Removing VLAN's from FWSM and how it affects connectivity

palomoj, Level 1

I have several production VLANs that I am going to be removing from the FWSM. I wanted to see if anyone out there had real-life experience of the effects and connectivity issues (if any) during the removal of the VLANs from the FWSM. How much connectivity loss and downtime should I expect during the removal of the VLANs from the FWSM back to the switch?

I'm talking about connectivity within each of the VLANs I'm removing, and connectivity to/from the other parts of the network and the VLANs I'm removing.

TIA

Accepted Solution

Jon Marshall, Hall of Fame

Joe

You can remove vlans that are allocated to the FWSM with no interruption to other vlans allocated to the FWSM. Make sure you remove them from both chassis if you have redundancy, otherwise failover gets in a bit of a state.

As for the vlans you are removing: well, they will no longer have an L3 interface, so communication will be broken. What you can do is create the L3 SVI on the MSFC for these vlans, but if you have not enabled "firewall multiple-vlan-interfaces" then the FWSM won't let you.

Either accept that connectivity to these vlans will be broken while you remove them from the FWSM and then create the L3 SVI on the MSFC, or you could try using the "firewall multiple-vlan-interfaces" command and create the L3 SVIs before removing them from the FWSM. I have never done this though.

Jon


First of all, thanks a lot for your quick and good feedback. This was the script I planned to execute.

! remove vlans 297-299 from vlan-group 1, then detach vlan-group 1 from the FWSM in slot 3
no firewall vlan-group 1 297-299
no firewall module 3 vlan-group 1
!
! bring up the L3 SVIs on the MSFC for the migrated vlans (addresses masked)
interface Vlan297
 no shutdown
 ip address a.a.a.1 255.255.255.0
 no ip unreachables
 no ip redirects
!
interface Vlan298
 no shutdown
 ip address b.b.b.1 255.255.255.0
 no ip unreachables
 no ip redirects
!
interface Vlan299
 no shutdown
 ip address c.c.c.1 255.255.255.128
 no ip unreachables
 no ip redirects

Joe

That will work fine, although obviously you will lose connectivity within those 3 vlans while you bring up their L3 SVIs.

One thing though.

"no firewall module 3 vlan-group 1"

This will remove any vlans in vlan-group 1 from the FWSM in slot 3. Is this what you want?

I ask because you have:

no firewall vlan-group 1 297-299

no firewall module 3 vlan-group 1

The first line removes the vlans from the FWSM. If you have any other vlans allocated to vlan-group 1 that you still want to use on the FWSM, then you definitely don't want the second line.

Jon

Yeah, we're making some changes and I'm pulling the FWSM out of this chassis.

How much connectivity loss do you think there will be?

Joe

Okay that makes sense.

As for connectivity loss, well, you would certainly want to do this out of core production hours, and you should look to clear out the ARP tables on the 6500.

The only other issue you may have is that end servers and hosts on vlans 297-299 will have an ARP cache entry that resolves their default gateway to the MAC address on the FWSM.

I'm assuming you are simply migrating the addresses from the FWSM to the L3 SVI? If so, you may need to clear ARP caches on servers and hosts. That's why you want to do this out of hours.

Finally, routing: I don't know how you are routing to the DMZs on the FWSM at the moment, i.e. a dynamic routing protocol such as OSPF between the MSFC and FWSM or just statics, but whichever way, don't forget to clean up the config afterwards.

Jon
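Two of the points raised in this thread lend themselves to a pre-change script: checking what the two `no firewall ...` lines in the posted plan actually detach from the FWSM (the vlan-group concern above), and checking afterwards whether hosts on the migrated vlans still resolve their default gateway to the FWSM's MAC (the ARP cache concern). The Python below is an added example and is not from the thread or from Cisco; it works on captured CLI output rather than talking to devices. The slot, group and VLAN numbers in `RUNNING_CONFIG`, the `ip neigh` lines, and both MAC addresses are constructed for illustration.

```python
"""Pre/post-change checks for moving VLANs off an FWSM (added example).

1. Simulate the planned `no firewall ...` commands against the 6500's
   `firewall` configuration lines and report which VLANs each line detaches.
2. Scan a Linux host's neighbour table for a default gateway that still
   resolves to the old FWSM MAC rather than the new MSFC SVI.
"""
import re

# Constructed sample of `show running-config | include firewall` on the 6500.
# Slot, group number and VLAN list are illustrative, not from the thread.
RUNNING_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 10,20,297-299
"""

# The two `firewall` lines from the script posted in the thread, in order.
PLANNED_COMMANDS = [
    "no firewall vlan-group 1 297-299",
    "no firewall module 3 vlan-group 1",
]

# Constructed sample of `ip neigh show` on a host in vlan 297 after cutover.
HOST_NEIGH = """\
10.29.7.1 dev eth0 lladdr 00:11:22:33:44:55 STALE
10.29.7.50 dev eth0 lladdr 00:aa:bb:cc:dd:01 REACHABLE
"""
OLD_FWSM_MAC = "0011.2233.4455"   # hypothetical, in Cisco dotted notation


def expand_vlan_list(text):
    """Turn an IOS list such as '10,20,297-299' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_firewall_config(config_text):
    """Return (groups, modules): group -> VLAN set, slot -> set of groups."""
    groups, modules = {}, {}
    for line in config_text.splitlines():
        m = re.match(r"firewall vlan-group (\d+) (\S+)", line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand_vlan_list(m.group(2)))
            continue
        m = re.match(r"firewall module (\d+) vlan-group (\S+)", line)
        if m:
            modules.setdefault(int(m.group(1)), set()).update(expand_vlan_list(m.group(2)))
    return groups, modules


def fwsm_vlans(groups, modules, slot):
    """VLANs currently allocated to the FWSM in `slot` via its vlan-groups."""
    allocated = set()
    for group in modules.get(slot, set()):
        allocated |= groups.get(group, set())
    return allocated


def simulate_removal(config_text, commands, slot):
    """Apply the `no` commands in order; return [(command, VLANs it detaches)]."""
    groups, modules = parse_firewall_config(config_text)
    report = []
    for cmd in commands:
        before = fwsm_vlans(groups, modules, slot)
        m = re.match(r"no firewall vlan-group (\d+) (\S+)", cmd)
        if m:
            groups.get(int(m.group(1)), set()).difference_update(expand_vlan_list(m.group(2)))
        m = re.match(r"no firewall module (\d+) vlan-group (\S+)", cmd)
        if m:
            modules.get(int(m.group(1)), set()).difference_update(expand_vlan_list(m.group(2)))
        after = fwsm_vlans(groups, modules, slot)
        report.append((cmd, sorted(before - after)))
    return report


def normalize_mac(mac):
    """Canonical 12-hex-digit form for Cisco dotted or colon-separated MACs."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return digits


def stale_gateway_entries(neigh_text, gateway_ips, old_mac):
    """Gateway IPs whose neighbour entry still points at the old FWSM MAC."""
    old = normalize_mac(old_mac)
    stale = []
    for line in neigh_text.splitlines():
        m = re.match(r"(\S+) dev \S+ lladdr (\S+)", line)
        if m and m.group(1) in gateway_ips and normalize_mac(m.group(2)) == old:
            stale.append(m.group(1))
    return stale


if __name__ == "__main__":
    for cmd, vlans in simulate_removal(RUNNING_CONFIG, PLANNED_COMMANDS, 3):
        print("%-36s detaches VLANs %s" % (cmd, vlans))
    print("gateways still on FWSM MAC:",
          stale_gateway_entries(HOST_NEIGH, {"10.29.7.1"}, OLD_FWSM_MAC))
```

With the constructed config, the first command detaches only 297-299, while the second detaches the remaining 10 and 20 as well, which is exactly the case to look for before running the script on a chassis where the FWSM is staying. The ARP check normalises both MAC notations so the FWSM's `show interface` output can be compared directly against a host's `ip neigh` output.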

I have some other config changes for routing that I didn't include.

I appreciate the time and feedback.

Great help :)
