Outburst: Cisco Catalyst 6500 ASA Services Module

The Cisco C6500 ASA Services Module has *finally* been released. Let's take a look and make some comments.

  • The module has arrived two or so years later than expected. It may have missed the window of opportunity when service modules were in demand.
  • Given that the Nexus 7K/5K is the future, the C6500 is, for all practical purposes, on a downward slide into history.
  • The question is "will people actually buy the ASA Services Module?"
  • Will people buy enough of them for Cisco to continue to produce them? Cisco has a habit of killing products that don't make money or are not popular. Consider the CSM module, which was EOL'd only this month because not enough people were buying it.
  • Are you taking a risk buying a product that might die in a year's time? I think the answer is yes, it's a risky purchase.
  • I'm planning on waiting for a year to see how much demand there is, or whether Cisco kills it off for lack of sales.
  • Cisco will support the C6500, but don't expect much product development over the next ten years, if any.
  • As such, the C6500 will be a nice, profitable business for Cisco: "selling ice to the Eskimos".

So who might buy the C6500 ASA-SM?

  • People who already have service modules, especially the FWSM, and need more performance.
  • The FWSM handles IPv6 badly. The ASA-SM seems to do better, so it might be the IPv6 upgrade for existing networks.

Comments

Performance:

  • 20 Gbps maximum firewall throughput
  • 16 Gbps maximum firewall throughput (multi-protocol)
  • 300,000 connections per second
  • 10 million concurrent connections
  • 250 security contexts
  • 1,000 VLANs

The performance list looks pretty good.

This has me wondering what the price point is going to be.

I'm also wondering what the maximum performance per flow will be. The FWSM can handle only 1 Gbps per flow because of the way the backplane transfers data to the module. If the ASA-SM handles up to 20 Gbps, how does that connectivity work?
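The per-flow question can be illustrated with a small model. The Python below is an added example, not code from the original post or from Cisco. It assumes the module's fabric connection behaves like an EtherChannel that hashes each flow's 5-tuple to one member link (the hash used here is a stand-in, not the Catalyst 6500's actual load-balancing algorithm), takes the link counts of six 1 Gb/s links for the FWSM and two 10 Gb/s links for the ASASM from the product manager's comment further down this page, and models contention on a member as proportional sharing. The sample flows are constructed, not captured traffic.

```python
"""Added example: why a multi-link fabric connection caps a single flow.

Assumptions (not from the product documentation): each flow is pinned to one
member link by hashing its 5-tuple, the hash is a stand-in for the switch's
real algorithm, and flows that oversubscribe a member share it proportionally.
"""
import hashlib
from collections import defaultdict

# (number of fabric links, speed of each link in Gb/s), per the PM's comment
FWSM_FABRIC = (6, 1.0)
ASASM_FABRIC = (2, 10.0)


def member_for_flow(src_ip, dst_ip, src_port, dst_port, proto, n_links):
    """Map a 5-tuple to one member link (stand-in hash, not Cisco's)."""
    key = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{proto}".encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def achieved_rates(flows, n_links, link_gbps):
    """flows: list of (five_tuple, demand_gbps).

    Returns {flow_index: achieved_gbps}. Flows sharing a member link are
    scaled down proportionally once their combined demand exceeds the link;
    a flow never spans members, so its ceiling is one link's speed.
    """
    by_link = defaultdict(list)
    for idx, (five_tuple, demand) in enumerate(flows):
        by_link[member_for_flow(*five_tuple, n_links)].append((idx, demand))

    achieved = {}
    for members in by_link.values():
        offered = sum(demand for _, demand in members)
        scale = min(1.0, link_gbps / offered) if offered > 0 else 1.0
        for idx, demand in members:
            achieved[idx] = demand * scale
    return achieved


def single_flow_rate(demand_gbps, fabric):
    """What one large flow (e.g. a backup stream) actually gets through."""
    flow = [(("10.0.0.1", "10.0.1.1", 40000, 443, 6), demand_gbps)]
    return achieved_rates(flow, *fabric)[0]


def synthetic_flows(count, demand_gbps):
    """Constructed sample: many small, distinct flows (not captured traffic)."""
    return [((f"10.0.{i // 250}.{i % 250 + 1}", "10.0.255.1", 40000 + i, 443, 6),
             demand_gbps) for i in range(count)]


def aggregate_rate(flows, fabric):
    """Total throughput the fabric delivers for a set of flows."""
    return sum(achieved_rates(flows, *fabric).values())


if __name__ == "__main__":
    print("5 Gb/s flow on FWSM fabric :", single_flow_rate(5.0, FWSM_FABRIC))
    print("5 Gb/s flow on ASASM fabric:", single_flow_rate(5.0, ASASM_FABRIC))
    many = synthetic_flows(6000, 0.001)  # 6000 x 1 Mb/s = 6 Gb/s offered
    print("6000 small flows on FWSM   :", round(aggregate_rate(many, FWSM_FABRIC), 3))
```

The point the model makes: a single 5 Gb/s flow into the FWSM fabric is pinned to one 1 Gb/s member and gets 1 Gb/s, while the same flow on the ASASM's 10 Gb/s members passes unhindered; only a large population of distinct flows gets the FWSM anywhere near its 6 Gb/s aggregate, and even then hash skew leaves some members underused.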

Anything I've missed?

Cisco Catalyst 6500 Series ASA Services Module – Products & Services – Cisco Systems

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure and, recently, Virtualization. He has over 20 years in IT with a wide range of employers, working as a freelance consultant in Finance, Service Providers and Online Companies. He is CCIE #6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com, and on Twitter @etherealmind and Google Plus.

  • http://pktmaniac.info Yandy

    The numbers are decent, would’ve thought the number of Security Contexts would’ve been bigger. That’s the same as the FWSM if I’m not mistaken, could’ve been better I believe in that stance.

  • http://billyc5022.blogspot.com Bill

    I thought of you Greg as soon as I saw the slide! They did say a Nexus 7K version is coming.

    • PG

      Sure. Do you know how long our local Cisco SE has been telling me the N7k will be getting service modules? By the time they release them the N7k will be nearly EOL.

  • Bryan

    Greg –

    Agreed, this is a product that is a bit late in coming. Especially with the ASA 5585 appliances out there, I'm not sure why I would go this direction (or an N7K version). Unless there is a significant price point advantage. But I'm sure they'll make you pay for all that bandwidth (a la the ACE module).

    Regards.

    - Bryan

    • http://etherealmind.com Greg Ferro

      One use case is that there are companies whose data centres are strictly controlled and getting a new firewall physically installed is painful. But installing a module into an existing chassis? That's easy.

      There are others around the low latency of using the backplane, and single elements per solution. But generally I agree with you: I'm over service modules and prefer to use external equipment because it's more cost effective, more flexible and generally less encumbered with problems.

      I guess you could say I was let down by the FWSM and the ACE. I’m not going back in a hurry.

      • Tristan Rhodes

        We have used ACE10 and FWSM and we are replacing them both with standalone appliances. We like that new software is often released for the appliances first, modules second.

        FWSM -> ASA 5585
        ACE10 -> ACE 4710 appliance (which has enough bandwidth for us, but I wish it was refreshed hardware)

        We also have WISM modules, but there is no good standalone appliance to replace it. The 5508 are nice, but the over-subscription on your 8 Gbps uplink is enormous! 8 Gbps / 500 APs = 16 Mbps per AP! Now why did you just upgrade to 802.11n APs that run at 300 Mbps each?

        The WISM2 is out, but I don’t know if it has a 10 or 20 Gbps backplane connection. Anyone know? Cisco needs to make a standalone wireless appliance that has multiple 10 gig connections.

  • Brett Mason

    I'm in the process of doing a design which involves both switching and firewall upgrades. I already have another vendor's firewall at the border and need an internal firewall (from a different vendor), and since we are consolidating a lot of the little access-style switches into a Cisco 6500 I've been getting pressure to go down the FWSM path, as it is seen to simplify management and support etc. Mainly by the ops guys…

    Anyway, I have been fighting against the FWSM as I did not want to implement what I considered a dead/dying/limiting technology. However, since I'm being pushed to at least recommend a module as an alternative option to a standalone firewall appliance, this seems like a timely and hopefully suitable one, although to mirror Greg's concern, my main concern is then the longevity of this module…

    So I think for anyone that is currently looking at the FWSM for whatever reason then apart from the stated concerns this is a better option in that scenario…

  • MikeInSeoul

    Actually, I wouldn't expect them to kill it off TOO soon, for one reason you didn't mention. This module will be running the same software as the ASA appliances. Cisco won't have to maintain/support two firewall software platforms (and feature sets) like they do now with the FWSM and ASA software.

    This is the situation they have now with the IPS appliances and the IDSM-2 modules. One code base, one feature set. If the platform can’t support a feature, it’s deactivated/unavailable.

    I would think that saves $$ on product maintenance over the long term for Cisco.

    One question I haven’t seen addressed – what’s the roadmap/timeline for the FWSM at this point? They didn’t make an EoS/EoL announcement, so I guess they’ll be selling both for a while.

  • CM

    Greg,

    I’d like to answer a few of your questions directly to help clear things up.

    The Catalyst 6500 is still a very popular switch and selling very well as both a distribution switch as well as in a new role as service switch. Development is planned well into the future with a rich and long roadmap. An example of this is the brand new Supervisor that was just announced to greatly improve performance and capacities of the switch. Add to that the new ASASM and several other important pieces coming soon such as higher speed interface cards and you can see that Cisco is fully committed to the Catalyst 6500 for a long time to come.

    The performance and features have greatly improved with the ASASM as you mentioned. The backplane connectivity has also improved significantly. With the FWSM you had six 1Gb links to the backplane. Now with the ASASM you have two 10Gb links instead. So the backplane went from 6Gb total to 20Gb total. More importantly, the link per flow has increased from 1Gb to 10Gb.

    The ASASM is more expensive than the FWSM at $115k before discount, but it is also much more capable and much faster. If you compare the ASASM to the FWSM it is about 5x the throughput overall. If you look at other measurements such as maximum number of connections, the ASASM is closer to 10x more capable than the FWSM.

    The ASASM is really more a new form factor of the 5585-X SSP-60 than an FWSM 2 though since they share the same architecture and software. So price comparisons to competitive products are the best way to look at what you are getting for the money.

    To put the performance into perspective the ASASM is more than twice as fast per blade than the fastest network security competitor at 16Gbps based on a real world, multi-protocol test. If you put four of these in a single switch you get to 64Gbps multi-protocol throughput. No other product in the market can even come close to that in a single chassis.

    Beyond performance it also has much higher capacity as well. At 10million sessions it is 2 to 4 times the competition at a better price point. To get to the same capacities from a competitor you need to spend more than 5 times as much. Even then the security and switching are not integrated and you end up taking up a lot more rack space and using a lot more power.

    Because of this significant increase in performance and capacities your CAPEX savings with an ASASM is up to 80% depending on what metric is important to your network. If it's throughput only, the CAPEX saving is closer to 50%. If maximum connections and connections per second is what matters to you then the CAPEX saving is closer to 80%. Even more importantly your OPEX saving can be up to 90% just from the decrease in power usage needed from a single ASASM versus a large chassis to get equivalent performance. If you are an existing FWSM customer and you apply the 15% discount the value becomes even greater.

    • http://etherealmind.com Greg Ferro

      Readers, please note that Chris Morosco is the Cisco Product Manager for the C6500 ASA-SM.

      Chris, in future, it's courtesy to disclose your employer & relationship and whether you are speaking on your own or your company's behalf.

      greg

      • Steve B

        Yep, an edited version of the post also appeared under the Network World story as “Anon”.

        As with Greg's advice, it's not good form to do that and can be spotted a mile off; most Anon commentators don't talk about CAPEX, so no benefit is gained anyway.

        However I like to see Vendors comment and engage on media/blogs so state your affiliation and gain some kudos from the readers.

    • Julien Goodwin

      “No other product in the market can even come close to that in a single chassis.”

      Er, what about the Juniper SRX 5k, lab tested to over 100Gb of throughput (IIRC 160Gb in theory)

      • CM

        Hi Julien,

        It's true that the SRX 5800 states a max of over 100Gb. This is based on an unrealistic test of only passing UDP packets at 1500 bytes. Check their data sheet again and you'll notice that when tested in a more realistic manner using IMIX it can only do 45 Gbps at most. The ASASM can do more than this with just three modules. Add a fourth and you are at 64 Gbps. That's almost 20Gbps faster than the SRX using a metric that is much closer to what you would see in a realistic environment.

        Performance isn’t the only difference though. The SRX needs 16U of rack space and 8 SPCs versus 3 ASASMs. The rack space and power usage difference is pretty large and so is the price. To get to that 45 Gbps number you are spending over $1.2M on the Juniper solution. A similar solution from Cisco using ASASMs would cost much less for more performance. If you already have a Catalyst and a Supervisor card the savings is that much greater.

        Chris Morosco
        Cisco Product Manager

  • CM

    Hi Steve and Greg,

    I thought the fact that I mentioned CAPEX and OPEX made it obvious I worked at Cisco.

    Yes, I’m the PM for the ASA Services module and have been doing what I can to answer any questions I see come up in various forums and blogs. I don’t have any accounts setup for these sites so I’ve just been posting as the default. I’ll be sure to call out my Cisco connection more clearly.

    Thanks,

    Chris

  • Jeff

    I would take an external device over a service module any day. After living with the FWSM, WISM, CSM, etc., I do not like all the dependencies that it creates within the chassis (whether hardware or software).

    While I really like the SRX, the ASA 5585 is a nice play for this high end space; maybe Cisco can upgrade the other ASAs to make them better than the SRX (should only take another 4 years to do that).

    These service modules are meant for very specific customers and not the large majority of the networking population. It's just that the small majority spends a ton of cash.

  • amin

    I would like to know whether or not the ASA service module is supported by 6500 VSS design.

    What is the minimum IOS?
    Are the ASA SMs independent in VSS System?

    • http://www.cisco.com/go/asasmc CM

      Hi Amin,

      Yes, the ASASM supports VSS with a SUP 3C or above. We also support the SUP 3Bs but they don't support VSS. The IOS version that supports the ASASM is 12.2(33)SXJ, which comes out just before we start shipping the modules.

      You can treat the two ASASMs as separate firewalls but it is recommended that you set them up in an Active/Standby pair and manage them as a single firewall instead.

      Chris Morosco
      Cisco Product Manager

  • Pingback: Should I Choose Cisco Service Modules for the Future

  • http://www.facebook.com/profile.php?id=566030671 Brendan Franklin

    Any idea whether Packet Trace will be available with ASDM? I really miss that in the FWSM :/

  • Mel Chandler

    Now, should I buy it now? I waited… hahha

  • MikeInSeoul

    Well … it only took a full year (almost to the day), but Cisco finally announced the EoS/EoL schedule for the FWSMs.

    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/eol_c51-699134.html

  • http://twitter.com/dailydoseofJMM JohnMichaelMichaels

    I came across this old post, but I thought I would add that having a CSM, FWSM, etc. limits your entire backplane to the lower speed cards. I couldn’t quickly find a link, and maybe newer software releases fix that, but that was one of the little-advertised caveats of those. I came into a place that had the FWSM and the older IDS blade, and I showed them that all of the higher throughput cards were all being limited with backplane commands. That was 2007, so they might have fixed it. I’ve seen nothing but ACE modules since then