
VLANs Configuration

dianawinsky
Level 1

I'm encountering an issue with VLAN segmentation on my network. I have 10 VLANs, where some need to communicate with each other while others should remain isolated. 

For example, I have VLANs 10, 20, and 30:

- VLAN 10 (in Static) should communicate with VLAN 20.
- VLAN 20 (in DHCP) should communicate with all VLANs.
- VLAN 30 (in DHCP) should be isolated from all other VLANs.

Here’s what I’ve observed on the switch:

1. When checking the access lists during troubleshooting, I don't see any matches for denied traffic (e.g., pings between VLANs that shouldn’t communicate), but I do see matches for traffic to its own gateway.
2. Devices in each VLAN can only ping their respective gateways.

I’ve tried various troubleshooting methods, including verifying trunking configurations, but I haven't been able to resolve the issue.

 

Here's a sample configuration that looks like my current config in C9500:

ip access-list extended VLAN10
 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.1.255
 permit ip any any
int vlan 10
 ip access-group VLAN10 in

ip access-list extended VLAN20
 permit ip any any
int vlan 20
 ip access-group VLAN20 in

ip access-list extended VLAN30
 deny ip 192.168.30.0 0.0.1.255 192.168.10.0 0.0.0.255
 deny ip 192.168.30.0 0.0.1.255 192.168.20.0 0.0.0.255
 permit ip any any
int vlan 30
 ip access-group VLAN30 in
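The posted ACLs evaluated flow by flow, as an added example that is not part of the original post or the poster's configuration. It models each list as a stateless inbound router ACL on its SVI, so a ping succeeds only when both the echo request and the echo reply are permitted. Assumptions: inter-VLAN routing is otherwise working, the SVI subnets are inferred from the wildcard masks, and the host addresses are constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any" as address + wildcard
# Entries transcribed from the post: (action, src, src_wildcard, dst, dst_wildcard)
ACLS = {
    "VLAN10": [("deny", "192.168.10.0", "0.0.0.255", "192.168.30.0", "0.0.1.255"),
               ("permit", *ANY, *ANY)],
    "VLAN20": [("permit", *ANY, *ANY)],
    "VLAN30": [("deny", "192.168.30.0", "0.0.1.255", "192.168.10.0", "0.0.0.255"),
               ("deny", "192.168.30.0", "0.0.1.255", "192.168.20.0", "0.0.0.255"),
               ("permit", *ANY, *ANY)],
}
# Assumption: SVI subnets inferred from the wildcard masks (VLAN 30 spans a /23).
SVI_SUBNETS = {"VLAN10": "192.168.10.0/24", "VLAN20": "192.168.20.0/24",
               "VLAN30": "192.168.30.0/23"}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First match wins. Returns (action, entry number); 0 means the implicit deny."""
    for n, (action, s, sw, d, dw) in enumerate(ACLS[acl], 1):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, n
    return "deny", 0

def ingress_acl(src):
    """ACL applied inbound on the SVI whose subnet contains the sender."""
    ip = ipaddress.ip_address(src)
    return next(n for n, net in SVI_SUBNETS.items() if ip in ipaddress.ip_network(net))

def ping(src, dst):
    """Stateless ACLs: the echo request and the echo reply are filtered separately."""
    request = evaluate(ingress_acl(src), src, dst)
    reply = evaluate(ingress_acl(dst), dst, src)
    return request[0] == "permit" and reply[0] == "permit", request, reply

if __name__ == "__main__":
    # Constructed host addresses, one per VLAN.
    hosts = {"VLAN10": "192.168.10.5", "VLAN20": "192.168.20.5", "VLAN30": "192.168.30.5"}
    for a, src in hosts.items():
        for b, dst in hosts.items():
            if a != b:
                ok, req, rep = ping(src, dst)
                print(f"{a}->{b}: ping {'ok' if ok else 'FAILS'} request={req} reply={rep}")
```

Under these lists a VLAN 20 host's request toward VLAN 30 is permitted, but the reply is dropped by the second entry of `VLAN30`, and the `0.0.1.255` wildcard also covers 192.168.31.0/24.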

 


chrihussey
VIP Alumni

Having difficulty understanding the issue. It looks like what you are trying to accomplish is pretty simple. Are the ACLs working and just not having the counters increment or are the ACLs not working? Please elaborate.

Also, it would be helpful if more detailed configs were provided.

Thanks