Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 730
  • Last Modified:

FWSM VLAN Doesn't Appear / Work


I have a FWSM inside a 6500 running hybrid CatOS / IOS.

I need to add a new VLAN to the fwsm.  I have created the vlan in catos:

  set vlan 20 name DMZ type ethernet mtu 1500 said 100020 state active

I have added it to a trunk:

  set trunk 4/13 on dot1q 20

And given it to the firewall:

  set vlan 20 firewall-vlan 13

All of this is the same for another bunch of vlans given to the firewall.  However, if I do this:

  >sh vlan firewall-vlan 13
  Secured vlans by firewall module 13 :

Vlan 20 is present as a secured vlan.

However, sh config shows:
  set vlan 10-11,80,95,129-130,900-902 firewall-vlan 13

No mention of vlan 20 (or 13, or 21, other vlans I used to confirm the behaviour was consistant).

On the fwsm side, vlan20 is up, and I can add config to it.  I can put things in vlan20 and ping them from the fwsm.  So despite the above config looking weird, layer 2 does seem to be in place.

However, if I try and ping something on the new vlan from the inside interface, it doesn't get there.

There aren't any errors in the logs of the fwsm, but if I log the rule that permits the traffic on the inside acl, it does show that the traffic is destined for the new vlan.  It just doesn't get there.

Nat exemption is correct, routing is correct, acls are correct.

So the anomily is the catos config weirdness.  The criteria for the addition of a vlan to the fwsm is that 1) it isn't on the msfc, which it isn't.  2) It isn't reserved, which it isn't 3) It is attached to a port, which it is.

Any ideas what is causing this?

  • 5
  • 5
1 Solution

did you issue the "show startup-config" instead off the "show config" command?

make sure you "wr mem" it

harbor235 ;}
muffAuthor Commented:
This is on the CatOs part of the system, so there is no "we mem", and "sh config" is equivalent to "sh run".

Right, I forgot, its been a little while since I last used catos, seriously, it does not sound right, what about the version of code you are using?  You definitely did the correct steps. I would open a TAC case and search teh version of code you are using against know bugs.

harbor235 ;}
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

muffAuthor Commented:
It isn't a new version of code, but I can't consider recommending an upgrade to a core and critical device without a diagnosis.

The cisco knowledgebase doesn't help, and TAC is a last resort - the support path I need to follow seems to be designed to make it difficult to log a call.

I'll wait and see if anyone has any suggestions.

What does "sh vlan 20" output?

harbor235 ;}
muffAuthor Commented:
Nothing unusual - other than different ports, this is the same output as vlans that work fine.

In fact, we switched to one of the vlans that appear in the sh firewall-vlan output that wasn't being used, and the problem with forwarding traffic wasn't present.

So not appearing the sh firewall-vlan list seems to indicate that there is a problem somewhere.

The fwsm licence is for 256 interfaces by the way, and using about 10.

> (enable) sh vlan 20
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
20   DMZ                              active    264     4/13-16
VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
20   enet  100020     1500  -      -      -      -    -        0      0
---- ---------- ---------- --------
20   -          static     disabled

Open in new window


Did you add the vlan to the FWSM first before completing the work on the switch? Vlan guidelines for the FWSM state they should be added to the switch first. If so is it possible to remove the vlan and start over?

harbor235 ;}
muffAuthor Commented:

The vlan was added to the switch first, on all occasions.


Got me stumped, it's not a license issue, it must be a bug. I would love to hear the outcome of this one
It's hard not seeing the configs of both devices though.

Good luck to you,

harbor235 ;}
muffAuthor Commented:
This problem was never solved.  Instead, an already defined but unused vlan was usurped for this service.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now