Cat6500 w/ Sup720 - IOS Firewall Question

Apr 20th, 2007

I need to know if the IOS Firewall processes traffic in hardware or software. I would like to take advantage of the feature, but don't want it to have an impact on performance. Oh, and right now we can't justify the $ for FWSM modules.


Thanks.

Iain Fri, 04/20/2007 - 09:05

Yikes..

I'm assuming this factor causes a great reduction in the feasibility of this feature?!

Amit Singh Fri, 04/20/2007 - 10:14 (Cisco Employee)

IOS Firewall processes traffic in software. I would never recommend running the Cisco IOS firewall on the Sup720, as it can impact the overall performance of the Sup engine. I would recommend using the dedicated hardware FWSM module in the chassis for better performance. I know that $$ will be a little concern here with the FWSM, but the kind of feature set and scalability that is built into the module will justify the $$ value for it. You can create up to 250 virtual firewalls within the same module.

HTH,

-amit singh

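As an added illustration for the point above (not from the thread and not Cisco documentation), here is how a practitioner would confirm on the box that inspection is being handled by the route processor rather than in hardware. It assumes a Sup720 running a classic IOS image that supports CBAC; the rule name FW-INSPECT and the interface Vlan10 are placeholders. The idea is to apply a minimal inspection rule, then compare RP CPU load and inspection session counts with and without the rule under representative traffic.

```cisco
! Added example, not from the thread. Minimal CBAC rule on a routed SVI.
! FW-INSPECT and Vlan10 are assumed placeholder names.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
!
interface Vlan10
 description Inside (assumed)
 ip inspect FW-INSPECT in
!
! Checks. CBAC session state lives on the route processor, so measure RP CPU
! before and after applying the rule, not only hardware forwarding counters.
!
! Top processes by CPU; take a baseline with the rule removed, then re-check.
show processes cpu sorted
!
! CPU trend over the last 60 seconds / 60 minutes / 72 hours.
show processes cpu history
!
! Sessions the RP is currently tracking; a growing table during normal
! traffic confirms the flows are being inspected in software.
show ip inspect session
!
! Aggregate inspection counters and session limits.
show ip inspect statistics
```

If total RP utilization rises in step with the number of inspected sessions while the same traffic was previously forwarded with flat CPU, that is the software-processing cost the reply warns about. Remove the rule from the interface (`no ip inspect FW-INSPECT in`) to return to the baseline.
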
Iain Fri, 04/20/2007 - 10:33

Since you're a Cisco guy, have you heard of any plans to revamp the FWSM? Isn't it based on older PIX-era technology?

When I first heard about the ACE I thought it might be a replacement, but the more I hear, it doesn't sound like the two are very comparable.

Thanks.

lloyd_andrew Fri, 04/20/2007 - 12:45

ACE is an application control module that can provide some firewall functionality.

Some of the pros when compared to FWSM:

- Better scalability overall:
  o 4M total bi-directional connections
  o 1M total NAT translations, 4M with PAT
  o 256K access-list entries
  o Single flow of up to 8 Gbps
  o High-performance inspection engines
- More flexible and powerful inspection of HTTP, SIP (regex)
- Generic Protocol Parsing can make drop decisions
- Role-based access control + domains for management
- Integrated SSL offload capabilities
- SNMPv3 for management

Here are some of the cons when compared to FWSM:

- no common FW GUI (ASDM or CSM)
- Syslogs for ACLs: yes for denies, no for permits
- no dynamic routing
- no multicast routing
- no direct asymmetric routing support
- no Syslogs for deep inspection or other packet drops
- Application inspection limited to HTTP, ICMP, DNS, FTP, RTSP, SIP, H323, SCCP, LDAP
- no AAA for the data plane (only for mgmt)
- NAT config not backward compatible with Cisco firewalls
- no DHCP server (DHCP relay is in there, per context)
- no URL filtering using Websense / N2H2
- no time-based ACLs
- no nested object-groups

Hope that helps.

-lloyd

Please rate posts if they are helpful.
