[c-nsp] 2611xm slowed to crawl, ip based filter...
Jeff Johnson
jeff at comfrey.net
Wed Sep 8 15:25:03 EDT 2004
Right, sorry,
here is the full config:
So I cleaned it up a little bit and made it less restrictive.
I ran Nessus last night and again things slowed to a crawl. I think
Nessus created a DoS.
I turned on ip cef this morning, but disabled all of the access-lists
just to be sure things would just work, as things were terribly slow.
I will probably test this out later this afternoon.
Any comments? Do you think CEF will improve the speed?
I did a "sh ip cef" and the list it returned was very long. I
assume this is expected.
-----------------------------------------------
Current configuration : 1407 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname foo.webcoach.com
!
enable secret 5 $XXXXXXXX
enable password 7 XXXXXXXXXXXXXX
!
ip subnet-zero
ip cef
!
!
no ip domain-lookup
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description inside
ip address X.X.X.190 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/1
description outside
ip address X.X.X.205 255.255.255.252
speed 100
full-duplex
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
no ip http server
ip pim bidir-enable
!
!
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip X.X.X.128 0.0.0.63 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 143
access-list 101 permit icmp any any
access-list 101 permit tcp any any range ftp-data ftp
access-list 101 permit tcp any any eq pop3
access-list 101 permit udp any host X.X.X.129 eq domain
access-list 101 permit tcp any host X.X.X.148 eq smtp
!
line con 0
line aux 0
line vty 0 4
password 7 141A1D01034507242E2772180D3928
login
!
!
end
-----------------------------------------------------------------------
On Sep 8, 2004, at 8:02 AM, Church, Chuck wrote:
> Jeff,
>
> Something doesn't seem right. If it's a 2611XM, doesn't it have
> fast ethernet interfaces? What router do these interface configs
> belong to?
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch at netcogov.com <-note new address!
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Johnson
> Sent: Wednesday, September 08, 2004 2:47 AM
> To: Cisco-nsp
> Subject: [c-nsp] 2611xm slowed to crawl, ip based filter...
>
> Hey all,
>
> Below is an excerpt from my config on a 2611xm. I set this up last
> Friday night and foolishly walked away. Upon checking in the next day
> I found that the network had slowed to a crawl and I could not even
> connect via ssh. The connections would time out.
>
> Is this ACL processor bound or is there some fundamental flaw in its
> design?
>
> I am new to Cisco based firewalls, so please go easy on me.
>
> The following section was generated by ConfigMaker.
>
> I appreciate the help,
>
> -Jeff
>
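The ACL from the message, evaluated offline as an added example (not code from the original post or from Cisco): a small Python evaluator for IOS numbered extended access lists that walks the rules in order, first match wins, with the implicit deny at the end. It assumes the redacted X.X.X.128/26 inside block is 192.0.2.128/26 (a constructed stand-in) and that wildcard masks are contiguous, and it lets you check which inbound packets the list would permit before applying it to an interface.

```python
import ipaddress
# Constructed copy of the ACL in the message; the redacted X.X.X.128/26 inside block is stood in for by 192.0.2.128/26.
ACL_TEXT = """\
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 192.0.2.128 0.0.0.63 any
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 143
access-list 101 permit icmp any any
access-list 101 permit tcp any any range ftp-data ftp
access-list 101 permit tcp any any eq pop3
access-list 101 permit udp any host 192.0.2.129 eq domain
access-list 101 permit tcp any host 192.0.2.148 eq smtp
"""
PORTS = {"www": 80, "ftp-data": 20, "ftp": 21, "pop3": 110, "domain": 53, "smtp": 25}

def _addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard only) and return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    wild = 0 if t[0] == "host" else int(ipaddress.ip_address(t[1]))
    base = int(ipaddress.ip_address(t[1] if t[0] == "host" else t[0])) & ~wild & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - wild.bit_length())), t[2:]

def parse_acl(text):
    """Parse numbered extended ACL lines into an ordered list of rule dicts."""
    rules = []
    for t in [line.split() for line in text.splitlines() if line.startswith("access-list")]:
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        ports = None
        for kw in ("eq", "range"):  # 'eq P' -> (P, P); 'range A B' -> (A, B); names resolved via PORTS
            if kw in rest:
                i = rest.index(kw) + 1
                ports = tuple(int(PORTS.get(rest[j], rest[j])) for j in (i, i + (kw == "range")))
        rules.append({"action": t[2], "proto": t[3], "src": src, "dst": dst,
                      "ports": ports, "established": "established" in rest})
    return rules

def evaluate(rules, proto, src, dst, dport=0, ack=False):
    """First-match evaluation as IOS does it; no match means the implicit deny -> ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and (not r["ports"] or r["ports"][0] <= dport <= r["ports"][1])
                and (ack or not r["established"])):  # 'established' tests the ACK/RST bits only, it keeps no state
            return r["action"], i
    return "deny", None
```

Every rule index returned maps back to a line of access-list 101 as written above, so a surprising permit can be traced to the exact entry that matched.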