[c-nsp] 2611xm slowed to crawl, ip based filter...

Rodney Dunn rodunn at cisco.com
Wed Sep 8 16:30:46 EDT 2004


On Wed, Sep 08, 2004 at 12:57:31PM -0700, Jeff Johnson wrote:
> Cisco Internetwork Operating System Software
> IOS (tm) C2600 Software (C2600-I-M), Version 12.2(8)T5,  RELEASE SOFTWARE (fc1)
> TAC Support: http://www.cisco.com/tac
> Copyright (c) 1986-2002 by cisco Systems, Inc.
> Compiled Fri 21-Jun-02 08:50 by ccai
> Image text-base: 0x80008074, data-base: 0x80A2BD40
> 
> ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
> 
> foo uptime is 52 weeks, 20 hours, 22 minutes
> System returned to ROM by power-on
> System image file is "flash:c2600-i-mz.122-8.T5.bin"
> 
> cisco 2611XM (MPC860P) processor (revision 0x100) with 125952K/5120K bytes of memory.
> Processor board ID JAE071600ZR (2259015818)
> M860 processor: part number 5, mask 2
> Bridging software.
> X.25 software, Version 3.0.0.
> 2 FastEthernet/IEEE 802.3 interface(s)
> 32K bytes of non-volatile configuration memory.
> 16384K bytes of processor board System flash (Read/Write)
> 
> Configuration register is 0x2102

Ok..I just tested it and by default the ACL lookup wasn't
accelerated.  You have netflow on the inbound interface
so any packet coming in will bypass lookups after the first
packet for a flow.  Turn on NETFLOW for the interface you put
the ACL under.

> 
> 
> and is it safe to change the default route remotely over ssh?
> 
> conf t
> ip route 0.0.0.0 0.0.0.0 X.X.X.206 0.0.0.3
> no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
> end

You should just do:

ip route 0.0.0.0 0.0.0.0 <nexthopip>
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1


To make it safe do it this way:

a) save the config as is
b) reload in 2   /* that will reload in 2 minutes*/
c) make change
d) if you are still in after the change do "reload cancel"
e) if not, it will reload in 2 minutes on its own and come
   back up with the old config.

> 
> like this,  I wouldn't want to lose connectivity of course.
> 
> Then if this is successful how to go about flushing the cef and arp tables?
>

'clear arp' and 'clear ip cache' are all you need to do.

> 
> Thanks Much,
> -Jeff
> 
> On Sep 8, 2004, at 12:45 PM, Rodney Dunn wrote:
> 
> > What version of 12.2 is this?
> > I'd like to run a quick test to see
> > if in this code the netflow policy acceleration
> > is on.  That way for a given flow you only
> > do the ACL lookup on the first packet.
> >
> > Bruce is right.  Change that default because
> > you force the next hop to proxy for every single
> > destination you try to reach which is a very
> > bad thing.
> >
> > Rodney
> >
> >
> > On Wed, Sep 08, 2004 at 12:32:44PM -0700, Bruce Pinsky wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Jeff Johnson wrote:
> >>
> >> | Right, Sorry,
> >> |
> >> | here is the full config:
> >> |
> >> | So I cleaned it up a little bit and made it less restrictive.
> >> |
> >> | I ran nessus last night and again things slowed to a crawl.  I think
> >> | nessus created a dos.
> >> |
> >> | I turned on ip cef this morning, but disabled all of the access-lists
> >> | just to be sure things would just work, as things were terribly slow.  I
> >> | will probably test this out later this afternoon.
> >> |
> >> | Any comments?  You think cef will improve the speed?
> >> |
> >> | I did a "sh ip cef" and the list it returned was quite long.  I
> >> | assume this is expected.
> >> |
> >>
> >> Well, depends on the size of your routing table.  However, given that I see
> >> default routing below and assume no dynamic routing info, I would not
> >> expect a big CEF table at all.  However, see my comments below which could
> >> explain a few things.
> >>
> >>
> >> |
> >> | -----------------------------------------------
> >> | Current configuration : 1407 bytes
> >> | !
> >> | version 12.2
> >> | service timestamps debug uptime
> >> | service timestamps log uptime
> >> | service password-encryption
> >> | !
> >> | hostname foo.webcoach.com
> >> | !
> >> | enable secret 5 $XXXXXXXX
> >> | enable password 7 XXXXXXXXXXXXXX
> >> | !
> >> | ip subnet-zero
> >> | ip cef
> >> | !
> >> | !
> >> | no ip domain-lookup
> >> | !
> >> | !
> >> | interface Null0
> >> |  no ip unreachables
> >> | !
> >> | interface FastEthernet0/0
> >> |  description inside
> >> |  ip address X.X.X.190 255.255.255.192
> >> |  no ip redirects
> >> |  no ip unreachables
> >> |  no ip proxy-arp
> >> |  ip route-cache flow
> >> |  no ip mroute-cache
> >> |  speed 100
> >> |  full-duplex
> >> | !
> >> | interface FastEthernet0/1
> >> |  description outside
> >> |  ip address X.X.X.205 255.255.255.252
> >> |  speed 100
> >> |  full-duplex
> >> | !
> >> | !
> >> | ip classless
> >> | ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
> >>
> >>
> >> Why are you default routing to an interface?  That will cause all addresses
> >> to be ARP'd for.  That would be a big load on the router.   Point to the
> >> next-hop IP address of your provider (upstream).
> >>
> >>
> >> | no ip http server
> >> | ip pim bidir-enable
> >> | !
> >> | !
> >> | access-list 101 deny   ip host 0.0.0.0 any
> >> | access-list 101 deny   ip X.X.X.128 0.0.0.63 any
> >> | access-list 101 permit tcp any any established
> >> | access-list 101 permit tcp any any eq 22
> >> | access-list 101 permit tcp any any eq www
> >> | access-list 101 permit tcp any any eq 443
> >> | access-list 101 permit tcp any any eq 143
> >> | access-list 101 permit icmp any any
> >> | access-list 101 permit tcp any any range ftp-data ftp
> >> | access-list 101 permit tcp any any eq pop3
> >> | access-list 101 permit udp any host X.X.X.129 eq domain
> >> | access-list 101 permit tcp any host X.X.X.148 eq smtp
> >> | !
> >> | line con 0
> >> | line aux 0
> >> | line vty 0 4
> >> |  password 7 141A1D01034507242E2772180D3928
> >> |  login
> >> | !
> >> | !
> >>
> >>
> >> - --
> >> =========
> >> bep
> >>
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.2.2 (MingW32)
> >>
> >> iD8DBQFBP15cE1XcgMgrtyYRAqVUAKDP7Aj7lS1NBXg7f+Sm8Kr6j07iRQCdHeME
> >> Xb/NIEQL3Ud0T9dL8ES2pBE=
> >> =wZz5
> >> -----END PGP SIGNATURE-----
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
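The change sequence Rodney lays out above (save, arm a timed reload, swap the default route to the next hop, cancel the reload, flush ARP and the CEF/fast-switching cache), written out as one IOS CLI session. This is an added example and not part of the thread: the hostname `foo` is taken from Jeff's config, X.X.X.206 is assumed to be the provider's address on the /30 that FastEthernet0/1 sits on, and applying access-list 101 inbound on the outside interface (with `ip route-cache flow` on that same interface, per Rodney's netflow advice) is an assumption drawn from the ACL's deny of the inside prefix.

```text
! Added example: safe remote change of the default route on the 2611XM.
! Lines starting with "!" are comments.  X.X.X.206 = assumed upstream next hop.

! a) save the known-good config so a forced reload brings it back
foo# copy running-config startup-config

! b) arm the safety net: unattended reload in 2 minutes unless cancelled
foo# reload in 2
Proceed with reload? [confirm]

! c) add the next-hop default BEFORE removing the interface default,
!    so there is never a moment with no default route at all
foo# configure terminal
foo(config)# ip route 0.0.0.0 0.0.0.0 X.X.X.206
foo(config)# no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

! netflow on the interface that carries the ACL (assumed: 101 inbound on outside),
! so only the first packet of each flow pays for the ACL lookup
foo(config)# interface FastEthernet0/1
foo(config-if)# ip route-cache flow
foo(config-if)# ip access-group 101 in
foo(config-if)# end

! d) still connected, so disarm the timed reload
foo# reload cancel

! flush stale ARP entries learned while defaulting to the interface,
! and the switching cache that still points at them
foo# clear arp
foo# clear ip cache

! verify, then commit the new config
foo# show ip route 0.0.0.0
foo# show ip arp
foo# copy running-config startup-config
```

Two caveats a practitioner would want: `reload in` silently discards unsaved changes when it fires, which is exactly why step (a) comes first and why the final `copy running-config startup-config` must not be skipped once the change is confirmed working; and 2 minutes is a tight window over a slow SSH session, so it is common to arm `reload in 5` and cancel early rather than race the timer.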

