Following are some important considerations to consider while deploying FWSM:
Do not configure multiple SVI interfaces unless absolutely necessary.
Configure Active/Standby on two different chassis to avoid the single point of failure. If both Active and Standby units are in the same chassis, and if the switch fails, then both FWSMs fail.
As the ACL is compiled on Control Plane and downloaded to Slow Network Processor, if you have large ACL, be sure to compile it manually to avoid CPU spikes during busy hours. The default option is Automatic compilation, and if you make a single line change in the ACL, the compilation will occur for every change. Hence, make the changes at once, and load the ACL on the FWSM. After that compile the access-list.
Configure Port Fast for the convergence of the Spanning Tree Protocol change if the STP is configured (this is on by default on all Cisco Switches).
Do not configure syslog to debug level unless you are troubleshooting an issue, as this may cause performance issues on the FWSM. This is because Control Plane has to process all the syslog activities and retrieve the syslog information from different Network Processors (NP).
