Hi!
Core side the uplink port's VLAN Membership:
port trunk permit vlan 210 4000
port trunk pvid vlan 4000
means that your Core's physical interface 4/0/23 (used as uplink to your Firewall) is going to use the VLAN 4000 untagged (PVID) and the VLAN 210 tagged.
If the Core is able to ping both VLAN 4000 and VLAN 210 IP interfaces on the Firewall (respectively 10.255.254.254 and 10.1.210.1) then it means that Core - Firewall communication (which is happening without a Transit VLAN point-to-point but it is just a Layer 2 extension) is working as expected.
As written above, you should then ensure that VLAN 4000 and VLAN 210 are transported (allowed) along the whole chain of involved switches (Core - Distribution - Access) and that's to permit your testing resources to reach the Firewall's VLAN 210 IP interface (and eventually the Firewall's VLAN 4000 IP interface).
We are implying that both your two resources (hosts 10.1.210.10 and 10.1.210.75 belonging to VLAN 210) are connected to access ports untagged members of VLAN 210 and that VLAN 210 is transported - tagged or untagged (tagged as best practice I would say) - up to the Core where finally there is the uplink to your Firewall's LAN physical interface (and where routing of this new VLAN 210 happens). Double check that.
Original Message:
Sent: Oct 17, 2023 07:42 AM
From: tbar1704
Subject: InterVlan Routing
We have a HP Switch as our Core switch doing Layer 3 routing. A small percentage of our VLAN interfaces have ACL's and I'd like to move the security to our Firewall.
The IP Address for the port on the firewall that connect to the core switch is 10.255.254.254
The trunk port on the core switch is configured as this:
#
interface GigabitEthernet4/0/23
port link-mode bridge
description Trunk to Firewall LAN
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 210 4000
port trunk pvid vlan 4000
#
The VLAN Interface for VLAN 4000 is configured on the core switch as
#
interface Vlan-interface4000
ip address 10.255.254.1 255.255.255.0
#
For testing I created a new VLAN Interface as a sub-interface on the physical port connecting the firewall to the switch. The VLAN Interface is on the firewall as 10.1.210.1. On the firewall and I created firewall policies for that Interface that look like this:
Name From To Source Dest Service
VLAN 210 - Out to LAN VLAN 210 LAN All All All
VLAN 210 - In from LAN LAN VLAN 210 All All All
I have two resources that are downstream off the Core switch on the new VLAN. The resources are on different distribution switches connected to the core switch and are all able to see each other.
10.1.210.10
10.1.210.75
From the console of the Core Switch I can ping 10.1.210.1
From the console of the Core switch I am unable to ping the two resources on the the new VLAN. Nor am I able to ping those resources from the firewall.
Any help is appreciated. Thank you