Introduction

Referring to this post. I ran through the configuration on both a router and a switch in Cisco Packet Tracer to get a refresher on how to configure router-on-a-stick. I also put in some basic configuration options to these scripts. I am certain that these are incomplete in terms of security lockdown and basic configuration, but they can serve as a baseline for the next time this comes up, and perhaps I can expand upon them at that time. I had a bunch of index cards from my previous studies that I compiled into these commands.

Some things I got hung up on:

  • Native VLAN (I ran encapsulation dot1q 10 native the first time and nothing would ping)
  • ip address dhcp on an interface does not enable DHCP propagation on that interface…rather it says that interface should acquire its IP address via DHCP. So in the script I set the IP address, then ran ip address dhcp, and didn’t realize that was unassigning the IP. Duh.
  • switchport trunk encapsulation dot1q is not a supported command on the device I was using, but it is unnecessary
  • speed auto and duplex auto, as well as changing cable types and looking into mdix auto, were red herrings, unnecessary…also Packet Tracer shows whether or not your connection is messed up with little indicator icons, and yet I still fiddled around with that (while I was having the native VLAN issue)

After some trial and error, I finalized the below “scripts” and was able to copy-paste them into a fresh router and switch, connect them up, connect a couple of PCs to the appropriate switch ports, enable DHCP, and everything worked!

Some helpful links:

Router configuration

Cisco 1841 Router, IOS Version 12.4(15)T1 via Packet Tracer

! Global configuration
enable
configure terminal
hostname opnsense
no ip domain-lookup
enable secret cisco
service password-encryption

! DHCP configuration
service dhcp
ip dhcp excluded-address 10.10.99.1 10.10.99.100
ip dhcp excluded-address 10.10.99.200 10.10.99.254
ip dhcp excluded-address 10.20.99.1 10.20.99.100
ip dhcp excluded-address 10.20.99.200 10.20.99.254
ip dhcp pool end-device
network 10.10.99.0 255.255.255.0
default-router 10.10.99.1
dns-server 10.10.99.1
domain-name lan.local
ip dhcp pool management
network 10.20.99.0 255.255.255.0
default-router 10.20.99.1
dns-server 10.20.99.1
domain-name lan.local

! SSH configuration
! (ip domain-name must be set before the RSA key can be generated;
! with "login local" the line password below is ignored and the username is used)
ip domain-name lan.local
crypto key generate rsa general-keys modulus 1024
username cisco password cisco
line vty 0 15
logging synchronous
transport input ssh
password cisco
login local

! Console and auxiliary port configuration
line console 0
logging synchronous
password cisco
login
line aux 0
logging synchronous
password cisco
login

! Trunk interface configuration
interface FastEthernet 0/0
no shutdown
description Router-on-a-stick 10.10.99.0/24 and 10.20.99.0/24

! Configure sub-interface 0.10
interface FastEthernet 0/0.10
description End-device VLAN 10, 10.10.99.0/24
encapsulation dot1q 10
ip address 10.10.99.1 255.255.255.0

! Configure sub-interface 0.20
interface FastEthernet 0/0.20
description Management VLAN 20, 10.20.99.0/24
encapsulation dot1q 20
ip address 10.20.99.1 255.255.255.0

! Save configuration
end
write

Switch configuration

Cisco 2950-T24 Switch, IOS Version 12.1(22)EA4 via Packet Tracer

! Global configuration
enable
configure terminal
hostname switch
no ip domain-lookup
enable secret cisco
service password-encryption
ip default-gateway 10.20.99.1

! SSH configuration
ip domain-name lan.local
crypto key generate rsa general-keys modulus 1024
username cisco password cisco
int vlan 20
no shutdown
ip address 10.20.99.2 255.255.255.0
line vty 0 15
transport input ssh
logging synchronous
login local

! Console configuration
line console 0
logging synchronous
password cisco
login

! Create VLANs
vlan 10
name end-device
vlan 20
name management
vlan 99
name unused

! Configure trunk port
interface FastEthernet 0/1
description Trunk port to router
switchport mode trunk
switchport trunk allowed vlan 10,20
spanning-tree portfast trunk

! Configure access port for VLAN 10
interface FastEthernet 0/2
description VLAN 10 end-device
switchport mode access
switchport access vlan 10

! Configure access port for VLAN 20
interface FastEthernet 0/24
description VLAN 20 management
switchport mode access
switchport access vlan 20

! Lock down unused ports
interface range FastEthernet 0/3-23
description VLAN 99 unused
switchport mode access
switchport access vlan 99
shutdown

end
write

Router ACLs

The whole point of doing this is to create an isolated management network. However, creating the rules is not important to me here, as I know OPNSense (being a firewall OS first and foremost) will be capable of this. I will figure them out then. It should be fairly straightforward.

The important thing was confirming that all pings went through. That means the VLAN traffic is getting passed up the trunk and routing is happening on L3.
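A static cross-check of the two scripts above, as an added example that is not part of the original post: it parses constructed excerpts of the router and switch configs and confirms that the trunk's allowed VLANs, the dot1q sub-interfaces and the DHCP pools agree, and it flags the "ip address dhcp" gotcha from the list above (IOS keeps only the last "ip address" command on an interface). The excerpts, the function names and the finding messages are assumptions of this example.

```python
import ipaddress
import re
# Constructed excerpts of the page's router and switch scripts (not the full configs).
ROUTER_CFG = """
ip dhcp pool end-device
network 10.10.99.0 255.255.255.0
default-router 10.10.99.1
interface FastEthernet 0/0.10
encapsulation dot1q 10
ip address 10.10.99.1 255.255.255.0
interface FastEthernet 0/0.20
encapsulation dot1q 20
ip address 10.20.99.1 255.255.255.0
"""
SWITCH_CFG = "interface FastEthernet 0/1\nswitchport mode trunk\nswitchport trunk allowed vlan 10,20\n"

def parse_router(cfg):
    """Interface name -> {vlan, addrs} and pool name -> {network, gateway}; stanzas accumulate, as in IOS."""
    ifs, pools, cur = {}, {}, {"vlan": None, "addrs": []}  # scratch dict absorbs lines before any stanza
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"interface (.+)", line):
            cur = ifs.setdefault(m.group(1), {"vlan": None, "addrs": []})
        elif m := re.match(r"ip dhcp pool (\S+)", line):
            cur = pools.setdefault(m.group(1), {})
        elif m := re.match(r"encapsulation dot1q (\d+)", line):
            cur["vlan"] = int(m.group(1))
        elif m := re.match(r"ip address (.+)", line):
            cur["addrs"].append(m.group(1))
        elif m := re.match(r"network (\S+) (\S+)", line):
            cur["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"default-router (\S+)", line):
            cur["gateway"] = ipaddress.ip_address(m.group(1))
    return ifs, pools

def static_address(entry):
    """Only the last 'ip address' survives in IOS, so a trailing 'ip address dhcp' drops the static one."""
    last = entry["addrs"][-1] if entry["addrs"] else "dhcp"
    return None if last == "dhcp" else ipaddress.ip_interface("/".join(last.split()[:2]))

def check(router_cfg, switch_cfg):
    """Return a list of findings; an empty list means the router and switch scripts agree."""
    ifs, pools = parse_router(router_cfg)
    addr = {e["vlan"]: static_address(e) for e in ifs.values() if e["vlan"]}
    allowed = {int(v) for grp in re.findall(r"allowed vlan ([\d,]+)", switch_cfg) for v in grp.split(",")}
    out = [f"VLAN {v}: trunk allowed-list and router sub-interfaces disagree" for v in sorted(allowed ^ set(addr))]
    out += [f"VLAN {v}: no static address left ('ip address dhcp' ran last?)" for v, a in addr.items() if not a]
    gw = {a.network: a.ip for a in addr.values() if a}
    out += [f"pool {n}: default-router is not the sub-interface address on its network"
            for n, p in pools.items() if gw.get(p.get("network")) != p.get("gateway")]
    return out
```

Running check() on the full scripts from the page (pasted in place of the excerpts) returns an empty list; appending the "ip address dhcp" mistake to a sub-interface, or allowing an extra VLAN on the trunk, produces one finding each.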

Finally - translating to OPNSense

Here’s what I think I need to configure on my OPNSense router, as a result of this exercise:

  • Something something dot1q encapsulation - I can never remember what exactly this entails. Will have to research. (I read something about it being a pain or not possible on OPNSense/BSD? This was in the early stages of my research and I do not recall, nor did I save the link.)
  • DHCP for multiple subnets on a single interface
  • Sub-interfaces
  • Firewall rules (ACLs) - obviously. This will come last, and won’t matter if I can’t run the subnets in the first place.

EOF