In article , Venkat wrote:
:We have a network in which different departments/teams are in different
:subnets that are connected using multiple Linux IPTables firewall
:boxes.
:Now the number of internal firewalls has become large (currently 7) and
:administering them is becoming difficult. So we want to consolidate
:them into a single firewall (eg PIX).
:Another point of view is that a layer 3 switch with Firewalling
:capability will be better in terms of cost and performance.
Cisco multilayer switches with firewalling capabilities are generally more expensive on a cost/performance basis -- you are paying a noticeable amount for the extra IOS functional features [which are certainly non-trivial on modern Cisco multilayer switches.]
For example, a Cisco 2811 Integrated Services router is about $US2000 street, and my analysis is that it cannot [always] saturate a 100 Mb/s line. The PIX 506E is half of that price, and can. So then you start getting into port-count questions, and whether the firewalling can distinguish between VLANs (to reduce the port count)... you'd probably want to start going up to a 2821 at least ($2800), and maybe a 2851 ($5K), and compare against a 515E or 525... you have to check what you are getting for your money. For example, the 2851 is faster than the PIX 525, but I dunno if you'd be able to handle 280000 concurrent connections on the 2851...
The Cisco Catalyst Multilayer Switches in the 35x0/37x0 series have ACLs and routes and QoS and other very nice goodies, but they don't have NAT and they don't have stateful firewalling.