TCC_2

Core issue

An attempt to configure multiple switched virtual interfaces (SVIs) produces a command-line interface (CLI) error message, as shown in this example:

Forcing SVI 7 to stay shutdown (SVI 551 tied to line card in slot 1.)

For security reasons, by default, only one SVI can exist between the Multilayer Switch Feature Card (MSFC) and the Firewall Service Module (FWSM). For example, if you misconfigure the system with multiple SVIs, you can accidentally allow traffic to pass around the FWSM if you assign both the inside and outside VLANs to the MSFC.

Note: In order to prevent traffic from bypassing the firewall, policy-routing can be required when you enable support for multiple VLAN interfaces on the switch.

Resolution

In order to enable support for multiple SVIs on your switch, use one of these commands.

For Cisco IOS, in order to allow you to add more than one SVI to the FWSM, use the firewall multiple-vlan-interfaces command in global configuration mode.

Similarly, in CatOS, issue the set firewall multiple-vlan-interfaces enable command.

Also, if you receive an error message that indicates that you have more than one SVI while you configure your switch for the FWSM VLANs, look at your switch and/or MSFC configuration in order to ensure that only one Layer 3 interface or VLAN interface exists as part of the firewall VLANs.

Refer to the Adding Switched Virtual Interfaces to the MSFC section of Configuring the Switch for the Firewall Services Module for more information.
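
The configuration check described above, as an added example that is not part of the original article or any Cisco tooling: a Python script that reads a saved IOS running-config and reports which SVIs sit on firewall VLANs and whether the single-SVI default applies. It assumes the firewall VLANs are defined with the IOS firewall vlan-group and firewall module ... vlan-group commands, which this page does not show; the sample configuration and the function names are constructed.

```python
import re

# Constructed sample IOS running-config (not from the original page). The VLAN
# and slot numbers mirror the error message above; VLAN 20 is not a firewall VLAN.
SAMPLE_CONFIG = """\
firewall vlan-group 1 7,551
firewall module 1 vlan-group 1
!
interface Vlan7
 ip address 10.0.7.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan551
 ip address 10.0.55.1 255.255.255.0
"""

def expand_ids(spec):
    """Expand an IOS list such as '7,55-57,551' into a set of integers."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_firewall_svis(config):
    """Return (SVIs that sit on firewall VLANs, status) for one running-config."""
    groups = {}
    for gid, vlans in re.findall(r"^firewall vlan-group (\d+) (\S+)", config, re.M):
        groups.setdefault(int(gid), set()).update(expand_ids(vlans))
    # Only VLAN groups actually assigned to a firewall module count.
    firewall_vlans = set()
    for spec in re.findall(r"^firewall module \d+ vlan-group (\S+)", config, re.M):
        for gid in expand_ids(spec):
            firewall_vlans |= groups.get(gid, set())
    svis = {int(v) for v in re.findall(r"^interface Vlan(\d+)", config, re.M | re.I)}
    on_firewall = sorted(svis & firewall_vlans)
    multiple = bool(re.search(r"^firewall multiple-vlan-interfaces\s*$", config, re.M))
    if len(on_firewall) <= 1:
        status = "ok"                 # default single-SVI rule is satisfied
    elif multiple:
        status = "bypass-risk"        # allowed; confirm routing cannot skirt the FWSM
    else:
        status = "blocked"            # switch forces the extra SVIs to stay shutdown
    return on_firewall, status

if __name__ == "__main__":
    print(audit_firewall_svis(SAMPLE_CONFIG))
```

A "bypass-risk" result means multiple SVIs are permitted on firewall VLANs, so the routing design (for example policy-routing, as in the note above) needs review to confirm traffic still passes through the FWSM.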
