Educause Security Discussion mailing list archives

Re: Cisco IOS Firewall CPU resource needs


From: Josh Richard <jrichar4 () D UMN EDU>
Date: Fri, 5 Nov 2010 09:55:00 -0500

Hi Gary,

Is the ordering of the IOSFW rules sane?  Do you have an ip any any
established rule?  Did Cisco provide a rationale for why the ASA/FWSM
would be better?  Even 20% CPU to me would imply the IOSFW inspection
is process switched but Cisco should be able to confirm how the
traffic flow traverses the hardware/software interface on the 7600.
If you email me offline, I can recommend a TAC engineer who had a
strong working knowledge of the ASIC architecture and was helpful.

We run FWSM blades on 6509-VE/SUP 720 10G VSS and given the traffic
rates you have below (500M) would strongly recommend an ASA as the
FWSM has XLATE limitations and an easy to exceed ruleset limit once
the policy is expanded.  In general, we are migrating away from
specialized service modules in our 6Ks (WiSM -> 5508, FWSM -> ASA) to
retain the highest degree of freedom to replace the core eventually
(Nexus 7K?).  That tradeoff analysis is worth considering as the FWSM
is getting long on the tooth.

Regards,

Josh Richard
University of Minnesota Duluth



On Fri, Nov 5, 2010 at 8:41 AM, Flynn, Gary - flynngn <flynngn () jmu edu> wrote:

We've been using the Cisco IOS firewall feature set to inspect FTP traffic
and open dynamic holes in our default deny policy enforced by ACLs. It has
worked well for the past four years and router CPU has been running around
20% at full traffic load.

We recently changed our topology to include interfaces from National
LambdaRail. When we try to activate that new topology, router CPU
utilization maxes out. If the IOS FW inspection rule is deleted, CPU
utilization returns to normal.  We temporarily saw similar symptoms last
summer when we switched Internet providers but simply disabling and
re-enabling the inspection made the problem go away. No such luck this time.

Cisco is telling us that high CPU utilization is a characteristic of the IOS
FW feature and that we should upgrade to ASA or FWSM. My objection is that
it has been working fine using low CPU cycles for the past four years with
almost identical traffic. In addition, my understanding is that only the
selected traffic is inspected which in our case consists only of FTP traffic
and that volume is low. Finally, I would assume that only the FTP control
channel on port 21 needs to be inspected because all the port information
needed by the feature set to determine what dynamic ports to open is
contained on the control channel. Since control channel traffic is made up
of low volume, well defined ASCII command sets and response codes I don't
understand how this could present significant CPU challenges.

We had originally been inspecting traffic on both the inside and outside
interfaces. With the new connections, we tried inspecting on all interfaces
(the new ones having almost no traffic) and when we ran into the CPU
problem, tried inspecting on only the inside interface with all ACL on that
interface. It did not help the problem.

We're running around 500Mb of total traffic through a 7600 series router.

Is anyone else using the IOS Firewall feature set and if so, can you comment
on your experience with performance?

We are looking at options to upgrade our firewall technology but we'd rather
do that in a designed manner rather than as a fix to a problem that has
suddenly arisen in a product that has previously worked fine and seems,
according to published documentation, not to be working as expected.

Thanks for any information.
--
Gary Flynn
Security Engineer
James Madison University
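As an added illustration of the point Gary makes above (that the FTP control channel on port 21 carries everything an inspection engine needs to decide which dynamic data ports to open), here is a small Python model of that inspection step. It is example code written for this archive page, not code from the thread, from Cisco, or from the IOS firewall feature set. It assumes a constructed control-channel transcript using documentation addresses (192.0.2.10 as the client, 198.51.100.7 as the server), and it applies the sanity checks a typical inspection engine performs before opening a pinhole: the address in a PORT command must be the client's own address, the address in a 227 passive reply must be the server's own address, and the data port must be above 1023. Lines that fail those checks are returned separately so a defender can see what would have been logged rather than permitted.

```python
"""Toy model of FTP control-channel inspection: derive data-channel pinholes
from PORT commands and 227 passive-mode replies.  Example code, not the
IOS firewall implementation."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Client -> server: "PORT h1,h2,h3,h4,p1,p2" (active mode; server connects back
# to the client from port 20).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Server -> client: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (passive
# mode; client connects to the server on the advertised port).
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One dynamic permit the inspector would add for the upcoming data connection."""
    mode: str                 # "active" or "passive"
    src_ip: str
    src_port: Optional[int]   # None means any source port
    dst_ip: str
    dst_port: int


def _decode_hostport(groups) -> Tuple[str, int]:
    """Turn the six comma-separated decimal fields into (ip, port); reject
    out-of-range octets instead of silently computing a bogus port."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_control_channel(lines, client_ip: str, server_ip: str):
    """Walk (direction, line) pairs from one control session.  direction is
    "c2s" (client to server) or "s2c" (server to client).  Returns the
    pinholes that would be opened and the lines that were rejected."""
    pinholes: List[Pinhole] = []
    rejected: List[str] = []
    for direction, line in lines:
        if direction == "c2s":
            m = PORT_RE.match(line)
            if not m:
                continue                    # ordinary command, nothing to open
            mode, expected_ip = "active", client_ip
        else:
            m = PASV_RE.match(line)
            if not m:
                continue                    # ordinary reply, nothing to open
            mode, expected_ip = "passive", server_ip
        try:
            ip, port = _decode_hostport(m.groups())
        except ValueError:
            rejected.append(line)
            continue
        # Sanity checks (assumed, typical of inspection engines): the advertised
        # address must belong to the peer that sent it, and the port must be
        # an unprivileged one.  Anything else gets no pinhole.
        if ip != expected_ip or port <= 1023:
            rejected.append(line)
            continue
        if mode == "active":
            pinholes.append(Pinhole("active", server_ip, 20, ip, port))
        else:
            pinholes.append(Pinhole("passive", client_ip, None, ip, port))
    return pinholes, rejected


# Constructed sample session (not captured traffic).  Note how little text the
# inspector actually has to look at per transfer.
SAMPLE_SESSION = [
    ("s2c", "220 ftp.example.edu FTP server ready"),
    ("c2s", "USER anonymous"),
    ("s2c", "331 Please specify the password."),
    ("c2s", "PASS guest@"),
    ("s2c", "230 Login successful."),
    ("c2s", "PORT 192,0,2,10,4,1"),                    # client listens on 192.0.2.10:1025
    ("s2c", "200 PORT command successful."),
    ("c2s", "LIST"),
    ("s2c", "150 Here comes the directory listing."),
    ("s2c", "226 Directory send OK."),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (198,51,100,7,195,80)."),  # server listens on :50000
    ("c2s", "RETR file.bin"),
    ("c2s", "PORT 203,0,113,9,4,2"),                   # not the client's address: rejected
    ("c2s", "PORT 192,0,2,10,300,1"),                  # malformed field: rejected
    ("c2s", "QUIT"),
]

if __name__ == "__main__":
    holes, bad = inspect_control_channel(SAMPLE_SESSION, "192.0.2.10", "198.51.100.7")
    for h in holes:
        print(f"{h.mode:7s} permit {h.src_ip}:{h.src_port or 'any'} -> {h.dst_ip}:{h.dst_port}")
    for line in bad:
        print(f"rejected: {line}")
```

Running it on the sample session yields two pinholes (the active-mode connection from the server's port 20 to the client's port 1025, and the passive-mode connection to the server's port 50000) and two rejected lines. The work per transfer is a regular-expression match on one short ASCII line in each direction, which is the reason the low-volume control channel should not by itself explain a saturated router CPU; where the rejections come from is also what you would want to see in an inspection audit trail when diagnosing unexpected behaviour.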

