04-20-2007 08:08 AM - edited 03-05-2019 03:34 PM
I need to know if the IOS Firewall processes traffic in hardware or software. I would like to take advantage of the feature, but don't want it to have an impact on performance. Oh, and right now we can't justify the $ for FWSM modules.
Thanks.
04-20-2007 09:02 AM
software
04-20-2007 09:05 AM
Yikes ..
I'm assuming this factor causes a great reduction in the feasibility of this feature?!
04-20-2007 10:14 AM
IOS Firewall processes traffic in software. I will never recommend running the Cisco IOS firewall on the Sup720 as it can impact the overall performance of the Sup engine. I would recommend using the dedicated hardware FWSM module in the chassis for better performance. I know that $$ will be a little concern here with FWSM, but the kind of feature set and scalability built into the module will justify the $$ value for it. You can create up to 250 virtual firewalls within the same module.
HTH,
-amit singh
04-20-2007 10:33 AM
Since you're a Cisco guy, have you heard of any plans to revamp the FWSM? Isn't it based on older PIX era technology?
When I first heard about the ACE I thought it might be a replacement, but the more I hear it doesn't sound like the two are very comparable.
Thanks.
04-20-2007 12:45 PM
ACE is an application control module that can provide some firewall functionality.
Some of the pros when compared to FWSM:
- Better scalability overall:
o 4M total bi-dir connections
o 1M total NAT translations, 4M with PAT
o 256K access-list entries
o Single flow of up to 8 Gbps
o High performance inspection engines
- More flexible and powerful inspection of HTTP, SIP (regex)
- Generic Protocol Parsing can make drop decisions
- Role-based access-control + domains for management
- Integrated SSL offload capabilities
- SNMPv3 for management
Here are some of the cons when compared to FWSM:
- no common FW GUI (ASDM or CSM)
- Syslogs for ACLs: Yes for denies, No for permits
- no dynamic routing
- no multicast routing
- no direct asymmetric routing support
- no Syslogs for deep inspection or other packet drops
- Application inspection limited to HTTP, ICMP, DNS, FTP, RTSP, SIP, H323, SCCP, LDAP
- no AAA for the data plane (only for mgmt)
- NAT config not backward compatible with Cisco firewalls
- no DHCP server (DHCP relay is in there, per context)
- no URL filtering using Websense / N2H2
- no time-based ACLs
- no nested object-groups
Hope that helps.
-lloyd
Please rate posts if they are helpful.