[c-nsp] FWSM, Contexts and ASA's

Fred Reimer freimer at ctiusa.com
Wed Feb 13 20:24:29 EST 2008


The solution for the classifier issue is to put a VRF routing instance on
the SUP720 in between the FWSM contexts, so that you don't share a VLAN
between contexts and hence it will not get confused.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
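As an added illustration of the design Fred describes (not configuration from the thread or from Cisco), the following SUP720 IOS fragment places a VRF between two FWSM contexts so that each context sees only its own VLAN. Every VLAN number, slot number, context role and address here is a constructed placeholder; the routing between the contexts is static, matching the point made further down the thread that multiple contexts mean static routing.

```ios
! Constructed example: a transit VRF on the SUP720 sitting between a
! "perimeter" context and a "customer-a" context. Because the two contexts
! terminate on different VLANs (100 and 200), the FWSM classifier never
! has to decide which context owns a shared VLAN.
! Slot, VLAN and IP values are placeholders, not taken from the thread.

! Two SVIs will face the FWSM, so allow more than one SVI on firewall VLANs.
firewall multiple-vlan-interfaces
! Hand VLANs 100 and 200 to the FWSM in slot 4 (slot number assumed).
firewall vlan-group 10 100,200
firewall module 4 vlan-group 10

! Separate routing table for the hop between contexts, so the transit
! networks are never reachable from the global table.
ip vrf FW-TRANSIT
 rd 65000:1

! VLAN 100 is the "inside" of the perimeter context.
interface Vlan100
 description perimeter-context inside -> FW-TRANSIT
 ip vrf forwarding FW-TRANSIT
 ip address 10.255.1.2 255.255.255.252

! VLAN 200 is the "outside" of the customer-a context.
interface Vlan200
 description FW-TRANSIT -> customer-a context outside
 ip vrf forwarding FW-TRANSIT
 ip address 10.255.2.1 255.255.255.252

! Static routes inside the VRF (constructed next hops):
! default toward the perimeter context's inside address,
! customer-a's address block toward that context's outside address.
ip route vrf FW-TRANSIT 0.0.0.0 0.0.0.0 10.255.1.1
ip route vrf FW-TRANSIT 192.0.2.0 255.255.255.0 10.255.2.2
```

On the FWSM side each context is given only its own VLAN interface (via `allocate-interface` in the system context), with a default route pointing at the VRF SVI on its VLAN. `show ip vrf interfaces` and `show ip route vrf FW-TRANSIT` on the SUP720 confirm that both SVIs and both static routes live in the VRF rather than in the global table.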


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Kent
Sent: Wednesday, February 13, 2008 1:06 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM, Contexts and ASA's

AFAIK, the FWSM is not going to be able to be a general perimeter
firewall, in conjunction with other contexts.  That is, if you think
"Hey, I've got multiple contexts, why not use one for general
Internet filtering and then that can funnel into per-customer
and/or per-businessUnit contexts?" then the answer is "it'll confuse
the classifier for outbound traffic".

The fwsm does not seem to be as "advanced" as the ASA in at least 
a few ways (no enhanced object groups, no ability to tie a unique MAC
address to shared interfaces).

Also, multiple contexts means static routing.

Regarding this:

> I would also ask a strategy question, Do you think the FWSM
> product really has a future compared to ASA?

Is that rhetorical?  Is it generally believed that the answer is "No"?

Regarding this comment:

> We recently had an issue where one of the network processors in an
> FWSM got confused and refused to pass traffic for new flows.

I think that happened to me yesterday (with 3.2(4)).  Spent hours
trying to figure out what was going on, finally ripped out the
contexts, redefined them and all was OK.  This isn't even in
production yet (i.e., no real load).

Thanks,
-mark
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

