Re: Questions on 6500 series

pfisterfarm wrote:
We're looking at replacing a 4507R at the core of our network with a
6500 series. Currently, the 4507R has a supervisor engine IV, 3 48-
port copper blades, and 2 6-port fiber blades. We're hoping to include
in the 6500 series replacement the firewall module (to replace a PIX
525), VPN (to replace a 3005 concentrator), and IDS/IPS.

I'm a little confused as to what I need from looking at the Cisco
product pages. Is there a guide somewhere as to what to get? The
firewall that we would be replacing is actually a pair of PIX 525s in
an active/standby pair. We'd like to have some redundancy in the 6500
as well. We'd also like some sort of failover for the IDS/IPS if

A couple of questions:
- if I have two FWSMs installed, they would load balance, and if one
failed, the other would take over all traffic, correct?
- I see a "VPN services port adapter" and a "VPN shared port
adapter"... I'm not sure how they differ
- The supervisor engine 720 and the supervisor engine 32... we'd need
one or the other, correct?
- Would we need the Policy Feature Card and the Distributed Forwarding


You know that's one hour+ worth of sales meeting to answer those questions, right? :-)

Very briefly - I'd stay away from service modules. The ASA5500 series will get you better performance for less money for both firewall and VPN. You can get an IDS/IPS module for it too, I believe (I don't deal with IDS much, if at all).

If you decide to go with FWSM - yes, it can provide Active/Passive fail-over in the same 6500 chassis (or different chassis). Active/Active is a gimmick when you have multiple contexts and are flipping Active/Passive roles between the boxes.

VPN - I think you are looking at the SPA; that's not a VPN service module.

Supervisor - only 720. Otherwise you may stick with 4705R (6Gbps per slot vs. 32Gbps shared bus on Sup32).

DFC is needed for distributed forwarding - local switching on line card.

At this particular time I'd be very careful about buying a 6500 in general. If you are somewhat local to the western seaboard of the USA, we can take it off-line.

