Re: [Info] Inspection & performance in Cisco

Re: [Info] Inspection & performance

Mon, 07 Jul 2008 11:17:18 EDT

Sailing_Nut : Hmmmmm. I didn't think I would need an entry since my DNS server is only a private one and does not have any DNS "duties" that are inbound from the Internet.

My web issues are that sites load slowly or not at all. If a site doesn't load if I refresh in IE it will load very quickly. Sometimes it takes several tries of refreshing to get a site to load.

One other question I just came up with in looking over my config is that I have "ip domain name wtbhome.net" This is not really a public domain name, it is just what I use internally on my network. Could this cause problems?

Re: [Info] Inspection & performance

Mon, 07 Jul 2008 11:08:30 EDT

aryoba : Without looking at your traffic inspection packet capture, I'm thinking that you may need to punch in line on your ACL 107 and set static PAT for your DNS server performance just like you set one for your FTP server. A lot of time such setup solves a lot of problem. :D

Btw, what was the web traffic issue anyway? :)

Re: [Info] Inspection & performance

Mon, 07 Jul 2008 10:50:51 EDT

Sailing_Nut : WOW! You have a way better memory than I do!

I think I might be having some DNS problems now. (I'll go back and look for the solution.)

I do know that I'm having lots of problems with web traffic. A while ago I opened a ticket with Cisco & sent them Wire Shark captures. They said it was a problem with my using inspection and that my ISP (Verizon FiOS)was sending lots of out of order packets and that was causing the inspection to puke.

Re: [Info] Inspection & performance

Mon, 07 Jul 2008 10:27:29 EDT

aryoba : I recall sometime ago you had problem with your DNS server. I don't see the DNS-server-related router configuration anywhere. Therefore I'm not sure if you solve the DNS issue or not.

Re: [Info] Inspection & performance

Mon, 07 Jul 2008 09:13:19 EDT

Sailing_Nut : I'm running 12.4(15)T1 on my router.

I'm stretching my memory a bit, but I think I needed to step up to this version because of a feature I'm using, but I can't 100% remember. Either that or the Cisco people tol me I needed to move up to it to solve a problem I was seeing.

Re: [Info] Inspection & performance

Sun, 06 Jul 2008 23:59:20 EDT

rolande : Nothing jumps out at me as a glaring issue with your config. What version and feature set of 12.4 IOS are you running? 12.4 is known to have lots of "issues". I personally downgraded one of my own routers to mainline 12.3 to avoid the pain and suffering. I wouldn't call 12.4 anywhere near prime time for deployment. It shouldn't ever hurt to play with new code at home, but in my case it did. ;)

Re: [Info] Inspection & performance

Sun, 06 Jul 2008 22:15:42 EDT

Sailing_Nut : I have cleaned tings up in my router but if anything I seem to be experiencing reduced performance.

Si, I guess the best thing would be for me to post my entire config. and hope some of the smart folks here can spot a problem.

Current configuration : 9341 bytes!version 12.4no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice sequence-numbersno service dhcp!hostname Cisco851W!boot-start-markerboot-end-marker!logging buffered 51200logging console criticalenable secret 5 $1$M30K$1A3NfHGhUOITkYS3.kHIc1!aaa new-model!!aaa authentication login default localaaa authentication login sdm_vpn_xauth_ml_1 localaaa authorization exec default local aaa authorization network sdm_vpn_group_ml_1 local !!aaa session-id commonclock timezone PCTime -5clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00! !crypto isakmp policy 1 encr 3des authentication pre-share group 2!!crypto pki trustpoint TP-self-signed-2835392884 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2835392884 revocation-check none rsakeypair TP-self-signed-2835392884!!crypto pki certificate chain TP-self-signed-2835392884 certificate self-signed 01*************  quit!dot11 ssid wtbhome   vlan 1   authentication open    authentication key-management wpa   wpa-psk ascii 7 ************************!dot11 ssid wtbhome guest-mode!no ip source-routeno ip dhcp use vrf connectedip dhcp excluded-address 10.10.10.1!ip dhcp pool sdm-pool   import all   network 10.10.10.0 255.255.255.248   default-router 10.10.10.1    lease 0 2!!ip cefip inspect log drop-pktip inspect name SDM_LOW cuseemeip inspect name SDM_LOW dnsip inspect name SDM_LOW ftpip inspect name SDM_LOW h323ip inspect name SDM_LOW icmpip inspect name SDM_LOW imapip inspect name SDM_LOW pop3ip inspect name SDM_LOW rcmdip inspect name SDM_LOW realaudioip inspect name SDM_LOW rtspip inspect name SDM_LOW esmtpip inspect name SDM_LOW sqlnetip inspect name SDM_LOW streamworksip inspect name SDM_LOW tftpip inspect name SDM_LOW tcpip inspect name SDM_LOW udpip inspect name SDM_LOW vdoliveno ip bootp serverip domain name wtbhome.netip ddns update method myupdate HTTP  add http://tim%40theborlands.us:2and2is5%40dynupdate.no-ip.com/nic/update%3Fhostname=borland.no-ip.info!!appfw policy-name SDM_MEDIUM  application http    strict-http action allow alarm    port-misuse p2p action reset alarm    port-misuse tunneling action allow alarm!!!username tborland privilege 15 secret 5 *******************************username timvpn password 7 *************************archive log config  hidekeys!!ip tcp synwait-time 10ip ssh time-out 60ip ssh authentication-retries 2!bridge irb!!interface Null0 no ip unreachables!interface FastEthernet0!interface FastEthernet1!interface FastEthernet2!interface FastEthernet3!interface FastEthernet4 description Outside WAN$FW_OUTSIDE$ mac-address 0018.012f.0a95 ip ddns update hostname borland.no-ip.info ip ddns update myupdate ip address dhcp client-id FastEthernet4 ip access-group 107 in no ip redirects no ip unreachables no ip proxy-arp ip inspect SDM_LOW out ip nat outside ip virtual-reassembly ip route-cache flow duplex auto speed auto no cdp enable!interface Dot11Radio0 no ip address no dot11 extension aironet ! encryption mode ciphers tkip  ! encryption vlan 1 mode ciphers tkip  ! ssid wtbhome ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding!interface Dot11Radio0.1 encapsulation dot1Q 1 native no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding!interface Vlan1 description Internal network no ip address ip nat inside no ip virtual-reassembly ip tcp adjust-mss 1452 bridge-group 1 bridge-group 1 spanning-disabled!interface BVI1 description Bridge to internal network$FW_INSIDE$ ip address 192.168.0.1 255.255.255.0 ip access-group 106 in no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow!ip local pool SDM_POOL_1 192.168.0.5 192.168.0.10ip local pool vpnpool 192.168.1.1 192.168.1.10ip route 0.0.0.0 0.0.0.0 FastEthernet4!ip http serverip http access-class 2ip http authentication localip http secure-serverip http timeout-policy idle 60 life 86400 requests 10000ip nat inside source list 1 interface FastEthernet4 overloadip nat inside source static tcp 192.168.0.2 20 interface FastEthernet4 20ip nat inside source static tcp 192.168.0.2 21 interface FastEthernet4 21ip nat inside source static tcp 192.168.0.54 27000 interface FastEthernet4 27000ip nat inside source list 111 interface FastEthernet4 overload!access-list 1 remark INSIDE_IF=BVI1access-list 1 remark SDM_ACL Category=2access-list 1 permit 192.168.0.0 0.0.0.255access-list 2 remark HTTP Access-class listaccess-list 2 remark SDM_ACL Category=1access-list 2 permit 192.168.0.0 0.0.0.255access-list 2 deny   anyaccess-list 105 remark VTY Access-class listaccess-list 105 remark SDM_ACL Category=1access-list 105 permit ip 192.168.0.0 0.0.0.255 anyaccess-list 105 deny   ip any anyaccess-list 106 remark auto generated by SDM firewall configurationaccess-list 106 remark SDM_ACL Category=1access-list 106 permit udp any host 192.168.0.1 eq non500-isakmpaccess-list 106 permit udp any host 192.168.0.1 eq isakmpaccess-list 106 permit esp any host 192.168.0.1access-list 106 permit ahp any host 192.168.0.1access-list 106 deny   ip host 255.255.255.255 anyaccess-list 106 deny   ip 127.0.0.0 0.255.255.255 anyaccess-list 106 permit ip any anyaccess-list 107 remark auto generated by SDM firewall configurationaccess-list 107 remark SDM_ACL Category=1access-list 107 permit tcp any any eq 27000access-list 107 permit tcp any any eq ftpaccess-list 107 permit tcp any any eq ftp-dataaccess-list 107 deny   ip 192.168.0.0 0.0.0.255 anyaccess-list 107 permit udp any eq bootps any eq bootpcaccess-list 107 permit icmp any any echo-replyaccess-list 107 permit icmp any any time-exceededaccess-list 107 permit icmp any any unreachableaccess-list 107 deny   ip 10.0.0.0 0.255.255.255 anyaccess-list 107 deny   ip 172.16.0.0 0.15.255.255 anyaccess-list 107 deny   ip 192.168.0.0 0.0.255.255 anyaccess-list 107 deny   ip 127.0.0.0 0.255.255.255 anyaccess-list 107 deny   ip host 255.255.255.255 anyaccess-list 107 deny   ip any any logaccess-list 111 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255access-list 111 permit ip any anyno cdp run!control-plane!bridge 1 protocol ieeebridge 1 route ipbanner login ^C-----------------------------------------------------------------------Cisco Router and Security Device Manager (SDM) is installed on this device. This feature requires the one-time use of the username "cisco" with the password "cisco". The default username and password have a privilege level of 15. Please change these publicly known initial credentials using SDM or the IOS CLI. Here are the Cisco IOS commands. username <myuser>  privilege 15 secret 0 <mypassword>no username cisco Replace <myuser> and <mypassword> with the username and password you want to use.  For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm -----------------------------------------------------------------------^C!line con 0 no modem enable transport output telnetline aux 0 transport output telnetline vty 0 4 access-class 105 in privilege level 15 transport input telnet ssh!scheduler max-task-time 5000scheduler allocate 4000 1000scheduler interval 500end

Re: [Info] Inspection & performance

Sat, 05 Jul 2008 04:53:10 EDT

aryoba : Is there any other ip inspect command applied anywhere? I know some people apply ip inspect command on multiple interfaces or on the same interface with "in" and "out" simultaneously.

How about any ACL applied to any interface? If there is ACL on any interface, then it should match with the respective ip inspect command. When they don't match, then there will be performance issue on certain or all applications.

As how useful there are, it depends on how you configure the CBAC security as a whole. When you configure them properly, then you will have some decent security on your servers and the rest of machines within your network seamlessly without affecting performance.

Re: [Info] Inspection & performance

Wed, 02 Jul 2008 21:07:57 EDT

Sailing_Nut : The biggest question I have (and didn't actually ask) is "does it affect performance to have inspection turned on for applications that I don't use."

Oh, I do have it set to "ip inspect SDM_LOW out" on my WAN interface.

Thanks!

Re: [Info] Inspection & performance

Wed, 02 Jul 2008 17:29:27 EDT

rolande : And you do have it configured on an interface to actually inspect?

Assuming that is the case, you will definitely see a performance hit for doing inspection. It is different on each platform and based on the amount of traffic being passed. Best thing to do is monitor performance for a period of time with it on and then disable it on the interface and monitor for any differences in utilization. It would not be unexpected to see a 10-20% overhead or more in performance from inspection.
--
Scott, CCIE #14618 Routing & Switching
Ignorance is temporary...stupidity lasts forever!
»www.thewaystation.com/techref/tech.shtml
»blog.thewaystation.com/

Re: [Info] Inspection & performance

Wed, 02 Jul 2008 13:16:00 EDT

Sailing_Nut : Should have specified that I'm using an 851w router.

[Info] Inspection & performance

Wed, 02 Jul 2008 13:15:16 EDT

Sailing_Nut : Hi,

I'm trying to boost my router's performance and I had a question on how much the IP inspection affecte performance and secondly how useful it is.

Here is the inspection section from my config: