[c-nsp] FWSM, Contexts and ASA's

Dale W. Carder dwcarder at wisc.edu
Wed Feb 13 11:50:22 EST 2008


On Feb 13, 2008, at 10:36 AM, Christian Koch wrote:
>
> we are deploying FWSM for a customer firewalls, and someone has brought up
> the thought of moving our corporate firewalls (now on asa's) over to these
> same FWSM's..
>
> my main thoughts are to stray away from this.. does anyone run an
> architecture like this now? or have any opinions on WHY to or to not do it?

While the FWSM does offer pretty decent resource provisioning,
are you actually using it and tuning how many resources each
context can eat up?

I would also ask a strategy question: do you think the FWSM
product really has a future compared to ASA?

If and when there is a problem on the FWSM, do you want your
corporate network to be down?  This is like any other such
egg/basket issue, and NOT specific to the FWSM.

We have several FWSM's and ASA's.  We recently had an issue
where one of the network processors in an FWSM got confused
and refused to pass traffic for new flows.  Strange situation
for 50 customers in a funny ~40% state of "down".  Based on
geography this would have been the basket our eggs would
have been in had we not separated the NOC out from various
potential situations like this.

Dale

