Firewall Vlan group

Answered Question
Feb 23rd, 2010

Good evening. I have a Cisco Catalyst 6500 with a Firewall module, which has the following configuration on the switch:


firewall module 4 vlan-group 10,20,30,40,50,60,70,80,90,100,140,190,200,300,310,350
firewall vlan-group 10  10
firewall vlan-group 20  20
firewall vlan-group 30  30
firewall vlan-group 40  40
firewall vlan-group 50  50
firewall vlan-group 60  60
firewall vlan-group 70  70
firewall vlan-group 80  80
firewall vlan-group 90  90
firewall vlan-group 100  100
firewall vlan-group 140  140
firewall vlan-group 190  190
firewall vlan-group 200  200
firewall vlan-group 350  350


When I try to add a new VLAN to be controlled by the firewall, I get the following error message:


No more than 16 groups allowed for a module


This core allows me up to 256 VLANs, but in groups of 16 VLANs. My question is: how can I change this configuration so that I can assign more VLANs to the FWSM? And if I do so, is it guaranteed that no FWSM configuration will be lost when making this change?


I would be very grateful to anyone who can help me with this question.


Good night, and see you later.


Francisco Velasco


Correct Answer
Kureli Sankar (Cisco Employee) Tue, 02/23/2010 - 17:00

firewall module 4 vlan-group 10
firewall vlan-group 10  10,20,30,40,50,60,70,80,90,100,140,190,200,300,310,350


Your configuration will not be lost. But when you make this change it will interrupt traffic.

Make sure to schedule downtime and do the change.


You can remove all the lines that you have and add the two lines above.


-KS
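
The consolidation described in the answer above can be checked offline before the maintenance window. This is an added example, not part of the original thread and not Cisco tooling: it parses the single-chassis `firewall module` / `firewall vlan-group` lines, reports how many of the 16 group slots remain and which assigned group ids have no definition, and emits the two-line form. The sample config, the function names and the extra VLAN 400 are constructed for illustration.

```python
import re

MAX_GROUPS = 16  # per-module limit, from the error message quoted in the thread

# Constructed sample in the thread's one-VLAN-per-group style (not the poster's full config).
SAMPLE = """\
firewall module 4 vlan-group 10,20,30,300
firewall vlan-group 10  10
firewall vlan-group 20  20
firewall vlan-group 30  30,31-33
"""

def expand(spec):
    """Expand a list such as '10,20,31-33' into a sorted list of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ids)

def parse(config):
    """Return ({module: [group ids]}, {group id: [vlan ids]})."""
    modules, groups = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"firewall module (\d+) vlan-group (\S+)", line):
            modules[int(m[1])] = expand(m[2])
        elif m := re.match(r"firewall vlan-group (\d+)\s+(\S+)", line):
            groups.setdefault(int(m[1]), []).extend(expand(m[2]))
    return modules, groups

def audit(config, module):
    """Report remaining group slots and group ids that have no definition."""
    modules, groups = parse(config)
    assigned = modules.get(module, [])
    return {"slots_left": MAX_GROUPS - len(assigned),
            "undefined_groups": [g for g in assigned if g not in groups]}

def consolidate(config, module, group_id, new_vlans=()):
    """Emit the two-line form from the answer: one group holding every VLAN."""
    modules, groups = parse(config)
    vlans = set(new_vlans)
    for g in modules.get(module, []):
        vlans.update(groups.get(g, []))
    vlan_list = ",".join(str(v) for v in sorted(vlans))
    return [f"firewall module {module} vlan-group {group_id}",
            f"firewall vlan-group {group_id}  {vlan_list}"]

if __name__ == "__main__":
    print(audit(SAMPLE, 4))
    print("\n".join(consolidate(SAMPLE, 4, 10, new_vlans=[400])))
```

A group id that appears on the module line without a matching `firewall vlan-group` definition contributes no VLANs to the consolidated list, so review `undefined_groups` before applying the output.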

fvelasco_rojas Wed, 02/24/2010 - 05:34

Hi, Mr. Kusankar.


I appreciate your help with my question. I followed all your instructions and it's working perfectly.


Thanks a lot and I wish you a happy day.


Regards.

Farooq Razzaque Sat, 08/23/2014 - 08:03

Dear Team

We have a core switch in VSS with FWSM running with multiple contexts.

I need to create 5 new DMZs (interfaces) in the FWSM server context.

Currently my config shows like below, which includes three "firewall vlan-group" statements, each with a comma-separated list of vlan numbers:

firewall switch 1 module 4 vlan-group 1,2,3
firewall switch 2 module 4 vlan-group 1,2,3

firewall vlan-group 1  2,3,4
firewall vlan-group 2  5,6,7  (vlans for server context)
firewall vlan-group 3  8,9,10

 

My question is:  when I add the 5 new vlans, do I have to simply issue an additional "firewall vlan-group" statement with the five new vlan numbers, like this?

firewall vlan-group 2 30,40,50,60,70  (I need to add vlans in vlan-group 2)

In other words, will the above command overwrite my existing list of vlans in vlan group 2 if I only add the five new vlans in vlan group 2? I obviously don't want to lose connectivity by erasing all my existing vlans.


Or do I have to issue a new statement that includes ALL of the existing vlans and five new vlans, like this?

firewall vlan-group 2 [all previously existing vlans],30,40,50,60,70 (five new vlans)

I want to know: if I type the above command with the existing vlans and the new vlans, does it cause any issues in the running environment? I ask because I think that with the above command the existing vlans will also be pushed to the FWSM again along with the new vlans, or is this not the case?
