I have a FWSM inside a 6500 running hybrid CatOS / IOS.
I need to add a new VLAN to the fwsm. I have created the vlan in catos:
set vlan 20 name DMZ type ethernet mtu 1500 said 100020 state active
I have added it to a trunk:
set trunk 4/13 on dot1q 20
And given it to the firewall:
set vlan 20 firewall-vlan 13
All of this is the same for another bunch of vlans given to the firewall. However, if I do this:
>sh vlan firewall-vlan 13
Secured vlans by firewall module 13 :
Vlan 20 is present as a secured vlan.
However, sh config shows:
set vlan 10-11,80,95,129-130,900-902 firewall-vlan 13
No mention of vlan 20 (or 13, or 21, other vlans I used to confirm the behaviour was consistent).
On the fwsm side, vlan20 is up, and I can add config to it. I can put things in vlan20 and ping them from the fwsm. So despite the above config looking weird, layer 2 does seem to be in place.
However, if I try and ping something on the new vlan from the inside interface, it doesn't get there.
There aren't any errors in the logs of the fwsm, but if I log the rule that permits the traffic on the inside acl, it does show that the traffic is destined for the new vlan. It just doesn't get there.
Nat exemption is correct, routing is correct, acls are correct.
So the anomaly is the catos config weirdness. The criteria for the addition of a vlan to the fwsm are that 1) it isn't on the msfc, which it isn't. 2) It isn't reserved, which it isn't 3) It is attached to a port, which it is.
Any ideas what is causing this?
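The discrepancy in the question (a VLAN reported live by "sh vlan firewall-vlan 13" but absent from the "set vlan ... firewall-vlan 13" line in "sh config") is exactly the kind of drift between runtime state and saved configuration that is worth checking mechanically before trusting the firewall's VLAN assignments. The script below is an added example, not part of the original post and not Cisco tooling: it expands CatOS VLAN range lists, extracts the firewall-vlan assignment for a given module from saved config text, and reports VLANs that are live but not persisted. The sample captures are constructed from the values quoted in the question, and the layout assumed for the "show vlan firewall-vlan" body (a header line followed by one or more lines of comma-separated VLAN ranges) is an assumption, not a verified copy of CatOS output.

```python
import re
from typing import List, Set

# Constructed sample of the relevant 'show config' line, using the VLAN
# numbers quoted in the question (not a real capture).
SAMPLE_CONFIG = """\
set vlan 10-11,80,95,129-130,900-902 firewall-vlan 13
"""

# Constructed sample of 'show vlan firewall-vlan 13'. The body layout
# (header, then lines of VLAN ranges) is an assumption about the format.
SAMPLE_SHOW = """\
Secured vlans by firewall module 13 :
10-11,20,80,95,129-130,900-902
"""


def expand_vlan_ranges(spec: str) -> Set[int]:
    """Expand a CatOS VLAN list such as '10-11,80,95,129-130' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


# Matches the saved assignment line: 'set vlan <list> firewall-vlan <module>'
_FW_VLAN_LINE = re.compile(r"^set vlan\s+([\d,\-]+)\s+firewall-vlan\s+(\d+)\s*$", re.M)

# A body line of the show output: only digits, commas, dashes and whitespace
_VLAN_LIST_LINE = re.compile(r"^[\d,\-\s]+$")


def saved_firewall_vlans(config_text: str, module: int) -> Set[int]:
    """VLANs the saved configuration assigns to the given firewall module."""
    result: Set[int] = set()
    for spec, mod in _FW_VLAN_LINE.findall(config_text):
        if int(mod) == module:
            result |= expand_vlan_ranges(spec)
    return result


def live_firewall_vlans(show_output: str) -> Set[int]:
    """VLANs reported as secured in the 'show vlan firewall-vlan' output.

    Assumes (hypothetically) that every line after the header which consists
    only of a VLAN range list is part of the secured-VLAN list.
    """
    result: Set[int] = set()
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped and _VLAN_LIST_LINE.match(stripped):
            result |= expand_vlan_ranges(stripped)
    return result


def unsaved_firewall_vlans(show_output: str, config_text: str, module: int) -> List[int]:
    """VLANs live on the firewall module that the saved config does not record.

    A non-empty result means the running state and the saved configuration
    disagree, which is the symptom described in the question.
    """
    live = live_firewall_vlans(show_output)
    saved = saved_firewall_vlans(config_text, module)
    return sorted(live - saved)


if __name__ == "__main__":
    drift = unsaved_firewall_vlans(SAMPLE_SHOW, SAMPLE_CONFIG, 13)
    if drift:
        print(f"live on module 13 but not in saved config: {drift}")
    else:
        print("saved config and live state agree")
```

Run it against real captures by pasting the output of "sh config" and "sh vlan firewall-vlan <module>" into the two sample strings; if the reported list is non-empty after a "write memory", the persisted assignment is the thing to investigate rather than the FWSM-side ACLs, NAT or routing.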