PVLAN on FWSM interface on 6500

May 16th, 2008


Is it possible to apply a PVLAN configuration on a 6500 and have the interface on the FWSM configured as a promiscuous interface?

I found an old thread that said it couldn't be done, but that it might in the future.

The EtherChannel interface between the switch and the FWSM uses PAgP, and the PVLAN document states that PVLANs are not compatible with PAgP or LACP. (The document referred to is the 6500 IOS config guide for release 12.2SXF.)

Can anyone confirm if the latest hardware/software versions can now support this configuration?



gpulos Fri, 05/16/2008 - 09:39

Per CCO docs:

"PVLAN support on Firewall Services Module (FWSM) begins in software version 3.1. If you run a software version earlier than 3.1, the only possible workaround is to connect the promiscuous port of the PVLAN using the crossover cable to a regular access port. Then, make a firewall for the VLAN of that access port."

Please see the following link for the PVLAN Cat Switch Support Matrix:


Also in the FWSM FAQ:


rhholmes Tue, 05/20/2008 - 13:53

Thank you. That got it working. I'm surprised that there is no configuration required on the sup card or FWSM to get this working. Meaning I didn't have to assign it as a promiscuous port.

Are there any parameters to configure at the FWSM? What if I didn't want the FWSM interface to be promiscuous, or at least wanted to control which community VLANs it could access? Is there a way to control this?

Thanks again.

