[c-nsp] FWSM, Contexts and ASA's

Mark Kent mark at noc.mainstreet.net
Wed Feb 13 13:06:06 EST 2008


AFAIK, the FWSM is not going to be able to be a general perimeter
firewall, in conjunction with other contexts.  That is, if you think
"Hey, I've got multiple contexts, why not use one for general
Internet filtering and then that can funnel into per-customer
and/or per-businessUnit contexts?" then the answer is "it'll confuse
the classifier for outbound traffic".

The FWSM does not seem to be as "advanced" as the ASA in at least
a few ways (no enhanced object groups, no ability to tie a unique MAC
address to shared interfaces).

Also, multiple contexts means static routing.

Regarding this:

> I would also ask a strategy question, Do you think the FWSM
> product really has a future compared to ASA?

Is that rhetorical?  Is it generally believed that the answer is "No"?

Regarding this comment:

> We recently had an issue where one of the network processors in an
> FWSM got confused and refused to pass traffic for new flows.

I think that happened to me yesterday (with 3.2(4)).  Spent hours
trying to figure out what was going on, finally ripped out the
contexts, redefined them and all was OK.  This isn't even in
production yet (i.e., no real load).

Thanks,
-mark