ASR 1001-X ZBF: low throughput

I configured the zone-based firewall and the rules seem to work fine. However, the speeds are really bad. Even when just using pass actions, it only reaches 1.5 Gbit/s (with the firewall turned off it reaches 9-10 Gbit/s).

This even happens with a very minimal ZBF config. There is a VM host connected to the first 10GE interface; the VMs reach 10 Gbit/s when using iperf without ZBF active, and after enabling it they slow down.

class-map type inspect match-any cmap--test
 match protocol tcp
 match protocol udp
!
policy-map type inspect pmap--test
 class type inspect cmap--test
  inspect
 class class-default
  drop
!
zone security test-in
zone security test-out
zone-pair security in-to-out source test-in destination test-out
 service-policy type inspect pmap--test
!
interface TenGigabitEthernet0/0/0.1
 encapsulation dot1Q 1000
 ip address 192.168.1.1 255.255.255.192
 zone-member security test-in
!
interface TenGigabitEthernet0/0/0.2
 encapsulation dot1Q 2000
 ip address 192.168.0.1 255.255.255.0
 zone-member security test-out

Is there any way to improve ZBF performance?

11 Replies

Configuration looks good. What image are you running on this box?

please do not forget to rate.

I am running asr1001x-universalk9.16.09.04.SPA.bin.

I have AES, 20GE throughput, and 10GE port licenses activated.

16.9.4?
In a Notepad, post the complete output to the command "sh license feature" and attach the file.

Yes, it is version 16.9.4. I have attached the output of "sh license feature".


@AlexanderVotteler wrote:
firewall                 no           no          no             no       no  

What happens if the FW license is enabled?  
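The reply above hinges on one row of the "sh license feature" table: the "firewall" feature shows "no" in every column. The following Python is an added example (not from the thread or from Cisco) that parses that table layout and reports whether a feature is enabled or has an evaluation or right-to-use license available. The column names (Enforcement, Evaluation, Subscription, Enabled, RightToUse) are an assumption about the output format; the sample text is constructed, with only the "firewall" row taken from the thread.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of IOS-XE "show license feature".
# Column names are assumed; only the "firewall" row (all "no") comes from
# the thread, the other rows are invented to exercise the parser.
SAMPLE_OUTPUT = """\
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
adventerprise            yes          yes         no             no       yes
advipservices            yes          yes         no             no       yes
ipbase                   no           no          no             yes      no
firewall                 no           no          no             no       no
"""

# Assumed column order after the feature name.
COLUMNS = ("enforcement", "evaluation", "subscription", "enabled", "righttouse")


def parse_license_feature(text: str) -> Dict[str, Dict[str, bool]]:
    """Return {feature_name: {column: bool}} for every yes/no data row."""
    features: Dict[str, Dict[str, bool]] = {}
    for line in text.splitlines():
        parts = line.split()
        # A data row is the feature name followed by exactly five yes/no flags;
        # the header row and blank lines do not match this shape.
        if len(parts) != len(COLUMNS) + 1:
            continue
        name, flags = parts[0], parts[1:]
        if not all(re.fullmatch(r"yes|no", f) for f in flags):
            continue
        features[name] = {col: (f == "yes") for col, f in zip(COLUMNS, flags)}
    return features


def feature_status(features: Dict[str, Dict[str, bool]], name: str) -> str:
    """Summarise one feature: enabled, available but not enabled, or not available."""
    f = features.get(name)
    if f is None:
        return "unknown"
    if f["enabled"]:
        return "enabled"
    if f["evaluation"] or f["righttouse"]:
        return "available (not enabled)"
    return "not available"


def activatable_features(features: Dict[str, Dict[str, bool]]) -> List[str]:
    """Features that are not enabled yet but have an evaluation or RTU license."""
    return sorted(name for name, f in features.items()
                  if not f["enabled"] and (f["evaluation"] or f["righttouse"]))


if __name__ == "__main__":
    parsed = parse_license_feature(SAMPLE_OUTPUT)
    for feature in parsed:
        print(f"{feature:16} {feature_status(parsed, feature)}")
    print("activatable:", activatable_features(parsed))
```

Run against the real command output, a "not available" result for "firewall" is the condition the reply is pointing at: nothing in the table offers a license to switch on, which matches the later finding in the thread that "license boot level firewall" is not accepted.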

What is the command to activate this license?


@AlexanderVotteler wrote:
What is the command to activate this license?

NOTE:  Router is running 16.9.X and this equates to Smart Licensing. 

Read this:  Configuring a Cisco Right-To-Use License

You need to activate the evaluation license for the "firewall" feature:

license boot level firewall

and accept the EULA:

license accept end user agreement

The command

license boot level firewall

is not available on my machine. Does Smart Licensing imply I won't be able to activate this license unless I activate Smart Licensing? Should I downgrade to 16.6.X to allow activating it without Smart Licensing?

Thanks for your help!

I just did some more testing. Using iperf3, a single connection cannot reach more than 1.5 Gbit/s while ZBF is turned on. However, I can start 3 sessions and each of them goes above 1 Gbit/s. It seems single connections are limited; is there a workaround for this issue?
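The observation above (one stream caps near 1.5 Gbit/s, three streams each get about the same) is the classic signature of a per-flow limit rather than an aggregate one. The Python below is an added example, not part of the thread, that reads iperf3 JSON reports ("iperf3 -J") from a one-stream and a multi-stream run and classifies which kind of limit the numbers show. The JSON layout ("end" / "streams" / "receiver" / "bits_per_second") is assumed from iperf3's report format, and the sample reports are constructed to mirror the symptom described in the post.

```python
import json
from typing import List

# Constructed iperf3 "-J" style reports (layout assumed). Values are invented
# to match the symptom in the thread: one stream caps near 1.5 Gbit/s and
# three parallel streams each reach roughly the same rate.
SINGLE_STREAM_JSON = json.dumps({"end": {"streams": [
    {"receiver": {"bits_per_second": 1.49e9}},
]}})
THREE_STREAM_JSON = json.dumps({"end": {"streams": [
    {"receiver": {"bits_per_second": 1.45e9}},
    {"receiver": {"bits_per_second": 1.41e9}},
    {"receiver": {"bits_per_second": 1.47e9}},
]}})


def stream_rates_gbps(report_json: str) -> List[float]:
    """Per-stream receive rates in Gbit/s taken from an iperf3 JSON report."""
    report = json.loads(report_json)
    return [s["receiver"]["bits_per_second"] / 1e9 for s in report["end"]["streams"]]


def classify_limit(single_json: str, parallel_json: str,
                   link_gbps: float = 10.0, tol: float = 0.15) -> str:
    """
    Compare a one-stream run against a multi-stream run on the same path.

    'line-rate': the multi-stream total is within tol of the link speed, so
                 there is no meaningful cap.
    'per-flow':  every parallel stream runs at about the single-stream rate and
                 the total grows with the stream count (the thread's symptom).
    'aggregate': adding streams does not lift the total; the cap applies to the
                 whole path, not to each flow.
    """
    single = stream_rates_gbps(single_json)[0]
    rates = stream_rates_gbps(parallel_json)
    total = sum(rates)
    if total >= link_gbps * (1 - tol):
        return "line-rate"
    each_like_single = all(abs(r - single) <= single * tol for r in rates)
    if len(rates) > 1 and each_like_single and total > single * (1 + tol):
        return "per-flow"
    return "aggregate"


if __name__ == "__main__":
    print("single stream:", stream_rates_gbps(SINGLE_STREAM_JSON))
    print("three streams:", stream_rates_gbps(THREE_STREAM_JSON))
    print("limit type:", classify_limit(SINGLE_STREAM_JSON, THREE_STREAM_JSON))
```

With real reports, capture the one-stream run with "iperf3 -c <server> -J" and the parallel run with "iperf3 -c <server> -P 3 -J"; a "per-flow" verdict means a single flow will not get more than the cap no matter how the link is sized, while an "aggregate" verdict points at total inspection capacity.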

Try downgrading to 16.6.X and see if you can enable the eval firewall license.

Downgrading doesn't help either. The command stays unavailable.

I do not think this is a supported command, since the configuration guide you mentioned only says the adventerprise, advipservices and ipbase license levels can be activated.
