
6509 Firewall Service Module (FWSN)


MJewell

MIS
Jul 5, 2001
143
US
Has anyone purchased one of these yet? We were planning on installing ours but were told there was a bug in the internal code that prevented DHCP from passing from one subnet to another on the protected VLANs...

Our network is: Internet
|
6509/MSFC2 (Dual Sup)
|
5 Internal VLANS

Now, I was told that if I configured the FWSM to be between the Internet and the MSFC2s then I wouldn't have any problems; however, if I installed it between the MSFC and the VLANs I would get better functionality and easier configurability, but it would prevent DHCP from passing between the VLANs... Now keep in mind I can't just remove the VLANs as I have over 2000 active network jacks in my building (educational institution).

Any suggestions anyone?

-Mike
 
HI.

> has anyone purchased one of these yet?
I haven't.

But I want to ask you - do you plan to filter traffic between VLANs?
Or protect the Internet connection?
Or both?

I think that the FWSM should be used for filtering internal traffic (if needed), and a dedicated device (PIX or other) for protecting the ISP link.

Yizhar Hurwitz
 
Actually both, because it has the ability to connect into 100 VLANs...

I only have a gigabit connection to main campus for our Internet connection, so I don't see overstressing the FWSM with dual processors and 1 GB of RAM... it should be able to handle the traffic just fine...

Now all I need is for Cisco to get off their butts and fix the software...


-Mike
 
HI.

Again - I don't have any field experience with these.

But my common sense tells me that it will be wiser to use the FWSM for internetwork filtering, and an additional device for the Internet connection.

This is from an administrator's point of view: for example, if you later have other problems with the FWSM or the switch itself, and you wish to reconfigure or totally disable the FWSM, then you still have a protected, unaffected Internet firewall.

Yizhar Hurwitz
 
Well, our main campus already has 2 PIX 535s on the network edge; the FWSM is more for us to control our stuff directly. For instance, I really don't want others on campus attempting to connect to our SQL and MySQL servers... Personally I wouldn't mind breaking our Exchange connectors (they've been a pain since they got installed... (takes 24 hrs to add an admin to our Exchange tree because it has to replicate before it works...)), and the firewall is much more efficient at access management than the MSFC2s are, even running in active/active mode....

Campus also purchased a FWSM to install in their 6509 core switch that all the schools connect to, so they can firewall off a school that has a problem... The last time our campus had a network problem (SQL Slammer) the few SQL servers were generating so much traffic they were saturating the campus switch and no school could get out to the Internet...

-Mike
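The policy Mike describes (the FWSM sitting between the MSFC and the internal VLANs so that campus hosts cannot reach the SQL and MySQL servers, while the port Slammer abused, UDP 1434, is dropped everywhere) is an ordered, first-match access list. The following is an added example, not Cisco's FWSM code and not anything posted in this thread: a small Python model of such an ACL with PIX/FWSM-style first-match and implicit-deny semantics, plus a check for rules that an earlier, broader rule shadows, which is the usual way a "permit our VLANs to anything" line ends up silently exposing the database hosts. All subnets, host addresses and the rule set itself are constructed for illustration.

```python
"""Ordered first-match ACL model (added example; not Cisco or Tek-Tips code).

Constructed addressing:
  10.20.0.0/16   our building's VLANs
  10.20.10.0/24  admin VLAN that is allowed to reach the database hosts
  10.20.30.0/28  SQL Server / MySQL hosts
  10.0.0.0/8     the rest of campus
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (any protocol)
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any
    log: bool = False      # whether a hit should be logged


ANY = "0.0.0.0/0"
OUR_VLANS = "10.20.0.0/16"
ADMIN_VLAN = "10.20.10.0/24"
SQL_HOSTS = "10.20.30.0/28"
CAMPUS = "10.0.0.0/8"

# Constructed policy, in the order the firewall would evaluate it.
ACL: List[Rule] = [
    Rule("deny", "udp", ANY, ANY, 1434, log=True),        # Slammer (MS-SQL resolution service)
    Rule("permit", "tcp", ADMIN_VLAN, SQL_HOSTS, 1433),   # SQL Server from admin VLAN only
    Rule("permit", "tcp", ADMIN_VLAN, SQL_HOSTS, 3306),   # MySQL from admin VLAN only
    Rule("deny", "ip", CAMPUS, SQL_HOSTS, None, log=True),  # everyone else on campus: no DB access
    Rule("permit", "ip", OUR_VLANS, ANY, None),           # our VLANs may reach anything else
]


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """True if a single flow (proto, src, dst, dport) falls inside the rule."""
    return (
        rule.proto in ("ip", proto)
        and ip_address(src) in ip_network(rule.src)
        and ip_address(dst) in ip_network(rule.dst)
        and (rule.dport is None or rule.dport == dport)
    )


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins; anything unmatched hits the implicit deny (index None)."""
    for idx, rule in enumerate(acl):
        if matches(rule, proto, src, dst, dport):
            return rule.action, idx
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every flow the later rule could match is already matched by the earlier one."""
    return (
        earlier.proto in ("ip", later.proto)
        and ip_network(later.src).subnet_of(ip_network(earlier.src))
        and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
        and (earlier.dport is None or earlier.dport == later.dport)
    )


def shadowed(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule fully covers them."""
    return [i for i, rule in enumerate(acl) if any(covers(e, rule) for e in acl[:i])]


# A misordered variant of the same policy: the broad permit has been moved to the top.
MISORDERED_ACL: List[Rule] = [ACL[4], ACL[0], ACL[1], ACL[2], ACL[3]]


if __name__ == "__main__":
    flows = [
        ("udp", "10.99.1.5", "10.20.30.2", 1434),   # Slammer probe from campus
        ("tcp", "10.20.10.7", "10.20.30.2", 1433),  # admin VLAN to SQL Server
        ("tcp", "10.99.1.5", "10.20.30.2", 1433),   # campus host to SQL Server
        ("tcp", "10.20.10.7", "192.0.2.10", 443),   # our VLAN to an outside web server
    ]
    for flow in flows:
        print(flow, "->", evaluate(ACL, *flow))
    print("shadowed rules in ACL:", shadowed(ACL))
    print("shadowed rules in MISORDERED_ACL:", shadowed(MISORDERED_ACL))
```

In the misordered variant the two admin-VLAN permits are reported as shadowed, and a campus host on 10.20.x.x reaching the database servers would be permitted by the broad rule before the deny is ever consulted; running the shadow check against a candidate rule order before pushing it to the module catches that class of mistake without touching production traffic.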
 
You can also purchase two modules for failover.

We also have a firewall on our network edge, but with the last explosion of Blaster A-Z and Sobig our existing firewall was Blasted and Soslow. It's several years old and is FW1 running on a single UltraSparc box (440 MHz). That solution worked well when we only had 2xT's, but now with 45 Mbps it's not cutting it. The FWSM was purchased with performance in mind: 5 Gbps and 1 million concurrent connections. I really wish it would have been deployed prior to our students returning. *sigh*
It would have been much easier to manage that traffic with the FWSM and a NIDS module than with ACLs on the MSFC2 and the edge router protecting the firewall.

-Neil
 
Yea... Currently we have 13 4006s, and in the future I would like to install a second 6509 chassis with a second FWSM in it, but in budget crunch years it may have to wait... I may slowly add second fiber links to each floor's switch...

You can add redundant modules either in the same switch chassis or in different chassis...

-Mike
 
I have deployed the FWSM blade within the last week. Our other FW was being overrun by traffic. Upon bringing the FWSM online there were 390,000 simultaneous connections (show conn count). It was running about 9% CPU at this point. It was obvious why our other firewall was failing: it can only handle about 25,000 connections. The high connection count was due to two machines infected with the MS-SQL (Slammer) exploit. Even while blocking the infectious ports, and with CPU reaching 98 percent, there were no signs of sluggishness on traffic through the blade. It was impressive performance at the very least.

The current deployment doesn't take advantage of multiple VLANs; it is currently just using two interfaces (inside, outside). I do plan on setting up multiple VLANs on it as soon as things quiet down.
 