[c-nsp] Hardware for 'managed firewall'

Justin Shore justin at justinshore.com
Tue Sep 29 17:57:58 EDT 2009


Dave Weis wrote:
> 
> We want to provide a hosted/managed firewall service for our MPLS 
> customers. Is a pair of ASA's with multiple contexts the best way to do 
> this or would something else work better? I'm not concerned with the 
> customers being able to make changes themselves.

We do this with a pair of FWSMs in a pair of 7600s.  Customers in our 
data center reside in MPLS/VPNs.  The FWSMs upstream in the network are 
their ticket out of the MPLS/VPN and out to the Internet.  Each customer 
is in their own context.  Not too difficult.

We could have done this with ASAs but they do not scale as well.  If you 
want to start cheaply then yes, you can use ASAs, but research their 
limitations (especially number of contexts and throughput vs. price).  Also be 
sure that you understand that you cannot use VPN on an ASA with multiple 
contexts.  If you need to terminate VPN services (L2L or client) and put 
them into isolated customer environments on the secured side of the 
network then you need to look into a router-based platform.

So you know, no Cisco firewalls are MPLS-aware; that includes the FWSM. 
However, you don't really need it since you only need to map VLANs to 
it.  The VLANs themselves can be in the necessary VRF, thus making that 
context partially in that VRF.  I.e., VLAN 100 is in the 
privately-addressed customer VRF and is assigned to the context and used 
as the "inside" interface.  VLAN 200 is publicly-addressed, not in a 
defined VRF (default VRF or wherever you keep your public Internet at), 
is assigned to the context and is used as the "outside" interface.  The 
customer can manage their own context if they want but we don't yet have 
any that do this.  You could let customers bring their own FW if they 
want by mapping the inside and outside VLANs to switchports in your data 
center (one on the public side and one in the customer VRF) and letting 
the users use those.

Justin
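The VLAN-to-context mapping Justin describes, written out as a configuration sketch. This is an added example, not configuration from the original post or from any real deployment: the VRF name CUSTA, FWSM slot 4, VLAN group 10, the context and ACL names, and all addresses (RFC 1918 and RFC 5737 ranges) are constructed. It uses FWSM 3.x-era syntax (pre-8.3 style nat/global), which matches the 2009 timeframe of the thread.

```cisco
! ===== 7600 / MSFC side (IOS) =====
! Customer VRF: the "inside" VLAN's SVI lives here (assumed name/RD)
ip vrf CUSTA
 rd 65000:100
!
! Hand VLANs 10 (admin), 100 (CUSTA inside) and 200 (CUSTA outside) to the FWSM in slot 4.
! "multiple-vlan-interfaces" is required because the MSFC has SVIs on more than one firewall VLAN.
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 10
firewall vlan-group 10 10,100,200
!
! Inside SVI: privately addressed, inside the customer VRF.
! The VRF's default route points at the context's inside interface.
interface Vlan100
 description CUSTA inside -> FWSM context custA
 ip vrf forwarding CUSTA
 ip address 10.100.0.2 255.255.255.0
!
ip route vrf CUSTA 0.0.0.0 0.0.0.0 10.100.0.1
!
! Outside SVI: publicly addressed, in the global table (where the Internet lives).
! The customer's NAT pool is routed back to the context's outside interface.
interface Vlan200
 description CUSTA outside -> FWSM context custA
 ip address 203.0.113.1 255.255.255.0
!
ip route 198.51.100.0 255.255.255.240 203.0.113.2

! ===== FWSM system context =====
! (exec, one-time) mode multiple
admin-context admin
context admin
 allocate-interface Vlan10
 config-url disk:/admin.cfg
!
! One context per customer; the mapped names "inside"/"outside" are what the context sees.
context custA
 description CUSTA managed firewall
 allocate-interface Vlan100 inside
 allocate-interface Vlan200 outside
 config-url disk:/custA.cfg

! ===== FWSM context custA (disk:/custA.cfg) =====
hostname custA
interface inside
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Unlike the ASA, the FWSM has no implicit higher-to-lower permit: outbound needs an ACL.
access-list inside_out extended permit ip 10.100.0.0 255.255.0.0 any
access-group inside_out in interface inside
!
! Hide the customer's private space behind a public pool on the way out.
nat (inside) 1 10.100.0.0 255.255.0.0
global (outside) 1 198.51.100.1-198.51.100.14 netmask 255.255.255.240
!
! Default out to the MSFC's public SVI; the rest of the customer VRF is behind the inside SVI.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.100.0.0 255.255.0.0 10.100.0.2
```

Adding another customer is a new VLAN pair, a new VRF on the MSFC side and a new context with its own config-url; nothing in the MPLS core needs to know the firewall exists. The public-side VLAN can instead be shared across contexts, but then the FWSM classifies inbound packets by each context's nat/global addresses, so a dedicated outside VLAN per context is the less surprising design.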