switch config --------------------------------
svclc module 2 vlan-group 11
svclc vlan-group 11 101
firewall module 7 vlan-group 11
redundant switches, both have FWSM, only one has ACE (bridge mode)
The above switch config seems to work. However, an attempt to explicitly configure the FWSM with vlan 101 duplicated in its group 11 was not successful.
I'm trying to introduce the second ACE into the second chassis and seem to run into problems.
Has anyone experienced a similar problem, or am I not on track at all in this bridge mode?
(Note: When a PIX is used outside of the chassis, I do not experience this.)
It is a valid configuration.
You define an svclc OR a firewall vlan-group (you don't need both if the FWSM and ACE use the same vlan), and you can join the same group with both the ACE and the FWSM. You do not need a separate firewall vlan-group with the same vlan 101; it is valid to use svclc vlan-group 11.
If you need to allocate additional vlans to use on the FWSM, define an additional firewall vlan-group and join it only with the FWSM:
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall module 7 vlan-group 11,51
I did not understand what you are trying to accomplish with the second ACE. Exactly what kind of problems did you run into?