Tuesday, June 10, 2008

Cisco Woes

I am going to make a suggestion: do NOT put Cisco non-switching blades into a Catalyst switch. I am talking specifically about the IDSM and ACE modules, but I'm not impressed with the FWSM either.

IDSM2 Blades:

You should be able to add and remove individual blades without affecting the switch. I can assure you that this is not the case with the IDSM. I do not have these issues with the ASA IPS module...but the IDSM2 is a nightmare.

Why would Cisco create an IDS/IPS system that doesn't have remote syslog capabilities? Why must you enable or disable SNMP traps on individual signatures? Is remote logging not a critical requirement when it comes to security monitoring? I guess they just want you to dump a couple grand into the MARS system.

ACE Blades:

Hrmm...I don't know that I can even document how unimpressed I am with these blades. These are buggy as hell to start with; I've only been working with them for a few months and have already run into several show-stopping bugs.

Add to that the documentation...less than necessary to really administer them. I'm not an idiot...so it annoys me that I have to put in TAC cases for configuration help simply because it's not properly documented.

FWSM:

These blades have their pros and cons. I don't hate them like the IDSM2, I think they are a great idea. What annoys me is that some of the debugging tools available on the ASAs and PIXs are not available on the FWSM.

What I want to see is 'packet-tracer'; is that too much to ask? How about some line numbers on the ACLs so I can adjust the policy for performance without having to re-do the entire list?
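For readers who haven't used them, here is what those two ASA features look like in practice. This is an added illustration, not part of the original post and not a configuration from the author's environment; the hostname, interface name, ACL name, addresses and hit counts are made up, and the show output is abbreviated.

```text
! ASA (not FWSM): trace a synthetic inbound HTTP packet through the whole
! policy (ACL, NAT, inspection) without generating real traffic.
! Hostname, interface, addresses and ports below are invented for illustration.
ciscoasa# packet-tracer input outside tcp 203.0.113.5 40000 192.0.2.10 80 detailed

! ASA ACLs carry line numbers and per-line hit counts, so the most-matched
! entries can be found and moved up without rebuilding the list.
! (show output abbreviated; hit counts are made up)
ciscoasa# show access-list OUTSIDE_IN
access-list OUTSIDE_IN line 1 extended permit tcp any host 192.0.2.20 eq 443 (hitcnt=12)
access-list OUTSIDE_IN line 2 extended permit udp any host 192.0.2.30 eq 53 (hitcnt=9)
access-list OUTSIDE_IN line 3 extended permit tcp any host 192.0.2.10 eq 80 (hitcnt=48213)

! Move the busy web rule to the top: remove it, then re-add it at line 1.
! Caveat: between the two commands that traffic falls through to the implicit
! deny, so do this in a maintenance window or insert first and remove second.
ciscoasa(config)# no access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
ciscoasa(config)# access-list OUTSIDE_IN line 1 extended permit tcp any host 192.0.2.10 eq 80

! Without line-number support, the only way to reorder is to wipe the list
! and re-enter every entry in the new order:
ciscoasa(config)# clear configure access-list OUTSIDE_IN
```

Checking `show access-list` hit counts before reordering is the part that matters for performance work: the ACL is evaluated top-down, so the entries that match most traffic belong nearest the top.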

Switching and routing are Cisco's strong points...but application-level stuff...just induces headaches.