Re: [HELP] IOS IPS -- Is the performance hit worth it? in Cisco http://www.dslreports.com/forum/r18328248 en Wed, 11 Nov 2009 07:33:44 EDT Wed, 11 Nov 2009 07:33:44 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18329270 anon :
quote:
However, ther are at least two current IOS images out for the C870's, one is Pi5 based, the other is Pi6 based
I wouldn't call pi6 out - it has not been released yet. 12.4(11)T is pi5. Not sure what the number for pi6 will be when it is released.
quote:
Both Pi5 and Pi6 were to be "merged", but that has been "delayed".
This makes no sense. Pi5 and pi6 are different release of 12.4T. Pi6 is pi5 plus additional features (and bug fixes) just like pi5 is pi4 (12.4(9)T) plus additional features and bug fixes. "Merged" has no meaning.]]> http://www.dslreports.com/forum/remark,18329270 Sun, 13 May 2007 21:18:29 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18329019 TROLL131313 : This might help......

»www.cisco.com/warp/public/63/sho···cpu.html

It gives a good brake down of the processes commands that are running.

What do your processes look like with out IPS on?]]> http://www.dslreports.com/forum/remark,18329019 Sun, 13 May 2007 20:24:12 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18328248 jrpavel3 : Well I am still not much further forward even with 12.4(11)T2.

The CPU is still maxed out downloading at roughly 1MB/s.

What I had not noticed before was that it is interrupts and not cpu that is sapping the cpu. Eg, the cpus is at 95%, with 89% accounted for by interrupts.

CPU utilization for five seconds: 95%/89%; one minute: 41%; five minutes: 12%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  4     2232292    112872      19777  2.83%  1.26%  1.23%   0 Check heaps
 41     1101908    828463       1330  1.02%  0.99%  0.64%   0 COLLECT STAT COU
 77       50776      6442       7882  0.48%  0.10%  0.02%   2 Virtual Exec
 79      122432    136100        899  0.16%  0.13%  0.08%   0 IP Input
 47       28804   2023517         14  0.16%  0.03%  0.00%   0 Dot11 driver
211       21964    146202        150  0.16%  0.04%  0.01%   0 HyBridge Input P
  2        9992     33229        300  0.08%  0.01%  0.00%   0 Load Meter
207       16004   5152782          3  0.08%  0.02%  0.00%   0 PPP manager
213       10588    257205         41  0.08%  0.01%  0.00%   0 Spanning Tree
111        2224     82940         26  0.08%  0.00%  0.00%   0 ILMI Timer Proce

I had expected the problem to be the cpu spending its time matching incoming traffic to the IPS signatures, but clearly something else is going on.

Does anyone have any pointers as to how to track this down?
]]> http://www.dslreports.com/forum/remark,18328248 Sun, 13 May 2007 17:17:03 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18099789 tdoran :
said by godric :

Can you point me at a Pi6 image? I could not see other than the two images above.
Most are "TEST", "ENGINEERING", or "SPECIAL BUILD", not in the "normal" public distribution method. If you have a SMARTNET (and you really should) open up a TAC case, they will place one out there for you to grab.

Tim]]> http://www.dslreports.com/forum/remark,18099789 Sun, 01 Apr 2007 14:45:55 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18099541 anon : Tim, Thanks. I tried 12.4(11)T1 (and only the ios_basic sigs) and 12.4(9)T3 (and the 128Mb sigs, less the Unix sigs). IPS in either of those seems to halve throughput and max out the cpu. There is also a significant increase in memory usage.

Can you point me at a Pi6 image? I could not see other than the two images above.

Thanks.]]> http://www.dslreports.com/forum/remark,18099541 Sun, 01 Apr 2007 13:45:02 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18098203 tdoran :
said by jrpavel3 See Profile :

Thanks Tim. Will do.
I hope that the improvements will extend to the 877.
All C870's have had some issues with thelast few Pi5 and Pi6 IOS images, Cisco is very well aware of this.

said by jrpavel3 See Profile :

I suspect that since disabling IPS makes such a dramatic difference, it is probably going to be a matter of waiting for IPS6 -- and an SDM to go with it.
Again, IOS IPS should not make a major impact, especially IOS IPS v5, since it is "lighter" than IOS IPS v4. IOS IPS v5 uses a form of dynamic loading, thus not consuming as many resources.

However, ther are at least two current IOS images out for the C870's, one is Pi5 based, the other is Pi6 based (you can search on CCO if you want to know more of what the differences between the two tracks are in detail). Both Pi5 and Pi6 were to be "merged", but that has been "delayed".

said by jrpavel3 See Profile :

I thought that I would just check that my ACLs, etc, were not being overzealous.
With any of the last few IOS images, Pi5 or Pi6 track on the C870's, resources has been an issue.

Tim]]> http://www.dslreports.com/forum/remark,18098203 Sun, 01 Apr 2007 08:52:06 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18097973 jrpavel3 : Thanks Tim. Will do.

I hope that the improvements will extend to the 877.

I suspect that since disabling IPS makes such a dramatic difference, it is probably going to be a matter of waiting for IPS6 -- and an SDM to go with it.

I thought that I would just check that my ACLs, etc, were not being overzealous.]]> http://www.dslreports.com/forum/remark,18097973 Sun, 01 Apr 2007 06:24:47 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18096812 tdoran :
said by jrpavel3 See Profile :

Thanks.
But IPS5 seems to be even more resource hungry than IPS4, so the benefits may be limited.
That is not a true fact IOS IPS v5 is much less than IOS IPS v5, especially if many signatures are enabled.

However, the most current IOS images that support IOS IPS v5 have resource issue that are not related to IOS IPS v5.

A Pi6 type IOS image was to be available in late Feb. 2007, now it will be late May - June may offer some major improvements. Also the IOS Pi6 images will enable additional IOS IPS engines that are not now available to the public.

If you have a SMARTNET support agreement (and you really should), open a TAC case on this, and the TAC engineer will help you "balance" resources" until the new images are available. All CBAC, FW, IOS IPS and similar statements along with some BUFFER adjustments will have to be made at the IOS CLI by the TAC engineer to reduce resource load.

I have been working "test builds" of a Pi6 build for months.

Tim]]> http://www.dslreports.com/forum/remark,18096812 Sat, 31 Mar 2007 22:11:08 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18095805 jrpavel3 : Here it is:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sat 24-Mar-07 03:56 by prod_rel_team
 
ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE
 
router uptime is 1 day, 2 hours, 50 minutes
System returned to ROM by reload at 20:58:42 BST Fri Mar 30 2007
System restarted at 20:59:33 BST Fri Mar 30 2007
System image file is "flash:c870-advipservicesk9-mz.124-9.T3.bin"
Last reload reason: Reload Command
 
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
 
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
 
If you require further assistance please contact us by sending email to
export@cisco.com.
 
Cisco 877W (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ1042406V
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
36864K bytes of processor board System flash (Intel Strataflash)
 
Configuration register is 0x3922
 
------------------ show running-config ------------------
 
Building configuration...
 
Current configuration : 20774 bytes
!
! Last configuration change at 22:18:24 BST Sat Mar 31 2007 by xxx
! NVRAM config last updated at 19:54:10 BST Sat Mar 31 2007 by xxx
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-9.T3.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local 
aaa authorization network default group radius 
aaa authorization network sdm_vpn_group_ml_1 group radius 
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius
!
aaa session-id common
!
resource policy
!
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
ip icmp rate-limit unreachable 100
ip icmp rate-limit unreachable DF 1
ip cef
!
!
!
!
ip tcp ecn
ip tcp selective-ack
ip tcp window-size 65537
ip tcp synwait-time 10
no ip bootp server
ip domain name Company.local
ip name-server 192.168.<x>.<server>
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect tcp reassembly queue length 64
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 fragment maximum 250 timeout 1
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 isakmp
ip inspect name DEFAULT100 ipsec-msft
ip inspect name DEFAULT100 l2tp
ip inspect name DEFAULT100 pptp
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
ip dhcp-server 192.168.<x>.<server>
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel receive-window 256
!
!
appfw policy-name DEFAULT100
  application http
    strict-http action allow alarm
    port-misuse tunneling action allow alarm
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-3534083426
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3534083426
 revocation-check none
 rsakeypair TP-self-signed-3534083426
!
crypto pki trustpoint titan
 enrollment mode ra
 enrollment url http://192.168.<x>.<server>:80/certsrv/mscep/mscep.dll
 usage ike
 password <removed>
 subject-name CN=Me,O=Company
 revocation-check crl none
!
!
crypto pki certificate chain TP-self-signed-3534083426
 certificate self-signed 01
  <removed>
  quit
crypto pki certificate chain titan
 certificate <removed>
  quit
 certificate ca <removed>
  quit
no crypto engine onboard 0
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 
   F3020301 0001
  quit
username xxx privilege 15 secret 5 <removed>
!
! 
!
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 900
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 900
crypto isakmp key <removed> address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec security-association idle-time 900
!
crypto ipsec transform-set ESP-3DES-SHA-transport esp-3des esp-sha-hmac 
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 description L2TP/IPSec
 set transform-set ESP-3DES-SHA-transport 
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description Internet$ES_WAN$$FW_OUTSIDE$
 bandwidth 18147
 ip address <my ip address> 255.255.248.0
 ip access-group 101 in
 ip verify unicast reverse-path 103
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1500
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no snmp trap link-status
 atm route-bridged ip
 atm route-bridged ipv6
 pvc BeUnlimited 0/101 
  oam-pvc manage
  encapsulation aal5snap
 !
 ipv6 enable
 ipv6 nd ra suppress
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 
 description L2TP
 ip unnumbered BVI1
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1360
 peer default ip address dhcp
 ppp mtu adaptive
 ppp authentication eap ms-chap-v2
 ppp ipcp header-compression ack
 ppp ipcp username unique
 ppp timeout idle 600 either
!
interface Dot11Radio0
 description Wireless interface
 no ip address
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 countermeasure tkip hold-time 5
 !
 encryption mode ciphers tkip 
 !
 ssid Wireless
    authentication open 
    authentication key-management wpa
    guest-mode
    wpa-psk ascii <removed>
 !
 world-mode dot11d country GB indoor
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description LAN$ES_LAN$$FW_INSIDE$
 ip address 192.168.<x>.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 <gateway>
!
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 36000
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static udp 192.168.<x>.<server> 5005 interface ATM0.1 5005
ip nat inside source static udp 192.168.<x>.<server> 1755 interface ATM0.1 1755
ip nat inside source static tcp 192.168.<x>.<server> 1755 interface ATM0.1 1755
ip nat inside source static tcp 192.168.<x>.<server> 554 interface ATM0.1 554
ip nat inside source static tcp 192.168.<x>.<server> 3389 interface ATM0.1 3389
ip nat inside source static tcp 192.168.<x>.<server> 1723 interface ATM0.1 1723
ip nat inside source static tcp 192.168.<x>.<server> 4125 interface ATM0.1 4125
ip nat inside source static tcp 192.168.<x>.<server> 444 interface ATM0.1 444
ip nat inside source static tcp 192.168.<x>.<server> 443 interface ATM0.1 443
ip nat inside source static tcp 192.168.<x>.<server> 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.<x>.<server> 80 interface ATM0.1 80
!
logging trap debugging
logging 192.168.<x>.<server>
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.<x>.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.<x>.<server> eq 1645 host 192.168.<x>.1
access-list 100 permit udp host 192.168.<x>.<server> eq 1646 host 192.168.<x>.1
access-list 100 deny   ip 87.194.32.0 0.0.7.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit gre any any log
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host <my ip address> eq www
access-list 101 permit esp any host <my ip address>
access-list 101 permit udp any host <my ip address> eq isakmp
access-list 101 permit udp any host <my ip address> eq non500-isakmp
access-list 101 permit udp any host <my ip address> eq 5005
access-list 101 permit udp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 554
access-list 101 permit tcp any host <my ip address> eq 3389
access-list 101 permit tcp any host <my ip address> eq 1723
access-list 101 permit gre any host <my ip address> log
access-list 101 permit tcp any host <my ip address> eq 4125
access-list 101 permit tcp any host <my ip address> eq 444
access-list 101 permit tcp any host <my ip address> eq 443
access-list 101 permit tcp any host <my ip address> eq smtp
access-list 101 permit icmp any host <my ip address> echo-reply
access-list 101 permit icmp any host <my ip address> time-exceeded
access-list 101 permit icmp any host <my ip address> unreachable
access-list 101 remark Auto generated by SDM for NTP (123) 0.uk.pool.ntp.org
access-list 101 permit udp host 213.2.4.80 eq ntp host <my ip address> eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.190.230.66
access-list 101 permit udp host 193.190.230.66 eq ntp host <my ip address> eq ntp
access-list 101 deny   icmp any any redirect log
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.<x>.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark Log any unicast reverse path packets
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Deny any packets that fail unicast reverse path
access-list 103 deny   ip any any log
snmp-server community <removed> RW
snmp-server community <removed> RO
no cdp run
!
!
!
radius-server host 192.168.<x>.<server> auth-port 1645 acct-port 1646 key 7 <removed>
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
 speed 115200
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp clock-period 17175097
ntp source BVI1
ntp server 193.190.230.66 source ATM0.1
ntp server 213.2.4.80 source ATM0.1
!
webvpn install svc flash:/webvpn/svc.pkg
end
]]> http://www.dslreports.com/forum/remark,18095805 Sat, 31 Mar 2007 19:03:08 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18095740 aryoba : The CPU and memory increased utilization might or might not worth it, depends on what your objective here.

To have better understanding and avoid misunderstanding, can you post the full configuration of the router then?]]> http://www.dslreports.com/forum/remark,18095740 Sat, 31 Mar 2007 18:48:16 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18095711 jrpavel3 : Thanks.

I have only posted an extract. I have

ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule

I used Express for initial setup, but the rest has been moded by hand/SDM.

I realise that IPS and CBAC are different functions, but it seems that I can't have everything without maxing out the cpu and limiting performance.

I also have "ip verify unicast reverse-path" but it's not clear whether than means that I can drop the spoofing ACL entries, eg.

Looking forward to 2.4 -- SDM is a pretty good tool. But IPS5 seems to be even more resource hungry than IPS4, so the benefits may be limited. The cisco web site claims that 12.4(11)T is 30% more cpu-hungry than 12.4(9)T.
]]> http://www.dslreports.com/forum/remark,18095711 Sat, 31 Mar 2007 18:41:19 EDT Re: [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18095668 tdoran : You do not have IOS IPS enabled from configuration example provided, you do have Cisco SDM Express firewall enabled, and the "inspect" statements (if too many can slow things down. Only relatation between Cisco SDM Express firewall and IOS IPS is that they both share and use a lot of "core" CBAC code deep within the IOS.

Also you seemed to have configured via SDM Express, try upgrading to the full SDM, new SDM later this week, version 2.4.

Tim]]> http://www.dslreports.com/forum/remark,18095668 Sat, 31 Mar 2007 18:30:47 EDT [HELP] IOS IPS -- Is the performance hit worth it? http://www.dslreports.com/forum/remark,18095478 jrpavel3 : I am running an 877W with IOS 12.4(9)T3 (and I have also tried 12.4(11)T1).

DSL throughput with IPS is halved (900k/s instead of 1.7M/s) using the 128Mb.sdf

Is this normal?

I have an extensive ACL/firewall and NAT.

ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 fragment maximum 250 timeout 1
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 isakmp
ip inspect name DEFAULT100 ipsec-msft
ip inspect name DEFAULT100 l2tp
ip inspect name DEFAULT100 pptp
 
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host <my ip address> eq www
access-list 101 permit esp any host <my ip address>
access-list 101 permit udp any host <my ip address> eq isakmp
access-list 101 permit udp any host <my ip address> eq non500-isakmp
access-list 101 permit udp any host <my ip address> eq 5005
access-list 101 permit udp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 554
access-list 101 permit tcp any host <my ip address> eq 3389
access-list 101 permit tcp any host <my ip address> eq 1723
access-list 101 permit gre any host <my ip address> log
access-list 101 permit tcp any host <my ip address> eq 4125
access-list 101 permit tcp any host <my ip address> eq 444
access-list 101 permit tcp any host <my ip address> eq 443
access-list 101 permit tcp any host <my ip address> eq smtp
access-list 101 permit icmp any host <my ip address> echo-reply
access-list 101 permit icmp any host <my ip address> time-exceeded
access-list 101 permit icmp any host <my ip address> unreachable
access-list 101 remark Auto generated by SDM for NTP (123) 0.uk.pool.ntp.org
access-list 101 permit udp host 213.2.4.80 eq ntp host <my ip address> eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.190.230.66
access-list 101 permit udp host 193.190.230.66 eq ntp host <my ip address> eq ntp
access-list 101 deny   icmp any any redirect log
access-list 101 deny   ip any any log

Could anyone suggest any strategies for optimizing my setup? Should I just dump IPS?
]]> http://www.dslreports.com/forum/remark,18095478 Sat, 31 Mar 2007 17:36:54 EDT