ASA vs. FWSM

Feb 24th, 2010

All,


I am looking for some real-world feedback comparing the ASA series to the FWSM on a 6500 series.  Looking at things like robustness, flexibility, IDS/IPS, etc. and anything else that might be relevant in the real world.


Thanks in advance!  All replies rated

Panos Kampanakis (Cisco Employee) Wed, 02/24/2010 - 11:10

It depends on the ASA you are thinking of.

The 5580-40 is much more robust than an FWSM.


Also the 5510, 5520, 5540 have the capability to incorporate an IPS card in them.


The FWSM has some hardware limitations like ACL space.


I would suggest checking what KS suggested and also checking the speeds the models you are thinking of can support.

The FWSM has a name maximum throughput of about 5.5Gbps.


I hope it helps.


PK

GrumpyBear Thu, 02/25/2010 - 10:29

That depends ...


The FWSMs are weird beasts that run a code version somewhere between PIXOS and ASA.


They have crazy throughput and nice VLAN support and integrate tightly with the 6500s.  I met a guy running a huge financial datacentre who had 6 in a 6509E :-0


We have three pairs of them.  One is in a DataCentre, where these puppies really make sense.


I know lots of hosting providers use them so they can use the virtualization for clients (i.e. one virtual firewall for each client).


The code base doesn't seem to be developed as fast as the ASA; it almost seems to be an afterthought sometimes.


I've got a couple of ASA5580-20s sitting on the loading dock but haven't had time to play with them yet.  We were considering the -40 models with 10gig modules but they are crazy expensive (both the Xenpaks & the two additional CPU & Memory Kits).


A limit with any ASA (correct me if I am wrong please) is that you can't port-channel the interfaces so you are limited to a single Gig on your outside interface which is an issue for us in our data centre (and, like I said the 10Gig modules are insanely expensive).


As for the comments about the IDS - you can get the IDSM2 service modules for the 6500 but, again, they are expensive and limited again to 2 gigE taps.
