Cisco Firewall Product Line

Hi:

I am looking for a firewall solution that can provide 5-Gbps of IPSec 3DES traffic processing.

The highest of the ASA product line (5580) can handle a maximum of 1-Gbps. I think the reason for this is that, in Cisco's view, the ASA is an enterprise-level appliance. That is also probably why it only supports AC power.

What product line should service providers look for to provide at least 5-Gbps of 3DES traffic and DC power support?

Thanks

Victor

14 REPLIES

Re: Cisco Firewall Product Line

The FWSM module in CAT6k provides you 5.5 GBPS:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html

CAT6k can run off AC or DC or mixed power:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfa8.shtml#power_red

ASA 5540 is up to 1.2 Gbps throughput and, BTW, there is a DC power supply for ASA; not sure what you are referring to that says it does not. The part number is: ASA-180W-PWR-DC

Re: Cisco Firewall Product Line

Hi:

Thanks.

The FWSM supports up to 5.5 Gbps of clear text, not IPSec. I don't see the IPSec spec on that data sheet.

Would have to check out the DC power thing. It was a Cisco SE who told me the ASA doesn't support DC.

Re: Cisco Firewall Product Line

Give the SE the part number for the DC power ;)

ASA-180W-PWR-DC

Re: Cisco Firewall Product Line

Hello Victor,

We have recently installed a pair of ASA 5580-40 that have 10GE interfaces and should be able to process 5 Gbps of traffic.

See

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

We had a major issue with a bug but it has been solved.

Our experience with FWSM is that they don't really support 5 Gbps, so we have used failover groups, putting different contexts in different failover groups and making FWSM1 active for group1 and FWSM2 active for group2 (a FWSM pair on two C6500 chassis).

Hope to help

Giuseppe

Re: Cisco Firewall Product Line

Hi, Giuseppe:

The 10G specification is for clear text throughput. The spec right below that shows Max VPN throughput. It's 1Gbps.

Re: Cisco Firewall Product Line

Yes, as I said, it's 1.2 GB on the 5540.

It seems you may be looking more for a VPN module, then?

Check out the VPNSM blade that can be added to the FWSM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4221/index.html

Re: Cisco Firewall Product Line

You mentioned the FWSM and that it supports 5 Gbps. That's clear text, not IPSec. I'm asking about IPSec throughput.

[Edit] Now that you edited your response to include the VPNSM, I will edit mine to say that I will look that up. [EDIT] :-)

Thanks

Re: Cisco Firewall Product Line

Check my answer: I refer you to the VPNSM module for the IPSEC portion:

Check out the VPNSM blade that can be added to the FWSM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4221/index.html

The solution you are looking for could be met with a couple of VPNSM modules.

It's very unusual to look for such high rates of IPSEC traffic. Maybe the design should be reviewed and split into a couple of devices.

Re: Cisco Firewall Product Line

The problem is that the client runs a Juniper shop, and the Juniper srx-3400 supports up to 10Gbps of IPSec. So a Cisco solution would have to support at least half of that, according to client specs.

Re: Cisco Firewall Product Line

For now we support up to 8-80 Gbps on a cat6k switch. Check out that last doc I referred to, where there is also the ASR1k.

80 GBPS will be with a chassis fully loaded with VPN modules, but technically it's achievable. That will be 8 times that Juniper device.

It will boil down to cost, and design. The solution exists.

Re: Cisco Firewall Product Line

Hello Victor,

Sorry, I overlooked the table.

If the device has to act as an IPSec VPN concentrator, you could consider the ASR 1006 with ESP 20.

A pair of devices should be able to deliver 5 Gbps IPSec each,

see

http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9343/data_sheet_c78-450070.html

Of course VPNSM suggested by Lucien can be attractive if you deploy two C6500 boxes and you need other services / service modules.

Hope to help

Giuseppe

Re: Cisco Firewall Product Line

Thanks, G:

Re: Cisco Firewall Product Line

Also, here is a complete list of our solutions.

Maybe the ASR 1k could be the answer in your scenario: 7 GBps of throughput.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns710_Networking_Solutions_Brochure.html

Hope this resolves your questions. Good luck choosing the product meeting your requirements.

Re: Cisco Firewall Product Line

Thank you, sir.
