[c-nsp] 6500 with IOS Firewall - Any experiences?

Brian Stiff (bstiff) bstiff at cisco.com
Tue Jun 5 15:51:50 EDT 2007


Hi Gustavo-

I'd thought this had come up on the list before, but I couldn't find it
in the archives.  

If you're really looking for performance, breadth of features, and
continued support, I'd really suggest that you steer your customer
toward an FWSM or PIX/ASA.  The IOS Firewall Feature set on the Cisco
IOS Software for the Catalyst platforms is based on *very* old code, and
includes none of the last 4-5 years' development efforts.

If your customer insists that they want to try IOS Firewall, be advised
that some people have had limited success, but more often than not, most
customers I've seen trying this have ended up spending the money on the
appropriate gear after seeing the performance impact and functional
shortfalls that the Supervisor's IOS Firewall offers.

Regards,
Brian

Brian Stiff
720.562.6462
IOS Firewall
Technical Marketing Eng.
Security Technology Group
http://www.cisco.com/go/iosfw

> Date: Mon, 4 Jun 2007 20:59:47 +0100
> From: "Gustavo Novais" <gustavo.novais at novabase.pt>
> Subject: [c-nsp] 6500 with IOS Firewall - Any experiences?
> To: <cisco-nsp at puck.nether.net>
> Message-ID:
> 	<D976F12A91106C4FA9BFF152C93B4652094B5560 at gemini.novabase.intra>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hi,
> 
> I currently have a customer who is buying a 6500 with 
> redundant SUP720, but he doesn't want to use the SUP for L3 
> (only L2) because currently all of its L3 is done on a 
> PIX525, on which he has lots of rules, and is able to manage by ASDM.
> 
> He does not wish to buy a FWSM, so I told him that eventually 
> IOS firewall feature set would do the trick, with the CBAC 
> features, etc. 
> 
> What I'd like to know from the list experience is if indeed trading a
> PIX525 (with fastethernet interfaces) and ASDM for management 
> for a sup720 with IOS Firewall and ____________ (fill in the 
> blanks) for management, is worth it or not.
> 
> I've already alerted him to eventual scalability issues, but 
> his deployment is not that big, only around a dozen vlans, 
> and nothing much else.
> 
> Any suggestions are welcome...
> 
> I've checked if we could manage that type of features (namely 
> CBAC) with CiscoView, but didn't reach any conclusion...
> 
> Thanks
> 
> Gustavo Novais
> 