Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
696
Views
0
Helpful
2
Replies

ZBF and DPI

jnrnetworks
Level 1
Level 1

‎04-15-2012 12:29 PM - edited ‎03-04-2019 04:01 PM

I'm working on tweaking the config on a 2911 ISR G2 with a ZBF and am looking for some input.  Our main issue right now is that the router is having performance issues once we hit certain troughput thresholds.

Right now, I have an inside-outside inspect set to look at all FTP, TCP, UDP, ICMP, DNS, SIP and HTTP (I know, its a bit redundant) traffic and do inspection on it then pass all other traffic.  From a company policy, we are not filtering ANY traffic of any kind going outbound.  (I know this isn't best practice but that's another battle for another day.)

Additionally, I have an outside-inside policy set to pass GRE traffic to an internal PPTP server (I know, not secure but its what we have.) then I have another inbound policy to inspect all traffic coming through that matches a specific ACL that defines all of the holes we're poking for hosting various functions on internal servers, etc.

Here's what I'm wondering...could I, should I, why would or wouldn't I simply pass traffic that matches specific ACLs or whatever instead of how we are presently doing a lot of inspection?

If I was to simply pass matching traffic instead of doing the inspect, would I see a substantial performance increase/workload decrease ont he 2911?

What are the security ramifications related to simply passing traffic instead of doing the inspection?

Labels:
0 Helpful
2 Replies 2

Nandan Mathure
Level 1
Level 1

‎04-15-2012 06:54 PM

Hi!

1] Inspection inspects the packet i.e it checks and maintains the state information like seq. numbers, port numbers, ip addresses, connection time, idle time etc,

2] Pass option simply passes the traffic without maintaining any records.

3] So when you have your policy set to "Inspect" the traffic, all the retun traffic is allowed by default to Inside.

4] When you have Pass policy from Inside to Outside, you will have to allow the retun traffic explicitly. That would be fine for configurtion but that would create a big security hole as now traffic originating outside of your Device will also be allowed to come Inside . It will be as good as no ZBF.

There are few whitepapers/Technotes on cisco.com for tweaking the policies to enchance performance.

Let me know if this helped. Thanks.

Nandan Mathure

0 Helpful

jnrnetworks
Level 1
Level 1
In response to Nandan Mathure

‎04-15-2012 08:49 PM

Thank you Nandan,

Do you happen to have some of the links to the articles you have found especially helpful?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card