Add vlan in FWSM
Hi,
Newbie question here. How can I add a VLAN to an FWSM module? What are the steps I should do? And also, can I directly assign the VLAN I add to the FWSM to a switchport (i.e. an access switch)?
Thanks.
Roselyn
It depends on whether you already have VLANs assigned to the firewall or not. If you do, then simply add the VLAN you want to assign, i.e.
firewall vlan-group 20 11,12,16 <-- the VLAN you added was 16, and firewall vlan-group 20 already existed in the 6500 config with VLANs 11,12 already assigned.
If you haven't assigned any yet, then you need an additional step, i.e.
firewall vlan-group 20 16
firewall module 7 vlan-group 20
where 7 in the firewall module command is the slot the FWSM occupies in your 6500 chassis. See this link for full details -
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/switch_f.html#wp1175820
"And also, can I directly assign the VLAN I add to the FWSM directly to a switchport (i.e. access switch)"
Yes you can, i.e. you have a VLAN you want to firewall. You assign it to the firewall as above, configure the FWSM and then allocate the switchports of the devices you want to firewall to that VLAN.
Jon
Similar Messages
-
Unknown interface vlan on fwsm
I've done the following on the MSFC:
firewall module 2 vlan-group 1
firewall vlan-group 1 100,200,300
interface Vlan100
no ip address
interface Vlan200
no ip address
shutdown
interface Vlan300
no ip address
shutdown
But when I do the following on the FWSM
int vlan 300
I get the following:
FWSM# conf t
FWSM(config)# int vlan 300
Unknown interface vlan.
The FWSM is not recognizing my VLAN. What is missing?
Thanks
Hi
Have you created the VLANs at Layer 2, i.e. if you do a "sh vlan" on the 6500 do you see your VLANs?
You do not create layer 2 vlans by entering
int vlan300
no ip address
shutdown
If you want VLAN 300 to be firewalled then please
1) remove the "interface vlan 300" from the 6500, i.e.
6500(config)# no interface vlan 300
2) Add the VLAN at Layer 2 on the 6500, i.e.
6500(config)# vlan 300
6500(config-vlan)# name vlan300
Do this for all vlans you want to firewall.
Jon -
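The two threads above come down to one check: every VLAN listed in a "firewall vlan-group" that is tied to the FWSM slot must also exist in the 6500's Layer 2 VLAN database, or the FWSM answers "Unknown interface vlan". The script below is an added example, not code from either reply or from Cisco; it parses constructed sample text modelled on "show run | section firewall" and "show vlan brief" output and reports, per FWSM slot, which assigned VLANs are absent at Layer 2. The sample reproduces the second thread: VLAN 300 was only ever created as an SVI, so it is in the vlan-group but not in the L2 database.

```python
"""Cross-check the VLANs handed to an FWSM against the Catalyst 6500's L2 VLAN database.

Added example. It consumes the text of two show commands the replies above
point at: 'show run | section firewall' (firewall vlan-group / firewall module
lines) and 'show vlan brief' (the L2 database). Both inputs are constructed.
"""
import re

# Constructed sample of 'show run | section firewall' on the 6500 (MSFC side).
SAMPLE_FIREWALL_CONFIG = """\
firewall module 2 vlan-group 1
firewall vlan-group 1  100,200,300
"""

# Constructed sample of 'show vlan brief'. VLAN 300 is deliberately absent:
# 'interface vlan 300' on its own does not create a Layer 2 VLAN.
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/1, Gi1/2
100  inside                           active    Gi1/3
200  dmz                              active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '100,200-202,300' into a sorted list of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)


def parse_firewall_groups(config_text):
    """Return (module -> [group ids], group id -> [vlan ids]) from 'firewall ...' lines."""
    module_groups, group_vlans = {}, {}
    for line in config_text.splitlines():
        m = re.match(r"\s*firewall module (\d+) vlan-group ([\d,]+)", line)
        if m:
            module_groups[int(m.group(1))] = [int(g) for g in m.group(2).split(",")]
            continue
        m = re.match(r"\s*firewall vlan-group (\d+)\s+([\d,\-]+)", line)
        if m:
            group_vlans[int(m.group(1))] = expand_vlan_list(m.group(2))
    return module_groups, group_vlans


def parse_l2_vlans(show_vlan_text):
    """Return the set of VLAN ids the switch reports as 'active' at Layer 2."""
    active = set()
    for line in show_vlan_text.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+(\S+)", line)
        if m and m.group(2) == "active":
            active.add(int(m.group(1)))
    return active


def fwsm_vlan_report(config_text, show_vlan_text):
    """Per FWSM slot, list the VLANs it was given and those missing at Layer 2."""
    module_groups, group_vlans = parse_firewall_groups(config_text)
    l2 = parse_l2_vlans(show_vlan_text)
    report = {}
    for module, groups in module_groups.items():
        assigned = sorted({v for g in groups for v in group_vlans.get(g, [])})
        report[module] = {
            "assigned": assigned,
            "missing_at_l2": [v for v in assigned if v not in l2],
        }
    return report


if __name__ == "__main__":
    for slot, info in fwsm_vlan_report(SAMPLE_FIREWALL_CONFIG, SAMPLE_SHOW_VLAN).items():
        print(f"FWSM in slot {slot}: assigned {info['assigned']}")
        for v in info["missing_at_l2"]:
            print(f"  VLAN {v} is not in the L2 database: run 'vlan {v}' in config mode first")
```

Run it against real output by pasting the two show commands into the sample strings; a VLAN that shows up under "missing_at_l2" is exactly the case Jon describes, and the fix is the "vlan N" / "name" step on the 6500, not another "interface vlan N".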
Hi,
I have an FWSM in a Cat6500. I have one firewall vlan group, which is in firewall module 1 vlan group 10. I need to create another vlan group and add it to firewall module 1 vlan group 10, 20. I need to have zero downtime. How can I do it? Peter
Sent from Cisco Technical Support iPhone App
Hi,
you would just need to add the command:
6506-SUP720(config)#firewall module 1 vlan-group 20
and after you do:
show run | sec firewall
The output would show:
firewall module 1 vlan-group 10,20
It doesn't need any downtime.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
I have a production 6509e running with FWSM and have:
interface vlan 240
ip address 10.100.1.1 255.255.255.0
There is another test 6509e I am trying to do the same thing on, but when I try to create the VLAN I get this error:
FWSM/DATA(config)# interface vlan240
^
ERROR: % Invalid input detected at '^' marker.
Any ideas why this is happening?
Hi,
If you change the VTP mode to "transparent", you should be able to add the VLAN you want (256).
HTH -
Sharing a VLAN between FWSM and ACE (Routed Mode)
Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
I wanted to configure it like this.
firewall vlan-group 10 <FWSM only vlans>
firewall vlan-group 20 <shared FWSM and ACE vlan>
or
svclc vlan-group 20 <shared FWSM and ACE vlan>
svclc vlan-group 30 <ACE only vlans>
The design hides the client side network and the server side network for the ACE behind the FWSM module.
Layout:
|-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
So allocation on the 65xx would be like this.
firewall module n vlan-group 10,20
svclc module n vlan-group 20,30
Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
FWSM and ACE will be in routed mode.
Thanks for reading...
Roble
Never mind...
Just found the perfect answer for this in another posting from Syed.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
Roble -
Not able to add vlans (svi) on a 6500
Hello all,
I am having an issue while trying to create a VLAN/SVI interface on my 6500 Metro Ethernet Aggregator.
I am receiving an error message that I cannot create an SVI without having the VLAN added to the L2 VLAN database, but the issue is that the VLAN is already created there:
1. I created the vlan on the database:
CAT_6k_MT#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CAT_6k_MT(config)#vlan 1241
CAT_6k_MT(config-vlan)#name test
CAT_6k_MT(config-vlan)#exit
% Applying VLAN changes may take few minutes. Please wait...
2. Trying to add the SVI interface for that vlan
CAT_6k_MT(config)#int vlan 1241
CAT_6k_MT(config-if)#no shut
CAT_6k_MT(config-if)#
Oct 14 10:11:04.241 CST: %PM-4-SVI_ADD_CORRESPONDING_L2_VLAN: Vlan 1241 must be added to L2 database in order to be used, do <vlan 1241> from config mode.
Oct 14 10:11:04.257 CST: %LINK-3-UPDOWN: Interface Vlan1241, changed state to down
Then I checked that VLAN 1241 is created in the database:
CAT_6k_MT#sh vlan id 1241
VLAN Name Status Ports
1241 VLAN1241 active Po11, Po61
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
1241 enet 101241 1500 - - - - - 0 0
Remote SPAN VLAN
Disabled
Primary Secondary Type Ports
CAT_6k_MT#sh run int vlan 1241
Building configuration...
Current configuration : 41 bytes
interface Vlan1241
no ip address
end
But when I look at the interface, the VLAN is always down/down:
CAT_6k_MT(config-if)#do sh int vlan 1241
Vlan1241 is down, line protocol is down
Hardware is EtherSVI, address is 0016.9c7b.d7c0 (bia 0016.9c7b.d7c0)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Any ideas regarding this?
Thanks for your help!
Alex
Alex,
Ensure that you have assigned the switch port(s) to the VLAN on the switch side. Also ensure that at least one port in that VLAN on the switch is connected to a switch or a workstation and is active.
HTH
Ganesh.H -
How to add VLAN to trunk port on Cisco SF200-24
Hello All,
I have a question I want to ask:
I have a Cisco SF200-24 switch and I want to configure VLANs as below:
Port 1 to 10 = Vlan 100
Port 11 to 21 = Vlan 200
Port 22 to 24 = Vlan 300
Port GE1 = Trunking (Primary)
Port GE2 = Trunking (Secondary)
How do I add all VLANs 100, 200, 300 to go through Trunking Primary and Secondary?
Which port can I connect to for switch management?
Thanks
> How do I add all VLANs 100, 200, 300 to go through Trunking Primary and Secondary?
Firstly, set those ports as trunks via "VLAN Management" -> "Interface Settings": click on the corresponding port, click on the "Edit..." button and select "Trunk" from the list.
Once those ports (GE1 and GE2) are trunks, you can assign them all desired VLANs via "VLAN Management" -> "Port VLAN Membership". Select the first port (GE1), click "Join VLAN" and select all desired VLANs from the left list and move them to the right list.
And you are done.
> Which port can I connect for management switch?
By default, the switch management IP is part of the default VLAN 1. If you want to keep access to your switch, assign "VLAN1" to one of the access ports, or change the management VLAN to a number other than 1 - but in this case don't forget to apply correct IP settings in order to match the subnet assigned to the new VLAN. -
I was able to do this before but forgot what the command is to do it.
I don't make changes to the switches often so I forget the commands I dont use regularly.
We have a catalyst 4500 Level 3 switch as our main switch. It has all the vlans and everything already set.
That is connected to a few other switches via fiber, 2960-G switches.
We have one switch upstairs for vlan 2 access
We have one switch downstairs for Vlan 1 access
The Vlan addresses are given out via a DHCP server.
Can someone provide me the process/commands to add Vlan2 to the downstairs switch so one of the ports can get a Vlan 2 address?
I want to say it is trunk or something but I tried and failed.
Thanks
Thanks, I do remember doing something like that before.
I also remember needing to add all the vlans that need to go through the switch or I have issues :)
I want to confirm switchport trunk allowed vlan add 2 at the interface layer, correct? -
Add VLAN to firewall exception WS 2003 R2
How do I add a VLAN exception to the firewall in Windows Server 2003 R2?
Hi,
In the OSI model's seven layers, a VLAN is a Data Link layer concept, and a firewall works at the network layer or above. So it won't be blocked by the Windows firewall.
Hope this helps. -
How to add vlan virtual interface on a Catalyst Using SNMP
Hi,
I need some assistance in locating the mib/variables to allow me to add and remove vlan
virtual interface on Catalyst 3759G. If I understand correctly CISCO-VTP-MIB can not carry
out this requirement.
Is there another way of accomplishing this using SNMP ?
Thanks,
Zhou
You cannot add a new interface directly using SNMP. However, you can use the CISCO-CONFIG-COPY-MIB to copy a config snippet into the running configuration, which can create a new VLAN interface. See http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094aa6.shtml for more details.
-
Unable to add allowed VLANs to TenGig trunk port
Hi,
I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doesn't support ISL, hence no need. The command to add the VLANs, however, doesn't get rejected; it just doesn't appear to do anything.
I've tried adding single VLANs and multiples, but no joy. Any ideas?
Here's what I've done:
SWITCH_1631(config)#default int t4/1
Interface TenGigabitEthernet4/1 set to default configuration
SWITCH_1631#sh ru int t4/12
Building configuration...
Current configuration : 65 bytes
interface TenGigabitEthernet4/12
no ip address
shutdown
end
SWITCH_1631(config)#int t4/1
SWITCH_1631(config-if)#switchport
SWITCH_1631(config-if)#switchport mode trunk
SWITCH_1631(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
SWITCH_1631(config-if)#
SWITCH_1631#sh vlan id 700
VLAN Name Status Ports
700 VLAN_NAME active <snip>
SWITCH_1631#sh ru int t4/1
Building configuration...
Current configuration : 74 bytes
interface TenGigabitEthernet4/1
switchport
switchport mode trunk
end
Steve,
Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
Port        Mode         Encapsulation  Status        Native vlan
Gi3/39      on           802.1q         trunking      1
Te4/1       on           802.1q         trunking      1
Po1         on           802.1q         trunking      50
Po2         on           802.1q         trunking      50
Po3         on           802.1q         trunking      50
Po4         on           802.1q         trunking      50
Po5         on           802.1q         trunking      50

Port        Vlans allowed on trunk
Gi3/39      15-16,20-23,30,401,608
Te4/1       1-4094
Po1         10,13,20-21,25,30,50,52,61,70,600,700-701,950
Po2         10,20,30,50,52,61,70,600,700-701,950
Po3         10,20,30,50,61,70,600,700-701,950
Po4         10,20,30,50,61,70,600,700-701,950
Po5         2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
The problem was that I've always been advised that best practice is to only allow the VLANs that are actually required on a trunk, to avoid carrying broadcast traffic unnecessarily. I worked out what the issue was, though, and it was a pretty simple one!
Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700", which worked and left me with 1-699,701-4094.
Then I realised what the problem was: trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of that and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed! -
Does it need add the native vlan to allowed vlan list ?
If I configured the port like this "
switchport trunk native vlan 10
switchport trunk allowed vlan 11,12"
is VLAN 10 allowed to pass? Or does it still need VLAN 10 added to the allowed VLAN list, like "
switchport trunk native vlan 10
switchport trunk allowed vlan 10,11,12"
Thanks
Yes, you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shuts down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
Kevin Dorrell
Luxembourg -
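The two trunk threads above (the TenGig port where "switchport trunk allowed vlan add 700" did nothing, and the native-VLAN question answered by Kevin) both hinge on how the allowed-VLAN list is edited. The script below is an added example, not code from the threads or from Cisco IOS: it models the "add", "remove", "all", "none", "except" and bare-list forms of the command (the keywords shown in the "?" output quoted above) as set operations, renders the result the way "show interface trunk" prints it, and includes a check for whether the native VLAN is in the allowed list. It generalises the two threads slightly by covering every keyword, not only "add" and "remove".

```python
"""Model of how 'switchport trunk allowed vlan ...' edits a trunk's allowed list.

Added example. Reproduces the two points made above: 'add' is a no-op when
the list already covers 1-4094 (the default), and a native VLAN that is not
in the allowed list is not carried on the trunk.
"""
VLAN_MIN, VLAN_MAX = 1, 4094


def expand_vlan_list(spec):
    """Expand '1-699,701-4094' style text into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def compact_vlan_list(vlans):
    """Render a set of VLAN ids the way 'show interface trunk' prints it: '2-3,10-23'."""
    ranges, start, prev = [], None, None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            ranges.append((start, prev))
            start = prev = v
    if start is not None:
        ranges.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges) or "none"


def apply_allowed_vlan(current, args):
    """Apply one 'switchport trunk allowed vlan <args>' command to the current set."""
    keyword, _, rest = args.strip().partition(" ")
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    if keyword == "all":
        return everything
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | expand_vlan_list(rest)
    if keyword == "remove":
        return current - expand_vlan_list(rest)
    if keyword == "except":
        return everything - expand_vlan_list(rest)
    # A bare list replaces the whole allowed list.
    return expand_vlan_list(args)


def native_vlan_carried(allowed, native):
    """True when the native VLAN is in the allowed list and so traverses the trunk."""
    return native in allowed


def replay(commands, start="1-4094"):
    """Run a sequence of allowed-vlan arguments from the default list; return the rendered result."""
    allowed = expand_vlan_list(start)
    for cmd in commands:
        allowed = apply_allowed_vlan(allowed, cmd)
    return compact_vlan_list(allowed)


if __name__ == "__main__":
    print(replay(["add 700"]))                                  # 1-4094 (unchanged)
    print(replay(["remove 700"]))                               # 1-699,701-4094
    print(replay(["700", "add 701"]))                           # 700-701
    print(native_vlan_carried(expand_vlan_list("11,12"), 10))   # False
```

The first call is the TenGig thread: with the default 1-4094 list, "add 700" is a union with a set that already contains 700, so the running config shows no change. The last call is the native-VLAN thread: "allowed vlan 11,12" with "native vlan 10" leaves VLAN 10 off the trunk.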
VLAN ID, add virtual NIC in Windows like I do in OS X
I have a Macbook 13''.
I am able to add a VLAN ID in OS X like this video shows:
http://screencast.com/t/fJBMWrckmbE
However, I am not able to do the same in Windows...
How would I be able to do the same on Windows on my MacBook?
Please, this is really important!!
Best Regards and thanks in advance for an answer....
I currently do this with an iMac along with EyeTV and Time Machine. There used to be limitations with older versions of iLife, but I think it was just the installer being difficult, and those are no longer present in the shipping versions of Server and iLife. Time Machine might be considered an issue because by default, Time Machine doesn't back up a few directories which would not have any bearing on normal OS X, but is a bit daunting with OS X Server, specifically /var/spool/ as this is where all mail is stored. You can override this behavior by modifying the Exclusion file in /System/, which some would consider a no-no.
-
FWSM system space does not replicate part of configuration
Hi
I have FWSM failover pair, Active/Active configuration, admin and another 4 context, few context active on first FWSM, other on second FWSM.
I needed to add VLANs 51 and 52 to FWSM
I created the VLANs on both Cat6500s, created firewall vlan-group 3 and put "firewall module 1 vlan-group 3" on both Cat6500s.
Then I logged in to the system space on the primary FWSM and created the interface VLANs.
The created VLANs automatically appeared in the system space on the secondary FWSM.
Then I wanted to allocate VLANs 51 and 52 to context XY, so I went to the part of the configuration for context XY and entered "allocate-interface Vlan51" and "allocate-interface Vlan52".
But this part did not replicate to the system space on the secondary FWSM; I do not know why.
I tried, for example, shutting down interface 101 in the system space on the primary FWSM. This action was replicated.
pnfkepolsa17# sh failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
Interface config Syncing - STANDBY
Sync Done - STANDBY
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
pnfkepolsa17#
pnfkepolsa17# sh failover state
====My State===
Secondary | Standby |
====Other State===
Primary | Active |
====Configuration State===
Interface config Syncing - STANDBY
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
Comm Failure
pnfkepolsa17#
I found this message in the log of the Cat6500:
000160: Jun 11 20:34:22.405: %SVCLC-5-SVCLCMULTI: Group 3 being tied to more than one module
Why is this a problem?
Peter
I found the explanation:
Error Message %SVCLC-5-SVCLCMULTI: Group [dec] being tied to more than one module
Explanation The specified group is tied to multiple service modules. A group should not be associated with more than one service module unless a failover configuration is being used.
Recommended Action If a failover configuration is in use, no action is required. Otherwise enter the show svclc module command to find out which group is being tied to more than one module. Then remove multiple associations by entering the no svclc module mod vlan-group group command.
I want to use vlan-group 3 for FWSM and for ACE module too.
which kind of failover was mentioned?
Peter -
IDSM-2 Inline Vlan Pair - Duplicate Packets
Dear All
We have a setup where two IDSM-2 modules are ether-channeled together in a single 6513 Chassis.
There is an FWSM module also, which acts as the default gateway for all internal VLANs.
Problem: the IDSM "show stat virtual-sensor" command is showing tons of 'Duplicate Packets'
show statistics virtual-sensor | inc Duplic
Duplicate Packets = 2950967
Inline TCP Tracking Mode: Interface and VLAN
Topology:
Assume Client VLAN = 10 and Server VLAN = 60
IPS Inline VLAN Pairs:
10 >> 110 (Client VLAN)
60 >> 160 (Server VLAN)
Client >> Server Flow: (Layer 2):
[ClientPC] >>>> Access Switch (VLAN 10) >>>> Core SW >>>> IDSM-2 (VLAN 10--110 Pair) >>>> Core Sw >>>> FWSM VLAN 110 >>>>
FWSM VLAN 160 >>>> Core Sw >>>> IDSM-2 (VLAN 160--60 Pair) >>>> Server Switch (VLAN 60) >>>> [Server]
Core Switch IPS Etherchannel Setup:
Group 5: IDSM(A) and IDSM(B) Port x/7
Group 6: IDSM(A) and IDSM(B) Port x/8
Some VLAN Pair(s) are on interface x/7 and others are on x/8
Because of the above issue, we see a lot of TCP normalization signatures being fired (as the IPS gets confused by duplicate packets seen for the same flow), especially signatures 1330:12, :17 and :18.
It is also causing some applications to break (e.g. Veritas Netbackup 6.5). When I removed the DENY action from these signatures, our IPS started having stability issues (This could also be due to E3 upgrade)
Should we change the Tracking mode to 'VLAN' only, OR any other possible solution?. Should not the 'interface and vlan' setting be sufficient?.
Regards
Farrukh
This will take some traffic analysis to determine what is going wrong.
You might need to place a sniffer to watch the traffic on the client where the backup software is running at the same time that you capture the traffic on the sensor.
Look to see if there are any differences in the traffic.
Look for any anomalies in the traffic.
Look to see if maybe the backup software is not using a standard TCP connection (is it jumping the tcp sequence numbers in any abnormal way?)
You might also try some things on the sensor to determine if the sensor itself might have an issue.
Determine if the connection passes through 2 connections (inline vlan pairs) monitored by the sensor.
If you can, you might try removing both of the pairs from the virtual sensor. (don't delete the pairs, just remove them from the virtual sensor so they won't be analyzed)
And see if the backup works.
If it does then just add in one pair, and see if it keeps working.
If it has errors with just the one pair, then the problem is likely not because of the connection being monitored twice.
Something else must be weird about the connection.
If the problems are only seen when having both pairs in the same virtual sensor, then try placing the pairs in different virtual sensors and see if the problem goes away.
If the problem goes away when in different virtual sensors, then there may be an error in the inline tcp session tracking code that should track connections separately for each interface/vlan.