02-23-2010 03:42 PM - edited 03-11-2019 10:14 AM
Good evening. I have a Cisco Catalyst 6500 with a Firewall module, which has the following configuration on the switch:
firewall module 4 vlan-group 10,20,30,40,50,60,70,80,90,100,140,190,200,300,310,350
firewall vlan-group 10 10
firewall vlan-group 20 20
firewall vlan-group 30 30
firewall vlan-group 40 40
firewall vlan-group 50 50
firewall vlan-group 60 60
firewall vlan-group 70 70
firewall vlan-group 80 80
firewall vlan-group 90 90
firewall vlan-group 100 100
firewall vlan-group 140 140
firewall vlan-group 190 190
firewall vlan-group 200 200
firewall vlan-group 350 350
When I try to add a new VLAN to be controlled by the Firewall, I get the following error message:
No more than 16 groups allowed for a module
This core allows me up to 256 VLANs, but in groups of 16 VLANs. The question is: how can I change this configuration so that I can assign more VLANs to the FWSM? And if I do, is it guaranteed that no FWSM configuration will be lost when making this change?
I would be very grateful to anyone who can help me with this question.
Good night and see you later.
Francisco Velasco
E-mail: pachomedellin@gmail.com
02-23-2010 05:00 PM
firewall module 4 vlan-group 10
firewall vlan-group 10 10,20,30,40,50,60,70,80,90,100,140,190,200,300,310,350
Your configuration will not be lost. But when you make this change it will interrupt traffic.
Make sure to schedule downtime and do the change.
You can remove all the lines that you have and add the two lines above.
-KS
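A pre-change check for the consolidation suggested in the answer above, as an added example (not code from the thread or from Cisco): it parses the two `firewall` statement forms shown on this page and compares the VLAN set a module receives before and after the change. The function names, and the assumption that each group number is defined on a single line, belong to this example.

```python
import re

MAX_GROUPS = 16  # per-module limit, taken from the error message in the question

MODULE_RE = re.compile(r"^firewall ((?:switch \d+ )?module \d+) vlan-group (\S+)")
GROUP_RE = re.compile(r"^firewall vlan-group (\d+) (\S+)")

def expand(spec):
    """Expand a list such as '10,20,30-32' into a set of integers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config):
    """Per module: assigned groups, groups with no definition, resulting VLANs.
    Assumption: each group number is defined on one line, as in the thread."""
    groups, modules = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_RE.match(line):
            groups[int(m[1])] = expand(m[2])
        elif m := MODULE_RE.match(line):
            modules[m[1]] = expand(m[2])
    report = {}
    for name, assigned in modules.items():
        defined = assigned & set(groups)
        report[name] = {
            "groups": assigned,
            "over_limit": len(assigned) > MAX_GROUPS,
            "undefined": assigned - set(groups),
            "vlans": set().union(*(groups[g] for g in defined)),
        }
    return report

def vlan_diff(before, after, module):
    """VLANs the module would lose or gain when moving from before to after."""
    old, new = audit(before)[module]["vlans"], audit(after)[module]["vlans"]
    return {"removed": old - new, "added": new - old}

# Configuration as posted in the question (14 single-VLAN groups are defined).
BEFORE = ("firewall module 4 vlan-group "
          "10,20,30,40,50,60,70,80,90,100,140,190,200,300,310,350\n"
          + "\n".join(f"firewall vlan-group {v} {v}" for v in
                      (10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 140, 190, 200, 350)))
# The two replacement lines from the accepted answer.
AFTER = ("firewall module 4 vlan-group 10\n"
         "firewall vlan-group 10 10,20,30,40,50,60,70,80,90,100,140,190,200,300,310,350")

if __name__ == "__main__":
    print(audit(BEFORE)["module 4"]["undefined"])
    print(vlan_diff(BEFORE, AFTER, "module 4"))
```

Run against the configuration as posted, it shows that groups 300 and 310 are assigned to module 4 without a matching `firewall vlan-group` line, so the consolidated line adds VLANs 300 and 310 relative to what the posted lines define and removes none.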
02-24-2010 05:34 AM
Hi, Mr. Kusankar.
I appreciate your help with my question. I followed all your instructions and it's working perfectly.
Thanks a lot and I wish you a happy day.
Regards.
02-24-2010 05:38 AM
Glad to hear and thanks for rating.
-KS
08-23-2014 08:03 AM
Dear Team
We have a core switch in VSS with FWSM running with multiple contexts.
I need to create 5 new DMZs (interfaces) in the FWSM server context.
Currently my config shows like below, which includes three "firewall vlan-group" statements, each with a comma-separated list of vlan numbers:
firewall switch 1 module 4 vlan-group 1,2,3
firewall switch 2 module 4 vlan-group 1,2,3
firewall vlan-group 1 2,3,4
firewall vlan-group 2 5,6,7 (vlans for server context)
firewall vlan-group 3 8,9,10
My question is: when I add the 5 new vlans, do I have to simply issue an additional "firewall vlan-group" statement with the five new vlan numbers, like this?
firewall vlan-group 2 30,40,50,60,70 (I need to add vlans in vlan-group 2)
In other words, will the above command overwrite my existing list of VLANs in vlan-group 2 if I only add the five new VLANs in vlan-group 2? I obviously don't want to lose connectivity by erasing all my existing VLANs.
Or do I have to issue a new statement that includes ALL of the existing vlans and five new vlans, like this?
firewall vlan-group 2 [all previously existing vlans],30,40,50,60,70 (five new vlans)
I want to know: if I type the above command with the existing VLANs and the new VLANs, does it cause any issues to the running environment? Because I think with the above command the existing VLANs will also be pushed along with the new VLANs to the FWSM again, or is this not the case?