Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 2.3
Specifications
Downloads: This chapterpdf (PDF - 192.0KB) The complete bookPDF (PDF - 4.49MB) | Feedback

Specifications

Table Of Contents

Specifications

Physical Attributes

Feature Limits

Managed System Resources

Fixed System Resources

Rule Limits


Specifications


This chapter lists the specifications of the Firewall Services Module (FWSM) and includes the following sections:

Physical Attributes

Feature Limits

Managed System Resources

Fixed System Resources

Rule Limits

Physical Attributes

Table A-1 lists the physical attributes of the FWSM.

Table A-1 Physical Attributes 

Specification
Description

Bandwidth

CEF256 line card with a 6-Gbps path to the Switch Fabric Module (if present) or the 32-Gbps shared bus.

Memory

1 GB RAM.

128-MB Flash memory.

Modules per switch

Maximum four modules per switch.

If you are using failover, you can still only have four modules per switch even if two of them are in standby mode.


Feature Limits

Table A-2 lists the feature limits for the FWSM.

Table A-2 Feature Limits 

Specification
Context Mode
Single
Multiple

AAA servers (RADIUS and TACACS+)

16

4 per context

Failover interface monitoring

250

250 divided between all contexts

Filtering servers (Websense Enterprise and Sentian by N2H2)

16

4 per context

Jumbo Ethernet packets

8500 Bytes

8500 Bytes

Security contexts

N/A

100 security contexts (depending on your software license).

Syslog servers

16

4 per context

VLAN interfaces

   

Routed Mode

256

256 per context

The FWSM has an overall limit of 1000 VLAN interfaces divided between all contexts. You can share outside interfaces between contexts, and in some circumstances, you can share inside interfaces.

Transparent Mode

2

2 per context


Managed System Resources

Table A-3 lists the managed system resources of the FWSM. You can manage these resources per context using the resource manager. See the "Configuring Resource Management" section on page 5-10.

Table A-3 Managed System Resources 

Specification
Context Mode
Single
Multiple

MAC addresses (transparent firewall mode only)

64,000

64,000 divided between all contexts

Hosts allowed to connect through the FWSM, concurrent

256,000

256,000 divided between all contexts

Inspection engine connections, rate

10,000 per second

10,000 per second divided between all contexts

IPSec management connections, concurrent

5

5 per context

Maximum of 10 divided between all contexts

PDM management sessions, concurrent1

5

Up to 5 per context

Maximum of 32 divided between all contexts

NAT translations, concurrent

256,000

256,000 divided between all contexts

SSH2 management connections, concurrent

5

5 per context

Maximum of 100 divided between all contexts

System messages, rate

30,000 per second for messages sent to the FWSM terminal or buffer

25,000 per second for messages sent to a syslog server

30,000 per second divided between all contexts for messages sent to the FWSM terminal or buffer

25,000 per second divided between all contexts for messages sent to a syslog server

TCP3 or UDP4 connections5 between any two hosts, including connections between one host and multiple other hosts, concurrent and rate6

999,900

100,000 per second

999,900 divided between all contexts

100,000 per second divided between all contexts

Telnet management connections, concurrent

5

5 per context

Maximum of 100 connections divided between all contexts.

1 PDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 PDM sessions represents a limit of 64 HTTPS connections.

2 Secure Shell

3 Transmission Control Protocol

4 User Datagram Protocol

5 The FWSM might take up to 500 ms to remove a connection that is marked for deletion. Because any traffic on the connection is dropped during this period, you cannot initiate a new connection to the same destination using the same source and destination ports until the connection is deleted. Although most TCP applications do not resuse the same ports in back-to-back connections, RSH might reuse the same ports. If you use RSH or any other application that resuses the same ports in back-to-back connections, the FWSM might drop packets.

6 Because Port Address Translation (PAT) requires a separate translation for each connection, the effective limit of connections using PAT is the translation limit (256,000), not the higher connection limit. To use the connection limit, you need to use NAT, which allows multiple connections using the same translation session.


Fixed System Resources

Table A-4 lists the fixed system resources of the FWSM.

Table A-4 Fixed System Resources 

Specification
Context Mode
Single
Multiple

AAA1 connections, rate

80 per second

80 per second divided between all contexts

ACL logging flows, concurrent

32,000

32,000 divided between all contexts

Alias statements

1000

1000 divided between all contexts

ARP2 table entries, concurrent

64,000

64,00 divided between all contexts

DNS inspections, rate

5000 per second

5000 per second divided between all contexts

Global statements

1051

1051 divided between all contexts

Inspection engine (fixup) statements

32

32 per context3

NAT statements

2000

2000 divided between all contexts

Packet reassembly, concurrent

30,000

30,000 fragments divided between all contexts

Route table entries, concurrent

32,000

32,000 divided between all contexts

Shun statements

5000

5000 divided between all contexts

SIP connections, concurrent

5000

5000 divided between all contexts

Static NAT statements

2000

2000 divided between all contexts

TFTP sessions, concurrent4

999,100

999,100 divided between all contexts

User authentication sessions, concurrent

50,000

50,000 divided between all contexts

User authorization sessions, concurrent

150,000

Maximum 15 sessions per user.

150,000 divided between all contexts

Maximum 15 sessions per user.

1 authentication, authorization, and accounting

2 Address Resolution Protocol

3 This limit includes the following inspection engines that are enabled by default, making the total number of configurable inspection engines 27: TFTP, Sun RPC over UDP, NetBIOS NameServer, XDMCP, and CUSeeMe. The OraServ and RealAudio inspection engines, which are also enabled by default, do not affect this limit.

4 In FWSM Version 1.1, the number of TFTP sessions was limited to 1024 sessions.


Rule Limits

The FWSM supports approximately 80K rules for the entire system in single mode, and 142K rules for multiple mode.

In multiple context mode, each context supports at most 12,130 rules, but the actual number of rules supported in a context might be less, depending on how many contexts you have. A context belongs to one of 12 pools that offers a maximum of 12,130 rules. The FWSM assigns contexts to the pools in the order they are loaded at startup. For example, if you have 12 contexts, each context is assigned to its own pool, and can use 12,130 rules. If you add one more context, then context number 1 and the new context number 13 are both assigned to pool 1, and can use 12,130 rules divided between them; the other 11 contexts continue to use 12,130 rules each. If you delete contexts, the pool membership does not shift, so you might have some unequal distribution until you reboot, at which time the contexts are evenly distributed.


Note Rules are used up on a first come, first served basis, so one context might use more rules than another context.


Table A-5 lists the maximum number of each rule type.

Table A-5 Rule Limits 

Specification
Context Mode
Single
Multiple (Maximum per Pool)

AAA Rules

3942

6061

ACEs2

63,078

9704

Downloaded ACEs for network access authorization

3000

3000

Established Rules

788

121

Filter Rules

3942

606

ICMP3 , Telnet, SSH, and HTTP4 Rules

2365

363

Policy NAT ACEs

3942

606

1 For example, if you have 96 contexts evenly distributed among the 12 pools, so there are 8 contexts per pool, each context can use 75 filter rules, if evenly divided.

2 access control entries

3 Internet Control Message Protocol

4 HyperText Transfer Protocol