Firewall vlan-group: adding vlans to existing vlan-group

Hi,
I have the following firewall vlan-group defined on my 6500
firewall vlan-group 3 2803,2805,2807
I need to add another vlan, say 2809 to this group.
Will this command:
firewall vlan-group 3 2809
overwrite or append to the existing vlan-group? What would be the safest method to add this new vlan to the group?
Any suggestions would be appreciated.
Thanks

Dear Team
We have a core switch in VSS with FWSM running with multiple contexts.
I need to create 5 new DMZ (interfaces) in FWSM server context 
Currently my config shows like below, which includes three "firewall vlan-group" statements, each with a comma-separated list of vlan numbers:
firewall switch 1 module 4 vlan-group 1,2,3
firewall switch 2 module 4 vlan-group 1,2,3
firewall vlan-group 1  2,3,4
firewall vlan-group 2  5,6,7  (vlans for server context)
firewall vlan-group 3  8,9,10
My question is:  when I add the 5 new vlans, do I have to simply issue an additional "firewall vlan-group" statement with the five new vlan numbers, like this?
firewall vlan-group 2 30,40,50,60,70  (I need to add vlans in vlan-group 2)
In other words, will the above command overwrite my existing list of vlans in vlan group 2 if I only add the five new vlans in vlan group 2? I obviously don't want to lose connectivity by erasing all my existing vlans.
Or do I have to issue a new statement that includes ALL of the existing vlans and five new vlans, like this?
firewall vlan-group 2 [all previously existing vlans],30,40,50,60,70 (five new vlans)
I want to know, if I typed the above command with the existing vlans and the new vlans, does it cause any issues to the running environment, b/c I think with the above command existing vlans will also be pushed along with new vlans to FWSM again, or is this not the case?

Similar Messages

  • Firewall Vlan group

    Good evening. I have a Cisco Catalyst 6500 with a Firewall module, which has the following configuration on the switch:
    firewall module 4 vlan-group 10,20,30,40,50,60,70,80,90,100,140,190,200,300,310,350
    firewall vlan-group 10  10
    firewall vlan-group 20  20
    firewall vlan-group 30  30
    firewall vlan-group 40  40
    firewall vlan-group 50  50
    firewall vlan-group 60  60
    firewall vlan-group 70  70
    firewall vlan-group 80  80
    firewall vlan-group 90  90
    firewall vlan-group 100  100
    firewall vlan-group 140  140
    firewall vlan-group 190  190
    firewall vlan-group 200  200
    firewall vlan-group 350  350
    When I try to add a new VLAN to be controlled by the firewall, I get the following error message:
    No more than 16 groups allowed for a module
    This core allows me up to 256 VLANs, but in groups of 16 VLANs. The question is, how can I change this configuration so that I can assign more VLANs to the FWSM? And if I do so, can it be guaranteed that no FWSM configuration is lost when making this change?
    I would be very grateful to anyone who can help me with this question.
    Good night and see you later.
    Francisco Velasco

  • Firewalling vlans on Catalyst 6500 by using Cisco ASA Firewalls

    Hello,
    How to secure vlans on Catalyst 6500 by using Cisco ASA Firewalls?
    There are no free modules on Catalyst 6500 to install a FWSM module.
    What is the best configuration to secure vlans (~80 vlans) by using cisco ASA firewalls (context, hairpinning...)?
    Thanks

    Hi Bro
    Just to understand your question once again, you don't have any more available slots in your present Cat6K, but you want to know how to secure your VLANs or SVIs that have been configured in your Cat6K?
    If you were to ask me, I would not apply a bunch of ACLs in the Cat6K, for starters. You might wanna look into COPP (Control Plane Policing) instead. Furthermore you could also refer to this Cisco document http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801b49a4.shtml
    However, if you do have Cisco ASA FW appliance (not module, I presume from your question), you could enable ACLs, threat-detection feature, IP Audit features, reverse-path policing, capping of the embryonic values etc.
    P/S: If you think this comment is useful, please do rate them nicely :-)

  • Adding SG300 to existing network

    I am not an expert in the network field.
    About a year ago, I upgraded old network equipment with Cisco 2950 and 2960's to get some consistency in house.  
    We are about to switch over to a VOIP system, and we decided to replace all switches with Cisco Small Business SG300 POE to make life simpler, and hopefully faster.
    Problem is, we give it an IP address, rename the switch and have updated to the newest firmware.  We plug it in, and in seconds, it shuts down my network.  
    When I look at the log, we get a native VLAN mismatch, then Loopback error.
    Obviously I need some more basic configuration.  I assumed I would just be able to plug these in and swap similar to the way I upgraded my 2960's.
    Any help would be appreciated.

    Hi,
    SG300 series switches have all the default settings to simplify voice and data network implementation but...
    if you are adding to a Cisco enterprise network there are several things which need to be considered:
    1. PVST is not supported and the only common STP is MSTP
    2. VTP is not supported so all the trunks need to be configured one by one manually
    3. When setting up an access port for desktop+phone on the SG300, the port needs to be in trunk mode with the data vlan set as native and auto-voice vlan enabled
    If you still have some problem we would really need to look at your topology and device interaction in detail, and I would recommend you open a ticket with the Cisco Small Business Support team:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Aleksandra

  • Firewall rules, groups - confusing!

    Hi all,
    I am trying to setup firewall on my Macmini server 10.6.7. Hope you could help me clarify below issues:
    - By default I got "any group", "10-net group", "129.168-net group" and "192.168.1-net group". Should I delete all and just keep 192.168.1-net group? if keep, which check box I have to tick to enable services?
    - Is it a right way when I tick all "Deny rule" in Advance tab and then open service by service in Services tab?
    Thanks and looking forward to your response!

    Those are IP subnets, and those groups select the originating IP address for the incoming connection.
    Your network looks to be using the 192.168.1.x/24 subnet.  Which is common.  Unfortunately, the common subnets are also very bad choices if you decide to use VPNs in the future.
    Ok, your "10-net group", "129.168-net group" and "192.168.1-net group" should probably be "10-net group", "192.168-net group" and "192.168.1-net group" (typo in there), and you'll find that is the 10.0.0.0/8 subnet, and the 192.168.0.0/16 block, and the 192.168.1.0/24 block.
    Here are the three private IP address blocks:
    10.0.0.0 to 10.255.255.255, also called 10.0.0.0/8
    172.16.0.0 to 172.31.255.255, also known as 172.16.0.0/12
    192.168.0.0 to 192.168.255.255, also known as 192.168.0.0/16
    You'll generally have a subnet within these blocks, but we'll skip the IP subnet introduction for now and point to the use of  "10-net group" to point to any incoming address in 10.0.0.0/8; connections from addresses 10.0.0.1 to 10.255.255.254.  "192.168-net group" is 192.168.0.1 to 192.168.255.254, and "192.168.1-net group" is 192.168.1.1 to 192.168.1.254.
    You can read the Wikipedia article on this IP addressing stuff but (and I've been tussling with IP for a very long time) it's surprisingly dense reading.  (It's entirely correct, but it's written for IP nerds and not really for IP newbies.)  If you don't bother reading that (and I would not blame you), then just remember you can't use the .0 and .255 addresses within any particular subnet; the ranges I show above reflect that, though technically the .0 and .255 addresses are within the ranges, and you probably want to configure your network out of the 192.168.0.1 to 192.168.0.254 and 192.168.1.1 to 192.168.1.254 subnets if you might ever need to use VPNs.
    Now these private addresses should generally not be active on the public internet and should not be passing default router configurations, and so these should be LAN local.  There are cases of ISPs using these blocks and issuing addresses from here for all private LANs managed by that ISP, so there's no solid rule of what you might see; there are various ISP schemes and even more local LAN schemes and permutations.
    So the answer to your question is...  Do you know what IP addresses will be referencing and reaching your server?  If so, then yes, you can delete those groups that you are not using.  But I'd probably leave the groups alone (at least for now), and just select the services within each (that your network is not using) for no traffic.  Which is the "don't delete" answer.
    I also typically recommend acquiring and installing an external gateway firewall box and not running a Mac as a gateway, as that makes networking (far) easier, and (if you purchase a gateway firewall with server-oriented features, or use one of the available open-source options with server-oriented features) you can connect via external VPN to your firewall to allow remote (in-bound) access into your network.  That also means you have less traffic hitting your server-local firewalls.
    I'd suggest some introductory reading on IP networking and DNS services, as they're essential to operating a server.

  • Windows Firewall Rules - Automatically Added by Sharepoint

    Hi All,
    I have two WFEs and 1 APP server. When I checked the inbound firewall rules of WFE1 and WFE2 I can see
    Sharepoint Search 16500,16501,.... Allowed
    Sharepoint Web Services 32843,32844,... Allowed
    SPUserCodeV4 32846 allowed
    When I checked the APP Server, these are not added.
    Can somebody let me know why, even though all have been created the same way, only in the App Server this is not added?
    For making the APP Server, I have stopped the Microsoft SharePoint Foundation Web Application service.

    Hi Thompson, you can see the firewall service as "windows firewall" in services.msc. You can find the firewall rules in administrative tools->windows firewall with advanced security in Win 2008 servers. You can also look at the URL that is discussing exactly your query.
    You can see the firewall service as "windows firewall" in services.msc. You can find the firewall rules in search as windows firewall with advanced security in Win 2012 servers. You can also look at the URL that is discussing exactly your query:
    http://expertsharepoint.blogspot.de/2014/05/firewall-settings-for-sharepoint-farm.html
    Anil Avula[MCP,MCSE,MCSA,MCTS,MCITP,MCSM] See Me At: http://expertsharepoint.blogspot.de/

  • Firewall-safari getting added to list.

    ok, from time to time, I notice that Safari gets added to the list of apps allowed to get incoming info. I know I have the checkmark turned on to allow signed software. But what actions cause safari to get added to the list. Is there a log in console that I could look at that would tell me when and why safari got added.

    Aaron Oneal wrote:
    What appears to be happening is that Finder is not dropping the inherited permissions on a copy. I just copied the file to a folder that doesn't have an ACL and when I inspect the file permissions it still shows the inherited permissions from the source when I would have expected them to have been dropped. So of course, when I copy that file back to the folder with the ACL it again preserves the source inherited permissions, combines them with the destination, and results in the duplication.
    I came to the same conclusion. Explicit permissions don't seem to be duplicated, but inherited permissions seem to be retained, and then duplicated. Funny though when I made a fresh local non-administrative account (machine is bound to OD) it would not duplicate permissions. It would only happen with OD user accounts. Also it seems to be 10.6 (client) specific. I still have quite a few 10.5.8 machines and they would not duplicate. When I get a chance I want to do a fresh 10.6.3 install and see if that version was doing it, although I don't personally believe so. Also I haven't tested on non-bound 10.6 machines. However it sounds like same effect from your research.
    Then again we could get lucky and today's 10.6.6 update will fix it.

  • To add vlan group for Fwsm

    Hi,
    I have fwsm in cat6500, I have one firewall vlan group which is in firewall module 1 vlan group 10. I need to create another vlan group and add it to firewall module 1 vlan group 10, 20. I need to have zero downtime. How can I do it? peter

    Hi,
    you would just need to add the command:
    6506-SUP720(config)#firewall module 1 vlan-group 20
    and afterwards when you do:
    show run | sec firewall
    The output would show:
    firewall module 1 vlan-group 10,20
    It doesn't need any downtime.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Assigning VLANs to the Firewall Services Module

    I need to add a new vlan group to our fwsm module. I have some doubts:
    What command do i need for it?
         firewall vlan-group 5 100,101,102,103,104,105
         firewall switch 2 module 4 vlan-group 5
         firewall switch 1 module 4 vlan-group 5
         or
         firewall vlan-group 5 100,101,102,103,104,105
         firewall switch 2 module 4 vlan-group 1,2,3,4,5
         firewall switch 1 module 4 vlan-group 1,2,3,4,5
    Will it be disruptive?
    Thanks!

    So, just to confirm, in this case to add/append a new vlan-group to the firewall module I should use:
    Switch# firewall switch <1-2> module 02 vlan-group 2
    My main concern is whether the command will replace the current vlan-group (4,5,6) or just append the new vlan-group.
    Thanks in advance!

  • Add vlan in FWSM

    hi,
    Newbie question here. How can I add a vlan to a fwsm module? What are the steps I should do? And also, can I directly assign the vlan I add to fwsm directly to a switchport (i.e. access switch)?
    thanks.

    Roselyn
    It depends on whether you already have vlans assigned to the firewall or not. If you do then simply add the vlan you want to assign ie.
    firewall vlan-group 20 11,12,16 <-- the vlan you added was 16, and firewall vlan-group 20 already existed in the 6500 config with vlans 11,12 already assigned.
    If you haven't assigned any yet then you need an additional step ie.
    firewall vlan-group 20 16
    firewall module 7 vlan-group 20
    where 7 in the firewall module command is the slot the FWSM is in in your 6500 chassis. See this link for full details -
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/switch_f.html#wp1175820
    "And also, can i directly assign the vlan i add to fwsm directly to a switchport (i.e. access switch)"
    Yes you can ie. you have a vlan you want to firewall. You assign it to the firewall as above, configure the FWSM and then allocate the switchports of the devices you want to firewall to that vlan.
    Jon
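
Added example, not from the original posts: the replies above use the full-list form of "firewall vlan-group", which yields the same membership whether the switch appends or replaces. The Python below builds that command from saved "show run | sec firewall" output and compares the output before and after the change so a dropped VLAN is caught; the sample configs are constructed, modelled on those quoted in this thread, and the function names are this example's own.

```python
import re

# Constructed samples modelled on the configs quoted in this thread.
BEFORE = """\
firewall switch 1 module 4 vlan-group 1,2,3
firewall switch 2 module 4 vlan-group 1,2,3
firewall vlan-group 1  2,3,4
firewall vlan-group 2  5,6,7
firewall vlan-group 3  8,9,10
"""
AFTER_GOOD = BEFORE.replace("vlan-group 2  5,6,7", "vlan-group 2  5-7,30,40,50,60,70")
AFTER_BAD = BEFORE.replace("vlan-group 2  5,6,7", "vlan-group 2  30,40,50,60,70")

GROUP_RE = re.compile(r"^\s*firewall vlan-group (\d+)\s+([\d,\- ]+?)\s*$")
MODULE_RE = re.compile(
    r"^\s*firewall (?:switch (\d+) )?module (\d+) vlan-group\s+([\d,\- ]+?)\s*$")


def expand(spec):
    """Turn '5,7-10,13' into {5, 7, 8, 9, 10, 13}."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out


def compress(vlans):
    """Turn a set of VLAN ids back into a sorted list with ranges."""
    runs = []
    for v in sorted(vlans):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def parse_config(text):
    """Return (group id -> VLAN set, (switch, module) -> group-id set)."""
    groups, modules = {}, {}
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand(m.group(2)))
            continue
        m = MODULE_RE.match(line)
        if m:
            key = (m.group(1) or "-", m.group(2))
            modules.setdefault(key, set()).update(expand(m.group(3)))
    return groups, modules


def plan_add(config_text, group, new_vlans):
    """Build the command listing every existing VLAN plus the new ones."""
    groups, _ = parse_config(config_text)
    if group not in groups:
        raise ValueError(f"vlan-group {group} not found in saved config")
    return f"firewall vlan-group {group} {compress(groups[group] | set(new_vlans))}"


def verify(before_text, after_text, group, new_vlans):
    """List anything that went missing or changed unexpectedly."""
    before, mods_before = parse_config(before_text)
    after, mods_after = parse_config(after_text)
    problems = []
    for gid, members in sorted(before.items()):
        lost = members - after.get(gid, set())
        if lost:
            problems.append(f"group {gid} lost VLANs {compress(lost)}")
    missing = set(new_vlans) - after.get(group, set())
    if missing:
        problems.append(f"group {group} is missing new VLANs {compress(missing)}")
    if mods_before != mods_after:
        problems.append("module-to-group assignment changed")
    return problems


if __name__ == "__main__":
    new = [30, 40, 50, 60, 70]
    print(plan_add(BEFORE, 2, new))
    print(verify(BEFORE, AFTER_GOOD, 2, new))
    print(verify(BEFORE, AFTER_BAD, 2, new))
```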

  • Fwsm - active/standby - "Vlan configuration mismatch between peers"

    Hi,
    A FWSM pair fell into an active/active situation due to a vlan configuration mismatch. What would be the best way to synchronize configurations and return to the normal active/standby? There is a new vlan on the primary fwsm and at present both are in active state.
    Thank you in advance.
    Zdravko

    Hi,
    To my understanding the FWSMs (even though both active) have identical configurations?
    Have you perhaps done so that on the core switch you have only issued the "firewall vlan-group" only on the primary core device (to which the FWSM is attached) and not the secondary core device?
    The only time I have witnessed the same situation is when configuring a new customer link and I have only configured the primary unit (and about to configure the same on the standby unit)
    Hope it helps, not sure if the above was what you meant.
    - Jouni

  • Sharing a VLAN between FWSM and ACE (Routed Mode)

    Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
    I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
    I wanted to configure it like this.
    firewall vlan group 10 <FWSM only vlans>
    firewall vlan group 20 <shared FWSM and ACE vlan>
    or
    svclc vlan group 20 <shared FWSM and ACE vlan>
    svclc vlan group 30 <ACE only vlans>
    The design hides the client side network and the server side network for the ACE behind the FWSM module.
    Layout:
    |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
    So allocation on the 65xx would be like this.
    firewall module n vlan-group 10,20
    svclc module n vlan-group 20,30
    Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
    FWSM and ACE will be in routed mode.
    Thanks for reading...
    Roble

    Never mind...
    Just found the perfect answer for this in another posting from Syed.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
    Roble

  • ISA550 Voice VLAN cannot connect to WAN?

    Hi,
    I just bought ISA550 and used the configuration wizard to set it up, mostly with defaults.
    I mapped GE2 to VOICE VLAN/Zone, and although the SPA122 I connected to this port now gets an IP address (10.1.1.100), it fails to register with SIP provider.
    I have LB WAN set up (bandwidth), WAN1(GE1) Primary, WAN2(GE7) secondary, but not connecting WAN2 yet until I have configuration working.
    I set ALG on for SIP (and tried it 'off') but nothing seems to work.
    I also checked Firewall settings and added rule to 'permit' WAN to VOICE. There was only the other direction by default.
    I have also not yet updated firmware, as I have only just elevated my access to allow encrypted downloads, but will try that later this evening, out of hours.
    Otherwise, any other suggestions gratefully received.
    MTIA

    I have now been able to get most of this working, but had to connect SPA122 to DEFAULT VLAN (GE3).
    Added traffic selectors for this and some high priority (Q2) devices. Added QoS rules for these but if I added these to the default WAN_POLICY only those explicitly mentioned could access the WAN.
    I then created a new WAN POLICY without the default QoS rules, just the new ones, and this works!
    However, I need to prioritise incoming traffic but only Q1 seems to be available for incoming, so currently only SPA122 has a rule (to mark Cos). Everything else is a free for all.
    I have three devices I need to give Q2 on incoming traffic, so is there a way to do this, or is the traffic precedence 'inherited' from outgoing rules?
    The documentation, both shipped CD and ESD, is not very clear on this. In fact, there are places where it is just plain wrong.
    Otherwise, all seems to be going well. It is handling marginal circuits and LB better than my old router.
    One last point. I need to report on WAN availability. I am remote logging to a Linux system to analyse syslog, but cannot find definitive log entries to determine WAN State (DNS Link detection). Only physical port availability is shown explicitly (Line status - which also correctly triggers email alerts). I can see nothing similar for WAN State.
    I use Splunk to analyse the logs, so could use fairly complex search pattern, if necessary.
    MTIA
    P

  • FWSM maintenance mode - vlan 1

    Hi,
    A client has had their FWSM fail, when you try to start the module the switch eventually disables the power to that slot (%C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Module  Failed SCP dnld)). I have turned off diagnostics with 'no diagnostic boot level' and then use 'boot device module 4 cf:1' to bring the FWSM up into maintenance mode. I can then session up from the switch and log in to the FWSM as root.
    After inputting all the necessary IP info I can't ping anything on vlan 1 as I would expect, I have set the FWSM as 192.168.1.2 and a FTP/TFTP server as 192.168.1.1
    I have removed the firewall vlan groups and tried to put them back with just vlan 1 but this isn't accepted (the reasons are covered in other posts on the forum). What am I doing wrong, as the instructions say that vlan 1 is the only vlan that is accessible whilst the FWSM is in maintenance mode?
    I can create an int vlan 1 in the switch and ping my ftp server so know that the switchport is set up correctly, I can also see that Po308 is formed and when the module boots I can see the Gi4/xx interfaces come up (FWSM is in slot 4).
    Any ideas of what to try next?
    ............and they aren't covered by maintenance agreements
    FWSM
    Maintenance image version: 2.1(4)
    [email protected]#show images
    Device name             Partition#              Image name
    Compact flash(cf)       4                       c6svc-fwm-k9.3-1-4-0.bin
    Switch
    SWITCH# sh ver
    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI7, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Mon 18-Jul-11 05:49 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(17r)SX7, RELEASE SOFTWARE (fc1)
    Regards
    Mel

    Recently I met the same problem.
    When installing the FWSM board on the Catalyst 6509 there is no communication access via vlan1 in the maintenance partition.
    Moreover, the FWSM works properly in the application partition (cf:4).
    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH8, RELEASE SOFTWARE (fc1)
    System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
    Mod Ports Card Type                              Model             
      1   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX   
      4    6  Firewall Module                        WS-SVC-FWM-1      
      5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL    
      8    5  Communication Media Module             WS-SVC-CMM        
    Mod MAC addresses                       Hw    Fw           Sw           Status
      1  001b.d41a.8360 to 001b.d41a.838f   1.5   8.4(1)       8.7(0.22)BUB Ok
      4  0003.fead.962e to 0003.fead.9635   3.0   7.2(1)       4.1(14)      Ok
      5  0017.9444.c3ec to 0017.9444.c3ef   5.4   8.5(2)       12.2(33)SXH8 Ok
      8  0017.0ee2.13cc to 0017.0ee2.13d5   2.8   12.4(25c),   12.4(25c),   Ok
    FWSM versions
    FWSM Firewall Version 3.2(20)
    Device Manager Version 5.0(3)F
    Not possible to verify the switch is in the service.
    I guess the reason is likely the following.
    FWSM supports only untagged packets on vlan1. By default the Catalyst 6500 does not tag native vlan1.
    In my case tagging of the native vlan is enabled globally.
    #sh vlan dot1q tag native
    dot1q native vlan tagging is enabled globally
    sh vlan dot1q tag native
    dot1q native vlan tagging is enabled globally
    Per Port Native Vlan Tagging State:
    Port    Operational          Native VLAN
               Mode               Tagging State
    Gi1/2   trunk                 enabled
    Gi1/8   trunk                 enabled
    Gi1/13  trunk                 enabled
    Gi1/14  trunk                 enabled
    Gi1/17  trunk                 enabled
    Gi1/18  trunk                 enabled
    Gi1/21  trunk                 enabled
    Gi1/27  trunk                 enabled
    Gi1/30  trunk                 enabled
    Gi1/32  trunk                 enabled
    Gi1/38  trunk                 enabled
    Gi1/42  trunk                 enabled
    Gi1/43  trunk                 enabled
    Gi1/44  trunk                 enabled
    Gi1/46  trunk                 enabled
    Gi5/2   trunk                 enabled
    Po2     trunk                 enabled
    Po308   trunk                 enabled

  • Unknown interface vlan on fwsm

    I've done the following on the msfc
    firewall module 2 vlan-group 1
    firewall vlan-group 1 100,200,300
    interface Vlan100
    no ip address
    interface Vlan200
    no ip address
    shutdown
    interface Vlan300
    no ip address
    shutdown
    BUT WHEN I DO THE FOLLOWING ON THE FWSM
    int vlan 300
    I get the following
    FWSM# conf t
    FWSM(config)# int vlan 300
    Unknown interface vlan.
    the fwsm is not recognizing my vlan. what is missing?
    thanks

    Hi
    Have you created the vlans at Layer 2 ie. if you do a "sh vlan" on the 6500 do you see your vlans ?
    You do not create layer 2 vlans by entering
    int vlan300
    no ip address
    shutdown.
    If you want vlan 300 to be firewalled then please
    1) remove the "interface vlan 300" from the 6500 ie.
    6500(config)# no interface vlan 300
    2) Add the vlan at layer 2 on the 6500 ie.
    6500(config)# vlan 300
    6500(config-vlan)# name vlan300
    Do this for all vlans you want to firewall.
    Jon
