Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
617
Views
0
Helpful
2
Replies

ACE - bridging - FWSM

Go to solution
s.srivas
Level 1
Level 1

‎04-24-2007 08:21 AM

switch config --------------------------------

svclc multiple-vlan-interfaces

svclc module 2 vlan-group 11

svclc vlan-group 11 101

firewall module 7 vlan-group 11

!

redundant switches, both have FWSM, only one has ACE (bridge mode)

The above swith config seems to work. However during attempt to explicitly configure the FWSM with vlan 101 duplicated in it's group 11 was not successful.

I'm trying to introduce the second ACE into the second chassis and seem to run into problems.

Has any one experienced similar problem or am I not in the track at all, in this bridge mode?

(Note: With a PIX is used outside of chassis I do not experience this.)

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jasmina27s
Level 1
Level 1

‎04-25-2007 10:57 AM

Hi,

It is valid configuration.

You define svclc OR firewall vlan-group (you don't need both if FWSM and ACE use the same vlan), and the same group you can join with ACE and FWSM. You do not need separate firewall vlan-group with the same vlan 101, it is valid to use svclc vlan-group 11.

If you need to allocate additional vlans to use on FWSM, define additional firewall vlan-group and join it only with FWSM:

Router(config)# firewall vlan-group 51 70-85

Router(config)# firewall module 7 vlan-group 11,51

I did not understand what are you trying to acomplish with the second ACE, and exactly what kind of problems you ran into?

Regards,

Jasmina

View solution in original post

0 Helpful
2 Replies 2

Go to solution
jasmina27s
Level 1
Level 1

‎04-25-2007 10:57 AM

Hi,

It is valid configuration.

You define svclc OR firewall vlan-group (you don't need both if FWSM and ACE use the same vlan), and the same group you can join with ACE and FWSM. You do not need separate firewall vlan-group with the same vlan 101, it is valid to use svclc vlan-group 11.

If you need to allocate additional vlans to use on FWSM, define additional firewall vlan-group and join it only with FWSM:

Router(config)# firewall vlan-group 51 70-85

Router(config)# firewall module 7 vlan-group 11,51

I did not understand what are you trying to acomplish with the second ACE, and exactly what kind of problems you ran into?

Regards,

Jasmina

0 Helpful

Go to solution
s.srivas
Level 1
Level 1
In response to jasmina27s

‎04-26-2007 03:04 AM

Thank you for confirming that defining a vlan in one location/group will meke it valid for another location/same group without explicitly defining.

The problem I ran into was with over confidence i left the default auto sync running and startup configs on the supposed to be primary ACE and opened the FT VLANs and and then the second connection to FWSM.

The config syncs happend in the oposite direction. probably caused by an attempt to include the vlan also into fwsm group or something else happened.

Thanks anyway, i'll be confident about my assumptions on allocating the same LAN in two different locations but same groups.

SS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents