Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
769
Views
0
Helpful
4
Replies

Performance on Cisco 3945 running IOS 15.3(3)

david.tran
Level 4
Level 4

‎10-05-2013 04:48 AM - edited ‎03-04-2019 09:14 PM

I have a very simple scenario with Cisco 3945 running IOS c3900-universalk9-mz.SPA.153-3.M.bin with two interfaces g0/0 (external) and g0/1 (internal).

I setup NAT on the router as follows:

ip cef

interface g0/0

  ip address 1.1.1.1 255.255.255.252

  ip nat outside

interface g0/1

  ip address 192.168.1.254 255.255.255.0

  ip nat inside

ip access-list extended nat

  permit ip 192.168.190.0 0.0.0.255 any

ip nat inside source list nat interface g0/0 overload

then I have a linux host with ip address 192.168.1.254 behind g0/1 with the gateway of the router 192.168.1.254.  I am able to push 950Mbps through the router without any issues.  So far so good.

No I decide to create an ACL and apply this ACL on interfage g0/0:

ip access-list extended External

  permit ip any any log

interface g0/0

  ip access-group External in

When I apply the ACL on the External interface, the throughput on the router goes from 950Mbps down to 160Mbps, an 80% drop in performance.  Why?

Anyone knows how to improve this?

Thanks,

Labels:
0 Helpful
4 Replies 4

Lei Tian
Cisco Employee
Cisco Employee

‎10-05-2013 04:51 AM

Hi,

Is the log keyword. Log will force the packet being process switched, so performance will drop.

HTH,

Lei Tian

0 Helpful

david.tran
Level 4
Level 4
In response to Lei Tian

‎10-05-2013 05:00 AM

Thanks.  That does work.  However, that does not explain the fact that I am not seeing performance issues on the ASR 1002 and I have about 2000 lines of ACL on the ASR external interface.

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to david.tran

‎10-05-2013 06:15 AM

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

The ASR is a different architecture, it has hardware forwarding.  (Note: the ASR 1K series, seems to be somewhat like the earlier 7300 series with NSE-100 or -150 or the 7200 series with NSE-1.)

Additionally, the prior 7200s, but not ISRs, had a "compiled ACL" feature that would improve performance for lengthy ACLs - don't know if the ASR 1K has that too.

Non-technically, 3945 vs. ASR 1002 is comparing apples to oranges. 

0 Helpful

Lei Tian
Cisco Employee
Cisco Employee
In response to david.tran

‎10-05-2013 10:07 AM

Hi,

ASR is different platform. It uses hardware offload most if the features, just like 6500, 7600. If still not convinced, hope the following document help.
http://www.cisco.com/web/about/security/intelligence/acl-logging.html

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card