Lesson 6 of 6

Subnetting Challenge

Lab Objectives

  • Design a subnet plan for a small branch office that meets department host requirements and conserves address space.
  • Implement inter-VLAN routing (router-on-a-stick) on R2 and configure VLANs on the access switch so PCs can reach each other and the Internet via R1.
  • Verify addressing, routing, and reachability end-to-end using show commands and ping.

Lab Tasks (Try It Yourself First!)

Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.

Task 1: Design subnets for departments

You must allocate subnets from the given networks for three departments at the branch:

  • Sales: needs at least 50 hosts — assign a contiguous subnet from 192.168.1.0/24 and choose a default gateway .254 for this VLAN.
  • Engineering: needs at least 110 hosts — assign a contiguous subnet from 192.168.2.0/24 and choose a default gateway .254 for this VLAN.
  • Management: needs up to 12 hosts — assign a contiguous subnet from 192.168.3.0/24 and choose a default gateway .254 for this VLAN.

Provide network addresses, masks (CIDR), and gateway IPs — do NOT enter device commands yet.

Task 2: Configure R2 for inter-VLAN routing (router-on-a-stick)

On R2, use Gi0/1 to provide the three VLAN default gateways (Sales, Engineering, Management) via subinterfaces. Keep the physical link to the switch on 10.10.40.0/24 for management/trunking as needed.

Parameters (do NOT use commands here): create subinterfaces Gi0/1.10, Gi0/1.20, Gi0/1.30 with 802.1Q encapsulation and the gateway IPs chosen in Task 1.

Task 3: Configure the access switch S1

On S1:

  • Create VLANs matching Sales, Engineering, Management.
  • Configure the access ports for PC1 and PC2 into the Sales VLAN.
  • Configure the trunk toward R2 (the interface connecting to R2) to carry the VLANs and allow the subinterfaces on R2 to serve as gateways.

Think About It: Why must the switch-to-router link be a trunk for router-on-a-stick to work? What happens if that link is configured as an access port instead of a trunk?


Lab Solution

(We use the exact base topology and IPs provided. The ASCII topology is shown first.)

                [Internet]
               203.0.113.1
                    |
               R1 (Gateway)
              Gi0/0: 10.10.10.1
              Gi0/1: 10.10.20.1
              Gi0/2: 10.10.30.1
              /     |     \
           R2      R3      R4
Gi0/0: 10.10.10.2   |   Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1   |          / \
        |
        S1          S2         S3
       /  \         |          /
     PC1  PC2      PC3       PC4  PC5

IP SCHEME (as given)

  • 10.10.10.0/24 — R1-R2 link
  • 10.10.20.0/24 — R1-R3 link
  • 10.10.30.0/24 — R1-R4 link
  • 10.10.40.0/24 — R2-S1 link
  • 192.168.1.0/24 — VLAN 10 (Sales)
  • 192.168.2.0/24 — VLAN 20 (Engineering)
  • 192.168.3.0/24 — VLAN 30 (Management)
  • 203.0.113.0/24 — Public/Internet simulation

Task 1 Solution: Design subnets for departments

What we are doing: Determine appropriate subnet sizes from the provided /24s to satisfy host counts while conserving addresses.

Design choices and reasoning:

  • Sales needs ≥50 hosts. A /26 provides 62 usable hosts — that meets requirement without wasting a full /24.
  • Engineering needs ≥110 hosts. A /25 provides 126 usable hosts — fits requirement.
  • Management needs ≤12 hosts. A /28 provides 14 usable hosts — fits requirement.

Subnet assignments (the .254 gateways listed here follow the task statement and are replaced in the tip below):

  • Sales VLAN 10: 192.168.1.0/26 — network 192.168.1.0, usable host range .1–.62, gateway 192.168.1.254 (we choose .254 as per convention)
  • Engineering VLAN 20: 192.168.2.0/25 — network 192.168.2.0, usable host range .1–.126, gateway 192.168.2.254
  • Management VLAN 30: 192.168.3.0/28 — network 192.168.3.0, usable host range .1–.14, gateway 192.168.3.254

Tip: The task asks for .254 as the gateway, for consistency with the reference IP pools, which used .254. A gateway must be inside its subnet, so .254 is only valid if it falls inside the chosen subnet. It is inside each original /24, but once you subnet a /24, .254 may fall outside a smaller subnet (for example, 192.168.3.0/28 has usable hosts .1–.14, so .254 is outside it). To avoid that mistake, we instead use the highest usable address inside each subnet as the gateway:

  • Sales (192.168.1.0/26): highest usable .62 -> use 192.168.1.62
  • Engineering (192.168.2.0/25): highest usable .126 -> use 192.168.2.126
  • Management (192.168.3.0/28): highest usable .14 -> use 192.168.3.14

(Using .254 is not valid for these subnets because .254 is outside the smaller ranges.)

Documented gateway choices:

  • Sales gateway: 192.168.1.62/26
  • Engineering gateway: 192.168.2.126/25
  • Management gateway: 192.168.3.14/28
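The sizing and gateway check from this task, worked through with Python's ipaddress module. This is an added example, not part of the original lab; the function names are illustrative and the host counts and parent /24 blocks are the ones given in Task 1.

```python
import ipaddress

# Department host requirements and parent /24 blocks from Task 1.
REQUIREMENTS = {
    "Sales": (50, "192.168.1.0/24"),
    "Engineering": (110, "192.168.2.0/24"),
    "Management": (12, "192.168.3.0/24"),
}


def smallest_prefix(hosts):
    """Longest IPv4 prefix whose usable host count (2^n - 2) covers `hosts`."""
    host_bits = (hosts + 1).bit_length()   # smallest n with 2^n >= hosts + 2
    return 32 - host_bits


def plan_subnet(hosts, parent):
    """Carve the first subnet of the required size out of `parent`."""
    parent_net = ipaddress.ip_network(parent)
    prefix = smallest_prefix(hosts)
    if prefix < parent_net.prefixlen:
        raise ValueError(f"{hosts} hosts do not fit in {parent}")
    subnet = next(parent_net.subnets(new_prefix=prefix))
    return {
        "subnet": subnet,
        "usable": subnet.num_addresses - 2,        # minus network and broadcast
        "gateway": subnet.broadcast_address - 1,   # highest usable address
    }


def gateway_is_valid(gateway, subnet):
    """A gateway must be a usable host address inside the subnet."""
    gw = ipaddress.ip_address(gateway)
    return gw in subnet and gw not in (subnet.network_address,
                                       subnet.broadcast_address)


def build_plan():
    return {dept: plan_subnet(hosts, parent)
            for dept, (hosts, parent) in REQUIREMENTS.items()}


if __name__ == "__main__":
    for dept, p in build_plan().items():
        task_gw = p["subnet"].network_address + 254   # the .254 the task asked for
        print(f"{dept:12} {p['subnet']}  usable={p['usable']:3}  "
              f"gateway={p['gateway']}  "
              f".254 valid: {gateway_is_valid(task_gw, p['subnet'])}")
```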

Task 2 Solution: Configure R2 subinterfaces for inter-VLAN routing

What we are doing: Create subinterfaces on R2 Gi0/1, tag them with 802.1Q VLAN IDs, and assign the gateway IPs derived above. This makes R2 act as the default gateway for each VLAN.

Commands (on R2):

interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.62 255.255.255.192
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.2.126 255.255.255.128
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.3.14 255.255.255.240
!
interface GigabitEthernet0/1
 no ip address

What just happened (command-by-command and WHY it matters):

  • interface GigabitEthernet0/1.10 — enters configuration for subinterface 10 (logical interface for VLAN 10).
  • encapsulation dot1Q 10 — configures 802.1Q tagging for VLAN 10 on that subinterface; required so frames arriving on the trunk are associated with the correct VLAN.
  • ip address 192.168.1.62 255.255.255.192 — assigns the chosen gateway IP for the Sales subnet; this is the default gateway for Sales hosts.
  • Repeat for VLANs 20 and 30 with appropriate subnet masks (/25 -> 255.255.255.128, /28 -> 255.255.255.240).
  • interface GigabitEthernet0/1 + no ip address — ensures the physical interface does not have an IP address (subinterfaces carry IPs). This prevents overlapping address issues.

Verify:

show ip interface brief

Expected relevant lines (example output):

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1         unassigned      YES unset  up                    up
GigabitEthernet0/1.10      192.168.1.62    YES manual up                    up
GigabitEthernet0/1.20      192.168.2.126   YES manual up                    up
GigabitEthernet0/1.30      192.168.3.14    YES manual up                    up

Real-world note: In production, router-on-a-stick is used when you have a single physical connection between a router and a switch but need multiple L3 networks. In data centers you might prefer an L3 switch for scalability; router-on-a-stick is common in small branches.

Task 3 Solution: Configure the access switch S1

What we are doing: Create VLANs on S1, assign PC ports into Sales VLAN, and configure the trunk toward R2 so VLAN tags pass to the router subinterfaces.

Commands (on S1):

vlan 10
 name Sales
!
vlan 20
 name Engineering
!
vlan 30
 name Management
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

What just happened and WHY it matters:

  • vlan X / name — creates VLAN entries in the switch VLAN database. VLANs must exist for access ports to be assigned.
  • interface Fa0/1 and Fa0/2 set to access and placed in VLAN 10 — connects PC1 and PC2 to the Sales subnet.
  • interface Gi0/1 configured as a trunk using 802.1Q and allowed VLANs 10,20,30 — carries tagged frames to R2 where subinterfaces demultiplex them. Without a trunk, the router subinterfaces would not receive VLAN tags and hosts would not reach their gateways.

Verify:

show vlan brief

Expected excerpt:

VLAN Name                             Status    Ports
10   Sales                            active    Fa0/1, Fa0/2
20   Engineering                      active
30   Management                       active

show interfaces trunk

Expected excerpt:

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       trunk        dot1q          trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20,30

Troubleshooting Scenario

Scenario: Sales PCs cannot ping their gateway

Symptom: PC1 (assigned 192.168.1.10/26) cannot ping 192.168.1.62. Other VLANs work.

Your task: Find and fix the issue.

Hint: Check the subinterface VLAN tag and mask on R2 and verify the switch trunk tags the frames for VLAN 10.

Solution:

  • Likely cause: subinterface was configured with wrong VLAN tag or wrong mask (for example encapsulation dot1Q 20 on .10).
  • Fix: On R2, verify subinterfaces and correct encapsulation and IP mask:
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.62 255.255.255.192
  • Then verify on S1 the Fa0/1 is in VLAN 10 and Gi0/1 is trunking:
show interfaces trunk
show vlan brief
  • After correction, pings should succeed.

Verification Checklist

  • R2 shows three subinterfaces up with correct IPs (use show ip interface brief).
  • S1 trunk is up and allowing VLANs 10, 20, 30 (show interfaces trunk).
  • PC in Sales can ping its gateway and reach 203.0.113.1 via R1 (end-to-end connectivity).

Common Mistakes

Symptom | Cause | Fix
PC cannot ping gateway in same VLAN | Subinterface VLAN tag on router does not match switch VLAN | Correct encapsulation dot1Q <vlan> on router subinterface
Trunk shows as down / not passing VLANs | Trunk not configured on switch or mismatched encapsulation | Configure switchport mode trunk and switchport trunk encapsulation dot1q (if required)
Gateway IP unreachable even though subinterface exists | IP address assigned outside the chosen subnet (e.g., used .254 from /28) | Recalculate subnet and assign an IP inside the subnet (use the highest usable or .1 as appropriate)
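The first and third mistakes above can be caught before any ping test by comparing the router configuration against the subnet plan. The following is an added example, not part of the original lab: the sample configuration is constructed with two deliberate faults, the function names are illustrative, and it assumes the lab's convention that the subinterface number equals the VLAN ID.

```python
import ipaddress
import re

# Planned VLAN -> subnet mapping from the Task 1 solution.
PLAN = {10: "192.168.1.0/26", 20: "192.168.2.0/25", 30: "192.168.3.0/28"}

# Constructed sample: R2 config with two deliberate faults (wrong tag on .10,
# and a .254 address with a /28 mask on .30).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.10
 encapsulation dot1Q 20
 ip address 192.168.1.62 255.255.255.192
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.2.126 255.255.255.128
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.3.254 255.255.255.240
"""

def parse_subinterfaces(config):
    """Return {subinterface number: {'vlan': int, 'ip': IPv4Interface}}."""
    subifs, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface \S+\.(\d+)$", line):
            current = subifs.setdefault(int(m.group(1)), {})
        elif line.startswith("interface "):
            current = None                      # physical interface, not a subinterface
        elif current is not None and (m := re.match(r"encapsulation dot1Q (\d+)", line)):
            current["vlan"] = int(m.group(1))
        elif current is not None and (m := re.match(r"ip address (\S+) (\S+)", line)):
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return subifs

def audit(config, plan=PLAN):
    """List mismatches between the router config and the subnet plan."""
    findings = []
    subifs = parse_subinterfaces(config)
    for vlan, cidr in plan.items():
        sub = subifs.get(vlan, {})
        if sub.get("vlan") != vlan:
            findings.append(f"Gi0/1.{vlan}: dot1Q tag is {sub.get('vlan')}, expected {vlan}")
        ip = sub.get("ip")
        if ip is None or ip.network != ipaddress.ip_network(cidr):
            findings.append(f"Gi0/1.{vlan}: address {ip} is not in {cidr}")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the mismatched tag on Gi0/1.10 and the out-of-subnet address on Gi0/1.30; a configuration matching the Task 2 solution returns an empty list.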

Challenge Task

Add DHCP services for each VLAN so PCs receive correct IP, mask, gateway, and DNS automatically. Use your subnet plan and ensure each VLAN receives addresses from its own pool. (Do this without step-by-step guidance — design pool ranges, configure DHCP on an appropriate device, and verify client leases.)

Important real-world insight: Choosing the correct subnet size prevents wasted address space and simplifies route summarization. In production branches, you often avoid tiny subnets for servers and use predictable gateway addressing (e.g., .1 or .254) — but always ensure the gateway IP actually exists within the subnet range you design.