Cisco Support Community
Community Member

IOS Firewall on a Cisco Router adds heavy CPU load

We have a Cisco 7204VXR (NSE-1) processor, connecting to the Internet, running enterprise IOS with the firewall feature set. It has 256DRAM installed and six serial interfaces. When we tried to implement tcp inspect on two serial interfaces, we found out that the CPU load increased by over 30 percent.

CPU load before tcp inspect:

CPU utilization for five seconds: 7%/7%; one minute: 11%; five minutes: 13%

CPU load after tcp inspect:

CPU utilization for five seconds: 49%/49%; one minute: 50%; five minutes: 47%

This rise was too much and forced us to remove tcp inspect from both interfaces.

My question is whether this behaviour is normal, and what can be done to implement TCP intercept (upgrade?) without pressing the router's operation too much?

Thank you

4 REPLIES
Community Member

Re: IOS Firewall on a Cisco Router adds heavy CPU load

I use CBAC and have also noticed some performance degradation. I think that's normal because the router now has to do more work. In your situation, you might consider letting your router just do routing and add a PIX for firewalling. You'll probably notice a significant improvement in performance.

Community Member

Re: IOS Firewall on a Cisco Router adds heavy CPU load

Do you use CEF or Netflow switching?

Community Member

Re: IOS Firewall on a Cisco Router adds heavy CPU load

We use CEF switching

Community Member

Re: IOS Firewall on a Cisco Router adds heavy CPU load
