How To Create Sub Interface On Cisco Router
Hello guys & gals,
I trust you're all well. I'm trying to re-purpose an old Cisco 1711 Router to do some port forwarding tasks for me. However, I'm having a heck of a time configuring a sub-interface on any of the ports on the switch module (Fa1, Fa2, Fa3, and Fa4). These are Layer2 ports so I know I can't directly add an IP address to them, but all my training (and everybody I've asked so far) tells me I need to create a sub-interface with dot1q encapsulation.
However, all the commands I'm issuing aren't working. I'm not sure if it's because the 1711 doesn't support sub-interfacing or what. I haven't found anything online yet that would indicate it doesn't. So, if someone here is familiar with the 1711 router and can give a hand with what I need to do, I would very much appreciate it.
Here's my running-config:
fw1#sho run
Building configuration...

Current configuration : 1518 bytes
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service sequence-numbers
no service dhcp
!
hostname fw1
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 MD5_HASH
!
clock timezone EST -4
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
no ip domain lookup
ip domain name domain.local
ip ips po max-events 100
no ftp-server write-enable
!
!
!
no crypto isakmp ccm
!
!
!
interface FastEthernet0
 description WAN to ISP (Comcast Coax)
 ip address MY_ISP_STATIC_IP 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 switchport access vlan 10
 switchport mode trunk
 speed 100
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan10
 description Connection to LAN @ Ironwood
 ip address 172.23.6.120 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 MY_ISP
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0 overload
!
!
access-list 1 permit 172.23.6.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line 1
line aux 0
line vty 0 4
!
end
Should be like this example, let's use interface fa0/3
interface fa0/3.10
encapsulation dot1q 10
ip address 192.168.1.254 255.255.255.0
The fa0/3.10 doesn't actually mean this sub-interface is using VLAN 10; this is just for organizational purposes. The encapsulation dot1q 10 actually does the VLAN tagging. You will have to encapsulate the interface first before assigning an IP address also.
EDIT: read it too quick, thought you were trying to set up ROS, and since this is a layer 3 device you should be able to set sub-interfaces on it.
Aaron
Thanks Aaron for the response. fa0 is my Internet facing port, so I didn't think that's where I would need to put the sub-interface. Am I wrong? fa1 is the switch module that has four layer2 ports in it.
On a layer-2 interface you do not create a sub-interface. You will create SVIs - virtual interfaces with IP address for the VPN and then you will associate switch ports with the VLANs they should belong to.
It looks like your config is ok, you define VLAN 10 with an IP and make FA2 an access port. If you plug a computer into Fa2 can you ping 172.23.6.120? er uh oh wait. That's not a private IP. You should fix that.
Thanks Peter.
Unfortunately, I inherited this network and that subnet was in use already and difficult to change. On the issue at hand, however, thanks for the clarification. When I issue the command "switchport access vlan 10" on either fa1 or fa2, the ports and vlan10 change states to up then go back down.
fw1#
001148: *Mar 2 03:09:27.678: %DTP-5-TRUNKPORTON: Port Fa1 has become dot1q trunk
001149: *Mar 2 03:09:28.178: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
001150: *Mar 2 03:09:29.178: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
001151: *Mar 2 03:09:29.698: %DTP-5-NONTRUNKPORTON: Port Fa1 has become non-trunk
001152: *Mar 2 03:09:30.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down
001153: *Mar 2 03:09:31.198: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to down
What subnets are you attempting to set up?
Aaron, I'm just trying to set up this router to pass traffic from another ISP to my local subnet (172.23.6.0/24). So in effect, I just want it to be another IP device on the network. But the problem I'm running into is that the switchports are layer 2 so I can't directly assign an IP address.
I found out the reason why the port goes up then immediately down - the switch is deactivating the port. Apparently, the router is triggering the STP BPDU Guard on the switch. So I guess I need to do something with spanning-tree-protocol on the router to resolve this - don't know what though - but that's what I need to figure out.
Any help would be appreciated.
Kismet wrote:
I found out the reason why the port goes up then immediately down - the switch is deactivating the port. Apparently, the router is triggering the STP BPDU Guard on the switch. So I guess I need to do something with spanning-tree-protocol on the router to resolve this - don't know what though - but that's what I need to figure out.
Any help would be appreciated.
Let's see the err-disable output to be sure. With the interface down, show us the output of show int fa1
Also BPDU guard is not enabled by default so someone must have added it. It is just (JUST) possible that the router had a sub-if before with BPDU guard enabled, then the sub-if was deleted but (as we all know) Cisco warn that when deleting a sub-if, some config may remain.
Go to the sub-if and issue the command
Router(config-subif)#no spanning-tree bpduguard enable
That should clear it.
You should shutdown FA1 for now, just use FA2 and plug in a computer and assign it an IP on the VLAN 10 subnet. Can it ping the VLAN 10 Interface?
What does FA1 connect to? Remove the TRUNK command. And add SWITCHPORT MODE ACCESS to both ports. Now what do you have?
Thanks all for your assistance - regarding the BPDU issue, I was the one that enabled it on the switch and had forgotten about it. So I simply disabled it for that specific port this router is plugging into. So that issue is solved.
So now that I think of it, my original question regarding not being able to create a sub-interface is null and voided - since the reason I wanted to do that in the first place was because the port wouldn't stay up after I issued the no shut command and put it in a Vlan.
At the moment, I have removed Vlan10 and put fa1 thru 4 back to the default Vlan1 (since my LAN is on Vlan1 on the switch I'm connecting to). Peter, as you pointed out, I have also ensured that the switchport mode is set back to access and not trunk (and the switch end matches as well).
The remaining issue I'm having now is that the router is responding to pings on the outside interface (fa0) using the public IP I assigned to it, but not responding to pings on the inside interface (fa1) from a client on the network. I know this is probably related to something I'm screwing up with my NAT rules, but so as not to mix that issue with this I'm going to close this and re-open another one.
Thank you all for your assistance - really appreciate it.
The 1711 is such an old router, I doubt it can come close to handling the bandwidth of even the slowest Comcast connection.
Having said that, I'm also wondering if you even can NAT between the Fastethernet ports on that router. Some of the Cisco lower end gear you'd need an ethernet card (WIC), the Fastethernet ports basically can only be used for LAN side.
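Added example (not part of the original thread and not any poster's code): a small Python parser for the IOS syslog format seen in the log posted earlier in the thread, reporting interfaces that come up and drop again within a few seconds, which is the pattern the thread traces to BPDU Guard on the neighbouring switch. The function names and the 5-second window are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# The six log lines posted in the thread (sequence numbers + msec timestamps).
SAMPLE_LOG = """\
001148: *Mar 2 03:09:27.678: %DTP-5-TRUNKPORTON: Port Fa1 has become dot1q trunk
001149: *Mar 2 03:09:28.178: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
001150: *Mar 2 03:09:29.178: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
001151: *Mar 2 03:09:29.698: %DTP-5-NONTRUNKPORTON: Port Fa1 has become non-trunk
001152: *Mar 2 03:09:30.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down
001153: *Mar 2 03:09:31.198: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to down
"""

# seq: [*]Mon D HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<seq>\d+): \*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$")
UPDOWN_RE = re.compile(r"Interface (?P<intf>\S+), changed state to (?P<state>up|down)")

def parse(log):
    """Yield (timestamp, facility, mnemonic, message) per recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # IOS omits the year; pin a placeholder leap year so deltas work.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
            yield ts, m["fac"], m["mnem"], m["msg"]

def find_flaps(log, window=timedelta(seconds=5)):
    """Return (interface, seconds_up, dtp_seen) for each up->down within window."""
    last_up, dtp_seen, flaps = {}, False, []
    for ts, fac, _mnem, msg in parse(log):
        dtp_seen = dtp_seen or fac == "DTP"  # trunk negotiation in same capture
        m = UPDOWN_RE.search(msg)
        if not m:
            continue
        intf = m["intf"]
        if m["state"] == "up":
            last_up[intf] = ts
        elif intf in last_up:
            held = ts - last_up.pop(intf)
            if held <= window:
                flaps.append((intf, held.total_seconds(), dtp_seen))
    return flaps

if __name__ == "__main__":
    for intf, secs, dtp in find_flaps(SAMPLE_LOG):
        print(f"{intf}: up for {secs:.3f}s then down (DTP events seen: {dtp})")
```

A port that holds link for only a couple of seconds after being enabled is a cue to check the peer switch for an err-disabled port before changing anything on the router.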
Source: https://community.spiceworks.com/topic/1592411-how-do-i-add-a-sub-interface-on-a-cisco-1711-router
Posted by: mooreforgerd.blogspot.com