Zone-based firewall performance

David asked me an interesting question:

Can you comment on the performance differences between zone-based firewalls and the classic Content-Based Access Control (CBAC) IOS firewall? I’m running into issues where the router is running VoIP and CBAC, and call quality issues are appearing during heavy data usage.

I never did performance tests with one or the other, but I wouldn't expect the zone-based firewall (ZFW) performance to exceed CBAC. They use the same (or at least very similar) code; ZFW is primarily a different method of configuring the same functionality.

Does anyone have different experience? It looks like Colin McNamara disagrees with me, but the document with performance data I found on Cisco's web site does not list different figures for CBAC and ZFW (and they would surely make them public if ZFW were way better than CBAC).

This article is part of the You've asked for it series.

6 comments:

  1. Just wondering what type of quality issues he is having (e.g. dropped calls, silence, garbled audio, etc.), and if it would be possible for him to post a generic version of his config including any QoS configuration, and a basic topology with link speeds? As well as what version of IOS.

  2. I found this on cisco.com about the Zone based firewall performance guidelines (may require login). It covered ISR routers from 871 to 3845.

    http://www.cisco.com/en/US/partner/prod/collateral/routers/ps5855/prod_white_paper0900aecd8061536b_ps1018_Products_White_Paper.html

  3. Login not required

    william chu - please post URLs to pdf instead of HTML if possible.

  4. Call quality issues include mostly one-way or choppy audio. It usually starts with the receiving end hearing the chop, with the sender not noticing the difference (which worries me that it's happening more than I know, and it's not being reported).

    Topology is pretty much one or two T1's, PPP encap, between either a 2430 IAD or 2821 ISR and a 7206VXR. Some routers are configured with varying levels of QoS, some have none. Some routers are also configured with URL filtering pointing at a remote Websense server, and others aren't. There's even one router with no voice at all, just a full T1 of internet, CBAC, and Websense, and it's running (on average) at 75-80% CPU.

    I'll see if I can get some sample configs out for people to look at.

  5. IOS version is a mix of either 12.3(11)T10 or 12.4(15)T4. Here's a sample of a config from a troublesome router (with any public IP changed to protect the innocent)... warning, it's long...

    ip inspect audit-trail
    ip inspect name inside_outbound ftp audit-trail on timeout 3600
    ip inspect name inside_outbound esmtp audit-trail on timeout 3600
    ip inspect name inside_outbound sip audit-trail on timeout 3600
    ip inspect name inside_outbound fragment maximum 256 timeout 1
    ip inspect name inside_outbound rtsp audit-trail on timeout 3600
    ip inspect name inside_outbound h323 audit-trail on timeout 3600
    ip inspect name inside_outbound tcp audit-trail on timeout 3600
    ip inspect name inside_outbound udp audit-trail on timeout 3600
    ip inspect name inside_outbound http java-list 99 audit-trail on timeout 3600
    !
    !
    isdn switch-type primary-ni
    !
    !
    voice service voip
    modem passthrough nse codec g711ulaw
    sip
    bind control source-interface Loopback0
    bind media source-interface Loopback0
    !
    !
    class-map match-all MGMT
    match access-group name MGMT
    class-map match-any VOICE-SIG
    match ip precedence 3
    class-map match-any VOICE-RTP
    match ip precedence 5
    class-map match-any GOLD-IPP7-OUT
    match ip dscp 15
    class-map match-any GOLD-IPP6-OUT
    match ip dscp af13
    class-map match-any GOLD-IPP5-OUT
    match ip dscp cs5
    class-map match-any GOLD-IPP4-OUT
    match ip dscp af12
    class-map match-any GOLD-IPP3-OUT
    match ip dscp cs3
    class-map match-any GOLD-IPP2-OUT
    match ip dscp af11
    class-map match-any GOLD-IPP1-OUT
    match ip dscp 9
    class-map match-any GOLD-IPP0-OUT
    match ip dscp cs1
    class-map match-any PREMIUM-CUST
    match access-group name PREMIUM-DATA
    match ip precedence 1
    class-map match-any GOLD-IPP6-IN
    match ip precedence 6
    class-map match-any GOLD-IPP7-IN
    match ip precedence 7
    class-map match-any GOLD-IPP4-IN
    match ip precedence 4
    class-map match-any GOLD-IPP5-IN
    match access-group name CUST-VOICE-RTP
    class-map match-any GOLD-IPP2-IN
    match ip precedence 2
    class-map match-any GOLD-IPP3-IN
    match access-group name CUST-VOICE-SIG
    class-map match-any GOLD-IPP0-IN
    match ip precedence 0
    class-map match-any GOLD-IPP1-IN
    match ip precedence 1
    match protocol gre
    match protocol ipinip
    match protocol ipsec
    match protocol l2tp
    !
    !
    policy-map GOLD-LAN-OUT
    description Inbound from Customer LAN
    class GOLD-IPP5-OUT
    set ip precedence 5
    class GOLD-IPP3-OUT
    set ip precedence 3
    class GOLD-IPP1-OUT
    set ip precedence 1
    class GOLD-IPP4-OUT
    set ip precedence 4
    class GOLD-IPP2-OUT
    set ip precedence 2
    class GOLD-IPP6-OUT
    set ip precedence 6
    class GOLD-IPP7-OUT
    set ip precedence 7
    class GOLD-IPP0-OUT
    set ip precedence 0
    policy-map CPE-49-OUT
    description CPE Standard Policy # 49
    class VOICE-RTP
    priority percent 96
    class VOICE-SIG
    bandwidth percent 2
    class MGMT
    bandwidth percent 1
    class class-default
    fair-queue
    random-detect
    policy-map CPE-32-OUT
    description CPE Standard Policy # 32
    class VOICE-RTP
    priority percent 48
    class VOICE-SIG
    bandwidth percent 2
    class MGMT
    set ip precedence 2
    bandwidth percent 1
    class PREMIUM-CUST
    bandwidth percent 16
    random-detect
    class class-default
    bandwidth percent 32
    random-detect
    policy-map GOLD-LAN-IN
    description Inbound from Customer LAN
    class GOLD-IPP5-IN
    set ip dscp cs5
    class GOLD-IPP3-IN
    set ip dscp cs3
    class GOLD-IPP1-IN
    set ip dscp 9
    class GOLD-IPP4-IN
    set ip dscp af12
    class GOLD-IPP2-IN
    set ip dscp af11
    class GOLD-IPP6-IN
    set ip dscp af13
    class GOLD-IPP7-IN
    set ip dscp 15
    class GOLD-IPP0-IN
    set ip dscp cs1
    policy-map MARK-IPP-0
    description Mark all inbound packets to IP Prec 0
    class class-default
    set precedence 0
    !
    !
    interface Loopback0
    ip address x.x.x.x 255.255.255.255
    !
    interface Loopback11
    ip vrf forwarding CUSTOMER-123456
    ip address 11.5.192.46 255.255.255.255
    !
    interface Tunnel101
    ip vrf forwarding CUSTOMER-123456
    ip address 172.16.0.2 255.255.255.252
    ip mtu 1500
    ip nat inside
    ip virtual-reassembly
    qos pre-classify
    tunnel source x.x.x.x
    tunnel destination x.x.x.x
    !
    interface Tunnel183944101
    ip vrf forwarding CPE-MGMT
    ip address 11.10.1.110 255.255.255.254
    tunnel source x.x.x.x
    tunnel destination x.x.x.x
    !
    interface Multilink101
    description ** Public Interface **
    mtu 1540
    ip address x.x.x.x 255.255.255.254
    ip access-group outside_inbound in
    ip access-group outside_outbound out
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect inside_outbound out
    ip virtual-reassembly
    no cdp enable
    ppp multilink
    ppp multilink group 101
    ppp multilink fragment disable
    max-reserved-bandwidth 99
    service-policy output CPE-32-OUT
    !
    interface GigabitEthernet0/0
    description *** Internet to Customer ***
    ip address x.x.x.x 255.255.255.248
    no ip redirects
    no ip unreachables
    duplex auto
    speed auto
    service-policy input GOLD-LAN-IN
    service-policy output GOLD-LAN-OUT
    !
    interface GigabitEthernet0/1
    description *** Private LAN to Customer ***
    ip vrf forwarding CUSTOMER-123456
    ip address 172.16.200.2 255.255.255.0 secondary
    ip address 192.168.200.1 255.255.255.0
    ip access-group inside_outbound in
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    service-policy input GOLD-LAN-IN
    service-policy output GOLD-LAN-OUT
    !
    interface Serial0/0/0:1
    mtu 1540
    no ip address
    encapsulation ppp
    ppp multilink
    ppp multilink group 101
    max-reserved-bandwidth 99
    !
    interface Serial0/0/1:1
    mtu 1540
    no ip address
    encapsulation ppp
    ppp multilink
    ppp multilink group 101
    max-reserved-bandwidth 99
    !
    interface Serial0/1/0:1
    mtu 1540
    no ip address
    encapsulation ppp
    ppp multilink
    ppp multilink group 101
    max-reserved-bandwidth 99
    !
    !
    ip route 0.0.0.0 0.0.0.0 Multilink101
    ip route vrf CUSTOMER-123456 0.0.0.0 0.0.0.0 Tunnel183944101
    !
    !
    no ip http server
    no ip http secure-server
    ip http client source-interface Loopback0
    ip nat inside source list 1 interface Multilink101 overload
    !

    ip access-list extended CUST-VOICE-RTP
    deny ip any any fragments
    permit udp any any range 16384 32767
    permit udp any any range 49152 53247
    ip access-list extended CUST-VOICE-SIG
    deny ip any any fragments
    permit udp any any eq 5060
    permit tcp any any eq 5060
    permit udp any any range 1718 1720
    permit tcp any any range 1718 1720
    permit udp any any eq 2427
    permit tcp any any eq 2427
    permit udp any any eq 2000
    permit tcp any any eq 2000
    ip access-list extended MGMT
    permit tcp any eq telnet x.x.x.x 0.0.0.255
    permit tcp any x.x.x.x 0.0.0.255 eq telnet
    permit tcp any eq telnet 11.0.0.0 0.127.255.255
    permit tcp any 11.0.0.0 0.127.255.255 eq telnet
    ip access-list extended PREMIUM-DATA
    permit ip any any
    ip access-list extended inside_outbound
    deny udp any any eq 14110
    permit tcp any any eq www
    permit tcp any any eq 443
    permit udp any any eq domain
    permit ip any any
    ip access-list extended outside_inbound
    permit udp any host x.x.x.x eq isakmp
    permit udp any host x.x.x.x eq non500-isakmp
    permit tcp any host x.x.x.x eq telnet
    permit ip any host x.x.x.x
    remark =================================================
    remark = Block RFC1918 addresses sourced from Internet =
    deny ip 10.0.0.0 0.255.255.255 any
    permit esp any host x.x.x.x
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 169.254.0.0 0.0.255.255 any
    remark =======================================
    remark = Allow management/voice access =
    permit tcp host x.x.x.x host x.x.x.x eq telnet
    permit tcp host x.x.x.x host x.x.x.x eq telnet
    permit tcp host x.x.x.x any
    permit tcp host x.x.x.x any
    permit tcp host x.x.x.x any
    permit tcp host x.x.x.x any
    permit udp host x.x.x.x any eq snmp
    permit icmp host x.x.x.x any
    permit icmp host 4.2.2.2 any
    permit ip host x.x.x.x any
    permit ip host x.x.x.x any
    permit tcp x.x.x.x 0.0.0.255 any
    permit ip host x.x.x.x any
    permit ip host x.x.x.x any
    permit gre host x.x.x.x host x.x.x.x
    permit ip host x.x.x.x any
    permit ip any host x.x.x.x
    permit ip host x.x.x.x host x.x.x.x
    permit ip host x.x.x.x host x.x.x.x
    permit ip host x.x.x.x any
    permit ip host x.x.x.x any
    permit ip host x.x.x.x any
    deny ip any any log
    ip access-list extended outside_outbound
    permit ip any host x.x.x.x
    permit ip any any
    remark =========================================================
    remark = Block RFC1918 addresses sourced from internal network =
    deny ip any 10.0.0.0 0.255.255.255
    deny ip any 172.16.0.0 0.15.255.255
    deny ip any 192.168.0.0 0.0.255.255
    !

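The link-saturation side of the call-quality question comes down to the LLQ allocations in the policy-maps above: the `priority percent` given to VOICE-RTP plus the `bandwidth percent` guarantees of the other classes must fit under the interface's `max-reserved-bandwidth` (IOS default 75%), which this config raises to 99 on Multilink101. The following script is an added example, not the commenter's or Cisco's code; its parser is my own and deliberately ignores indentation, since configs pasted into web forms (like the one above) usually lose it. The two CPE policy-maps and the Multilink101 interface are copied from the posted config; the `Serial0/2/0:1` interface is constructed to show a policy applied on an interface that keeps the default ceiling.

```python
import re

# Constructed excerpt: the policy-maps and Multilink101 are copied from the
# config posted in comment 5; Serial0/2/0:1 is made up to show a policy
# applied without raising max-reserved-bandwidth.
SAMPLE_CONFIG = """\
policy-map CPE-49-OUT
description CPE Standard Policy # 49
class VOICE-RTP
priority percent 96
class VOICE-SIG
bandwidth percent 2
class MGMT
bandwidth percent 1
class class-default
fair-queue
random-detect
policy-map CPE-32-OUT
description CPE Standard Policy # 32
class VOICE-RTP
priority percent 48
class VOICE-SIG
bandwidth percent 2
class MGMT
set ip precedence 2
bandwidth percent 1
class PREMIUM-CUST
bandwidth percent 16
random-detect
class class-default
bandwidth percent 32
random-detect
!
interface Multilink101
description ** Public Interface **
max-reserved-bandwidth 99
service-policy output CPE-32-OUT
!
interface Serial0/2/0:1
service-policy output CPE-49-OUT
!
"""

IOS_DEFAULT_RESERVED_PCT = 75  # IOS default for max-reserved-bandwidth


def parse_ios(config):
    """Collect policy-map class allocations and per-interface output policies
    from a (possibly flattened) IOS config. Returns (policies, interfaces)."""
    policies, interfaces = {}, {}
    policy = cls = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map "):
            policy, cls, iface = line.split()[1], None, None
            policies[policy] = {}
        elif line.startswith("interface "):
            iface, policy, cls = line.split()[1], None, None
            interfaces[iface] = {"reserved_pct": IOS_DEFAULT_RESERVED_PCT, "policy": None}
        elif policy and line.startswith("class "):
            cls = line.split()[1]
            policies[policy][cls] = {"priority": 0, "bandwidth": 0}
        elif policy and cls:
            m = re.match(r"(priority|bandwidth) percent (\d+)", line)
            if m:
                policies[policy][cls][m.group(1)] = int(m.group(2))
        elif iface:
            m = re.match(r"max-reserved-bandwidth (\d+)", line)
            if m:
                interfaces[iface]["reserved_pct"] = int(m.group(1))
            m = re.match(r"service-policy output (\S+)", line)
            if m:
                interfaces[iface]["policy"] = m.group(1)
    return policies, interfaces


def audit_llq(config):
    """For each interface with an output policy, sum the guaranteed percentages
    (priority + bandwidth) and compare them with the interface's ceiling."""
    policies, interfaces = parse_ios(config)
    report = {}
    for name, info in interfaces.items():
        if not info["policy"]:
            continue
        classes = policies.get(info["policy"], {})
        priority = sum(c["priority"] for c in classes.values())
        bandwidth = sum(c["bandwidth"] for c in classes.values())
        report[name] = {
            "policy": info["policy"],
            "priority_pct": priority,
            "bandwidth_pct": bandwidth,
            "total_pct": priority + bandwidth,
            "reserved_pct": info["reserved_pct"],
            "within_limit": priority + bandwidth <= info["reserved_pct"],
        }
    return report


if __name__ == "__main__":
    for iface, r in audit_llq(SAMPLE_CONFIG).items():
        flag = "ok" if r["within_limit"] else "EXCEEDS max-reserved-bandwidth"
        print(f"{iface}: {r['policy']} priority={r['priority_pct']}% "
              f"guaranteed={r['total_pct']}% limit={r['reserved_pct']}% -> {flag}")
```

Run against the excerpt, Multilink101 with CPE-32-OUT comes out at 48% priority plus 51% guaranteed bandwidth, exactly the 99% ceiling, while the constructed serial interface with CPE-49-OUT is flagged because 99% does not fit under the default 75%. A policy that does not fit is rejected when attached, so the useful outcome of the check is catching the copy-paste case before it reaches a production router; it says nothing about the CPU side of the problem.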
  6. I'd be interested to see what the CPU utilization and number of active firewall sessions look like during periods of diminished audio quality. If the firewall is too busy to pregen the pinholes for RTP, I'd expect to see one-way audio or no audio at all. However, bad quality or choppy audio is generally indicative of an overloaded CPU or link saturation.

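To make the comparison the previous comment asks for, it helps to capture `show processes cpu` and `show ip inspect sessions` both at a quiet moment and while a user reports chop, then reduce each capture to a few numbers. The script below is an added example, not code from the blog or from Cisco: it parses the first line of `show processes cpu` (the `X%/Y%` pair is total and interrupt-level CPU over five seconds) and the `Session ... (src:port)=>(dst:port) proto state` lines of `show ip inspect sessions`, then applies the reasoning from comment 6. The two captures are constructed, with documentation-range addresses, and the 75% CPU threshold and the "half-open at least a quarter of established" heuristic are my own choices, not IOS values.

```python
import re
from dataclasses import dataclass, field

# Constructed captures in the format of "show processes cpu" (first line) and
# "show ip inspect sessions"; addresses are documentation ranges, not real hosts.
QUIET_CPU = "CPU utilization for five seconds: 23%/9%; one minute: 21%; five minutes: 20%"
QUIET_SESSIONS = """\
Established Sessions
 Session 64A5C1D0 (192.168.200.10:5060)=>(203.0.113.5:5060) sip SIS_OPEN
 Session 64A5C6E0 (192.168.200.10:16384)=>(203.0.113.5:16384) udp SIS_OPEN
 Session 64A5CBF0 (192.168.200.20:3456)=>(198.51.100.7:80) tcp SIS_OPEN
"""
BUSY_CPU = "CPU utilization for five seconds: 84%/71%; one minute: 80%; five minutes: 77%"
BUSY_SESSIONS = "Established Sessions\n" + "".join(
    f" Session 64B{i:05X} (192.168.200.{20 + i % 40}:{3000 + i})=>(198.51.100.7:80) tcp SIS_OPEN\n"
    for i in range(400)
) + "Half-open Sessions\n" + "".join(
    f" Session 64C{i:05X} (192.168.200.{20 + i % 40}:{4000 + i})=>(198.51.100.9:443) tcp SIS_OPENING\n"
    for i in range(120)
)

CPU_RE = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
                    r"one minute: (\d+)%; five minutes: (\d+)%")
SESSION_RE = re.compile(r"Session \S+ \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\S+) (\S+)")
VOICE_SIGNALLING = {"sip", "h323", "skinny", "mgcp"}  # inspect protocols that open RTP pinholes


@dataclass
class Sample:
    label: str
    cpu_5s: int          # total CPU over the last five seconds
    cpu_interrupt: int   # share of cpu_5s spent at interrupt level (packet switching)
    cpu_1m: int
    sessions: dict = field(default_factory=dict)  # inspect protocol -> established count
    half_open: int = 0


def parse_cpu_header(text):
    """Return (5s total, 5s interrupt, 1m, 5m) from the show processes cpu header."""
    m = CPU_RE.search(text)
    if not m:
        raise ValueError("no 'CPU utilization for five seconds' line found")
    return tuple(int(x) for x in m.groups())


def parse_inspect_sessions(text):
    """Count established sessions per protocol and half-open sessions overall."""
    established, half_open, in_half_open = {}, 0, False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("Sessions"):  # "Established Sessions" / "Half-open Sessions"
            in_half_open = s.lower().startswith("half-open")
            continue
        m = SESSION_RE.match(s)
        if not m:
            continue
        if in_half_open:
            half_open += 1
        else:
            proto = m.group(5)
            established[proto] = established.get(proto, 0) + 1
    return established, half_open


def make_sample(label, cpu_text, sessions_text):
    five, intr, one, _ = parse_cpu_header(cpu_text)
    established, half_open = parse_inspect_sessions(sessions_text)
    return Sample(label, five, intr, one, established, half_open)


def assess(sample, cpu_threshold=75):
    """Findings for one capture, following comment 6: sustained high CPU explains
    choppy audio; no inspected signalling session explains missing RTP pinholes."""
    findings = []
    if sample.cpu_5s >= cpu_threshold:
        # Heuristic (mine): interrupt-level CPU at half or more of the total means
        # the packet path (inspection, NAT, QoS) rather than a process is the load.
        kind = ("mostly interrupt-level (packet path)"
                if sample.cpu_interrupt * 2 >= sample.cpu_5s else "mostly process-level")
        findings.append(f"CPU {sample.cpu_5s}% over {cpu_threshold}%, {kind}")
    total = sum(sample.sessions.values())
    if sample.half_open and sample.half_open * 4 >= total:
        findings.append(f"{sample.half_open} half-open vs {total} established sessions")
    if not VOICE_SIGNALLING & set(sample.sessions):
        findings.append("no voice signalling session inspected, so CBAC has nothing "
                        "from which to open RTP pinholes")
    return findings


if __name__ == "__main__":
    for label, cpu, sess in (("quiet", QUIET_CPU, QUIET_SESSIONS),
                             ("during complaint", BUSY_CPU, BUSY_SESSIONS)):
        s = make_sample(label, cpu, sess)
        print(f"[{s.label}] cpu={s.cpu_5s}%/{s.cpu_interrupt}% "
              f"established={sum(s.sessions.values())} half-open={s.half_open}")
        for f in assess(s) or ["nothing unusual"]:
            print("  -", f)
```

Captures are pasted in as strings, so the script works on output saved from a terminal session without any access to the router. The interrupt-level figure is the one worth watching on a CBAC box: inspection, NAT and the service policies all run in the packet path, so a high second number with a moderate process share is the signature comment 6 describes.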


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.