How to add new Vlan-Group in FWSM

Unanswered Question
Mar 25th, 2010

Hi, I have one 6509 series switch having firewall module on slot-4. I have already configured few vlan group in that.

Now I have to create new vlan-group 4 ( vlan 130 & 140). How can I tag that in "firewall switch 1 module 4 ???" command.

I am scared if it will replace vlan-group 1,2,3 as all are in the production. Please help

firewall switch 1 module 4 vlan-group 1,2,3

firewall vlan-group 1  30
firewall vlan-group 2  96,127
firewall vlan-group 3  990,991

Ganesh Hariharan Fri, 03/26/2010 - 00:06

Hi Rupesh,

Just check the following consideration while adding a vlan to a vlan group: you cannot assign the same VLAN to multiple firewall groups; however, you can assign multiple firewall groups to an FWSM. Check out the below link on step by step configuration of assigning vlans to a vlan group.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/switch.html

Hope to Help !!

Remember to rate the helpful post

Ganesh.H


Rupesh Kashyap Fri, 03/26/2010 - 00:11

Hi, you are not getting my question.

I am not adding any duplicate vlans. I have created vlan-group 4 having new vlans. My only concern is, how can I add that in the pre-existing line:

firewall switch 1 module 4 vlan-group 1,2,3

You can see 1,2,3 are already in production. How can I add 4, I do not want to touch currently used conf.

Ganesh Hariharan Fri, 03/26/2010 - 00:19

If you have seen the link you should not have asked this question, and I also know you are not adding a duplicate vlan; it was just information to help you in future.

Following are the steps to configure a vlan group and assigning it to the firewall module

Step 1 To assign VLANs to a firewall group, enter the following command:

Router(config)# firewall vlan-group firewall_group vlan_range

The vlan_range can be one or more VLANs (1 to 1000 and from 1025 to 4094) identified in one of the following ways:

A single number (n)

A range (n-x)

Separate numbers or ranges by commas. For example, enter the following numbers:

5,7-10,13,45-100

Step 2 To assign the firewall groups to the FWSM, enter the following command:

Router(config)# firewall module module_number vlan-group firewall_group

The firewall_group is one or more group numbers:

A single number (n)

A range (n-x)

Separate numbers or ranges by commas. For example, enter the following numbers:

5,7-10

This example shows how you can create three firewall VLAN groups: one for each FWSM, and one that includes VLANs assigned to both FWSMs. See the "Prerequisites" section for more information about adding VLANs to the switch.

Router(config)# vlan 55-57,70-85,100
Router(config-vlan)# exit
Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall vlan-group 52 100
Router(config)# firewall module 5 vlan-group 50,52
Router(config)# firewall module 8 vlan-group 51,52

To view the group configuration, enter the following command:

Router# show firewall vlan-group
Group vlans
----- ------
   50 55-57
   51 70-85
   52 100

Ganesh.H
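As an added example that is not part of the thread and not a Cisco tool, the Python below turns the two-step procedure above into a pre-change check: it parses the `firewall vlan-group` and `firewall [switch n] module n vlan-group` lines in the same range syntax the documentation quotes (`5,7-10,13,45-100`), verifies the one constraint Ganesh raised (a VLAN may belong to only one firewall group, and VLAN IDs must fall in 1-1000 or 1025-4094), and emits the complete command set for a new group. It always rewrites the module line with every group already mapped plus the new one, so nothing in production is dropped from the mapping. The sample configuration and the default switch/module/group numbers are constructed from the values in this thread; the function and variable names are this example's own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# VLAN ID ranges the FWSM documentation quoted in the thread allows for vlan-group.
VALID_VLAN_RANGES = ((1, 1000), (1025, 4094))

# Constructed from the original poster's configuration (not copied from a device).
SAMPLE_CONFIG = """\
firewall switch 1 module 4 vlan-group 1,2,3
firewall vlan-group 1  30
firewall vlan-group 2  96,127
firewall vlan-group 3  990,991
"""

GROUP_RE = re.compile(r"^\s*firewall\s+vlan-group\s+(\d+)\s+(\S+)\s*$")
MODULE_RE = re.compile(
    r"^\s*firewall\s+(?:switch\s+(\d+)\s+)?module\s+(\d+)\s+vlan-group\s+(\S+)\s*$"
)


def parse_range_list(text: str) -> Set[int]:
    """Parse the IOS list syntax '5,7-10,13,45-100' into a set of integers."""
    result: Set[int] = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad range element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {part!r}")
        result.update(range(lo, hi + 1))
    return result


def compress(nums: Set[int]) -> str:
    """Render a set of integers back into 'a,b-c' form (runs become ranges)."""
    ordered = sorted(nums)
    parts: List[str] = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        parts.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(parts)


def parse_config(config: str) -> Tuple[Dict[int, Set[int]], Dict[Tuple[Optional[int], int], Set[int]]]:
    """Return (groups: {group: vlans}, modules: {(switch, module): groups}).

    A group or module that appears on several lines is merged, which models the
    running-config view rather than any claim about additive CLI behaviour."""
    groups: Dict[int, Set[int]] = {}
    modules: Dict[Tuple[Optional[int], int], Set[int]] = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(parse_range_list(m.group(2)))
            continue
        m = MODULE_RE.match(line)
        if m:
            switch = int(m.group(1)) if m.group(1) else None
            key = (switch, int(m.group(2)))
            modules.setdefault(key, set()).update(parse_range_list(m.group(3)))
    return groups, modules


def check_new_group(groups: Dict[int, Set[int]], new_group: int, new_vlans: Set[int]) -> List[str]:
    """List every reason the new group must not be added; an empty list means it is safe."""
    problems: List[str] = []
    if new_group in groups:
        problems.append(f"group {new_group} already exists with VLANs {sorted(groups[new_group])}")
    for v in sorted(new_vlans):
        if not any(lo <= v <= hi for lo, hi in VALID_VLAN_RANGES):
            problems.append(f"VLAN {v} outside allowed ranges 1-1000 / 1025-4094")
        for g, vlans in groups.items():
            if v in vlans:
                problems.append(f"VLAN {v} already assigned to vlan-group {g}")
    return problems


def build_change(config: str, switch: Optional[int], module: int, new_group: int, new_vlan_text: str) -> List[str]:
    """Produce the config lines for the change, keeping every group already mapped to the module."""
    groups, modules = parse_config(config)
    new_vlans = parse_range_list(new_vlan_text)
    problems = check_new_group(groups, new_group, new_vlans)
    if problems:
        raise ValueError("; ".join(problems))
    mapped = modules.get((switch, module), set()) | {new_group}
    sw = f"switch {switch} " if switch is not None else ""
    return [
        f"vlan {compress(new_vlans)}",          # create the VLANs on the switch first
        "exit",
        f"firewall vlan-group {new_group} {compress(new_vlans)}",
        f"firewall {sw}module {module} vlan-group {compress(mapped)}",  # full list, not only the new group
    ]


if __name__ == "__main__":
    for line in build_change(SAMPLE_CONFIG, switch=1, module=4, new_group=4, new_vlan_text="130,140"):
        print(line)
```

Run it against a pasted `show running-config | include firewall` and it refuses to emit anything if a requested VLAN is already in another group or is outside the permitted ID ranges. The module line it prints uses the same list syntax the CLI help string shows (`1,32,80-90`), so a consecutive run such as groups 1,2,3,4 is rendered as `1-4`.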

Rupesh Kashyap Fri, 03/26/2010 - 01:06

Hi Sir,

I am still confused. For a summary, which of the following commands do I have to use to add vlan-group 4 (without disturbing 1,2,3)?

firewall switch 1 module 4 vlan-group 1,2,3  ( Existing)

firewall switch 1 module 4 vlan-group 1,2,3,4 ( Is this recommended)

firewall switch 1 module 4 vlan-group 4  ( Is this recommended)

Ganesh Hariharan Fri, 03/26/2010 - 01:34

Hi ,

I think you got confused between VLAN numbers and VLAN group numbers. If you see your original post, you have said you have 3 vlan groups

firewall vlan-group 1  30
firewall vlan-group 2  96,127
firewall vlan-group 3  990,991

In the above configuration 1,2,3 are firewall vlan groups in which vlans are associated with each group, like with 1 - 30, 2 - 96,127 and with 3 - 990 and 991.

So if you want to add a new vlan and you want to assign it to a new vlan group, here is the configuration.

Create a vlan which you want to add to the newly created group, that is group number 4

Router(config-vlan)# exit
Router(config)# firewall vlan-group 4 55 ---  here you have bound the vlan 55 with new vlan group 4
Router(config)# firewall module 5 vlan-group 4  -- here you are assigning firewall groups to the FWSM
Router(config)# vlan 55 -- you have created vlan 55 and now you want to bind with new vlan group that is 4

Hope to Help !!

Ganesh.H

Rupesh Kashyap Fri, 03/26/2010 - 01:41

I think, u have attached some snap which is not clear.

I am doing two things-

1. adding new vlan with command "firewall vlan-group 4  130,140"  -- I am OK with this.

2. Finally, I have to add this new group in the final line. I am  firewall switch 1 module 4 vlan-group ?? ( I am not seeing any ADD keywords)

Ganesh Hariharan Fri, 03/26/2010 - 02:00

Rupesh,

You are getting confused, let me try to clear your doubts.

In the above post you have created vlans 130 and 140 -- is that ok, by issuing the command in the switch: switch(config)# vlan 130,140

Now you have two new vlans -- 130 and 140

and you already have 3 vlan groups (1,2 and 3) which already have vlans associated with them. --- is this ok.

Now you want to create a new vlan group 4 and bind the new vlan 130 and 140 with vlan group 4 by issuing a command in switch

switch(config)# firewall vlan-group 4 130,140  --- is that ok till now !!

Now you need to bind the vlan group with firewall module which is placed in your switch by issuing a command

switch(config)# firewall module 5 vlan-group 4 

where 5 is the slot number of the FWSM placed in the switch, so you need to check at your switch in which slot the FWSM module is inserted.

I hope your query is cleared.

Hope to help !!

Ganesh.H

Giuseppe Larosa Fri, 03/26/2010 - 04:22

Hello Rupesh,

if there is no add option as we see here:

firewall module 2 vlan-group ?
  WORD  group range (1-65535) ex: 1,32,80-90

your only option is:

firewall switch 1 module 4 vlan-group 1,2,3,4 ( Is this recommended)

with

firewall switch 1 module 4 vlan-group 4

you will remove the existing vlan groups from the mapping and you have only vlan-group 4 associated to the FWSM.

Hope to help

Giuseppe

Jon Marshall Fri, 03/26/2010 - 08:23

giuslar wrote:

Hello Rupesh,

if there is no add option as we see here:

firewall module 2 vlan-group ?
  WORD  group range (1-65535) ex: 1,32,80-90

your only option is:

firewall switch 1 module 4 vlan-group 1,2,3,4 ( Is this recommended)

with

firewall switch 1 module 4 vlan-group 4

you will remove the existing vlan groups from the mapping and you have only vlan-group 4 associated to the FWSM.

Hope to help

Giuseppe

Giuseppe

Do you know this for a fact ?

I ask because the other command for the FWSM on the 6500, i.e. "firewall vlan-group ", also has no add option but I know for sure you can simply do this

existing -  firewall vlan-group 2 10,22,23

to add vlan 26

firewall vlan-group 2 26

and it will not overwrite the existing vlans, i.e. you would end up with -

firewall vlan-group 2 10,22,23,26

Jon

Giuseppe Larosa Fri, 03/26/2010 - 08:28

Hello Jon,

I would not take an additive behaviour for granted, but it may be supported.

I think rewriting the whole command is safer in this case.

Hope to help

Giuseppe

Jon Marshall Fri, 03/26/2010 - 08:39

giuslar wrote:

Hello Jon,

I would not take an additive behaviour for granted, but it may be supported.

I think rewriting the whole command is safer in this case.

Hope to help

Giuseppe

Actually my concern would be the opposite. If there is no add option then it may be dangerous to rewrite the entire command because it may make the FWSM suspend the existing vlan group while it reallocates the vlans whereas simply using the new vlan in the command will not affect the existing vlans.

Jon

Giuseppe Larosa Fri, 03/26/2010 - 11:13

Hello Jon,

You can be right of course.

The logic can be similar to that of old CatOS commands.

I haven't done the test and of course I cannot do it on a production FWSM pair.

However, I remember that when we had a faulty FWSM we used the no form of the whole command

no firewall module 5 vlan-group 50,52

in order to isolate the faulty FWSM.

Then when the replacement has been done we added again the whole command.

For Rupesh the original poster: I would suggest asking for a maintenance window to do the change so that you will be on the safe side.

Hope to help

Giuseppe
