Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
423
Views
5
Helpful
3
Replies

FWSM in VSS Conversion

jgagznos
Level 1
Level 1

‎10-07-2009 12:51 PM - edited ‎03-11-2019 09:24 AM

I'm wondering if anyone can tell me if I'm on track with this. First let me say that I don't know the FWSM at all (I know the ASA, but not this module). I am going to be retiring two old 6500 chassis which contain 2 FWSMs running in active / standby and moving them into two new 6500 chassis running VSS.

I have the new VSS up and am staging the FWSM part of the configuration. I don't have spare modules to install so I am entering the configurations with no corresponding modules (VSS seems to be taking the config okay). Here is what I have configured on the VSS 6509E:

svclc switch 1 module 9 vlan-group 1

svclc switch 2 module 9 vlan-group 1

firewall switch 1 module 9 vlan-group 1

firewall switch 2 module 9 vlan-group 1

firewall vlan-group 1 100,200,300,400

I've created an interface VLANs for the inside interface-VLAN 200. All of this is copied from the current configuration (no changes). I understand from the docs that you should only have a single interface (right?).

So with the configuration above, I think I have this finished. Here are my newbie questions:

- On cutover night, can I just pull the FWSMs and install them into slot 9 on each VSS chassis w/o further configuration?

- Will I lose any of the FWSM configuration when I do this? I'll have backup's of the config, but need to know if I should be prepared to apply them right away?

- What else do I not know that might "kill" me on cutover night?

Thanks,

Joe

Labels:
0 Helpful
3 Replies 3

Kureli Sankar
Cisco Employee
Cisco Employee

‎10-07-2009 08:07 PM

Yes, you can certainly do that. You have taken the necessary precautions. Good luck to you.

I hope the new 6k has the vlans created in the vlan database.

When you say only one interface - do you mean only one SVI?

If so, you can have multiple SVIs but, you just have to be very careful with routing on the switch side or traffic might route around the firewall.

jgagznos
Level 1
Level 1
In response to Kureli Sankar

‎10-08-2009 11:32 AM

Thanks for your response. Yes, I have created the VLANs in the database (thanks for checking). And yes, I meant only a single SVI.

So it sounds like I'm all good to go on this. Thanks again for your response!

Joe

0 Helpful

yongl
Level 1
Level 1

‎10-08-2009 08:14 PM

Hi Joe,

Please ensure that your equipment is running the correct software version.

Minimum software version for:

6500 switch - 12.2(33)SXI

FWSM - 4.0.4

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html#Service_Module_Support

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card