Comments on Cisco IOS hints and tricks: Followup: zone-based firewall performance

Ivan Pepelnjak (2008-06-26T07:12:00.000+02:00):

Thanks for the feedback. I suspected that they use the same infrastructure, but it's nice to get the confirmation.

I'll write another post detailing the design I wrote about ... obviously I have a bit of a problem getting the wording right every now and then :) After all, English is not my native language.

Brian (2008-06-26T00:01:00.000+02:00):

The discrepancy between the two docs is the result of an error when the "Integrated Firewall Solutions" was updated, shortly before the ASR launch. Zone Firewall in all releases between 12.4(6)T and 12.4(15)T applies the same basic underpinnings as Classic FW, so performance should be roughly on par, unless application-specific inspection is applied.

Regarding the comment about David's observation; I'm not sure I understand the significance. If you need to apply policy between interfaces, they need to be in different zones. Unless I'm mistaken, that's the well-known expectation for using Zone Firewall. Granted, this behavior has limits in cases where very large numbers are all assigned to unique zones, because managing the number of zone-pairs could become tedious. In this case, the firewall would need to offer a capability to apply intra-zone policy between interfaces. I bet that if you wait long enough, you'll see this happen.