T The Triage ManualTechnical Guides for IT Emergencies
P2 · Network Infrastructure

VLAN, Inter-VLAN Routing, and Firewall ACL Misconfiguration — Network Segmentation Failure

VLAN misconfiguration, missing or incorrect inter-VLAN routing (SVI/sub-interface), and firewall or ACL rule errors cause complete or partial loss of communication between network segments, unexpected traffic drops, or unintended VLAN leakage. Root causes include trunk ports missing VLANs from their allowed list, absent or shutdown SVIs on Layer 3 switches, missing static routes, ACLs applied in the wrong direction, and native VLAN mismatches between switches. Resolution requires a systematic layer-by-layer review: VLAN database → trunk allowed-list → SVI/routed interface state → routing table → firewall/ACL rule order and hit counters. Changes to live firewall and routing rules carry a high risk of introducing additional outages and must be backed by tested rollback procedures.

Indicators

Likely causes

Diagnostic steps

  1. Identify the affected VLANs and verify VLAN existence on every switch in the traffic path. Cisco IOS: `show vlan brief` — confirm expected VLAN IDs are present and in 'active' state, not 'act/unsup' or absent. Open vSwitch: `ovs-vsctl show`. Linux bridge: `bridge vlan show`.
    Confirms whether the VLAN is defined and active on each switch, ruling out a missing VLAN database entry as the root cause before investigating trunk or routing issues.
  2. Check trunk port configuration and allowed VLAN lists on all inter-switch links. Cisco IOS: `show interfaces trunk`. Verify the affected VLAN ID appears in the 'VLANs allowed and active in management domain' column for each trunk interface — not just 'VLANs allowed on trunk', as a VLAN can be allowed but inactive if it is not in the local VLAN database.
    Determines whether the VLAN is permitted to traverse inter-switch trunk links; a missing entry causes all frames for that VLAN to be dropped silently at the trunk boundary.
  3. Verify Layer 3 VLAN interfaces (SVIs) or routed sub-interfaces exist and are in up/up state. Cisco IOS: `show ip interface brief` — locate `Vlan<ID>` entries; both 'Status' and 'Protocol' columns must show 'up'. Confirm the assigned IP address matches the intended default gateway for the VLAN subnet. If the SVI is administratively down, issue `no shutdown` under `interface vlan <id>` and recheck.
    Confirms that the routing device has an active, correctly addressed gateway interface for each VLAN; a missing or shutdown SVI prevents all inter-VLAN routing for that segment.
  4. Review the routing table on the Layer 3 switch, router, or firewall for all VLAN subnets. Cisco IOS: `show ip route`. Linux: `ip route show`. Confirm directly connected routes appear for each SVI subnet (marked 'C') and that no VLAN subnet route is missing or pointing to an incorrect next-hop. Flag any VLAN subnet absent from the table.
    Identifies missing or incorrect routes that would cause traffic to be dropped at the routing device or forwarded to the wrong next-hop, manifesting as one-way or no connectivity.
  5. Inspect firewall and ACL rules for rules that explicitly deny or fail to permit inter-VLAN traffic. Review rule order, source/destination zones or interfaces, and subnet definitions carefully. Check hit counters: Cisco ASA: `show access-list <name>`, looking for zero-hit permit rules and unexpectedly high-hit deny rules. Linux iptables: `iptables -L -v -n`. Identify shadowed rules (a broader deny before a specific permit) and rules applied to the wrong interface or direction.
    Determines whether a firewall deny rule or an absent permit rule is blocking legitimate inter-VLAN traffic, and whether rules are being evaluated in the intended order — a frequent silent failure mode.
  6. Use packet capture or traffic mirroring to observe actual frames at the VLAN boundary. Cisco IOS: configure a SPAN session (`monitor session 1 source interface <src>`, `monitor session 1 destination interface <dst>`) — avoid `debug ip packet` on production hardware under load. Linux/firewall: `tcpdump -i <interface> -nn 'host <src-ip> and host <dst-ip>'`. Confirm whether packets are arriving at the routing or firewall device, whether they are being forwarded, and whether ICMP unreachables or TCP RSTs are being returned.
    Provides ground-truth visibility into whether traffic is reaching the inter-VLAN routing point and what is happening to it, conclusively distinguishing a Layer 2 forwarding problem from a Layer 3 routing miss or a firewall policy block.

Resolution path

Prevention

Tools

References

vlaninter-vlan-routingfirewallaclnetwork-segmentationlayer-2layer-3switchingroutingtrunksvicisco-ioscisco-asaopen-vswitchiptablesmisconfigurationnetwork-outagetriagenative-vlanvtpspan