ACE - bridging - FWSM

Answered Question
Apr 24th, 2007

switch config:

svclc multiple-vlan-interfaces
svclc module 2 vlan-group 11
svclc vlan-group 11 101
firewall module 7 vlan-group 11
!

redundant switches, both have FWSM, only one has ACE (bridge mode)

The above switch config seems to work. However, an attempt to explicitly configure the FWSM with vlan 101 duplicated in its group 11 was not successful.

I'm trying to introduce the second ACE into the second chassis and seem to run into problems.

Has anyone experienced a similar problem, or am I not on track at all in this bridge mode?

(Note: With a PIX used outside of the chassis I do not experience this.)

Correct Answer by jasmina27s, Wed, 04/25/2007 - 10:57

Hi,

It is a valid configuration.

You define svclc OR firewall vlan-group (you don't need both if FWSM and ACE use the same vlan), and the same group you can join with ACE and FWSM. You do not need a separate firewall vlan-group with the same vlan 101; it is valid to use svclc vlan-group 11.

If you need to allocate additional vlans to use on the FWSM, define an additional firewall vlan-group and join it only with the FWSM:

Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall module 7 vlan-group 11,51

I did not understand what you are trying to accomplish with the second ACE, and exactly what kind of problems you ran into.

Regards,

Jasmina
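The complete supervisor-side configuration that the answer describes, collected into one block as an added example (not configuration posted by either participant). It reuses the slot numbers and VLAN group numbers from the thread; the VLAN range 70-85 is the one the answer used for illustration. The point worth keeping in mind from a segmentation standpoint: joining a module to a VLAN group hands that module every VLAN in the group, so VLANs that only the FWSM should be able to reach belong in a group that is joined to the FWSM alone, never to the shared group. The `show` commands at the end are the standard verification commands on the supervisor and are added here to confirm what each module actually received.

```cisco
! Supervisor (switch) side. Slot 2 = ACE, slot 7 = FWSM, as in the thread.
!
! Let the ACE carry more than one VLAN interface (bridge mode needs a
! client-side and a server-side VLAN on the ACE).
svclc multiple-vlan-interfaces
!
! Shared group: VLAN 101 is trunked to both service modules.
svclc vlan-group 11 101
!
! FWSM-only group: these VLANs must not be visible to the ACE, so they
! live in their own group which is never joined to the ACE slot.
firewall vlan-group 51 70-85
!
! Join each module only to the groups it needs.
svclc module 2 vlan-group 11
firewall module 7 vlan-group 11,51
!
! Verification (exec mode). The ACE should list VLAN 101 only; the FWSM
! should list 101 plus 70-85. Any VLAN showing up on the wrong module
! means a group was joined to the wrong slot.
show svclc vlan-group
show svclc module
show firewall vlan-group
show firewall module
```

Defining VLAN 101 a second time under a separate `firewall vlan-group` is unnecessary for this layout; the single shared group already makes it available to both slots, and the FWSM-only group keeps the ACE out of the VLANs it has no business bridging.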

s.srivas Thu, 04/26/2007 - 03:04

Thank you for confirming that defining a vlan in one location/group will make it valid for another location/same group without explicitly defining it.

The problem I ran into was that, with overconfidence, I left the default auto sync running and startup configs on the supposed-to-be primary ACE, opened the FT VLANs, and then the second connection to the FWSM.

The config syncs happened in the opposite direction, probably caused by an attempt to include the vlan also into the fwsm group, or something else happened.

Thanks anyway, I'll be confident about my assumptions on allocating the same LAN in two different locations but the same groups.

SS
