New Member

Adding vlan to a vlan-group, is it an atomic operation?

I'm unable to find any documentation with regards to adding a vlan to vlan-group that has multiple vlans already and whether it would be an atomic operation, i.e. the new vlan is added on, rather than reconfigured with a new list of vlans.

Here is an example:

I have 3 vlans with ids 100, 200, 300. I have one vlan-group 51, where these 3 vlans are assigned. This one vlan-group is already assigned to the FWSM module.

# show firewall vlan-group
Group Created by vlans
----- ---------- -----
51    FWSM       100,200,300

# show firewall module
Module Vlan-groups
------ -----------
09     51

If I were to add another vlan (400) onto vlan-group 51 like so:

(config)# firewall vlan-group 51 100,200,300,400

Would this be an atomic operation?

I'm assuming it is, as it wouldn't make sense to not be an atomic operation on a continuously reconfigured switch. But I just wanted to check and see if there was any documentation stating this fact.

3 REPLIES
Hall of Fame Super Blue

Re: Adding vlan to a vlan-group, is it an atomic operation?

Hi

I believe it is as well, although I haven't seen it stated in the docs.

Rather than type the entire list out again you can just do

(config)# firewall vlan-group 51 400

which does suggest it does get added. Are you concerned that service might temporarily be disrupted on existing vlans?

If so I can check in our lab tomorrow.

HTH

Jon

New Member

Re: Adding vlan to a vlan-group, is it an atomic operation?

Yes, my concern was the interaction on the FWSM and whether it would impact current connection states.

Thank you for supplying the 'added' suggestion. I was always wondering whether that would append on the vlan. That is something that I couldn't find either.

For documentation and the search engines, to remove a vlan from a vlan-group, you can do:

(config)# no firewall vlan-group 300

Hall of Fame Super Blue

Re: Adding vlan to a vlan-group, is it an atomic operation?

Hi

Just a quick follow up.

I thought I'd test this in the lab anyway, so I set off a continuous ping to a server in one of my DMZs and also started up an ssh session.

I then added a new vlan to the switch with the firewall vlan-group x "vlan number" command and there was not a blip. My ssh session was fine and there was no packet loss on the ping.

Just thought you'd like to know.

Jon
