Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1100
Views
15
Helpful
14
Replies

Cisco Firewall Product Line

lamav
Level 8
Level 8

‎09-20-2009 12:36 AM - edited ‎03-06-2019 07:48 AM

Hi:

I am looking for a firewall solution that can provide 5-Gbps of IPSec 3DES traffic processing.

The highest of the ASA product line (5580) can handle a maximum of 1-Gbps. I think the reason for this is that, in Cisco's view, the ASA is an enterprise-level appliance. That is also probably why it only supports AC power.

What product line should service providers look for to provide at least 5-Gbps of 3DES traffic and DC power support?

Thanks

Victor

Labels:
0 Helpful
14 Replies 14

Lucien Avramov
Level 10
Level 10

‎09-20-2009 12:51 AM

The FWSM module in CAT6k provides you 5.5 GBPS:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html

CAT6k can run of AC or DC or mixed powers:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfa8.shtml#power_red

ASA 5540 is Up to 1.2 Gbps throughput and BTW there is a DC power supply for ASA, not sure what you are referring to that says it does not. The part number is: ASA-180W-PWR-DC

0 Helpful

lamav
Level 8
Level 8
In response to Lucien Avramov

‎09-20-2009 12:56 AM

Hi:

Thanks.

The FWSM supports up to 5.5 Gbps of clear text, not IPSec. I dont see the IPSec spec on that data sheet.

Would have to check out the DC power thing. It was a Cisco SE who told me the ASA doesnt support DC.

0 Helpful

Lucien Avramov
Level 10
Level 10
In response to lamav

‎09-20-2009 01:12 AM

Give to the SE the part number for the DC power ;)

ASA-180W-PWR-DC

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎09-20-2009 12:57 AM

Hello Victor,

we have recently installed a pair of ASA 5580-40 that have 10Ge interfaces and should be able to process 5 Gbps of traffic.

see

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

We had a major issue with a bug but it has been solved.

Our experience with FWSM is that they don't support really 5 Gbps so we have used failover groups putting different contexts in different failover groups and making FSWM1 active for group1 and FWSM2 active for group2

( a FWSM pair on two C6500 chassis)

Hope to help

Giuseppe

0 Helpful

lamav
Level 8
Level 8
In response to Giuseppe Larosa

‎09-20-2009 01:03 AM

Hi, Giueseppe:

The 10G specification is for clear text throughput. The spec right below that shows Max VPN throughput. Its 1Gbps.

0 Helpful

Lucien Avramov
Level 10
Level 10
In response to lamav

‎09-20-2009 01:06 AM

Yes as I said its 1.2 GB on the 5540.

It seems you may more be looking for a VPN module then?

Check out the VPNSM blade that can be added to the FWSM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4221/index.html

0 Helpful

lamav
Level 8
Level 8
In response to Lucien Avramov

‎09-20-2009 01:13 AM

You mentioned the FWSM and that it supports 5 Gbps. Thats clear text, not IPSec. Im asking about IPSec throughput.

[Edit] Now that you edited your response to include the VPNSM, I will edit mine to say that I will look that up. [EDIT] :-)

Thanks

0 Helpful

Lucien Avramov
Level 10
Level 10
In response to lamav

‎09-20-2009 01:15 AM

Check my answer: I refer you to the VPNSM module for the IPSEC portion:

Check out the VPNSM blade that can be added to the FWSM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4221/index.html

The solution you are looking for could be met with a couple of VPNSM modules.

It's very unusual to look for such high rates of IPSEC traffic. Maybe the design should be reviewed and split into a couple of devices.

lamav
Level 8
Level 8
In response to Lucien Avramov

‎09-20-2009 01:18 AM

The problem is that the client runs a Juniper shop, and the Juniper srx-3400 supports up to 10Gbps of IPSec. So a Cisco solution would have to support at least half of that, according to client specs.

0 Helpful

Lucien Avramov
Level 10
Level 10
In response to lamav

‎09-20-2009 01:23 AM

For now we support up to 8-80 Gbps on a cat6k switch. Check out that last doc I referred where there is also the ASR1k.

80 GBPS will be with a chassis fully loaded of vpn modules, but technically it's achievable. That will be 8 times that juniper device.

It will boil down to cost, and design. The solution exists.

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to lamav

‎09-20-2009 01:25 AM

hello Victor,

sorry I overlooked the table.

if the device has to act as IPSec VPN concentrator you could consider ASR 1006 with ESP 20

a pair of devices should be able to deliver 5 Gbps ipsec each,

see

http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9343/data_sheet_c78-450070.html

Of course VPNSM suggested by Lucien can be attractive if you deploy two C6500 boxes and you need other services / service modules.

Hope to help

Giuseppe

lamav
Level 8
Level 8
In response to Giuseppe Larosa

‎09-20-2009 05:07 AM

Thanks, G:

0 Helpful

Lucien Avramov
Level 10
Level 10
In response to lamav

‎09-20-2009 01:19 AM

Also, here is a complete list of our solutions.

May be the ASR 1k could be the answer in your scenario: 7 GBps of throughput.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns710_Networking_Solutions_Brochure.html

Hope this resolves your questions. Good luck choosing the product meeting your requirements.

lamav
Level 8
Level 8
In response to Lucien Avramov

‎09-20-2009 01:21 AM

Thank you, sir.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card