Cisco Adds Features to Firewall Services Module

The Firewall Services Module (FWSM) in a Cisco 6500 switch has been the system of choice for those seeking to achieve over 5 Gbps of stateful firewall forwarding performance with over 100K connections/second and over 1 million active connections. On February 9th, 2009 Cisco released Firewall Services Module (FWSM) software version 4.0.4, which has some important new features. Simply by upgrading the software to this version, several features are added that can increase the performance of your FWSMs.

In my opinion, the most important feature that version 4.0.4 adds is Virtual Switching System (VSS) support. This is of particular importance to many customers planning their migrations to VSS-enabled core switches. With VSS support both FWSMs act like a single FWSM, and both chassis can handle traffic. No configuration is thus required on the FWSMs to combine them into one large “virtual” multi-chassis firewall. Historically you would use two FWSMs (one in each chassis) and configure active/passive high availability on a per-context basis. Because the base license ships the FWSM with only two contexts, you could only set up active/active load balancing for a single context. Now that VSS support is available you no longer need to worry about the high availability and can let the VSS system within the Sup720 10GE VSS-enabled blades take care of the rest. That creates one high-performance firewall with tons of interfaces.

New in FWSM 4.0 software is Trusted Flow Acceleration (TFA), where the FWSM uses NetFlow information on the chassis to accelerate flows once the firewall policy has statefully established them. With TFA the FWSM can achieve a total throughput of 20 Gbps.

Support for Supervisor 32 Programmable Intelligent Services Accelerator (PISA) cards adds to the FWSM's ability to perform deep inspection of protocols. With this feature the FWSM can perform additional inspection of MS-RPC, HTTP, and SMTP traffic. The caveat is that this requires IOS 12.2(18)ZYA or newer to be running on the Sup 32.

This new version of FWSM software increases ACL scalability up to 130,000 ACLs, which is more than I could ever conceive needing. ACL memory was increased 35% over FWSM 3.x. You can check the amount of ACL memory your FWSM has with the “show np 3 acl stats” and “show np 3 acl count 0 | begin MAX” commands.

Up to now, routing on the FWSM has been primarily limited to static routes used within a context. This is particularly true if you are running in multiple-context mode. The risk is high if routes allow traffic to bypass the FWSM, because that breaks one of the golden rules of firewalls: they can't protect traffic that does not flow through them. Now with FWSM 4.x software EIGRP is supported in single-context mode. Routing protocols are still verboten in multiple-context mode. Multi-mode Route Health Injection (RHI) support allows static routes and NAT pools to be injected into the forwarding tables on the MSFC. This lets the MSFC use these routes for connectivity to other systems based on the availability of the FWSM context.
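The bypass concern in the paragraph above is something you can audit mechanically rather than by eye. The following is an added example, not code from the article or from Cisco: it parses constructed IOS-style “show ip route” lines from the MSFC and flags any route covering a protected prefix whose next hop is not the FWSM context's address, which is exactly the case where traffic would not flow through the firewall. Every address, prefix and the set of FWSM next hops are assumptions constructed for the example; on a real chassis you would feed it the actual routing table and the addresses of the FWSM context interfaces.

```python
"""Audit MSFC routes for paths that bypass an FWSM context.

Added example (not from the article): a firewall cannot protect traffic that
does not flow through it, and the MSFC routing table (including RHI-injected
routes) decides where traffic goes. This script parses constructed
'show ip route'-style lines and flags any route toward a protected prefix
whose next hop is not a firewall-side address. All addresses and prefixes
below are constructed sample data, not values from the article.
"""
import ipaddress
import re

# Constructed sample: next-hop addresses that belong to the FWSM context's
# MSFC-facing interface on this chassis (assumption for the example).
FWSM_NEXT_HOPS = {ipaddress.ip_address("10.0.0.2")}

# Constructed sample: prefixes that must only be reachable through the FWSM.
PROTECTED_PREFIXES = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample routing table lines in the IOS 'show ip route' style.
SAMPLE_ROUTES = """\
S    10.10.0.0/16 [1/0] via 10.0.0.2
S    10.10.5.0/24 [1/0] via 10.0.0.9
C    10.0.0.0/24 is directly connected, Vlan100
S    192.168.50.0/24 [1/0] via 10.0.0.2
O    172.16.0.0/16 [110/20] via 10.0.0.9, 00:10:11, Vlan100
"""

# Matches "<code> <prefix>/<len> [ad/metric] via <nexthop>" or a connected route.
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)|is directly connected)"
)


def parse_routes(text):
    """Return a list of (prefix, next_hop_or_None) from IOS-style route lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # skip legend lines, gateway-of-last-resort text, etc.
        prefix = ipaddress.ip_network(m.group("prefix"), strict=False)
        hop = m.group("nexthop")
        routes.append((prefix, ipaddress.ip_address(hop) if hop else None))
    return routes


def find_bypass_routes(routes, protected, fwsm_hops):
    """Flag routes that cover any protected prefix but do not point at the FWSM.

    Overlap is checked in both directions: a more-specific route (e.g. a /24
    inside a protected /16) is the classic way traffic quietly slips past a
    firewall, and a less-specific covering route is just as much of a bypass.
    Connected routes that overlap a protected prefix are reported as "connected".
    """
    findings = []
    for prefix, hop in routes:
        touches_protected = any(prefix.overlaps(p) for p in protected)
        if touches_protected and hop not in fwsm_hops:
            findings.append((str(prefix), str(hop) if hop else "connected"))
    return findings


if __name__ == "__main__":
    hits = find_bypass_routes(parse_routes(SAMPLE_ROUTES),
                              PROTECTED_PREFIXES, FWSM_NEXT_HOPS)
    for prefix, hop in hits:
        print(f"BYPASS: {prefix} via {hop} does not traverse the FWSM")
```

With the constructed table, the /16 and the /24 that point at 10.0.0.2 pass, while the more-specific 10.10.5.0/24 via 10.0.0.9 is reported, which is the kind of route that an errant static entry or a stale RHI injection can leave behind.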

In order to unlock the potential of these new FWSM features, your 6500 switch must be running either Native IOS or Modular IOS version 12.2(33)SXI or newer. The release notes describe several of these caveats.

There is more information about the FWSM configuration on the FWSM documentation home page.


Copyright © 2009 IDG Communications, Inc.