[c-nsp] 2611xm slowed to crawl, ip based filter...
Rodney Dunn
rodunn at cisco.com
Wed Sep 8 15:45:05 EDT 2004
What version of 12.2 is this?
I'd like to run a quick test to see
if in this code the netflow policy acceleration
is on. That way for a given flow you only
do the ACL lookup on the first packet.
Bruce is right. Change that default because
you force the next hop to proxy for every single
destination you try to reach which is a very
bad thing.
Rodney
On Wed, Sep 08, 2004 at 12:32:44PM -0700, Bruce Pinsky wrote:
> Jeff Johnson wrote:
>
> | Right, sorry,
> |
> | here is the full config:
> |
> | So I cleaned it up a little bit and made it less restrictive.
> |
> | I ran Nessus last night and again things slowed to a crawl. I think
> | Nessus created a DoS.
> |
> | I turned on ip cef this morning, but disabled all of the access-lists
> | just to be sure things would just work, as things were terribly slow. I
> | will probably test this out later this afternoon.
> |
> | Any comments? You think cef will improve the speed?
> |
> | I did a "sh ip cef" and the list it returned was quite long. I
> | assume this is expected.
> |
>
> Well, depends on the size of your routing table. However, given that I see
> default routing below and assume no dynamic routing info, I would not
> expect a big CEF table at all. However, see my comments below which could
> explain a few things.
>
>
> |
> | -----------------------------------------------
> | Current configuration : 1407 bytes
> | !
> | version 12.2
> | service timestamps debug uptime
> | service timestamps log uptime
> | service password-encryption
> | !
> | hostname foo.webcoach.com
> | !
> | enable secret 5 $XXXXXXXX
> | enable password 7 XXXXXXXXXXXXXX
> | !
> | ip subnet-zero
> | ip cef
> | !
> | !
> | no ip domain-lookup
> | !
> | !
> | interface Null0
> | no ip unreachables
> | !
> | interface FastEthernet0/0
> | description inside
> | ip address X.X.X.190 255.255.255.192
> | no ip redirects
> | no ip unreachables
> | no ip proxy-arp
> | ip route-cache flow
> | no ip mroute-cache
> | speed 100
> | full-duplex
> | !
> | interface FastEthernet0/1
> | description outside
> | ip address X.X.X.205 255.255.255.252
> | speed 100
> | full-duplex
> | !
> | !
> | ip classless
> | ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
>
>
> Why are you default routing to an interface? That will cause all addresses
> to be ARP'd for. That would be a big load on the router. Point to the
> next-hop IP address of your provider (upstream).
>
>
> | no ip http server
> | ip pim bidir-enable
> | !
> | !
> | access-list 101 deny ip host 0.0.0.0 any
> | access-list 101 deny ip X.X.X.128 0.0.0.63 any
> | access-list 101 permit tcp any any established
> | access-list 101 permit tcp any any eq 22
> | access-list 101 permit tcp any any eq www
> | access-list 101 permit tcp any any eq 443
> | access-list 101 permit tcp any any eq 143
> | access-list 101 permit icmp any any
> | access-list 101 permit tcp any any range ftp-data ftp
> | access-list 101 permit tcp any any eq pop3
> | access-list 101 permit udp any host X.X.X.129 eq domain
> | access-list 101 permit tcp any host X.X.X.148 eq smtp
> | !
> | line con 0
> | line aux 0
> | line vty 0 4
> | password 7 141A1D01034507242E2772180D3928
> | login
> | !
> | !
>
>
> --
> bep
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
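The two configuration problems raised in this thread (a default route pointing at an interface instead of the upstream next-hop IP, and an extended ACL that is defined but no longer applied to any interface) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it runs over a constructed excerpt of the posted config, with addresses masked as in the post, and the `audit_ios_config` function and finding texts are my own.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (addresses masked as posted).
SAMPLE_CONFIG = """\
ip cef
interface FastEthernet0/0
 ip address X.X.X.190 255.255.255.192
 ip route-cache flow
interface FastEthernet0/1
 ip address X.X.X.205 255.255.255.252
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit tcp any any established
"""


def _is_ip(token):
    """True if the token parses as an IPv4/IPv6 address (a next hop), not an interface name."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_ios_config(text):
    """Return a list of findings for the issues discussed in the thread."""
    findings = []
    acls_defined = set()
    acls_applied = set()
    cef = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip cef":
            cef = True
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
        # Default route whose target is an interface: router must ARP for every destination.
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0" and not _is_ip(m.group(3)):
            findings.append(f"default route points at interface {m.group(3)}; "
                            "use the upstream next-hop IP address instead")
        m = re.match(r"access-list (\d+) ", line)
        if m:
            acls_defined.add(m.group(1))
        m = re.match(r"ip access-group (\S+) (in|out)", line)
        if m:
            acls_applied.add(m.group(1))
    # An ACL that exists but is applied nowhere filters nothing.
    for acl in sorted(acls_defined - acls_applied):
        findings.append(f"access-list {acl} is defined but not applied to any interface")
    if not cef:
        findings.append("ip cef is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```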