Adding vlan to a vlan-group, is it an atomic operation?


I'm unable to find any documentation with regard to adding a vlan to a vlan-group that has multiple vlans already and whether it would be an atomic operation, i.e. the new vlan is added on, rather than reconfigured with a new list of vlans.

Here is an example:

I have 3 vlans with ids 100, 200, 300. I have one vlan-group 51, where these 3 vlans are assigned. This one vlan-group is already assigned to the FWSM module.

# show firewall vlan-group
Group Created by vlans
----- ---------- -----
51    FWSM       100,200,300

# show firewall module
Module Vlan-groups
------ -----------
09     51

If I were to add another vlan (400) onto vlan-group 51 like so:

(config)# firewall vlan-group 51 100,200,300,400

Would this be an atomic operation?

I'm assuming it is, as it wouldn't make sense to not be an atomic operation on a continuously reconfigured switch. But I just wanted to check and see if there was any documentation stating this fact.

Jon Marshall Tue, 05/08/2007 - 10:13

Hi

I believe it is as well, although I haven't seen it stated in the docs.

Rather than type the entire list out again you can just do

(config)# firewall vlan-group 51 400

which does suggest it does get added. Are you concerned that service might temporarily be disrupted on existing vlans?

If so I can check in our lab tomorrow.

HTH

Jon

Yes, my concern was the interaction on the FWSM and whether it would impact current connection states.

Thank you for supplying the 'added' suggestion. I was always wondering whether that would append on the vlan. That is something that I couldn't find either.

For documentation and the search engines, to remove a vlan from a vlan-group, you can do:

(config)# no firewall vlan-group 300

Jon Marshall Wed, 05/09/2007 - 03:58

Hi

Just a quick follow up.

I thought I'd test this in the lab anyway, so I set off a continuous ping to a server in one of my DMZs and also started up an ssh session.

I then added a new vlan to the switch with the firewall vlan-group x "vlan number" command and there was not a blip. My ssh session was fine and there was no packet loss on the ping.

Just thought you'd like to know.

Jon
