09-20-2009 12:36 AM - edited 03-06-2019 07:48 AM
Hi:
I am looking for a firewall solution that can provide 5-Gbps of IPSec 3DES traffic processing.
The highest of the ASA product line (5580) can handle a maximum of 1-Gbps. I think the reason for this is that, in Cisco's view, the ASA is an enterprise-level appliance. That is also probably why it only supports AC power.
What product line should service providers look for to provide at least 5-Gbps of 3DES traffic and DC power support?
Thanks
Victor
09-20-2009 12:51 AM
The FWSM module in CAT6k provides you 5.5 GBPS:
CAT6k can run on AC or DC or mixed power:
ASA 5540 is up to 1.2 Gbps throughput, and BTW there is a DC power supply for ASA; not sure what you are referring to that says it does not. The part number is: ASA-180W-PWR-DC
09-20-2009 12:56 AM
Hi:
Thanks.
The FWSM supports up to 5.5 Gbps of clear text, not IPSec. I don't see the IPSec spec on that data sheet.
Would have to check out the DC power thing. It was a Cisco SE who told me the ASA doesn't support DC.
09-20-2009 01:12 AM
Give the SE the part number for the DC power ;)
ASA-180W-PWR-DC
09-20-2009 12:57 AM
Hello Victor,
We have recently installed a pair of ASA 5580-40 that have 10GE interfaces and should be able to process 5 Gbps of traffic.
see
We had a major issue with a bug but it has been solved.
Our experience with FWSM is that they don't really support 5 Gbps, so we have used failover groups, putting different contexts in different failover groups and making FWSM1 active for group1 and FWSM2 active for group2
(a FWSM pair on two C6500 chassis).
Hope to help
Giuseppe
09-20-2009 01:03 AM
Hi, Giuseppe:
The 10G specification is for clear text throughput. The spec right below that shows Max VPN throughput. It's 1 Gbps.
09-20-2009 01:06 AM
Yes, as I said, it's 1.2 GB on the 5540.
It seems you may more be looking for a VPN module then?
Check out the VPNSM blade that can be added to the FWSM:
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4221/index.html
09-20-2009 01:13 AM
You mentioned the FWSM and that it supports 5 Gbps. That's clear text, not IPSec. I'm asking about IPSec throughput.
[Edit] Now that you edited your response to include the VPNSM, I will edit mine to say that I will look that up. [EDIT] :-)
Thanks
09-20-2009 01:15 AM
Check my answer: I refer you to the VPNSM module for the IPSEC portion:
Check out the VPNSM blade that can be added to the FWSM:
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4221/index.html
The solution you are looking for could be met with a couple of VPNSM modules.
It's very unusual to look for such high rates of IPSEC traffic. Maybe the design should be reviewed and split into a couple of devices.
09-20-2009 01:18 AM
The problem is that the client runs a Juniper shop, and the Juniper srx-3400 supports up to 10Gbps of IPSec. So a Cisco solution would have to support at least half of that, according to client specs.
09-20-2009 01:23 AM
For now we support up to 8-80 Gbps on a cat6k switch. Check out that last doc I referred where there is also the ASR1k.
80 GBPS will be with a chassis fully loaded with VPN modules, but technically it's achievable. That will be 8 times that Juniper device.
It will boil down to cost, and design. The solution exists.
09-20-2009 01:25 AM
Hello Victor,
Sorry, I overlooked the table.
If the device has to act as an IPSec VPN concentrator, you could consider ASR 1006 with ESP 20;
a pair of devices should be able to deliver 5 Gbps IPSec each,
see
http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9343/data_sheet_c78-450070.html
Of course VPNSM suggested by Lucien can be attractive if you deploy two C6500 boxes and you need other services / service modules.
Hope to help
Giuseppe
09-20-2009 05:07 AM
Thanks, G:
09-20-2009 01:19 AM
Also, here is a complete list of our solutions.
Maybe the ASR 1k could be the answer in your scenario: 7 GBps of throughput.
Hope this resolves your questions. Good luck choosing the product meeting your requirements.
09-20-2009 01:21 AM
Thank you, sir.