[c-nsp] Cisco FWSM vs Juniper NetScreen 5400

Edoardo Martelli em.mlist at gmail.com
Thu Aug 9 07:35:46 EDT 2007


Hi

We recently had to upgrade our PIX 535 to something more powerful. We
made a market survey of high-throughput firewalls and ended up evaluating
these two boxes, the FWSM and the NS5400.


>  I need a high throughput firewall solution for campus
> segmentation.


We tested the performance with a traffic generator. The NS5400 with two
10Gbps interfaces was capable of 5.4Gbps full-duplex.
The FWSM was only up to 2Gbps full-duplex. The FWSM connects to the
backplane with six 1Gbps links, so it is physically limited to 3Gbps in
any direction. The packet sizes were in the range 500-1500B.

> 
>  I need to be able
> to feed traffic to the firewall at up to 10Gbps (Ethernet) and not
> have it vomit. 

It's not possible with a single box. Since we needed around 20Gbps, we
built a system that, using policy-based routing, offloads some well
defined traffic.

>  It
> needs to be stable and have multi-chassis failover support.

Both have it.
The FWSM supports a configuration with two active modules that share the
load. The problem is that they need to exchange traffic (as far as I
understood, packets belonging to a certain session must stick to a
module; if a packet arrives at the other one, it is transferred to
the module that "owns" the session), so the overall performance is still
limited to 3Gbps.

> I searched the archives and found a few similar questions. Most people
> didn't have nice things to say about the FWSM. I wonder if things have
> improved in the last year or so?

We ended up with the FWSM and we are quite happy; the box is stable, and
the latest OS versions are OK.
Although the NS5400 was somewhat better, we decided on the FWSM mainly
for a few reasons: the price (no need to buy interfaces if you already
have a Catalyst); the duration of the migration (we had a pretty complex
configuration in the PIX that would have taken quite long to translate,
and some rules were not supported); the tuning of a new technology (we
needed several months before we had the PIX handling all our
applications correctly, so we feared the same for the NS). The FWSM
behaves almost exactly like the PIX, so not much of a surprise.


cheers
Edoardo
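As an added illustration of the policy-based routing offload Edoardo describes (example configuration written for this page, not the poster's or Cisco's own config), here is a Cisco IOS fragment that steers one narrowly defined, high-volume flow class around the firewall while everything else keeps following the normal routed path through it. All host addresses, VLAN numbers, next-hop addresses and object names are hypothetical.

```text
! Added example, not from the original post. Hypothetical addressing.
!
! 1. Match only the traffic that is safe to leave uninspected: one known
!    replication flow between two fixed hosts on one fixed port, in each
!    direction. Keep these ACLs as tight as possible; anything they match
!    will never be seen by the FWSM.
ip access-list extended OFFLOAD-A-TO-B
 permit tcp host 10.10.1.20 host 10.20.1.30 eq 5000
!
ip access-list extended OFFLOAD-B-TO-A
 permit tcp host 10.20.1.30 eq 5000 host 10.10.1.20
!
! 2. Route-maps: a match sets a next hop on the bypass path; unmatched
!    packets fall through and are routed normally, i.e. via the firewall.
route-map OFFLOAD-A permit 10
 match ip address OFFLOAD-A-TO-B
 set ip next-hop 10.255.0.2
!
route-map OFFLOAD-B permit 10
 match ip address OFFLOAD-B-TO-A
 set ip next-hop 10.255.0.1
!
! 3. Apply the policy on the ingress VLAN interface of BOTH segments so
!    that both directions of the session bypass the firewall. If only one
!    side is policy-routed, the stateful firewall sees half of the
!    conversation and drops the replies as packets without a session.
interface Vlan100
 description Campus segment A (hypothetical)
 ip address 10.10.1.1 255.255.255.0
 ip policy route-map OFFLOAD-A
!
interface Vlan200
 description Campus segment B (hypothetical)
 ip address 10.20.1.1 255.255.255.0
 ip policy route-map OFFLOAD-B
```

Two things a practitioner would check after applying this: `show route-map OFFLOAD-A` reports the policy-routing match counters, which confirms the intended flow (and nothing else) is taking the bypass; and, since offloaded traffic is no longer inspected, the bypass path should carry its own restrictive ACL so the exemption stays limited to the hosts and port listed rather than becoming a general hole beside the firewall.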

