[c-nsp] 2611xm slowed to crawl, ip based filter...

Jeff Johnson jeff at comfrey.net
Wed Sep 8 15:57:31 EDT 2004


Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(8)T5,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 21-Jun-02 08:50 by ccai
Image text-base: 0x80008074, data-base: 0x80A2BD40

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

foo uptime is 52 weeks, 20 hours, 22 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.122-8.T5.bin"

cisco 2611XM (MPC860P) processor (revision 0x100) with 125952K/5120K bytes of memory.
Processor board ID JAE071600ZR (2259015818)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


And is it safe to change the default route remotely over SSH?

conf t
ip route 0.0.0.0 0.0.0.0 X.X.X.206 0.0.0.3
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
end

Like this; I wouldn't want to lose connectivity, of course.

Then, if this is successful, how do I go about flushing the CEF and ARP tables?


Thanks Much,
-Jeff

On Sep 8, 2004, at 12:45 PM, Rodney Dunn wrote:

> What version of 12.2 is this?
> I'd like to run a quick test to see
> if in this code the netflow policy acceleration
> is on.  That way for a given flow you only
> do the ACL lookup on the first packet.
>
> Bruce is right.  Change that default because
> you force the next hop to proxy for every single
> destination you try to reach which is a very
> bad thing.
>
> Rodney
>
>
> On Wed, Sep 08, 2004 at 12:32:44PM -0700, Bruce Pinsky wrote:
>>
>> Jeff Johnson wrote:
>>
>> | Right, Sorry,
>> |
>> | here is the full config:
>> |
>> | So I cleaned it up a little bit and made it less restrictive.
>> |
>> | I ran nessus last night and again things slowed to a crawl.  I think
>> | nessus created a DoS.
>> |
>> | I turned on ip cef this morning, but disabled all of the access-lists
>> | just to be sure things would just work, as things were terribly slow.  I
>> | will probably test this out later this afternoon.
>> |
>> | Any comments?  Do you think CEF will improve the speed?
>> |
>> | I did a "sh ip cef" and the list it returned was quite long.  I
>> | assume this is expected.
>> |
>>
>> Well, depends on the size of your routing table.  However, given that I see
>> default routing below and assume no dynamic routing info, I would not
>> expect a big CEF table at all.  However, see my comments below which could
>> explain a few things.
>>
>>
>> |
>> | -----------------------------------------------
>> | Current configuration : 1407 bytes
>> | !
>> | version 12.2
>> | service timestamps debug uptime
>> | service timestamps log uptime
>> | service password-encryption
>> | !
>> | hostname foo.webcoach.com
>> | !
>> | enable secret 5 $XXXXXXXX
>> | enable password 7 XXXXXXXXXXXXXX
>> | !
>> | ip subnet-zero
>> | ip cef
>> | !
>> | !
>> | no ip domain-lookup
>> | !
>> | !
>> | interface Null0
>> |  no ip unreachables
>> | !
>> | interface FastEthernet0/0
>> |  description inside
>> |  ip address X.X.X.190 255.255.255.192
>> |  no ip redirects
>> |  no ip unreachables
>> |  no ip proxy-arp
>> |  ip route-cache flow
>> |  no ip mroute-cache
>> |  speed 100
>> |  full-duplex
>> | !
>> | interface FastEthernet0/1
>> |  description outside
>> |  ip address X.X.X.205 255.255.255.252
>> |  speed 100
>> |  full-duplex
>> | !
>> | !
>> | ip classless
>> | ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
>>
>>
>> Why are you default routing to an interface?  That will cause all addresses
>> to be ARP'd for.  That would be a big load on the router.   Point to the
>> next-hop IP address of your provider (upstream).
>>
>>
>> | no ip http server
>> | ip pim bidir-enable
>> | !
>> | !
>> | access-list 101 deny   ip host 0.0.0.0 any
>> | access-list 101 deny   ip X.X.X.128 0.0.0.63 any
>> | access-list 101 permit tcp any any established
>> | access-list 101 permit tcp any any eq 22
>> | access-list 101 permit tcp any any eq www
>> | access-list 101 permit tcp any any eq 443
>> | access-list 101 permit tcp any any eq 143
>> | access-list 101 permit icmp any any
>> | access-list 101 permit tcp any any range ftp-data ftp
>> | access-list 101 permit tcp any any eq pop3
>> | access-list 101 permit udp any host X.X.X.129 eq domain
>> | access-list 101 permit tcp any host X.X.X.148 eq smtp
>> | !
>> | line con 0
>> | line aux 0
>> | line vty 0 4
>> |  password 7 141A1D01034507242E2772180D3928
>> |  login
>> | !
>> | !
>>
>>
>> --
>> =========
>> bep
>>
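An added example, not code from this thread or from Cisco: a small Python lint run over a constructed excerpt of the config quoted above. It flags the two problems the replies raise, a default route pointing at the Ethernet interface (so the router has to ARP for every destination) and access-list 101 being defined but never applied with `ip access-group`. The set of interface types treated as multi-access in `MULTI_ACCESS` is an assumption.

```python
import re

# Constructed excerpt modelled on the config quoted in this thread (not the
# poster's full config); the X.X.X placeholders are kept as in the post.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description inside
 ip address X.X.X.190 255.255.255.192
 no ip proxy-arp
 ip route-cache flow
!
interface FastEthernet0/1
 description outside
 ip address X.X.X.205 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 22
"""

# Broadcast (multi-access) interface types (assumed list): a static route
# whose "next hop" is one of these makes the router ARP for every destination
# the route covers.  Point-to-point types such as Serial are not matched.
MULTI_ACCESS = re.compile(r"^(Fast|Gigabit)?Ethernet", re.IGNORECASE)


def lint_config(text):
    """Return findings: routes exiting via a multi-access interface, and
    access-lists that are defined but never applied with 'ip access-group'."""
    findings = []
    defined, applied = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
        if m and MULTI_ACCESS.match(m.group(3)):
            findings.append(
                f"route {m.group(1)} {m.group(2)} exits via {m.group(3)}: "
                "router will ARP for every destination; use the next-hop IP")
        m = re.match(r"access-list (\d+) ", line)
        if m:
            defined.add(m.group(1))
        m = re.match(r"ip access-group (\S+) (in|out)$", line)
        if m:
            applied.add(m.group(1))
    for acl in sorted(defined - applied):
        findings.append(f"access-list {acl} is defined but not applied anywhere")
    return findings
```

Feeding it a config where the default route points at the provider's next-hop address and the ACL is applied to an interface returns an empty list.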
