Running Older Code
If you are running a Cisco IOS version earlier than 12.2(8)T, you should seriously consider upgrading the code base, because a major performance initiative materialized in this specific version. Here are some of the changes that were made to improve the performance of CBAC:
- Allow users to dynamically change the size of the session hash table from 1K to 8K without reloading the router by using the ip inspect hashtable command. When a packet belonging to an existing session comes into the router, a hash table is used to map the packet to an existing firewall session. By increasing the size of the hash table, the number of sessions per hash bucket is reduced, and consequently the search time for the session is greatly reduced. This improves the throughput performance of the base engine. You should increase the hash table size when the total number of sessions running through the CBAC router is approximately twice the current hash size, and decrease the hash table size when the total number of sessions falls to approximately half the current hash size. Essentially, try to maintain a 1:1 ratio between the number of sessions and the size of the hash table.
- In versions prior to the performance improvement initiative, while processing packets for connection setup and teardown of TCP connections, the base engine of CBAC "bumped up" several packets to the process-switching path. This drastically slowed down their processing. Also, the base engine needed to process each packet again when it was bumped up into the process-switching path. This whole process of punting packets back and forth degraded performance substantially. The new version removes these restrictions by allowing only the first packet of any connection to be bumped up to the process-switching path, while the remaining packets are processed by the base engine in the fast path. Thus, the base engine is no longer slowed down by bumping up several packets or by processing packets twice.
- With the release of version 12.3(7)T, Cisco IOS Firewall Access Control List (ACL) bypass enhances the performance of Cisco IOS Firewall by removing multiple lookups on the return traffic passing through the router. Before this release, multiple checks were performed on each packet of the return traffic of an existing firewall flow: the input ACL search, the output ACL search, and the inspection session search. With the updated code, a check is performed only once, and packets are marked if they belong to an existing firewall session before the input ACL search. This marking is used to skip the input and output dynamic ACL searches.
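The hash-table sizing rule in the first item above (grow at roughly twice the table size, shrink at roughly half, aim for 1:1), worked through as an added example that is not Cisco's code. It assumes the allowed table sizes are the powers of two from 1024 to 8192 (the "1K to 8K" range) and that the command takes the form ip inspect hashtable <size>; both are assumptions, not statements from the text.

```python
from typing import Optional

# Added example, not Cisco code. Assumed (not stated on the page): the valid
# table sizes are 1024/2048/4096/8192 and the CLI syntax is
# "ip inspect hashtable <size>".
HASH_SIZES = (1024, 2048, 4096, 8192)


def best_fit_size(session_count: int) -> int:
    """Smallest allowed size giving at most one session per bucket (capped at 8K)."""
    for size in HASH_SIZES:
        if size >= session_count:
            return size
    return HASH_SIZES[-1]


def recommend_hash_size(current_size: int, session_count: int) -> int:
    """Size to configure. Only move when the text's thresholds are crossed, so
    normal fluctuation around 1:1 does not cause reconfiguration churn."""
    if current_size not in HASH_SIZES:
        raise ValueError(f"unsupported hash table size: {current_size}")
    if session_count >= 2 * current_size:      # ~twice the table: grow
        return best_fit_size(session_count)
    if session_count <= current_size // 2:     # ~half the table: shrink
        return best_fit_size(session_count)
    return current_size                        # inside the band: leave alone


def sessions_per_bucket(current_size: int, session_count: int) -> float:
    """Average chain length a session lookup walks; the reason the text resizes."""
    return session_count / current_size


def config_line(current_size: int, session_count: int) -> Optional[str]:
    """CLI line to apply, or None when no change is recommended."""
    new_size = recommend_hash_size(current_size, session_count)
    if new_size == current_size:
        return None
    return f"ip inspect hashtable {new_size}"


if __name__ == "__main__":
    # Constructed sample: session counts observed over a day on a router at 1K.
    size = 1024
    for count in (600, 1900, 2100, 7000, 3500, 900):
        load = sessions_per_bucket(size, count)
        print(f"sessions={count:5d} size={size} load={load:.2f} "
              f"-> {config_line(size, count) or 'no change'}")
        size = recommend_hash_size(size, count)
```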