[c-nsp] FWSM going away rumor

Jeff Fitzwater jfitz at Princeton.EDU
Wed May 7 14:38:29 EDT 2008


On May 7, 2008, at 1:42 PM, Dale W. Carder wrote:

>
> On May 7, 2008, at 10:37 AM, Jeff Fitzwater wrote:
>> We currently have two FWSM running 3.2 and are awaiting new code to
>> fix some transparent mode issues.
>
> I would like to know what you're seeing.
Our FWSM is in a 6509 with a Sup 720-3CXL and logically sits between
our 3 ISPs as a transparent FW configured with 3 BVIs, one for each ISP.
Our first major issue was that each BVI required a separate IP, not
just for management but so it could ARP for a host if it was not in the
bridge table.  That forced us to change all our ISPs from /30 to /29 in
order to allocate an IP on that net for the FWSM BVI.

We initially did not want to block anything so we could control all
functions of the FWSM, so we disabled STATE checking, Random Sequence
Number generation and all Inspection functions.
What was left, but not clearly documented, was DNS-GUARD, which only
allows the first response through and then closes the connection.  This made
many DNS things fail on campus.
It turned out that there is no way to disable it.

We are in the process of testing BETA code.

So we have had our FWSM for about a year of just sitting in the chassis.

Jeff Fitzwater
OIT Network Systems
Princeton University
>
>
>> The rumor I heard is that Cisco will only have one more release of
>> FWSM code and that's it; no more FWSM, the future will only be the
>> ASA.
>
> Your account team would likely know more, but in my opinion,
> 5 years without a hardware refresh sure seems awful damning
> about the platform's future.
>
> Sure there might be another software release to attempt to
> breathe life-support into those network processors, but there
> is going to be a finite limit as to what they can and can
> not do (example: ginormous ACLs, IPv6, handling huge flows
> without significant hackery).
>
> I would expect there will be a strong motivation to develop
> software for and sell you shiny new ASA 5580-40's instead
> of FWSM.
>
>> The FWSM isn't that old, maybe 2-3 years.
> We got our 1st one in early 2003.
>
>> I thought the FWSM was the latest and greatest and came from
>> the ASA.
>
> The FWSM is sort of its own beast, with hardware assist from
> network processors.  The ASA is truly a next-gen PIX.
>
> Dale
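A small model of the DNS-GUARD behaviour Jeff describes, added here as an illustration; it is not code from the thread or from the FWSM, and it simplifies the real device down to a UDP pinhole table. Flow keys, the 120 second idle timeout, the addresses and the packet trace are all constructed. With the guard on, the first response that matches an outstanding query is forwarded and the pinhole is then removed, so a second response for the same query is dropped; with the guard off, the pinhole only dies when it goes idle.

```python
"""Toy model of stateful UDP flow tracking for DNS, with and without the
'DNS guard' behaviour described in the thread: with the guard on, the first
DNS response matching an outstanding query is forwarded and the flow entry
is then torn down, so any later response for the same query is dropped.
Constructed example, not FWSM code; the real device is far more involved."""
from dataclasses import dataclass

IDLE_TIMEOUT = 120.0  # seconds a plain UDP pinhole stays open (assumed value)


@dataclass(frozen=True)
class Packet:
    t: float          # arrival time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    txid: int         # DNS transaction ID from the header
    is_response: bool


class FlowTable:
    """Pinholes keyed by (client, cport, server, sport, txid)."""

    def __init__(self, dns_guard: bool):
        self.dns_guard = dns_guard
        self.flows: dict[tuple, float] = {}   # key -> last-seen time

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Responses travel server->client; normalise to the client-side view.
        if pkt.is_response:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.txid)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.txid)

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.flows.items() if now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.flows[k]

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        key = self._key(pkt)
        if not pkt.is_response:
            self.flows[key] = pkt.t          # outbound query opens the pinhole
            return "forward"
        if key not in self.flows:
            return "drop"                    # no matching query: unsolicited
        if self.dns_guard:
            del self.flows[key]              # guard: close after first answer
        else:
            self.flows[key] = pkt.t          # plain UDP: refresh idle timer
        return "forward"


def run(dns_guard: bool, packets: list[Packet]) -> list[str]:
    table = FlowTable(dns_guard)
    return [table.process(p) for p in packets]


# Constructed trace: one query, two responses carrying the same transaction
# ID (e.g. a duplicate from the server), then a response nobody asked for.
CLIENT, SERVER = "10.0.0.5", "192.0.2.53"   # constructed addresses
TRACE = [
    Packet(0.0, CLIENT, 40000, SERVER, 53, 0x1234, False),
    Packet(0.1, SERVER, 53, CLIENT, 40000, 0x1234, True),
    Packet(0.2, SERVER, 53, CLIENT, 40000, 0x1234, True),
    Packet(0.3, SERVER, 53, CLIENT, 40000, 0x9999, True),
]


def compare() -> dict[str, list[str]]:
    """Verdict per packet for the guarded and the plain flow table."""
    return {"guard": run(True, TRACE), "plain": run(False, TRACE)}


def late_response() -> list[str]:
    """Even without the guard, a response after the idle timeout is dropped."""
    late = [
        Packet(0.0, CLIENT, 40000, SERVER, 53, 0x1234, False),
        Packet(IDLE_TIMEOUT + 80, SERVER, 53, CLIENT, 40000, 0x1234, True),
    ]
    return run(False, late)


if __name__ == "__main__":
    for mode, verdicts in compare().items():
        print(mode, verdicts)
    print("late", late_response())
```

Running it prints `guard ['forward', 'forward', 'drop', 'drop']` against `plain ['forward', 'forward', 'forward', 'drop']`: the third packet is the one the guard eats, which is the class of traffic that breaks when the device cannot be told to stop doing this.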
