Initially I did created an SVI, but then deleted it and created just the vlan. I tried to add just that to he existing vlan-group 1 and still got the error.

I do not have the "firewall multiple-vlan-interfaces" running. The FWSM is going to be routing all traffic. I am not running multiple contexts either.

Thanks

Among those Vlans under firewall vlan group 1, which one is a layer 3 Vlan (or SVI)?

You plan to have it (FWSM) run in routed without multiple context, so you need to have 1x Layer 3 Vlan to act like a backbone or bridge Vlan connecting the router and FWSM.

I believed in your FWSM, you already defined a Vlan (or Vlan x) as outside interface, while other Vlans as inside or DMZs interface/segments.

Example:

Router/Switch ------------------------ FWSM

Vlan x (with IP x.x.x.1/24) x.x.x.2/24

Vlan 501,801,803,852,855,857,873-875,880-882,891 (each assigned as inside or DMZs with IP Addresses)

The above Vlan x will act like a backbone vlan connecting Router/switch and FWSM in routed mode. In your FWSM, the route statement to outside/default will point to x.x.x.1. In router/switch, route to all Vlans behind FWSM wil point to x.x.x.2.

So, in your router/switch, among Vlans you assigned to firewall van group 1, you can only have 1 Vlan with Layer 3 status (meaning assigned with IP on its Vlan interface). Other Vlans should exists as Layer 2 Vlans only (you don't see them as interface Vlan xx if you issue 'sh run', and no IP Address).

Alternatively, you can remove the command "firewall vlan-group 1 501,803,852,855,857,873-875,880-882,891", and re-add it again with Vlan 801, as follow:

firewall vlan-group 1 501,801,803,852,855,857,873-875,880-882,891

This will not delete your FWSM configuration associated with the Vlans.

Rgds,

AK

In the example, Vlan x (layer 3) could be one of the Vlan, say Vlan 501

Router/Switch ---------------------------- FWSM

Vlan 501 (with IP x.x.x.1/24)-------- Outside interface (x.x.x.2/24)

------------------------------------------------- Vlan 801,803,852,855,857,873-875,880-882,891 (each assigned as inside or DMZs with IP Addresses)

In the above example, the above Vlan 501 will act like a backbone vlan connecting Router/switch and FWSM in routed mode. In your FWSM, the route statement to outside/default will point to x.x.x.1. In router/switch, route to all Vlans behind FWSM wil point to x.x.x.2.

Thanks for the feedback.

vlan 501 is teh L3 interface.

If I simply type:

'firewall vlan-group 1 891'

will this delete all other vlans in vlan-group 1 or will it append the vlan to the group?

As suggested, I removed the vlan-group 1 line and went to re-add it. I still got the same message.

Not when I look at the vlan-group 1 I have only 2 of 11 vlan's listed.

I'm very concerned at this point.

I hit the same problem when I need to add 2 new L2-Vlans (on switch) behind FWSMs (on 2 x Cat6513), and works fine till now.

before:

firewall module 12 vlan-group 12

firewall vlan-group 12 61,65,66,100-102 <-

after:

firewall module 12 vlan-group 12

firewall vlan-group 12 61,65,66,100-104 <-

Are you saying you have:

firewall module #x vlan-group 1

firewall vlan-group 1 501,xx

One more thing, can you release/remove your vlan-group 1 that currently associated to the FWSM module #x before re-add new vlan to the group?

Do:

no firewall module #x vlan-group 1

no firewall vlan-group 1 501,803

Then:

firewall vlan-group 1 501,801,803,852,855,857,873-875,880-882,891

firewall module #x vlan-group 1

If I am not wrong, it will append it to the group.

But to be safe, you can always remove and re-add new Vlan to the "firewall vlan-group 1 xx,xx,xx". The setback, it will temporary disconnect communication to all Vlans behind FWSM, but will not affect the config on router/FWSM. To do it fast, copy & paste the command to the router/switch.

Rgds,

AK

Yes, I did the removal quickly and it did interrupt production.

I did infact have to remove all the SVI's except vlan501 and all is well now.

Thanks

Does this solved your attempt to add new Vlan 891 and the missing vlans under firewall vlan group 1?

Rgds,

AK

Hi ... I believe you have to re-type all the VLANS plus the new one that you are trying to add .. you can always use another vlan-group and bind it to the same FWSM ..