[rescue] Cisco 5000 parts

Mike Meredith mike at blackhairy.demon.co.uk
Tue May 4 17:51:34 CDT 2004


On Tue, 4 May 2004 14:49:09 -0700 (PDT), Janet L. Campbell wrote:
> I assume you're talking about the MSFC.  A 5000 with RSP does run with

Yes. I wouldn't know an RSP if it fell out of the sky and hit me on the
head.

> What's your thought on the FWSM?  Cisco is pushing them on us and I'm 

Do you want it with or without the swearwords? I'm at three weeks after
making the transition from a UE250 running FW-1 to a 6509 with dual
FWSM blades, and it was a fucking nightmare ... chiefly because the
consultant provided by the vendor was a bit on the useless side (there's
a CISSP walking around with a severe crisis of confidence as every time
he came down we ran rings around him).

Let's see ...

The FWSM is similar to the PIX but not quite the same. Some of the
differences are understandable as the PIX is interface based, whilst the
FWSM understands nothing but VLANs (you assign VLANs to the FWSM blade
in the supervisor (or possibly in the MSFCs ... I'm a little vague on
the switch side)). But there are more unnecessary differences such as
the fact that 'clear configure all' doesn't work (which our SSE is
currently saying "eh?" to).

The current FWSM code base is based on the code from PIX 6.0 with some
stuff from PIX 6.2. The next public release of the software supposedly
takes it up to equivalent to PIX 6.3; it may already be available in the
US.

I don't like the fact you have to do NAT even when you're not ... having
to set up static NAT rules when you're using the same addresses on both
sides counts as NATting for me. It makes things more complex which is
something I don't like to see in a firewall.

I don't like the way that ACLs only apply to traffic in one direction;
being able to apply ACLs to both directions would help keep the
complexity down. In the same vein, it would be helpful if you could
create ACLs which could be applied in more than one access group.

I don't like the lack of consistency in naming services ... some the
FWSM knows about have names ('www') and some don't (I think one example
is the Windows Media stuff which has a 'hidden' fixup but no name). The
same applies to the fixups ... there seem to be some fixups which do
clever stuff but there's no fixup command associated with them and very
little documentation on them.

To be fair, we were stitched up by our vendor who were supposed to do
all the configuration working from our FW-1 config. We ended up doing it
without any training except for playing with a couple of PIX501s, so
there's stuff I'm probably missing.

> leery, and not just because of the price tag.  I've had some bad 
> experiences with PIXs in the past.

Go for Netscreen. You'll still have bad experiences, but they'll be new
and interesting ones :)
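Constructed illustration (added here; not Mike's configuration and not taken from Cisco documentation) of the two FWSM behaviours complained about above, written in PIX 6.x-style syntax since the post says the FWSM code base derives from it: the identity static that must exist even though no address changes, and access-group binding one ACL to one interface in one direction. VLAN numbers, addresses and ACL names are invented, the vlanN form of nameif on the FWSM is an assumption, and lines beginning with ! are annotations rather than commands.

```text
! Constructed example in PIX 6.x-style syntax; VLANs, addresses and names are made up
nameif vlan10 inside security100
nameif vlan20 outside security0
ip address inside 10.1.1.1 255.255.255.0
ip address outside 192.0.2.1 255.255.255.0
!
! Identity static: 10.1.1.0/24 is presented to the outside as itself,
! yet the static has to exist before any outside->inside flow is permitted.
! This is the "NAT even when you're not" the post describes.
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Each access-group binds one ACL to one interface, inbound only,
! so the policy for the other interface needs a second ACL and a second
! access-group; the same ACL cannot be reused in both bindings.
access-list outside_in permit tcp any host 10.1.1.10 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside
!
access-list inside_in permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_in deny ip any any
access-group inside_in in interface inside
```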


