The Cisco Firewall Services Module (FWSM) is a firewall line card installed inside a Cisco Catalyst 6500 Series switch or Cisco 7600 Series router. Any VLAN on the switch can be handed to the module to serve as a firewall interface, which places firewalling inside the switching infrastructure rather than on a separate appliance.
The FWSM is based on Cisco PIX technology and runs the same PIX operating system, a purpose-built real-time OS. It supports multiple security contexts (virtual firewalls), so an organization can operate several firewalls on one module and manage them from the same management platform.
The FWSM has five processors: two general-purpose CPUs (1 GHz Pentium 4) and three network processors (IBM PowerNP 4GS3). Whether both general-purpose CPUs take part in management processing is not documented.
The general-purpose CPUs handle fixups (application-layer protocol inspection) and traffic sourced from or destined to the FWSM itself, which is mainly management traffic. They also compile the rulebase: the access-list configuration is converted into a form the network processors can execute, so the bulk of through traffic is handled in dedicated hardware.
The three network processors carry that bulk traffic. The two fast-path NPs, NP1 and NP2, handle the main forwarding and each has three 1 Gigabit connections to the backplane. The third NP sits above NP1 and NP2 and acts as the session manager.
Because the rulebase is compiled into the network processors, the FWSM has a hard limit on the number of Access Control Entries (ACEs) it can hold. In practice the limit is reached only by large, inefficient rulebases, but unlike on the PIX and ASA platforms it cannot be raised by a memory upgrade, so rulebase size has to be planned for when the module is deployed.
The resource manager lets an administrator cap the resources (for example connections or translations) that any one security context may consume at any time, so that one context cannot starve or interfere with another.
Configuring interfaces on the FWSM. Before the FWSM can pass traffic through an interface, the interface needs a name (nameif) and an IP address. The security level should also be changed from its default, which is 0. If an interface is named "inside" and no security level is set explicitly, the FWSM sets the level to 100. Every interface must have a security level from 0 (lowest trust) to 100 (highest trust): the most trusted network, such as the inside host network, is assigned level 100, the outside network connected to the Internet is assigned level 0, and other networks, such as DMZs, sit in between. Any VLAN ID can be added to the configuration, but only VLANs that the switch has assigned to the FWSM (for example 10, 15, 20 and 25) can actually pass traffic; an interface on an unassigned VLAN is configured but dead. Use the show vlan command on the FWSM to list the VLANs assigned to it.

Example interface configuration:

    interface vlan 20
     nameif outside
     security-level 0
     ip address 192.168.1.2 255.255.255.0
    interface vlan 10
     nameif inside
     security-level 100
     ip address 10.1.1.1 255.255.255.0
    interface vlan 15
     nameif dmz1
     security-level 60
     ip address 192.168.2.1 255.255.255.224
    interface vlan 25
     nameif dmz2
     security-level 50
     ip address 192.168.3.1 255.255.255.224
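The interface rules above (name and IP required, security level defaulting to 0 except for an interface named "inside", and only switch-assigned VLANs passing traffic) are easy to get wrong on a module with many VLANs. The following is an added audit script, not Cisco code or FWSM output: it parses interface stanzas in the form shown above and reports interfaces that would not pass traffic or that silently inherited security level 0. The configuration text and the set of assigned VLAN IDs are constructed for the example; in practice the VLAN set would be taken from the module's show vlan output.

```python
"""Audit FWSM interface stanzas against the interface rules described above.

Added example, not Cisco code. SAMPLE_CONFIG and ASSIGNED_VLANS are
constructed inputs; VLAN 30 is deliberately misconfigured.
"""
import re

# Constructed sample in the "interface vlan N / nameif / security-level /
# ip address" form used by the FWSM. VLAN 30 has no security-level and is
# not one of the VLANs the switch assigned to the module.
SAMPLE_CONFIG = """\
interface vlan 20
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
interface vlan 10
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface vlan 15
 nameif dmz1
 security-level 60
 ip address 192.168.2.1 255.255.255.224
interface vlan 30
 nameif dmz3
 ip address 192.168.4.1 255.255.255.224
"""

# VLAN IDs the switch has assigned to the module (what `show vlan` on the
# FWSM reports). Constructed for the example; VLAN 30 is absent on purpose.
ASSIGNED_VLANS = {10, 15, 20, 25}


def parse_interfaces(config):
    """Return {vlan_id: {"nameif": ..., "security_level": ..., "ip": ...}}.

    security_level is None when the stanza never sets it explicitly.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^interface vlan (\d+)\s*$", line)
        if header:
            current = {"nameif": None, "security_level": None, "ip": None}
            interfaces[int(header.group(1))] = current
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("nameif "):
            current["nameif"] = cmd.split(None, 1)[1]
        elif cmd.startswith("security-level "):
            current["security_level"] = int(cmd.split()[1])
        elif cmd.startswith("ip address "):
            current["ip"] = cmd.split()[2]
    return interfaces


def effective_security_level(iface):
    """Level the FWSM applies: explicit value, else 100 for "inside", else 0."""
    if iface["security_level"] is not None:
        return iface["security_level"]
    return 100 if iface["nameif"] == "inside" else 0


def audit(config, assigned_vlans):
    """Return a list of (vlan_id, problem) findings ordered by VLAN ID."""
    findings = []
    for vlan, iface in sorted(parse_interfaces(config).items()):
        if vlan not in assigned_vlans:
            findings.append((vlan, "VLAN not assigned to the FWSM by the switch; "
                                   "the interface cannot pass traffic"))
        if iface["nameif"] is None:
            findings.append((vlan, "no nameif; the interface cannot pass traffic"))
        if iface["ip"] is None:
            findings.append((vlan, "no IP address; the interface cannot pass traffic"))
        level = iface["security_level"]
        if level is None and iface["nameif"] != "inside":
            findings.append((vlan, "security-level not set; defaults to 0, "
                                   "the same trust as the outside interface"))
        if level is not None and not 0 <= level <= 100:
            findings.append((vlan, f"security-level {level} is outside the 0-100 range"))
    return findings


if __name__ == "__main__":
    for vlan, problem in audit(SAMPLE_CONFIG, ASSIGNED_VLANS):
        print(f"vlan {vlan}: {problem}")
```

Running the script reports VLAN 30 twice: once because the switch never assigned it to the module, and once because its security level was left at the default of 0. The inside interface on VLAN 10 is not reported, because the FWSM assigns level 100 to an interface named "inside" even when the level is omitted.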