Avoid Non-Cisco Expansion Cards in the PIX-515E
Mar 17th, 2004 by Alex
The Cisco PIX 515E Firewall is one hell of a versatile appliance. We won’t bother citing the performance specs since they are readily available on Cisco’s product page (linked above), but one of the nice features is its capability for expansion. Sure enough, if you open up the rear slot cover, you’ll see a PCI slot or two (depending on what components your model ships with). It’s sitting right there, staring you in the face, and it’s tempting to throw another network card in there. Here are a few reasons why you might not want to.
Sure, we were tempted. Our security team was on our backs to implement a fiber-only network outside of the racks. Buying and powering fiber-to-copper transceivers was beginning to be a royal pain, since most of the transceivers available seem to be cheap and unreliable. As usual, the Cisco-branded expansion cards follow suit with most other Cisco products, meaning they’re expensive. Sitting in the stockroom were several Intel 10/100/1000 multi-mode fiber (MMF) cards. Why not install one? They’re PCI, right? They’re there.
So is it possible? Yes.
Do we recommend it? No. Certainly not for most applications.
Cisco NICs are rumored to use various industry chipsets, Intel’s included. While there have been success stories using Intel NICs within a 515E chassis with few issues, we still don’t recommend it. While the chipsets may be Intel, the MAC addresses of authentic NICs will surely belong to Cisco’s range, and who knows how picky the PIX software will be about conversing with non-Cisco MAC addresses. Some applications do filtering based on MAC addresses. Additionally, there are prevalent rumors that PIX NICs have been modified to disable promiscuous mode and that they contain proprietary firmware chips needed to use some of the more advanced PIX features.
Cisco may or may not support you if they determine that you’re using custom hardware in their devices. Certainly they aren’t obligated to. Using non-Cisco components within your Cisco device is probably grounds to void the warranty. It is primarily for this reason that using non-Cisco hardware isn’t endorsed. For most business customers we recommend you plunk down the extra cash and purchase supported hardware from your preferred channel partner (or direct from Cisco as the case may be), especially if the device is part of your active infrastructure. While painful in the short-term, those extra dollars will be well invested for the long-term.
Now if you have a few thousand dollars to fling around, or just acquired a stack of firewalls that fell off the back of a truck somewhere, or already have a voided warranty, give it a shot in your lab. Chances are that if the PIX OS recognizes the card, you’ll be good to go. The results might even be good.