Firewall Wizards mailing list archives
Re: Cisco ASA and FWSM
From: D Sharp <drsharp () pacbell net>
Date: Sat, 28 Apr 2007 14:23:43 -0700
Hi;

We have an Internet portal in place for some 2+ years based on a redundant set of 6500 switches with sup720s, IDS-SM, NAM, FWSM, switch blades. We also use the FWSM to create isolated non-production development/test/QA areas. We also have PIX and ASA firewalls.

Would we use FWSM again? Not likely. We spent a great deal of time finding a stable version of software for both SUP720 and FWSM. The problems we have experienced may no longer exist in current code releases. But the FWSM is very compelling, yet it has to meet your requirements.

You asked for a comparison, and others have responded with some points. These are more on the design.

Chassis versus standalone:

FWSM 'interface' is a set of virtual gigabit intfs. bound into a single GEC (gigabit ether channel). Packets are 'load balanced' over these. You work with vlans, not interfaces. ASA top model supports (8) gig interfaces, but ether channel still does not appear to be supported. Not a big deal as the top ASA only supports up to 1.2gbs throughput.

FWSM uses the shared bus of the chassis, not the switched bus. Thus the SUP32 and SUP720 modules are supported. Or less desirable, as your switched bus cards still have to send traffic over the shared bus for the FWSM.

With externally connected firewalls, you save a chassis slot for another (48) port switch card, or some other special purpose module.

There is another interesting design "feature" of the FWSM, it uses ONE MAC address per module. Thus all interfaces, layer 3, across all virtual firewalls share this MAC. This precludes some designs that would share a vlan.

Capabilities, there are dozens of comparison points, my top 5 are:

FWSM vs ASA5500
1: FWSM 5gbs over ASA 1.2gbs
2: flexible vlans, FWSM over ASA.
3: FWSM support for more ACLs, vlans, connections over ASA.
4: ASA for VPNs, not possible with FWSM.
5: ASA uses (8) network ports versus the FWSM usage of a slot.

Hope this helps.

Yours,
Duncan Sharp

Security Guy wrote:
As Avishai said, the FWSM is just a firewall, no VPN or IDS support at all (those are different modules ;)

If you can do without the features, you still have to consider cost: the last time I looked at FWSMs they were in the 20k USD range..

The main thing you get with FWSM is performance (supposedly about 6gb/s limited by the 6-gb etherchannel it takes from the backplane) tied directly to your core switch/router, if that's what you're looking for.

On 4/12/07, Kimberly Fields <kimberlymfields () gmail com> wrote:

Can anyone tell me what, if any, are the differences between the Cisco ASA firewall features and the Cisco FWSM firewall features?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Cisco ASA and FWSM Kimberly Fields (Apr 24)
- Re: Cisco ASA and FWSM Avishai Wool (Apr 26)
- Message not available
- Re: Cisco ASA and FWSM Douglas C. Stephens (Apr 26)
- Message not available
- Re: Cisco ASA and FWSM kevin horvath (Apr 27)
- Re: Cisco ASA and FWSM Avishai Wool (Apr 26)
- Re: Cisco ASA and FWSM Security Guy (Apr 26)
- Re: Cisco ASA and FWSM D Sharp (Apr 30)
- Re: Cisco ASA and FWSM kluivert (Apr 30)