Question : Problem: Cisco 2514 & CBAC Performance Problems

I have a Cisco 2514 that is set up as my Internet router/firewall. E0 is connected to the Road-Runner cable modem and E1 is connected to my internal network. I am using NAT and DHCP. There is a basic extended IP ACL inbound on E0 (Internet) and there are the basic inspect statements for state filtering.

The problem occurs when I activate the CBAC (firewall) state filtering. Normally I get 1.8 Mbps throughput on the Internet connection, but when the 'ip inspect filter1 out' statement is applied to E0 the throughput drops to around 700 to 800 kbps (about half). This is on a very small network (fewer than 10 nodes) with very little traffic. If I remove the inspect statement with 'no ip inspect', the throughput goes back up to the normal 1.8 Mbps.

Prior to installing the 2514, I was using a D-Link 704P as my router/firewall and was getting the normal 1.8 Mbps throughput with it.

The router is running IOS Version 12.2(1) with 16 MB flash and 16 MB RAM. In researching this problem, all of the documents on CBAC indicated that CBAC has a very minimal performance hit.

I expected to see a performance hit when I activated the ACL and CBAC firewall, but I did not expect it to reduce my throughput by 50%.

Any help, suggestions, or explanations would be appreciated. I have posted the running configuration and version information below.

Henry
[email protected]
318 329-1506

Running Configuration:

Current configuration : 3286 bytes
!
version 12.2
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname RR
!
logging rate-limit console 10 except errors
logging console informational
enable secret 5 $1$GPz2$S7pazsJvCMfhyWlvBgXKg.
!
no ip subnet-zero
no ip source-route
no ip finger
ip name-server 24.164.193.54
ip name-server 24.164.193.55
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
ip dhcp excluded-address xxx.xxx.xxx.xxx
!
ip dhcp pool inside
   import all
   network xxx.xxx.xxx.xxx 255.255.255.0
   default-router xxx.xxx.xxx.xxx
   dns-server 24.164.193.54 24.164.193.55
   domain-name jam.rr.com
!
ip cef
ip inspect audit-trail
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name filter1 ftp timeout 1800
ip inspect name filter1 http timeout 1800
ip inspect name filter1 realaudio timeout 1800
ip inspect name filter1 smtp timeout 1800
ip inspect name filter1 tcp timeout 1800
ip inspect name filter1 udp timeout 15
no ip dhcp-client network-discovery
!
!
!
!
interface Ethernet0
 description RoadRunner
 ip address dhcp
 ip access-group 112 in
 ip nat outside
 ip inspect filter1 out
 no ip route-cache cef
 no ip mroute-cache
 no keepalive
 no cdp enable
!
interface Ethernet1
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group 101 in
 ip nat inside
 no ip route-cache cef
 no ip mroute-cache
 no keepalive
 no cdp enable
!
interface Serial0
 no ip address
 shutdown
 no cdp enable
!
interface Serial1
 no ip address
 shutdown
 no cdp enable
!
ip kerberos source-interface any
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
!
logging xxx.xxx.xxx.xxx
access-list 1 permit xxx.xxx.xxx.xxx 0.0.0.255
access-list 101 permit udp host 0.0.0.0 host 255.255.255.255 eq bootps log
access-list 101 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 101 permit udp xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 101 permit icmp xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 101 deny   ip any any
access-list 112 deny   tcp any any log
access-list 112 deny   udp any any log
access-list 112 permit icmp any any unreachable
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any traceroute
access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any echo
access-list 112 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 112 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 112 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 112 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 112 deny   icmp any any log
access-list 112 deny   ip any any log
no cdp run
!
!
line con 0
  password x xxxxxxxxxxxxxxxxx
 logging synchronous
 login
 transport input none
line aux 0
line vty 0 4
  password x xxxxxxxxxxxxxxxxx
 logging synchronous
 login
 transport input telnet
!
end


*Note: The 'xxx' entries above represent site-specific information that I do not want to publish in this post.


Version:

RR#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JK8OS-L), Version 12.2(1), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 27-Apr-01 15:20 by cmong
Image text-base: 0x0307EE08, data-base: 0x00001000

ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)

RR uptime is 2 hours, 9 minutes
System returned to ROM by power-on
System image file is "flash:/c2500-jk8os-l.122-1.bin"

cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 02942180, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102
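The following is an added diagnostic checklist for the question above; it is not part of Henry's post or of the moderator's reply. It only uses IOS `show` commands and configuration lines that exist on 12.2-era 2500 images (assumption: the `show interfaces ... stats` form is present on this particular build) and refers to the interface names, rule name `filter1` and access-list 112 from the posted running configuration. Nothing here claims what the result on this router will be; each step isolates one variable against the author's own A/B test of applying and removing `ip inspect filter1 out` on Ethernet0.

```cisco
! Added example: isolating where the CBAC throughput hit on the posted config comes from.
! Run each step while the throughput test is in progress, then repeat the same
! measurement with 'no ip inspect filter1 out' on Ethernet0 for comparison.

! 1. Confirm what CBAC is actually doing: the rule set, the interface it is bound
!    to, and the live sessions it is tracking (one entry per TCP/UDP flow opened).
show ip inspect config
show ip inspect interfaces
show ip inspect sessions detail

! 2. Check whether the box is CPU-bound. The 2514 runs a 68030; if the 5-second
!    utilisation sits near 100% with inspection on and drops with it off, the
!    limit is the processor, not the cable link.
show processes cpu
show memory summary

! 3. See which switching path packets take. The posted config has 'ip cef'
!    globally but 'no ip route-cache cef' on both Ethernet interfaces, so CEF is
!    disabled there. In the stats output the 'Processor' row counts packets that
!    were process switched, the slowest path; compare it with the 'Route cache' row.
show ip interface Ethernet0
show ip interface Ethernet1
show interfaces Ethernet0 stats
show interfaces Ethernet1 stats

! 3b. Optional variable: re-enable CEF per interface and re-measure. Assumption:
!     the image accepts this on the 2500 (it accepted the global 'ip cef').
!     Whether inspected packets use it on this image is not claimed here.
configure terminal
 interface Ethernet0
  ip route-cache cef
 interface Ethernet1
  ip route-cache cef
end

! 4. Separate inspection cost from logging cost. 'ip inspect audit-trail' emits a
!    syslog line per session, console logging is synchronous and CPU-expensive,
!    and the 'log' keyword on the access-list 112 deny lines logs every
!    unsolicited inbound hit (rate-limited). Turn the first two off temporarily,
!    re-measure, then restore them.
configure terminal
 no ip inspect audit-trail
 no logging console
end
! (re-run the throughput test here; afterwards restore with
!  'ip inspect audit-trail' and 'logging console informational')

! 5. Trim the inspect rule set to what the network needs. The generic 'tcp' and
!    'udp' rules already carry HTTP and SMTP flows; the 'http' and 'smtp'
!    application rules add protocol-level checks on top. Keep 'ftp' and
!    'realaudio' because those open the secondary data channels. Fewer
!    application rules means less per-packet work, which is the variable to test.
configure terminal
 no ip inspect name filter1 http timeout 1800
 no ip inspect name filter1 smtp timeout 1800
end
```

Read the results as a matrix: if step 2 shows the CPU pegged and step 3 shows traffic on the Processor path only while inspection is on, the cost is in the per-packet inspection itself and steps 4 and 5 are the only knobs left on this hardware; if step 4 alone recovers most of the throughput, the loss was in logging rather than in state tracking.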

Answer : Problem: Cisco 2514 & CBAC Performance Problems

PAQ'd and points NOT refunded.

SpideyMod
Community Support Moderator @Experts Exchange