Multi-Layer Troubleshooting Challenge
Lab Objectives
- Build inter-VLAN routing using router-on-a-stick and create the VLANs required for Sales, Engineering, and Management.
- Identify and fix multi-layer faults (Layer 1–3) in a small network: VLAN misconfiguration, trunking errors, and incorrect router subinterfaces.
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.
Base topology (use this EXACT topology with the listed interface names and IPs):
                 [Internet]
                203.0.113.1
                     |
                R1 (Gateway)
              Gi0/0: 10.10.10.1
              Gi0/1: 10.10.20.1
              Gi0/2: 10.10.30.1
             /       |       \
           R2        R3        R4
Gi0/0: 10.10.10.2    |    Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1    |
        /  \         |
      S1    S2       S3
     /  \    |      /
   PC1  PC2  PC3  PC4  PC5
IP scheme:
- 10.10.10.0/24 — R1-R2 link
- 10.10.20.0/24 — R1-R3 link
- 10.10.30.0/24 — R1-R4 link
- 10.10.40.0/24 — R2-S1 link (physical)
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation
Task 1: Configure VLANs on S1 and S2
Create VLANs 10, 20, and 30. Configure access ports:
- S1 Fa0/1 -> PC1 (VLAN 10)
- S1 Fa0/2 -> PC2 (VLAN 10)
- S2 Fa0/1 -> PC3 (VLAN 20)
(Do NOT configure IPs on the switch SVIs for inter-VLAN routing — router-on-a-stick will provide gateways.)
Task 2: Configure router-on-a-stick on R2
Convert R2 Gi0/1 into a trunk link and create subinterfaces for VLANs 10/20/30. Assign gateway IPs:
- Gi0/1.10 -> 192.168.1.1/24
- Gi0/1.20 -> 192.168.2.1/24
- Gi0/1.30 -> 192.168.3.1/24
(Keep R2 Gi0/0 address 10.10.10.2 as-is for R1 connectivity.)
Task 3: Configure the trunk on S1 connecting to R2
Put S1 Gi0/1 (the link to R2) into dot1Q trunk mode and allow VLANs 10,20,30. Ensure native VLAN is consistent.
Think About It: If PC1 (192.168.1.10) can ping R2 Gi0/1.10 (192.168.1.1) but cannot ping PC3 (192.168.2.10), where in the OSI stack would you start looking and why?
Lab Solution
Task 1 Solution: Configure VLANs on S1 and S2
What we are doing: Create VLANs and assign access ports on the switches so hosts get placed into correct broadcast domains. This is Layer 2 configuration — if VLANs are wrong, hosts will be isolated or in the wrong network.
! On S1
enable
configure terminal
vlan 10
name Sales
vlan 20
name Engineering
vlan 30
name Management
interface FastEthernet0/1
switchport mode access
switchport access vlan 10
interface FastEthernet0/2
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20,30
exit
! On S2
enable
configure terminal
vlan 20
name Engineering
interface FastEthernet0/1
switchport mode access
switchport access vlan 20
exit
What just happened:
- vlan X creates the VLAN in the switch database — necessary so ports can be placed into that VLAN.
- switchport mode access and switchport access vlan assign a port to a VLAN (Layer 2 membership).
- switchport trunk encapsulation dot1q and switchport mode trunk put the S1 Gi0/1 link into dot1Q trunking so multiple VLANs travel to the router.
Verify:
! Show VLANs and port assignment on S1
show vlan brief
Expected output:
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/2, Gi0/3
10 Sales active Fa0/1, Fa0/2
20 Engineering active <none>
30 Management active <none>
! Show trunk status on S1
show interfaces trunk
Expected output:
Port Mode Encapsulation Status Native vlan
Gi0/1 on dot1q trunking 1
Port Vlans allowed on trunk
Gi0/1 10-30
Task 2 Solution: Configure router-on-a-stick on R2
What we are doing: Replace the single IP on Gi0/1 with subinterfaces, each providing a default gateway for a VLAN. This enables inter-VLAN routing at Layer 3. We remove the physical IP on Gi0/1 because dot1Q subinterfaces will carry VLAN-tagged traffic.
enable
configure terminal
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.3.1 255.255.255.0
exit
What just happened:
- no ip address on the physical interface frees it to be solely a trunk port that carries tagged frames.
- interface Gi0/1.X creates logical subinterfaces mapped to VLAN IDs with encapsulation dot1Q X.
- Each ip address on subinterfaces becomes the gateway for hosts in that VLAN. Without these, hosts would have no L3 path off their VLAN.
Verify:
show ip interface brief
Expected output (relevant lines):
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.10.10.2 YES manual up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/1.10 192.168.1.1 YES manual up up
GigabitEthernet0/1.20 192.168.2.1 YES manual up up
GigabitEthernet0/1.30 192.168.3.1 YES manual up up
Task 3 Solution: Configure trunk on S1 toward R2
What we are doing: Ensure S1 Gi0/1 is trunking and carrying VLANs to R2. Native VLAN must be consistent on both ends (we used dot1Q and left native VLAN 1).
! On S1 (already configured in Task 1), confirm trunk:
show run interface GigabitEthernet0/1
What just happened: This confirms the trunk configuration. If trunk is down or mismatched (access mode, wrong encapsulation), VLAN traffic won't reach R2.
Verify:
show interfaces trunk
Expected output:
Port Mode Encapsulation Status Native vlan
Gi0/1 on dot1q trunking 1
Port Vlans allowed on trunk
Gi0/1 10-30
Troubleshooting Scenario
Scenario: Trunk and subinterface mismatch
Symptom: PC1 (192.168.1.10) can ping R2 Gi0/1.10 192.168.1.1, but cannot ping PC3 (192.168.2.10) or reach the internet.
Your task: Find and fix the issue.
Hint: Look for a VLAN mismatch on the switch or a wrong encapsulation/VLAN ID on a router subinterface.
Solution:
- Step 1: On R2, verify subinterfaces and VLAN IDs:
show running-config interface GigabitEthernet0/1
If you see:
interface GigabitEthernet0/1.20
encapsulation dot1Q 30
ip address 192.168.2.1 255.255.255.0
This is wrong — VLAN ID and IP network don't match. Fix:
configure terminal
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
exit
- Step 2: On S1, ensure Fa0/1 and Fa0/2 are in VLAN 10 and S2 Fa0/1 is in VLAN 20. Check:
show vlan brief
- Step 3: Confirm trunk is up and allowing VLAN 20:
show interfaces trunk
Why this matters: If the encapsulation VLAN ID is wrong, R2 receives frames tagged for VLAN 20 on the wire but has no subinterface that matches that tag (the 192.168.2.1 gateway is bound to VLAN 30 instead), so routing between VLANs fails. The switch trunk must carry the same VLAN IDs that the router expects.
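Added example (not part of the original lab): a small Python audit that automates the manual checks in Steps 1 to 3 by comparing each R2 subinterface's dot1Q tag against the lab's VLAN-to-subnet plan and the VLANs allowed on the S1 trunk. VLAN_PLAN, R2_FAULTY, SUBIF, parse_subinterfaces and audit are names made up for this example, the sample config is constructed from the faulty stanza shown in Step 1, and the parser assumes each subinterface stanza lists encapsulation directly followed by ip address, as on this page.

```python
import ipaddress
import re

# VLAN plan from the lab's IP scheme: VLAN ID -> subnet.
VLAN_PLAN = {10: "192.168.1.0/24", 20: "192.168.2.0/24", 30: "192.168.3.0/24"}

# Constructed sample: R2 subinterfaces containing the fault from the scenario.
R2_FAULTY = """\
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 30
 ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.3.1 255.255.255.0
"""

SUBIF = re.compile(
    r"^interface (\S+\.\d+)\s*\n"
    r"\s*encapsulation dot1Q (\d+)\s*\n"
    r"\s*ip address (\S+) (\S+)", re.M | re.I)

def parse_subinterfaces(config):
    """Return [(name, vlan_id, IPv4Interface)] for each dot1Q subinterface."""
    return [(n, int(v), ipaddress.ip_interface(f"{ip}/{mask}"))
            for n, v, ip, mask in SUBIF.findall(config)]

def audit(config, trunk_allowed):
    """Return findings; an empty list means R2 matches the VLAN plan."""
    findings, seen = [], {}
    for name, vlan, ip in parse_subinterfaces(config):
        if vlan in seen:
            findings.append(f"{name}: VLAN {vlan} already tagged on {seen[vlan]}")
        seen.setdefault(vlan, name)
        if VLAN_PLAN.get(vlan) != str(ip.network):
            findings.append(f"{name}: dot1Q {vlan} does not match {ip.network}")
        if vlan not in trunk_allowed:
            findings.append(f"{name}: VLAN {vlan} not allowed on the S1 trunk")
    for vlan in sorted(set(VLAN_PLAN) - set(seen)):
        findings.append(f"VLAN {vlan}: no subinterface carries this tag")
    return findings

if __name__ == "__main__":
    for finding in audit(R2_FAULTY, trunk_allowed={10, 20, 30}):
        print(finding)
```

Pass the VLAN set read from show interfaces trunk as trunk_allowed; an empty result means the router tags, gateway subnets and trunk list agree.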
Verification Checklist
- S1 has VLANs 10, 20, 30 created and access ports assigned.
- S1 Gi0/1 is trunking with encapsulation dot1Q and allows VLANs 10–30.
- R2 Gi0/1 subinterfaces .10/.20/.30 exist with IPs 192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24.
- PC1 (192.168.1.10/24 gw 192.168.1.1) can ping PC3 (192.168.2.10/24 gw 192.168.2.1).
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| PC cannot reach gateway but link is up | Access port assigned to wrong VLAN | Move port to correct VLAN: switchport access vlan X |
| Router sees no tagged frames on subinterface | Physical interface still has an IP or not set to trunk | interface Gi0/1 -> no ip address; ensure switch port is trunking |
| Inter-VLAN ping works only one-way | Native VLAN mismatch or ACL blocking | Align native VLANs and check/remove ACLs on interfaces |
| Trunk shows 'encapsulation negotiation failed' | Mismatched encapsulation (dot1q vs isl) | Configure same encapsulation on both sides: switchport trunk encapsulation dot1q |
Tip: In production, router-on-a-stick becomes a bottleneck for many VLANs; in data centers you use L3 switches. For small sites and labs, it’s a great way to learn inter-VLAN routing.
Challenge Task
Without step-by-step guidance, extend the topology so hosts can reach the Internet:
- Add the minimal routing needed so 192.168.0.0/16 networks are reachable from R1 and a default route exists back to the Internet (203.0.113.1). Ensure R1 knows how to reach the VLAN networks and R2 forwards unknown traffic to R1.
Good luck — document your commands, why you ran them, and show the verification outputs you observed.