[c-nsp] Question - FWSM on 6500 switches

Christian Zeng christian at zengl.net
Wed Nov 16 04:44:46 EST 2005


* Vish Yelsangikar <vyelsangikar at netflix.com> wrote:
> Does anyone have any experiences (both good and bad) with Firewall 
> module on 6500?

Yes. Last year we implemented a larger and complex datacenter with 4
CAT6k5/Sup 720, FWSMs, CSMs and SSLMs.

In general, the FWSMs were implemented in L3/multiple context mode. We
ran into some bugs, but the multiple context code was relatively new at
this time (v2.2) and these bugs are fixed by now.

Most of our problems were related to multiple context mode. At the
beginning it was difficult to understand the limitations of a
virtualized FWSM (shared VLANs) and its relationship with NAT, because
the documentation is short about this and leaves room for
interpretation.

Having an integrated service module introduces some limitations and
additional complexity compared to a standalone appliance (packet
sniffing, VLAN routing at the Sup etc.).

But, when you only want to implement single context mode the FWSM
behaves much like a PIX. And yes, if you are familiar with PIX OS, then
the FWSM should not cause you major config trouble. 

Overall, the stability and performance of the FWSM is good, if you run a
post-2.2 software version.

A weak point is GUI-based management, if you want to have this. PDM was
a pain in the rear, and luckily I could convince the operation people to
use CLI-based administration. I do not know the successor of the PDM,
but I'd have doubts, especially if you have handcrafted configurations
that a GUI must live with.

Best regards,


Christian
