Solved

Cisco ASA or Catalyst 6500 ?

Posted on 2009-05-19
12
1,109 Views
Last Modified: 2012-06-27
I am looking for some guidance on the pros/cons of the ASA vs the Catalyst 6500.

I have been using an ASA5520 for some time and am very happy with it, but my concern is over the physical port limitation. I can have 8 Gig ports if I want them, but if I want IPS then I only have 4 Gig ports to play with.

If I go for the Catalyst 6500 option I am then able to increase the port density but the cost goes up.

Can anyone clarify whether or not I need an additional module on the 6500 to use IPS, and also confirm which would be the best option to use for high firewall throughput ?

TIA
0
Comment
Question by:ccfcfc
12 Comments
 
LVL 8

Assisted Solution

by:akalbfell
akalbfell earned 100 total points
ID: 24424169
Yes you would need another module for IDS, part is WS-X6381-IDS
as for throughput, a 6500 with a FWSM can handle 5 GBPS which compares to the 5580-20 but you can add extra modules to get up higher. You can have a total of 5 modules i believe
0
 
LVL 13

Accepted Solution

by:
3nerds earned 400 total points
ID: 24424491
As AKALBFELL stated you need the Cat6500 and everything that goes along with it.

Along with an additional blade for IDS you would also need to add Firewall Services Modules, which are only rated at about 650mb per blade. You can add additional blades to increase throughput, but I want to warn you: if you like the new ASA code or the ASDM you will hate the Firewall Services Module. It is based on the PIX code and has no GUI counterpart to my knowledge.

The only place I sell or recommend the CAT6500 for firewall is when growth is a problem as you can add the additional blades for additional throughput and keep them in one chassis. Just keep in mind that even though it has additional ports available the processing throughput of each device is going to be your limiting factor.

Regards,

3nerds
0
 
LVL 13

Expert Comment

by:Quori
ID: 24427410
For what purpose do you need such high port density on a firewall?
0
 

Author Comment

by:ccfcfc
ID: 24431195
The port density isn't necessarily a requirement. However, further development may mean that I need additional ports, and my concern is that I don't limit the port count now only to find that I need more at a later date and need to buy a new box.

That's why the 6500 appeals. It gives me more options and more future-proofing.
0
 

Author Comment

by:ccfcfc
ID: 24431212
akalbfell/3nerds,

What's the difference between having a 6500 with the IPSec/VPN K9 software and one with the Firewall Services Module ?

Aren't they both doing basically the same thing ?
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24431310
ccfcfc,

You could just trunk one of your ports on your ASA and expand your port count off of another switch dedicated for that purpose, or off of an existing one that just has a couple of spare ports.

Firewall is packet inspection and everything else that goes with it. The IPSEC/VPN one gives you those pieces. You have to have the Firewall Services Module if you want the actual inspection pieces.

Regards,

3nerds
0
 

Author Comment

by:ccfcfc
ID: 24431381
Thanks, 3nerds.

I will have high traffic flows on a lot of my ports (video traffic), so I will need to retain 1Gb on the interfaces on the firewall meaning I can't trunk several subnets through one interface.

That's the same reason I was asking about the overall firewall throughput. I potentially need high throughput with a high interface count. For example, I already have 6 interfaces in use so I am 2 off the ASA limit, and I can't sub-divide any of the existing interfaces due to high bandwidth requirements.

0
 
LVL 13

Expert Comment

by:3nerds
ID: 24431833
CCFCFC,

I am now a little confused with your environment.

A Cisco ASA5520 can only handle a max of 450mbps through it so how are you maintaining 1GB?

Specs listed at this link:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

If you want that kind of throughput you will need to scale up to a 5580-20 like what akalbfell listed, or cluster additional 5520's together, or put in multiple Firewall Services Modules, which will give you 650mbps each; adding additional blades to the chassis will give you more.

The 5520 has the ports but the device cannot handle that amount of throughput.

Maybe you can clarify for me?

Regards,

3nerds
0
 

Author Comment

by:ccfcfc
ID: 24431974
Sorry, 3nerds, I will clarify.

The ASA5520 is my current device. I am now looking at options for my next device to clarify what performance I can get for what cost. High throughput and IPS are both requirements that I need to meet, but like everyone else I am also limited by budget so I'm trying to identify just what I would need, and at what cost, to have all of this on a 6500 as opposed to having to stay with an ASA because it's cheaper.

Sorry for any confusion.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24432100
CCFCFC,

Thanks for the clarification!

Seeing that you already have an ASA5520 it would be less expensive to add additional ASA5520 devices as needed in a cluster situation. This will give you additional ports as well as additional throughput. You can add up to 10 of them in a cluster.

As to IDS, the only thing I do not like about the SSM module is that you can only use it to monitor traffic that flows through the device. The reason I don't care for that is the module is not that much less expensive than a standalone IPS, and you can monitor other network segments with the standalone device. If you're not using the ASA on an edge that may not be a big concern, but it is a consideration. Depending on the amount of traffic that you plan to monitor with the IPS you will need to size that accordingly as well.

Regards,

3nerds
0
 

Author Comment

by:ccfcfc
ID: 24442148
3nerds,

Can you point me at any documentation that explains in detail what benefits clustering would give me, i.e. how does it aggregate devices in such a way as to provide additional ports and throughput, and what do I lose on each additional ASA in order to actually implement the cluster ?

Thanks.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24442507
Cisco ASA 5520 Adaptive Security Appliance
The Cisco ASA 5520 Adaptive Security Appliance delivers security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks in a modular, high-performance appliance. With four Gigabit Ethernet interfaces and support for up to 100 VLANs, businesses can easily deploy the Cisco ASA 5520 into multiple zones within their network. The Cisco ASA 5520 Adaptive Security Appliance scales with businesses as their network security requirements grow, delivering solid investment protection.
Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Businesses can scale up to 750 SSL VPN peers on each Cisco ASA 5520 by installing an SSL VPN upgrade license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, offering a maximum of 7500 SSL VPN peers or 7500 IPsec VPN peers per cluster. For business continuity and event planning, the Cisco ASA 5520 can also benefit from the Cisco VPN FLEX licenses, which enable administrators to react to or plan for short-term bursts of concurrent SSL VPN remote-access users, for up to a 2-month period.
The advanced application-layer security and content security defenses provided by the Cisco ASA 5520 can be extended by deploying the high-performance intrusion prevention and worm mitigation capabilities of the AIP SSM, or the comprehensive malware protection of the CSC SSM. Using the optional security context capabilities of the Cisco ASA 5520 Adaptive Security Appliance, businesses can deploy up to 20 virtual firewalls within an appliance to enable compartmentalized control of security policies on a departmental level. This virtualization strengthens security and reduces overall management and support costs while consolidating multiple security devices into a single appliance.

Taken from:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

CCFCFC,

Depending on exactly what you want to accomplish will determine if you can just add additional 5520 devices. For example, if you are using this and need multiple contexts for many different small firewalls, this should work out. On the other hand, if you have 1 big connection that is going to grow and grow it will not, as you cannot share the load across more than one interface if it is all going out your 1 internet connection. Even with the first option I listed, clustering/load balancing may not be necessary in your situation.

The way you were explaining that you wanted additional ports made me think that the additional contexts would be of benefit and allow you to grow them.

This is the only document that I can find on contexts for you.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#lanbas

I have only played with the contexts and will be honest that I don't know your whole situation exactly to say if this would be of benefit. If it isn't then you will have to look at another option like the 5580-20 or the 6500 with a firewall services module. Although I much prefer the new code and options of the ASA product.

Hope this helps.

Regards,

3nerds
0
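Since the answer above leans on security contexts as the way to "grow" separate small firewalls inside one 5520, here is an added configuration example of what that looks like (not from the thread, and not from the linked Cisco document). Context names, the config-url paths and the interfaces allocated are assumptions for illustration; the subinterfaces referenced are assumed to already exist in the system configuration. It also records the trade-off ccfcfc asked about: switching to multiple mode is a system-wide change, and on the ASA 8.x code of the time it drops features such as VPN termination and dynamic routing, so check the release notes for your code train before converting.

```cisco
! --- System execution space (assumed: ASA 8.x, subinterfaces already defined) ---
! Converting to multiple mode reboots the appliance and rewrites the
! running config into an admin context; take a backup first.
mode multiple
!
! The admin context is where you land on login and from which you
! change between contexts; keep only management interfaces in it.
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
! One context per department: each gets only the subinterfaces it owns,
! its own nameif/security-level/ACL policy, and its own config file.
context video
  description video distribution firewall
  allocate-interface GigabitEthernet0/1.10
  allocate-interface GigabitEthernet0/1.20
  config-url disk0:/video.cfg
!
context office
  description general office firewall
  allocate-interface GigabitEthernet0/1.30
  config-url disk0:/office.cfg
!
! Verification from the system space after the reload:
!   show mode
!   show context
!   changeto context video
```

Because an interface (or subinterface) is allocated to exactly one context in this layout, traffic between departments has to leave one context and enter another, which is what gives the per-department policy separation; the throughput ceiling is still the single appliance's, as 3nerds notes.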