Adding vlan to a vlan-group, is it an atomic operation?

Unanswered Question

I'm unable to find any documentation with regards to adding a vlan to vlan-group that has multiple vlans already and whether it would be an atomic operation, i.e. the new vlan is added on, rather than reconfigured with a new list of vlans.

Here is an example:

I have 3 vlans with ids 100, 200, 300. I have one vlan-group 51, where these 3 vlans are assigned. This one vlan-group is already assigned to the FWSM module.

# show firewall vlan-group
Group Created by vlans
----- ---------- -----
51    FWSM       100,200,300

# show firewall module
Module Vlan-groups
------ -----------
09     51

If I were to add another vlan (400) onto vlan-group 51 like so:

(config)# firewall vlan-group 51 100,200,300,400

Would this be an atomic operation?

I'm assuming it is, as it wouldn't make sense to not be an atomic operation on a continuously reconfigured switch. But I just wanted to check and see if there was any documentation stating this fact.

Jon Marshall Tue, 05/08/2007 - 10:13


I believe it is as well, although I haven't seen it stated in the docs.

Rather than type the entire list out again you can just do

(config)# firewall vlan-group 51 400

which does suggest it does get added. Are you concerned that service might temporarily be disrupted on existing vlans?

If so I can check in our lab tomorrow.



Yes, my concern was the interaction on the FWSM and whether it would impact current connection states.

Thank you for supplying the 'added' suggestion. I was always wondering whether that would append the vlan. That is something that I couldn't find either.

For documentation and the search engines, to remove a vlan from a vlan-group, you can do:

(config)# no firewall vlan-group 51 300
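
As an added example (not code from this thread, and not Cisco's tooling), here is a small Python helper that parses `show firewall vlan-group` output in the column layout shown above, works out the per-VLAN add and remove commands in the forms used in this thread instead of retyping the whole list, and then checks that the existing VLANs are still members after the change. The sample output is constructed to match the layout in the question; the helper assumes the `firewall vlan-group` / `no firewall vlan-group` VLAN argument accepts a comma-separated list and dash ranges, which is how the show output above presents membership.

```python
import re

# Constructed sample of "show firewall vlan-group" output, shaped like the
# thread's example plus a second group with a dash range (not a live capture).
SAMPLE_SHOW_OUTPUT = """\
Group Created by vlans
----- ---------- -----
51    FWSM       100,200,300
52    FWSM       10-12,20
"""


def parse_vlan_groups(text):
    """Return {group_id: set(vlan_ids)} from show firewall vlan-group output.

    Accepts comma lists and dash ranges (e.g. 10-12) in the vlans column and
    skips the header and separator lines.
    """
    groups = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+\S+\s+([\d,\-]+)\s*$", line)
        if not m:
            continue
        gid = int(m.group(1))
        vlans = set()
        for part in m.group(2).split(","):
            if "-" in part:
                lo, hi = (int(x) for x in part.split("-", 1))
                vlans.update(range(lo, hi + 1))
            elif part:
                vlans.add(int(part))
        groups[gid] = vlans
    return groups


def plan_changes(current, group, desired):
    """Compute the minimal incremental CLI to move `group` to `desired`.

    Uses the append form (firewall vlan-group G <vlans>) and the remove form
    (no firewall vlan-group G <vlans>) from the thread, so VLANs that are
    already present are never re-entered. Returns an empty list when the
    group already matches.
    """
    have = current.get(group, set())
    want = set(desired)
    add = sorted(want - have)
    remove = sorted(have - want)
    cmds = []
    if add:
        cmds.append(f"firewall vlan-group {group} {','.join(map(str, add))}")
    if remove:
        cmds.append(f"no firewall vlan-group {group} {','.join(map(str, remove))}")
    return cmds


def verify_membership(text, group, desired):
    """After the change, re-run the show command and confirm the group holds
    exactly the desired VLANs: nothing dropped, nothing unexpected added."""
    return parse_vlan_groups(text).get(group, set()) == set(desired)


if __name__ == "__main__":
    groups = parse_vlan_groups(SAMPLE_SHOW_OUTPUT)
    # Add vlan 400 to group 51 as in the question: only the delta is emitted.
    for cmd in plan_changes(groups, 51, [100, 200, 300, 400]):
        print(cmd)
    print("group 51 currently matches [100,200,300]:",
          verify_membership(SAMPLE_SHOW_OUTPUT, 51, [100, 200, 300]))
```

Run the planner against the output captured before the change, apply the printed commands, then feed the post-change `show firewall vlan-group` output to `verify_membership` to confirm that 100, 200 and 300 survived alongside 400. The planner only decides what to type; whether existing sessions through the FWSM stay up is the separate point Jon checks in the lab below.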

Jon Marshall Wed, 05/09/2007 - 03:58


Just a quick follow-up.

I thought I'd test this in the lab anyway, so I set off a continuous ping to a server in one of my DMZs and also started up an ssh session.

I then added a new vlan to the switch with the firewall vlan-group x "vlan number" command and there was not a blip. My ssh session was fine and there was no packet loss on the ping.

Just thought you'd like to know.


