ccfcfc (United Kingdom) asked:

Cisco ASA or Catalyst 6500 ?

I am looking for some guidance on the pros/cons of the ASA vs the Catalyst 6500.

I have been using an ASA5520 for some time and am very happy with it, but my concern is over the physical port limitaion. I can have 8 Gig ports if I want them, but if I want IPS then I only have 4 Gig ports to play with.

If I go for the Catalyst 6500 option I am then able to increase the port density but the cost goes up.

Can anyone clarify whether or not I need an additional module on the 6500 to use IPS, and also confirm which would be the best option to use for high firewall throughput ?

TIA
SOLUTION by akalbfell
ASKER CERTIFIED SOLUTION by 3nerds (United States)
For what purpose do you need such high port density on a firewall?
ccfcfc (asker):

The port density isn't necessarily a requirement. However, further development may mean that I need additional ports, and my concern is that I don't limit the port count now only to find that I need more at a later date and need to buy a new box.

That's why the 6500 appeals. It gives me more options and more future-proofing.
ccfcfc (asker):

akalbfell/3nerds,

What's the difference between having a 6500 with the IPSec/VPN K9 software and one with the Firewall Services Module ?

Aren't they both doing basically the same thing ?
ccfcfc,

You could just trunk one of your ports on your ASA and expand your port count off another switch dedicated for that purpose, or off an existing one that just has a couple of spare ports.

Firewall is packet inspection and everything else that goes with it. The IPsec/VPN one gives you those pieces. You have to have the Firewall Services Module if you want the actual inspection pieces.

Regards,

3nerds
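To make the trunking suggestion above concrete, here is an added example (not configuration from this thread, and not Cisco's) of one ASA 5520 port split into 802.1Q subinterfaces and trunked to a Catalyst switch. Interface names, VLAN numbers and addresses are assumed for the example.

```cisco
! --- ASA side (added example; names, VLANs and addresses are assumed) ---
! The parent port carries tagged frames only: it gets no nameif and no IP,
! so untagged traffic arriving on it is not forwarded anywhere.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN; each one is a separate firewalled zone
interface GigabitEthernet0/1.10
 vlan 10
 nameif video-a
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif video-b
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Default behaviour, stated explicitly: traffic between two interfaces at
! the same security level is dropped unless you permit it
no same-security-traffic permit inter-interface

! --- Switch side (Catalyst IOS; added example) ---
interface GigabitEthernet1/0/1
 description trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

Two things a practitioner would check: pruning the allowed VLAN list on the switch side limits what can reach the firewall to the zones it is meant to see, and `switchport nonegotiate` stops DTP from forming a trunk the ASA never asked for. The limitation is the one raised later in the thread: every subinterface shares the parent port's single 1 Gb of bandwidth, so this expands the port count, not the capacity behind any one port.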
ccfcfc (asker):

Thanks, 3nerds.

I will have high traffic flows on a lot of my ports (video traffic), so I will need to retain 1Gb on the interfaces on the firewall meaning I can't trunk several subnets through one interface.

That's the same reason I was asking about the overall firewall throughput. I potentially need high throughput with a high interface count. For example, I already have 6 interfaces in use so I am 2 off the ASA limit, and I can't sub-divide any of the existing interfaces due to high bandwidth requirements.

CCFCFC,

I am now a little confused with your environment.

A Cisco ASA5520 can only handle a max of 450 Mbps through it, so how are you maintaining 1 Gb?

Specs listed at this link:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

If you want that kind of throughput you will need to scale up to a 5580-20 like what akalbfell listed, or cluster additional 5520s together, or put in multiple Firewall Services Modules, which will give you 650 Mbps each; adding additional blades to the chassis will give you more.

The 5520 has the ports but the device can not handle that amount of throughput.

Maybe you can clarify for me?

Regards,

3nerds
ccfcfc (asker):

Sorry, 3nerds, I will clarify.

The ASA5520 is my current device. I am now looking at options for my next device to clarify what performance I can get for what cost. High throughput and IPS are both requirements that I need to meet, but like everyone else I am also limited by budget so I'm trying to identify just what I would need, and at what cost, to have all of this on a 6500 as opposed to having to stay with an ASA because it's cheaper.

Sorry for any confusion.
CCFCFC,

Thanks for the clarification!

Seeing that you already have an ASA5520 it would be less expensive to add additional ASA5520 devices as needed in a cluster situation. This will give you additional ports as well as additional throughput. You can add up to 10 of them in a cluster.

As to IDS, the only thing I do not like about the SSM module is that you can only use it to monitor traffic that flows through the device. The reason I don't care for that is that the module is not that much less expensive than a standalone IPS, and you can monitor other network segments with the standalone device. If you're not using the ASA on an edge that may not be a big concern, but it is a consideration. Depending on the amount of traffic that you plan to monitor with the IPS, you will need to size that accordingly as well.

Regards,

3nerds
ccfcfc (asker):

3nerds,

Can you point me at any documentation that explains in detail what benefits clustering would give me, i.e. how does it aggregate devices in such a way as to provide additional ports and throughput, and what do I lose on each additional ASA in order to actually implement the cluster ?

Thanks.
Cisco ASA 5520 Adaptive Security Appliance
The Cisco ASA 5520 Adaptive Security Appliance delivers security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks in a modular, high-performance appliance. With four Gigabit Ethernet interfaces and support for up to 100 VLANs, businesses can easily deploy the Cisco ASA 5520 into multiple zones within their network. The Cisco ASA 5520 Adaptive Security Appliance scales with businesses as their network security requirements grow, delivering solid investment protection.
Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Businesses can scale up to 750 SSL VPN peers on each Cisco ASA 5520 by installing an SSL VPN upgrade license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, offering a maximum of 7500 SSL VPN peers or 7500 IPsec VPN peers per cluster. For business continuity and event planning, the Cisco ASA 5520 can also benefit from the Cisco VPN FLEX licenses, which enable administrators to react to or plan for short-term bursts of concurrent SSL VPN remote-access users, for up to a 2-month period.
The advanced application-layer security and content security defenses provided by the Cisco ASA 5520 can be extended by deploying the high-performance intrusion prevention and worm mitigation capabilities of the AIP SSM, or the comprehensive malware protection of the CSC SSM. Using the optional security context capabilities of the Cisco ASA 5520 Adaptive Security Appliance, businesses can deploy up to 20 virtual firewalls within an appliance to enable compartmentalized control of security policies on a departmental level. This virtualization strengthens security and reduces overall management and support costs while consolidating multiple security devices into a single appliance.

Taken from:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
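The "cluster" the data sheet describes is VPN load balancing: the appliances share a virtual cluster address, and the elected master redirects each incoming remote-access session to the least-loaded member. It spreads VPN sessions across boxes; it does not aggregate firewall throughput, so each member still forwards its own sessions' traffic within its own per-box limit. As an added example (not from the thread or the data sheet; interface names, addresses and the key are assumed), the configuration on each member looks like this:

```cisco
! Added example: VPN load-balancing member (ASA 8.x syntax; values assumed)
! Every member carries the same block; only its own interface addresses differ.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.11 255.255.255.0
!
vpn load-balancing
 ! Members exchange load state over the private side; encrypt and key it
 cluster encryption
 cluster key <shared-secret-placeholder>
 ! Virtual address clients connect to; must sit in the outside subnet
 cluster ip address 203.0.113.10
 cluster port 9023
 interface lbpublic outside
 interface lbprivate inside
 ! Higher priority wins master election on a tie
 priority 10
 participate
```

The `cluster encryption` and `cluster key` lines are the part worth not skipping: without them the members' load-balancing exchange on the private interface runs in the clear. Members must also present certificates or pre-shared material that clients will accept for whichever member they are redirected to.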

CCFCFC,

Exactly what you want to accomplish will determine whether you can just add additional 5520 devices. For example, if you are using this and need multiple contexts for many different small firewalls, this should work out. On the other hand, if you have one big connection that is going to grow and grow, it will not, as you cannot share the load across more than one interface if it is all going out your one internet connection. Even with the first option I listed, clustering/load balancing may not be necessary in your situation.

The way you were explaining that you wanted additional ports made me think that the additional contexts would be of benefit and allow you to grow them.

This is the only document that I can find on contexts for you.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#lanbas

I have only played with the contexts and will be honest that I don't know your whole situation exactly, so I can't say if this would be of benefit. If it isn't, then you will have to look at another option like the 5580-20 or the 6500 with a Firewall Services Module. Although I much prefer the new code and options of the ASA product.

Hope this helps.

Regards,

3nerds
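As an added illustration of the security-context option discussed above (not configuration from this thread, from the linked Cisco document, or from Cisco; context names, interfaces and file names are assumed), this is how one ASA is divided into separately administered virtual firewalls:

```cisco
! Added example: splitting one ASA into security contexts (names assumed)
! Issued once from single mode; the appliance reboots into multiple mode.
mode multiple
!
! System execution space: physical ports, subinterfaces and context
! definitions live here. Per-context policy lives in each context's config.
interface GigabitEthernet0/1.10
 vlan 10
!
interface GigabitEthernet0/1.20
 vlan 20
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context video
  description video DMZ; its own policy and its own administrators
  ! mapped names hide the physical interface from the context's admins
  allocate-interface GigabitEthernet0/1.10 video-in
  allocate-interface GigabitEthernet0/2 video-out
  config-url disk0:/video.cfg
!
context web
  allocate-interface GigabitEthernet0/1.20 web-in
  config-url disk0:/web.cfg
```

Each context gets its own rule base, logging and management access, which is the compartmentalisation benefit. What it does not give is capacity: all contexts share the same CPU and the same per-appliance throughput, and on the 8.x software of that generation multiple-context mode did not support VPN termination, so a box that must also terminate tunnels stays in single mode.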