Educause Security Discussion mailing list archives

Cisco IOS Firewall CPU resource needs


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Fri, 5 Nov 2010 13:41:03 +0000


We've been using the Cisco IOS firewall feature set to inspect FTP traffic
and open dynamic holes in our default deny policy enforced by ACLs. It has
worked well for the past four years and router CPU has been running around
20% at full traffic load.

We recently changed our topology to include interfaces from National
LambdaRail. When we try to activate that new topology, router CPU
utilization maxes out. If the IOS FW inspection rule is deleted, CPU
utilization returns to normal.  We temporarily saw similar symptoms last
summer when we switched Internet providers but simply disabling and
re-enabling the inspection made the problem go away. No such luck this time.

Cisco is telling us that high CPU utilization is a characteristic of the IOS
FW feature and that we should upgrade to ASA or FWSM. My objection is that
it has been working fine using low CPU cycles for the past four years with
almost identical traffic. In addition, my understanding is that only the
selected traffic is inspected, which in our case consists only of FTP traffic,
and that volume is low. Finally, I would assume that only the FTP control
channel on port 21 needs to be inspected because all the port information
needed by the feature set to determine what dynamic ports to open is
contained on the control channel. Since control channel traffic is made up
of low-volume, well-defined ASCII command sets and response codes, I don't
understand how this could present significant CPU challenges.

We had originally been inspecting traffic on both the inside and outside
interfaces. With the new connections, we tried inspecting on all interfaces
(the new ones having almost no traffic) and, when we ran into the CPU
problem, tried inspecting on only the inside interface with all ACLs on that
interface. It did not help the problem.

We're running around 500Mb of total traffic through a 7600 series router.

Is anyone else using the IOS Firewall feature set and if so, can you comment
on your experience with performance?

We are looking at options to upgrade our firewall technology but we'd rather
do that in a designed manner rather than as a fix to a problem that has
suddenly arisen in a product that has previously worked fine and seems,
according to published documentation, not to be working as expected.

Thanks for any information.

-- 
Gary Flynn
Security Engineer
James Madison University
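The control-channel parsing that the post assumes an FTP-aware inspector performs, as an added Python example (not code from the post or from Cisco): it derives the data-channel pinholes from the PORT commands and 227 replies of a constructed FTP transcript and discards a PORT whose address differs from the control-channel client. The transcript, addresses and the address/port sanity checks are assumptions, not anything the post describes.

```python
import re
from dataclasses import dataclass

# Constructed control-channel transcript (not a real capture).
# "C" = client -> server, "S" = server -> client.
SAMPLE = [
    ("S", "220 ftp.example.com ready"),
    ("C", "USER anonymous"),
    ("S", "331 Password required"),
    ("C", "PASS guest@"),
    ("S", "230 Logged in"),
    ("C", "PORT 192,0,2,10,4,1"),          # active: client listens on 192.0.2.10:1025
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,7,209)."),  # server listens on :2001
    ("C", "PORT 203,0,113,9,4,2"),         # address is not the client: must be ignored
]

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

@dataclass(frozen=True)
class Pinhole:
    """One dynamic hole the inspector would open: src -> dst:dport (TCP)."""
    src: str
    dst: str
    dport: int

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227; None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        return None
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def derive_pinholes(transcript, client_ip, server_ip):
    """Walk the control channel and return the data-channel holes to open."""
    holes = []
    for direction, line in transcript:
        if direction == "C" and line.upper().startswith("PORT "):
            hp = parse_hostport(line)
            # Active mode: server connects to the client's advertised port.
            # Only accept the client's own address and an unprivileged port.
            if hp and hp[0] == client_ip and hp[1] > 1023:
                holes.append(Pinhole(server_ip, hp[0], hp[1]))
        elif direction == "S" and line.startswith("227"):
            hp = parse_hostport(line)
            # Passive mode: client connects to the server's advertised port.
            if hp and hp[0] == server_ip and hp[1] > 1023:
                holes.append(Pinhole(client_ip, hp[0], hp[1]))
    return holes
```

Everything the inspector needs is in these few ASCII lines; the data connections themselves never have to be parsed.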
