Questions on 6500 series

Discussion in 'Cisco' started by pfisterfarm, Aug 5, 2009.

  1. pfisterfarm

    pfisterfarm Guest

    We're looking at replacing a 4507R at the core of our network with a
    6500 series. Currently, the 4507R has a supervisor engine IV, 3 48-
    port copper blades, and 2 6-port fiber blades. We're hoping to include
    in the 6500 series replacement the firewall module (to replace a PIX
    525), vpn (to replace a 3005 concentrator), and IDS/IPS.

    I'm a little confused as to what I need from looking at the Cisco
    product pages. Is there a guide somewhere as to what to get? The
    firewall that we would be replacing is actually a pair of PIX 525s in
    an active/standby pair. We'd like to have some redundancy in the 6500
    as well. We'd also like some sort of failover for the IDS/IPS if

    A couple of questions:
    - if I have two FWSMs installed, they would load balance, and if one
    failed, the other would take over all traffic, correct?
    - I see a "VPN services port adapter" and a "VPN shared port
    adapter"... I'm not sure how they differ
    - The supervisor engine 720 and the supervisor engine 32... we'd need
    one or the other, correct?
    - Would we need the Policy Feature Card and the Distributed Forwarding


    pfisterfarm, Aug 5, 2009
    1. Advertisements

  2. Steve,

    You know that's one hour+ worth of sales meeting to answer those
    questions, right? :)

    Very briefly - I'd stay away from service modules. ASA5500 series will
    get you better performance for less money for both firewall and VPN. You
    can get IDS/IPS module for it too, I believe (I don't deal with IDS much
    , if at all).

    If you decide to go with FWSM - yes, it can provide Active/Passive
    fail-over in the same 6500 chassis (or different chassis). Active/Active
    is gimmick when you have multiple context and flipping Active/Passive
    roles between the boxes.

    VPN - I think you are looking at SPA, that's not VPN service module.

    Supervisor - only 720. Otherwise you may stick with 4705R (6Gbps per
    slot vs. 32Gbps shared bus on Sup32).

    DFC is needed for distributed forwarding - local switching on line card.

    At this particular time I'd be very careful about buying 6500 in
    general. If you are somewhat local to western seaboard of USA, we can
    take it off-line.

    Andrey Tarasov, Aug 5, 2009
    1. Advertisements

  3. pfisterfarm

    bod43 Guest

    Is the right answer. You need to get somone to sell you
    a solution that will do what you ask. Would be my advice.
    Intriguing. Well I am out of that for the moment so I will wait n see.
    bod43, Aug 5, 2009
  4. pfisterfarm

    pfisterfarm Guest

    You know that's one hour+ worth of sales meeting to answer those
    Yes, and I appreciate you taking your time... :)
    I'm still not sure which is which. Guess I'll need to look at the
    cisco product pages a little more.
    So, the 6500 with a Sup32 is about the same performance as a 4507R?
    Really? What should we be careful?
    pfisterfarm, Aug 6, 2009
  5. pfisterfarm

    Stephen Guest

    the backplane limits the traffic between slots to 32 Gbps or so.

    by contrast a 4500 with Sup5 or later gets at least 6 Gbps per slot
    thru its fabric - so the balance depends on how many slots you

    having said that - if you want more than 32 Gbps thru VPN + F/wall you
    have other problems to worry about....

    Note the FWSM is fast but fairly old - AFAIR not up to the same
    features as a high end ASA.
    Stephen, Aug 6, 2009
  6. It's really not about my time - after all I'm not chained to the
    keyboard and nobody is forcing me to answer.
    Two things - face to face communication is more quicker, and second -
    NDA. There is just so much people can answer in public forum.
    Here is the link to VPN service module -

    as you can see it's end-of-life. Replacement is

    SPA-IPSEC-2G and 7600-SSC-400 combo.
    Pretty close. Unless you are going to run 6500 chassis with single GigE
    module. In that case 6500 will be faster.
    One word - Nexus.

    Andrey Tarasov, Aug 7, 2009
  7. pfisterfarm

    Thrill5 Guest

    Why are you replacing the 4507? Do you need more slots or more throughput?
    If it's throughput how do you know the 4507 is the bottleneck?

    On another note, I have yet to see a network design in which a 6500 service
    module provided any value over using a separate device. The FWSM is very
    expensive, and does not have the performance or all the features of an ASA.
    From talk I've heard from Cisco, the FWSM is also nearing EOS.
    Thrill5, Aug 8, 2009
  8. Please don't compare the Cat4500 series with the Cat6500 series switches
    as the Cat6500 is much more flexible... With a Cat6500, you can :

    _ deploy Service Modules (load-balancers, firewalls, IDS, Wireless
    _ install WAN cards (ATM OC48/STM16 or OC192/STM64, 10GigEth WAN PHY...)
    _ run MPLS protocols (Yes, the Cat6500 is more a router than a switch)
    _ use distributed CEF (Cat4500 line cards are 100% passive)
    _ configure NAT (it's the only Cisco switch supporting NAT - even if it
    does not perform very well)
    _ run VSS on pair of distant chassis (VSS allows two Cat6500 chassis to
    share the same control-plane using 10G links as "backplane
    interconnects" (VSS requires specific supervisor and line cards)
    _ use reflexive ACL
    _ run NetFlow (FYI, NetFlow was an option on the SupIV and it was
    integrated on the SupV-10G for the Cat4500 - NetFlow is not available on
    Cisco's standalone switches).

    Nevertheless, if you don't need these features, you should consider the
    new Sup6-E supervisor card for the 4500-E series switch (up to 320 Gbps
    per system and up to 5 line cards connected to the backplane @ 24 Gbps
    per slot / new non-blocking 24-SFP slot "E" card / new 6-port 10G "E"
    card) / new 48-port GbE RJ45 "E" card (all these cards can support Jumbo
    frames). The "only" bad news with the Sup6-E is the lack of NetFlow
    support (moreover there's no slot on the Sup6-E for an optional NetFlow
    daughter card... so we have to wait for the next generation of
    Supervisor cards for the 4500E series).

    If you really need advanced features, you should consider Nexus series
    switchs (Nexus 5000 with fabric extenders are probably a cost-effective
    solution for GbE/10GbE LAYER-2 switching - Nexus 7000 is more or less
    dedicated to large datacenters).

    Good luck.

    - Ludal -
    Ludovic BOISSEAU, Aug 10, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.