IP Inspection

The 2611XL is supposed to be able to forward 20k pps. Even with small packets, that's still over 10 Mbps so I thought it would make a suitable firewall for a school with about 300 students and a 10Mbps link to the Internet.

I attempted to configure IP Inspection (for the first time ever) on this box and internet throughput dropped from 5 Mbps to under 1 Mbps. Is this to be expected with this router, or is my configuration flawed (or both)?

ip inspect name myfw http
ip inspect name myfw smtp
ip inspect name myfw tcp
ip inspect name myfw udp

interface FastEthernet0/0
 ip address x.y.235.18 255.255.255.252
 ip access-group block-out2in in
 ip nat outside
 ip inspect myfw out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex

ip access-list extended block-out2in
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any traceroute
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip host 255.255.255.255 any log-input
 deny ip any any

-- bobneworleans

Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, snipped-for-privacy@yahoo.com chose the tried and tested strategy of:

Try just TCP and UDP inspection, you may see an improvement in speed. Personally, I usually set inspection to the absolute minimum because, eg HTTP inspection causes a wide variety of websites to stop working, SIP inspection allows a REGISTER but nothing else, etc.

-- alexd

So applying "ip inspect myfw out" to the outside interface is correct rather than "ip inspect myfw in" on the inside interface?

I will try the generic inspection rules only next time I have a maintenance window.

-- bobneworleans


From memory http inspection turns on java blocking. Quite why it is called http inspection I have no idea.

I have also a vague idea that the way that the inspect was implemented was changed a while back (12.3T?) one thing achieved may have been improved performance. Might be worth evaluating later software.

Make sure that your packets are not process switched.

ATM0
  Protocol PPP over ATM
  Switching path    Pkts In     Chars In      Pkts Out    Chars Out
  Process           286773      126867811     375574      16988816
  Cache misses      0           -             -           -
  Fast              13127319    2603971067    7650584     764067395
  Auton/SSE         0           0             0           0

You want something like this where the vast majority of packets are being Fast Switched.

If you have no inbound traffic, i.e. no static NATs, do you need a "firewall"? I certainly don't have a clue how to break in past an overloading NATTer.

You could consider reflexive (i.e. reflecting) access lists or that old standby for TCP, the "established" keyword. If all you are doing is web browsing and email you could perhaps just block all UDP anyway.

-- bod43
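The two alternatives bod43 mentions, reflexive access lists and the TCP "established" keyword, written out as IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface name and the block-out2in ACL name are taken from the original post, while the reflexive list names, timeouts and the second ACL name are illustrative choices.

```cisco
! Added example: stateful-return alternatives to "ip inspect".
! Assumes the OP's topology: FastEthernet0/0 is the outside interface.
!
! --- Option 1: reflexive access lists (TCP, UDP and ICMP) ---
! Each outbound packet that hits a "reflect" entry creates a temporary,
! mirrored entry in the named reflexive list; "evaluate" on the inbound
! ACL admits only traffic that matches one of those entries.
! Reflexive lists work only inside named extended ACLs.
ip access-list extended outbound-reflect
 permit tcp any any reflect tcp-sessions timeout 300
 permit udp any any reflect udp-sessions timeout 60
 permit icmp any any reflect icmp-sessions timeout 30
 permit ip any any
!
ip access-list extended block-out2in
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 evaluate tcp-sessions
 evaluate udp-sessions
 evaluate icmp-sessions
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip host 255.255.255.255 any log-input
 deny ip any any
!
interface FastEthernet0/0
 ip access-group outbound-reflect out
 ip access-group block-out2in in
!
! --- Option 2: the "established" keyword (TCP only) ---
! "established" matches any TCP segment with ACK or RST set, i.e. anything
! that is not an initial SYN. No state is kept, so it does nothing for UDP:
! DNS replies from an outside resolver would be dropped by the final deny
! unless a UDP permit is added or the router itself answers DNS.
ip access-list extended block-out2in-established
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip any any
```

Only one of the two inbound ACLs is applied to the interface at a time. The reflexive variant keeps per-session state like inspection does but without the application-layer checks; the "established" variant is stateless and cheap but can be satisfied by any unsolicited segment that carries the ACK bit, so it is the weaker of the two.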


I'm running (C2600-IK9O3S-M), Version 12.3(26), RELEASE SOFTWARE (fc2). Is this after 12.3T?

> Pkts Out   Chars Out
> 375574     16988816
> -          -
> 7650584    764067395
> 0          0

I don't recognize this output. What command did you issue to generate this?

Show CEF Interface gives the following output for both f0/0 and f0/1, so this seems to be ok.

IP CEF switching enabled
IP CEF Feature Fast switching turbo vector

I don't know how to do it either but that doesn't necessarily mean we're safe without a firewall. Obviously the outside address will respond to ping. After that, isn't it simply a matter of trying different ports until something gets through?

Thanks for the suggestions. Although I'm familiar with "established" from working with iptables, I know nothing about reflexive access lists so I'll read up on them.

Can you please explain why applying "ip inspect myfw out" to the outside interface is better than "ip inspect myfw in" on the inside interface?

-- bobneworleans

bod43 wrote:

If using the http inspection you should create a standard access list with a single permit any and refer to this in the http inspection. And your http throughput will significantly improve.

-- Uli Link
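The trimmed-down inspection that alexd recommends (generic TCP and UDP only) together with Uli Link's tweak for anyone who keeps HTTP inspection (a standard ACL with a single permit any referenced as the java-list), written out as IOS configuration. This is an added example, not configuration from the thread; the inspection name, interface and inbound ACL name come from the original post, and standard ACL number 10 is an illustrative choice.

```cisco
! Added example: minimal CBAC inspection set.
! Assumes the OP's layout: FastEthernet0/0 outside, block-out2in inbound ACL.
!
! Generic inspection only. A TCP rule already covers outbound HTTP and
! SMTP sessions for the purpose of opening return-traffic holes in the
! inbound ACL; the http/smtp rules add application-layer checks on top.
ip inspect name myfw tcp
ip inspect name myfw udp
!
! Only if HTTP inspection is kept: attach a java-list that permits every
! source so every web server is treated as "friendly" and no applet is
! blocked. ACL 10 is a standard ACL (java-list accepts only those).
access-list 10 permit any
ip inspect name myfw http java-list 10
!
! Apply in the outbound direction on the outside interface: sessions
! leaving via Fa0/0 are tracked, and their return traffic is admitted
! through block-out2in on the same interface.
interface FastEthernet0/0
 ip access-group block-out2in in
 ip inspect myfw out
```

After the change, "show ip inspect sessions" lists the tracked sessions and "show interfaces switching" shows whether the traffic is still being process-switched, which is the check bod43 asks for further up the thread.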

Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, snipped-for-privacy@yahoo.com chose the tried and tested strategy of:

If you haven't got any static NATs and you've tied down management of the router itself to known IPs, then an outsider trying different ports will yield nothing.

-- alexd

Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, bod43 chose the tried and tested strategy of:

Yes, it does, which stops the BT speed tester from working. Usually disabling HTTP inspection gets the speed tester working again, and eliminates the need for the customer to be running tester in the first place :-) Quite why Java was chosen for this treatment but not say, any other type of executable, is beyond me.

Presumably with it enabled and some more sensible settings on what's permitted [ie not the defaults], you can then do cleverer things than basic L4 ACLs, eg block particular URLs or paths in URLs.

-- alexd

Sorry I meant to post the command and forgot.

sh int switching

As regards forwarding performance, it doesn't matter which fast switching method is in use: CEF, Netflow, Fast Switching, others (mostly obsolete).

The sh int switching output does not distinguish and lumps all fast switching types together, which is what you want :)

I don't know. I think I know what applying an inspect statement to the outside interface means, but I have no idea what applying it to an inside interface will mean. I would apply it to the outside interface.

The inspect process does two things.

  1. Makes temporary holes in the inbound access-list to allow the return traffic.
  2. "Inspects" the traffic. I have no real idea what this amounts to on a Cisco router.

Oh yes. I was guessing about 12.3T so it does not matter much whether it is after 12.3 or not.

It happens that it is after. In general the T (Technology) train has all the new stuff that eventually ends up in the next main release.

12.2T --> 12.3 mainline
12.3T --> 12.4 mainline
12.4T --> 15 mainline

The mainline software is effectively frozen apart from bug fixes and all new hardware and software features end up in the T.

The other weird releases are generally designed to get specific hardware or software features out the door and end up folded back into the T train quite quickly.

There are a couple of exceptions.

An example is that the "Switches" tend to use different releases.

For the most stable software for routers, use mainline if you can, T if you need the features, and avoid any others if at all possible.

For switches go with the flow. There is no alternative :)

-- bod43

ip inspect is probably slow path (process switch) since it has so much to look at.

Cisco routers slow down a lot when process switching.

[link] For a 2611XM, fast switching is 20k packets/sec, but process switching is 1.5k...

-- Stephen
