I'm encountering an issue with VLAN segmentation on my network. I have 10 VLANs, where some need to communicate with each other while others should remain isolated.
For example, I have VLANs 10, 20, and 30:
- VLAN 10 (in Static) should communicate with VLAN 20.
- VLAN 20 (in DHCP) should communicate with all VLANs.
- VLAN 30 (in DHCP) should be isolated from all other VLANs.
Here’s what I’ve observed on the switch:
1. When checking the access lists during troubleshooting, I don't see any matches for denied traffic (e.g., pings between VLANs that shouldn’t communicate), but I do see matches for traffic to its own gateway.
2. Devices in each VLAN can only ping their respective gateways.
I’ve tried various troubleshooting methods, including verifying trunking configurations, but I haven't been able to resolve the issue.
Here's a sample configuration that looks like my current config on the C9500:
! VLAN 10: block traffic toward 192.168.30.0 with wildcard 0.0.1.255 (a /23), allow everything else
ip access-list extended VLAN10
 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.1.255
 permit ip any any
!
! Applied inbound on the SVI, so it filters packets arriving from VLAN 10 hosts
interface Vlan10
 ip access-group VLAN10 in
!
! VLAN 20: no restrictions
ip access-list extended VLAN20
 permit ip any any
!
interface Vlan20
 ip access-group VLAN20 in
!
! VLAN 30: block traffic toward VLAN 10 and VLAN 20 subnets, allow everything else
ip access-list extended VLAN30
 deny ip 192.168.30.0 0.0.1.255 192.168.10.0 0.0.0.255
 deny ip 192.168.30.0 0.0.1.255 192.168.20.0 0.0.0.255
 permit ip any any
!
interface Vlan30
 ip access-group VLAN30 in
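To check what the posted access lists actually permit and deny, here is an added example (not from the original post) that implements IOS wildcard-mask matching in Python and runs the three lists over constructed sample flows; the host addresses are assumptions.

```python
import ipaddress

# Access lists copied from the question: (action, src, src_wildcard, dst, dst_wildcard).
# "any" carries no wildcard. Every IOS ACL ends with an implicit "deny ip any any".
ACLS = {
    "VLAN10": [("deny", "192.168.10.0", "0.0.0.255", "192.168.30.0", "0.0.1.255"),
               ("permit", "any", None, "any", None)],
    "VLAN20": [("permit", "any", None, "any", None)],
    "VLAN30": [("deny", "192.168.30.0", "0.0.1.255", "192.168.10.0", "0.0.0.255"),
               ("deny", "192.168.30.0", "0.0.1.255", "192.168.20.0", "0.0.0.255"),
               ("permit", "any", None, "any", None)],
}

def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if base == "any":
        return True
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(base) & care)

def wildcard_range(base, wildcard):
    """First and last address a base/wildcard pair covers (0.0.1.255 is a /23, not a /24)."""
    w = _as_int(wildcard)
    first = _as_int(base) & (~w & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | w))

def evaluate(acl_name, src, dst):
    """First matching entry wins; fall through to the implicit deny."""
    for action, sb, sw, db, dw in ACLS[acl_name]:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample flows. An "in" ACL on an SVI filters packets arriving from
    # hosts in that VLAN, so ACL VLAN10 sees traffic sourced by 192.168.10.x hosts.
    flows = [("VLAN10", "192.168.10.5", "192.168.20.5"),
             ("VLAN10", "192.168.10.5", "192.168.30.5"),
             ("VLAN10", "192.168.10.5", "192.168.31.200"),
             ("VLAN20", "192.168.20.5", "192.168.30.5"),
             ("VLAN30", "192.168.30.5", "192.168.20.5"),
             ("VLAN30", "192.168.30.5", "192.168.30.1")]
    print("0.0.1.255 on 192.168.30.0 covers", wildcard_range("192.168.30.0", "0.0.1.255"))
    for acl, src, dst in flows:
        print(f"{acl}: {src} -> {dst}: {evaluate(acl, src, dst)}")
```

Running it shows that every deny in the posted lists involves the 192.168.30.0/23 range; a VLAN 10 to VLAN 20 flow is permitted by ACL VLAN10, so ACL matches alone do not account for that path failing.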