On Sat, 28 Apr 2007 14:23:43 -0700
D Sharp wrote:

> Hi;
>
> We have an Internet Portal in place for some 2+ years based on a
> redundant set of 6500 switches with sup720s, IDS-SM, NAM, FWSM,
> switch blades. We also use the FWSM to create isolated non-production
> development/test/QA areas. We also have PIX and ASA firewalls.
>
> Would we use FWSM again? Not likely. We spent a great deal of time
> finding a stable version of software for both SUP720 and FWSM. The
> problems we have experienced may no longer exist in current code
> releases.
>
> But the FWSM is very compelling, yet it has to meet your
> requirements. You asked for a comparison, and as others have
> responded with some points. These are more on the design.
>
> Chassis versus standalone:
> FWSM 'interface' is a set of virtual gigabit intfs. bound into a
> single GEC (gigabit ether channel). Packets are 'load balanced' over
> these. You work with vlans, not interfaces.
> ASA top model supports (8) gig interfaces, but ether channel
> still does not appear to be supported. Not a big deal as the top ASA
> only supports up to 1.2gbs throughput.


yeah, and for the ASA-5520 (e.g.) they share one single interrupt.
worst hardware design ever.

> FWSM uses the shared bus of the chassis, not the switched bus.
> Thus the SUP32 and SUP720 modules are supported.
> Or less desirable, as your switched bus cards still have to send
> traffic over the shared bus for the FWSM.
> With externally connected firewalls, you save a chassis slot for
> another (48) port switch card, or some other special purpose module.
>
> There is another interesting design "feature" of the FWSM, it
> uses ONE MAC address per module. Thus all interfaces, layer 3, across
> all virtual firewalls share this MAC. This precludes some designs
> that would share a vlan.
>
> Capabilities, there are dozens of comparison points, my top 5 are:
> FWSM vs ASA5500
> 1: FWSM 5gbs over ASA 1.2gbs
> 2: flexible vlans, FWSM over ASA.
> 3: FWSM support for more ACLs, vlans, connections over ASA.
> 4: ASA for VPNs, not possible with FWSM.
> 5: ASA uses (8) network ports versus the FWSM usage of a slot.
>
> Hope this helps.
>
> Yours,
> Duncan Sharp
>
> Security Guy wrote:
>
> >As Avishai said, the FWSM is just a firewall, no VPN or IDS support
> >at all (those are different modules).
> >
> >If you can do without the features, you still have to consider cost:
> >the last time I looked at FWSMs they were in the 20k USD range..
> >
> >The main thing you get with FWSM is performance (supposedly about
> >6gb/s limited by the 6-gb etherchannel it takes from the backplane)
> >tied directly to your core switch/router, if that's what you're
> >looking for.
> >
> >On 4/12/07, Kimberly Fields wrote:
> >
> >>Can anyone tell me what, if any, are the differences between the
> >>Cisco ASA firewall features and the Cisco FWSM firewall features?
> >>
> >>_______________________________________________
> >>firewall-wizards mailing list
> >>firewall-wizards@listserv.icsalabs.com
> >>https://listserv.icsalabs.com/mailma...rewall-wizards

