[c-nsp] 2611xm slowed to crawl, ip based filter...

Bruce Pinsky bep at whack.org
Wed Sep 8 15:32:44 EDT 2004



Jeff Johnson wrote:

| Right, sorry,
|
| here is the full config:
|
| So I cleaned it up a little bit and made it less restrictive.
|
| I ran Nessus last night and again things slowed to a crawl.  I think
| Nessus created a DoS.
|
| I turned on ip cef this morning, but disabled all of the access-lists
| just to be sure things would just work, as things were terribly slow.  I
| will probably test this out later this afternoon.
|
| Any comments?  You think CEF will improve the speed?
|
| I did a "sh ip cef" and the list it returned was very long.  I
| assume this is expected.
|

Well, it depends on the size of your routing table.  However, given that I see
default routing below and assume no dynamic routing info, I would not
expect a big CEF table at all.  However, see my comments below which could
explain a few things.


|
| -----------------------------------------------
| Current configuration : 1407 bytes
| !
| version 12.2
| service timestamps debug uptime
| service timestamps log uptime
| service password-encryption
| !
| hostname foo.webcoach.com
| !
| enable secret 5 $XXXXXXXX
| enable password 7 XXXXXXXXXXXXXX
| !
| ip subnet-zero
| ip cef
| !
| !
| no ip domain-lookup
| !
| !
| interface Null0
|  no ip unreachables
| !
| interface FastEthernet0/0
|  description inside
|  ip address X.X.X.190 255.255.255.192
|  no ip redirects
|  no ip unreachables
|  no ip proxy-arp
|  ip route-cache flow
|  no ip mroute-cache
|  speed 100
|  full-duplex
| !
| interface FastEthernet0/1
|  description outside
|  ip address X.X.X.205 255.255.255.252
|  speed 100
|  full-duplex
| !
| !
| ip classless
| ip route 0.0.0.0 0.0.0.0 FastEthernet0/1


Why are you default routing to an interface?  That will cause all addresses
to be ARP'd for.  That would be a big load on the router.  Point to the
next-hop IP address of your provider (upstream).


| no ip http server
| ip pim bidir-enable
| !
| !
| access-list 101 deny   ip host 0.0.0.0 any
| access-list 101 deny   ip X.X.X.128 0.0.0.63 any
| access-list 101 permit tcp any any established
| access-list 101 permit tcp any any eq 22
| access-list 101 permit tcp any any eq www
| access-list 101 permit tcp any any eq 443
| access-list 101 permit tcp any any eq 143
| access-list 101 permit icmp any any
| access-list 101 permit tcp any any range ftp-data ftp
| access-list 101 permit tcp any any eq pop3
| access-list 101 permit udp any host X.X.X.129 eq domain
| access-list 101 permit tcp any host X.X.X.148 eq smtp
| !
| line con 0
| line aux 0
| line vty 0 4
|  password 7 141A1D01034507242E2772180D3928
|  login
| !
| !


--
=========
bep

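The point raised in the reply, that a static route whose only next hop is an Ethernet interface makes the router ARP for every covered destination, is easy to check for mechanically. The following is an added example, not code from the thread: a small lint that reads an IOS-style config and flags such routes. The sample config is constructed to mirror the one quoted above, with documentation addresses in place of the poster's masked ones.

```python
import re

# Constructed excerpt modelled on the config quoted in the thread; the
# addresses are documentation placeholders, not the poster's real ones.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description outside
 ip address 192.0.2.205 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.0.0 255.0.0.0 192.0.2.206
ip route 172.16.0.0 255.255.0.0 Serial0/0
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\S+))?", re.M)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Ethernet-style and VLAN interfaces are broadcast media; Serial links are not.
BROADCAST_IF_RE = re.compile(r"^(?:Fast|Gigabit|TenGigabit)?Ethernet\d|^Vlan\d", re.I)


def interface_only_routes(config: str) -> list[dict]:
    """Flag static routes whose only next hop is a broadcast (Ethernet-style) interface.

    On such a link the router must ARP for every destination the prefix covers;
    for a default route that is every address on the Internet, which is the
    load the reply describes. A route that also names a next-hop IP, or that
    points out a point-to-point interface, is not flagged.
    """
    findings = []
    for prefix, mask, hop, extra in ROUTE_RE.findall(config):
        # 'extra' may be a next-hop IP or an administrative distance (or empty).
        has_next_hop_ip = bool(IPV4_RE.match(hop) or IPV4_RE.match(extra))
        if BROADCAST_IF_RE.match(hop) and not has_next_hop_ip:
            findings.append({
                "prefix": prefix, "mask": mask, "interface": hop,
                "default": prefix == "0.0.0.0" and mask == "0.0.0.0",
            })
    return findings


def report(config: str) -> list[str]:
    """One human-readable line per finding, with the suggested fix."""
    lines = []
    for f in interface_only_routes(config):
        scope = "every Internet destination" if f["default"] else f"all of {f['prefix']} {f['mask']}"
        lines.append(f"ip route {f['prefix']} {f['mask']} {f['interface']}: router will ARP for "
                     f"{scope}; add the upstream next-hop address after the interface name")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```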

