We have an Internet Portal in place for some 2+ years based on a redundant
set of 6500 switches with sup720s, IDS-SM, NAM, FWSM, switch blades. We
also use the FWSM to create isolated non-production development/test/QA
areas. We also have PIX and ASA firewalls.

Would we use FWSM again? Not likely. We spent a great deal of time
finding a stable version of software for both SUP720 and FWSM. The
problems we have experienced may no longer exist in current code releases.

But the FWSM is very compelling, yet it has to meet your requirements.
You asked for a comparison, and others have responded with some
points. These are more on the design.

Chassis versus standalone:
FWSM 'interface' is a set of virtual gigabit interfaces bound into a
single GEC (gigabit ether channel). Packets are 'load balanced' over
these. You work with vlans, not interfaces.
ASA top model supports (8) gig interfaces, but ether channel still
does not appear to be supported. Not a big deal, as the top ASA only
supports up to 1.2gbs throughput.
FWSM uses the shared bus of the chassis, not the switched bus. Thus
the SUP32 and SUP720 modules are supported.
Or less desirable, as your switched bus cards still have to send
traffic over the shared bus for the FWSM.
With externally connected firewalls, you save a chassis slot for
another (48) port switch card, or some other special purpose module.

There is another interesting design "feature" of the FWSM: it uses
ONE MAC address per module. Thus all layer 3 interfaces, across all
virtual firewalls, share this MAC. This precludes some designs that would
share a vlan.

Capabilities: there are dozens of comparison points; my top 5 are:
FWSM vs ASA5500
1: FWSM 5gbs over ASA 1.2gbs
2: flexible vlans, FWSM over ASA.
3: FWSM support for more ACLs, vlans, connections over ASA.
4: ASA for VPNs, not possible with FWSM.
5: ASA uses (8) network ports versus the FWSM usage of a slot.

Hope this helps.

Duncan Sharp

Security Guy wrote:

>As Avishai said, the FWSM is just a firewall, no VPN or IDS support at
>all (those are different modules).
>If you can do without the features, you still have to consider cost:
>the last time I looked at FWSMs they were in the 20k USD range.
>The main thing you get with FWSM is performance (supposedly about
>6gb/s, limited by the 6-gb etherchannel it takes from the backplane)
>tied directly to your core switch/router, if that's what you're
>looking for.
>On 4/12/07, Kimberly Fields wrote:
>>Can anyone tell me what, if any, are the differences between the Cisco ASA
>>firewall features and the Cisco FWSM firewall features?
firewall-wizards mailing list