danteLive
New Member
July 30, 2018
Question

Routing between VLANS

  • July 30, 2018
  • 1 reply
  • 22952 views

Hi,

I have a physical interface which has two ports that are configured in a LAG, and those ports are tagged with all my VLANs.

We have 22 Cisco switches in all departments which are also tagged with all the VLANs.

Under my physical interface (10.1.0.x/23) I have three VLAN interfaces which I am trying to route between:

10.3.0.0/24 staff wifi 50, 10.4.0.0/24 guest wifi 60, 10.10.0.0/24 voice 5.

I can see in the routing monitor that there are connected routes, since they are directly attached. From this I understand that I only need bi-directional IPv4 policies between the subnets to make them communicate. I created these policies and can communicate perfectly and ping all devices between 10.1.0.0/23 and 10.3.0.0/24, but not between any of the other combinations. I need to be able to access 10.10.0.0/24 from 10.1.0.0/23, and I also need access to 10.4.0.0/24. Why is only one combination working when the policies are identical for the combinations? On those ranges I can ping only the gateway and no other IPs; for example, with the policy on I can ping 10.4.0.1, which is the gateway interface for the VLAN, but I can't ping a device on 10.4.0.2-254.

Thanks

1 reply

Toshi_Esumi
SuperUser
July 30, 2018

It's a firewall. You have to create policies between logical interfaces for all possible combinations, unless you combine them in a zone (or zones) and then allow intra-zone traffic.
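
The two options in this reply written out, as an added example that is not part of the original thread. It assumes the firewall is a FortiGate (the thread's "IPv4 policy", "routing monitor" and "intra-zone" are FortiOS terms, but no post names the platform) and uses assumed names (lag1, staff-wifi, guest-wifi, voice, lan-zone) together with the subnets and VLAN IDs from the question; the diagnose commands at the end are the standard FortiOS checks for whether traffic to a host (rather than to the gateway IP) actually leaves the firewall and comes back.

```fortios
# Assumed names, not from the thread: the LAG is "lag1"; the VLAN
# interfaces on it are "staff-wifi" (VLAN 50), "guest-wifi" (VLAN 60)
# and "voice" (VLAN 5). Subnets are the ones given in the question.
config system interface
    edit "staff-wifi"
        set vdom "root"
        set ip 10.3.0.1 255.255.255.0
        set allowaccess ping
        set interface "lag1"
        set vlanid 50
    next
    edit "guest-wifi"
        set vdom "root"
        set ip 10.4.0.1 255.255.255.0
        set allowaccess ping
        set interface "lag1"
        set vlanid 60
    next
    edit "voice"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping
        set interface "lag1"
        set vlanid 5
    next
end

# Option A: one policy per direction per interface pair. Shown for
# lag1 <-> guest-wifi only; every other pair needs its own two policies,
# so N interfaces means N*(N-1) policies. "edit 0" lets FortiOS assign
# the next free policy ID.
config firewall policy
    edit 0
        set name "lag1-to-guest"
        set srcintf "lag1"
        set dstintf "guest-wifi"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "guest-to-lag1"
        set srcintf "guest-wifi"
        set dstintf "lag1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Option B: put the interfaces in one zone with intra-zone traffic
# allowed; traffic between zone members then needs no per-pair policy.
config system zone
    edit "lan-zone"
        set intrazone allow
        set interface "lag1" "staff-wifi" "guest-wifi" "voice"
    next
end

# Checks for a host behind a VLAN interface (10.4.0.2 is an assumed
# host address). The sniffer shows the echo request leaving on
# guest-wifi and whether any reply comes back; the flow trace shows
# which policy the packet matched and why it was accepted or dropped.
diagnose sniffer packet any 'host 10.4.0.2 and icmp' 4 0 l
diagnose debug flow filter addr 10.4.0.2
diagnose debug flow trace start 10
diagnose debug enable
```

Two caveats when applying this. FortiOS will not add an interface to a zone while a policy still references that interface directly, so option B means deleting the per-interface policies first and then writing policies against the zone name; and the lan-zone name is an assumption, chosen to avoid clashing with an interface that may already be called "internal" on some models. More generally, a reply from 10.4.0.1 comes from the firewall itself and only proves that interface is up and has ping in its allowaccess list, whereas a reply from a host such as 10.4.0.2 additionally requires the policy match, a correctly tagged VLAN 60 path across the LAG and the switch trunk, and the host routing its answer back via 10.4.0.1; the sniffer output separates a policy drop (no request leaves guest-wifi) from a missing return path (request leaves, nothing returns).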

danteLive (Author)
New Member
July 30, 2018

Dear Toshi,

That is what I don't understand: I do have all the combinations in policies, yet I can only ping the gateway within that range and nothing else. I can also see that when I ping a device in that range it does hit the correct policy, even though I get no reply and can't communicate with those devices. What could be blocking the traffic? I have tried different devices as well. It was still working fine a few days ago and I did not change anything.

danteLive (Author)
New Member
July 30, 2018

Also worth noting: when I run an advanced IP scan on the affected subnets/ranges, I pick up a live device on the whole range, even though there are not even 254 devices on the range. I can, however, still not connect to anything on that range using HTTP, HTTPS, ICMP, etc. All services are allowed in the policy.