https://community.cisco.com/t5/network-security/fwsm-initial-config/m-p/2703181#M193928 <P>Hi.&nbsp;</P><P>I haven't worked too much with FWSM modules, so I have a few easy questions:</P><P>1)&nbsp;What's the vlan-group? Which vlans should I include on this group? Every single vlan that will be crossing the FW?</P><P>2) Do I have to configure vlan group and a SVI before being able to session into the Firewall? Can I run "session slot X processor 1" without configuring anything on the 6500 before?</P><P>3) What could be the main reasons why I could get a timeout when trying to session into the FW?</P><P>Thanks!!</P> Tue, 12 Mar 2019 06:14:52 GMT Soporteco 2019-03-12T06:14:52Z https://community.cisco.com/t5/network-security/fwsm-initial-config/m-p/2703181#M193928 <P>Hi.&nbsp;</P><P>I haven't worked too much with FWSM modules, so I have a few easy questions:</P><P>1)&nbsp;What's the vlan-group? Which vlans should I include on this group? Every single vlan that will be crossing the FW?</P><P>2) Do I have to configure vlan group and a SVI before being able to session into the Firewall? Can I run "session slot X processor 1" without configuring anything on the 6500 before?</P><P>3) What could be the main reasons why I could get a timeout when trying to session into the FW?</P><P>Thanks!!</P> Tue, 12 Mar 2019 06:14:52 GMT https://community.cisco.com/t5/network-security/fwsm-initial-config/m-p/2703181#M193928 Soporteco 2019-03-12T06:14:52Z https://community.cisco.com/t5/network-security/fwsm-initial-config/m-p/2703182#M193929 <P><EM><STRONG>1)&nbsp;What's the vlan-group? Which vlans should I include on this group? Every single vlan that will be crossing the FW?</STRONG></EM></P><P>The vlan-group command is used to group VLANs together and then reference that group when assigning VLANs to the FWSM module.&nbsp; The VLANs you have in this group is really up to you.&nbsp; The number of VLANs that you assign to the FWSM is up to you, but this is a very broad question as it goes into network design and then this will depend on your requirements.&nbsp; Because of this I am going keep my suggestion short.&nbsp; Configre VRFs on the 6500 to seperate the different security levels.&nbsp; Networks that should be able to communicate with eachother freely should be placed in the same VRF.&nbsp; Networks that should have restricted access between eachother should be placed in different VRFs.&nbsp; Try to keep the number of VRFs to a minimum for ease of managment.&nbsp; The ASA should have a VLAN interface for each VRF.&nbsp; Set a default route on the 6500 for each VRF to point to their respective ASA IP.&nbsp; <U><STRONG>**This is just a suggestion and should be implemented at your own risk**</STRONG></U></P><P><STRONG><EM>2) Do I have to configure vlan group and a SVI before being able to session into the Firewall? Can I run "session slot X processor 1" without configuring anything on the 6500 before?</EM></STRONG></P><P>Yes, you need to assign VLANs to the FWSM so that the switch is able to communicate with the firewall.</P><P><EM><STRONG>3) What could be the main reasons why I could get a timeout when trying to session into the FW?</STRONG></EM></P><P>See answer from question #2</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Sat, 11 Jul 2015 18:43:26 GMT https://community.cisco.com/t5/network-security/fwsm-initial-config/m-p/2703182#M193929 Marius Gunnerud 2015-07-11T18:43:26Z