Educause Security Discussion mailing list archives
Re: Cisco IOS Firewall CPU resource needs
From: Josh Richard <jrichar4 () D UMN EDU>
Date: Fri, 5 Nov 2010 09:55:00 -0500
Hi Gary,

Is the ordering of the IOSFW rules sane? Do you have an ip any any established rule? Did Cisco provide a rationale for why the ASA/FWSM would be better? Even 20% CPU to me would imply the IOSFW inspection is process switched, but Cisco should be able to confirm how the traffic flow traverses the hardware/software interface on the 7600. If you email me offline, I can recommend a TAC engineer who had a strong working knowledge of the ASIC architecture and was helpful.

We run FWSM blades on 6509-VE/SUP 720 10G VSS and, given the traffic rates you have below (500M), would strongly recommend an ASA, as the FWSM has XLATE limitations and an easy-to-exceed ruleset limit once the policy is expanded.

In general, we are migrating away from specialized service modules in our 6Ks (WiSM -> 5508, FWSM -> ASA) to retain the highest degree of freedom to replace the core eventually (Nexus 7K?). That tradeoff analysis is worth considering as the FWSM is getting long in the tooth.

Regards,
Josh Richard
University of Minnesota Duluth

On Fri, Nov 5, 2010 at 8:41 AM, Flynn, Gary - flynngn <flynngn () jmu edu> wrote:
We've been using the Cisco IOS firewall feature set to inspect FTP traffic and open dynamic holes in our default deny policy enforced by ACLs. It has worked well for the past four years and router CPU has been running around 20% at full traffic load.

We recently changed our topology to include interfaces from National LambdaRail. When we try to activate that new topology, router CPU utilization maxes out. If the IOS FW inspection rule is deleted, CPU utilization returns to normal. We temporarily saw similar symptoms last summer when we switched Internet providers, but simply disabling and re-enabling the inspection made the problem go away. No such luck this time.

Cisco is telling us that high CPU utilization is a characteristic of the IOS FW feature and that we should upgrade to ASA or FWSM. My objection is that it has been working fine using low CPU cycles for the past four years with almost identical traffic. In addition, my understanding is that only the selected traffic is inspected, which in our case consists only of FTP traffic, and that volume is low. Finally, I would assume that only the FTP control channel on port 21 needs to be inspected, because all the port information needed by the feature set to determine what dynamic ports to open is contained on the control channel. Since control channel traffic is made up of low volume, well defined ASCII command sets and response codes, I don't understand how this could present significant CPU challenges.

We had originally been inspecting traffic on both the inside and outside interfaces. With the new connections, we tried inspecting on all interfaces (the new ones having almost no traffic) and, when we ran into the CPU problem, tried inspecting on only the inside interface with all ACLs on that interface. It did not help the problem.

We're running around 500Mb of total traffic through a 7600 series router. Is anyone else using the IOS Firewall feature set and, if so, can you comment on your experience with performance?

We are looking at options to upgrade our firewall technology, but we'd rather do that in a designed manner rather than as a fix to a problem that has suddenly arisen in a product that has previously worked fine and seems, according to published documentation, not to be working as expected.

Thanks for any information.

--
Gary Flynn
Security Engineer
James Madison University
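For readers unfamiliar with the setup being discussed, here is a constructed IOS CBAC configuration (not from either poster) that matches what Gary describes and Josh's first two questions: inspection limited to the FTP control channel, a default-deny ACL on the outside interface that inspection punches dynamic holes into, and an `established` entry placed ahead of the deny. Interface names, ACL names and the inside/outside placement are assumptions.

```cisco
! Constructed example, not the configuration from the thread.
! Inspect only FTP: CBAC parses the port-21 control channel (PORT/PASV)
! and adds temporary permit entries for the negotiated data ports.
ip inspect name FTP-ONLY ftp
!
! Default-deny inbound ACL on the outside interface.
! The established line matches return TCP segments (ACK or RST set) before
! anything else is evaluated. Caveat: it is a stateless flag check, not a
! session table, so it is a fast path for replies, not a substitute for
! inspection; active-mode FTP data connections (server-initiated SYN) still
! depend on the dynamic entries CBAC inserts at the top of this ACL.
ip access-list extended OUTSIDE-IN
 permit tcp any any established
 deny   ip any any log
!
interface GigabitEthernet1/1
 description Outside (provider uplink) - assumed name
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet1/2
 description Inside - assumed name
 ! Inspect sessions as they leave the inside network; the replies are
 ! admitted through OUTSIDE-IN by the dynamic entries, or by 'established'.
 ip inspect FTP-ONLY in
!
! Checks to run when CPU climbs after enabling inspection:
!   show processes cpu sorted    - which process is busy
!   show ip inspect sessions     - how many sessions inspection is tracking
!   show ip inspect statistics   - per-protocol counters
```

If `show ip inspect sessions` shows far more entries than the expected handful of FTP control sessions, inspection is tracking more than the control channel and the ACL ordering or inspect placement is the first thing to revisit.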
Current thread:
- Cisco IOS Firewall CPU resource needs Flynn, Gary - flynngn (Nov 05)
- Re: Cisco IOS Firewall CPU resource needs Josh Richard (Nov 05)
- Re: Cisco IOS Firewall CPU resource needs Flynn, Gary - flynngn (Nov 05)
- Re: Cisco IOS Firewall CPU resource needs Josh Richard (Nov 05)