Adding vlan to a vlan-group, is it an atomic operation?


I'm unable to find any documentation with regard to adding a vlan to a vlan-group that has multiple vlans already and whether it would be an atomic operation, i.e. the new vlan is added on, rather than reconfigured with a new list of vlans.


Here is an example:


I have 3 vlans with ids 100, 200, 300. I have one vlan-group 51, where these 3 vlans are assigned. This one vlan-group is already assigned to the FWSM module.


# show firewall vlan-group
Group Created by vlans
----- ---------- -----
51    FWSM       100,200,300

# show firewall module
Module Vlan-groups
------ -----------
09     51


If I were to add another vlan (400) onto vlan-group 51 like so:


(config)# firewall vlan-group 51 100,200,300,400


Would this be an atomic operation?


I'm assuming it is, as it wouldn't make sense to not be an atomic operation on a continuously reconfigured switch. But I just wanted to check and see if there was any documentation stating this fact.

Jon Marshall Tue, 05/08/2007 - 10:13

Hi


I believe it is as well, although I haven't seen it stated in the docs.


Rather than type the entire list out again you can just do


(config)# firewall vlan-group 51 400


which does suggest it does get added. Are you concerned that service might temporarily be disrupted on existing vlans?


If so, I can check in our lab tomorrow.


HTH


Jon

Yes, my concern was the interaction on the FWSM and whether it would impact current connection states.


Thank you for supplying the 'added' suggestion. I was always wondering whether that would append on the vlan. That is something that I couldn't find either.


For documentation and the search engines, to remove a vlan from a vlan-group, you can do:


(config)# no firewall vlan-group 300

Jon Marshall Wed, 05/09/2007 - 03:58

Hi


Just a quick follow up.


I thought I'd test this in the lab anyway, so I set off a continuous ping to a server in one of my DMZs and also started up an ssh session.


I then added a new vlan to the switch with the firewall vlan-group x "vlan number" command and there was not a blip. My ssh session was fine and there was no packet loss on the ping.


Just thought you'd like to know.


Jon
