Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1488
Views
11
Helpful
4
Replies

Adding vlan to a vlan-group, is it an atomic operation?

netops
Level 1
Level 1

‎05-08-2007 09:57 AM - edited ‎03-11-2019 03:10 AM

I'm unable to find any documentation with regards to adding a vlan to vlan-group that has multiple vlans already and whether it would be an atomic operation, i.e. the new vlan is added on, rather than reconfigured with a new list of vlans.

Here is an example:

I have 3 vlans with ids 100, 200, 300. I have one vlan-group 51, where these 3 vlans are assigned. This one vlan-group is already assigned to the FWSM module.

# show firewall vlan-group

Group Created by vlans

----- ---------- -----

51 FWSM 100,200,300

# show firewall module

Module Vlan-groups

------ -----------

09 51

If I were to add another vlan (400) onto vlan-group 51 like so:

(config)# firewall vlan-group 51 100,200,300,400

Would this be an atomic operation?

I'm assuming it is, as it wouldn't make sense to not be an atomic operation on a continuously reconfigured switch. But I just wanted to check and see if there was any documentation stating this fact.

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎05-08-2007 10:13 AM

Hi

I believe it is as well although i haven't seen it stated in the docs.

Rather than type the entire list out again you can just do

(config)# firewall vlan-group 51 400

which does suggest it does get added. Are you concerned that service might temporarily be disrupted on existing vlans ?

If so i can check in our lab tomorrow.

HTH

Jon

netops
Level 1
Level 1
In response to Jon Marshall

‎05-08-2007 10:38 AM

Yes, my concern was the interaction on the FWSM and whether it would impact current connection states.

Thank you for supplying the 'added' suggestion. I was always wondering whether that would append on the vlan. That is something that I couldn't find ether.

For documentation and the search engines, to remove a vlan from a vlan-group, you can do:

(config)# no firewall vlan-group 300

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to netops

‎05-09-2007 03:58 AM

Hi

Just a quick follow up.

I thought i'd test this in the lab anyway so i set off a continuous ping to a server in one of my DMZ's and also started up an ssh session.

I then added a new vlan to the switch with the firewall vlan-group x "vlan number" command and there was not a blip. My ssh session was fine and there was no packet loss on the ping.

Just thought you'd like to now

Jon

cristian.badica
Level 1
Level 1
In response to Jon Marshall

‎05-21-2020 12:23 AM

Thanks for the information.
Weird thing I still need this information in 2020 :)
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card