[c-nsp] 2611xm slowed to crawl, ip based filter...

rwcrowe at comcast.net
Wed Sep 8 08:40:22 EDT 2004


Looks like you are process switching on the interface:
> 2611#sh ip int 
> FastEthernet0/0 is up, line protocol is up 
> Internet address is X.X.X.190/26 
> Broadcast address is 255.255.255.255 
> Address determined by non-volatile memory 
> MTU is 1500 bytes 
> Helper address is not set 
> Directed broadcast forwarding is disabled 
> Outgoing access list is not set 
> Inbound access list is not set 
> Proxy ARP is enabled 
> Local Proxy ARP is disabled 
> Security level is default 
> Split horizon is enabled 
> ICMP redirects are always sent 
> ICMP unreachables are always sent 
> ICMP mask replies are never sent 
> IP fast switching is disabled 
> IP fast switching on the same interface is disabled 
> IP Flow switching is disabled 
> IP Fast switching turbo vector 
> IP multicast fast switching is disabled 
> IP multicast distributed fast switching is disabled 
> IP route-cache flags are None 
> Router Discovery is disabled 
> IP output packet accounting is disabled 
> IP access violation accounting is disabled 
> TCP/IP header compression is disabled 
> RTP/IP header compression is disabled 
> Probe proxy name replies are disabled 
> Policy routing is disabled 
> Network address translation is disabled 
> WCCP Redirect outbound is disabled 
> WCCP Redirect inbound is disabled 
> WCCP Redirect exclude is disabled 
> BGP Policy Mapping is disabled 

Use "ip route-cache" under the interface to turn on fast switching, or turn on CEF globally with "ip cef" and "ip route-cache cef" under the interface.

--
Rob Crowe 
rwcrowe at comcast.net


-------------- Original message -------------- 

> On Sep 8, 2004, at 12:05 AM, Bruce Pinsky wrote: 
> 
> > -----BEGIN PGP SIGNED MESSAGE----- 
> > Hash: SHA1 
> > 
> > Jeff Johnson wrote: 
> > 
> > | Hey all, 
> > | 
> > | Below is an excerpt from my config on a 2611xm. I set this up last 
> > | Friday night and foolishly walked away. Upon checking in the next day I 
> > | found that the network had slowed to a crawl and I could not even 
> > | connect via ssh. The connections would time out. 
> > | 
> > | Is this acl processor bound or is there some fundamental flaw in its 
> > | design? 
> > | 
> > | I am new to Cisco-based firewalls, so please go easy on me. 
> > | 
> > | The following section was generated by configmaker. 
> > | 
> > | I appreciate the help, 
> > | 
> > 
> > 
> > Doesn't seem that unreasonable. A little more info might help narrow 
> > it down. What does "show proc cpu" indicate? Do you have some other 
> > features turned on such as NAT or IPSEC? Is CEF your switching path 
> > (check with "sh ip int")? 
> > 
> 
> no nat or ipsec. 
> 
> It is hard to say about the cpu utilization as it stands now as the 
> list is not active. 
> 
> 2611#sh ip int 
> FastEthernet0/0 is up, line protocol is up 
> Internet address is X.X.X.190/26 
> Broadcast address is 255.255.255.255 
> Address determined by non-volatile memory 
> MTU is 1500 bytes 
> Helper address is not set 
> Directed broadcast forwarding is disabled 
> Outgoing access list is not set 
> Inbound access list is not set 
> Proxy ARP is enabled 
> Local Proxy ARP is disabled 
> Security level is default 
> Split horizon is enabled 
> ICMP redirects are always sent 
> ICMP unreachables are always sent 
> ICMP mask replies are never sent 
> IP fast switching is disabled 
> IP fast switching on the same interface is disabled 
> IP Flow switching is disabled 
> IP Fast switching turbo vector 
> IP multicast fast switching is disabled 
> IP multicast distributed fast switching is disabled 
> IP route-cache flags are None 
> Router Discovery is disabled 
> IP output packet accounting is disabled 
> IP access violation accounting is disabled 
> TCP/IP header compression is disabled 
> RTP/IP header compression is disabled 
> Probe proxy name replies are disabled 
> Policy routing is disabled 
> Network address translation is disabled 
> WCCP Redirect outbound is disabled 
> WCCP Redirect inbound is disabled 
> WCCP Redirect exclude is disabled 
> BGP Policy Mapping is disabled 
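
A check for the condition diagnosed in this reply, as an added example that is not part of the original message: it reads "show ip interface" text (quoted or not) and reports each interface's switching path. The second sample interface, including its "IP CEF switching is enabled" line and "Fast, CEF" flags, is constructed and assumes the wording a CEF-enabled IOS image prints.

```python
import re

HEADER = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol is")
SETTING = re.compile(r"^IP (fast|CEF) switching is (enabled|disabled)$")
FLAGS = re.compile(r"^IP route-cache flags are (.+)$")

def switching_paths(show_output):
    """Return {interface: 'cef' | 'fast' | 'process'} from 'show ip interface' text."""
    enabled = {}    # interface -> set of enabled switching paths
    current = None
    for raw in show_output.splitlines():
        line = raw.lstrip("> ").strip()    # accept output quoted in an e-mail
        if m := HEADER.match(line):
            current = m.group(1)
            enabled[current] = set()
        elif current is None:
            continue                       # text before the first interface
        elif m := SETTING.match(line):
            if m.group(2) == "enabled":
                enabled[current].add(m.group(1).lower())
        elif m := FLAGS.match(line):
            flags = {f.strip().lower() for f in m.group(1).split(",")}
            enabled[current] |= flags & {"fast", "cef"}
    return {name: "cef" if "cef" in paths else "fast" if "fast" in paths else "process"
            for name, paths in enabled.items()}

def process_switched(show_output):
    """Interfaces where every packet takes the CPU-bound process path."""
    return [n for n, p in switching_paths(show_output).items() if p == "process"]

# First interface: lines taken from the output quoted in this message.
# Second interface: constructed for contrast (assumed CEF-enabled output).
SAMPLE = """\
> FastEthernet0/0 is up, line protocol is up
> IP fast switching is disabled
> IP fast switching on the same interface is disabled
> IP Flow switching is disabled
> IP route-cache flags are None
FastEthernet0/1 is up, line protocol is up
  IP fast switching is enabled
  IP CEF switching is enabled
  IP route-cache flags are Fast, CEF
"""

if __name__ == "__main__":
    for name, path in switching_paths(SAMPLE).items():
        print(f"{name}: {path}")
```

An interface reported as "process" is the one to fix before applying a long access list, since each packet is then evaluated by the route processor.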

