Cisco Firewall Services Module Real-World Information Request

Gary Flynn flynngn at
Wed May 28 23:28:53 GMT 2003


The number of ACLs we're using is taxing the CPU
on our 6500 series switches. I'm investigating
using the FWSM module to offload this function.

The FWSM module data sheet says it can handle
120,000 ACLs. Anyone using anywhere near that
number? How about 10,000? 1,000? I'd sure like
to hear some real-world stories. What kind of
throughput are you dealing with? How specific and
varied are the rules? Across how many vlans?
How does logging affect the situation?

When we reload some of our ACLs on some of
our vlans, the router CPU goes to 100% for a
period of time. If we reload the ACLs across
all vlans, the CPU goes to 100% for an
unacceptable period of time.

What happens when various parts of the ruleset
of an FWSM is reloaded? Ideally, I'd like to be
able to change ACLs on the fly regularly without
impacting operation to enable such applications
as IDS Shunning and a user interface allowing
limited access adjustments.

The Cisco web site refers to a document entitled
"Cisco PIX vs. Firewall Module Differences" which
doesn't exist at the link specified. Anyone have
a copy of this document?

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.

