https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/777432#M1005096 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Just a quick follow up. </P><P></P><P>I thought i'd test this in the lab anyway so i set off a continuous ping to a server in one of my DMZ's and also started up an ssh session. </P><P></P><P>I then added a new vlan to the switch with the firewall vlan-group x "vlan number" command and there was not a blip. My ssh session was fine and there was no packet loss on the ping. </P><P></P><P>Just thought you'd like to now</P><P></P><P>Jon</P></BODY></HTML> Wed, 09 May 2007 10:58:05 GMT Jon Marshall 2007-05-09T10:58:05Z https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/777429#M1005089 <P>I'm unable to find any documentation with regards to adding a vlan to vlan-group that has multiple vlans already and whether it would be an atomic operation, i.e. the new vlan is added on, rather than reconfigured with a new list of vlans.</P><P></P><P>Here is an example:</P><P></P><P>I have 3 vlans with ids 100, 200, 300. I have one vlan-group 51, where these 3 vlans are assigned. This one vlan-group is already assigned to the FWSM module.</P><P></P><P># show firewall vlan-group</P><P>Group Created by vlans</P><P>----- ---------- -----</P><P> 51 FWSM 100,200,300</P><P></P><P># show firewall module</P><P>Module Vlan-groups</P><P>------ -----------</P><P> 09 51</P><P></P><P>If I were to add another vlan (400) onto vlan-group 51 like so:</P><P></P><P>(config)# firewall vlan-group 51 100,200,300,400</P><P></P><P>Would this be an atomic operation?</P><P></P><P>I'm assuming it is, as it wouldn't make sense to not be an atomic operation on a continuously reconfigured switch. But I just wanted to check and see if there was any documentation stating this fact.</P> Mon, 11 Mar 2019 10:10:53 GMT https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/777429#M1005089 netops 2019-03-11T10:10:53Z https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/777430#M1005092 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>I believe it is as well although i haven't seen it stated in the docs. </P><P></P><P>Rather than type the entire list out again you can just do</P><P></P><P>(config)# firewall vlan-group 51 400 </P><P></P><P>which does suggest it does get added. Are you concerned that service might temporarily be disrupted on existing vlans ? </P><P></P><P>If so i can check in our lab tomorrow. </P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Tue, 08 May 2007 17:13:00 GMT https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/777430#M1005092 Jon Marshall 2007-05-08T17:13:00Z https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/777431#M1005094 <HTML><HEAD></HEAD><BODY><P>Yes, my concern was the interaction on the FWSM and whether it would impact current connection states.</P><P></P><P>Thank you for supplying the 'added' suggestion. I was always wondering whether that would append on the vlan. That is something that I couldn't find ether.</P><P></P><P>For documentation and the search engines, to remove a vlan from a vlan-group, you can do:</P><P></P><P>(config)# no firewall vlan-group 300</P></BODY></HTML> Tue, 08 May 2007 17:38:18 GMT https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/777431#M1005094 netops 2007-05-08T17:38:18Z https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/777432#M1005096 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Just a quick follow up. </P><P></P><P>I thought i'd test this in the lab anyway so i set off a continuous ping to a server in one of my DMZ's and also started up an ssh session. </P><P></P><P>I then added a new vlan to the switch with the firewall vlan-group x "vlan number" command and there was not a blip. My ssh session was fine and there was no packet loss on the ping. </P><P></P><P>Just thought you'd like to now</P><P></P><P>Jon</P></BODY></HTML> Wed, 09 May 2007 10:58:05 GMT https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/777432#M1005096 Jon Marshall 2007-05-09T10:58:05Z https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/4089812#M1070398 Thanks for the information.<BR />Weird thing I still need this information in 2020 <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thu, 21 May 2020 07:23:49 GMT https://community.cisco.com/t5/network-security/adding-vlan-to-a-vlan-group-is-it-an-atomic-operation/m-p/4089812#M1070398 cristian.badica 2020-05-21T07:23:49Z