Solved

FWSM VLAN Doesn't Appear / Work

Posted on 2009-05-04
10
720 Views
Last Modified: 2012-05-06
Hello,

I have a FWSM inside a 6500 running hybrid CatOS / IOS.

I need to add a new VLAN to the fwsm.  I have created the vlan in catos:

  set vlan 20 name DMZ type ethernet mtu 1500 said 100020 state active

I have added it to a trunk:

  set trunk 4/13 on dot1q 20

And given it to the firewall:

  set vlan 20 firewall-vlan 13

All of this is the same for another bunch of vlans given to the firewall.  However, if I do this:

  >sh vlan firewall-vlan 13
  Secured vlans by firewall module 13 :
  10-11,13,20-21,80,95,129-130,900-902

Vlan 20 is present as a secured vlan.

However, sh config shows:
  set vlan 10-11,80,95,129-130,900-902 firewall-vlan 13

No mention of vlan 20 (or 13, or 21, other vlans I used to confirm the behaviour was consistant).

On the fwsm side, vlan20 is up, and I can add config to it.  I can put things in vlan20 and ping them from the fwsm.  So despite the above config looking weird, layer 2 does seem to be in place.

However, if I try and ping something on the new vlan from the inside interface, it doesn't get there.

There aren't any errors in the logs of the fwsm, but if I log the rule that permits the traffic on the inside acl, it does show that the traffic is destined for the new vlan.  It just doesn't get there.

Nat exemption is correct, routing is correct, acls are correct.

So the anomily is the catos config weirdness.  The criteria for the addition of a vlan to the fwsm is that 1) it isn't on the msfc, which it isn't.  2) It isn't reserved, which it isn't 3) It is attached to a port, which it is.

Any ideas what is causing this?

0
Comment
Question by:muff
  • 5
  • 5
10 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 24307168


did you issue the "show startup-config" instead off the "show config" command?

make sure you "wr mem" it

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24310083
This is on the CatOs part of the system, so there is no "we mem", and "sh config" is equivalent to "sh run".
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24310459


Right, I forgot, its been a little while since I last used catos, seriously, it does not sound right, what about the version of code you are using?  You definitely did the correct steps. I would open a TAC case and search teh version of code you are using against know bugs.

harbor235 ;}
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 9

Author Comment

by:muff
ID: 24314974
It isn't a new version of code, but I can't consider recommending an upgrade to a core and critical device without a diagnosis.

The cisco knowledgebase doesn't help, and TAC is a last resort - the support path I need to follow seems to be designed to make it difficult to log a call.

I'll wait and see if anyone has any suggestions.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24315846

What does "sh vlan 20" output?

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24315965
Nothing unusual - other than different ports, this is the same output as vlans that work fine.

In fact, we switched to one of the vlans that appear in the sh firewall-vlan output that wasn't being used, and the problem with forwarding traffic wasn't present.

So not appearing the sh firewall-vlan list seems to indicate that there is a problem somewhere.

The fwsm licence is for 256 interfaces by the way, and using about 10.

> (enable) sh vlan 20
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
20   DMZ                              active    264     4/13-16
                                                        5/13-16
                                                        13/1-4
                                                        15/1
                                                        16/1
 
 
VLAN Type  SAID       MTU   Parent RingNo BrdgNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ ------ ---- -------- ------ ------
20   enet  100020     1500  -      -      -      -    -        0      0
 
 
VLAN MISTP-Inst DynCreated  RSPAN
---- ---------- ---------- --------
20   -          static     disabled

Open in new window

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24316150


Did you add the vlan to the FWSM first before completing the work on the switch? Vlan guidelines for the FWSM state they should be added to the switch first. If so is it possible to remove the vlan and start over?

harbor235 ;}
0
 
LVL 9

Author Comment

by:muff
ID: 24321102

The vlan was added to the switch first, on all occasions.

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24321322

Got me stumped, it's not a license issue, it must be a bug. I would love to hear the outcome of this one
It's hard not seeing the configs of both devices though.

Good luck to you,

harbor235 ;}
0
 
LVL 9

Accepted Solution

by:
muff earned 0 total points
ID: 25791693
This problem was never solved.  Instead, an already defined but unused vlan was usurped for this service.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

806 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question