Zone-based firewall performance
David asked me an interesting question:
Can you comment on the performance differences between zone-based firewalls and the classic Content-Based Access Control (CBAC) IOS firewall? I’m running into issues where the router is running VoIP and CBAC, and call quality issues are appearing during heavy data usage.
I never did performance tests with one or the other, but I wouldn’t expect the zone-based firewall (ZFW) performance to exceed CBAC: they use the same (or at least very similar) code, and ZFW is primarily a different method of configuring the same functionality.
Does anyone have different experience? It looks like Colin McNamara disagrees with me, but the document with performance data I found on Cisco’s web site does not list different figures for CBAC and ZFW (and they would surely make them public if ZFW were way better than CBAC).
This article is part of the You've asked for it series.
http://www.cisco.com/en/US/partner/prod/collateral/routers/ps5855/prod_white_paper0900aecd8061536b_ps1018_Products_White_Paper.html
william chu - please post URLs to pdf instead of HTML if possible.
Topology is pretty much one or two T1s, PPP encap, between either a 2430 IAD or 2821 ISR and a 7206VXR. Some routers are configured with varying levels of QoS, some have none. Some routers are also configured with URL filtering pointing at a remote Websense server, and others aren't. There's even one router with no voice at all, just a full T1 of internet, CBAC, and Websense, and it's running (on average) at 75-80% CPU.
I'll see if I can get some sample configs out for people to look at.
ip inspect audit-trail
ip inspect name inside_outbound ftp audit-trail on timeout 3600
ip inspect name inside_outbound esmtp audit-trail on timeout 3600
ip inspect name inside_outbound sip audit-trail on timeout 3600
ip inspect name inside_outbound fragment maximum 256 timeout 1
ip inspect name inside_outbound rtsp audit-trail on timeout 3600
ip inspect name inside_outbound h323 audit-trail on timeout 3600
ip inspect name inside_outbound tcp audit-trail on timeout 3600
ip inspect name inside_outbound udp audit-trail on timeout 3600
ip inspect name inside_outbound http java-list 99 audit-trail on timeout 3600
!
! CBAC inspection rules above: applied on the public interface with
! "ip inspect inside_outbound out" (see Multilink101), so return traffic
! for sessions started from the inside is admitted past outside_inbound.
!
isdn switch-type primary-ni
!
!
voice service voip
modem passthrough nse codec g711ulaw
sip
bind control source-interface Loopback0
bind media source-interface Loopback0
!
!
class-map match-all MGMT
match access-group name MGMT
class-map match-any VOICE-SIG
match ip precedence 3
class-map match-any VOICE-RTP
match ip precedence 5
class-map match-any GOLD-IPP7-OUT
match ip dscp 15
class-map match-any GOLD-IPP6-OUT
match ip dscp af13
class-map match-any GOLD-IPP5-OUT
match ip dscp cs5
class-map match-any GOLD-IPP4-OUT
match ip dscp af12
class-map match-any GOLD-IPP3-OUT
match ip dscp cs3
class-map match-any GOLD-IPP2-OUT
match ip dscp af11
class-map match-any GOLD-IPP1-OUT
match ip dscp 9
class-map match-any GOLD-IPP0-OUT
match ip dscp cs1
class-map match-any PREMIUM-CUST
match access-group name PREMIUM-DATA
match ip precedence 1
class-map match-any GOLD-IPP6-IN
match ip precedence 6
class-map match-any GOLD-IPP7-IN
match ip precedence 7
class-map match-any GOLD-IPP4-IN
match ip precedence 4
class-map match-any GOLD-IPP5-IN
match access-group name CUST-VOICE-RTP
class-map match-any GOLD-IPP2-IN
match ip precedence 2
class-map match-any GOLD-IPP3-IN
match access-group name CUST-VOICE-SIG
class-map match-any GOLD-IPP0-IN
match ip precedence 0
class-map match-any GOLD-IPP1-IN
match ip precedence 1
match protocol gre
match protocol ipinip
match protocol ipsec
match protocol l2tp
!
! QoS: class maps above, policy maps below. CPE-32-OUT is the policy
! applied on Multilink101; VOICE-RTP gets the strict-priority queue.
!
policy-map GOLD-LAN-OUT
description Inbound from Customer LAN
class GOLD-IPP5-OUT
set ip precedence 5
class GOLD-IPP3-OUT
set ip precedence 3
class GOLD-IPP1-OUT
set ip precedence 1
class GOLD-IPP4-OUT
set ip precedence 4
class GOLD-IPP2-OUT
set ip precedence 2
class GOLD-IPP6-OUT
set ip precedence 6
class GOLD-IPP7-OUT
set ip precedence 7
class GOLD-IPP0-OUT
set ip precedence 0
policy-map CPE-49-OUT
description CPE Standard Policy # 49
class VOICE-RTP
priority percent 96
class VOICE-SIG
bandwidth percent 2
class MGMT
bandwidth percent 1
class class-default
fair-queue
random-detect
policy-map CPE-32-OUT
description CPE Standard Policy # 32
class VOICE-RTP
priority percent 48
class VOICE-SIG
bandwidth percent 2
class MGMT
set ip precedence 2
bandwidth percent 1
class PREMIUM-CUST
bandwidth percent 16
random-detect
class class-default
bandwidth percent 32
random-detect
policy-map GOLD-LAN-IN
description Inbound from Customer LAN
class GOLD-IPP5-IN
set ip dscp cs5
class GOLD-IPP3-IN
set ip dscp cs3
class GOLD-IPP1-IN
set ip dscp 9
class GOLD-IPP4-IN
set ip dscp af12
class GOLD-IPP2-IN
set ip dscp af11
class GOLD-IPP6-IN
set ip dscp af13
class GOLD-IPP7-IN
set ip dscp 15
class GOLD-IPP0-IN
set ip dscp cs1
policy-map MARK-IPP-0
description Mark all inbound packets to IP Prec 0
class class-default
set precedence 0
!
! Interfaces: Multilink101 is the public side (NAT outside, CBAC, ACLs);
! GigabitEthernet0/0 and 0/1 face the customer.
!
interface Loopback0
ip address x.x.x.x 255.255.255.255
!
interface Loopback11
ip vrf forwarding CUSTOMER-123456
ip address 11.5.192.46 255.255.255.255
!
interface Tunnel101
ip vrf forwarding CUSTOMER-123456
ip address 172.16.0.2 255.255.255.252
ip mtu 1500
ip nat inside
ip virtual-reassembly
qos pre-classify
tunnel source x.x.x.x
tunnel destination x.x.x.x
!
interface Tunnel183944101
ip vrf forwarding CPE-MGMT
ip address 11.10.1.110 255.255.255.254
tunnel source x.x.x.x
tunnel destination x.x.x.x
!
interface Multilink101
description ** Public Interface **
mtu 1540
ip address x.x.x.x 255.255.255.254
ip access-group outside_inbound in
ip access-group outside_outbound out
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect inside_outbound out
ip virtual-reassembly
no cdp enable
ppp multilink
ppp multilink group 101
ppp multilink fragment disable
max-reserved-bandwidth 99
service-policy output CPE-32-OUT
!
interface GigabitEthernet0/0
description *** Internet to Customer ***
ip address x.x.x.x 255.255.255.248
no ip redirects
no ip unreachables
duplex auto
speed auto
service-policy input GOLD-LAN-IN
service-policy output GOLD-LAN-OUT
!
interface GigabitEthernet0/1
description *** Private LAN to Customer ***
ip vrf forwarding CUSTOMER-123456
ip address 172.16.200.2 255.255.255.0 secondary
ip address 192.168.200.1 255.255.255.0
ip access-group inside_outbound in
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
service-policy input GOLD-LAN-IN
service-policy output GOLD-LAN-OUT
!
interface Serial0/0/0:1
mtu 1540
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 101
max-reserved-bandwidth 99
!
interface Serial0/0/1:1
mtu 1540
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 101
max-reserved-bandwidth 99
!
interface Serial0/1/0:1
mtu 1540
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 101
max-reserved-bandwidth 99
!
!
ip route 0.0.0.0 0.0.0.0 Multilink101
ip route vrf CUSTOMER-123456 0.0.0.0 0.0.0.0 Tunnel183944101
!
! NAT overload on the public interface, then the ACLs referenced by the
! QoS class maps, the CBAC rule and the interface filters. access-list 1
! (NAT) and access-list 99 (java-list) are not part of this excerpt.
!
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip nat inside source list 1 interface Multilink101 overload
!
ip access-list extended CUST-VOICE-RTP
deny ip any any fragments
permit udp any any range 16384 32767
permit udp any any range 49152 53247
ip access-list extended CUST-VOICE-SIG
deny ip any any fragments
permit udp any any eq 5060
permit tcp any any eq 5060
permit udp any any range 1718 1720
permit tcp any any range 1718 1720
permit udp any any eq 2427
permit tcp any any eq 2427
permit udp any any eq 2000
permit tcp any any eq 2000
ip access-list extended MGMT
permit tcp any eq telnet x.x.x.x 0.0.0.255
permit tcp any x.x.x.x 0.0.0.255 eq telnet
permit tcp any eq telnet 11.0.0.0 0.127.255.255
permit tcp any 11.0.0.0 0.127.255.255 eq telnet
ip access-list extended PREMIUM-DATA
permit ip any any
ip access-list extended inside_outbound
deny udp any any eq 14110
permit tcp any any eq www
permit tcp any any eq 443
permit udp any any eq domain
permit ip any any
ip access-list extended outside_inbound
permit udp any host x.x.x.x eq isakmp
permit udp any host x.x.x.x eq non500-isakmp
permit tcp any host x.x.x.x eq telnet
permit ip any host x.x.x.x
remark =================================================
remark = Block RFC1918 addresses sourced from Internet =
deny ip 10.0.0.0 0.255.255.255 any
permit esp any host x.x.x.x
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
remark =======================================
remark = Allow management/voice access =
permit tcp host x.x.x.x host x.x.x.x eq telnet
permit tcp host x.x.x.x host x.x.x.x eq telnet
permit tcp host x.x.x.x any
permit tcp host x.x.x.x any
permit tcp host x.x.x.x any
permit tcp host x.x.x.x any
permit udp host x.x.x.x any eq snmp
permit icmp host x.x.x.x any
permit icmp host 4.2.2.2 any
permit ip host x.x.x.x any
permit ip host x.x.x.x any
permit tcp x.x.x.x 0.0.0.255 any
permit ip host x.x.x.x any
permit ip host x.x.x.x any
permit gre host x.x.x.x host x.x.x.x
permit ip host x.x.x.x any
permit ip any host x.x.x.x
permit ip host x.x.x.x host x.x.x.x
permit ip host x.x.x.x host x.x.x.x
permit ip host x.x.x.x any
permit ip host x.x.x.x any
permit ip host x.x.x.x any
deny ip any any log
ip access-list extended outside_outbound
permit ip any host x.x.x.x
remark =========================================================
remark = Block RFC1918 addresses sourced from internal network =
remark = (placed before the catch-all permit; after it they never match) =
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
!
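To make the "different way of configuring the same functionality" point concrete, here is the CBAC inside_outbound rule set from the configuration above rewritten as a zone-based policy. This is an added example, not from the original post or from the commenter's router: the zone names (INSIDE, OUTSIDE), the parameter-map, class-map, policy-map and zone-pair names are assumptions, and three things are deliberately not carried over because they have no one-to-one equivalent in this form: the per-protocol audit-trail (ZFW turns it on in the parameter map for the whole class), the Java applet filter (java-list 99), and the fragment rule. The outside_inbound ACL is also unchanged by this; ZFW drops traffic between two zones that have no zone-pair policy, so the management/VPN traffic that ACL admits today would additionally need an OUTSIDE-to-INSIDE zone pair with its own pass/inspect policy, and any tunnel interface carrying customer traffic must be made a zone member as well.

```cisco
! Session parameters matching the CBAC rules: audit trail on, idle timeout 3600 s
parameter-map type inspect INSPECT-PARAMS
 audit-trail on
 tcp idle-time 3600
 udp idle-time 3600
!
! Protocols the CBAC rule set inspected with application awareness
! (esmtp in CBAC maps to smtp inspection here)
class-map type inspect match-any APP-INSPECT
 match protocol ftp
 match protocol smtp
 match protocol sip
 match protocol rtsp
 match protocol h323
 match protocol http
! Everything else gets the generic tcp/udp inspection, as with CBAC
class-map type inspect match-any GENERIC-INSPECT
 match protocol tcp
 match protocol udp
!
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect APP-INSPECT
  inspect INSPECT-PARAMS
 class type inspect GENERIC-INSPECT
  inspect INSPECT-PARAMS
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! Replace the interface-level CBAC rule with zone membership
interface Multilink101
 no ip inspect inside_outbound out
 zone-member security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
```

To actually answer the performance question on a given box rather than by guesswork, take the same measurements before and after the change under the same load: "show processes cpu sorted" for overall and per-process load, "show ip inspect sessions" and "show ip inspect statistics" for the CBAC session count, and "show policy-map type inspect zone-pair sessions" for the equivalent ZFW figures. If the session counts match and the CPU figures do not move, the firewall is not where the call-quality problem is coming from.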