04-24-2007 08:21 AM
switch config --------------------------------
svclc multiple-vlan-interfaces
svclc module 2 vlan-group 11
svclc vlan-group 11 101
firewall module 7 vlan-group 11
!
redundant switches, both have FWSM, only one has ACE (bridge mode)
The above switch config seems to work. However, an attempt to explicitly configure the FWSM with VLAN 101 duplicated in its group 11 was not successful.
I'm trying to introduce the second ACE into the second chassis and seem to run into problems.
Has anyone experienced a similar problem, or am I not on the right track at all, in this bridge mode?
(Note: With a PIX used outside of the chassis I do not experience this.)
04-25-2007 10:57 AM
Hi,
It is valid configuration.
You define an svclc OR a firewall vlan-group (you don't need both if the FWSM and the ACE use the same VLAN), and the same group can be joined to both the ACE and the FWSM. You do not need a separate firewall vlan-group with the same VLAN 101; it is valid to use svclc vlan-group 11.
If you need to allocate additional VLANs to use on the FWSM, define an additional firewall vlan-group and join it only with the FWSM:
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall module 7 vlan-group 11,51
I did not understand what you are trying to accomplish with the second ACE, or exactly what kind of problems you ran into.
Regards,
Jasmina
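The allocation described in the answer above, written out for the two-chassis setup in the question. This is an added example, not configuration taken from the posts. Assumptions: ACE in slot 2 and FWSM in slot 7 (as in the question), VLAN 101 as the shared bridge-mode VLAN, VLANs 70-85 as FWSM-only VLANs (the range used in the answer), and VLAN 200 as an ACE-only fault-tolerance (FT) VLAN; the FT VLAN and its number are an assumption added to show the same group technique applied in the ACE-only direction.

```cisco
! Supervisor configuration, applied identically on both chassis
! (chassis B holds the second ACE in the same slot).
! Assumed slots: ACE module in slot 2, FWSM in slot 7.
svclc multiple-vlan-interfaces
!
! Group 11: the VLAN both modules must see (bridge-mode VLAN 101).
! It is defined once, as an svclc group, and the same group is joined
! to both modules below. VLAN 101 is NOT repeated in a firewall vlan-group;
! trying to do so is the duplication the question ran into.
svclc vlan-group 11 101
!
! Group 51: FWSM-only VLANs (range from the answer). Joined only to the
! firewall module, so the ACE never receives an interface on them.
firewall vlan-group 51 70-85
!
! Group 61: ACE-only VLAN. Assumed to be the FT VLAN 200 between the two
! ACEs; it is joined only to the ACE and must also be carried on the trunk
! between the two chassis.
svclc vlan-group 61 200
!
! Join the groups: 11 to both modules, 51 to the FWSM only, 61 to the ACE only.
svclc module 2 vlan-group 11,61
firewall module 7 vlan-group 11,51
```

Confirm what each module actually received with `show svclc module 2 vlan-group` and `show firewall module 7 vlan-group` (and `show svclc vlan-group` / `show firewall vlan-group` for the group definitions). The point of keeping separate groups is that membership in a group, not repetition of a VLAN number, decides which module gets an interface on a VLAN: VLANs that only the firewall should terminate stay in a firewall-only group so the ACE cannot see them, and vice versa.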
04-26-2007 03:04 AM
Thank you for confirming that defining a VLAN in one location/group will make it valid for another location with the same group without explicitly defining it.
The problem I ran into was that, with overconfidence, I left the default auto-sync running and startup configs on the supposed-to-be primary ACE, opened the FT VLANs, and then the second connection to the FWSM.
The config syncs happened in the opposite direction, probably caused by an attempt to include the VLAN also into the FWSM group, or something else happened.
Thanks anyway, I'll be confident about my assumptions on allocating the same VLAN in two different locations but the same groups.
SS