Tuesday, June 10, 2008

Cisco Woes

I am going to make a suggestion, do NOT put Cisco non-switching blades into a catalyst switch. I am talking specifically about the IDSM and ACE modules, but I'm not impressed with the FWSM either.

IDSM2 Blades:

You should be able to add and remove individual blades without effecting the switch. I can assure you that this is not the case with the IDSM. I do not have these issues with the ASA IPS module...but the IDSM2 is a nightmare.

Why would cisco create and IDS/IPS system that doesn't have remote syslog capabilities? Why must you enable or disable SNMP traps on individual signatures? Is remote logging not a critical requirement when it comes to security monitoring? I guess they just want you to dump a couple grand into the MARS system.

ACE Blades:

Hrmm...I don't know that I can even document how unimpressed I am with these blades. These are buggy as hell to start with, I've only been working with it for a few months and have already run into several show stopping bugs.

Add to that the documentation...less than necessary to really administer them. I'm not an idiot...so it annoys me that I have to put in TAC cases for configuration help simply because its not properly documented.

FWSM:

These blades have their pros and cons. I don't hate them like the IDSM2, I think they are a great idea. What annoys me is that some of the debugging tools available on the ASAs and PIXs are not available on the FWSM.

What I want to see is 'packet-tracer' is that too much to ask? How about some line numbers on the ACLs so I can adjust the policy for performance without having to re-do the entire list?

Switching and routing are Cisco strong points.....but application level stuff....they just induce headaches.

No comments: