You need to re-configure the switch where the new RMA-ed blade resides with all necessary configuration, i.e. the firewall VLAN group, which VLANs need to sit behind the FWSM, and so on. This is more or less similar to the current switch-FWSM config.
On the new blade, you need to change/use different VLAN interface names (under nameif, reserve the same VLAN IDs but use different names). Configure the other parameters, including the failover LAN interface and VLAN, similar to the current/production module. Set the blade as the secondary failover unit.
You need to have 2 sessions to both FWSMs before activating the new blade as the active FWSM.
When the new FWSM module is ready and the switch has been configured accordingly, go to the production FWSM and disable its role as primary FWSM (use "no failover active"). At the same time, go to the session on the new FWSM and immediately set this blade as the new/active firewall (use "failover active"). This process helps to minimize downtime during the upgrade and allows you to put the new blade in production.
- Define a separate VLAN as a firewall VLAN (remove the old firewall VLAN definitions) on the switch with the replacement FWSM.
- Plug a PC into the Catalyst 6000 and assign the switch port to the same VLAN that you just defined.
- Session to the FWSM and enable an interface.
- Use the PC as a TFTP server to download the software. Ensure that you use the same version of code as the current Active device.
- Configure basic failover settings on the FWSM and restore the old firewall VLANs and the failover interface (remove the interface configured for TFTP). At this time, configuration replication occurs and the FWSM becomes the backup.
Yes, basically you can do that after the new blade is running fine and has taken over the firewall operation.
Session into the old blade from the switch CLI/console. Make sure the TFTP PC/server is connected to a switchport that belongs to a VLAN defined as inside/dmz in the FWSM. Basically do the same thing as when you defined which VLANs will sit behind the FWSM.
The VLAN can be a temp VLAN that is used purposely for the image upgrade only.
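The standby-unit setup and cutover described in the first reply, written out as a configuration sketch. This is an added example, not part of the original thread: the module slot (4), VLAN group number (1), VLAN IDs (10, 20, 50), the interface name `folink` and the 192.0.2.x addresses are constructed placeholders, and FWSM 3.x or later command syntax is assumed.

```cisco
! === Catalyst 6500 hosting the replacement FWSM (global config mode) ===
! VLANs 10 and 20 stand in for the production firewall VLANs,
! VLAN 50 for the dedicated failover VLAN.
vlan 10,20,50
firewall vlan-group 1 10,20,50
firewall module 4 vlan-group 1

! Exec mode: confirm the group is bound to the right slot, then open
! a session to the module.
show firewall vlan-group
show firewall module
session slot 4 processor 1

! === Replacement FWSM (global config mode) ===
! The failover interface and IP pair must match what the production
! unit already uses; only the unit role differs.
failover lan unit secondary
failover lan interface folink vlan 50
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover

! Exec mode: wait until this unit reports Standby Ready and the
! configuration has replicated before attempting the cutover.
show failover

! === Cutover, with one session open to each module ===
! On the production FWSM:
no failover active
! On the replacement FWSM, immediately afterwards:
failover active

! On both units: confirm the roles have swapped.
show failover
```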