Dec 18th, 2009


I am working in a Data Center. I have a 6513/FWSM, a 6509/IDSM and an ASA 5540, and I want the right placement for every device. I have many servers which are currently connected to the ASA. What I am thinking now is: if I replace the ASA with the 6513/FWSM, then I would have more throughput and more interfaces on which to apply policies, and in the core I wish to keep the 6509 instead of the 6513. Please give me an idea so that I can go forward.


sachinraja Fri, 12/18/2009 - 08:29

Hi ibrahim

6513 with FWSM is a far better choice than ASA because of its superior performance. You can surely have your FWSM protect internal servers with FWSM routed mode configured on the 6513.

The design can basically depend on your existing setup. You can have your 6513s as the internal core with firewall services in it, and you can then have your IDS protect your network on the outside. But my query would be: why is the 6509 used? Are there users/servers connected to it?

You can actually re-deploy the ASA to protect external-facing servers, something like a mail relay or external DNS. By doing this you can protect your network with a 2-layered firewall approach. Again, there are so many options, but it depends on your requirement.

Hope this helps. All the best.


The traditional 6509 or 6513 has side-to-side airflow, which can cause heating problems if it is congested by the number of cables and the traffic volume. The 6509-V has vertical slots and can provide front-to-rear airflow. You can choose depending on your DC design.

The 9-slot chassis requires a 1000W or 1300W power supply and the 13-slot chassis requires a 2500W or 4000W power supply.


Also, it depends on the size of your traffic. If you go with the ASA, you have the flexibility to upgrade the box to a newer version, let's say a 5580-40 or 5580-20 with 10-G capability. It is easier to change the box than to change the design.

Muhammad Ibrahi... Mon, 12/21/2009 - 09:32

Hi mohsin,


I want to put the 6509 in the Core block and the 6513/FWSM in the Enterprise block where my servers are connected, and the ASA in the Access layer where co-location servers will be connected; for the co-location servers not as much security is required as for my internal servers.


A topology showing internal and external traffic flow will help us understand your concern.

Usually, the ASA is placed on the core layer to make use of the zone-based connectivity (I know the doc on the Cisco site connects it to the aggregation layer, but practically, placement on that layer is useless for my network at least). If you have to secure inter-service traffic, then yes, you can use the FWSM on the aggregation/6513. In DC design, corporate user traffic is supposed to be on the outside zone, and hence an ASA sort of box is required at the core layer/6509.

Muhammad Ibrahi... Tue, 12/22/2009 - 08:41

Hi mohsin,

I have one E1 link to the Airport. The E1 is terminated on a 3700 router in the Airport. In the Airport I want to give connections from my router to different airlines, I mean like customers. I have three customers there with different bandwidth requirements. From the 3700 router one cable goes to a switch, and then from my switch they are connected. What I am thinking is: I want to make a class-map for an access-list in which I will match the IP addresses of the customers, then in a policy-map I want to call the class-map and assign bandwidth according to the customer requirement, and at last apply the policy on the interface which is connected to the switch. The service policy is applied only in the outbound direction, but I don't know, should I apply the policy in both directions? Does it fulfil my requirement to allocate bandwidth to different customers?


Customers offices<----------------------Switch2960<------------------Router3700<---------------------E1link from service provider

To my knowledge, marking is done on the ingress interface and scheduling/policing is done on the egress interface. So in your case, the service policy containing the class maps for the customers will be applied on the LAN interface of your router (or maybe the switch).

Also, more people would come to help you if you open this discussion in the Routing/Switching section.

sachinraja Tue, 12/22/2009 - 11:00

Hi Ibrahim

Since you have a 2960 on the access, you cannot mark layer 3 packets on this switch. It does basic layer 2 QoS markings, which might not be helpful in your case.

If you are thinking only to restrict bandwidth for the airlines (customers), you can look at some policing strategies on your 3700 router. Committed Access Rate (CAR) can be used to restrict traffic inbound to that router based on IP addresses, ports etc. But just keep in mind, this won't do prioritizing. It can do bandwidth policing or remark packets on your egress.

You can apply CAR on the ingress Ethernet interface where the traffic enters:

! CAR is configured per interface; the "access-group" form of rate-limit
! takes a numbered ACL (1-2699), so the customer ACLs are numbered here.
! 2000000 bps = rate, 375000 bytes = normal burst, 375000 bytes = max burst
interface FastEthernet0/0
 rate-limit input access-group 101 2000000 375000 375000 conform-action transmit exceed-action drop
 rate-limit input access-group 102 2000000 375000 375000 conform-action transmit exceed-action drop
!
! one extended ACL per customer, matching that customer's source range
! (customer1's IP range is
access-list 101 permit ip <customer1-range> <wildcard> any
access-list 102 permit ip <customer2-range> <wildcard> any


If you need both policing and traffic shaping, you can look at Class-Based Weighted Fair Queueing (CBWFQ), or if you have voice, look at LLQ. There are lots of configuration examples on Cisco's site for both these technologies.

Hope this helps. All the best.
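As an added example (written for this page, not posted by anyone in the thread), here is the class-map/policy-map version of what Ibrahim describes, using MQC on the 3700 instead of legacy CAR, and covering both directions on the LAN interface as the thread discusses: policing traffic from a customer on input and traffic towards that customer on output. The class names, the two customer address ranges (RFC 5737 documentation prefixes), the second customer's rate and the interface name are assumptions; the 2000000 bps / 375000 byte figures are the ones from the CAR example above.

```ios
! --- one ACL per customer, matching the customer's range as source OR
!     destination, so the same policy-map can be applied input and output
!     (address ranges are placeholders, not from the thread)
ip access-list extended CUSTOMER1
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip any 192.0.2.0 0.0.0.255
ip access-list extended CUSTOMER2
 permit ip 198.51.100.0 0.0.0.255 any
 permit ip any 198.51.100.0 0.0.0.255
!
! --- classify each customer by its ACL
class-map match-all CUSTOMER1
 match access-group name CUSTOMER1
class-map match-all CUSTOMER2
 match access-group name CUSTOMER2
!
! --- police each class to its committed rate; traffic within the
!     committed burst (bc, bytes) is transmitted, the excess is dropped.
!     No queueing actions here, so the policy is valid in both directions.
policy-map CUSTOMER-RATE
 class CUSTOMER1
  police cir 2000000 bc 375000 conform-action transmit exceed-action drop
 class CUSTOMER2
  police cir 1000000 bc 187500 conform-action transmit exceed-action drop
 class class-default
!
! --- LAN interface towards the 2960: input limits what each customer
!     sends up the E1, output limits what each customer receives
interface FastEthernet0/0
 description LAN towards 2960 / airline customers
 service-policy input CUSTOMER-RATE
 service-policy output CUSTOMER-RATE
!
! verify per-class conform/exceed counters with:
!   show policy-map interface FastEthernet0/0
```

Traffic that does not match any customer ACL falls into class-default and is not policed, so a third customer needs its own ACL, class and police statement; if a guaranteed share rather than a hard cap is wanted, the output direction is where a CBWFQ "bandwidth" statement per class would replace "police", as sachinraja suggests.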



