IOS Firewall on a Cisco Router adds heavy CPU load
We have a Cisco 7204VXR (NSE-1 processor) connected to the Internet, running Enterprise IOS with the firewall feature set. It has 256 MB DRAM installed and six serial interfaces. When we tried to implement TCP inspect on two serial interfaces, we found that the CPU load increased by over 30 percent.
CPU load before tcp inspect:
CPU utilization for five seconds: 7%/7%; one minute: 11%; five minutes: 13%
CPU load after tcp inspect:
CPU utilization for five seconds: 49%/49%; one minute: 50%; five minutes: 47%
This rise was too much and forced us to remove TCP inspect from both interfaces.
My question is whether this behaviour is normal and what can be done to implement TCP intercept (upgrade?) without putting too much pressure on the router's operation?
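As an added example, not configuration from the original post, this is the kind of CBAC setup the question is describing, together with the commands used to measure its cost. Note that IOS "TCP inspect" (CBAC, `ip inspect`) and TCP Intercept (`ip tcp intercept`) are two distinct features; the CPU figures quoted above come from CBAC inspection. The interface name, the inspection rule name, the ACL numbers and the protected subnet are assumptions.

```cisco
! CBAC stateful inspection rule; the rule name FWRULE is an assumption
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
! Inbound ACL on the Internet-facing link: drop everything for which CBAC
! has not dynamically opened a return entry (ACL number is an assumption)
access-list 101 deny ip any any log
!
interface Serial1/0
 description Internet uplink (assumed interface)
 ip access-group 101 in
 ip inspect FWRULE out
!
! Take the same readings before and after enabling inspection, at least
! five minutes apart, and compare the one- and five-minute averages
show processes cpu sorted
show ip inspect sessions
show ip inspect statistics
!
! TCP Intercept, the separately named SYN-flood protection, is a different
! feature and is enabled like this (subnet and ACL number are assumptions)
access-list 102 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 102
ip tcp intercept mode watch
```

`show processes cpu sorted` shows which process carries the extra load; on a software-forwarded platform such as the NSE-1 the inspection work appears in the IP input path, which is why the "five seconds" interrupt figure (the number after the slash) rises together with the total.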
Re: IOS Firewall on a Cisco Router adds heavy CPU load
I use CBAC and have also noticed some performance degradation. I think that's normal because the router now has to do more work. In your situation, you might consider letting your router just do routing and add a PIX for firewalling. You'll probably notice a significant improvement in performance.