[Info] Inspection & performance

Author	All Replies
Sailing_Nut join:2006-11-07 Annapolis, MD	[Info] Inspection & performance Hi, I'm trying to boost my router's performance and I had a question on how much the IP inspection affecte performance and secondly how useful it is. Here is the inspection section from my config: ip cef ip inspect log drop-pkt ip inspect name SDM_LOW cuseeme ip inspect name SDM_LOW dns ip inspect name SDM_LOW ftp ip inspect name SDM_LOW h323 ip inspect name SDM_LOW icmp ip inspect name SDM_LOW imap ip inspect name SDM_LOW pop3 ip inspect name SDM_LOW rcmd ip inspect name SDM_LOW realaudio ip inspect name SDM_LOW rtsp ip inspect name SDM_LOW esmtp ip inspect name SDM_LOW sqlnet ip inspect name SDM_LOW streamworks ip inspect name SDM_LOW tftp ip inspect name SDM_LOW tcp ip inspect name SDM_LOW udp ip inspect name SDM_LOW vdolive no ip bootp server
	to forum · permalink · · 2008-07-02 13:15:16 ·
Sailing_Nut join:2006-11-07 Annapolis, MD	Should have specified that I'm using an 851w router.
	to forum · permalink · · 2008-07-02 13:16:00 ·
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs: Host: Linksys AT&T Midwest	reply to Sailing_Nut And you do have it configured on an interface to actually inspect? Assuming that is the case, you will definitely see a performance hit for doing inspection. It is different on each platform and based on the amount of traffic being passed. Best thing to do is monitor performance for a period of time with it on and then disable it on the interface and monitor for any differences in utilization. It would not be unexpected to see a 10-20% overhead or more in performance from inspection. -- Scott, CCIE #14618 Routing & Switching Ignorance is temporary...stupidity lasts forever! »www.thewaystation.com/techref/tech.shtml »blog.thewaystation.com/
	to forum · permalink · · 2008-07-02 17:29:27 ·
Sailing_Nut join:2006-11-07 Annapolis, MD	The biggest question I have (and didn't actually ask) is "does it affect performance to have inspection turned on for applications that I don't use." Oh, I do have it set to "ip inspect SDM_LOW out" on my WAN interface. Thanks!
	to forum · permalink · · 2008-07-02 21:07:57 ·
aryoba Premium,MVM join:2002-08-22	Is there any other ip inspect command applied anywhere? I know some people apply ip inspect command on multiple interfaces or on the same interface with "in" and "out" simultaneously. How about any ACL applied to any interface? If there is ACL on any interface, then it should match with the respective ip inspect command. When they don't match, then there will be performance issue on certain or all applications. As how useful there are, it depends on how you configure the CBAC security as a whole. When you configure them properly, then you will have some decent security on your servers and the rest of machines within your network seamlessly without affecting performance.
	to forum · permalink · · 2008-07-05 04:53:10 ·
Sailing_Nut join:2006-11-07 Annapolis, MD	I have cleaned tings up in my router but if anything I seem to be experiencing reduced performance. Si, I guess the best thing would be for me to post my entire config. and hope some of the smart folks here can spot a problem. Current configuration : 9341 bytes ! version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers no service dhcp ! hostname Cisco851W ! boot-start-marker boot-end-marker ! logging buffered 51200 logging console critical enable secret 5 $1$M30K$1A3NfHGhUOITkYS3.kHIc1 ! aaa new-model ! ! aaa authentication login default local aaa authentication login sdm_vpn_xauth_ml_1 local aaa authorization exec default local aaa authorization network sdm_vpn_group_ml_1 local ! ! aaa session-id common clock timezone PCTime -5 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 ! ! crypto pki trustpoint TP-self-signed-2835392884 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2835392884 revocation-check none rsakeypair TP-self-signed-2835392884 ! ! crypto pki certificate chain TP-self-signed-2835392884 certificate self-signed 01 *********** quit ! dot11 ssid wtbhome vlan 1 authentication open authentication key-management wpa wpa-psk ascii 7 ******************** ! dot11 ssid wtbhome guest-mode ! no ip source-route no ip dhcp use vrf connected ip dhcp excluded-address 10.10.10.1 ! ip dhcp pool sdm-pool import all network 10.10.10.0 255.255.255.248 default-router 10.10.10.1 lease 0 2 ! ! ip cef ip inspect log drop-pkt ip inspect name SDM_LOW cuseeme ip inspect name SDM_LOW dns ip inspect name SDM_LOW ftp ip inspect name SDM_LOW h323 ip inspect name SDM_LOW icmp ip inspect name SDM_LOW imap ip inspect name SDM_LOW pop3 ip inspect name SDM_LOW rcmd ip inspect name SDM_LOW realaudio ip inspect name SDM_LOW rtsp ip inspect name SDM_LOW esmtp ip inspect name SDM_LOW sqlnet ip inspect name SDM_LOW streamworks ip inspect name SDM_LOW tftp ip inspect name SDM_LOW tcp ip inspect name SDM_LOW udp ip inspect name SDM_LOW vdolive no ip bootp server ip domain name wtbhome.net ip ddns update method myupdate HTTP add http://tim%40theborlands.us:2and2is5%40dynupdate.no-ip.com/nic/update%3Fhostname=borland.no-ip.info ! ! appfw policy-name SDM_MEDIUM application http strict-http action allow alarm port-misuse p2p action reset alarm port-misuse tunneling action allow alarm ! ! ! username tborland privilege 15 secret 5 *************************** username timvpn password 7 *********************** archive log config hidekeys ! ! ip tcp synwait-time 10 ip ssh time-out 60 ip ssh authentication-retries 2 ! bridge irb ! ! interface Null0 no ip unreachables ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 description Outside WAN$FW_OUTSIDE$ mac-address 0018.012f.0a95 ip ddns update hostname borland.no-ip.info ip ddns update myupdate ip address dhcp client-id FastEthernet4 ip access-group 107 in no ip redirects no ip unreachables no ip proxy-arp ip inspect SDM_LOW out ip nat outside ip virtual-reassembly ip route-cache flow duplex auto speed auto no cdp enable ! interface Dot11Radio0 no ip address no dot11 extension aironet ! encryption mode ciphers tkip ! encryption vlan 1 mode ciphers tkip ! ssid wtbhome ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface Dot11Radio0.1 encapsulation dot1Q 1 native no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface Vlan1 description Internal network no ip address ip nat inside no ip virtual-reassembly ip tcp adjust-mss 1452 bridge-group 1 bridge-group 1 spanning-disabled ! interface BVI1 description Bridge to internal network$FW_INSIDE$ ip address 192.168.0.1 255.255.255.0 ip access-group 106 in no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ! ip local pool SDM_POOL_1 192.168.0.5 192.168.0.10 ip local pool vpnpool 192.168.1.1 192.168.1.10 ip route 0.0.0.0 0.0.0.0 FastEthernet4 ! ip http server ip http access-class 2 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip nat inside source list 1 interface FastEthernet4 overload ip nat inside source static tcp 192.168.0.2 20 interface FastEthernet4 20 ip nat inside source static tcp 192.168.0.2 21 interface FastEthernet4 21 ip nat inside source static tcp 192.168.0.54 27000 interface FastEthernet4 27000 ip nat inside source list 111 interface FastEthernet4 overload ! access-list 1 remark INSIDE_IF=BVI1 access-list 1 remark SDM_ACL Category=2 access-list 1 permit 192.168.0.0 0.0.0.255 access-list 2 remark HTTP Access-class list access-list 2 remark SDM_ACL Category=1 access-list 2 permit 192.168.0.0 0.0.0.255 access-list 2 deny any access-list 105 remark VTY Access-class list access-list 105 remark SDM_ACL Category=1 access-list 105 permit ip 192.168.0.0 0.0.0.255 any access-list 105 deny ip any any access-list 106 remark auto generated by SDM firewall configuration access-list 106 remark SDM_ACL Category=1 access-list 106 permit udp any host 192.168.0.1 eq non500-isakmp access-list 106 permit udp any host 192.168.0.1 eq isakmp access-list 106 permit esp any host 192.168.0.1 access-list 106 permit ahp any host 192.168.0.1 access-list 106 deny ip host 255.255.255.255 any access-list 106 deny ip 127.0.0.0 0.255.255.255 any access-list 106 permit ip any any access-list 107 remark auto generated by SDM firewall configuration access-list 107 remark SDM_ACL Category=1 access-list 107 permit tcp any any eq 27000 access-list 107 permit tcp any any eq ftp access-list 107 permit tcp any any eq ftp-data access-list 107 deny ip 192.168.0.0 0.0.0.255 any access-list 107 permit udp any eq bootps any eq bootpc access-list 107 permit icmp any any echo-reply access-list 107 permit icmp any any time-exceeded access-list 107 permit icmp any any unreachable access-list 107 deny ip 10.0.0.0 0.255.255.255 any access-list 107 deny ip 172.16.0.0 0.15.255.255 any access-list 107 deny ip 192.168.0.0 0.0.255.255 any access-list 107 deny ip 127.0.0.0 0.255.255.255 any access-list 107 deny ip host 255.255.255.255 any access-list 107 deny ip any any log access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 111 permit ip any any no cdp run ! control-plane ! bridge 1 protocol ieee bridge 1 route ip banner login ^C ----------------------------------------------------------------------- Cisco Router and Security Device Manager (SDM) is installed on this device. This feature requires the one-time use of the username "cisco" with the password "cisco". The default username and password have a privilege level of 15. Please change these publicly known initial credentials using SDM or the IOS CLI. Here are the Cisco IOS commands. username <myuser> privilege 15 secret 0 <mypassword> no username cisco Replace <myuser> and <mypassword> with the username and password you want to use. For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm ----------------------------------------------------------------------- ^C ! line con 0 no modem enable transport output telnet line aux 0 transport output telnet line vty 0 4 access-class 105 in privilege level 15 transport input telnet ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 end
	to forum · permalink · · 2008-07-06 22:15:42 ·
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs: Host: Linksys AT&T Midwest	Nothing jumps out at me as a glaring issue with your config. What version and feature set of 12.4 IOS are you running? 12.4 is known to have lots of "issues". I personally downgraded one of my own routers to mainline 12.3 to avoid the pain and suffering. I wouldn't call 12.4 anywhere near prime time for deployment. It shouldn't ever hurt to play with new code at home, but in my case it did.
	to forum · permalink · · 2008-07-06 23:59:20 ·
Sailing_Nut join:2006-11-07 Annapolis, MD	I'm running 12.4(15)T1 on my router. I'm stretching my memory a bit, but I think I needed to step up to this version because of a feature I'm using, but I can't 100% remember. Either that or the Cisco people tol me I needed to move up to it to solve a problem I was seeing.
	to forum · permalink · · 2008-07-07 09:13:19 ·
aryoba Premium,MVM join:2002-08-22	I recall sometime ago you had problem with your DNS server. I don't see the DNS-server-related router configuration anywhere. Therefore I'm not sure if you solve the DNS issue or not.
	to forum · permalink · · 2008-07-07 10:27:29 ·
Sailing_Nut join:2006-11-07 Annapolis, MD	WOW! You have a way better memory than I do! I think I might be having some DNS problems now. (I'll go back and look for the solution.) I do know that I'm having lots of problems with web traffic. A while ago I opened a ticket with Cisco & sent them Wire Shark captures. They said it was a problem with my using inspection and that my ISP (Verizon FiOS)was sending lots of out of order packets and that was causing the inspection to puke.
	to forum · permalink · · 2008-07-07 10:50:51 ·
aryoba Premium,MVM join:2002-08-22	Without looking at your traffic inspection packet capture, I'm thinking that you may need to punch in line on your ACL 107 and set static PAT for your DNS server performance just like you set one for your FTP server. A lot of time such setup solves a lot of problem. Btw, what was the web traffic issue anyway?
	to forum · permalink · · 2008-07-07 11:08:30 ·
Sailing_Nut join:2006-11-07 Annapolis, MD	Hmmmmm. I didn't think I would need an entry since my DNS server is only a private one and does not have any DNS "duties" that are inbound from the Internet. My web issues are that sites load slowly or not at all. If a site doesn't load if I refresh in IE it will load very quickly. Sometimes it takes several tries of refreshing to get a site to load. One other question I just came up with in looking over my config is that I have "ip domain name wtbhome.net" This is not really a public domain name, it is just what I use internally on my network. Could this cause problems?
	to forum · permalink · · 2008-07-07 11:17:18 ·


Sunday, 07-Sep 21:09:30	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 9 years online! © 1999-2008 dslreports.com. page compression OFF