Just been upgraded to 50Mbps Broadband, but I can only achieve 22Mbps with IPS enabled.
Is this a known problem?
Is there a work around, instead of just disabling IPS?
Clearly if I can't get this fixed I'll be going elsewhere for my router :(
OK, so let me get this straight, a guy in his home office (i.e. me!) has determined that the throughput with IPS is approx 20 Mbps... Shouldn't this be the other way round? That is, Cisco (a multinational company with more resource and understanding) be informing its customers (in the spec/data sheet) of the throughput?!
Anyway, since it looks like I'm going to be stuck with this router for a while longer (until I determine the throughput of a competitor product), can someone let me know what are the actual benefits of IPS and possibly a scenario where the IPS comes into effect?
After reading such articles as: http://www.networkworld.com/columnists/2003/0804snyder.html I'm none the wiser to why I need IPS, but the "fear factor" is the selling point as ever!
If I disable the IPS is there a software/hardware alternative that I can use that will not have the same performance penalty?
While IPS in the WRVS4400N uses signature files you update periodically to the router to provide detection (and prevention) against an anomaly, there is a network (in the cloud) service this router is eligible for which prevents sites with bad reputation (known to distribute worms, spybots and viruses) from connecting to any client behind the router. It also has URL Filtering by category (66 categories so you don't have to manually type URLs) and Email SPAM prevention. It's called Trend Micro's Protect Link Gateway (in the cloud) service (since WRVS4400N FW version 1.1.13 and later).
The cisco.com WRVS4400N FAQ found here has the following information:
1. What is Trend Micro Web Protection used for?
Use Web Protection to manage and protect employee Internet use by blocking access to non-work-related and malicious Web sites.
2. What is Trend Micro InterScan Messaging Hosted Security (IMHS)?
Trend Micro InterScan Messaging Hosted Security is a hosted email security service that can benefit any size organization. We provide the hardware, software, and messaging expertise to cleanse your email of spam, viruses, worms, Trojans, and phishing (identity theft) attacks. The cleaned mail stream is sent directly to your mail server for final delivery to your end users. To use this service you must manage and have administrative access to your own SMTP server. Please have the domain/IP information ready during the registration process.
3. How do I get the ProtectLink Service?
First you must have a Supported Linksys Router that works with this service (Currently this is only the RV042 but will soon include many of our Business Class Routers, keep checking the Linksys website for firmware updates if you have a router not currently included on the list), then purchase a Registration key from a Linksys approved retailer. After you have a Registration key you can log into your router's interface, go to the Security Protection tab and you should have a link from there to sign up for the service.
4. How much does the Trend Micro service cost?
Trend Micro InterScan Messaging Hosted Security is sold in 5 seat and 25 seat increments on an annual payment plan. Please contact Sales or a Local/Online Retailer for exact pricing.
5. How long does the initial setup of the Trend Micro service take?
If just registering for the Web Protection service, it can take up to 24 hours to activate your account through Trend Micro. You should receive an email containing your account information and instructions on managing your account.
Once this portion is active, if you chose to sign up for the IMHS Service during Registration it can take up to another 24-48 hours to receive your account information and instructions on managing this service as well. Once your IMHS account is active it may take an additional 24 hours to update your MX record.
6. My Router is listed but I do not have the Security Protection Tab within the Web UI?
Please go to www.linksys.com/download and upgrade to the latest firmware.
7. I already signed up for the Web Protection service but now I want to use the IMHS service as well. How do I add it?
In order to activate the IMHS Service after initial registration please contact Trend Micro Support at email@example.com with your SMTP server domain/IP information.
8. How do I begin using the IMHS service? Do I need to install, configure, or maintain anything?
A simple redirection of your Mail exchange (MX) record is all that is needed to start the service. Your email is processed by the Trend Micro InterScan Messaging Hosted Security to remove spam, viruses, worms, Trojans, and Phishing attacks; the clean messages are then sent directly to your mail server. This process can be activated either through the Initial Trend Micro Registration or through contacting firstname.lastname@example.org if you have already activated the Web Protection Portion of the service.
9. What level of Web Reputation should I choose?
Security Level: The higher the security level, the more URLs that are known or suspected to be a Web threat will be blocked.
a. High - Blocks a greater number of Web threats but increases the risk of false positives.
b. Medium - Blocks most Web threats and does not create too many false positives. This is the recommended setting.
c. Low - Blocks fewer Web threats but reduces the risk of false positives.
So basically the router has a feature that sucks 97,5% of the throughput capacity out of the router (that's ninety-seven-and-a-half percent)? Doesn't it sound like this IPS feature needs some performance attention from the developers? I mean now that 50Mb and 100Mb broadband connections are becoming more and more common, the feature should at least be able to support those kinds of connections.
I've disabled my IPS for now.
Yep, that pretty much sums it up.
I've got IPS enabled most of the time, unless I need to do a big download and need the extra bandwidth.
Totally concur, the cisco devs need to rethink this, especially since 100Mbps is on the horizon for my area too... It's rather hilarious that they have posted the figure of throughput with IPS disabled, but fail to mention what it is with IPS enabled...
Have you heard anything from the Product Manager?
I'm mainly interested in if it's considered to be working as designed or if there's any chance of performance improvements in later firmware releases.
I've not heard anything new regarding this, but I'm kinda assuming that it won't be fixed and instead looking for a replacement, which is pretty sad.
Anyone from cisco care to comment?
Could you check for us if URL blocking affects bandwidth. We updated our unit with firmware 22.214.171.124 and our contract bandwidth with ISP is 100Mbps.
The scenario that we are experiencing now are as follows:
1. Enable IPS and URL blocking, we'll get 22Mbps.
2. Disable IPS and enable URL blocking, we'll get 39Mbps.
3. Disable both IPS and URL blocking, we'll get 100+Mbps.
Thanks in advance.
Although 20Mbps of throughput when IPS is enabled does not meet the requirement of the 50Mbps internet pipe, the price/performance ratio of $130/20Mbps should be very competitive in the market.
It appears if you do the above procedure and turn OFF the IPS - it will break firewall port forwarding. Now if you don't use any custom ports to port forward, this isn't an issue. BUT, if you do (as we often do) - it will break them and won't work. Again - this only affects CUSTOM FIREWALL PORTS (ie: non standard ports, like mapping a port to 15000 or similar) and turning off IPS. You could leave ON IPS and this is a non-issue.
I am sorry to hear about the problem you found and thanks for sharing it with everyone.
I do think you should report the problem with a formal TAC case so it can be resolved.
You know honestly, I don't see that as much of an issue for its price point. Competitive products from Sonicwall, Watchguard, Fortinet etc, cost more than this box, and have equivalent or lower throughput when enabling the full UTM capabilities. I think if you're looking for something that can handle 50Mbps, then you're probably looking at something more enterprise class such as an ASA or ISR Router. I haven't seen anything from any vendor that can push that bandwidth for this price point.
given the appearance of wrvs4400n V2 and its latest firmware, is there any improvement in this dimension of quality?
And curiously, why is this fact buried in this forum? I went through the site section on this product, tried the chat and 8xx # with no success but eventually slogged through to find this post. Such a significant performance number ought not to be buried unless it is a "dirty little secret".
The fact that signature analysis impacts performance is one which all vendors face with IPS implementation and we, Cisco, do advertise this in the data sheet (reduced performance when IPS is enabled).
As you probably know, the operational profile of any unit under test will impact performance and it is difficult to narrow in on any one profile that we could assume everyone would use, but in the case of IPS, it is a BIG impact.
Hope this helps a little.
I think the fact that we have this forum and are willing to discuss virtually everything with our Partners should show everyone that we don't keep secrets, or at least we don't try to by any stretch.
SE in Sales
I see this thread still gets the odd response and similar reaction to what I first had.
I'm still using the WRVS4400N as I still believe it is a good router and I still disable IPS when I need the extra download speed for gigabyte downloads etc., but it would be good to know if the V2 model still has the same 30 Mbps degradation as the V1 model.
Can any one (Cisco) confirm the actual numbers for IPS enabled/disabled on the version 2 WRVS4400N?
this is a simple question - given the answer above for earlier version of the hardware, could you please provide the corresponding result for v2? feel free to use the same scenario so it is apples to apples.
of course IPS reduces throughput! computers are not infinitely fast etc. but we want to know the true cost. is the new hardware any better?
until I saw the number above, the closest thing I had to a number was from phn's review of a rvs4000, giving upstream 530mbps, downstream 15.9 mbps, total 525.6 mbps. Those numbers made me think this was a wireless router totally designed for web servers (which sounds really odd as a web server would not need wireless abilities!)
you are close to making a sale, why be squirrely about this? the best customer is the one who can make an informed decision up front instead of being angry afterward.
Well I am happy we are close to a sale, cause I am a Systems Engineer in Sales :-) If you know me, you know I ain't 'squirrely' either.
Let me ask the BU for the numbers for V2.
I thought you were asking why there was a reduced bandwidth capability, which I know the answer to, so answered :-) Sorry if I misunderstood you.
The actual numbers, I will ask for. Stay tuned. As soon as I get them I will post back here....or ask them to.
thanks. I look forward to the answer. I've reviewed the v2 user guide and will be posting some comments/questions in another thread.
OK, I am back with some data.
With IPS & Firewall enabled, it looks like we can see between 18 - 24mbps (TCP - UDP respectively).
PPPoE, PPTP, and L2TP client traffic will be less.
Without IPS this same number goes to around 900mbps
thanks, I really appreciate getting a straight answer! :) :) It appears the v2 hardware is more efficient, so I want to be sure to get v2. I also will assume that whether or not I subscribe to the extra service, this overhead will be about the same.
For your sales hat, I will say that I am still waiting on another thread regarding the documentation -vs- bandwidth rules, but if it is anything like the rvl200 I think this is a "Go".
For your SE hat, I would like to say that based on my research at the cisco site, it appears like the wrvs4400n-v2 has been significantly groomed and improved, having perhaps 1 or 2 known problems, whereas the latest rvs4000 firmware still shows lots of issues that would keep me away from it in spite of the low price. Right now I am using a dgl4300 wireless router with two netgear gs108t switches behind it. I use the 'game fuel' rules in the 4300, outbound bandwidth limiting in the nearest switch egress, and QOS in both switches to favor my voip traffic (2 SIP "lines"). the advantage of the 4400 over my existing setup is several-fold:
1) 802.1p QOS support extends into the router rather than stopping at the switch's uplink queue
2) reduce # of boxes to power and administer (get rid of one switch)
3) compatible with wireless N standard if I choose to adopt it (2 of 3 wireless clients are capable already)
4) supports ipv6 should I choose to enable it (not sure of a benefit yet)
5) provides potential for higher throughput should it become available in my area (assuming the bug with port forwarding requiring IPS gets fixed)
so, thanks again and have a great day!
I know that the Business Unit Engineers are also watching this thread too, and we do care about what partners say, suggest, recommend, think here.
I was told that WRVS4400Nv2 has the same issues/limitations as RVS4000, e.g. Bandwidth Management is not working when IPS is disabled, just to clarify that question for you.
I had assumed that as fact (related to point #5) but with something like a fiber service maybe I wouldn't care about bandwidth management so much.
There are many more issues in the 4000's latest firmware release notes compared to the 4400v2. (I see today that a new set came out but it still has a way to go to be at par with the 4400)
the other thread basically asks where you apply the bandwidth profiles as it was not visible in the manual. in the rvl200 manual, you can see bandwidth profiles as part of port map (inbound) rules, and outbound rules.
I hope I am not too far off the topic here ... but if you need higher speeds w/ IPS enabled, then the ASA product line is probably your best bet. You can also use an ISR, but the speeds will not be as great as with the ASA models. The ISR of course offers a lot as well, single platform with many services, applications, modules etc ...
Here is a link to the ASA models and the AIP module that can be installed with it:
As you can see, you can look at an ASA 5505 w/ an AIP module.
interesting product set, reminds me of what AT&T does for its (big) customers pro-actively. in terms of cost and complexity, I would lump even the low end of the series in with the 800 series products as more than I can absorb at this time.
but I like your approach and attention to the thread! maybe it will get someone else thinking - once you have a real need for that kind of bandwidth, one can expect to pay a bit more for the toys...
Understood and agreed.
Glad you did not mind me changing the products or focus on you ... I did not want to distract from the original intent of this good posting.
Yes, the requirement for high speeds certainly demands a lot from the hardware, a lot from the ASICs, memory, chipsets, etc ... and thus we easily move into the traditional Cisco product sets.
We appreciate you Neal, many thanks.
my other post didn't catch any replies, can anyone with one of these 4400's tell me where the bandwidth profiles get applied? is it just like with the rvl200?
also, will qos be applied downstream for use on the lan? 802.1p qos or dscp doesn't help if one part of the path ignores it...