Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
299
Views
2
Helpful
6
Replies

Inter-VLAN routing only working one way

Go to solution
gnomish
Level 1
Level 1

‎06-04-2025 10:11 PM

I'm trying to get routing working on a Catalyst 3850, but it will only work one way. 

I have the following vlans set up: 

interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 192.168.252.24 255.255.255.128
 ip access-group PERMIT in
 ip access-group PERMIT out
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan12
 ip address 192.168.12.2 255.255.255.0
!

Vlan 10 can reach vlans 2 and 12 no problem.  Vlan 12 cannot reach vlan 10, this is what I am trying to figure out.  I've tried leaving them as is to use the implicit permit rule and tested with explicit permit any any acls on both in and out.  

From a PC on vlan 12 I can ping the switch's ips both vlan 12 and 10, but cannot reach anything else on vlan 10

 

The devices I'm pinging are not windows, so there's no defender firewall issue

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
David Ruess
VIP
VIP

‎06-05-2025 04:59 AM

Hell,

 

Do all devices have the correct Default GW for their respective VLAN? Can you also test it by removing the IP ACLS on the VLAN 2. I know you mentioned using permit statements and that should work but would like to see the results when they are removed.

 

-David

View solution in original post

6 Replies 6

Go to solution
gnomish
Level 1
Level 1

‎06-04-2025 10:13 PM

Should add: When pinging from vlan 12 I can see the switch adding the device to the arp table if its not there, still times out though

0 Helpful

Go to solution
monika_kispal
Level 1
Level 1

‎06-04-2025 11:43 PM

Hey.

Have you tried tracing the route?

0 Helpful

Go to solution
M02@rt37
VIP
VIP

‎06-05-2025 02:10 AM

hello @gnomish 

 

The devices I'm pinging are not windows, so there's no defender firewall issue

 

 So Linux server ? Possible to tcpdump on it and see icmp-echo request ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Go to solution
monika_kispal
Level 1
Level 1

‎06-05-2025 04:10 AM

You could also use wireshark? Depending on your platforms you could get different but still usable answers from ping and traceroute.

0 Helpful

Go to solution
David Ruess
VIP
VIP

‎06-05-2025 04:59 AM

Hell,

 

Do all devices have the correct Default GW for their respective VLAN? Can you also test it by removing the IP ACLS on the VLAN 2. I know you mentioned using permit statements and that should work but would like to see the results when they are removed.

 

-David

Go to solution
gnomish
Level 1
Level 1

‎06-05-2025 06:17 AM

Well, I figured out that the device in VLAN10 that I want to reach has to have this switch as a gateway.  (vlan 10 is basically a dmz so the usual gw would be the fw)  Figured that might break icmp replies but didn't think it'd brick all communication.

I'm assuming I could also add a route back to vlan 12 on the fw but that would cause more issues.  

Customers Also Viewed These Support Documents