[c-nsp] context firewall

Peter Rathlev peter at rathlev.dk
Sat Mar 6 19:56:13 EST 2010


On Fri, 2010-03-05 at 17:21 +0000, mohieddeen yousef wrote:
> Has anyone used the context firewall on the FWSM?
> 
> Are there any drawbacks of using it?

Apart from what others said: Remember the FWSM doesn't do any crypto
apart from management sessions, so no IPSec tunnels or anything like
that. (This isn't a multiple session limitation though, it's a FWSM
limitation.)

About the throughput: The 5.5 Gb/s max is really 6 x 1 Gb/s etherchannel
from the supervisor to the FWSM, so no one flow can be > 1 Gb/s and two
flows of 1 Gb/s (or below) might lead to congestion even though the
total throughput is less than 2 Gb/s.

The multiple context setup is good if you primarily have "vertical"
traffic, i.e. the contexts (and what's behind them) don't talk much to
each other. For the typical SP scenario (e.g. as a hosted firewall)
they're good IMO.

-- 
Peter



