Overview of FWSM Firewall

As previously mentioned, the FWSM is like the PIX Firewall/ASA in that they are both stateful, as discussed in detail in Chapter 3. The difference between the FWSM and PIX/ASA lies in the unique and complex architecture of the FWSM, which is discussed next.

FWSM Architecture

A block diagram (Figure 4-1) best explains the architecture of FWSM.

Figure 4-1. FWSM Hardware Block Diagram


The different components of the FWSM that are pictured in Figure 4-1 are discussed in the sections that follow.

Control Plane (CP)

The FWSM module comprises primarily two elements: a CP, and a daughter card that hosts three Network Processors (NPs). Most of the memory-intensive tasks and complex operations are performed in the CP. The high performance is achieved by moving the frequently used simple tasks within the packet processing to the Network Processors. The CP is responsible for the following tasks:

  • Layer 7 fixups

  • Overall management of the blade

  • Supervisory functions for each NP

  • Running of routing protocols

  • Preliminary compilation of the access rules before downloading them into the slow NP

The CP has two Gigabit Ethernet ports connected to the Session Management Path NP (NP3), which is discussed next. You can verify the Gigabit Ethernet ports on the CP by executing the show nic command.

Network Processors (NP)

The Network Processor performs a subset of functions for the FWSM. Each NP has four Gigabit Ethernet interfaces. FWSM consists of the following three NPs:

  • Session Management Path Network Processor (NP3): The Session Management Path, shown in Figure 4-1, is referred to as NP3. NP3 connects to the CP using two Gigabit Ethernet ports (ports 3 and 4). Ports 1 and 2 are connected to the Fast Path Network Processors (NP1 and NP2).

  • Fast Path Network Processors (NP1 and NP2): The Fast Path NPs are referred to as NP1 and NP2. The fourth Gigabit Ethernet port of each NP connects to ports 1 and 2 of NP3. This leaves three available Gigabit Ethernet ports on each Fast Path NP (NP1 and NP2) to connect with the Catalyst 6500/7600 switching crossbar-SFM (offers 256 GBps) or backplane (offers 32 GBps). Hence, there are a total of six Gigabit Ethernet ports from the Fast Path NPs (NP1 and NP2), which form an EtherChannel to connect with the switch (Catalyst 6500/7600) bus/crossbar. The EtherChannel that is formed uses the six Gigabit Ethernet ports of the Fast Path NPs.

EtherChannel

To maximize the efficiency of the six Gigabit Ethernet interfaces between the Fast Path NPs and the Pinnacle, the switch software automatically bundles them together and creates an 802.1Q trunking EtherChannel connection. With a FWSM installed in slot 3, Example 4-1 shows the EtherChannel characteristics for slot 3.