The Cisco Firewall Services Module (FWSM) is an integrated module for the
Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Router.
The Cisco Catalyst 6500 provides intelligent services such as firewall
capability, intrusion detection, and virtual private networking, along with
multilayer LAN, WAN, and MAN switching capabilities. The Cisco 7600 Series
Internet Router offers optical WAN and metropolitan-area network (MAN)
networking with line-rate IP services at the network edge.
The Cisco FWSM is a high-performance firewall solution, providing 5 Gbps of
throughput per module and scaling to 20 GB of bandwidth with multiple modules
in one chassis. The FWSM is completely VLAN aware, offers dynamic routing, and
is fully integrated within the Cisco Catalyst 6500 Series switches. The FWSM is
based on Cisco PIX Security Appliance technology, and therefore offers the same
security and reliability as the Cisco ASA and PIX Security Appliances. The FWSM
can run in one of the following modes:
- Routed – The FWSM is considered to be a router hop in the network. It
performs NAT between connected networks, and can use OSPF or passive RIP, in
single context mode.
- Transparent – The FWSM acts like a "bump in the wire," and is not
a router hop. The FWSM connects the same network on its inside and outside
ports, but each port must be on a different VLAN.
Although a FWSM may be installed in the Catalyst 6500 series switches
and the Cisco 7600 series routers, the FWSM runs its own operating system. The
FWSM operating system is based on the PIX operating system. Although the FWSM
OS is similar to the PIX OS, there are differences. Some of the differences
are as follows:
- The FWSM has higher performance.
- The FWSM supports more VLANs.
- The FWSM does not include any external physical interfaces. Instead, it
uses internal VLANs.
- Termination of VPN connections for traffic flowing through the FWSM is not
supported on a FWSM. The Cisco Catalyst 6500 provides intelligent services such
as intrusion detection and virtual private networking via the IDSM and VPNSM
service modules.
- By default, all traffic is explicitly denied on a FWSM.
FWSM Requirements
The FWSM occupies one slot in a Cisco Catalyst 6500 switch. Up to four FWSM
modules can be installed in the same switch chassis. The FWSM has the following
requirements for the Catalyst 6500 switch:
- Supervisor 1A and MSFC2
- Supervisor 2 with Multilayer Switch Feature Card 2 (MSFC2)
- Supervisor 720
- Cisco IOS software release 12.1(13)E or higher when using the Supervisor 2
option
- Cisco IOS software release 12.2(14)SX1 or higher when using the Supervisor
720
- CatOS software release 7.5(1) or higher when using the Supervisor 2
- CatOS software release 8.2(1) or higher when using the Supervisor 720
A Cisco Catalyst 6500 switch includes a switching supervisor and a
Multilayer Switch Feature Card (MSFC). The MSFC can be used as a router.
Although the MSFC is necessary as part of the system, it does not have to be
used in conjunction with a FWSM. One or more VLAN interfaces can be assigned to
the MSFC, if the switch software version supports this feature.