6513 Firewall module

Unanswered Question
May 22nd, 2008

We are going to replace our external PIX 525 pair soon, along with our IPS. We are looking at the 6513 internal firewall and IPS module vs an external ASA and IPS.

What are the pros and cons of going each route? Some have stated to keep options open and keep the FW and IPS separate. Wouldn't the internal modules give greater flexibility in their use within your network? We are a small campus using the 6513 as our core routing switch.

Craig

Rajat Chauhan Thu, 06/05/2008 - 22:57

Hi Craig,

I can suggest you go for FWSM and IDSM2.

Lots of pros, and might be a few cons here.

You get high bandwidth connectivity, lower power consumption, reduced rack space, common management etc. Cons can be too uncommon to occur, like everything going down to the whole chassis going down or power supplies going bad etc.

I think it's a smart decision and the way to go.

HTH

Raj

Jon Marshall Fri, 06/06/2008 - 00:20

Craig

Just to put another point of view. We use the FWSM in our data centres and it has proved to be very good in that scenario. If you are looking to firewall all your VLANs or you need multiple virtual firewalls it is a very good option. And you do get greater flexibility in provisioning DMZs and greater throughput.

However with this increased flexibility/scalability comes a cost. The FWSM/IDS-M modules are significantly more expensive than their standalone counterparts especially as you may be paying for performance/throughput you don't need.

You say you are a small campus environment and this is what makes me think these modules may be overkill in your scenario.

However cost may not be an issue for you or you may have plans for a significant upgrade to your environment. I'm not saying you shouldn't buy these modules, just that there may be other alternatives.

Jon

andrew.butterworth Fri, 06/06/2008 - 02:05

Something else to add to the mix here is that the FWSM doesn't support VPNs, whereas the ASA (& PIX) do. If you are intending to use the Firewall to support VPN clients or remote site VPNs then this isn't possible with the FWSM and you would need to get another device to perform this function.

Andy

cef2lion2 Fri, 06/06/2008 - 06:09

Thanks for all the input. Leaning towards the internal module if funds permit.

Craig

cef2lion2 Wed, 06/18/2008 - 06:23

We are going to order the firewall services module as well as the IDSM-2 module. I have a question. The quote contains IOS advanced IP services. We currently run IP services only on the 6513 with the 720 SUP. All of our routing is static. Is the advanced IP services a requirement for one or both of these modules we are purchasing?

Craig

timflynn Thu, 06/19/2008 - 07:32

Ask your Cisco sales person (or VAR) about the future of the FWSM and the IDSM-2's. I've heard from various sources that it may soon be discontinued, especially the IDSM-2.

cef2lion2 Thu, 06/19/2008 - 07:40

I have a message in to our Cisco sales person about this now.

Craig

cef2lion2 Fri, 06/20/2008 - 04:43

I talked to our Cisco sales rep. We are having a conference call on the matter. He said the modules have not reached end of life as yet. The one we need to talk about is the IDSM-2. He said one option is to go FWSM and external IPS. The way things sound I'm inclined to go external ASA with IPS module.

Craig

This Discussion

Posted May 22, 2008 at 11:56 AM