Firewall Wizards mailing list archives
Re: Cisco ASA and FWSM
From: Timo Schoeler <timo.schoeler () riscworks net>
Date: Mon, 30 Apr 2007 15:34:51 +0200
On Sat, 28 Apr 2007 14:23:43 -0700 D Sharp <drsharp () pacbell net> wrote:
Hi;

We have an Internet Portal in place for some 2+ years based on a redundant set of 6500 switches with sup720s, IDS-SM, NAM, FWSM, switch blades. We also use the FWSM to create isolated non-production development/test/QA areas. We also have PIX and ASA firewalls.

Would we use FWSM again? Not likely. We spent a great deal of time finding a stable version of software for both SUP720 and FWSM. The problems we have experienced may no longer exist in current code releases. But the FWSM is very compelling, yet it has to meet your requirements.

You asked for a comparison, and others have responded with some points. These are more on the design.

Chassis versus standalone: the FWSM 'interface' is a set of virtual gigabit intfs. bound into a single GEC (gigabit ether channel). Packets are 'load balanced' over these. You work with vlans, not interfaces. The ASA top model supports (8) gig interfaces, but ether channel still does not appear to be supported. Not a big deal, as the top ASA only supports up to 1.2gbs throughput.
Yeah, and on the ASA-5520 (e.g.) they share one single interrupt. Worst hardware design ever.
FWSM uses the shared bus of the chassis, not the switched bus. Thus the SUP32 and SUP720 modules are supported. Or, less desirable, your switched bus cards still have to send traffic over the shared bus for the FWSM. With externally connected firewalls, you save a chassis slot for another (48) port switch card, or some other special purpose module.

There is another interesting design "feature" of the FWSM: it uses ONE MAC address per module. Thus all interfaces, layer 3, across all virtual firewalls share this MAC. This precludes some designs that would share a vlan.

Capabilities: there are dozens of comparison points; my top 5 are, FWSM vs ASA5500:
1: FWSM 5gbs over ASA 1.2gbs
2: flexible vlans, FWSM over ASA.
3: FWSM support for more ACLs, vlans, connections over ASA.
4: ASA for VPNs, not possible with FWSM.
5: ASA uses (8) network ports versus the FWSM usage of a slot.

Hope this helps.

Yours,
Duncan Sharp

Security Guy wrote:
As Avishai said, the FWSM is just a firewall, no VPN or IDS support at all (those are different modules ;) If you can do without the features, you still have to consider cost: the last time I looked at FWSMs they were in the 20k USD range.. The main thing you get with FWSM is performance (supposedly about 6gb/s limited by the 6-gb etherchannel it takes from the backplane) tied directly to your core switch/router, if that's what you're looking for.

On 4/12/07, Kimberly Fields <kimberlymfields () gmail com> wrote:
Can anyone tell me what, if any, are the differences between the Cisco ASA firewall features and the Cisco FWSM firewall features?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
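As an added illustration of the "you work with vlans, not interfaces" point made in the thread (this is not configuration from any of the posters; the slot number, VLAN IDs, interface names and addresses are assumed, and FWSM 3.x-style interface syntax with IOS on the supervisor is shown), the VLANs are created and handed to the module on the supervisor, and the FWSM then addresses those VLANs rather than physical ports. The ASA lines at the end show the same two interfaces on a standalone box for contrast:

```cisco
! --- Catalyst 6500 supervisor (SUP720, IOS) ---
! Assumed: FWSM in slot 4, VLANs 10/20/30 chosen for this example.
vlan 10
 name outside
vlan 20
 name inside
vlan 30
 name dmz
!
! Group the VLANs and hand the group to the module. The FWSM reaches
! them over its internal 6-port gigabit etherchannel; nothing is cabled.
firewall vlan-group 1 10,20,30
firewall module 4 vlan-group 1

! --- FWSM (session slot 4 processor 1), single-context mode ---
! Interfaces are the VLANs, not ports. Every one of these, in every
! security context, answers with the module's single MAC address.
interface vlan 10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface vlan 20
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface vlan 30
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0

! --- ASA 5500 equivalent (standalone, physical ports, own MAC each) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
```

On the supervisor, `show firewall vlan-group` and `show firewall module` confirm which VLANs the module actually received; on the FWSM, `show interface` lists the vlan interfaces and shows them all reporting the same MAC, which is the shared-MAC caveat raised above when two contexts or interfaces would otherwise sit on one VLAN.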
Current thread:
- Re: Cisco ASA and FWSM Timo Schoeler (May 03)
- Re: Cisco ASA and FWSM nick.nauwelaerts (May 09)
- Re: Cisco ASA and FWSM Chuck Swiger (May 09)
- Re: Cisco ASA and FWSM nick.nauwelaerts (May 09)