Chapter 11
Configuring VLANs
Configuring VLANs for the Firewall Services Module
Enter the set vlan {vlans} firewall-vlan {mod} command to specify the VLANs that are secured by a
Firewall Services Module (WS-SVC-FWM-1-K9). Enter the show vlan firewall-vlan mod command to
display the VLANs that are secured by the Firewall Services Module.
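To secure a range of VLANs on a Firewall Services Module, these conditions must be satisfied:
1. The port membership must be defined for the VLANs, and the VLANs must be in the active state.
2. The VLANs cannot have a Layer 3 interface in the active state on the MSFC.
3. The VLANs cannot be reserved VLANs.
Note
VLAN 1 cannot be secured to the Firewall Services Module.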
The VLANs that do not satisfy condition number 2 in the list above are discarded from the range of
VLANs that you attempt to secure on the Firewall Services Module.
The VLANs that meet condition number 2 and condition number 3 but do not meet condition number 1
are stored in the supervisor engine database; these VLANs are sent to the Firewall Services Module as
soon as they meet condition number 1.
This example shows how to secure a range of VLANs on a Firewall Services Module:
Console> (enable) set vlan 2-55 firewall-vlan 7
Console> (enable)
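The following Python sketch is an added illustration, not Cisco code or part of the original guide. It models the three conditions and the outcomes described above, so you can see which VLANs in a requested range would be secured at once, held in the supervisor engine database, or dropped. The `Vlan` fields, the `rejected` bucket, the treatment of undefined VLANs as failing condition 1, and the sample state are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Vlan:
    vid: int
    has_ports: bool        # condition 1: port membership defined
    active: bool           # condition 1: VLAN in the active state
    msfc_l3_active: bool   # condition 2: Layer 3 interface active on the MSFC

def parse_range(spec):
    """Expand a VLAN list such as '2-55' or '2-4,10' into sorted IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ids)

def classify(spec, vlans, reserved):
    """Sort each requested VLAN into the outcome the text describes."""
    out = {"secured": [], "pending": [], "discarded": [], "rejected": []}
    for vid in parse_range(spec):
        v = vlans.get(vid)
        if vid == 1 or vid in reserved:
            # VLAN 1 cannot be secured; reserved IDs fail condition 3.
            # The guide does not say how these are reported, so the
            # "rejected" bucket is an assumption of this sketch.
            out["rejected"].append(vid)
        elif v is not None and v.msfc_l3_active:
            out["discarded"].append(vid)   # fails condition 2
        elif v is None or not (v.has_ports and v.active):
            # Meets 2 and 3 but not 1: held until condition 1 is met.
            # Treating an undefined VLAN this way is an assumption.
            out["pending"].append(vid)
        else:
            out["secured"].append(vid)
    return out

# Constructed sample state, not taken from a real switch.
SAMPLE = {
    2: Vlan(2, True, True, False),
    3: Vlan(3, True, True, True),
    4: Vlan(4, False, True, False),
    5: Vlan(5, True, False, False),
}
RESERVED = {6}  # placeholder; the guide does not list the reserved IDs

if __name__ == "__main__":
    print(classify("1-7", SAMPLE, RESERVED))
```

VLANs that end up in any bucket other than `secured` are not behind the Firewall Services Module at that moment, so compare the result with the output of show vlan firewall-vlan mod after the change.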
Enter the set firewall multiple-vlan-interfaces {enable | disable} command to set the multiple VLAN
interface feature for a Firewall Services Module. Disabling the multiple VLAN interface feature sets the
Firewall Services Module to single VLAN interface mode. The multiple VLAN interface feature is disabled
by default. An example is as follows:
Console> (enable) set firewall multiple-vlan-interfaces enable
This command will enable multiple-vlan-interfaces feature for all firewall
modules in the chassis.
It can result in traffic bypassing the firewall module.
Do you want to continue (y/n) [n]? y
multiple-vlan-interfaces feature enabled for firewall module 5.
Console> (enable)
With software release 8.4(1) and later releases, you can enter the set vlan {vlan} firewall-vlan {mod}
msfc-fwsm-interface command to make the specified VLAN the secured interface between the MSFC and
the Firewall Services Module. This command is available only in the single VLAN interface mode and cannot
be entered when multiple VLAN interfaces are enabled. An example is as follows:
Console> (enable) set vlan 3 firewall-vlan 5 msfc-fwsm-interface
Vlan 3 declared as Secure Vlan interface for module 5
Vlan 3 declared secure for firewall module 5
Console> (enable)
Note
For detailed Firewall Services Module configuration information, refer to the Firewall Services Module
documentation at this URL:
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html
OL-8978-04
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7