Catalyst 6500 with firewall question

Discussion in 'Cisco' started by Rob, Feb 3, 2004.

  1. Rob (Guest)

    I have a question regarding the Catalyst 6500 switches.

    Is it required to get the FWSM module to have individual port firewall
    capabilities on the switch? Or with any of the later Supervisor
    engines, do I have the ability to do firewall functions within the
    switch IOS?

    I don't have a 6500 yet for our datacenter, but am gathering
    information. I primarily want to upgrade from a 4006 to a 6513 for
    port density, and the ability to use the IDS module. However, I can
    see a need for firewall or port filtering capabilities on a couple
    ports, but not $25,000 worth for a full FWSM module. I'm talking
    about protecting a few key servers within a VLAN.

    I'm running CatOS now on our 4006, so I am not aware of the
    capabilities of the IOS based 6513 out of the box, hence this post.

    Rob, Feb 3, 2004

  2. Jason Kau (Guest)

    Assuming you get a Cat 6500 with a MSFC3/PFC3:

    The Firewall Services Module does not give you "firewall functions within
    the switch IOS". There's a separate OS running on the FWSM (based on
    PIX/Finesse) that you have to connect to from the switch IOS and
    configure, much like how you had to connect to an RSM or ATM LANE card
    from CatOS on the Catalyst 5000/5000. The Firewall Services Module is a
    virtual firewall that sits in front of the Catalyst 6500's MSFC3 or
    behind the MSFC3, connected to the MSFC via VLAN(s).

    You can apply standard/extended IOS ACLs directly to Layer 3 ports or
    VLAN logical interfaces and they're processed in hardware. Reflexive
    ACLs are processed in software on the MSFC3, I believe. All of this is
    part of the standard Cat 6500 IOS. No FWSM is needed. However, this
    does not give you true "stateful packet inspection" firewall capability.
    For stateful packet inspection on the Catalyst 6500 platform, you need to either:

    1) Use the Cat 6500 IOS Firewall Feature Set, which gives you stateful packet
    inspection aka Context-Based Access Control (CBAC) or "ip inspect". CBAC
    is probably processed in software, so you don't want too much stuff using
    CBAC or you could overload the MSFC3 CPU.

    2) Use a FWSM.

    Since you only need to protect a few servers, you can probably get by
    with IOS Firewall Feature Set. But I can't say for sure as I've not used
    it. Consult with Cisco.
    Jason Kau, Feb 3, 2004
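The two options Jason describes, written out as an IOS configuration fragment. This is an added example, not configuration from the thread or from Cisco documentation; it assumes a Catalyst 6500 running native IOS with an MSFC3/PFC3, two servers to protect in VLAN 10 (10.10.10.5 and 10.10.10.6, a constructed 10.10.10.0/24 VLAN), a management network 10.10.100.0/24, and, for the second part, an image that includes the IOS Firewall feature set. The ACL and inspection names (SERVERS_IN, FW) and all addresses are illustrative.

```text
! Added example, not part of the original thread. Assumptions: native IOS on a
! Cat 6500 with MSFC3/PFC3, servers at 10.10.10.5/.6 in VLAN 10, management
! network 10.10.100.0/24. Names and addresses are illustrative.

! --- Option 1: stateless extended ACL on the VLAN's routed interface (SVI).
!     Evaluated in hardware by the PFC; no FWSM needed. Note: adding the "log"
!     keyword to an entry punts matching packets to the MSFC CPU, so it is
!     left off here.
ip access-list extended SERVERS_IN
 remark web server reachable from anywhere on 80/443
 permit tcp any host 10.10.10.5 eq 80
 permit tcp any host 10.10.10.5 eq 443
 remark SSH to both servers only from the management network
 permit tcp 10.10.100.0 0.0.0.255 host 10.10.10.5 eq 22
 permit tcp 10.10.100.0 0.0.0.255 host 10.10.10.6 eq 22
 remark everything else destined to the protected servers is dropped
 deny   ip any host 10.10.10.5
 deny   ip any host 10.10.10.6
 remark other hosts in VLAN 10 are not filtered
 permit ip any any
!
interface Vlan10
 description Server VLAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group SERVERS_IN out

! --- Option 2: add stateful inspection (CBAC) on top of the same ACL.
!     Requires the IOS Firewall feature set; inspection runs in software on
!     the MSFC3, so apply it only where needed (here, one SVI).
ip inspect name FW tcp
ip inspect name FW udp
!
interface Vlan10
 ip inspect FW in
```

With Option 1 alone, a connection the servers initiate themselves (DNS, updates) has its return traffic dropped by the deny entries, because the ACL has no notion of session state. Option 2 fixes that: "ip inspect FW in" on Vlan10 inspects sessions the servers open as they enter the SVI and opens temporary holes in the outbound ACL for the replies, while new inbound sessions toward the servers are still limited to what SERVERS_IN permits. One caveat either way: an ACL on an SVI only sees traffic routed through that interface, so hosts in the same VLAN 10 reach the servers at Layer 2 without ever crossing the filter; protecting the servers from neighbors in their own VLAN needs VLAN access maps (VACLs) instead.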

  3. Rob (Guest)

    If the IOS Firewall feature set is available on the Catalyst, that is
    what I'd prefer. thanks!
    Rob, Feb 3, 2004