434 Views | 0 Helpful | 2 Replies

VLAN environment - not all VLAN route to default route (tracert)

jasonadmin77
Level 1

I have an environment set up that has multiple VLANs in a generic hub/spoke design. My VLANs can all ping each other and I can see traffic heading out to the internet. However, my traceroute doesn't appear to work from VLANs that are not my switch management VLAN.

Design = <switch> -trunk- <core switch> -connection- <dmz switch> -connection- <firewall> -connection- <ISP>

The first one is on my management network - VLAN GW on core switch, DMZ, Firewall, Beyond
The second one is on another VLAN - VLAN FW on core.... and then nothing.... However, I see traffic from it on my firewall but it's not browsing on the internet. Any suggestions on further troubleshooting?

<username>@sml-linux-01:~$ traceroute 10.100.0.2
traceroute to 10.100.0.2 (10.100.0.2), 64 hops max
1 10.100.132.2 0.456ms 0.296ms 0.257ms
2 172.20.100.101 0.633ms 0.277ms 0.462ms
3 172.20.128.5 0.483ms 0.133ms 0.093ms
4 169.254.3.1 11.620ms 11.184ms 11.089ms
^C

<username>@linux2:~$ traceroute 10.100.0.2
traceroute to 10.100.0.2 (10.100.0.2), 64 hops max
1 10.100.130.2 0.479ms 0.282ms 0.280ms
2 * * *
3 * ^C
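The two traces above can be compared mechanically. The following is an added example (not code from the thread or from Cisco): it parses both traceroute outputs, reports the last hop that answered on the failing path, the TTL at which replies stop, and which device answered at that TTL on the working path. It assumes both VLANs share the same path beyond the core switch, so the working trace is a valid reference for the failing one.

```python
import re

# Both traces are quoted from the question above: the first from the
# management VLAN host, the second from a host on another VLAN.
TRACE_MGMT = """traceroute to 10.100.0.2 (10.100.0.2), 64 hops max
1 10.100.132.2 0.456ms 0.296ms 0.257ms
2 172.20.100.101 0.633ms 0.277ms 0.462ms
3 172.20.128.5 0.483ms 0.133ms 0.093ms
4 169.254.3.1 11.620ms 11.184ms 11.089ms
^C
"""

TRACE_OTHER = """traceroute to 10.100.0.2 (10.100.0.2), 64 hops max
1 10.100.130.2 0.479ms 0.282ms 0.280ms
2 * * *
3 * ^C
"""

# A hop line starts with the TTL, then either a responder address or '*'.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(text):
    """Return [(ttl, responder)] in order; responder is None when the probes timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or a bare '^C'
        ttl, first = int(m.group(1)), m.group(2)
        hops.append((ttl, None if first == "*" else first))
    return hops


def diagnose(reference, failing):
    """Compare a working trace with a failing one to the same destination.

    Returns the last hop that answered on the failing path, the TTL at which
    replies stop, and the device that answered at that TTL on the working
    path (assumption: same path beyond the core for both VLANs). That device
    either never sees the probes or its ICMP time-exceeded replies never
    make it back to the failing source.
    """
    ref = dict(parse_hops(reference))
    fail = parse_hops(failing)
    last_ok = None
    first_silent = None
    for ttl, who in fail:
        if who is not None:
            last_ok = (ttl, who)
        elif first_silent is None:
            first_silent = ttl
    return {
        "last_responder": last_ok,
        "first_silent_ttl": first_silent,
        "expected_at_silent_ttl": ref.get(first_silent),
        "reference_hop_count": len(ref),
    }


if __name__ == "__main__":
    print(diagnose(TRACE_MGMT, TRACE_OTHER))
```

For the traces in the question this reports that the core SVI (10.100.130.2) answers at TTL 1 and that the device expected at TTL 2 (172.20.100.101 on the working path) is the first one whose reply is missing, which is where the return-path check should start.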

2 Replies

Azizi123
Level 1

The traceroute issue from non-management VLANs likely stems from asymmetrical routing or misconfigured firewall settings. While outbound traffic reaches the firewall, replies may be dropped or misrouted due to missing return routes, incorrect NAT rules, or restrictive firewall policies (e.g., blocking ICMP TTL expired messages or high UDP ports). Additionally, VLANs might be assigned to different security zones, causing inconsistent policy enforcement. It's also essential to verify that SVIs on the core switch are correctly configured and that no VLAN-specific ACLs are blocking traffic. Troubleshooting should include inspecting firewall routes, NAT rules, zone mappings, and running tcpdump or fw monitor to trace return traffic.
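The reply's suggestion to trace return traffic with tcpdump can be turned into a quick check. The following is an added example, not code from the thread or from any vendor: it reads capture lines in tcpdump's default text format taken on the firewall's inside interface and, per traceroute source, counts the UDP probes seen toward the destination and the ICMP time-exceeded replies heading back. The capture lines are constructed for the example; the host addresses 10.100.132.10 and 10.100.130.10 are made up, and the probe ports follow traceroute's default range starting at UDP 33434.

```python
import re
from collections import defaultdict

# Constructed capture lines (tcpdump default text format) as they might
# appear on the firewall's inside interface while both hosts run traceroute.
# Host addresses are invented; the prefixes follow the thread.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 10.100.132.10.45001 > 10.100.0.2.33434: UDP, length 32
10:00:01.000800 IP 172.20.128.5 > 10.100.132.10: ICMP time exceeded in-transit, length 60
10:00:01.001100 IP 10.100.132.10.45002 > 10.100.0.2.33435: UDP, length 32
10:00:01.001900 IP 172.20.128.5 > 10.100.132.10: ICMP time exceeded in-transit, length 60
10:00:02.000100 IP 10.100.130.10.45003 > 10.100.0.2.33434: UDP, length 32
10:00:02.001100 IP 10.100.130.10.45004 > 10.100.0.2.33435: UDP, length 32
10:00:02.002100 IP 10.100.130.10.45005 > 10.100.0.2.33436: UDP, length 32
"""

# Outbound traceroute probe: source.port > destination.port: UDP
PROBE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")
# Reply from an intermediate hop back to the probing host
TTL_EXCEEDED_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP time exceeded")


def correlate(capture, destination):
    """Per probing source: UDP probes seen toward `destination` and
    ICMP time-exceeded replies addressed back to that source."""
    stats = defaultdict(lambda: {"probes": 0, "time_exceeded": 0})
    for line in capture.splitlines():
        m = PROBE_RE.search(line)
        if m and m.group(2) == destination:
            stats[m.group(1)]["probes"] += 1
            continue
        m = TTL_EXCEEDED_RE.search(line)
        if m:
            stats[m.group(2)]["time_exceeded"] += 1
    return dict(stats)


def sources_without_replies(capture, destination):
    """Sources whose probes were seen on this interface but for which no
    time-exceeded reply was seen going back: the asymmetric-return or
    policy-drop case described in the reply."""
    return sorted(src for src, s in correlate(capture, destination).items()
                  if s["probes"] > 0 and s["time_exceeded"] == 0)


if __name__ == "__main__":
    print(correlate(SAMPLE_CAPTURE, "10.100.0.2"))
    print(sources_without_replies(SAMPLE_CAPTURE, "10.100.0.2"))
```

A source that appears with probes but zero replies on the inside interface means the firewall (or something beyond it) is not sending the time-exceeded messages back that way; capturing the same filter on the outside or DMZ interface then shows whether they were never generated or were generated and dropped or routed elsewhere.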

It depends on whether the SW is running L3 or L2.

MHM