Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member



i learned today the IPS-NME-K9 modules for the 29er routers are EoL. We are using a bunch of them on our edge router facing to our mpls backbone. We were told to use the IOS based IPS solution. I believe the performace will not be the same as with the Hardware moduls. Does anybody can provide us with some numbers regarding performace and functionality?

thanks in advanced


Community Member


As you might know, both the NME module and the 2900 router series have a 75Mpbs throughtput, so,

theoretically throuhgput will be the same if you move to IOS IPS.

In practice, well, that'll depend on how much traffic traverses the router at any given time and the functions it performs,

not to mention to the processing resources available.

As you might also know, the IPS AIM and IPS NME have their own CPUs and DRAMs for all IPS functions.

They offload router CPU from processor-intensive tasks such as deep packet inspection from the host router.

The following was taken from a Q&A document :

Q. What are the differences between the Cisco IPS modules and Cisco IOS IPS?

A. Following are some of the major differences between the Cisco IPS AIM and IPS NME and Cisco IOS IPS:

•  Cisco IPS AIM and IPS NME have dedicated CPU and DRAM to offload IPS  processing, whereas Cisco IOS IPS shares router resources with other  processes.

• Cisco IPS AIM and IPS NME support both inline and promiscuous mode, whereas Cisco IOS IPS supports only inline mode.

•  Cisco IPS AIM and IPS NME can support all Cisco IPS signatures that are  not retired by default, whereas Cisco IOS IPS can support only a user  configurable subset.

•  Cisco IPS AIM and IPS NME run Linux-based Cisco IPS Sensor Software,  whereas Cisco IOS IPS runs a Cisco IOS Software-based IPS code.

This too:

Lightweight Signature Engines for HTTP, SMTP and  FTP protocol signatures and Regular Expression Table chaining available  also in 15.0(1)M Release

Memory efficient traffic scanning for attack signatures consuming less memory on the router.

Capability to provide protection for larger number of common threats and vulnerabilities.

Finally, a comparison between the module and the software-based version. Not sure if this is still a valid document, i believe it's from 2007.

It has some good points though.

Couldn't find any information about performance comparison under the same circumstances, i guess it will be a good idea to begin the migration with a couple of sites and compare performance of the units.

CreatePlease to create content