Hi,
You must push the vlan-group that contains VLAN 410 to the svclc
module (already in the firewall module). To achieve this task, you have
two ways:
- Push vlan-group 1 to svclc by using "svclc module 4 vlan-group 1".
In this case, all of the existing VLANs in vlan-group 1 will also be
propagated to the ACE.
- Create a new vlan-group, place VLAN 410 in this vlan-group and
link this vlan to both modules. In this case, an interruption of
traffic for VLAN 410 is a risk.
So, anyway, with this type of operation, it would be better to plan
a maintenance.
Viet
On 08/10/2012 11:41 AM, Sirhan Khan wrote:
> Guys
>
> I would like to accomplish the following packet flow, [ 6509 >FWSM > Cisco
> ACE Module > Server ]. What should my configuration be in order to have
> VLAN 410 shared between module 4 (ACE LB) and module 1 (FWSM)? This is a
> live environment and I have never done a configuration of this sort with
> this many vlans. I am concerned about the impact to other clients (vlans) on
> this 6509.
>
> I require Vlan 410 to reside on both the FWSM and CISCO ACE LB, my current
> configuration is as follows:
>
> ndcbbnpendc0101#show run | i svc
>
> svclc multiple-vlan-interfaces
>
> svclc module 4 vlan-group 110
>
> svclc vlan-group 110
> 9,14,72,110,115,185,189,210,211,221,223-225,281,305,356
>
> svclc vlan-group 110 385,387
>
> ndcbbnpendc0101#show run | i firewall
>
> firewall multiple-vlan-interfaces
>
> firewall module 1 vlan-group 1
>
> firewall vlan-group 1
> 3,10-13,15,17,20-22,30,34,79-81,84,90-94,98-103,105-108
>
> firewall vlan-group 1
> 122,123,150,186-188,192,200-203,205,207,209,226,229,238
>
> firewall vlan-group 1
> 239,250-256,282-288,298-304,306-312,314,316-321,323,328
>
> firewall vlan-group 1
> 330,331,350,400,401,408,410,415,417-421,423-426,428-435
>
> firewall vlan-group 1
> 441,450-452,499-502,505,506,510-517,519,523,524,532,537
>
> firewall vlan-group 1 540,599-620,631,633,725,909,1192,1209,2077,2079
>
> firewall vlan-group 1 2100-2102
>
>
>
> *Cisco documentation states the following:*
>
> *Figure 5.* VLANs Shared Between Cisco Catalyst 6500 Series MSFC, Cisco
> Firewall Services Module, and Cisco ACE Module
>
> [image:
> http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/images/White_Paper_Cisco_Application_Control_Engine_A_Technical_Overview_of_Virtual_Partitioning-05.jpg]
>
> VLAN Names            | Common names for Data Center VLANs | VLAN ID
> Internet Facing VLAN  | FWSM outside                       | VLAN 10
> DMZ VLAN              | FWSM inside                        | VLAN 20
> DMZ VLAN              | Cisco ACE client VLAN              | VLAN 20
> Private VLAN          | Cisco ACE server VLAN              | VLAN 30
>
> In this example intuitively VLANs 10 and 20 need to be allocated to the
> FWSM and VLANs 20 and 30 allocated to the Cisco ACE module. Due to the VLAN
> group constraint, an additional VLAN group must be allocated for the shared
> VLAN between the FWSM and Cisco ACE modules.
>
> svclc multiple-vlan-interfaces
>
> firewall module 1 vlan-group 3
>
> firewall module 1 vlan-group 5
>
> svclc module 2 vlan-group 5
>
> svclc module 2 vlan-group 7
>
> firewall vlan-group 3 10
>
> firewall vlan-group 5 20
>
> svclc vlan-group 7 30
>
> Notice either firewall or svclc commands can be used to define a VLAN
> group. However, the firewall command must be used to allocate VLAN groups
> to a FWSM, and the svclc command must be used to allocate VLAN groups to a
> Cisco ACE module. Once VLANs have been allocated to the module, the process
> of virtualization and resource allocation can begin.
>
> Each Cisco ACE module has a single virtual partition, created by default,
> which is known as the Admin virtual partition. This partition is a member
> of the default resource class. The default resource class has no defined
> minimal resources, and is permitted to use any available resources. All
> VLANs allocated to the module are accessible in the Admin virtual
> partition. These default settings allow the Admin virtual partition to be
> used when operating the Cisco ACE module in a traditional single-use and
> single-purpose design.
>
> In a virtualized configuration the Admin virtual partition is used to
> create new virtual partitions and dedicate client and server VLAN traffic
> to the appropriate virtual partitions (Figure 6). This way you can deploy
> the Cisco ACE module in a single-use design and then add new virtual
> partitions as needed.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Aug 13 2012 - 17:52:42 ART
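
The two options in the reply differ in how many VLANs the ACE module ends up seeing. The following is an added example, not part of the thread or of Cisco's documentation: it parses an abridged copy of the quoted "show run" output (including VLAN lists wrapped onto their own line) and reports which VLANs module 4 would gain beyond VLAN 410 if vlan-group 1 were pushed to it. All function names are hypothetical.

```python
import re

# Abridged from the "show run" output quoted in the thread (not the full config).
SHOW_RUN = """\
svclc multiple-vlan-interfaces
svclc module 4 vlan-group 110
svclc vlan-group 110
9,14,72,110,115,185,189,210,211,221,223-225,281,305,356
svclc vlan-group 110 385,387
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1
330,331,350,400,401,408,410,415,417-421,423-426,428-435
firewall vlan-group 1 2100-2102
"""

def expand(spec):
    """Turn '9,14,223-225' into {9, 14, 223, 224, 225}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse(text):
    """Return (groups, modules): group id -> VLANs, (kind, slot) -> group ids."""
    groups, modules, pending = {}, {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := re.fullmatch(r"(firewall|svclc) module (\d+) vlan-group ([\d,-]+)", line):
            modules.setdefault((m[1], int(m[2])), set()).update(expand(m[3]))
        elif m := re.fullmatch(r"(?:firewall|svclc) vlan-group (\d+)(?:\s+([\d,-]+))?", line):
            pending = int(m[1])
            groups.setdefault(pending, set()).update(expand(m[2]) if m[2] else ())
            if m[2]:
                pending = None
        elif pending is not None and re.fullmatch(r"[\d,-]+", line):
            groups[pending] |= expand(line)  # VLAN list wrapped onto its own line
            pending = None
    return groups, modules

def visible(groups, modules, module):
    """VLANs a module can reach through the vlan-groups assigned to it."""
    return set().union(*(groups.get(g, set()) for g in modules.get(module, ())))

def extra_exposure(groups, modules, module, add_group, needed):
    """VLANs beyond `needed` that `module` gains if `add_group` is pushed to it."""
    return groups[add_group] - visible(groups, modules, module) - needed

if __name__ == "__main__":
    groups, modules = parse(SHOW_RUN)
    extra = extra_exposure(groups, modules, ("svclc", 4), 1, {410})
    print(f"option 1 exposes {len(extra)} VLANs to the ACE besides 410")
```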