram. The
configuration on the switch is as follows:

interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access

The configuration on the router (it’s just a router in GNS3 with the NM-16ESW module inserted
into one of the slots) is as follows:

interface FastEthernet0/0
no ip address
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.100 255.255.255.0
!
interface FastEthernet1/10
switchport access vlan 10

Notice that HOST_A can ping the router (192.168.10.100) but not HOST_B. Let’s now get to the
solutions.

Solution #1: Connect a switch port on the router to a port on the switch

This solution is quite straightforward – it’s like connecting two switches together through a trunk
port. The “router” part of the router is actually not involved – it is just another device on the
VLAN.
As you can see in the diagram above, I have connected a port on the switch (e0/2) to a port on the
switch module of the router (Fa1/2). Both ports will be set to trunk mode. The configuration on
the switch is as follows:

interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk

The configuration on the router is as follows:

interface FastEthernet1/2
switchport trunk encapsulation dot1q
switchport mode trunk

Now if I try to ping from HOST A to HOST B, we see that the ping goes through.

If you have a spare port on the switch module of your router, then this solution may be suitable
for you. However, why would I want to waste two ports on my router (i.e., Fa0/0 and Fa1/2) and
connect it to a switch just so that I can have the same VLAN on both sides?

Solution #2: Bridging using the IRB feature

This brings us to the second solution—bridging. IRB stands for integrated routing and bridging and
it allows a protocol to be both bridged and routed on the same interface on a router. There is a
great explanation of the IRB feature in this Cisco document.

The configuration to achieve this on the router is as follows:


bridge irb
bridge 1 protocol ieee
!
interface FastEthernet0/0.10
no ip address
bridge-group 1
!
interface vlan 10
bridge-group 1

The command “bridge irb” enables the IRB feature on the router, while “bridge 1 protocol ieee”
enables bridging on the router. I then assigned interfaces to the bridge-group I created using the
“bridge-group” command.
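
The original problem and both solutions can be checked with a small model of layer-2 broadcast domains. This Python sketch is an added example, not part of the original article; the endpoint labels such as "SW:vlan10" and "RTR:bridge1" are names made up for the model, and the topology is constructed from the configurations shown above.

```python
# Added example: model each configuration as a set of layer-2 joins and
# check whether HOST_A and HOST_B end up in the same broadcast domain.

def broadcast_domains(joins):
    """Union-find over L2 endpoints; each join merges two endpoints."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in joins:
        parent[find(a)] = find(b)
    return find

# Constructed topology. "SW:vlan10" is VLAN 10 on the external switch,
# "RTR:vlan10" is VLAN 10 on the NM-16ESW module inside the router.
BASE = [
    ("HOST_A", "SW:vlan10"),        # e0/1, access VLAN 10
    ("SW:vlan10", "RTR:Fa0/0.10"),  # e0/0 trunk to the dot1Q 10 sub-interface
    ("HOST_B", "RTR:vlan10"),       # Fa1/10, access VLAN 10 on the module
]
# The routed sub-interface terminates the domain: nothing in BASE joins
# RTR:Fa0/0.10 to RTR:vlan10, even though both carry VLAN ID 10.

# Solution 1: trunk e0/2 <-> Fa1/2 carries VLAN 10 between the two switches.
TRUNK = BASE + [("SW:vlan10", "RTR:vlan10")]
# Solution 2: bridge-group 1 on both Fa0/0.10 and interface vlan 10.
IRB = BASE + [("RTR:Fa0/0.10", "RTR:bridge1"), ("RTR:vlan10", "RTR:bridge1")]

def same_domain(joins, a="HOST_A", b="HOST_B"):
    """True when endpoints a and b share one broadcast domain."""
    find = broadcast_domains(joins)
    return find(a) == find(b)

if __name__ == "__main__":
    for name, cfg in [("problem", BASE), ("trunk", TRUNK), ("irb", IRB)]:
        print(f"{name:8} HOST_A and HOST_B share a domain: {same_domain(cfg)}")
```

Either solution merges what were two separate broadcast domains, so any layer-2 filtering that relied on the router boundary between them no longer applies to VLAN 10.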

To test this configuration, you can first shut down the Fa1/2 interface that we used for trunking to
the switch and then ping from HOST A to HOST B:

Usually, this configuration will not be enough for a real network; you will also want to be able to
route packets from bridged interfaces to routed interfaces: for example, hosts on VLAN 10 to the
Internet. We do this by configuring a bridged virtual interface (BVI). By looking at the destination
address, the router is able to determine whether to bridge the packet or to route it.

Hint: The concept of BVIs is similar to that of SVIs on switches that allow inter-VLAN routing on
switches.

bridge 1 route ip
interface bvi 1
ip address 192.168.10.100 255.255.255.0

To test this routing configuration, you can configure a loopback interface on the router (say
1.1.1.1) to serve as a test network and then configure the default gateway on the hosts as this BVI
address (192.168.10.100) and then ping:

Summary

This brings us to the end of this article, where we have looked at ways of bridging the same VLAN
on a switch and a router with an EtherSwitch module. The first method we looked at was
connecting a trunk between the switch ports. The second method we considered was using the
IRB feature.

I hope you have found this article helpful.

References and Further Reading

Understanding and Configuring VLAN Routing and Bridging on a Router Using the IRB Feature: http://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/17054-741-10.html
