[c-nsp] ASA vs ISR ZBFW
Mark Tinka
mtinka at globaltransit.net
Sun Sep 11 13:46:46 EDT 2011
On Monday, September 12, 2011 01:28:22 AM Nick Hilliard
wrote:

> well, yes and no. NPUs are fine but they aren't CPUs and
> you'll never get the flexibility of a CPU-forwarded box
> on NPU based hardware, at least not at a comparable
> price point.

That's why I said "decent-enough", which, of course, varies
depending on where you sway.

For us (the Network department), we sway more toward
routing, but still find some of the firewall features in the
ASR1000 good enough for our requirements. Of course, there
are times when the ASA would be much better, e.g., ACL
filtering based on URLs, which the ASR1000 doesn't do, but
when we consider some of the drawbacks the ASA has in terms
of routing, we go back to ASR1000 because we're skewed
toward routing more than toward the security bits.

I'm sure the ASR1000 BU can make things even more
interesting in that space, but I won't presume to speak on
their behalf :-).

Of course, our Security department are probably going to be
choosing an ASA more times than they will an ASR1000, but
that's them.

We've seen this many times before. Routers/switches are
turned into firewalls either on integrated forwarding
engines, or via dedicated line cards that offload that
capability. Have they all been successful? Yes and No. Have
many of them scaled in real environments? Yes and No. But
one constant has always remained - if you want the job done
right re: firewalls and such, buy a dedicated appliance
that's built for this from Day One. This fact, we certainly
don't dispute.

Cheers,

Mark.