InterVlan Routing

  • 1.  InterVlan Routing

    Posted Oct 17, 2023 09:54 AM

    We have a HP Switch as our Core switch doing Layer 3 routing. A small percentage of our VLAN interfaces have ACLs and I'd like to move the security to our Firewall.

    The IP Address for the port on the firewall that connect to the core switch is

    The trunk port on the core switch is configured as this:
    interface GigabitEthernet4/0/23
    port link-mode bridge
    description Trunk to Firewall LAN
    port link-type trunk
    undo port trunk permit vlan 1
    port trunk permit vlan 210 4000
    port trunk pvid vlan 4000

    The VLAN Interface for VLAN 4000 is configured on the core switch as
    interface Vlan-interface4000
    ip address

    For testing I created a new VLAN Interface as a sub-interface on the physical port connecting the firewall to the switch. The VLAN Interface is on the firewall as On the firewall and I created firewall policies for that Interface that look like this:

    Name                      From       To         Source   Dest   Service
    VLAN 210 - Out to LAN     VLAN 210   LAN        All      All    All
    VLAN 210 - In from LAN    LAN        VLAN 210   All      All    All

    I have two resources that are downstream off the Core switch on the new VLAN. The resources are on different distribution switches connected to the core switch and are all able to see each other.

    From the console of the Core Switch I can ping

    From the console of the Core switch I am unable to ping the two resources on the new VLAN. Nor am I able to ping those resources from the firewall.

    Any help is appreciated. Thank you

  • 2.  RE: InterVlan Routing

    Posted Oct 18, 2023 08:13 AM

    Does the Vlan exist on all the switches in-between and is the vlan allowed on all the trunk ports in-between?

  • 3.  RE: InterVlan Routing

    Posted Oct 20, 2023 03:24 AM

    Core side the uplink port's VLAN Membership:

    port trunk permit vlan 210 4000
    port trunk pvid vlan 4000

    means that your Core's physical interface 4/0/23 (used as uplink to your Firewall) is going to use the VLAN 4000 untagged (PVID) and the VLAN 210 tagged.

    If the Core is able to ping both VLAN 4000 and VLAN 210 IP interfaces on the Firewall (respectively and then it means that Core - Firewall communication (which is happening without a Transit VLAN point-to-point but it is just a Layer 2 extension) is working as expected.

    As written above, you should then ensure that VLAN 4000 and VLAN 210 are transported (allowed) along the whole chain of involved switches (Core - Distribution - Access) and that's to permit your testing resources to reach the Firewall's VLAN 210 IP interface (and eventually the Firewall's VLAN 4000 IP interface).

    We are implying that both your two resources (hosts and belonging to VLAN 210) are connected to access ports untagged members of VLAN 210 and that VLAN 210 is transported - tagged or untagged (tagged as best practice I would say) - up to the Core where finally there is the uplink to your Firewall's LAN physical interface (and where routing of this new VLAN 210 happens). Double check that.
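The check that replies 2 and 3 ask for (is VLAN 210, and eventually VLAN 4000, permitted on every trunk between the firewall-facing core port and the access ports of the test hosts?) can be done offline against the switch configurations instead of by pinging. The script below is an added example, not code from the thread or from HPE: it parses Comware-style trunk configuration (the same `port trunk permit vlan` / `undo port trunk permit vlan` / `port trunk pvid vlan` lines shown for GigabitEthernet4/0/23), works out whether each hop carries a VLAN tagged, untagged or not at all, and walks a hop list from the core down to a host. The switch names (`core`, `dist1`, `access1`) and every interface other than the core's 4/0/23 are constructed assumptions, as is the deliberately missing VLAN 210 on the dist1 downlink that the audit is meant to catch.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed Comware-style excerpts. Only the core's 4/0/23 block follows the thread;
# the other switches and interfaces are assumptions made for the example.
SAMPLE_CONFIGS: Dict[str, str] = {
    "core": """
interface GigabitEthernet4/0/23
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 210 4000
 port trunk pvid vlan 4000
#
interface GigabitEthernet4/0/1
 port link-type trunk
 port trunk permit vlan 100 to 110 210
#
""",
    "dist1": """
interface GigabitEthernet1/0/48
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 100 to 110
#
""",
    "access1": """
interface GigabitEthernet1/0/24
 port link-type trunk
 port trunk permit vlan 100 to 110 210
#
interface GigabitEthernet1/0/5
 port link-type access
 port access vlan 210
#
""",
}


def expand_vlan_list(tokens: List[str]) -> Set[int]:
    """Expand a Comware VLAN list such as '210 4000', '100 to 110 210' or 'all'."""
    vlans: Set[int] = set()
    i = 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


@dataclass
class Port:
    name: str
    link_type: str = "access"
    permit: Set[int] = field(default_factory=lambda: {1})  # trunks permit VLAN 1 by default
    pvid: int = 1
    access_vlan: int = 1

    def carries(self, vlan: int) -> Optional[str]:
        """Return 'tagged', 'untagged', or None when the VLAN is not carried at all."""
        if self.link_type == "access":
            return "untagged" if vlan == self.access_vlan else None
        if vlan not in self.permit:
            return None
        return "untagged" if vlan == self.pvid else "tagged"


PERMIT_RE = re.compile(r"^(undo )?port trunk permit vlan (.+)$")
PVID_RE = re.compile(r"^port trunk pvid vlan (\d+)$")
ACCESS_RE = re.compile(r"^port access vlan (\d+)$")


def parse_ports(config: str) -> Dict[str, Port]:
    """Build a Port per 'interface' block; '#' ends a block as in Comware running-config."""
    ports: Dict[str, Port] = {}
    current: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
        elif line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports[current.name] = current
        elif current is None:
            continue
        elif line.startswith("port link-type "):
            current.link_type = line.split()[-1]
        elif m := PERMIT_RE.match(line):
            vlans = expand_vlan_list(m.group(2).split())
            current.permit = current.permit - vlans if m.group(1) else current.permit | vlans
        elif m := PVID_RE.match(line):
            current.pvid = int(m.group(1))
        elif m := ACCESS_RE.match(line):
            current.access_vlan = int(m.group(1))
    return ports


def audit_vlan_path(configs: Dict[str, str], path: List[Tuple[str, str]],
                    vlan: int) -> List[Tuple[str, Optional[str]]]:
    """For each (switch, port) hop report how the VLAN is carried; None marks the break."""
    parsed = {name: parse_ports(text) for name, text in configs.items()}
    report = []
    for switch, port_name in path:
        port = parsed[switch].get(port_name)
        report.append((f"{switch} {port_name}", port.carries(vlan) if port else None))
    return report


def vlan_is_end_to_end(report: List[Tuple[str, Optional[str]]]) -> bool:
    return all(status is not None for _, status in report)


# Hypothetical hop list from the firewall-facing core port down to one test host's access port.
FIREWALL_TO_HOST = [
    ("core", "GigabitEthernet4/0/23"), ("core", "GigabitEthernet4/0/1"),
    ("dist1", "GigabitEthernet1/0/48"), ("dist1", "GigabitEthernet1/0/1"),
    ("access1", "GigabitEthernet1/0/24"), ("access1", "GigabitEthernet1/0/5"),
]

if __name__ == "__main__":
    for vlan in (210, 4000):
        report = audit_vlan_path(SAMPLE_CONFIGS, FIREWALL_TO_HOST, vlan)
        for hop, status in report:
            print(f"VLAN {vlan:>4}  {hop:<30} {status or 'NOT PERMITTED'}")
        print(f"VLAN {vlan} end-to-end: {vlan_is_end_to_end(report)}")
```

Run against the constructed configs, the audit confirms what reply 3 derives for the core's uplink (VLAN 4000 untagged as PVID, VLAN 210 tagged) and then stops at the dist1 downlink, which never had 210 added to its permit list: that is exactly the kind of hop that makes the core and firewall able to ping each other while the downstream hosts stay unreachable. Note the default of VLAN 1 on a fresh trunk and the `undo ... permit vlan 1` handling, since a `permit vlan` line only adds to the list rather than replacing it.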