Cisco Firewall Product Line

Unanswered Question
Sep 20th, 2009

Hi:

I am looking for a firewall solution that can provide 5-Gbps of IPSec 3DES traffic processing.

The highest of the ASA product line (5580) can handle a maximum of 1-Gbps. I think the reason for this is that, in Cisco's view, the ASA is an enterprise-level appliance. That is also probably why it only supports AC power.

What product line should service providers look for to provide at least 5-Gbps of 3DES traffic and DC power support?

Thanks

Victor

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
Lucien Avramov Sun, 09/20/2009 - 00:51

The FWSM module in CAT6k provides you 5.5 GBPS:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html

CAT6k can run of AC or DC or mixed powers:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfa8.shtml#power_red

ASA 5540 is Up to 1.2 Gbps throughput and BTW there is a DC power supply for ASA, not sure what you are referring to that says it does not. The part number is: ASA-180W-PWR-DC

lamav Sun, 09/20/2009 - 00:56

Hi:

Thanks.

The FWSM supports up to 5.5 Gbps of clear text, not IPSec. I dont see the IPSec spec on that data sheet.

Would have to check out the DC power thing. It was a Cisco SE who told me the ASA doesnt support DC.

Giuseppe Larosa Sun, 09/20/2009 - 00:57

Hello Victor,

we have recently installed a pair of ASA 5580-40 that have 10Ge interfaces and should be able to process 5 Gbps of traffic.

see

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

We had a major issue with a bug but it has been solved.

Our experience with FWSM is that they don't support really 5 Gbps so we have used failover groups putting different contexts in different failover groups and making FSWM1 active for group1 and FWSM2 active for group2

( a FWSM pair on two C6500 chassis)

Hope to help

Giuseppe

lamav Sun, 09/20/2009 - 01:03

Hi, Giueseppe:

The 10G specification is for clear text throughput. The spec right below that shows Max VPN throughput. Its 1Gbps.

lamav Sun, 09/20/2009 - 01:13

You mentioned the FWSM and that it supports 5 Gbps. Thats clear text, not IPSec. Im asking about IPSec throughput.

[Edit] Now that you edited your response to include the VPNSM, I will edit mine to say that I will look that up. [EDIT] :-)

Thanks

Lucien Avramov Sun, 09/20/2009 - 01:15

Check my answer: I refer you to the VPNSM module for the IPSEC portion:

Check out the VPNSM blade that can be added to the FWSM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4221/index.html

The solution you are looking for could be met with a couple of VPNSM modules.

It's very unusual to look for such high rates of IPSEC traffic. Maybe the design should be reviewed and split into a couple of devices.

lamav Sun, 09/20/2009 - 01:18

The problem is that the client runs a Juniper shop, and the Juniper srx-3400 supports up to 10Gbps of IPSec. So a Cisco solution would have to support at least half of that, according to client specs.

Lucien Avramov Sun, 09/20/2009 - 01:23

For now we support up to 8-80 Gbps on a cat6k switch. Check out that last doc I referred where there is also the ASR1k.

80 GBPS will be with a chassis fully loaded of vpn modules, but technically it's achievable. That will be 8 times that juniper device.

It will boil down to cost, and design. The solution exists.

Giuseppe Larosa Sun, 09/20/2009 - 01:25

hello Victor,

sorry I overlooked the table.

if the device has to act as IPSec VPN concentrator you could consider ASR 1006 with ESP 20

a pair of devices should be able to deliver 5 Gbps ipsec each,

see

http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9343/data_sheet_c78-450070.html

Of course VPNSM suggested by Lucien can be attractive if you deploy two C6500 boxes and you need other services / service modules.

Hope to help

Giuseppe

Actions

This Discussion