On Sat, 28 Apr 2007 14:23:43 -0700
D Sharp <drsharp@pacbell.net> wrote:
> Hi;
>
> We have an Internet Portal in place for some 2+ years based on a
> redundant set of 6500 switches with sup720s, IDS-SM, NAM, FWSM,
> switch blades. We also use the FWSM to create isolated non-production
> development/test/QA areas. We also have PIX and ASA firewalls.
>
> Would we use FWSM again, not likely. We spent a great deal of time
> finding a stable version of software for both SUP720 and FWSM. The
> problems we have experienced may no longer exist in current code
> releases.
>
> But the FWSM is very compelling, yet it has to meet your
> requirements. You asked for a comparison, and as others have
> responded with some points. These are more on the design.
>
> Chassis versus standalone:
> FWSM 'interface' is a set of virtual gigabit intfs. bound into a
> single GEC (gigabit ether channel). Packets are 'load balanced' over
> these. You work with vlans, not interfaces.
> ASA top model supports (8) gig interfaces, but ether channel
> still does not appear to be supported. Not a big deal as the top ASA
> only supports up to 1.2gbs throughput.
Yeah, and for the ASA-5520 (e.g.) they share one single interrupt.
Worst hardware design ever.
> FWSM uses the shared bus of the chassis, not the switched bus.
> Thus the SUP32 and SUP720 modules are supported.
> Or less desirable, as your switched bus cards still have to send
> traffic over the shared bus for the FWSM.
> With externally connected firewalls, you save a chassis slot for
> another (48) port switch card, or some other special purpose module.
>
> There is another interesting design "feature" of the FWSM, it
> uses ONE MAC address per module. Thus all interfaces, layer 3, across
> all virtual firewalls share this MAC. This precludes some designs
> that would share a vlan.
>
> Capabilities, there are dozens of comparison points, my top 5 are:
> FWSM vs ASA5500
> 1: FWSM 5gbs over ASA 1.2gbs
> 2: flexible vlans, FWSM over ASA.
> 3: FWSM support for more ACLs, vlans, connections over ASA.
> 4: ASA for VPNs, not possible with FWSM.
> 5: ASA uses (8) network ports versus the FWSM usage of a slot.
>
> Hope this helps.
>
> Yours,
> Duncan Sharp
>
> Security Guy wrote:
>
> >As Avishai said, the FWSM is just a firewall, no VPN or IDS support
> >at all (those are different modules ;)
> >
> >If you can do without the features, you still have to consider cost:
> >the last time I looked at FWSMs they were in the 20k USD range..
> >
> >The main thing you get with FWSM is performance (supposedly about
> >6gb/s limited by the 6-gb etherchannel it takes from the backplane)
> >tied directly to your core switch/router, if that's what you're
> >looking for.
> >
> >
> >On 4/12/07, Kimberly Fields <kimberlymfields@gmail.com> wrote:
> >
> >
> >>Can anyone tell me what, if any, are the differences between the
> >>Cisco ASA firewall features and the Cisco FWSM firewall features?
> >>
> >>_______________________________________________
> >>firewall-wizards mailing list
> >>firewall-wizards@listserv.icsalabs.com
> >>https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards