[c-nsp] 3845 and urlfilter with websense
Roman Serbski
mefystofel at gmail.com
Thu Sep 1 15:47:07 EDT 2011
Hello list-
I appreciate your help with the following two questions.
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version
12.4(25b), RELEASE SOFTWARE (fc1)
Cisco 3845 (revision 1.0) with 1008640K/39936K bytes of memory.
2 Gigabit Ethernet interfaces
1 Compression AIM
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
250368K bytes of ATA System CompactFlash (Read/Write)
We're using Websense to filter HTTP traffic. Here is the relevant
config on the 3845:
!
ip inspect name wbsns http java-list 51 urlfilter timeout 30
ip urlfilter allow-mode on
ip urlfilter cache 50
ip urlfilter server vendor websense 192.168.100.33
!
interface GigabitEthernet0/1
 description -=INTERNAL=-
 ip address x.x.x.x x.x.x.x
 ip virtual-reassembly
 ip inspect wbsns in
 duplex full
 speed 100
 media-type rj45
 standby 3 ip x.x.x.x
 standby 3 priority 115
 standby 3 preempt
 standby 3 track GigabitEthernet0/0
!
access-list 51 permit any
!
With ~50Mbps load the CPU load jumps to 33-35% and we start
experiencing issues with browsing. If I disable 'ip inspect wbsns
in' the CPU load reduces to 5-7% and everything is back to normal.
Is 33-35% CPU load normal for a 3845 handling 50Mbps with urlfilter
configured? I googled for urlfilter with Websense examples and wasn't
able to spot anything wrong in my config. Do you think the 3845 should be
able to handle such load (it doesn't do much in our case: no VPN, no
NAT, a couple of static routes and HSRP on both interfaces)?
In my attempt to reduce CPU load I configured 'ip urlfilter cache',
however I don't see it being used -- 'sh ip urlfilter cache' is always
empty. Are there any conditions that trigger urlfilter cache
activation?
Maximum number of cache entries: 50
Number of entries cached: 0
--------------------------------------------------------
IP address        Age              Time since last hit
                  (In seconds)     (In seconds)
--------------------------------------------------------
Many thanks for your time.