firewall vlan-group: adding vlans to exisiting vlan-group

sean.gray · ‎11-28-2008

Hi,

I have the following firewall vlan-group defined on my 6500

firewall vlan-group 3 2803,2805,2807

I need to add another vlan, say 2809 to this group.

Will this command:

firewall vlan-group 3 2809

overwrite or append the exisitng vlan-group. What would be the safest method to add this new vlan to the group.

Any suggestions would be appreciated.

Thanks

Giuseppe Larosa · ‎11-28-2008

Hello Sean,

I've given a look at one of my C6500.

the command allows multiline :

RT-xxx#sh run | inc vlan-group

firewall module 4 vlan-group 41

firewall vlan-group 41 3-9,11-14,97-99,200,201,400,405,410,415,420,425

firewall vlan-group 41 430-432,435,440,445,450,455,460,465,470,475,480,485

firewall vlan-group 41 490,531,532,600-602,605,606,610-612,615,630,644-648

firewall vlan-group 41 651,656,661,666,696-698,700-703,730,745-748,800,801

firewall vlan-group 41 901,902

RT-xxx

this is IOS

disk0:s72033-adventerprisek9_wan-mz.122-18.SXF14.bin

So I think you can add a line with the two new vlans without issues

Hope to help

Giuseppe

sean.gray · ‎11-28-2008

Giuseppe,

Thanks for the reply.

Just so that I understand if my current config is :

sh firewall vlan-group 3

Group Created by vlans

----- ---------- -----

3 FWSM 2803,2805,2807

running the:

firewall vlan-group 3 2809

command will merely add this vlan to the exisiting group so that my output from the sh firewall vlan-group command will be as follows:

sh firewall vlan-group 3

Group Created by vlans

----- ---------- -----

3 FWSM 2803,2805,2807,2809

What I am trying to avoid is running firewall vlan-group 3 2809 and the three existing vlans are removed from the group and replaced by 2809.

Thanks again,

Sean

Jon Marshall · ‎11-28-2008

Sean

If you run "firewall vlan-group 3 2809" then it will just append it to the existing line. It will not overwrite your existing configuration. Promise :-)

Jon

Shiva Prasad · ‎02-21-2012

Hi Jon,

Thanks, that was helpful, i would be greatful if you can help clear my doubt.

Is there a specific order to add a new vlan to the fwsm ? i added a new vlan to the firewall group but it does not show up in the system context. should i input the vlan config in the fwsm system context (interface vlan ) firts and then add the vlan in the switch config ? the diocumentation that i could find is confusing.

Regards,

Shiva

Farooq Razzaque · ‎08-23-2014

Dear Team

We have a core switch in VSS with FWSM running with multiple contexts.

I need to create 5 new DMZ (interfaces) in FWSM server context

Currently my config shows like below, which includes three "firewall vlan-group" statements, each with a comma-separated list of vlan numbers:

firewall switch 1 module 4 vlan-group 1,2,3
firewall switch 2 module 4 vlan-group 1,2,3

firewall vlan-group 1 2,3,4
firewall vlan-group 2 5,6,7 (vlans for server context)
firewall vlan-group 3 8,9,10

My question is: when I add the 5 new vlans, do I have to simply issue an additional "firewall vlan-group" statement with the five new vlan numbers, like this?

firewall vlan-group 2 30,40,50,60,70 (I need to add vlans in vlan-group 2)

In other words, will above command overwrite my existing list of vlans in vlan group 2 if I only add the five new vlans in vlan group 2 ? I obviously don't want to lose connectivity by erasing all my existing vlans.

Or do I have to issue a new statement that includes ALL of the existing vlans and five new vlans, like this?

firewall vlan-group 2 [all previously existing vlans],30,40,50,60,70 (five new vlans)

I want to know if i typed the above command with existing vlan and the new vlans does it cause any issues to the running environment b/c i think with the above command existing vlans will also be pushed along with new vlans to FWSM again or this is not the case.