03-25-2010 11:19 PM - edited 03-04-2019 07:56 AM
Hi, I have one 6509 series switch having firewall module on slot-4. I have already configured few vlan group in that.
Now I have to create new vlan-group 4 ( vlan 130 & 140). How can I tag that in the "firewall switch 1 module 4 ???" command?
I am scared if it will replace vlan-group 1,2,3 as all are in the production. Please help
firewall switch 1 module 4 vlan-group 1,2,3
firewall vlan-group 1 30
firewall vlan-group 2 96,127
firewall vlan-group 3 990,991
03-26-2010 12:06 AM
Hi Rupesh,
Just check the following consideration while adding a VLAN to a VLAN group: you cannot assign the same VLAN to multiple firewall groups; however, you can assign multiple firewall groups to an FWSM. Check out the link below for step-by-step configuration of assigning VLANs to a VLAN group.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/switch.html
Hope to Help !!
Remember to rate the helpful post
Ganesh.H
03-26-2010 12:11 AM
Hi, you are not getting my question.
I am not adding any duplicate vlans. I have created vlan-group 4 having new vlans. My only concern is, how can I add that in the pre-existing line "firewall switch 1 module 4 vlan-group 1,2,3".
You can see 1,2,3 are already in production. How can I add 4, I do not want to touch currently used conf.
03-26-2010 12:19 AM
If you had seen the link you would not have asked this question, and I also know you are not adding a duplicate VLAN; that was just information to help you in future.
Following are the steps to configure a VLAN group and assign it to the firewall module.
Step 1 To assign VLANs to a firewall group, enter the following command:
Router(config)# firewall vlan-group firewall_group vlan_range
The vlan_range can be one or more VLANs (1 to 1000 and from 1025 to 4094) identified in one of the following ways:
•A single number (n)
•A range (n-x)
Separate numbers or ranges by commas. For example, enter the following numbers:
5,7-10,13,45-100
Step 2 To assign the firewall groups to the FWSM, enter the following command:
Router(config)# firewall module module_number vlan-group firewall_group
The firewall_group is one or more group numbers:
•A single number (n)
•A range (n-x)
Separate numbers or ranges by commas. For example, enter the following numbers:
5,7-10
This example shows how you can create three firewall VLAN groups: one for each FWSM, and one that includes VLANs assigned to both FWSMs. See the "Prerequisites" section for more information about adding VLANs to the switch.
Router(config)# vlan 55-57,70-85,100
Router(config-vlan)# exit
Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall vlan-group 52 100
Router(config)# firewall module 5 vlan-group 50,52
Router(config)# firewall module 8 vlan-group 51,52
To view the group configuration, enter the following command:
Router# show firewall vlan-group
Group vlans
----- ------
50 55-57
51 70-85
52 100
Ganesh.H
03-26-2010 01:06 AM
Hi Sir,
I am still confused. For a summary, which of the following commands do I have to use to add vlan-group 4 (without disturbing 1,2,3)?
firewall switch 1 module 4 vlan-group 1,2,3 ( Existing)
firewall switch 1 module 4 vlan-group 1,2,3,4 ( Is this recommended)
firewall switch 1 module 4 vlan-group 4 ( Is this recommended)
03-26-2010 01:34 AM
Hi ,
I think you have got confused between VLAN numbers and VLAN group numbers. If you look at your original post you said you have 3 VLAN groups:
firewall vlan-group 1 30
Router(config-vlan)# exit
Router(config)# firewall vlan-group 4 55 --- here you have bound the vlan 55 to the new vlan group 4
Router(config)# firewall module 5 vlan-group 4 -- here you are assigning firewall groups to the FWSM
Router(config)# vlan 55 -- you have created vlan 55 and now you want to bind with new vlan group that is 4
Hope to Help !!
Ganesh.H
03-26-2010 01:41 AM
I think you have attached some snap which is not clear.
I am doing two things-
1. adding new vlan with command "firewall vlan-group 4 130,140" -- I am OK with this.
2. Finally, I have to add this new group in the final line. I am firewall switch 1 module 4 vlan-group ?? ( I am not seeing any ADD keywords)
03-26-2010 02:00 AM
Rupesh,
You are getting confused; let me try to clear your doubts.
In the above post you have created vlans 130 and 140 by issuing the command switch(config)# vlan 130,140 in the switch -- is that ok?
Now you have two new vlans -- 130 and 140
and you already have 3 vlan groups (1, 2 and 3) which already have vlans associated with them. --- is this ok?
Now you want to create a new vlan group 4 and bind the new vlans 130 and 140 to vlan group 4 by issuing the command switch(config)# firewall vlan-group 4 130,140 in the switch --- is that ok till now !!
Now you need to bind the vlan group to the firewall module which is placed in your switch by issuing the command
switch(config)# firewall module 5 vlan-group 4
where 5 is the slot number of the FWSM placed in the switch, so you need to check in your switch which slot the FWSM module is inserted in.
I hope your query is cleared.
Hope to help !!
Ganesh.H
03-26-2010 04:22 AM
Hello Rupesh,
if there is no add option as we see here:
firewall module 2 vlan-group ?
WORD group range (1-65535) ex: 1,32,80-90
your only option is:
firewall switch 1 module 4 vlan-group 1,2,3,4 ( Is this recommended)
with
firewall switch 1 module 4 vlan-group 4
you will remove the existing vlan groups from mapping and you have only vlan-group 4 associated to the FWSM.
Hope to help
Giuseppe
03-26-2010 08:23 AM
giuslar wrote:
Hello Rupesh,
if there is no add option as we see here:
firewall module 2 vlan-group ?
WORD group range (1-65535) ex: 1,32,80-90
your only option is:
firewall switch 1 module 4 vlan-group 1,2,3,4 ( Is this recommended)
with
firewall switch 1 module 4 vlan-group 4
you will remove the existing vlan groups from mapping and you have only vlan-group 4 associated to the FWSM.
Hope to help
Giuseppe
Giuseppe
Do you know this for a fact?
I ask because the other command for the FWSM on the 6500, i.e. "firewall vlan-group
existing - firewall vlan-group 2 10,22,23
to add vlan 26
firewall vlan-group 2 26
and it will not overwrite the existing vlans, i.e. you would end up with -
firewall vlan-group 2 10,22,23,26
Jon
03-26-2010 08:28 AM
Hello Jon,
I would not take an additive behaviour for granted, but it may be supported.
I think rewriting the whole command is safer in this case.
Hope to help
Giuseppe
03-26-2010 08:39 AM
giuslar wrote:
Hello Jon,
I would not take an additive behaviour for granted, but it may be supported.
I think rewriting the whole command is safer in this case.
Hope to help
Giuseppe
Actually my concern would be the opposite. If there is no add option then it may be dangerous to rewrite the entire command because it may make the FWSM suspend the existing vlan group while it reallocates the vlans whereas simply using the new vlan in the command will not affect the existing vlans.
Jon
03-26-2010 11:13 AM
Hello Jon,
You may be right of course.
The logic can be similar to that of old CatOS commands.
I haven't done the test, and of course I cannot do it on a production FWSM pair.
However, I remember that when we had a faulty FWSM we used the no form of the whole command
no firewall module 5 vlan-group 50,52
in order to isolate the faulty FWSM.
Then when the replacement had been done we added the whole command again.
For Rupesh, the original poster: I would suggest asking for a maintenance window to do the change so that you will be on the safe side.
Hope to help
Giuseppe
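The thread settles on two practical rules: a VLAN may belong to only one firewall VLAN group (Ganesh's first reply), and the safest way to add group 4 to the module mapping is to re-issue the whole `firewall switch 1 module 4 vlan-group ...` line with every group listed (Giuseppe's reply). The script below is an added example, not code from the thread or from Cisco; it is an offline pre-change check that parses the relevant lines from a saved copy of the running config (the sample is constructed from the original poster's lines), expands the `5,7-10,13,45-100` style ranges quoted from the FWSM guide, refuses a new group whose VLANs overlap an existing group, and then generates the two commands for the change. The `switch`/`module` numbers, the group number and the function names are assumptions for illustration.

```python
import re

# Constructed sample of the running-config lines from the original post.
SAMPLE_CONFIG = """\
firewall switch 1 module 4 vlan-group 1,2,3
firewall vlan-group 1 30
firewall vlan-group 2 96,127
firewall vlan-group 3 990,991
"""

# Allowed VLAN numbers quoted in the thread: 1 to 1000 and 1025 to 4094.
VALID_VLANS = set(range(1, 1001)) | set(range(1025, 4095))


def expand_range(spec):
    """Expand an IOS list such as '5,7-10,13,45-100' into a set of ints."""
    result = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            result.update(range(lo, hi + 1))
        else:
            result.add(int(part))
    return result


def parse_config(text):
    """Return (groups, modules): group -> VLAN set, (switch, slot) -> group set."""
    groups, modules = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^firewall vlan-group (\d+) (\S+)$", line)
        if m:
            groups[int(m.group(1))] = expand_range(m.group(2))
            continue
        # 'switch N' is optional: the VSS-style form the original poster uses.
        m = re.match(r"^firewall (?:switch (\d+) )?module (\d+) vlan-group (\S+)$", line)
        if m:
            switch = int(m.group(1)) if m.group(1) else None
            modules[(switch, int(m.group(2)))] = expand_range(m.group(3))
    return groups, modules


def check_new_group(groups, new_group, new_vlans):
    """List the reasons the new group must not be added; empty list means OK."""
    problems = []
    bad = new_vlans - VALID_VLANS
    if bad:
        problems.append(f"VLANs outside the allowed range: {sorted(bad)}")
    if new_group in groups:
        problems.append(f"vlan-group {new_group} already exists: {sorted(groups[new_group])}")
    for group, vlans in groups.items():
        overlap = vlans & new_vlans
        if overlap:  # a VLAN cannot be in two firewall groups
            problems.append(f"VLANs {sorted(overlap)} already belong to vlan-group {group}")
    return problems


def build_change(config_text, switch, module, new_group, vlan_spec):
    """Produce the commands that add new_group without dropping existing groups."""
    groups, modules = parse_config(config_text)
    new_vlans = expand_range(vlan_spec)
    problems = check_new_group(groups, new_group, new_vlans)
    if problems:
        raise ValueError("; ".join(problems))
    # Full rewrite of the module line: existing groups plus the new one.
    mapped = modules.get((switch, module), set()) | {new_group}
    prefix = f"switch {switch} " if switch is not None else ""
    return [
        f"firewall vlan-group {new_group} {vlan_spec}",
        f"firewall {prefix}module {module} vlan-group " + ",".join(str(g) for g in sorted(mapped)),
    ]


if __name__ == "__main__":
    for cmd in build_change(SAMPLE_CONFIG, switch=1, module=4, new_group=4, vlan_spec="130,140"):
        print(cmd)
```

Run against the sample it prints the `firewall vlan-group 4 130,140` line followed by `firewall switch 1 module 4 vlan-group 1,2,3,4`; asking for `30,130` instead is rejected because VLAN 30 is already in group 1. The check only reads a saved config and never talks to the switch, so it can be run before the maintenance window Giuseppe suggests and the generated lines compared against the live `show firewall vlan-group` output afterwards.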