firewall vlan-group command

Probably a stupid question, but how can you remove vlans from an existing firewall vlan-group on a 6500? I had a couple of test contexts set up on fwsm, and have now deleted them. I want to release the vlans back into the wild (without a blip to the production contexts), but I don't see any syntax to do this. Help! (and thanks in advance).


Hi, please post the output of:

show firewall vlan-group

show firewall module

If you have something like:

firewall vlan-group 9 10,20,22,30,32

firewall module 9 vlan-group 9 -----> slot installed with FWSM

and would like to remove/release one (e.g. vlan 20) or more vlans from the firewall group, use:

no firewall vlan-group 9 10,20,22,30,32

firewall vlan-group 9 10,22,30,32


If you have vlan 10,20,22,30 & 32 in fwsm's firewall-vlan 9 (9 is a tag to easily identify which slot fwsm sits in)

To remove, use the 'clear' command. To add, use the 'set' command, e.g. to remove vlan 20 from the fwsm vlan-group:

switch(enable) clear vlan 10,22,30,32 firewall-vlan 9

switch(enable) set vlan 10,22,30,32 firewall-vlan 9



Well, I said initially that it might be a stupid question, and it was ...

I couldn't really use

no firewall vlan-group 9 10,20,22,30,32

firewall vlan-group 9 10,22,30,32

because I was concerned about a (however momentary) "blip" in service to the contexts using the remaining vlans. In retrospect, it should have been obvious to try

no firewall vlan-group 9 20

which works.

Larry Owen