FWSM VLAN Doesn't Appear / Work
Hello,
I have a FWSM inside a 6500 running hybrid CatOS / IOS.
I need to add a new VLAN to the fwsm. I have created the vlan in catos:
set vlan 20 name DMZ type ethernet mtu 1500 said 100020 state active
I have added it to a trunk:
set trunk 4/13 on dot1q 20
And given it to the firewall:
set vlan 20 firewall-vlan 13
All of this is the same for another bunch of vlans given to the firewall. However, if I do this:
>sh vlan firewall-vlan 13
Secured vlans by firewall module 13 :
10-11,13,20-21,80,95,129-1
Vlan 20 is present as a secured vlan.
However, sh config shows:
set vlan 10-11,80,95,129-130,900-90
No mention of vlan 20 (or 13, or 21, other vlans I used to confirm the behaviour was consistant).
On the fwsm side, vlan20 is up, and I can add config to it. I can put things in vlan20 and ping them from the fwsm. So despite the above config looking weird, layer 2 does seem to be in place.
However, if I try and ping something on the new vlan from the inside interface, it doesn't get there.
There aren't any errors in the logs of the fwsm, but if I log the rule that permits the traffic on the inside acl, it does show that the traffic is destined for the new vlan. It just doesn't get there.
Nat exemption is correct, routing is correct, acls are correct.
So the anomily is the catos config weirdness. The criteria for the addition of a vlan to the fwsm is that 1) it isn't on the msfc, which it isn't. 2) It isn't reserved, which it isn't 3) It is attached to a port, which it is.
Any ideas what is causing this?
I have a FWSM inside a 6500 running hybrid CatOS / IOS.
I need to add a new VLAN to the fwsm. I have created the vlan in catos:
set vlan 20 name DMZ type ethernet mtu 1500 said 100020 state active
I have added it to a trunk:
set trunk 4/13 on dot1q 20
And given it to the firewall:
set vlan 20 firewall-vlan 13
All of this is the same for another bunch of vlans given to the firewall. However, if I do this:
>sh vlan firewall-vlan 13
Secured vlans by firewall module 13 :
10-11,13,20-21,80,95,129-1
Vlan 20 is present as a secured vlan.
However, sh config shows:
set vlan 10-11,80,95,129-130,900-90
No mention of vlan 20 (or 13, or 21, other vlans I used to confirm the behaviour was consistant).
On the fwsm side, vlan20 is up, and I can add config to it. I can put things in vlan20 and ping them from the fwsm. So despite the above config looking weird, layer 2 does seem to be in place.
However, if I try and ping something on the new vlan from the inside interface, it doesn't get there.
There aren't any errors in the logs of the fwsm, but if I log the rule that permits the traffic on the inside acl, it does show that the traffic is destined for the new vlan. It just doesn't get there.
Nat exemption is correct, routing is correct, acls are correct.
So the anomily is the catos config weirdness. The criteria for the addition of a vlan to the fwsm is that 1) it isn't on the msfc, which it isn't. 2) It isn't reserved, which it isn't 3) It is attached to a port, which it is.
Any ideas what is causing this?
ASKER
This is on the CatOs part of the system, so there is no "we mem", and "sh config" is equivalent to "sh run".
Right, I forgot, its been a little while since I last used catos, seriously, it does not sound right, what about the version of code you are using? You definitely did the correct steps. I would open a TAC case and search teh version of code you are using against know bugs.
harbor235 ;}
ASKER
It isn't a new version of code, but I can't consider recommending an upgrade to a core and critical device without a diagnosis.
The cisco knowledgebase doesn't help, and TAC is a last resort - the support path I need to follow seems to be designed to make it difficult to log a call.
I'll wait and see if anyone has any suggestions.
The cisco knowledgebase doesn't help, and TAC is a last resort - the support path I need to follow seems to be designed to make it difficult to log a call.
I'll wait and see if anyone has any suggestions.
What does "sh vlan 20" output?
harbor235 ;}
ASKER
Nothing unusual - other than different ports, this is the same output as vlans that work fine.
In fact, we switched to one of the vlans that appear in the sh firewall-vlan output that wasn't being used, and the problem with forwarding traffic wasn't present.
So not appearing the sh firewall-vlan list seems to indicate that there is a problem somewhere.
The fwsm licence is for 256 interfaces by the way, and using about 10.
In fact, we switched to one of the vlans that appear in the sh firewall-vlan output that wasn't being used, and the problem with forwarding traffic wasn't present.
So not appearing the sh firewall-vlan list seems to indicate that there is a problem somewhere.
The fwsm licence is for 256 interfaces by the way, and using about 10.
> (enable) sh vlan 20
VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
20 DMZ active 264 4/13-16
5/13-16
13/1-4
15/1
16/1
VLAN Type SAID MTU Parent RingNo BrdgNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
20 enet 100020 1500 - - - - - 0 0
VLAN MISTP-Inst DynCreated RSPAN
---- ---------- ---------- --------
20 - static disabled
Did you add the vlan to the FWSM first before completing the work on the switch? Vlan guidelines for the FWSM state they should be added to the switch first. If so is it possible to remove the vlan and start over?
harbor235 ;}
ASKER
The vlan was added to the switch first, on all occasions.
Got me stumped, it's not a license issue, it must be a bug. I would love to hear the outcome of this one
It's hard not seeing the configs of both devices though.
Good luck to you,
harbor235 ;}
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
did you issue the "show startup-config" instead off the "show config" command?
make sure you "wr mem" it
harbor235 ;}