08-13-2009 09:35 AM - edited 03-06-2019 07:14 AM
I have several production VLANs that I am going to be removing from the FWSM. I wanted to see if anyone out there had real-life experience of the effects and connectivity issues (if any) during the removal of the VLANs from the FWSM. How much connectivity loss and downtime should I expect during the removal of the VLANs from the FWSM back to the switch?
I'm talking about connectivity within each of the VLANs I'm removing and connectivity to/from the other parts of the network and the VLANs I'm removing.
TIA
08-13-2009 09:49 AM
Joe
You can remove vlans that are allocated to the FWSM with no interruption to other vlans allocated to the FWSM. Make sure you remove them from both chassis if you have redundancy, otherwise failover gets into a bit of a state.
As for the vlans you are removing, well, they will no longer have an L3 interface, so communication will be broken. What you can do is create the L3 SVI on the MSFC for these vlans, but if you have enabled "firewall multiple-vlan-interfaces" then the FWSM won't let you.
Either accept that connectivity to these vlans will be broken while you remove them from the FWSM and then create the L3 SVI on the MSFC, or you could try using the "firewall multiple-vlan-interfaces" command and create the L3 SVIs before removing them from the FWSM. I have never done this though.
Jon
08-13-2009 09:58 AM
First of all, thanks a lot for your quick and good feedback. This was my planned script to execute.
! Release the VLANs from the FWSM vlan-group, then unbind the group from the module in slot 3
no firewall vlan-group 1 297-299
no firewall module 3 vlan-group 1
! Bring the L3 SVIs up on the MSFC (gateway addresses are placeholders)
interface Vlan297
 no shutdown
 ip address a.a.a.1 255.255.255.0
 no ip unreachables
 no ip redirects
interface Vlan298
 no shutdown
 ip address b.b.b.1 255.255.255.0
 no ip unreachables
 no ip redirects
interface Vlan299
 no shutdown
 ip address c.c.c.1 255.255.255.128
 no ip unreachables
 no ip redirects
08-13-2009 10:08 AM
Joe
That will work fine, although obviously you will lose connectivity within those 3 vlans while you bring up their L3 SVIs.
One thing though.
"no firewall module 3 vlan-group 1"
This will remove any vlans in vlan-group 1 from the FWSM in slot 3 - is this what you want?
I ask because you have -
no firewall vlan-group 1 297-299
no firewall module 3 vlan-group 1
The first line removes the vlans from the FWSM. If you have any other vlans allocated to vlan-group 1 that you still want to use on the FWSM, then you definitely don't want the second line.
Jon
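The check Jon describes above, written out as an added example (not code from this thread or from Cisco): it parses the FWSM vlan-group lines from a constructed running-config sample, emits the "no firewall vlan-group" lines for the VLANs being migrated, and only adds "no firewall module <slot> vlan-group <g>" when nothing else is left in that group. The config lines and VLAN numbers are constructed for the example.

```python
import re
# Constructed sample of the relevant FWSM lines from a 6500 running-config (not from this thread).
SAMPLE_CONFIG = """\
firewall vlan-group 1 297-299,310
firewall vlan-group 2 400-402
firewall module 3 vlan-group 1,2
"""
def expand_vlans(spec):
    """Expand IOS VLAN list syntax such as '297-299,310' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def compress(vlans):
    """Render a set of VLAN ids back into IOS range syntax, e.g. '297-299,310'."""
    out, nums, i = [], sorted(vlans), 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        out.append(str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}")
        i = j + 1
    return ",".join(out)

def parse_groups(config):
    """Return {group_id: set_of_vlans} from 'firewall vlan-group' lines."""
    groups = {}
    for m in re.finditer(r"^firewall vlan-group (\d+) (\S+)$", config, re.M):
        groups.setdefault(int(m.group(1)), set()).update(expand_vlans(m.group(2)))
    return groups

def plan_removal(config, slot, vlans_to_remove):
    """Build the 'no firewall ...' lines; the module/vlan-group binding is dropped only
    when the group is empty, otherwise every VLAN in the group would leave the FWSM."""
    groups, remove = parse_groups(config), set(vlans_to_remove)
    cmds, warnings = [], []
    for g, members in sorted(groups.items()):
        gone = members & remove
        if not gone:
            continue
        cmds.append(f"no firewall vlan-group {g} {compress(gone)}")
        if members - remove:
            warnings.append(f"vlan-group {g} still carries {compress(members - remove)}; "
                            f"keep 'firewall module {slot} vlan-group {g}'")
        else:
            cmds.append(f"no firewall module {slot} vlan-group {g}")
    return cmds, warnings
```

Run plan_removal(SAMPLE_CONFIG, 3, [297, 298, 299]) against the sample and it keeps the slot 3 binding because VLAN 310 is still in vlan-group 1; include 310 in the removal list and the binding is dropped too.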
08-13-2009 10:11 AM
Yeah, we're making some changes and I'm pulling the FWSM out of this chassis.
How much connectivity loss do you think there will be?
08-13-2009 10:18 AM
Joe
Okay that makes sense.
As for connectivity loss, well, you would certainly want to do this out of core production hours, and you should look to clear out the ARP tables on the 6500.
The only other issue you may have is that end servers and hosts on vlans 297 - 299 will have an ARP cache entry that resolves their default gateway to the MAC address on the FWSM.
I'm assuming you are simply migrating the addresses from the FWSM to the L3 SVI? If so, you may need to clear ARP caches on servers and hosts. That's why you want to do this out of hours.
Finally, routing - I don't know how you are routing to the DMZs on the FWSM at the moment, i.e. a dynamic routing protocol such as OSPF between MSFC and FWSM or just statics, but whichever way, don't forget to clean up the config afterwards.
Jon
08-13-2009 10:22 AM
I have some other config changes for routing that I didn't include.
I appreciate the time and feedback.
Great help :)