Introduction to the Cisco Security Appliance Family
Expanding the features of the security appliance

PIX 515E
The two expansion slots support Fast Ethernet expansion option cards and Hardware VPN Accelerator cards. The features of both cards are as follows:

  • Single-port and four-port Fast Ethernet expansion option cards are available. With the restricted license, the PIX 515E supports one additional expansion network port. With the unrestricted license, the PIX 515E supports up to four additional expansion network ports.
  • Hardware VPN acceleration is available through the addition of a VAC or VAC+ card. Offloading encryption functions to the VAC and VAC+ cards improves IPSec encryption processing. The VAC card provides 56-bit DES and 168-bit 3DES encryption. The VAC card has a 32-bit, 33-MHz PCI interface. The VAC+ card, in addition to supporting DES and 3DES, also provides 128-, 192-, and 256-bit AES encryption. The VAC+ card has a 64-bit, 66-MHz PCI interface.

The VAC+ card is supported in Cisco PIX Software Release 6.3(1) or later. VAC and VAC+ cards are limited to one per 515E, 525, and 535 chassis.

PIX 525
The PIX 525 Security Appliance supports additional network interfaces through three PCI expansion slots. It supports expansion cards including single-port Fast Ethernet cards, four-port Fast Ethernet cards, single-port Gigabit Ethernet cards, and VAC and VAC+ cards.

A maximum of six interfaces are supported with a Restricted license, and a maximum of ten interfaces are possible with the Unrestricted license. Currently, a VAC+ card is included with every PIX 525 by default.

When connecting the network cables to the expansion interface ports, use the following guidelines. The first expansion port number, at the top left, is interface 2. Starting from that port and going from left to right and top to bottom, the next port is interface 3, the next is interface 4, and so on.

PIX 535
Gigabit Ethernet (1GE), single- (1FE) and four-port (4FE) Fast Ethernet, and VPN Accelerator cards (VAC and VAC+) are available for the PIX 535. For most card types, there is a 33-MHz and a 66-MHz version. For example, the 1GE card has a 33-MHz PCI interface. The 1GE-66 card has a 66-MHz PCI interface. There are nine interface slots and three buses in the PIX 535.

The slots and buses are configured as follows:

  • Slots 0 and 1 – 64-bit/66-MHz bus 0
  • Slots 2 and 3 – 64-bit/66-MHz bus 1
  • Slots 4 to 8 – 32-bit/33-MHz bus 2

For optimum performance and throughput for the interface circuit boards, use the following guidelines:

  • A total of eight interfaces are configurable on the PIX 535 with the restricted license, and a total of fourteen are configurable with the unrestricted license.
  • For best performance, the 1GE-66, 4FE-66, and VAC+ (66 MHz) circuit boards should be installed in a 64-bit/66-MHz card slot.
  • The 1GE, 1FE, 4FE, and VAC (33 MHz) circuit boards should be installed in the 32-bit/33-MHz card slots.
NOTE: The 1GE circuit board is not recommended for use in the PIX 535, because it can severely degrade performance. It is capable of only half the throughput of the 1GE-66 circuit board. If this circuit board is detected in the PIX 535, a warning about degraded performance will be issued.

  • The 1FE circuit board (33 MHz) can be installed in any bus or slot (32-bit/33-MHz or 64-bit/66-MHz). Up to nine 1FE circuit boards or up to two 4FE circuit boards can be installed. The 1FE circuit boards should be installed in the 32-bit/33-MHz card slots first.
  • Do not mix the 1FE circuit boards with the 1GE-66 circuit boards on the same 64-bit/66-MHz bus (bus 0 or bus 1). The overall speed of the bus is reduced by the lower-speed circuit board.
  • If stateful failover is enabled for 1GE-66 traffic, the failover link must be PIX-1GE-66. The amount of stateful failover information is proportional to the amount of traffic flowing through the PIX Firewall and, if it is not configured properly, loss of state information or 256-byte block depletion can occur.
  • The discontinued 4FE card can be installed only in a 32-bit/33-MHz card slot and must never be installed in a 64-bit/66-MHz card slot. Installation of this circuit board in a 64-bit/66-MHz card slot can cause the system to hang at boot time.
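
The placement guidelines above can be checked mechanically before cards are installed. The following Python sketch is an added example, not Cisco code: the function name, the finding levels and the sample layout are constructed here, and it assumes every configurable interface comes from a card in one of the nine slots.

```python
# Slot-to-bus layout of the PIX 535 as listed above.
BUS_OF_SLOT = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 2, 7: 2, 8: 2}
FAST_BUSES = {0, 1}                      # 64-bit/66-MHz buses
CARDS_66 = {"1GE-66", "4FE-66", "VAC+"}
CARDS_33 = {"1GE", "1FE", "4FE", "VAC"}
# Assumption: all counted interfaces are ports on expansion cards.
PORTS = {"1GE": 1, "1GE-66": 1, "1FE": 1, "4FE": 4, "4FE-66": 4}
LICENSE_LIMIT = {"restricted": 8, "unrestricted": 14}

# Constructed sample layout (slot -> card), not taken from a real chassis.
SAMPLE = {0: "1GE-66", 1: "1FE", 2: "4FE", 4: "VAC+", 5: "1GE", 6: "VAC"}


def check_layout(layout, license_type="unrestricted"):
    """Return a list of (level, message) findings for a slot -> card mapping."""
    findings, by_bus = [], {}
    for slot, card in sorted(layout.items()):
        if slot not in BUS_OF_SLOT or card not in CARDS_66 | CARDS_33:
            findings.append(("error", f"slot {slot}: unknown slot or card {card!r}"))
            continue
        bus = BUS_OF_SLOT[slot]
        by_bus.setdefault(bus, set()).add(card)
        if card == "4FE" and bus in FAST_BUSES:
            findings.append(("error", f"slot {slot}: 4FE in a 66-MHz slot can hang at boot"))
        elif card in CARDS_66 and bus not in FAST_BUSES:
            findings.append(("warn", f"slot {slot}: {card} performs best on a 66-MHz bus"))
        elif card in CARDS_33 and card != "1FE" and bus in FAST_BUSES:
            findings.append(("warn", f"slot {slot}: {card} belongs in a 33-MHz slot"))
        if card == "1GE":
            findings.append(("warn", f"slot {slot}: 1GE has half the 1GE-66 throughput"))
    for bus in sorted(FAST_BUSES):
        # A 1FE on the same 66-MHz bus slows the 1GE-66 down.
        if {"1FE", "1GE-66"} <= by_bus.get(bus, set()):
            findings.append(("warn", f"bus {bus}: 1FE shares the bus with 1GE-66"))
    cards = [c for s, c in layout.items() if s in BUS_OF_SLOT]
    if sum(c in ("VAC", "VAC+") for c in cards) > 1:
        findings.append(("error", "only one VAC or VAC+ card is allowed per chassis"))
    ports = sum(PORTS.get(c, 0) for c in cards)
    if ports > LICENSE_LIMIT[license_type]:
        findings.append(("error", f"{ports} interfaces exceed the {license_type} limit"))
    return findings


if __name__ == "__main__":
    for level, message in check_layout(SAMPLE):
        print(level, message)
```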

Adaptive Security Appliance
Additional security services for the Cisco ASA5500 Adaptive Security Appliance family are provided on the Security Services Module (SSM) plug-in hardware modules. SSMs are high-performance modules based on a Pentium 4 Class processor. The diskless (flash-based) design provides improved reliability. The current offering is an AIP-SSM card.

The AIP-SSM card is available in two versions, the AIP-SSM-10 and the AIP-SSM-20. The AIP-SSM module can function in inline or promiscuous mode. In inline mode, packets are sent to the AIP-SSM module, inspected, and then returned to the Adaptive Security Appliance. Operating in inline mode puts the AIP-SSM module directly into the traffic flow. In promiscuous mode, the AIP-SSM module is not directly in the packet flow. The AIP-SSM module performs analysis on a copy of the traffic instead of on the actual forwarded packets.

The SSM has the following LEDs:

  • Power – When the SSM has power, the light shines.
  • Status – When the power-up diagnostics are running or the system is booting, the light flashes. When the system passes power-up diagnostics, the green light shines. When power-up diagnostics fail, the amber light shines.
  • Speed – With 10 Mbps of traffic, the LED is off. With 100 Mbps of traffic, the LED is green. With 1000 Mbps of traffic, the LED is amber.
  • Link/Act – When there is network activity, the light flashes.