PIX 515E
The two expansion slots support Fast Ethernet
expansion option cards and Hardware VPN Accelerator cards. The features of both
cards are as follows:
- Single-port and four-port Fast Ethernet expansion option cards are
available. With the restricted license, the PIX 515E supports one additional
expansion network port. With the restricted license, the PIX 515E supports up
to four additional expansion network ports.
- Hardware VPN acceleration is available through the addition of a VAC or
VAC+ card.
Offloading encryption functions to the VAC and VAC+ cards improves IPSec
encryption processing. The VAC card provides 56-bit DES and 168-bit 3DES
encryption. The VAC card has a 32-bit, 33-MHz PCI interface. The VAC+ card, in
addition to supporting DES and 3DES, also provides 128-, 192-, and 256-bit AES
encryption. The VAC+ card has a 64-bit, 66-MHz PCI interface.
The VAC+ card is supported in Cisco PIX Software Release 6.3(1) or
later. VAC and VAC+ cards are limited to one per 515E, 525, and 535
chassis.
PIX 525
The PIX 525 Security Appliance supports
additional network interfaces through three PCI expansion slots. It supports
expansion cards including single-port Fast Ethernet cards, four-port Fast
Ethernet cards, single-port Gigabit Ethernet cards, as well as VAC and VAC+
cards.
A maximum of six interfaces are supported with a Restricted
license, and a maximum of ten interfaces are possible with the Unrestricted
license. Currently, a VAC+ card is included with every PIX 525 by default.
When connecting the network cables to the expansion interface ports, use the
following guidelines. The first expansion port number, at the top left, is
interface 2. Starting from that port and going from left to right and top to
bottom, the next port is interface 3, the next is interface 4, and so on.
PIX 535
Gigabit Ethernet (1GE), single- (1FE) and four-port (4FE)
Fast Ethernet, and VPN Accelerator cards (VAC and VAC+) are available for the
PIX 535. For most card types, there is a 33-MHz and a 66-MHz version. For
example, the 1GE card has a 33-MHz PCI interface. The 1GE-66 card has a 66-MHz
PCI interface. There are nine interface slots and three buses in the PIX
535.
The slots and buses are configured as follows:
- Slots 0 and 1 – 64-bit/66-MHz bus 0
- Slots 2 and 3 – 64-bit/66-MHz bus 1
- Slots 4 to 8 – 32-bit/33-MHz bus 2
For optimum performance and throughput for the interface circuit
boards, use the following guidelines:
- A total of eight interfaces are configurable on the PIX 535 with the
restricted license, and a total of fourteen are configurable with the
unrestricted license.
- For best performance, the 1GE-66, 4FE-66, and VAC+ (66 MHz) circuit boards
should be installed in a 64-bit/66-MHz card slot.
- The 1GE, 1FE, 4FE, and VAC (33 MHz) circuit boards should be installed in
the 32-bit/33-MHz card slots.
NOTE:
The 1GE circuit board is not recommended for use in the PIX 535,
because it can severely degrade performance. It is capable of only half the
throughput of the 1GE-66 circuit board. If this circuit board is detected in
the PIX 535, a warning about degraded performance will be issued.
- The 1FE circuit board (33 MHz) can be installed in any bus or slot
(32-bit/33-MHz or 64-bit/66-MHz). Up to nine 1FE circuit boards or up to two
4FE circuit boards can be installed. The 1FE circuit boards should be installed
in the 32-bit/33-MHz card slots first.
- Do not mix the 1FE circuit boards with the 1GE-66 circuit boards on the
same 64-bit/66-MHz bus (bus 0 or bus 1). The overall speed of the bus is
reduced by the lower-speed circuit board.
- If stateful failover is enabled for 1GE-66 traffic, the failover
link must be PIX-1GE-66. The amount of stateful failover information is
proportional to the amount of traffic flowing through the PIX Firewall and, if
it is not configured properly, loss of state information or 256-byte block
depletion can occur.
- The discontinued 4FE card can be installed only in a 32-bit/33-MHz card
slot and must never be installed in a 64-bit/66-MHz card slot. Installation of
this circuit board in a 64-bit/66-MHz card slot can cause the system to hang at
boot time.
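The slot, bus, and card guidelines above can be checked before any card is installed. The following Python is an added example, not Cisco code: the function name `check_layout` and the slot-to-card dictionary format are assumptions, while the slot-to-bus mapping, card names, and the one-accelerator-per-chassis limit come from the text.

```python
# Added example: check a proposed PIX 535 card layout against the guidelines above.
# Slot-to-bus mapping and card names come from the text; check_layout and the
# {slot: card} layout format are assumptions made for this illustration.
BUS_OF_SLOT = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 2, 7: 2, 8: 2}
FAST_BUSES = (0, 1)                    # 64-bit/66-MHz; bus 2 is 32-bit/33-MHz
CARDS_66 = {"1GE-66", "4FE-66", "VAC+"}
CARDS_33 = {"1GE", "4FE", "VAC"}       # 1FE is allowed in any slot


def check_layout(layout):
    """Return a list of (severity, message) findings for a {slot: card} dict."""
    findings, by_bus = [], {}
    for slot, card in sorted(layout.items()):
        if slot not in BUS_OF_SLOT:
            findings.append(("error", f"slot {slot}: no such slot"))
            continue
        bus = BUS_OF_SLOT[slot]
        fast = bus in FAST_BUSES
        by_bus.setdefault(bus, set()).add(card)
        if card == "4FE" and fast:
            findings.append(("error", f"slot {slot}: 4FE in a 66-MHz slot can hang at boot"))
        elif card in CARDS_33 and fast:
            findings.append(("warn", f"slot {slot}: {card} belongs in a 33-MHz slot"))
        elif card in CARDS_66 and not fast:
            findings.append(("warn", f"slot {slot}: {card} performs best in a 66-MHz slot"))
        if card == "1GE":
            findings.append(("warn", f"slot {slot}: 1GE has half the 1GE-66 throughput"))
    for bus in FAST_BUSES:
        if {"1FE", "1GE-66"} <= by_bus.get(bus, set()):
            findings.append(("warn", f"bus {bus}: 1FE mixed with 1GE-66 slows the bus"))
    if sum(card in ("VAC", "VAC+") for card in layout.values()) > 1:
        findings.append(("error", "more than one VAC/VAC+ card in the chassis"))
    return findings


# Constructed sample layouts (not from the page).
GOOD = {0: "1GE-66", 1: "1GE-66", 2: "VAC+", 4: "1FE", 5: "4FE"}
BAD = {0: "1GE-66", 1: "1FE", 3: "4FE", 6: "VAC+", 7: "VAC"}

if __name__ == "__main__":
    for name, layout in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_layout(layout) or "no findings")
```

Card names the checker does not recognize pass without findings, so inventory spelling should match the names used in the guidelines.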
Adaptive Security Appliance
Additional security services
for the Cisco ASA5500 Adaptive Security Appliance family are provided on the
Security Services Module (SSM) plug-in hardware modules. SSMs are
high-performance modules based on a Pentium 4 Class processor. The diskless
(flash-based) design provides improved reliability. The current offering is an
AIP-SSM card.
The AIP-SSM card is available in two versions, the
AIP-SSM-10 and the AIP-SSM-20. The AIP-SSM module can function in inline or
promiscuous mode. In the inline mode, packets are sent to the AIP-SSM module,
inspected, and then returned to the Adaptive Security Appliance. Operating in
inline mode puts the AIP-SSM module directly into the traffic flow. In
promiscuous mode, the AIP-SSM module is not directly in the packet flow. The
AIP-SSM module performs analysis on a copy of the traffic instead of on the
actual forwarded packets.
The SSM has the following LEDs:
- Power – When the SSM has power, the light shines.
- Status – When the power-up diagnostics are running or the system is
booting, the light flashes. When the system passes power-up diagnostics, the
green light shines. When power-up diagnostics fail, the amber light
shines.
- Speed – With 10 Mbps of traffic, the LED is off. With 100 Mbps of traffic,
the LED is green. With 1000 Mbps of traffic, the LED is amber.
- Link/Act – When there is network activity, the light flashes.