08-30-2006 03:49 PM - edited 03-09-2019 04:03 PM
I have an existing 'firewall vlan-group 1' with 11 VLANs associated to it.
I now want to add vlan 891 to that vlan-group 1 so that I can create a new FWSM interface.
Output:
router-with-fwsm(config)#firewall vlan-group 1 501,803,852,855,857,873-875,880-882,891
Found svi for vlan 501
Found svi for vlan 803
Found svi for vlan 852
Found svi for vlan 855
Found svi for vlan 857
Found svi for vlan 873
Found svi for vlan 874
Found svi for vlan 875
Found svi for vlan 880
Found svi for vlan 881
Found svi for vlan 882
No more than one svi is allowed. Command rejected.
What am I doing wrong?
08-30-2006 05:15 PM
Hi,
The error is associated with addition of another L3 Vlan@SVI, or detection of more than 1xL3 Vlan that is trying to be added into FWSM vlan group.
BTW, do you have "firewall multiple-vlan-interfaces" running on your switch/router end?
Cheers!
AK
08-30-2006 07:15 PM
Initially I did create an SVI, but then deleted it and created just the vlan. I tried to add just that to the existing vlan-group 1 and still got the error.
I do not have the "firewall multiple-vlan-interfaces" running. The FWSM is going to be routing all traffic. I am not running multiple contexts either.
Thanks
08-30-2006 06:55 PM
Sean,
Please refer the below URL for the issue that you are running into.
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml#q7
Regards,
Arul
08-31-2006 01:55 AM
Among those Vlans under firewall vlan group 1, which one is a layer 3 Vlan (or SVI)?
You plan to have it (FWSM) run in routed mode without multiple contexts, so you need to have 1x Layer 3 Vlan to act like a backbone or bridge Vlan connecting the router and FWSM.
I believe in your FWSM you already defined a Vlan (or Vlan x) as the outside interface, while the other Vlans act as inside or DMZ interfaces/segments.
Example:
Router/Switch ------------------------ FWSM
Vlan x (with IP x.x.x.1/24) x.x.x.2/24
Vlan 501,801,803,852,855,857,873-875,880-882,891 (each assigned as inside or DMZs with IP Addresses)
The above Vlan x will act like a backbone vlan connecting Router/switch and FWSM in routed mode. In your FWSM, the route statement to outside/default will point to x.x.x.1. In router/switch, the route to all Vlans behind FWSM will point to x.x.x.2.
So, in your router/switch, among the Vlans you assigned to firewall vlan group 1, you can only have 1 Vlan with Layer 3 status (meaning assigned with an IP on its Vlan interface). Other Vlans should exist as Layer 2 Vlans only (you don't see them as interface Vlan xx if you issue 'sh run', and no IP Address).
Alternatively, you can remove the command "firewall vlan-group 1 501,803,852,855,857,873-875,880-882,891", and re-add it again with Vlan 801, as follows:
firewall vlan-group 1 501,801,803,852,855,857,873-875,880-882,891
This will not delete your FWSM configuration associated with the Vlans.
Rgds,
AK
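The rule AK describes (one Layer 3 Vlan per firewall vlan-group unless "firewall multiple-vlan-interfaces" is configured) as an added pre-check script; this is not code from the thread or from Cisco. It parses the "firewall vlan-group" and "interface Vlan" lines of a saved running-config and reports any group that would be rejected with "No more than one svi is allowed". The config text is constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample (not the poster's real config): the group lists 11 VLANs,
# three of which have an SVI, so the switch would reject the command.
SAMPLE_CONFIG = """\
interface Vlan501
 ip address 10.1.1.1 255.255.255.0
interface Vlan803
 ip address 10.1.3.1 255.255.255.0
interface Vlan891
 no ip address
firewall vlan-group 1 501,803,852,855,857,873-875,880-882,891
firewall module 9 vlan-group 1
"""

def expand_vlan_list(spec: str) -> List[int]:
    """Expand IOS VLAN list syntax, e.g. '501,873-875' -> [501, 873, 874, 875]."""
    vlans: Set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)

def parse_config(text: str) -> Tuple[Dict[int, List[int]], Set[int], bool]:
    """Return (vlan groups, VLANs that have an SVI, multiple-vlan-interfaces set)."""
    groups: Dict[int, List[int]] = {}
    svis: Set[int] = set()
    multi_ok = False
    for line in text.splitlines():
        m = re.match(r"firewall vlan-group (\d+) (\S+)", line)
        if m:
            groups[int(m.group(1))] = expand_vlan_list(m.group(2))
            continue
        m = re.match(r"interface Vlan(\d+)", line)
        if m:  # any 'interface VlanN' is what the switch reports as "Found svi"
            svis.add(int(m.group(1)))
        elif line.strip() == "firewall multiple-vlan-interfaces":
            multi_ok = True
    return groups, svis, multi_ok

def check_vlan_groups(text: str) -> Dict[int, List[int]]:
    """Map each vlan-group that would be rejected to the SVI VLANs inside it.
    With 'firewall multiple-vlan-interfaces' the one-SVI limit does not apply."""
    groups, svis, multi_ok = parse_config(text)
    if multi_ok:
        return {}
    bad: Dict[int, List[int]] = {}
    for gid, vlans in groups.items():
        l3 = [v for v in vlans if v in svis]
        if len(l3) > 1:
            bad[gid] = l3
    return bad

if __name__ == "__main__":
    for gid, l3 in check_vlan_groups(SAMPLE_CONFIG).items():
        print(f"vlan-group {gid}: {len(l3)} SVIs {l3}; only one is allowed")
```

Run it against "show running-config" output before changing the group; an empty result means the command should be accepted.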
08-31-2006 01:58 AM
In the example, Vlan x (layer 3) could be one of the Vlan, say Vlan 501
Router/Switch ---------------------------- FWSM
Vlan 501 (with IP x.x.x.1/24)-------- Outside interface (x.x.x.2/24)
------------------------------------------------- Vlan 801,803,852,855,857,873-875,880-882,891 (each assigned as inside or DMZs with IP Addresses)
In the above example, Vlan 501 will act like a backbone vlan connecting Router/switch and FWSM in routed mode. In your FWSM, the route statement to outside/default will point to x.x.x.1. In router/switch, the route to all Vlans behind FWSM will point to x.x.x.2.
08-31-2006 08:04 AM
Thanks for the feedback.
vlan 501 is the L3 interface.
If I simply type:
'firewall vlan-group 1 891'
will this delete all other vlans in vlan-group 1 or will it append the vlan to the group?
08-31-2006 10:19 AM
As suggested, I removed the vlan-group 1 line and went to re-add it. I still got the same message.
Now when I look at the vlan-group 1 I have only 2 of 11 VLANs listed.
I'm very concerned at this point.
08-31-2006 10:48 AM
I hit the same problem when I needed to add 2 new L2-Vlans (on switch) behind FWSMs (on 2 x Cat6513), and it works fine till now.
before:
firewall module 12 vlan-group 12
firewall vlan-group 12 61,65,66,100-102 <-
after:
firewall module 12 vlan-group 12
firewall vlan-group 12 61,65,66,100-104 <-
Are you saying you have:
firewall module #x vlan-group 1
firewall vlan-group 1 501,xx
One more thing, can you release/remove your vlan-group 1 that is currently associated to the FWSM module #x before re-adding the new vlan to the group?
Do:
no firewall module #x vlan-group 1
no firewall vlan-group 1 501,803
Then:
firewall vlan-group 1 501,801,803,852,855,857,873-875,880-882,891
firewall module #x vlan-group 1
08-31-2006 10:29 AM
If I am not wrong, it will append it to the group.
But to be safe, you can always remove and re-add the new Vlan to the "firewall vlan-group 1 xx,xx,xx". The setback is that it will temporarily disconnect communication to all Vlans behind FWSM, but will not affect the config on router/FWSM. To do it fast, copy & paste the commands to the router/switch.
Rgds,
AK
08-31-2006 12:33 PM
Yes, I did the removal quickly and it did interrupt production.
I did in fact have to remove all the SVIs except vlan501 and all is well now.
Thanks
08-31-2006 05:49 PM
Did this solve your attempt to add new Vlan 891 and the missing vlans under firewall vlan group 1?
Rgds,
AK
08-31-2006 07:55 PM
Hi ... I believe you have to re-type all the VLANS plus the new one that you are trying to add .. you can always use another vlan-group and bind it to the same FWSM ..