Firewall Services Module Operation
Firewall Services Module overview

The Cisco Firewall Services Module (FWSM) is an integrated module for the Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router. The Cisco Catalyst 6500 provides intelligent services such as firewall capability, intrusion detection, and virtual private networking, along with multilayer LAN, WAN, and MAN switching capabilities. The Cisco 7600 Series Internet Router offers optical WAN and metropolitan-area network (MAN) networking with line-rate IP services at the network edge.

The Cisco FWSM is a high-performance firewall solution, providing 5 Gbps of throughput per module and scaling to 20 GB of bandwidth with multiple modules in one chassis. The FWSM is completely VLAN aware, offers dynamic routing, and is fully integrated within the Cisco Catalyst 6500 Series switches. The FWSM is based on Cisco PIX Security Appliance technology, and therefore offers the same security and reliability as the Cisco ASA and PIX Security Appliances. The FWSM can run in one of the following modes:

  • Routed – The FWSM is considered to be a router hop in the network. It performs NAT between connected networks, and can use OSPF or passive RIP, in single context mode.
  • Transparent – The FWSM acts like a "bump in the wire," and is not a router hop. The FWSM connects the same network on its inside and outside ports, but each port must be on a different VLAN.

Although an FWSM may be installed in the Catalyst 6500 series switches and the Cisco 7600 series routers, the FWSM runs its own operating system, which is based on the PIX operating system. Although the FWSM OS is similar to the PIX OS, there are differences, including the following:

  • The FWSM has higher performance.
  • The FWSM supports more VLANs.
  • The FWSM does not include any external physical interfaces. Instead, it uses internal VLANs.
  • Termination of VPN connections for traffic flowing through the FWSM is not supported on an FWSM. The Cisco Catalyst 6500 instead provides intrusion detection and virtual private networking via the IDSM and VPNSM service modules.
  • By default, all traffic is explicitly denied on an FWSM.

FWSM Requirements
The FWSM occupies one slot in a Cisco Catalyst 6500 switch. Up to four FWSM modules can be installed in the same switch chassis. The FWSM has the following requirements for the Catalyst 6500 switch:

  • Supervisor 1A and MSFC2
  • Supervisor 2 with Multilayer Switch Feature Card 2 (MSFC2)
  • Supervisor 720
  • Cisco IOS software release 12.1(13)E or higher when using the Supervisor 2 option
  • Cisco IOS software release 12.2(14)SX1 or higher when using the Supervisor 720
  • CatOS software release 7.5(1) or higher when using the Supervisor 2
  • CatOS software release 8.2(1) or higher when using the Supervisor 720
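
The supervisor software minimums above are easy to misread because Cisco release strings such as 12.2(14)SX1 only order within one feature train. The following pre-installation check is an added example, not Cisco code or tooling: it parses a release string, pulls the running release out of constructed `show version` output, and reports whether a supervisor meets the listed minimum, treating a different train as a separate finding rather than silently passing or failing it.

```python
import re
from typing import NamedTuple


class Release(NamedTuple):
    major: int
    minor: int
    maint: int
    train: str    # feature-train letters, e.g. "E", "SX", "SXD"; empty for CatOS
    rebuild: int  # trailing rebuild number, e.g. the 1 in "SX1"; 0 when absent


_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)$")
_SHOW_VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\(\d+\)[A-Za-z0-9]*)")

# Minimum supervisor software releases from the FWSM requirements list above.
MINIMUM_RELEASE = {
    ("IOS", "Supervisor 2"): "12.1(13)E",
    ("IOS", "Supervisor 720"): "12.2(14)SX1",
    ("CatOS", "Supervisor 2"): "7.5(1)",
    ("CatOS", "Supervisor 720"): "8.2(1)",
}

# Constructed sample of 'show version' output (not captured from a real device).
SAMPLE_SHOW_VERSION = (
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) s72033_rp Software (s72033_rp-JK9SV-M), Version 12.2(18)SXD3, RELEASE SOFTWARE (fc1)\n"
)


def parse_release(text: str) -> Release:
    """Parse a Cisco IOS/CatOS release string such as '12.2(14)SX1' or '7.5(1)'."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, maint, train, rebuild = m.groups()
    return Release(int(major), int(minor), int(maint), train.upper(), int(rebuild or 0))


def release_from_show_version(output: str) -> str:
    """Extract the release string from 'show version' output."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no release string found in show version output")
    return m.group(1)


def check_release(os_name: str, supervisor: str, running: str) -> str:
    """Return 'ok', 'too-old' or 'wrong-train' for the supervisor's running release."""
    need = parse_release(MINIMUM_RELEASE[(os_name, supervisor)])
    have = parse_release(running)
    # A train that does not extend the required one (e.g. 12.3(x)T against a
    # 12.2SX minimum) cannot be ordered against it, so flag it separately.
    if not have.train.startswith(need.train):
        return "wrong-train"
    if have[:3] + (have.rebuild,) < need[:3] + (need.rebuild,):
        return "too-old"
    return "ok"
```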

A Cisco Catalyst 6500 switch includes a switching supervisor and a Multilayer Switch Feature Card (MSFC). The MSFC can be used as a router. Although the MSFC is necessary as part of the system, it does not have to be used in conjunction with an FWSM. One or more VLAN interfaces can be assigned to the MSFC, if the switch software version supports this feature.