The Cisco Catalyst 6500 Series ASA Services Module

Q. What is the Cisco® Catalyst® 6500 Series ASA Services Module?
A. The Cisco Catalyst 6500 Series ASA Services Module is a high-speed, integrated network security module for Cisco Catalyst 6500 Series switches. Delivering industry-leading firewall data rates, this module provides exceptional scalability to meet the needs of today's dynamic organizations - in a single blade architecture.
Q. What are the benefits of the Cisco Catalyst 6500 Series ASA Services Module?
A. The Cisco Catalyst 6500 Series ASA Services Module seamlessly integrates with Cisco Catalyst 6500 Series switches. By taking advantage of the existing infrastructure to deliver new services, the ASA Services Module delivers superior return on investment (ROI) and greatly simplifies maintenance and management. Full firewall capabilities can be easily added by sliding a blade into an empty slot in the existing Cisco Catalyst 6500 Series switch - no additional rack space, cabling, power, or physical interface is required. It also works in tandem with other modules in the chassis to deliver robust security throughout the entire chassis, effectively making every port a security port.
Q. What kind of performance can the Cisco Catalyst 6500 Series ASA Services Module achieve?
A. The Cisco Catalyst 6500 Series ASA Services Module provides twice the performance and four times the session count of competitive network security modules.

| Metric | ASA Services Module |
|---|---|
| Maximum firewall throughput | 20 Gbps |
| Multiprotocol firewall throughput | 16 Gbps |
| Concurrent connections | 10,000,000 |
| Connections per second | 300,000 |
| Security contexts | 250 |
| VLANs | 1000 |

Q. How does the Cisco Catalyst 6500 Series ASA Services Module compare with the Cisco ASA 5585-X Adaptive Security Appliance?
A. The ASA Services Module is essentially the firewall component of the ASA 5585-X, but in a blade form factor. As such, the firewall performance and capabilities of the ASA Services Module are strikingly similar to those of the ASA 5585-X with a Security Services Processor 60 (SSP-60).

| Metric | ASA Services Module | ASA 5585-X w/SSP-60 |
|---|---|---|
| Maximum firewall throughput | 20 Gbps | 40 Gbps |
| Multiprotocol firewall throughput | 16 Gbps | 20 Gbps |
| Concurrent connections | 10,000,000 | 10,000,000 |
| Connections per second | 300,000 | 350,000 |
| Security contexts | 250 | 250 |
| VLANs | 1000 | 1000 |

Q. When would I buy a Cisco ASA 5585-X Adaptive Security Appliance instead of a Cisco Catalyst 6500 Series ASA Services Module?
A. It depends on your deployment. If you have a Cisco Nexus® 7000 Series deployment, an ASA 5585-X is a perfect fit. But if you are using a Cisco Catalyst 6500 Series switch, the ASA Services Module is more appropriate. In the end, it comes down to personal preference - some customers prefer that their firewall be integrated into the switch, while others want it as a separate appliance. That's the main advantage of having the same code base in multiple form factors. In addition, if intrusion prevention is a requirement, the ASA 5585-X appliance is a better choice, since it combines a full-featured firewall and a comprehensive IPS in a single 2-RU chassis.
Q. How does the ASA Services Module compare with the Firewall Services Module?
A. The Firewall Services Module is based on an older Cisco PIX® technology-based architecture. The ASA Services Module is based on the architecture of the ASA 5585-X; in fact, it runs the same code base. And while the ASA Services Module is expected to replace the Firewall Services Module over time, the ASA Services Module is really a new form factor of the ASA 5585-X. The ASA Services Module represents a dramatic step forward, reaping the performance and feature benefits of the ASA code base and achieving five times the performance of the Firewall Services Module.

| Metric | ASA Services Module | Firewall Services Module |
|---|---|---|
| Maximum firewall throughput | 20 Gbps | 5 Gbps |
| Multiprotocol firewall throughput | 16 Gbps | 3 Gbps |
| Concurrent connections | 10,000,000 | 1,000,000 |
| Connections per second | 300,000 | 100,000 |
| Security contexts | 250 | 250 |
| VLANs | 1000 | 1000 |

In addition, the major Firewall Services Module capabilities have been ported to the ASA Services Module.

| Capability | ASA Services Module | Firewall Services Module |
|---|---|---|
| Real-IP ACLs/Global ACLs | Yes | No |
| Bridge groups | 8 bridge groups, 4 interfaces each | 8 bridge groups, 2 interfaces each |
| Virtual contexts | 250 maximum | 250 maximum |
| Mixed-mode | Yes | Yes |
| Auto-state | Yes | Yes |
| Route health injection | No | Yes |
| VPNs | Management only | Management only |

Q. Which Cisco Catalyst chassis can run the ASA Services Module?
A. Any Cisco Catalyst 6500-E Series chassis can support the ASA Services Module. Switches older than these will not work with the ASA Services Module, due to power and cooling limitations. The following switches have been tested and are supported:

• WS-C6503-E: 3-slot chassis

• WS-C6504-E: 4-slot chassis

• WS-C6506-E: 6-slot chassis

• WS-C6509-E: 9-slot chassis

• WS-C6509-VE: 9-slot chassis

• WS-C6513-E: 13-slot chassis

Q. Which supervisor cards are supported by the Cisco Catalyst 6500 Series ASA Services Module?
A. The Cisco Catalyst Virtual Switching Supervisor 720-10G will be supported at FCS, and the Supervisor 720-3B will be certified shortly thereafter. The following cards have been tested and are (or will be) supported:

• VS-S720-10G-3C

• VS-S720-10G-3CXL

• WS-SUP720-3B

• WS-SUP720-3BXL

Q. What version of Cisco IOS® Software does the ASA Services Module require to work on Cisco Catalyst 6500-E Series switches?
A. The ASA Services Module requires Cisco IOS Software Release 12.2(33)SXJ or later.
Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
Q. Can an ASA Services Module and a Firewall Services Module simultaneously run in the same Cisco Catalyst 6500-E Series chassis?
A. Yes. The ASA Services Module and the Firewall Services Module can run simultaneously in the same chassis.
Q. What is the difference between the ASA Services Module and the Firewall Services Module?
A. The Cisco Catalyst 6500 Series ASA Services Module uses the same platform as Cisco ASA 5500 Series appliances - the most widely deployed firewall in the industry. The ASA platform is the subject of ongoing development to maximize performance and security efficacy, as well as add industry-leading innovations; the ASA Services Module will benefit from many of these development efforts as well. In contrast, the Firewall Services Module uses a separate platform that is maintained specifically for this product.
Q. Will the Cisco Catalyst 6500 Series ASA Services Module have its own unique software releases?
A. No. The ASA Services Module uses the same platform as the Cisco ASA 5500 Series appliances, and will receive the same platform releases as the rest of the ASA family.
Q. What are the differences between the software features that are available in the ASA Services Module and the Firewall Services Module?
A. The Cisco Catalyst 6500 Series ASA Services Module is based on the Cisco ASA 5500 Series appliance and is feature-to-feature compatible with Cisco ASA Software Version 8.4.1. As a result, the ASA Services Module has more advanced features, compared with the Firewall Services Module. However, some features that are present in the Firewall Services Module do not exist in the Cisco ASA 5500 Series, and will therefore not be present in the ASA Services Module. In the case of major features such as Layer 2/Layer 3 mixed-mode support and auto-state, the capabilities have been ported to the ASA Services Module to support those Firewall Services Module use cases.
Q. Are there any software features available in Cisco ASA 5500 Series appliances that are not supported in the Cisco Catalyst 6500 Series ASA Services Module?
A. Yes. While at FCS the ASA Services Module will use the feature set of Cisco ASA Software Version 8.4.1, not all features will be enabled. Specifically, VPN capabilities and Unified Communications licenses will not be available on the ASA Services Module at FCS. All other major features of Cisco ASA Software Version 8.4.1 will be available to the ASA Services Module at FCS.
Q. Does the ASA Services Module have any external interfaces?
A. No. The ASA Services Module only includes logical interfaces, which are located within the switch itself. The console port is virtual and accessible directly through the switch.
Q. How many rules does the Cisco Catalyst 6500 Series ASA Services Module support?
A. The ASA Services Module supports over two million firewall rules.
Q. How many virtual contexts and VLANs does the Cisco Catalyst 6500 Series ASA Services Module support?
A. The ASA Services Module supports 250 virtual contexts and 1000 VLANs. Virtual contexts are sold as a separate license.
Q. Does the Cisco Catalyst 6500 Series ASA Services Module support VPNs?
A. Not at FCS. The ASA Services Module is fully capable of supporting VPNs, but Cisco ASA Software has not yet been certified to work with VPNs.
Q. How do I manage the Cisco Catalyst 6500 Series ASA Services Module?
A. The ASA Services Module can be managed by either the embedded Cisco Adaptive Security Device Manager (ASDM) Version 6.5.1 or later, or by the enterprise-class Cisco Security Manager 4.2 or later.
Q. Will I have to upgrade my Cisco Catalyst 6500 Series Supervisor software to support the ASA Services Module?
A. Yes. You will need to be running Cisco IOS Software Release 12.2(33)SXJ or later to work with the ASA Services Module.
Q. Which Cisco Catalyst 6500 Series chassis slots can the ASA Services Module be placed into?
A. The ASA Services Module does not require a specific slot in the Cisco Catalyst 6500 Series chassis.
Q. Is the Cisco Catalyst 6500 Series ASA Services Module 64-bit?
A. Yes. The ASA Services Module runs Cisco ASA Software Version 8.5 at release, which is a 64-bit release based on Version 8.4.1. There will not be a 32-bit version of the ASA Services Module.
Q. How much memory does the Cisco Catalyst 6500 Series ASA Services Module have installed?
A. The ASA Services Module has 12 gigabytes of addressable memory.
Q. Does the Cisco Catalyst 6500 Series ASA Services Module support multicast?
A. Yes. Since the ASA Services Module uses the same code base as ASA appliances, it can support the same multicast features as well. This support includes multicast routing protocols like PIM-SM and IGMP stub-mode.
Q. Does the Cisco Catalyst 6500 Series ASA Services Module require a span reflector for multicast like the Firewall Services Module did?
A. No. The span reflector that was needed on the Firewall Services Module to pass multicast is no longer required.
Q. Can I migrate a Firewall Services Module configuration to the ASA Services Module?
A. Yes. A migration tool is provided on Cisco.com to migrate a Firewall Services Module configuration to an ASA Services Module configuration. Keep in mind that the ASA Services Module configuration will look much different than the Firewall Services Module configuration, including significant changes to the NAT and ACL configurations. The switch-side configuration in Cisco IOS Software is the same for the Firewall Services Module and the ASA Services Module.
Q. The Firewall Services Module has bridge groups and Layer 2/Layer 3 mixed mode in multicontext support, but ASA appliances do not. Will the ASA Services Module have these features?
A. Yes. To minimize the differences between the Firewall Services Module and the ASA Services Module, the ASA Services Module has added bridge groups and mixed context mode support.
Q. Can I migrate a Cisco ASA appliance configuration to the Cisco Catalyst 6500 Series ASA Services Module?
A. Yes, with a caveat. The ASA Services Module is configured like any other ASA appliance, so the configurations are compatible, with one notable exception: The ASA Services Module does not have physical interfaces (like Gigabit Ethernet 0/0); instead, it has VLAN interfaces (like VLAN142). As long as you change the ASA configuration to use VLAN interfaces instead of physical interfaces, you can load the configuration to the ASA Services Module, or simply copy it into the ASA Services Module.
Q. Does the Cisco Catalyst 6500 Series ASA Services Module use the new NAT system or global ACLs?
A. The ASA Services Module uses both, just like ASA appliances. Since Cisco ASA Software Version 8.5 on the ASA Services Module is a later version than when these features were added, the ASA Services Module will get the full benefit of NAT simplification and global ACLs.
Q. Since the Cisco Catalyst 6500 Series ASA Services Module uses the NAT system available with Cisco ASA Software Version 8.3 and later, can I load an earlier Cisco ASA Software configuration on the ASA Services Module?
A. Yes, but you cannot paste it in. Just like any other Cisco ASA appliance running Cisco ASA Software Version 8.3 or later, the ASA Services Module will migrate older configurations to the new NAT and Real-IP ACL systems. Also, just like other ASA appliances, you will need to load the earlier software configuration into the startup-configuration, then reload to activate the configuration migrator.
Q. Will the ASA Services Module support the Cisco Catalyst Virtual Switching System (VSS) at FCS?
A. Yes, depending on which supervisor you use. The ASA Services Module supports VSS either as a single firewall or as a failover pair of firewalls, when used with the Supervisor 720-10G (VS-S720-10G-3C and VS-S720-10G-3CXL). Transparent and multi-context modes also work with the VSS in this configuration. However, though the SUP 720-3B (WS-SUP720-3B and WS-SUP720-3BXL) is supported by the ASA Services Module, it is not capable of supporting the VSS.
Q. Does the ASA Services Module support Firewall Services Module licenses?
A. The ASA Services Module will use the same licenses as the ASA appliances. Firewall Services Module licenses are not used.
Q. Will Cisco Security Manager receive syslogs from the Cisco Catalyst 6500 Series ASA Services Module?
A. Yes. Cisco Security Manager can manage the ASA Services Module, as well as receive its log information.
Q. What will be the orderable PIDs (SKUs) for the Cisco Catalyst 6500 Series ASA Services Module?
A. The following PIDs will be available.

| PID | Description |
|---|---|
| WS-SVC-ASA-SM1-K9 | ASA Services Module for Cisco Catalyst 6500-E, 3DES/AES |
| WS-SVC-ASA-SM1-K9= | ASA Services Module for Cisco Catalyst 6500-E, 3DES/AES (Spare) |
| WS-SVC-ASA-SM1-K8 | ASA Services Module for Cisco Catalyst 6500-E, DES |
| WS-SVC-ASA-SM1-K8= | ASA Services Module for Cisco Catalyst 6500-E, DES (spare) |
| WS-SVC-ASA-SM1-K7 | ASA Services Module for Cisco Catalyst 6500-E, NPE |
| WS-SVC-ASA-SM1-K7= | ASA Services Module for Cisco Catalyst 6500-E, NPE (spare) |

Q. What licenses will be available for the Cisco Catalyst 6500 Series ASA Services Module?
A. The ASA Services Module will have several licenses available at launch, including Cisco ASA 5500 Series Security Contexts and Cisco ASA 5500 Series GTP licenses.

| License | Description |
|---|---|
| ASA5500-SC-5 | ASA 5500 5 Security Contexts License |
| ASA5500-SC-5= | ASA 5500 5 Security Contexts License |
| ASA5500-SC-10 | ASA 5500 10 Security Contexts License |
| ASA5500-SC-10= | ASA 5500 10 Security Contexts License |
| ASA5500-SC-20 | ASA 5500 20 Security Contexts License |
| ASA5500-SC-20= | ASA 5500 20 Security Contexts License |
| ASA5500-SC-50 | ASA 5500 50 Security Contexts License |
| ASA5500-SC-50= | ASA 5500 50 Security Contexts License |
| ASA5500-SC-100 | ASA 5500 100 Security Contexts License |
| ASA5500-SC-100= | ASA 5500 100 Security Contexts License |
| ASA5500-SC-250 | ASA 5500 250 Security Contexts License |
| ASA5500-SC-250= | ASA 5500 250 Security Contexts License |
| ASA5500-SC-5-10= | ASA 5500 Upgrade from 5 to 10 Security Contexts License |
| ASA5500-SC-10-20= | ASA 5500 Upgrade from 10 to 20 Security Contexts License |
| ASA5500-SC-20-50= | ASA 5500 Upgrade from 20 to 50 Security Contexts License |
| ASA5500-SC-50-100= | ASA 5500 Upgrade from 50 to 100 Security Contexts License |
| ASA5500-SC-100-250= | ASA 5500 Upgrade from 100 to 250 Security Contexts License |
| ASA5500-GTP | ASA 5500 GTP/GPRS Inspection License |
| ASA5500-GTP= | ASA 5500 GTP/GPRS Inspection License |