[c-nsp] 2851 throughput / guidance

Matthew Marlowe matt at deploylinux.net
Tue Feb 27 22:50:51 EST 2007


>> Is the IPS being done with the IPS module, or by the router CPU itself?

The existing hw module for the ISRs was IDS only, not IPS, last I checked.
So, yes, IPS gets done by the router CPU -- but you can apply access
lists to finely control what traffic gets inspected, control what IPS signatures
are checked, and most of the packets going through IPS stay fast switched.
So, if you pay careful attention you can set whatever level of IPS inspection
you want and therefore control the impact on performance.

Unfortunately, the IOS IPS feature set does seem to trail the appliance software
unless you're willing to run unstable code.  And, the IPS management tools claim 
to support IOS IPS but perform rather badly unless you're willing to use SDM :)

>> That seems like it'd be a CPU killer if anything would be.  From what
>> the performance doc says for process and fast switched pps, the 2851 is
>> pretty close to an NPE-225.  If you equate CPU power to process-switched
>> PPS, the 2851 should be a little faster than a 3660.
>> 

And I have vague memories from the past about having to disable some ACLs on
a 3662 to handle 80-100Mbps traffic flows... We had ~4 BGP feeds then.
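
The ACL-scoped inspection described in this message could look like the following sketch. It is an added example, not configuration from the original post; it assumes the classic IOS IPS syntax of the 12.3(8)T / early 12.4 signature format, and the ACL number, rule name, addresses, interface and the signature chosen are all placeholders.

```cisco-ios
! Constructed example: every address, name and number here is a placeholder.
!
! ACL used only to select traffic for IPS. A "permit" means the packet is
! scanned; a "deny" means it bypasses IPS (it is not dropped by this ACL).
access-list 120 remark Select traffic for IPS inspection
access-list 120 deny   ip 192.0.2.0 0.0.0.255 any
access-list 120 permit tcp any host 198.51.100.10 eq www
access-list 120 permit tcp any host 198.51.100.10 eq smtp
! Implicit deny: everything else skips IPS and costs no inspection CPU.
!
! Tie the rule to the ACL so only the selected flows reach the signature engines.
ip ips name EDGE-IPS list 120
!
! Turn off a signature that is not relevant on this link to cut per-packet work.
ip ips signature 1107 0 disable
!
! Inspect inbound on the outside interface only.
interface GigabitEthernet0/0
 ip ips EDGE-IPS in
```

Comparing `show ip ips statistics` and `show processes cpu` before and after narrowing the ACL shows how much of the load the inspection accounts for.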

