Showing results for 
Search instead for 
Did you mean: 


I'm working on tweaking the config on a 2911 ISR G2 with a ZBF and am looking for some input.  Our main issue right now is that the router is having performance issues once we hit certain troughput thresholds.

Right now, I have an inside-outside inspect set to look at all FTP, TCP, UDP, ICMP, DNS, SIP and HTTP (I know, its a bit redundant) traffic and do inspection on it then pass all other traffic.  From a company policy, we are not filtering ANY traffic of any kind going outbound.  (I know this isn't best practice but that's another battle for another day.)

Additionally, I have an outside-inside policy set to pass GRE traffic to an internal PPTP server (I know, not secure but its what we have.) then I have another inbound policy to inspect all traffic coming through that matches a specific ACL that defines all of the holes we're poking for hosting various functions on internal servers, etc.

Here's what I'm wondering...could I, should I, why would or wouldn't I simply pass traffic that matches specific ACLs or whatever instead of how we are presently doing a lot of inspection?

If I was to simply pass matching traffic instead of doing the inspect, would I see a substantial performance increase/workload decrease ont he 2911?

What are the security ramifications related to simply passing traffic instead of doing the inspection?



1] Inspection inspects the packet i.e it checks and maintains the state information like seq. numbers, port numbers, ip addresses, connection time, idle time etc,

2] Pass option simply passes the traffic without maintaining any records.

3] So when you have your policy set to "Inspect" the traffic, all the retun traffic is allowed by default to Inside.

4] When you have Pass policy from Inside to Outside, you will have to allow the retun traffic explicitly. That would be fine for configurtion but that would create a big security hole as now traffic originating outside of your Device will also be allowed to come Inside . It will be as good as no ZBF.

There are few whitepapers/Technotes on for tweaking the policies to enchance performance.

Let me know if this helped. Thanks.

Nandan Mathure


Thank you Nandan,

Do you happen to have some of the links to the articles you have found especially helpful?