Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Cat6500 w/ Sup720 - IOS Firewall Question

I need to know if the IOS Firewall processes traffic in hardware or software. I would like to take advantage of the feature, but don't want it to have an impact on performance. Oh, and right now we can't justify the $ for FWSM modules.


New Member

Re: Cat6500 w/ Sup720 - IOS Firewall Question


New Member

Re: Cat6500 w/ Sup720 - IOS Firewall Question

Yikes ..

I'm assuming this factor causes a great reduction in the feasibility of this feature?!

Cisco Employee

Re: Cat6500 w/ Sup720 - IOS Firewall Question

IOS Firewall processes traffic in software.I will never recommend to run the Cisco IOS firewall on the Sup720 as it can impact the over all performance of the Sup engine. I would recommend to use dedicated hardware FWSM module on the chassis for a better performance. I know that $$ will be a little concern here with FWSM but the kind of featureset and sclabaility is built in the module will justify the $$ value for it. You can create upto 250 virtual firewalls within the same module.


-amit singh

New Member

Re: Cat6500 w/ Sup720 - IOS Firewall Question

Since you're a Cisco guy, have you heard of any plans to revamp the FWSM? Isn't it based on older PIX era technology?

When I first heard about the ACE I thought it might be a replacement, but the more I hear it doesn't sound like the two are very comparable.


New Member

Re: Cat6500 w/ Sup720 - IOS Firewall Question

ACE is an application control module that can provide some firewall functionality.

Some of the pros when compared to FWSM:

- Better scalability overall:

o 4M total bi-dir connections

o 1M total NAT translations, 4M with PAT

o 256K access-list entries

o Single flow of up to 8 Gbps

o High performance inspection engines

- More flexible and powerful inspection of HTTP, SIP (regex)

- Generic Protocol Parsing can make drop decisions

- Role-based access-control + domains for management

- Integrated SSL offload capabilities

- SNMPv3 for management

Here are some of the cons when compared to FWSM:

- no common FW GUI (ASDM or CSM)

- Syslogs for ACLs: Yes for denies, No for permits

- no dynamic routing

- no multicast routing

- no direct asymmetric routing support

- no Syslogs for deep inspection or other packet drops

- Application inspection limited to HTTP, ICMP, DNS, FTP, RTSP, SIP, H323, SCCP, LDAP

- no AAA for the data plane (only for mgmt)

- NAT config not backward compatible with Cisco firewalls

- no DHCP server (DHCP relay is in there, per context)

- no URL filtering using Websense / N2H2

- no time-based ACLs

- no nested object-groups

Hope that helps.


Please rate posts if they are helpful.

CreatePlease to create content