Re: [fw-wiz] Cisco ASA and FWSM - Firewalls

On Sat, 28 Apr 2007 14:23:43 -0700, D Sharp wrote:
> We have an Internet Portal in place for some 2+ years based on a
> redundant set of 6500 switches with sup720s, IDS-SM, NAM, FWSM,
> switch blades. We also use the FWSM to create isolated non-production
> development/test/QA areas. We also have PIX and ASA firewalls.
> Would we use FWSM again, not likely. We spent a great deal of time
> finding a stable version of software for both SUP720 and FWSM. The
> problems we have experienced may no longer exist in current code.
> But the FWSM is very compelling, yet it has to meet your
> requirements. You asked for a comparison, and as others have
> responded with some points. These are more on the design.
> Chassis versus standalone:
> FWSM 'interface' is a set of virtual gigabit intfs. bound into a
> single GEC (gigabit ether channel). Packets are 'load balanced' over
> these. You work with vlans, not interfaces.
> ASA top model supports (8) gig interfaces, but ether channel
> still does not appear to be supported. Not a big deal as the top ASA
> only supports up to 1.2gbs throughput.
yeah, and for the ASA-5520 (e.g.) they share one single interrupt.
worst hardware design ever.
> FWSM uses the shared bus of the chassis, not the switched bus.
> Thus the SUP32 and SUP720 modules are supported.
> Or less desirable, as your switched bus cards still have to send
> traffic over the shared bus for the FWSM.
> With externally connected firewalls, you save a chassis slot for
> another (48) port switch card, or some other special purpose module.
> There is another interesting design "feature" of the FWSM, it
> uses ONE MAC address per module. Thus all interfaces, layer 3, across
> all virtual firewalls share this MAC. This precludes some designs
> that would share a vlan.
> Capabilities, there are dozens of comparison points, my top 5 are:
> FWSM vs ASA5500
> 1: FWSM 5gbs over ASA 1.2gbs
> 2: flexible vlans, FWSM over ASA.
> 3: FWSM support for more ACLs, vlans, connections over ASA.
> 4: ASA for VPNs, not possible with FWSM.
> 5: ASA uses (8) network ports versus the FWSM usage of a slot.
> Hope this helps.
> Duncan Sharp
> Security Guy wrote:
> >As Avishai said, the FWSM is just a firewall, no VPN or IDS support
> >at all (those are different modules).
> >If you can do without the features, you still have to consider cost:
> >the last time I looked at FWSMs they were in the 20k USD range..
> >The main thing you get with FWSM is performance (supposedly about
> >6gb/s limited by the 6-gb etherchannel it takes from the backplane)
> >tied directly to your core switch/router, if that's what you're
> >looking for.
> >On 4/12/07, Kimberly Fields
> >>Can anyone tell me what, if any, are the differences between the
> >>Cisco ASA firewall features and the Cisco FWSM firewall features?
> >>firewall-wizards mailing list