Firepower 2100 –The Architectural “Need to Know”
Why the new Firepower 2100 is not at all like the Firepower 4100 and not like a ASA5516-X either?
Legacy Firewalling–ASA5512-X to ASA5555-X
This ASA platform is probably the most used today. The reason for this is the performance and modularity. It does support three different IPS engines and the possibility to add more 1Gbit interfaces on the higher end devices.
This block diagram above depicts the architecture of the ASA5512-X through ASA5555-X. The ASA5512-X and ASA5515-X have already been replaced with the newer ASA5508-X and ASA5516-X platform, and now the Firepower 2100 is supposed to relieve the ASA5525-X, ASA5545-X and ASA5555-X platforms of their duties.
Legacy upgrades – ASA5508-X and ASA5516-X
The replacing of the ASA5512-X and ASA5515-X was long overdue, but Cisco hit a soft spot with the customers with the ASA5508-X and ASA5516-X. The price-performance ratio was great for small customers and branches with the option to install Firepower Threat Defense for increased security.
You should make a note of the placement of the NPU and compare it to the ASA5512-X to ASA5555-X platform. The NPU on this platform is doing most crypto tasks for IPSec and SSL VPN, just like the crypto engine used to do without the limitation of a system bus connecting the external NICs.
If you want to migrate to Cisco’s Next-Generation Firewall, you can read the ASA 5500-X Series Migration Options
Legacy Firewalls |
Migration to Cisco NGFW |
Cisco ASA 5505 | Cisco ASA 5506-X |
Cisco ASA 5510 | Cisco ASA 5508-X |
Cisco ASA 5512-X | Cisco ASA 5516-X |
Cisco ASA 5515-X | Cisco ASA 5516-X |
Cisco ASA 5520 |
Cisco ASA 5525-X or Cisco FirePower 2100 Series |
Cisco ASA 5540 | Cisco ASA 5545-X or Cisco FirePower 2100 Series |
Cisco ASA 5550 | Cisco ASA 5555-X or Cisco FirePower 2100 Series |
Cisco ASA 5580 | Cisco FirePower 4100 Series |
Cisco ASA 5585-X | Cisco FirePower 4100 Series |
Finding the sweet spot – Firepower 2100
With Firepower 2100 being the youngest brother in the Firepower appliance series, Cisco took a step back towards the ASA X-series architecture. In this we have no supervisor in charge of the switching fabric or the networking interfaces. Everything is owned by the security module itself and this gives us an advantage in the direction of single box deployment management. On-box management is possible on the new Firepower 2100 series appliances but it is not possible on the 4100 nor the 9300 series. Under the hood of the operating system on the 2100 there is a small subset of the FXOS features needed to handle the interface configuration. The main difference (secret sauce) between the 5516-X architecture and the Firepower 2100 is that the NPU is not just used for crypto operations anymore. The new line also uses this NPU for layer 2 – 4 firewall operations and “fast path” traffic offloading. This is a great architectural step forward, but it is of course not as streamlined as the 4100 or 9300 series, where the Smart NIC is doing the traffic offloading and yet another NPU is handling the crypto operations. Personally, I like that every chip is made for specific problems, in opposite to one chip doing all kinds of tasks it was not optimized for.
As of Firepower Threat Defense 6.2 Active/Standby failover is possible on both the 2100, 4100 and 9300. Active/Active will be possible when the multi-context feature will be included in the FTD image. Clustering is unfortunately only supported on the 4100 and the 9300 appliances. Five 9300 chassis can be clustered with three security modules each, while sixteen 4100 appliances can be clustered.
The Firepower 2110 and 2120 appliances come with 12 x 1Gbit RJ-45 ports and 4 x 1Gbit SFP ports with no options to expand this. This is a great rip and replace option for the current owners of the ASA5525-X, ASA5545-X and ASA5555-X firewalls. If you need to upgrade the edge firewall to 10Gbit you will need to buy either the 2130 or 2140 appliances. The Firepower 2130 and 2140 also come with the same 12 x 1Gbit RJ-45 ports as the lower end Firepower 2100 models. Along with this there is 4 x 10Gbit SFP+ ports and the option to put a network module (NM) card to add an additional 8 x 10Gbit SFP+ ports. Fail-to-wire network modules will be available. I do not expect 40Gbit interfaces to be available for this platform.
The Firepower 2100 is a great next generation firewall. As I see it the popularity of this will depend on two things;
- The price. If it is too expensive customers will find another firewall manufacturer and buy a cheaper model with the same specifications.
- The feature set. If the features of the ASA software is not implemented in FTD in haste the customer is forced to keep buying ASA X series or, again, go to another manufacturer.
Original article From https://blogs.cisco.com/perspectives/firepower-2100-the-architectural-need-to-know
More Related
The New Cisco Firepower 2100 Series
The Most Common NGFW Deployment Scenarios
EoS and EoL Announcement for the Cisco ASA 5512-X and ASA 5515-X
Cisco’s High-end Next Generation Firewalls-Firepower 4100 and 9300 Series