11-14-2019 01:10 PM - edited 11-15-2019 12:19 AM
I configured the zone based firewall and the rules seem to work fine. However, the speeds are really bad. Even when just using pass actions it only reaches 1.5 Gbit/s (with the firewall turned off it reaches 9-10 Gbit/s).
This even happens with a very minimal ZBF config. There is a VM host connected to the first 10GE interface; the VMs reach 10 Gbit/s when using iperf without ZBF active, and after enabling it they slow down.
class-map type inspect match-any cmap--test
 match protocol tcp
 match protocol udp
!
policy-map type inspect pmap--test
 class type inspect cmap--test
  inspect
 class class-default
  drop
!
zone security test-in
zone security test-out
zone-pair security in-to-out source test-in destination test-out
 service-policy type inspect pmap--test
!
interface TenGigabitEthernet0/0/0.1
 encapsulation dot1Q 1000
 ip address 192.168.1.1 255.255.255.192
 zone-member security test-in
!
interface TenGigabitEthernet0/0/0.2
 encapsulation dot1Q 2000
 ip address 192.168.0.1 255.255.255.0
 zone-member security test-out
Is there any way to improve ZBF performance?
11-14-2019 01:48 PM
Configuration looks good. What image are you running on this box?
11-14-2019 02:03 PM
I am running asr1001x-universalk9.16.09.04.SPA.bin.
I have AES, 20GE throughput, and 10GE port licenses activated.
11-15-2019 04:38 AM
@AlexanderVotteler wrote:
firewall no no no no no
What happens if the FW license is enabled?
11-15-2019 05:02 AM
@AlexanderVotteler wrote:
What is the command to activate this license?
NOTE: Router is running 16.9.X and this equates to Smart Licensing.
Read this: Configuring a Cisco Right-To-Use License
You need to activate the evaluation license for the "firewall" feature
license boot level firewall
and accept the EULA
license accept end user agreement
11-15-2019 05:30 AM
The command
license boot level firewall
is not available on my machine. Does Smart Licensing imply I won't be able to activate this license unless I activate Smart Licensing? Should I downgrade to 16.6.X to allow activating it without Smart Licensing?
Thanks for your help!
11-15-2019 12:35 PM
I just did some more testing. Using iperf3, a single connection cannot reach more than 1.5 Gbit/s while ZBF is turned on. However, I can start 3 sessions and each of them goes above 1 Gbit/s. It seems single connections are limited; is there a workaround for this issue?
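The single-stream versus multi-stream comparison described in the post above is the test that distinguishes a per-flow limit from an aggregate throughput cap. The following is an added example (not from the original thread or from Cisco) that scripts that comparison over iperf3 JSON output: real results would come from `iperf3 -c <server> -J -P <streams>`, but the JSON documents here are constructed to mimic the figures reported in the thread (about 10 Gbit/s with ZBF off, about 1.5 Gbit/s for one stream with ZBF on, and roughly 1 Gbit/s per stream with three streams), so it runs offline. The `tolerance` threshold and the three verdict strings are assumptions of this example, not anything the router reports.

```python
"""Classify a firewall throughput penalty as per-flow or aggregate from
iperf3 -J results.  Added example; the JSON below is constructed, not
captured from a device."""
import json

GBIT = 1e9


def make_result(per_stream_bps, n_streams):
    """Build a minimal iperf3 -J style document (constructed test data).

    Only the fields this script reads are populated; a real iperf3
    document carries many more keys."""
    streams = [{"receiver": {"bits_per_second": per_stream_bps}}
               for _ in range(n_streams)]
    return json.dumps({
        "start": {"test_start": {"num_streams": n_streams}},
        "end": {
            "streams": streams,
            "sum_received": {"bits_per_second": per_stream_bps * n_streams},
        },
    })


# Constructed inputs modelled on the numbers reported in the thread.
BASELINE = make_result(9.8e9, 1)   # one stream, ZBF off
SINGLE = make_result(1.5e9, 1)     # one stream, ZBF on
PARALLEL = make_result(1.1e9, 3)   # three streams, ZBF on


def parse_iperf3(doc):
    """Return (aggregate_gbps, [per_stream_gbps, ...]) from an iperf3 -J document."""
    end = json.loads(doc)["end"]
    per_stream = [s["receiver"]["bits_per_second"] / GBIT for s in end["streams"]]
    return end["sum_received"]["bits_per_second"] / GBIT, per_stream


def classify_limit(baseline_doc, single_doc, parallel_doc, tolerance=0.25):
    """Compare three runs and say what kind of limit the firewall imposes.

    baseline_doc: one stream, firewall off
    single_doc:   one stream, firewall on
    parallel_doc: several streams, firewall on
    tolerance:    fraction of change treated as noise (assumed value)
    """
    base_total, _ = parse_iperf3(baseline_doc)
    single_total, _ = parse_iperf3(single_doc)
    par_total, par_streams = parse_iperf3(parallel_doc)

    if single_total >= base_total * (1 - tolerance):
        verdict = "no significant penalty"
    elif par_total > single_total * (1 + tolerance):
        # Adding streams lifts the aggregate well above the single-stream
        # figure, so each flow is capped individually rather than the box
        # as a whole.
        verdict = "per-flow limit"
    else:
        verdict = "aggregate limit"

    return {
        "verdict": verdict,
        "baseline_gbps": base_total,
        "single_gbps": single_total,
        "parallel_gbps": par_total,
        "min_stream_gbps": min(par_streams),
        "streams": len(par_streams),
    }


if __name__ == "__main__":
    result = classify_limit(BASELINE, SINGLE, PARALLEL)
    for key, value in result.items():
        print(f"{key:16} {value}")
```

With the constructed inputs the verdict is "per-flow limit": one stream stays near 1.5 Gbit/s while three streams together reach about 3.3 Gbit/s. Swap in real `iperf3 -J` captures for the three constants to test an actual device, and run each measurement several times before trusting a single reading.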
11-22-2019 10:46 AM
Downgrading doesn't help either. The command stays unavailable.
I do not think this is a supported command, since the configuration guide you mentioned only says the adventerprise, advipservices and ipbase license levels can be activated.