Questions on 6500 series

We're looking at replacing a 4507R at the core of our network with a 6500 series. Currently, the 4507R has a Supervisor Engine IV, 3 48-port copper blades, and 2 6-port fiber blades. We're hoping to include in the 6500 series replacement the firewall module (to replace a PIX 525), VPN (to replace a 3005 concentrator), and IDS/IPS.

I'm a little confused as to what I need from looking at the Cisco product pages. Is there a guide somewhere as to what to get? The firewall that we would be replacing is actually a pair of PIX 525s in an active/standby pair. We'd like to have some redundancy in the 6500 as well. We'd also like some sort of failover for the IDS/IPS if possible.

A couple of questions:

- If I have two FWSMs installed, they would load balance, and if one failed, the other would take over all traffic, correct?
- I see a "VPN services port adapter" and a "VPN shared port adapter"... I'm not sure how they differ.
- The Supervisor Engine 720 and the Supervisor Engine 32... we'd need one or the other, correct?
- Would we need the Policy Feature Card and the Distributed Forwarding Card?



You know that's one hour+ worth of sales meeting to answer those questions, right? :-)

Very briefly - I'd stay away from service modules. The ASA5500 series will get you better performance for less money for both firewall and VPN. You can get an IDS/IPS module for it too, I believe (I don't deal with IDS much, if at all).

If you decide to go with the FWSM - yes, it can provide Active/Passive failover in the same 6500 chassis (or different chassis). Active/Active is a gimmick when you have multiple contexts and flip Active/Passive roles between the boxes.

VPN - I think you are looking at SPA, that's not VPN service module.

Supervisor - only the 720. Otherwise you may as well stick with the 4507R (6 Gbps per slot vs. a 32 Gbps shared bus on the Sup32).

DFC is needed for distributed forwarding - local switching on line card.

At this particular time I'd be very careful about buying a 6500 in general. If you are somewhat local to the western seaboard of the USA, we can take it off-line.

Andrey Tarasov

Is the right answer. You need to get someone to sell you a solution that will do what you ask. Would be my advice.

Intriguing. Well I am out of that for the moment so I will wait and see.


Yes, and I appreciate you taking your time... :-)

I'm still not sure which is which. Guess I'll need to look at the Cisco product pages a little more.

So, the 6500 with a Sup32 is about the same performance as a 4507R?

Really? What should we be careful about?


The backplane limits the traffic between slots to 32 Gbps or so.

By contrast a 4500 with a Sup5 or later gets at least 6 Gbps per slot thru its fabric - so the balance depends on how many slots you populate.

Having said that - if you want more than 32 Gbps thru VPN + F/wall you have other problems to worry about....

Note the FWSM is fast but fairly old - AFAIR not up to the same features as a high end ASA.


It's really not about my time - after all I'm not chained to the keyboard and nobody is forcing me to answer. Two things - face-to-face communication is much quicker, and second - NDA. There is just so much people can answer in a public forum.

Here is the link to the VPN service module - as you can see it's end-of-life. The replacement is the SPA-IPSEC-2G and 7600-SSC-400 combo.

Pretty close. Unless you are going to run the 6500 chassis with a single GigE module. In that case the 6500 will be faster.

One word - Nexus.

Regards, Andrey.


Why are you replacing the 4507? Do you need more slots or more throughput? If it's throughput how do you know the 4507 is the bottleneck?

On another note, I have yet to see a network design in which a 6500 service module provided any value over using a separate device. The FWSM is very expensive, and does not have the performance or all the features of an ASA. From talk I've heard from Cisco, the FWSM is also nearing EOS.


Please don't compare the Cat4500 series with the Cat6500 series switches, as the Cat6500 is much more flexible... With a Cat6500, you can:

- deploy Service Modules (load-balancers, firewalls, IDS, wireless controller...)
- install WAN cards (ATM OC48/STM16 or OC192/STM64, 10GigEth WAN PHY...)
- run MPLS protocols (yes, the Cat6500 is more a router than a switch)
- use distributed CEF (Cat4500 line cards are 100% passive)
- configure NAT (it's the only Cisco switch supporting NAT - even if it does not perform very well)
- run VSS on a pair of distant chassis (VSS allows two Cat6500 chassis to share the same control plane using 10G links as "backplane interconnects"; VSS requires specific supervisor and line cards)
- use reflexive ACLs
- run NetFlow (FYI, NetFlow was an option on the SupIV and it was integrated on the SupV-10G for the Cat4500 - NetFlow is not available on Cisco's standalone switches)

Nevertheless, if you don't need these features, you should consider the new Sup6-E supervisor card for the 4500-E series switch (up to 320 Gbps per system and up to 5 line cards connected to the backplane @ 24 Gbps per slot / new non-blocking 24-SFP-slot "E" card / new 6-port 10G "E" card / new 48-port GbE RJ45 "E" card; all these cards can support Jumbo frames). The "only" bad news with the Sup6-E is the lack of NetFlow support (moreover there's no slot on the Sup6-E for an optional NetFlow daughter card... so we have to wait for the next generation of supervisor cards for the 4500E series).

If you really need advanced features, you should consider the Nexus series switches (Nexus 5000 with fabric extenders are probably a cost-effective solution for GbE/10GbE LAYER-2 switching - Nexus 7000 is more or less dedicated to large datacenters).

Good luck.

- Ludal -

Ludovic BOISSEAU