 jrpavel3
join:2002-03-16 UK
| [HELP] IOS IPS -- Is the performance hit worth it?
I am running an 877W with IOS 12.4(9)T3 (and I have also tried 12.4(11)T1).
DSL throughput with IPS is halved (900k/s instead of 1.7M/s) using the 128Mb.sdf
Is this normal?
I have an extensive ACL/firewall and NAT.
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 fragment maximum 250 timeout 1
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 isakmp
ip inspect name DEFAULT100 ipsec-msft
ip inspect name DEFAULT100 l2tp
ip inspect name DEFAULT100 pptp

access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host <my ip address> eq www
access-list 101 permit esp any host <my ip address>
access-list 101 permit udp any host <my ip address> eq isakmp
access-list 101 permit udp any host <my ip address> eq non500-isakmp
access-list 101 permit udp any host <my ip address> eq 5005
access-list 101 permit udp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 554
access-list 101 permit tcp any host <my ip address> eq 3389
access-list 101 permit tcp any host <my ip address> eq 1723
access-list 101 permit gre any host <my ip address> log
access-list 101 permit tcp any host <my ip address> eq 4125
access-list 101 permit tcp any host <my ip address> eq 444
access-list 101 permit tcp any host <my ip address> eq 443
access-list 101 permit tcp any host <my ip address> eq smtp
access-list 101 permit icmp any host <my ip address> echo-reply
access-list 101 permit icmp any host <my ip address> time-exceeded
access-list 101 permit icmp any host <my ip address> unreachable
access-list 101 remark Auto generated by SDM for NTP (123) 0.uk.pool.ntp.org
access-list 101 permit udp host 213.2.4.80 eq ntp host <my ip address> eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.190.230.66
access-list 101 permit udp host 193.190.230.66 eq ntp host <my ip address> eq ntp
access-list 101 deny icmp any any redirect log
access-list 101 deny ip any any log

Could anyone suggest any strategies for optimizing my setup? Should I just dump IPS? |
|
 tdoran Premium join:2003-09-27 Ridge, NY
| You do not have IOS IPS enabled in the configuration example provided; you do have the Cisco SDM Express firewall enabled, and the "inspect" statements (if there are too many) can slow things down. The only relation between the Cisco SDM Express firewall and IOS IPS is that they both share and use a lot of "core" CBAC code deep within the IOS.
Also, you seem to have configured via SDM Express; try upgrading to the full SDM. A new SDM, version 2.4, is coming later this week.
Tim |
|
 jrpavel3
join:2002-03-16 UK
| Thanks.
I have only posted an extract. I have:
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
I used Express for the initial setup, but the rest has been modified by hand/SDM.
I realise that IPS and CBAC are different functions, but it seems that I can't have everything without maxing out the CPU and limiting performance.
I also have "ip verify unicast reverse-path", but it is not clear whether that means I can drop the spoofing ACL entries, e.g.
Looking forward to 2.4 -- SDM is a pretty good tool. But IPS5 seems to be even more resource hungry than IPS4, so the benefits may be limited. The Cisco web site claims that 12.4(11)T is 30% more CPU-hungry than 12.4(9)T. |
|
aryoba Premium,MVM join:2002-08-22 | The increased CPU and memory utilization might or might not be worth it, depending on what your objective is here.
To have a better understanding and avoid misunderstandings, can you post the full configuration of the router? |
|
 jrpavel3
join:2002-03-16 UK
| Here it is:
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sat 24-Mar-07 03:56 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE

router uptime is 1 day, 2 hours, 50 minutes
System returned to ROM by reload at 20:58:42 BST Fri Mar 30 2007
System restarted at 20:59:33 BST Fri Mar 30 2007
System image file is "flash:c870-advipservicesk9-mz.124-9.T3.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
Cisco 877W (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ1042406V
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
36864K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x3922
------------------ show running-config ------------------
Building configuration...
Current configuration : 20774 bytes
!
! Last configuration change at 22:18:24 BST Sat Mar 31 2007 by xxx
! NVRAM config last updated at 19:54:10 BST Sat Mar 31 2007 by xxx
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-9.T3.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa authorization network sdm_vpn_group_ml_1 group radius
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius
!
aaa session-id common
!
resource policy
!
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
ip icmp rate-limit unreachable 100
ip icmp rate-limit unreachable DF 1
ip cef
!
!
!
!
ip tcp ecn
ip tcp selective-ack
ip tcp window-size 65537
ip tcp synwait-time 10
no ip bootp server
ip domain name Company.local
ip name-server 192.168.<x>.<server>
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect tcp reassembly queue length 64
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 fragment maximum 250 timeout 1
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 isakmp
ip inspect name DEFAULT100 ipsec-msft
ip inspect name DEFAULT100 l2tp
ip inspect name DEFAULT100 pptp
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
ip dhcp-server 192.168.<x>.<server>
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel receive-window 256
!
!
appfw policy-name DEFAULT100
  application http
    strict-http action allow alarm
    port-misuse tunneling action allow alarm
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-3534083426
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3534083426
 revocation-check none
 rsakeypair TP-self-signed-3534083426
!
crypto pki trustpoint titan
 enrollment mode ra
 enrollment url http://192.168.<x>.<server>:80/certsrv/mscep/mscep.dll
 usage ike
 password <removed>
 subject-name CN=Me,O=Company
 revocation-check crl none
!
!
crypto pki certificate chain TP-self-signed-3534083426
 certificate self-signed 01
  <removed>
  quit
crypto pki certificate chain titan
 certificate <removed>
  quit
 certificate ca <removed>
  quit
no crypto engine onboard 0
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
username xxx privilege 15 secret 5 <removed>
!
!
!
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 900
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 900
crypto isakmp key <removed> address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec security-association idle-time 900
!
crypto ipsec transform-set ESP-3DES-SHA-transport esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 description L2TP/IPSec
 set transform-set ESP-3DES-SHA-transport
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description Internet$ES_WAN$$FW_OUTSIDE$
 bandwidth 18147
 ip address <my ip address> 255.255.248.0
 ip access-group 101 in
 ip verify unicast reverse-path 103
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1500
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no snmp trap link-status
 atm route-bridged ip
 atm route-bridged ipv6
 pvc BeUnlimited 0/101
  oam-pvc manage
  encapsulation aal5snap
 !
 ipv6 enable
 ipv6 nd ra suppress
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 description L2TP
 ip unnumbered BVI1
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1360
 peer default ip address dhcp
 ppp mtu adaptive
 ppp authentication eap ms-chap-v2
 ppp ipcp header-compression ack
 ppp ipcp username unique
 ppp timeout idle 600 either
!
interface Dot11Radio0
 description Wireless interface
 no ip address
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 countermeasure tkip hold-time 5
 !
 encryption mode ciphers tkip
 !
 ssid Wireless
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii <removed>
 !
 world-mode dot11d country GB indoor
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description LAN$ES_LAN$$FW_INSIDE$
 ip address 192.168.<x>.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 <gateway>
!
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 36000
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static udp 192.168.<x>.<server> 5005 interface ATM0.1 5005
ip nat inside source static udp 192.168.<x>.<server> 1755 interface ATM0.1 1755
ip nat inside source static tcp 192.168.<x>.<server> 1755 interface ATM0.1 1755
ip nat inside source static tcp 192.168.<x>.<server> 554 interface ATM0.1 554
ip nat inside source static tcp 192.168.<x>.<server> 3389 interface ATM0.1 3389
ip nat inside source static tcp 192.168.<x>.<server> 1723 interface ATM0.1 1723
ip nat inside source static tcp 192.168.<x>.<server> 4125 interface ATM0.1 4125
ip nat inside source static tcp 192.168.<x>.<server> 444 interface ATM0.1 444
ip nat inside source static tcp 192.168.<x>.<server> 443 interface ATM0.1 443
ip nat inside source static tcp 192.168.<x>.<server> 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.<x>.<server> 80 interface ATM0.1 80
!
logging trap debugging
logging 192.168.<x>.<server>
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.<x>.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.<x>.<server> eq 1645 host 192.168.<x>.1
access-list 100 permit udp host 192.168.<x>.<server> eq 1646 host 192.168.<x>.1
access-list 100 deny ip 87.194.32.0 0.0.7.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit gre any any log
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host <my ip address> eq www
access-list 101 permit esp any host <my ip address>
access-list 101 permit udp any host <my ip address> eq isakmp
access-list 101 permit udp any host <my ip address> eq non500-isakmp
access-list 101 permit udp any host <my ip address> eq 5005
access-list 101 permit udp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 554
access-list 101 permit tcp any host <my ip address> eq 3389
access-list 101 permit tcp any host <my ip address> eq 1723
access-list 101 permit gre any host <my ip address> log
access-list 101 permit tcp any host <my ip address> eq 4125
access-list 101 permit tcp any host <my ip address> eq 444
access-list 101 permit tcp any host <my ip address> eq 443
access-list 101 permit tcp any host <my ip address> eq smtp
access-list 101 permit icmp any host <my ip address> echo-reply
access-list 101 permit icmp any host <my ip address> time-exceeded
access-list 101 permit icmp any host <my ip address> unreachable
access-list 101 remark Auto generated by SDM for NTP (123) 0.uk.pool.ntp.org
access-list 101 permit udp host 213.2.4.80 eq ntp host <my ip address> eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.190.230.66
access-list 101 permit udp host 193.190.230.66 eq ntp host <my ip address> eq ntp
access-list 101 deny icmp any any redirect log
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.<x>.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark Log any unicast reverse path packets
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Deny any packets that fail unicast reverse path
access-list 103 deny ip any any log
snmp-server community <removed> RW
snmp-server community <removed> RO
no cdp run
!
!
!
radius-server host 192.168.<x>.<server> auth-port 1645 acct-port 1646 key 7 <removed>
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
 speed 115200
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp clock-period 17175097
ntp source BVI1
ntp server 193.190.230.66 source ATM0.1
ntp server 213.2.4.80 source ATM0.1
!
webvpn install svc flash:/webvpn/svc.pkg
end |
|
 tdoran Premium join:2003-09-27 Ridge, NY
| reply to jrpavel3
said by jrpavel3: Thanks. But IPS5 seems to be even more resource hungry than IPS4, so the benefits may be limited.
That is not a true fact: IOS IPS v5 is much less resource hungry than IOS IPS v4, especially if many signatures are enabled.
However, the most current IOS images that support IOS IPS v5 have resource issues that are not related to IOS IPS v5.
A Pi6-type IOS image was to be available in late Feb. 2007; now it will be late May to June, and it may offer some major improvements. Also, the IOS Pi6 images will enable additional IOS IPS engines that are not now available to the public.
If you have a SMARTNET support agreement (and you really should), open a TAC case on this, and the TAC engineer will help you "balance" resources until the new images are available. All CBAC, FW, IOS IPS and similar statements, along with some BUFFER adjustments, will have to be made at the IOS CLI by the TAC engineer to reduce resource load.
I have been working with "test builds" of Pi6 for months.
Tim |
|
 jrpavel3
join:2002-03-16 UK
| Thanks Tim. Will do.
I hope that the improvements will extend to the 877.
I suspect that since disabling IPS makes such a dramatic difference, it is probably going to be a matter of waiting for IPS6 -- and an SDM to go with it.
I thought that I would just check that my ACLs, etc, were not being overzealous. |
|
 tdoran Premium join:2003-09-27 Ridge, NY
| said by jrpavel3: Thanks Tim. Will do. I hope that the improvements will extend to the 877.
All C870s have had some issues with the last few Pi5 and Pi6 IOS images; Cisco is very well aware of this.
said by jrpavel3: I suspect that since disabling IPS makes such a dramatic difference, it is probably going to be a matter of waiting for IPS6 -- and an SDM to go with it.
Again, IOS IPS should not make a major impact, especially IOS IPS v5, since it is "lighter" than IOS IPS v4. IOS IPS v5 uses a form of dynamic loading, thus not consuming as many resources.
However, there are at least two current IOS images out for the C870s: one is Pi5 based, the other is Pi6 based (you can search on CCO if you want to know more about the differences between the two tracks in detail). Both Pi5 and Pi6 were to be "merged", but that has been "delayed".
said by jrpavel3: I thought that I would just check that my ACLs, etc, were not being overzealous.
With any of the last few IOS images, Pi5 or Pi6 track, on the C870s, resources have been an issue.
Tim |
|
  godric
@co.uk
| Tim, thanks. I tried 12.4(11)T1 (with only the ios_basic sigs) and 12.4(9)T3 (with the 128Mb sigs, less the Unix sigs). IPS in either of those seems to halve throughput and max out the CPU. There is also a significant increase in memory usage.
Can you point me at a Pi6 image? I could not see other than the two images above.
Thanks. |
|
 tdoran Premium join:2003-09-27 Ridge, NY
| said by godric: Can you point me at a Pi6 image? I could not see other than the two images above.
Most are "TEST", "ENGINEERING", or "SPECIAL BUILD", not in the "normal" public distribution method. If you have a SMARTNET (and you really should), open up a TAC case; they will place one out there for you to grab.
Tim |
|
 jrpavel3
join:2002-03-16 UK
| Well, I am still not much further forward, even with 12.4(11)T2.
The CPU is still maxed out downloading at roughly 1MB/s.
What I had not noticed before was that it is interrupts, rather than processes, that are sapping the CPU. E.g., the CPU is at 95%, with 89% accounted for by interrupts.
CPU utilization for five seconds: 95%/89%; one minute: 41%; five minutes: 12%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   4     2232292    112872      19777  2.83%  1.26%  1.23%   0 Check heaps
  41     1101908    828463       1330  1.02%  0.99%  0.64%   0 COLLECT STAT COU
  77       50776      6442       7882  0.48%  0.10%  0.02%   2 Virtual Exec
  79      122432    136100        899  0.16%  0.13%  0.08%   0 IP Input
  47       28804   2023517         14  0.16%  0.03%  0.00%   0 Dot11 driver
 211       21964    146202        150  0.16%  0.04%  0.01%   0 HyBridge Input P
   2        9992     33229        300  0.08%  0.01%  0.00%   0 Load Meter
 207       16004   5152782          3  0.08%  0.02%  0.00%   0 PPP manager
 213       10588    257205         41  0.08%  0.01%  0.00%   0 Spanning Tree
 111        2224     82940         26  0.08%  0.00%  0.00%   0 ILMI Timer Proce
I had expected the problem to be the CPU spending its time matching incoming traffic to the IPS signatures, but clearly something else is going on.
Does anyone have any pointers as to how to track this down? |
|
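An added example, not part of the thread, for reading the "show processes cpu" figures quoted above: it splits the 95%/89% header into total, interrupt-level and process-level load (in IOS the second number is time spent at interrupt level, i.e. fast-path packet switching and the features applied there, which the process table cannot account for), ranks the listed processes, and diffs two snapshots the way a with/without-IPS comparison would. The SAMPLE rows are the poster's figures with the layout restored; the BASELINE snapshot is constructed for illustration, not measured on any router.

```python
"""Parse Cisco IOS 'show processes cpu' output and separate interrupt-level
from process-level load, as in the 877W figures quoted in this thread."""
import re

# Header and first five process rows as posted in the thread (poster's figures).
SAMPLE = """\
CPU utilization for five seconds: 95%/89%; one minute: 41%; five minutes: 12%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   4     2232292    112872      19777  2.83%  1.26%  1.23%   0 Check heaps
  41     1101908    828463       1330  1.02%  0.99%  0.64%   0 COLLECT STAT COU
  77       50776      6442       7882  0.48%  0.10%  0.02%   2 Virtual Exec
  79      122432    136100        899  0.16%  0.13%  0.08%   0 IP Input
  47       28804   2023517         14  0.16%  0.03%  0.00%   0 Dot11 driver
"""

# Hypothetical snapshot with the IPS rule removed (constructed, not measured).
BASELINE = """\
CPU utilization for five seconds: 40%/10%; one minute: 35%; five minutes: 30%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  79      122432    136100        899 25.10%  3.90%  3.50%   0 IP Input
"""

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%")
# PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process (name may contain spaces)
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$")


def parse_cpu(text):
    """Return totals plus per-process rows. In the header 'A%/B%', A is total CPU
    and B the share spent at interrupt level; A - B is what the process table explains."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    total, interrupt, one_min, five_min = (int(g) for g in m.groups())
    procs = []
    for line in text.splitlines():
        pm = PROC_RE.match(line)
        if pm:
            procs.append({"pid": int(pm.group(1)), "name": pm.group(9),
                          "five_sec": float(pm.group(5)), "one_min": float(pm.group(6))})
    return {"total": total, "interrupt": interrupt, "process": total - interrupt,
            "one_min": one_min, "five_min": five_min, "procs": procs}


def top_processes(snapshot, n=3):
    """Names of the n busiest processes over the last five seconds."""
    ranked = sorted(snapshot["procs"], key=lambda p: p["five_sec"], reverse=True)
    return [p["name"] for p in ranked[:n]]


def classify(snapshot, interrupt_share=0.5):
    """'interrupt-level' when most of the load sits in the interrupt figure (the
    process table will not show the culprit); otherwise 'process-level'."""
    if snapshot["total"] == 0:
        return "idle"
    if snapshot["interrupt"] / snapshot["total"] >= interrupt_share:
        return "interrupt-level"
    return "process-level"


def compare(with_feature, without_feature):
    """Deltas between two snapshots, e.g. with and without an IPS rule applied."""
    return {k: with_feature[k] - without_feature[k]
            for k in ("total", "interrupt", "process")}


if __name__ == "__main__":
    snap = parse_cpu(SAMPLE)
    print(classify(snap), snap["process"], top_processes(snap))
    print(compare(snap, parse_cpu(BASELINE)))
```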
 TROLL131313
join:2004-12-21 Horsham, PA
| reply to jrpavel3 This might help:
»www.cisco.com/warp/public/63/sho···cpu.html
It gives a good breakdown of the process commands that are running.
What do your processes look like without IPS on? |
|
  NoPI6Yet
@cox.net
| reply to tdoran
quote: However, there are at least two current IOS images out for the C870's, one is Pi5 based, the other is Pi6 based
I wouldn't call Pi6 out: it has not been released yet. 12.4(11)T is Pi5. Not sure what the number for Pi6 will be when it is released.
quote: Both Pi5 and Pi6 were to be "merged", but that has been "delayed".
This makes no sense. Pi5 and Pi6 are different releases of 12.4T. Pi6 is Pi5 plus additional features (and bug fixes), just like Pi5 is Pi4 (12.4(9)T) plus additional features and bug fixes. "Merged" has no meaning. |
|