
Cisco’s Diverse Firewall Selection – Good or Bad?


Bad – but only because I suck at this job.


Take a look at Cisco’s firewall offering.  You’ll find the 5512, 5515, 5525, 5545, 5555, and 5585.  Six appliances to choose from!  And their capabilities slowly ramp up as the model number increases.  See below:




On the surface this seems like it could be beneficial.  Let’s say you have a remote site with an Ethernet WAN circuit that provides 100Mb but can scale as needed to 1Gb, and you only need firewalling.  Obviously you probably only need a 5512.

What happens, though, if you connect a number of servers to a separate DMZ and they each have their own vault?  The throughput becomes all guesswork now.  Sure, you could get some traffic analysis done, assuming you have the time, tools, servers, and support, but that would still just be an estimate (and probably a poor one if you do not use a very expensive network modeling tool like Guru).

This is why I suck.  Most servers are 10Gb now and I just do not know what firewall I should use.  So do I leave it up to the customer?  Do I say, well, your non-enterprise servers at that remote site or in that test building are all 10Gb connected, but they probably will never really use that bandwidth, and so we can include a bottleneck in the design?

Do I write these down on notepad, throw them in a hat, and select at random?  Really – who knows if you need 1, 1.2, or 2 Gbps?  Who knows if they need 200 or 250 or 300 Mbps of VPN throughput?

Do I tell the customer to buy cheap and then, if it doesn’t work to their satisfaction, buy expensive later and use the cheaper firewalls on another project?

Do I buy an expensive network analysis suite like Guru and plead with the systems guys to prebuild the environment so I can gauge it?

Or do I just say screw it, buy the 5555-X, and state that it will STILL be a bottleneck for 10Gb servers?

Or do I plead with the security group to allow different-level security vaults to bypass the bottleneck firewall?

Do I tell the customer that 10Gb only belongs in an enterprise data center, so one-off solutions will be configured and will either have bottlenecks or be inordinately expensive?  And what if they say, sure, we understand – which firewall are you going to use?  It is still like pulling one out of a hat.

What if I get real and just take a look at the average throughput of 10Gb servers (and find that their throughput is somewhere along the lines of 1Gbps with occasional spikes)?  Well, that seems to show me that I can go with the 5512 or 5515.  But I don’t feel safe with that – especially on high-visibility projects (they all are these days, right?).
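The difference between "average around 1Gbps" and "occasional spikes" is exactly what decides the tier, so here is an added sizing sketch (my example, not code from the original post or from Cisco). It takes a set of throughput samples, reports mean, percentile and peak, and picks the smallest appliance whose rating covers a chosen design percentile with headroom, flagging when the peak would still clip. The sample values are constructed, and the per-model ratings are placeholders to be replaced with the vendor's datasheet numbers; only the model names come from the post.

```python
"""
Firewall-tier selection from measured link throughput.
Added example; not from the original post or Cisco. Model ratings are
PLACEHOLDERS (substitute datasheet figures); samples are constructed.
"""
import math
from statistics import mean

# PLACEHOLDER ratings in Mbps, ascending. NOT Cisco's published numbers;
# only the model names appear in the post.
CANDIDATE_MODELS = [
    ("5512-X", 1000),
    ("5515-X", 1200),
    ("5525-X", 2000),
    ("5545-X", 3000),
    ("5555-X", 4000),
]

# Constructed 5-minute averages (Mbps) from a 10Gb-attached server DMZ:
# mostly ~1 Gbps, with two bursts (backup job, replication run).
SAMPLE_THROUGHPUT_MBPS = [
    820, 910, 1050, 980, 1120, 2600,
    1010, 890, 960, 1300, 4200, 1150,
]


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100); no numpy needed."""
    if not values:
        raise ValueError("need at least one sample")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))  # 1-based rank
    return ordered[rank - 1]


def summarize(samples):
    """Stats a designer actually compares: mean vs. tail vs. peak."""
    return {
        "mean": mean(samples),
        "p90": percentile(samples, 90),
        "p95": percentile(samples, 95),
        "peak": max(samples),
    }


def pick_model(samples, models=CANDIDATE_MODELS, design_pct=90, headroom=1.25):
    """Smallest model whose rating covers the design percentile with headroom.

    Returns (model_name, rating_mbps, peak_exceeds_rating). The last field
    is True when even the chosen box is a bottleneck during bursts.
    """
    target = percentile(samples, design_pct) * headroom
    peak = max(samples)
    for name, rating in models:  # models are ascending by rating
        if rating >= target:
            return name, rating, peak > rating
    name, rating = models[-1]  # nothing covers the target: take the top box
    return name, rating, peak > rating


def sizing_sensitivity(samples):
    """Show how the answer swings with the design statistic chosen."""
    return {pct: pick_model(samples, design_pct=pct) for pct in (50, 90, 95)}


if __name__ == "__main__":
    print(summarize(SAMPLE_THROUGHPUT_MBPS))
    for pct, (name, rating, clips) in sizing_sensitivity(SAMPLE_THROUGHPUT_MBPS).items():
        print(f"design on p{pct}: {name} ({rating} Mbps) "
              f"{'still clips peak' if clips else 'covers peak'}")
```

Sizing on the median lands on a mid-tier box that the constructed bursts would saturate; sizing on the 90th percentile lands on the largest non-5585 model and the peak still exceeds it. That spread is the "pulling out of a hat" problem stated numerically, and the decision that actually has to be made is which percentile the customer is willing to have clipped.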

I just do not see myself ever ordering the 5515 or 5545.

Now – if there were just one chassis, say the 5500, and this chassis were field upgradable – i.e. you could turn a 5512 into a 5515 and then into a 5525 and so on with a cheap RAM or processor upgrade – I would feel much safer saving money on the low-end appliance.



From → Data Center, Firewall

One Comment
  1. Ali.A permalink

    With the new ASA OS 9.2 you can use the firewall cluster feature (different from old-fashioned HA) to get higher bandwidth; you can use up to 16 ASA 5585-X in a single cluster to achieve 640Gbps of firewalling. Note that on the lower-end models (ASA 5500-X) only two ASAs are supported in a single cluster. Anyway, I agree with you that firewall performance is a real bottleneck on DC networks that use 40G/100G ports. With enhancements like TRILL, firewall vendors should find some workaround.
