FWSM in VSS Conversion

Unanswered Question
Oct 7th, 2009

I'm wondering if anyone can tell me if I'm on track with this. First let me say that I don't know the FWSM at all (I know the ASA, but not this module). I am going to be retiring two old 6500 chassis which contain 2 FWSMs running in active / standby and moving them into two new 6500 chassis running VSS.

I have the new VSS up and am staging the FWSM part of the configuration. I don't have spare modules to install so I am entering the configurations with no corresponding modules (VSS seems to be taking the config okay). Here is what I have configured on the VSS 6509E:

svclc switch 1 module 9 vlan-group 1

svclc switch 2 module 9 vlan-group 1

firewall switch 1 module 9 vlan-group 1

firewall switch 2 module 9 vlan-group 1

firewall vlan-group 1 100,200,300,400

I've created an interface VLAN for the inside interface, VLAN 200. All of this is copied from the current configuration (no changes). I understand from the docs that you should only have a single interface (right?).

So with the configuration above, I think I have this finished. Here are my newbie questions:

- On cutover night, can I just pull the FWSMs and install them into slot 9 on each VSS chassis w/o further configuration?

- Will I lose any of the FWSM configuration when I do this? I'll have backups of the config, but need to know if I should be prepared to apply them right away?

- What else do I not know that might "kill" me on cutover night?



Kureli Sankar Wed, 10/07/2009 - 20:07

Yes, you can certainly do that. You have taken the necessary precautions. Good luck to you.

I hope the new 6k has the vlans created in the vlan database.

When you say only one interface - do you mean only one SVI?

If so, you can have multiple SVIs, but you just have to be very careful with routing on the switch side or traffic might route around the firewall.

jgagznos Thu, 10/08/2009 - 11:32

Thanks for your response. Yes, I have created the VLANs in the database (thanks for checking). And yes, I meant only a single SVI.

So it sounds like I'm all good to go on this. Thanks again for your response!
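The two checks raised in the reply above (firewall VLANs present in the VLAN database, and how many of them carry an SVI) can be run against a staged supervisor config before cutover. The following is an added example, not part of the original thread or any Cisco tooling; the `audit` and `expand` names and the sample config are constructed, and it assumes the usual IOS `vlan <list>` and `interface Vlan<N>` line formats.

```python
import re

# Constructed sample of a staged supervisor config (not taken from the thread).
SAMPLE = """\
vlan 100,200,300
!
firewall switch 1 module 9 vlan-group 1
firewall switch 2 module 9 vlan-group 1
firewall vlan-group 1 100,200,300,400
!
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan300
 ip address 198.51.100.1 255.255.255.0
"""

def expand(spec):
    """Expand an IOS number list such as '100,200-202' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config):
    """Report firewall VLANs missing from the VLAN database or carrying an SVI."""
    groups, assigned, database, svis = {}, set(), set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"firewall vlan-group (\d+) (\S+)$", line):
            groups.setdefault(m[1], set()).update(expand(m[2]))
        elif m := re.match(r"firewall (?:switch \d+ )?module \d+ vlan-group (\S+)$", line):
            assigned |= {str(g) for g in expand(m[1])}
        elif m := re.match(r"vlan (\d[\d,-]*)$", line):
            database |= expand(m[1])
        elif m := re.match(r"interface Vlan(\d+)$", line, re.I):
            svis.add(int(m[1]))
    # Only VLAN groups actually assigned to a firewall module are considered.
    fw_vlans = set().union(*(v for g, v in groups.items() if g in assigned))
    return {"missing_from_vlan_db": sorted(fw_vlans - database),
            "svis_on_firewall_vlans": sorted(fw_vlans & svis)}

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(result)
    if len(result["svis_on_firewall_vlans"]) > 1:
        print("review switch routing: more than one firewall VLAN has an SVI")
```

More than one entry in `svis_on_firewall_vlans` is not an error by itself; it marks the case where switch-side routing needs review so traffic cannot bypass the firewall.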


