CBAC Performance

Given all of the inspection features that CBAC supports, this can put a large burden on your router, especially in a large network that has many simultaneous sessions that CBAC must maintain. For each session that the router must keep track of, an additional 600 bytes of memory are required to the entry in the state table. If your router must support thousands of connections, your router's memory requirements will be high, as will the CPU cycles needed to handles all of these entries.

CBAC provides for three performance-improvement features, however, to help with reducing the overhead and load on your firewall router:

  • Throughput improvement

  • Connections per second improvement

  • CPU utilization improvement

Throughput Improvement Feature

Throughput, from the CBAC perspective, is defined by the number of packets transferred from one interface to another interface over a 1-second interval. CBAC uses a hash table to perform the lookup process to determine what session a packet is associated with. The issue of using a hashed table is that multiple session entries might match to the same hash value, thereby slowing down the search function of CBAC. When more then one connection entry matches the same hash value, this is called a collision. The more collisions that occur, the longer it takes to find a match, and, thus, the lower your throughput becomes. This is especially true as your connection table becomes larger.

The throughput performance feature of CBAC enables you to dynamically change the size of the hash table that references the connections without having to reboot the router. This feature is new in Cisco IOS 12.2(8)T and is configured using the following command:

Router(config)# ip inspect hashtable hash_number

The hash number that you configure specifies the number of buckets that the hash table uses. A bucket is basically a reference to one or more sessions. The more buckets you have, the less likely it is that you will experience collisions. The default number of buckets is 1024; this can be changed to 2048, 4096, or 8192.


The hash table size should be approximately the same number as the total number of concurrent sessions that CBAC is maintaining. If you set the size to a larger size and then later determine that the average number of concurrent sessions is smaller, you dynamically can change the bucket size. Typically, when the number of concurrent sessions falls to below half of the current size, you should adjust the table size downward.

Connections Per Second Improvement Feature

CBAC measures the number of short-lived connections that are created or deleted over a 1-second interval. CBAC can measure only connection-oriented connections. Therefore, only TCP connections are counted; UDP and ICMP are not. Normally, CBAC would process-switch packets for the first few initial TCP packets in adding or removing a connection from the state table. Then packets would be switched normally using whatever switching method was enabled on the router or its interfaces, including CEF. However, the problem with this approach is that it affects the performance of the router, especially if it was hit with hundreds of simultaneous TCP setup or teardown requests.

A good example of this is if your users constantly access Internet web servers. With HTTP, a single downloaded page could include dozens of small HTTP connections, each lasting a second or two. With hundreds of people simultaneously trying to download pages from a website, this seriously could degrade the performance of your router as CBAC is adding and then immediately deleting these connections from the state table.

The connections per second improvement feature reduces the number of packets that have to be processed switched to 1: only the first packet in the session is processed-switched (all packets after that are processed normally). This feature provides a significant boost in performance when your router experiences many short-lived connections, such as HTTP. This feature is new in Cisco IOS 12.2(8)T.

CPU Utilization Improvement Feature

Maintaining a low CPU utilization is important for a router using CBAC, especially when it has to handle hundreds or thousands of sessions. Cisco recently rewrote the code for identifying new sessions and how they are added and removed from the state table, reducing the number of CPU cycles required to process the connection. As mentioned in the discussion of the first feature, Cisco allows you to dynamically change the size of the hash table to reduce the likelihood of collisions that occur when the Cisco IOS is performing a CBAC state table lookup. As mentioned in the last section, the Cisco IOS reduces the number of times that it must perform process switching by doing this only on the first packet of a session. All other packets are switched normally, which means that fewer CPU cycles are required per packet and session. The CPU utilization feature also was introduced in Cisco IOS 12.2(8)T.