Catalyst 6500 ASA Service Module

We were also fortunate to have Chris Morosco from Cisco join BreakingPoint's Mike Hamilton to talk about and demonstrate a live test of the Catalyst 6500 ASA Service Module, which was made up of four ASA 5585x security blades in a Catalyst 6500 switch.

  • We are constantly evolving our products and portfolio to match the changing needs of our customers. To do this well, we need to keep a close eye on changes in the market and in customers' environments over time, and ensure our products keep up with those changes.
    Several trends became clear that needed to be addressed. First, we noticed a change in the performance characteristics in customers' environments. While performance requirements continued to increase, the mix started to change more and more over time. This has largely been due to the evolution of the devices that are connecting to the network. In the past it was mostly PCs connecting to the network. Now the devices connecting to the network are increasingly smaller ones, such as phones and tablets. These devices tend to use a lot of connections but less throughput than a traditional PC requires. Some employees may have several of these devices at once, further increasing the problem. This change is shifting the performance demands from raw throughput to a more mixed profile that increasingly requires higher numbers of sessions and connections per second to keep up.
    Space and power are two more key areas that we see as critical for customers: the needed capacity has to be delivered without increasing either. There is an increasing requirement for networks and data centers to become green, and reducing overall power usage is becoming a large concern. This has other key advantages as well, as any reduction in power draw also reduces costs by reducing the power load needed to run the network. A reduction in power also translates into a reduction in cooling costs, which are also a substantial part of the operating cost of a network.
    We also see that actual space in the rack has been and continues to be an issue for customers. Rack space is precious and can often be costly if managed by another company, or it simply isn't available, so any reduction in rack space also leads to increased operating cost savings.
    Market trends
    Performance characteristics changed
    More phones, iPads and multi-device users
    More connections with less throughput per connection
    Space and power key
    Green networks
    Cost savings are large
  • To solve these and other challenges we have developed the ASA 5585-X platform. It runs the same ASA software as the other ASA 5500 products and uses the same management as well. Because of this, we are able to immediately take advantage of all the award-winning capabilities of the ASA software on a next-generation hardware platform. This includes everything you'd expect from an ASA: a full suite of remote access solutions, a fully capable firewall and a no-compromise IPS solution in the same platform.
    Runs existing ASA software (FW, IPS, VPN)
    Next generation HW
  • The 5585 was designed from the beginning for flexibility and simple scalability. Since it is a passive chassis, we have the ability to offer a variety of firewall and IPS modules at various performance and capacity levels to match your needs. You can start out with a slower module and, as your needs increase, easily replace it without having to remove the chassis or worry about changes to your configuration or policy. Simply swap out the existing module for a faster one, reload your existing config and policy, and you are ready to go.
    Now let's take a look at the performance numbers for these four modules. Since performance is very dependent on the environment the product runs in and the policy defined in it, we typically list performance in one of three ways: best case (though not realistic); IMIX, which is a router standard that is a more accurate interpretation of performance based on different packet types and sizes; and EMIX, which is a unique mix based on an even more realistic test of mixed multi-protocol application access. We have teamed up with BreakingPoint to ensure we have the most accurate performance numbers we can get.
    The numbers listed here are for EMIX. We also publish our IMIX and best-case numbers in our data sheets. Those numbers are even higher, with the highest-end module being 40 Gbps, for example. So when you do a data sheet comparison, be sure you look at the apples-to-apples numbers. Some vendors don't publish anything except their best-case number, because in a realistic environment they can see a drop of 60-70% from their best-case numbers.
    Designed to scale.
    Perf measured in three ways: Best, IMIX, EMIX
  • The Catalyst 6500 is still a very popular switch and is selling very well both as a distribution switch and in a new role as a service switch. Development is planned well into the future with a rich and long roadmap. An example of this is the brand new Supervisor that was just announced to greatly improve the performance and capacities of the switch. Add to that the new ASASM and several other important pieces coming soon, such as higher speed interface cards, and you can see that Cisco is fully committed to the Catalyst 6500 for a long time to come.
    The performance and features have greatly improved with the ASASM, as you mentioned. The backplane connectivity has also improved significantly. With the FWSM you had six 1 Gb links to the backplane. Now with the ASASM you have two 10 Gb links instead. So the backplane went from 6 Gb total to 20 Gb total. More importantly, the link per flow has increased from 1 Gb to 10 Gb.
    The ASASM is more expensive than the FWSM at $115k before discount, but it is also much more capable and much faster. If you compare the ASASM to the FWSM, it is about 5 times the throughput overall. If you look at other measurements, such as maximum number of connections, the ASASM is closer to 10x more capable than the FWSM.
    The ASASM is really more a new form factor of the 5585-X SSP-60 than an FWSM 2, though, since they share the same architecture and software. So price comparisons to competitive products are the best way to look at what you are getting for the money.
    To put the performance into perspective, at 16 Gbps the ASASM is more than twice as fast per blade as the fastest network security competitor, based on a real-world, multi-protocol test. If you put four of these in a single switch you get to 64 Gbps multi-protocol throughput. No other product in the market can even come close to that in a single chassis.
    Beyond performance, it also has much higher capacity. At 10 million sessions it is 2 to 4 times the competition at a better price point. To get to the same capacities from a competitor you need to spend more than 5 times as much. Even then the security and switching are not integrated, and you end up taking up a lot more rack space and using a lot more power.
    Because of this significant increase in performance and capacities, your CAPEX savings with an ASASM are up to 80%, depending on what metric is important to your network. If it's throughput only, the CAPEX saving is closer to 50%. If maximum connections and connections per second are what matter to you, then the CAPEX saving is closer to 80%. Even more importantly, your OPEX saving can be up to 90% just from the decrease in power usage needed for a single ASASM versus a large chassis to get equivalent performance. If you are an existing FWSM customer and you apply the 15% discount, the value becomes even greater.

Transcript

  • 1. Catalyst 6500 ASA Service Module
  • 2. Increasing Demands
    4G
    3G
    Home Office
    Coffee Shop
    Airport
    Mobile User
    Corporate Office
  • 3. CONNECTIONS PER SECOND
    # OF CONCURRENT CONNECTIONS
    Power & Space
    THROUGHPUT
  • 4. MultiScale™
    Cisco ASA 5585-X
    Firewall
    IPS
    Remote access
  • 5. Cisco ASA 5500 Series Portfolio
    Comprehensive Solutions from SOHO to the Data Center
    Firewall and VPN Appliance
    ASA 5585 SSP-60 (20 Gbps, 350K cps)
    ASA 5585 SSP-40 (10 Gbps, 200K cps)
    Multi-Service (Firewall/VPN and IPS)
    ASA 5585 SSP-20 (5 Gbps, 125K cps)
    ASA 5585 SSP-10 (2 Gbps, 50K cps)
    ASA 5540 (650 Mbps, 25K cps)
    Performance and Scalability
    ASA 5520 (450 Mbps, 12K cps)
    ASA 5510 (300 Mbps, 9K cps)
    ASA 5505 (150 Mbps, 4K cps)
    FWSM (3 Gbps, 50K cps)
    Data Center
    Campus
    Branch Office
    SOHO
    Internet Edge
  • 6. Part of a Full Portfolio Solution
    Software focused and hardware agnostic
    Single code base for all deployments
    No compromising features for form factor
    All managed in the same way with the same tools
    ASDM
    CLI
    CSM
  • 7. Introducing the Cisco Catalyst 6500 series ASA Services Module
    • ASA security blade for the Catalyst 6500
    • 8. Places security directly into the datacenter backbone
    • 9. Simplified installation and greater flexibility
    • 10. High performance and capacity
    MultiScale™
  • 11. Cisco ASA 5500 Series Portfolio
    Comprehensive Solutions from SOHO to the Data Center
    Firewall and VPN Appliance
    ASA 5585 SSP-60 (20 Gbps, 350K cps)
    NEW
    ASA 5585 SSP-40 (10 Gbps, 200K cps)
    Multi-Service (Firewall/VPN and IPS)
    ASA 5585 SSP-20 (5 Gbps, 125K cps)
    ASA 5585 SSP-10 (2 Gbps, 50K cps)
    ASA 5540 (650 Mbps, 25K cps)
    Performance and Scalability
    ASA 5520 (450 Mbps, 12K cps)
    ASA 5510 (300 Mbps, 9K cps)
    ASA 5505 (150 Mbps, 4K cps)
    ASASM (16 Gbps, 300K cps)
    FWSM (3 Gbps, 100K cps)
    Data Center
    Campus
    Branch Office
    SOHO
    Internet Edge
  • 12. Targeted Deployment
    Available World-wide and Shipping Now
    20 Gbps firewall
    10 Gbps firewall
    5 Gbps firewall
    2 Gbps firewall
    16 Gbps firewall
    Data Center
    Campus
  • 13. Performance Measurements
  • 14. Performance Results
  • 15. Double the nearest competitor's performance
    Session count over four times the nearest competitor
    Best Per Blade Performance
  • 16. Best Solution Price and Performance
    CAT6K-E+ASASM
    Competitor
    ~40% more performance/capacity at less than half the price
  • 24. In Summary
    ASA security blade for the Catalyst 6500 Switch
    Best performance per blade in the industry
    Fastest single chassis performance in the industry
    Works with the majority of Catalyst 6500s
    Leverages the same software, management and feature roadmap as the other ASA products
    Lower Capex and Opex than competing solutions
    Simplifies installation and increases flexibility