[c-nsp] 2611xm slowed to crawl, ip based filter...
Rodney Dunn
rodunn at cisco.com
Wed Sep 8 11:11:16 EDT 2004
Like others said, turn on CEF because we will
by default in later code accelerate the lookup
for a flow.
You should also consider going to 12.3(4)T or
later code that has the new TRIE-based ACLs.
They are much faster lookups.
Rodney
On Wed, Sep 08, 2004 at 12:17:52AM -0700, Jeff Johnson wrote:
> On Sep 8, 2004, at 12:05 AM, Bruce Pinsky wrote:
>
> > Jeff Johnson wrote:
> >
> > | Hey all,
> > |
> > | Below is an excerpt from my config on a 2611xm. I set this up last
> > | Friday night and foolishly walked away. Upon checking in the next day I
> > | found that the network had slowed to a crawl and I could not even
> > | connect via ssh. The connections would time out.
> > |
> > | Is this ACL processor bound or is there some fundamental flaw in its
> > | design?
> > |
> > | I am new to Cisco-based firewalls, so please go easy on me.
> > |
> > | The following section was generated by configmaker.
> > |
> > | I appreciate the help,
> > |
> >
> >
> > Doesn't seem that unreasonable. A little more info might help narrow it
> > down. What does "show proc cpu" indicate? Do you have some other
> > features turned on such as NAT or IPSEC? Is CEF your switching path
> > (check with "sh ip int")?
> >
>
> No NAT or IPSEC.
>
> It is hard to say about the cpu utilization as it stands now as the
> list is not active.
>
> 2611#sh ip int
> FastEthernet0/0 is up, line protocol is up
> Internet address is X.X.X.190/26
> Broadcast address is 255.255.255.255
> Address determined by non-volatile memory
> MTU is 1500 bytes
> Helper address is not set
> Directed broadcast forwarding is disabled
> Outgoing access list is not set
> Inbound access list is not set
> Proxy ARP is enabled
> Local Proxy ARP is disabled
> Security level is default
> Split horizon is enabled
> ICMP redirects are always sent
> ICMP unreachables are always sent
> ICMP mask replies are never sent
> IP fast switching is disabled
> IP fast switching on the same interface is disabled
> IP Flow switching is disabled
> IP Fast switching turbo vector
> IP multicast fast switching is disabled
> IP multicast distributed fast switching is disabled
> IP route-cache flags are None
> Router Discovery is disabled
> IP output packet accounting is disabled
> IP access violation accounting is disabled
> TCP/IP header compression is disabled
> RTP/IP header compression is disabled
> Probe proxy name replies are disabled
> Policy routing is disabled
> Network address translation is disabled
> WCCP Redirect outbound is disabled
> WCCP Redirect inbound is disabled
> WCCP Redirect exclude is disabled
> BGP Policy Mapping is disabled
>
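Reading the switching path out of the "sh ip int" output quoted above, as an added example that is not part of the original thread. The function names are hypothetical, and the "IP CEF switching is enabled" line it looks for is an assumption about how IOS reports CEF on an interface, since that line does not appear in the posted output.

```python
import re

# Lines taken from the "sh ip int" output quoted in the thread.
SAMPLE = """\
> FastEthernet0/0 is up, line protocol is up
> Outgoing access list is not set
> Inbound access list is not set
> IP fast switching is disabled
> IP fast switching on the same interface is disabled
> IP Flow switching is disabled
> IP multicast fast switching is disabled
"""

HEADER = re.compile(r"^(\S+) is .*line protocol is ")
# "CEF" is an assumption: that line is not in the posted output.
FEATURE = re.compile(r"^IP (fast|Flow|CEF) switching is (enabled|disabled)$")
ACL = re.compile(r"^(Outgoing|Inbound)\s+access list is (.+)$")

def parse_show_ip_int(text):
    """Return {interface: {"switching": {...}, "acl": {...}}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted output
        m = HEADER.match(line)
        if m:
            current = result.setdefault(m.group(1), {"switching": {}, "acl": {}})
            continue
        if current is None:
            continue
        m = FEATURE.match(line)
        if m:
            current["switching"][m.group(1).lower()] = m.group(2)
        m = ACL.match(line)
        if m and m.group(2) != "not set":
            current["acl"][m.group(1).lower()] = m.group(2)
    return result

def switching_path(info):
    """Best switching path the interface reports: cef, fast or process."""
    sw = info["switching"]
    if sw.get("cef") == "enabled":
        return "cef"
    if sw.get("fast") == "enabled":
        return "fast"
    return "process"

def acl_on_process_path(text):
    """Interfaces that apply an ACL while every packet is process-switched."""
    return [name for name, info in parse_show_ip_int(text).items()
            if info["acl"] and switching_path(info) == "process"]
```

On the posted output this reports FastEthernet0/0 as process-switched with no ACL applied, which matches the poster's remark that the list was not active when the output was captured.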