[c-nsp] context firewall
Justin M. Streiner
streiner at cluebyfour.org
Fri Mar 5 12:45:27 EST 2010
On Fri, 5 Mar 2010, mohieddeen yousef wrote:
> Has anyone used the context firewall on the FWSM?
Yes, I have several FWSMs in multi-context mode in production. The nice
thing is that you can have up to 8 bridge groups per context, compared to
an ASA, which only allows one bridge per context in transparent mode.
I had some Java issues with Cisco's ASDM, but newer versions of the ASDM
seem to be more stable.
> Are there any drawbacks to using it?
That depends on your needs, but there are the following caveats:
1. Forget about IPv6 support - the hardware is optimized for v4
forwarding, and forwarding v6 ends up having to be done in software, so the
performance hit is substantial.
2. If you use the web-based ASDM, MacOSX/Safari is not 'officially'
supported
3. Data collection via SNMP, if you're concerned about that, is kind of
clunky in multi-context mode. Things like connections and CPU utilization
have to be polled per context and combined if you want to get reasonably
accurate data across the entire FWSM.
4. The rated max throughput is 5.5 Gb/s. In practice I've been able to
get 3+ Gb/s through them without problems.
5. The writing is on the wall that Cisco is planning to stop new
development on the FWSM in the near future. I've heard unconfirmed
rumors of a newer, faster blade-based firewall, but nothing definite at
this point.
jms