Solved

FWSM VLAN Doesn't Appear / Work

Posted on 2009-05-04
10
721 Views
Last Modified: 2012-05-06
Hello,

I have a FWSM inside a 6500 running hybrid CatOS / IOS.

I need to add a new VLAN to the fwsm.  I have created the vlan in catos:

  set vlan 20 name DMZ type ethernet mtu 1500 said 100020 state active

I have added it to a trunk:

  set trunk 4/13 on dot1q 20

And given it to the firewall:

  set vlan 20 firewall-vlan 13

All of this is the same for another bunch of vlans given to the firewall.  However, if I do this:

  >sh vlan firewall-vlan 13
  Secured vlans by firewall module 13 :
  10-11,13,20-21,80,95,129-130,900-902

Vlan 20 is present as a secured vlan.

However, sh config shows:
  set vlan 10-11,80,95,129-130,900-902 firewall-vlan 13

No mention of vlan 20 (or 13, or 21, other vlans I used to confirm the behaviour was consistant).

On the fwsm side, vlan20 is up, and I can add config to it.  I can put things in vlan20 and ping them from the fwsm.  So despite the above config looking weird, layer 2 does seem to be in place.

However, if I try and ping something on the new vlan from the inside interface, it doesn't get there.

There aren't any errors in the logs of the fwsm, but if I log the rule that permits the traffic on the inside acl, it does show that the traffic is destined for the new vlan.  It just doesn't get there.

Nat exemption is correct, routing is correct, acls are correct.

So the anomily is the catos config weirdness.  The criteria for the addition of a vlan to the fwsm is that 1) it isn't on the msfc, which it isn't.  2) It isn't reserved, which it isn't 3) It is attached to a port, which it is.

Any ideas what is causing this?

0
Comment
Question by:muff
  • 5
  • 5
10 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 24307168


did you issue the "show startup-config" instead off the "show config" command?

make sure you "wr mem" it

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24310083
This is on the CatOs part of the system, so there is no "we mem", and "sh config" is equivalent to "sh run".
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24310459


Right, I forgot, its been a little while since I last used catos, seriously, it does not sound right, what about the version of code you are using?  You definitely did the correct steps. I would open a TAC case and search teh version of code you are using against know bugs.

harbor235 ;}
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 9

Author Comment

by:muff
ID: 24314974
It isn't a new version of code, but I can't consider recommending an upgrade to a core and critical device without a diagnosis.

The cisco knowledgebase doesn't help, and TAC is a last resort - the support path I need to follow seems to be designed to make it difficult to log a call.

I'll wait and see if anyone has any suggestions.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24315846

What does "sh vlan 20" output?

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24315965
Nothing unusual - other than different ports, this is the same output as vlans that work fine.

In fact, we switched to one of the vlans that appear in the sh firewall-vlan output that wasn't being used, and the problem with forwarding traffic wasn't present.

So not appearing the sh firewall-vlan list seems to indicate that there is a problem somewhere.

The fwsm licence is for 256 interfaces by the way, and using about 10.

> (enable) sh vlan 20
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
20   DMZ                              active    264     4/13-16
                                                        5/13-16
                                                        13/1-4
                                                        15/1
                                                        16/1
 
 
VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
20   enet  100020     1500  -      -      -      -    -        0      0
 
 
VLAN MISTP-Inst DynCreated  RSPAN
---- ---------- ---------- --------
20   -          static     disabled

Open in new window

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24316150


Did you add the vlan to the FWSM first before completing the work on the switch? Vlan guidelines for the FWSM state they should be added to the switch first. If so is it possible to remove the vlan and start over?

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24321102

The vlan was added to the switch first, on all occasions.

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24321322

Got me stumped, it's not a license issue, it must be a bug. I would love to hear the outcome of this one
It's hard not seeing the configs of both devices though.

Good luck to you,

harbor235 ;}
0
 
LVL 9

Accepted Solution

by:
muff earned 0 total points
ID: 25791693
This problem was never solved.  Instead, an already defined but unused vlan was usurped for this service.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Setting up a VPN 60 177
Cisco ASA and Watchguard firewall 2 45
not able to to ping server on a switch 1 33
Deny permission ACL 16 26
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question