FWSM & vlan1

Aug 4th, 2008

Just installed the FWSM in our 6513. Was reading on its configuration. It states under assigning VLANs to the FWSM under VLAN guidelines that you cannot use VLAN 1. We do use VLAN 1.

To change away from VLAN 1 would require a lot of changes on our campus edge switches. By default all switch ports were in VLAN 1 when our LAN was first set up.

What is the issue with VLAN 1 and is there nothing I can do other than start the process of moving away from using VLAN 1?


robertson.michael Mon, 08/04/2008 - 12:48

Hi Craig,

Unfortunately, as you noted, it is impossible to push VLAN 1 down to the FWSM.

Aside from redesigning your network to not use VLAN 1, you can try creating another SVI and routing your traffic through the MSFC before being sent down to the FWSM. So, the packet's path might look something like this:


With this workaround, you can push VLAN2 and VLAN100 down to the FWSM and still keep your hosts on VLAN1.

Hope that helps.
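
A supervisor-side sketch of the workaround described in the reply above, added here as an illustration and not taken from the original post or from Cisco documentation. The module slot (4), the vlan-group number (10), all IP addresses, and the assumption that VLAN 100 is the far side of the firewall are constructed for the example.

```cisco
! Constructed example: slot, group number and addresses are assumptions.
vlan 2
 name FWSM-TRANSIT
vlan 100
 name FWSM-FAR-SIDE
!
! Hand only VLAN 2 and VLAN 100 to the FWSM. VLAN 1 is never in the group.
firewall vlan-group 10 2,100
firewall module 4 vlan-group 10
!
! Hosts stay in VLAN 1; the MSFC SVI is their default gateway.
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! Transit SVI: the MSFC and the FWSM interface in VLAN 2 share this subnet.
! VLAN 100 gets no SVI here, so the MSFC cannot route around the firewall.
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
 no shutdown
!
! Route traffic leaving VLAN 1 to the FWSM's VLAN 2 address (assumed 10.1.2.2).
ip route 0.0.0.0 0.0.0.0 10.1.2.2
!
! Check afterwards that VLAN 1 is absent from the group:
!   show firewall vlan-group
```

The FWSM then needs a return route for the VLAN 1 subnet pointing at the MSFC's VLAN 2 address. Traffic between hosts inside VLAN 1 never reaches the firewall in this design, so only traffic leaving VLAN 1 is filtered.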


cef2lion2 Mon, 08/04/2008 - 13:06

Thanks for the workaround. So what is the issue with VLAN 1?


robertson.michael Mon, 08/04/2008 - 13:58

Hi Craig,

I believe the reason for this is simply the enforcement of a best practice. It is assumed that VLAN1 will be used for management traffic only and not need to be firewalled. It is a best practice to move your production traffic into VLANs other than VLAN1 (though certainly not a requirement as you have seen in your case).


