ASR 1001-X ZBF: low throughput

I configured the zone based firewall and the rules seem to work fine. However, the speeds are really bad. Even when just using pass actions it only reaches 1.5 Gbit/s (with the firewall turned off it reaches 9-10 Gbit/s).

This even happens with a very minimal ZBF config. There is a VM host connected to the first 10GE interface; the VMs reach 10 Gbit/s with iperf while ZBF is inactive, and slow down after it is enabled.

class-map type inspect match-any cmap--test
 match protocol tcp
 match protocol udp
!
policy-map type inspect pmap--test
 class type inspect cmap--test
  inspect
 class class-default
  drop
!
zone security test-in
zone security test-out
zone-pair security in-to-out source test-in destination test-out
 service-policy type inspect pmap--test
!
interface TenGigabitEthernet0/0/0.1
 encapsulation dot1Q 1000
 ip address 192.168.1.1 255.255.255.192
 zone-member security test-in
!
interface TenGigabitEthernet0/0/0.2
 encapsulation dot1Q 2000
 ip address 192.168.0.1 255.255.255.0
 zone-member security test-out

Is there any way to improve ZBF performance?

Sheraz.Salim
VIP Alumni

Configuration looks good. What image are you running on this box?

please do not forget to rate.

I am running asr1001x-universalk9.16.09.04.SPA.bin.

I have AES, 20GE throughput, and 10GE port licenses activated.

16.9.4?
In a Notepad, post the complete output to the command "sh license feature" and attach the file.

Yes, it is version 16.9.4. I have attached the output of "sh license feature".


@AlexanderVotteler wrote:
firewall                 no           no          no             no       no  

What happens if the FW license is enabled?  

What is the command to activate this license?


@AlexanderVotteler wrote:
What is the command to activate this license?

NOTE: Router is running 16.9.X and this equates to Smart Licensing.

Read this: Configuring a Cisco Right-To-Use License

You need to activate the evaluation license for the "firewall" feature

license boot level firewall

and accept the EULA

license accept end user agreement


The command

license boot level firewall

is not available on my machine. Does Smart Licensing imply I won't be able to activate this license without activating Smart Licensing? Should I downgrade to 16.6.X to allow activating it without Smart Licensing?

Thanks for your help!

I just did some more testing. Using iperf3, a single connection cannot reach more than 1.5 Gbit/s while ZBF is turned on. However, I can start 3 sessions and each of them goes above 1 Gbit/s. It seems single connections are limited; is there a workaround for this issue?
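To make the single-stream versus multi-stream comparison in the post above repeatable, here is an added example (not from this thread or from Cisco) that parses two `iperf3 -J` reports and reports whether the bottleneck is a per-flow cap (aggregate scales with stream count) or an aggregate cap. The JSON reports are constructed samples shaped like iperf3 output, with made-up numbers mirroring the thread; the 10 Gbit/s link rate is an assumption.

```python
import json

# Constructed iperf3 JSON reports (shape of `iperf3 -c <server> -J [-P N]` output,
# trimmed to the fields read below). Numbers are made up to mirror the thread:
# one stream stalls near 1.5 Gbit/s, three parallel streams each exceed 1 Gbit/s.
SINGLE_RUN = """{"end": {"streams": [
  {"sender": {"bits_per_second": 1.49e9}}],
  "sum_sent": {"bits_per_second": 1.49e9}}}"""
PARALLEL_RUN = """{"end": {"streams": [
  {"sender": {"bits_per_second": 1.21e9}},
  {"sender": {"bits_per_second": 1.18e9}},
  {"sender": {"bits_per_second": 1.25e9}}],
  "sum_sent": {"bits_per_second": 3.64e9}}}"""

GBIT = 1e9


def stream_rates_gbps(report_json: str) -> list[float]:
    """Per-stream sender throughput in Gbit/s from an iperf3 -J report."""
    end = json.loads(report_json)["end"]
    return [s["sender"]["bits_per_second"] / GBIT for s in end["streams"]]


def aggregate_gbps(report_json: str) -> float:
    """Aggregate sender throughput in Gbit/s (iperf3's sum_sent)."""
    return json.loads(report_json)["end"]["sum_sent"]["bits_per_second"] / GBIT


def diagnose(single_json: str, parallel_json: str, link_gbps: float = 10.0) -> dict:
    """Compare a 1-stream run with an N-stream run. If the aggregate grows well
    beyond the single-stream rate, the limit is applied per flow; if it does not,
    the limit applies to total throughput. link_gbps is an assumed line rate."""
    single = aggregate_gbps(single_json)
    streams = stream_rates_gbps(parallel_json)
    agg = aggregate_gbps(parallel_json)
    if single >= 0.9 * link_gbps:
        verdict = "no bottleneck"
    elif agg >= 1.5 * single:
        verdict = "per-flow cap"
    else:
        verdict = "aggregate cap"
    return {
        "single_gbps": round(single, 2),
        "parallel_streams": len(streams),
        "parallel_aggregate_gbps": round(agg, 2),
        "min_stream_gbps": round(min(streams), 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(diagnose(SINGLE_RUN, PARALLEL_RUN))
```

Replace the constructed strings with the output of real `iperf3 -J` runs (one with `-P 1`, one with `-P 3`) taken with ZBF enabled to classify your own case.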

Try downgrading to 16.6.X and see if you can enable the eval firewall license.

Downgrading doesn't help either. The command stays unavailable.

I do not think this is a supported command, since the configuration guide you mentioned only says the adventerprise, advipservices and ipbase license levels can be activated.
