Bilge,

I presume all traffic is being process switched because you are
running IDS commands on this router. 

This excerpt is from 
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/ios_ids.htm

(watch the wrap)

"Memory and Performance Impact
The performance impact of intrusion detection will depend on
the number of signatures enabled, the level of traffic on the
router, the router platform, and other individual features enabled
on the router such as encryption, source route bridging, and
so on. Because this router is being used as a security device,
no packet will be allowed to bypass the security mechanisms.
The IDS process in the Cisco IOS Firewall router sits directly
in the packet path and thus will search each packet for signature
matches. In some cases, the entire packet will need to be searched,
and state information and even application state and awareness
must be maintained by the router."

I infer from this that all traffic will be process switched -
i.e. take the lowest performance path through the router.

From
http://195.116.208.9/cheat/router_performance.htm
(Watch the wrap)

Throughput in PPS for various platforms:
ID   Process Fast 
2500 800     4,400 
2610 1,500   15,000 
2620 1,500   25,000 
3620 2,000   40,000 
3640 4,000   80,000 
3660 12,000  120,000 
4500 5,000   40,000 
4700 7,000   50,000 

If you're seeing these kinds of numbers, then this may be the
cause.

Let us know what happens.

Regards

Pete S.





--- Original Message ---
Bilge Karabacak <[EMAIL PROTECTED]> Wrote on 
Mon, 06 Dec 1999 16:07:25 +0200
 ------------------ 
Here you can find the output of "sh interfaces switching"

---------------SHOW INTERFACES SWITCHING--------------------
FastEthernet0/0
          Throttle count          0
        Drops         RP          0         SP          0
  SPD Flushes       Fast          0        SSE          0
  SPD Aggress       Fast          0
 SPD Priority     Inputs          0      Drops          0

     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
        Other    Process       9270    1271276      43202    2592120
            Cache misses          0
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0
           IP    Process      31582    2805762       8549    1442358
            Cache misses          0
                    Fast       1210      78738          0          0
               Auton/SSE          0          0          0          0
          ARP    Process       3204     192240       1085      65100
            Cache misses          0
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

Interface Serial0/0 is disabled

FastEthernet0/1
          Throttle count          0
        Drops         RP          0         SP          0
  SPD Flushes       Fast          0        SSE          0
  SPD Aggress       Fast          0
 SPD Priority     Inputs          0      Drops          0

     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
        Other    Process      65846    7862889      44130    2609371
            Cache misses          0
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0
           IP    Process      38088    4002553        190      13123
            Cache misses          0
                    Fast     245624   42909834       1210      78738
               Auton/SSE          0          0          0          0
          ARP    Process     238106   14285130         58       3480
            Cache misses          0
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

Interface Serial0/1 is disabled

Loopback0
          Throttle count          0
        Drops         RP          0         SP          0
  SPD Flushes       Fast          0        SSE          0
  SPD Aggress       Fast          0
 SPD Priority     Inputs          0      Drops          0

     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
No traffic sent or received on this interface.

Brian wrote:

> On Mon, 6 Dec 1999, Bilge Karabacak wrote:
>
> > I configured a Cisco 2621 router. The problem with this router is its
> > throughput. It is ten times slower than a linux machine acting as a
> > gateway with two ethernet interfaces. The properties of linux machine is
> > Intel celeron 400, 64 MByte RAM.  The second important point is that,
> > the router gave this result with no access-lists. The last one to say is
> > that, NAT operation at this cisco 2621 degrades performance by 60%
> > percent.  This is ridiculous, if all cisco routers are like this one.
> > May you please comment on this, after examining the configuration of the
> > router? Is it normal? What should I do to increase performance?
> > Below, you will find
>
> Interesting,
>
> Please show us the output of "sh interfaces switching".  Also you may wish
> to check bugs on Cisco's site since NAT bugs are common in 12.0
>
> Brian
>
> >
> > -----------------SHOW STARTUP-CONFIG------------------------
> > !
> > ! Last configuration change at 12:20:40 UTC Thu Nov 30 2000
> > ! NVRAM config last updated at 13:01:17 UTC Thu Nov 30 2000
> > !
> > version 12.0
> > service tcp-keepalives-in
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > service password-encryption
> > !
> > hostname router2
> > !
> > no logging buffered
> > no logging console
> > no logging monitor
> > enable secret 5 ***********
> > !
> > !
> > !
> > !
> > !
> > memory-size iomem 15
> > ip subnet-zero
> > no ip source-route
> > no ip finger
> > ip tcp selective-ack
> > ip tcp path-mtu-discovery
> > ip telnet quiet
> > !
> > no ip bootp server
> > ip audit notify log
> > ip audit po max-events 100
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface FastEthernet0/0
> >   ip address 192.168.1.89 255.255.255.0
> >  no ip unreachables
> >  no ip directed-broadcast
> >  ip nat inside
> >  no ip mroute-cache
> >  duplex auto
> >  speed auto
> >  no cdp enable
> > !
> > interface Serial0/0
> >  no ip address
> >  no ip directed-broadcast
> >  no ip mroute-cache
> >  shutdown
> >  no cdp enable
> > !
> > interface FastEthernet0/1
> >  ip address 193.177.77.77 255.255.255.0
> >  no ip unreachables
> >  no ip directed-broadcast
> >  ip nat outside
> >  no ip mroute-cache
> >  duplex auto
> >  speed auto
> >  no cdp enable
> > !
> > interface Serial0/1
> >  no ip address
> >  no ip directed-broadcast
> >  no ip mroute-cache
> >  shutdown
> >  no cdp enable
> > !
> > ip nat inside source list 2 interface FastEthernet0/1 overload
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
> > no ip http server
> > !
> > logging trap debugging
> > logging facility local6
> > logging source-interface FastEthernet0/0
> > access-list 2 permit 192.168.1.0 0.0.0.255
> > dialer-list 1 protocol ip permit
> > dialer-list 1 protocol ipx permit
> > no cdp run
> > !
> > line con 0
> >  password 7 ***************
> >  login
> >  transport input none
> > line aux 0
> >  password 7 ****************
> >  login
> > line vty 0 4
> >  password 7 **********************
> >  login
> >  transport input none
> > !
> > scheduler interval 500
> > no scheduler allocate
> > end
> >
> >
> > --------------------SHOW VERSION-------------------
> >
> > Cisco Internetwork Operating System Software
> > IOS (tm) C2600 Software (C2600-IO3S56I-M), Version 12.0(7)XK1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > TAC:Home:SW:IOS:Specials for info
> > Copyright (c) 1986-2000 by cisco Systems, Inc.
> > Compiled Wed 15-Mar-00 08:53 by phanguye
> > Image text-base: 0x80008088, data-base: 0x80EB7238
> >
> > ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
> > ROM: C2600 Software (C2600-IO3S56I-M), Version 12.0(7)XK1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> >
> > router2 uptime is 4 days, 18 hours, 16 minutes
> > System returned to ROM by reload at 15:57:01 UTC Fri Dec 1 2000
> > System restarted at 15:58:42 UTC Fri Dec 1 2000
> > System image file is "flash:aaa1321.bin"
> > Host configuration file is "tftp://192.168.5.78/router2_acl"
> >
> > cisco 2621 (MPC860) processor (revision 0x102) with 41984K/7168K bytes of memory.
> > Processor board ID JAB040906MD (3523830294)
> > M860 processor: part number 0, mask 49
> > Bridging software.
> > X.25 software, Version 3.0.0.
> > 2 FastEthernet/IEEE 802.3 interface(s)
> > 2 Low-speed serial(sync/async) network interface(s)
> > 32K bytes of non-volatile configuration memory.
> > 16384K bytes of processor board System flash (Read/Write)
> >
> > Configuration register is 0x2102
> >
> >
> > _________________________________
> > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
>
> -----------------------------------------------
> Brian Feeny, CCNP+ATM, CCDP   [EMAIL PROTECTED]
> Network Administrator
> ShreveNet Inc. (ASN 11881)
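
The process-switching question raised in this thread can be checked directly from the "show interfaces switching" counters. The following is an added example, not part of the original messages: it parses output in that layout and reports, per interface, what share of received packets took the process path. The sample is constructed from the IP and ARP rows quoted above, and counting only the "Pkts In" column is a choice made for this example.

```python
import re

# Constructed sample: layout and counters copied from the
# "show interfaces switching" output quoted in this thread.
SAMPLE = """\
FastEthernet0/0
     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
           IP    Process      31582    2805762       8549    1442358
            Cache misses          0
                    Fast       1210      78738          0          0
               Auton/SSE          0          0          0          0
          ARP    Process       3204     192240       1085      65100
Interface Serial0/0 is disabled
FastEthernet0/1
     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
           IP    Process      38088    4002553        190      13123
            Cache misses          0
                    Fast     245624   42909834       1210      78738
               Auton/SSE          0          0          0          0
Loopback0
No traffic sent or received on this interface.
"""

# Optional protocol name, then the path, then the four counters.
ROW = re.compile(r"^\s+(?:(\S+)\s+)?(Process|Fast|Auton/SSE)"
                 r"\s+(\d+)\s+\d+\s+(\d+)\s+\d+\s*$")

def parse_switching(text):
    """Return {interface: {protocol: {path: (pkts_in, pkts_out)}}}."""
    stats, iface, proto = {}, None, None
    for line in text.splitlines():
        if re.fullmatch(r"\S+", line):      # a bare interface name
            iface, proto = line, None
            stats[iface] = {}
            continue
        m = ROW.match(line)
        if m and iface:
            proto = m.group(1) or proto     # Fast/Auton rows inherit the protocol
            counters = (int(m.group(3)), int(m.group(4)))
            stats[iface].setdefault(proto, {})[m.group(2)] = counters
    return stats

def process_share(stats, protocol="IP"):
    """Fraction of received packets on the process path, per interface."""
    shares = {}
    for iface, protos in stats.items():
        paths = protos.get(protocol, {})
        total = sum(pkts_in for pkts_in, _ in paths.values())
        if total:                           # skip idle or disabled interfaces
            shares[iface] = paths.get("Process", (0, 0))[0] / total
    return shares
```

Calling `process_share(parse_switching(SAMPLE))` gives one fraction per active interface, which can be compared between the inside and outside interfaces or before and after a configuration change.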
