Articles Tagged ‘hardware modules’

Cisco ASA 5500 Series Firewall Modules & Cards – Content Security (CSC-SSM), IPS - IDS (AIP SCC & AIP SSM) Hardware Modules

Cisco’s Adaptive Security Appliance (ASA) Firewalls are one of the most popular and proven security solutions in the industry. Since the introduction of the PIX and ASA Firewall into the market, Cisco has been continuously expanding its firewall security features and intrusion detection/prevention capabilities to adapt to the evolving security threats while integrating with other mission-critical technologies to protect corporate networks and data centers.

In recent years, we’ve seen Cisco tightly integrate separate security technologies such as Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) within the ASA Firewall appliances in the form of hardware module add-ons (older 5500 series & newer 5500-X series) and, recently, software modules supported only by the newer ASA 5500-X series security appliances.

With the addition of the software or hardware module, customers are able to increase the firewall’s security and protection capabilities while at the same time simplifying security management and administration by dealing with a single firewall device instead of multiple firewall, IPS or IDS devices.

While this article covers the hardware modules available for the Cisco ASA 5500 Firewall series, upcoming articles will cover both software and hardware modules along with Cisco FirePOWER & FireSIGHT management services for the newer ASA 5500-X series.

Note: The Cisco ASA 5500 series hardware modules for ASA-5505, ASA 5510, ASA 5520 & ASA 5540 have been announced as End-of-Sale & End-of-Life. The modules below are no longer sold by Cisco; however, they will be fully supported until the 30th of September 2018.

Users interested in the newer ASA 5500-X IPS, Context-Aware and FirePOWER services can read our article Cisco ASA 5500-X Series Firewall with IPS, ASA CX & FirePower Services. Application Visibility and Control (AVC), Web Security, Botnet Filtering & IPS / IDS.

Hardware Modules for ASA 5500 Series Firewalls

The ASA 5500 series Firewalls (ASA-5505, ASA 5510, ASA 5520, ASA 5540, etc.) were the first security appliances with the capability to integrate hardware modules for enhanced security and threat protection.

To help target different markets and security requirements, Cisco split its hardware module offerings into two distinct categories:

  • Content Security and Control Security Services (CSC-SSM)
  • Advanced Inspection and Prevention Security Services (AIP-SCC & AIP-SSM)

Each hardware module card is equipped with its own CPU, RAM and Flash storage space, running a separate operating system that integrates with the ASA Firewall via its internal network ports.

Let’s take a brief look at each category.

The Content Security and Control Security Services Modules

The Content Security and Control Security Services module aims to cover corporate environments where comprehensive malware protection, advanced content filtering (including Web Caching, URL filtering, anti-phishing), and anti-spam filtering are required. This all-in-one hardware module solution is capable of providing a wealth of security and control capabilities essential for networks of all sizes.

Following are the hardware modules supporting Content Security and Control Security Services:

Cisco Nexus 7000 Series Module Shutdown and Removal Procedure

This article explains the procedure that should be followed to correctly shut down/power down a Cisco Nexus 7000 series module and remove it from the chassis. We also include important tips that will help ensure you avoid common problems and mistakes during the removal procedure.

The Nexus 7010 is one of the larger data center switches in the Nexus portfolio, found in most enterprise-class data centers. Even though the Nexus 7000 series switches have been in the market since 2008, there are still a lot of data centers powering their core infrastructure using the well-known Cisco Catalyst series.

The Nexus 7000 series switches are designed for continuous operation, which means all parts are hot-swappable thereby eliminating downtime for upgrades or parts replacement.

The process covered in this installation guide can be used with all Nexus 7000 series modules including:

  • 48-port 10/100/1000 Ethernet module (N7K-M148GT-11)
  • 48-port 10/100/1000 Ethernet module with XL option (N7K-M148GT-11L)
  • 48-port 1-Gigabit Ethernet I/O module (N7K-M148GS-11)
  • 48-port 1-Gigabit Ethernet I/O module with XL option (N7K-M148GS-11L)
  • 48-port 1-/10-Gigabit Ethernet I/O modules with XL (N7K-F248XP-25 and N7K-F248XP-25E)
  • 32-port 10-Gigabit Ethernet I/O module (N7K-M132XP-12)
  • 32-port 10-Gigabit Ethernet I/O module with XL option (N7K-M132XP-12L)
  • 32-port 1- and 10-Gigabit Ethernet I/O module (N7K-F132XP-15)
  • 8-port 10-Gigabit Ethernet I/O module with XL option (N7K-M108X2-12L)

Step 1. Nexus 7000 Module Shutdown - Poweroff

The Nexus 7000 series modules are hot swappable and support automatic shutdown when ejected; however, it is always advisable to power off the module before removing it. If the module is to be removed or swapped with a different module type, it is advisable to also ensure all configuration associated with the old module’s ports is cleared and the ports are shut down before the module is removed.

Locate the slot number of the module to be uninstalled and remove all attached cables. It is very important that no cables are attached to the module and that there is enough space on both sides of the module. In our example we’ll be removing the module located in slot No.9:

Figure 1. Nexus 7010 with module No.9 to be removed.

Issuing the show module 9 command will reveal the module’s model, status, capabilities, serial number and diagnostic status:

FCX_NEXUS_7010# show module 9
Mod Ports Module-Type                         Model             Status
--- ----- ----------------------------------- ------------------ ----------
9   48     10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L     ok
Mod Sw             Hw
--- -------------- ------
9   6.0(2)         1.0    
Mod MAC-Address(es)                         Serial-Num
--- -------------------------------------- ----------
9   e8-b7-48-d4-75-00 to e8-b7-48-d4-75-34 JAF1327BFHA
Mod Online Diag Status
--- ------------------
9   Pass
 
Chassis Ejector Support: Enabled
Ejector Status:
Top ejector CLOSE, Bottom ejector CLOSE, Module HW does support ejector based shutdown.

The output of the show module command is also reflected on the module’s status LED. A green Status LED, as shown in the photo on the left, tells us that the module is currently online (powered on) and operating.

The orange interface LEDs confirm that the interfaces are in a shutdown state.

The specific card we are about to remove is a 48-port 10/100/1000 Ethernet card (N7K-M148GT-11L):

Figure 2. Nexus 7000 Module Status and Interface LEDs

Now proceed to power off the module using the poweroff module 9 command:
