802.1n slow with interface acl

Nov 21st, 2008

hello

I'm testing an 802.11n 1250 AP with a Cisco 4404 WLC and WiSMs (all running 5.1.151.0). Pretty impressive speeds with an Intel 4965agn client. The problem started when I added an ACL on the WLC and applied it to the interface used by the 802.11n SSID. The ACL slows the speed of the 802.11n network dramatically (even if it's one line of permit any any). Has anyone else had this issue?

Is it best practice to apply a wireless network ACL on the controller itself or to apply it on the VLAN SVI?

cheers

andy

Vinay Saini Sun, 11/23/2008 - 08:32

Hi Andrew


Applying an ACL should not create a performance issue. Are you using any tool to measure throughput?


Vinay

andrewswanson Mon, 11/24/2008 - 04:19

Hi Vinay

Thanks for the reply. I've been doing some throughput tests with Netcordia TTCP and got some interesting results. I've attached a network diagram to show where everything fits together. The WLC is a 4404 running 5.1.151.0 and the APs are 1130 and 1250.

The problem I'm having only happens when I apply an ACL (simple permit ip any any) to the interface on the 4404.


Test 1

1250 SSID - wpa2/aes 802.1x, WMM policy set to required


Throughput results between servers and Intel 4965agn without ACL on SSID interface


Server A - Transmit: 8388608 bytes in 1642 milli-seconds = 5108.775 KB/sec (40870.2 Kbps).

Server B - Transmit: 8388608 bytes in 1953 milli-seconds = 4295.242 KB/sec (34361.938 Kbps).


Throughput results between servers and Intel 4965agn with ACL on SSID interface


Server A - Transmit: 8388608 bytes in 1622 milli-seconds = 5171.768 KB/sec (41374.145 Kbps).

Server B - Transmit: 8388608 bytes in 23500 milli-seconds = 356.96204 KB/sec (2855.6963 Kbps).


Throughput between Server A and the Intel client is unaffected by applying the ACL, but the difference for Server B is pretty dramatic. Without the ACL the throughput is 34361.938 Kbps - with the ACL it is 2855.6963 Kbps!


Test 2

1130 SSID wpa/tkip 802.1x


This test duplicated what was seen with the 1250. Applying the ACL only affected throughput between Server B and the Intel client. With the 1130, Server B to Intel client throughput dropped from 17972.379 Kbps to 1575.5474 Kbps.


Any ideas why this is happening? The links between the 4507s and 6509s are configured for QoS for an IPT pilot we are running.

Thanks

Andy




ankbhasi Mon, 11/24/2008 - 05:22

Hi Andy,


Just looked at your description and tests. The problem is only observed with Server B. Can you do a test where there is no traffic from Server A and only send traffic between Server B and the wireless client?


Also, what kind of traffic is this, TCP or UDP? Can you also post the exact ACL rule here? As you mentioned it is permit ip any any, please paste the complete rule and also the direction in which you have applied this ACL.


Regards,


Ankur

andrewswanson Mon, 11/24/2008 - 07:05

Hi Ankur

The problem persists when only B is sending traffic. I was using TCP port 80 with TTCP - the full output from Server B looks like:


Transmit: buflen= 8192 nbuf= 1024 port= 80

Transmit connection:

Socket[addr=/,port=80,localport=1620].

Transmit: 8388608 bytes in 23500 milli-seconds = 356.96204 KB/sec (2855.6963 Kbps).


4507 A is a VTP domain server and has SVIs configured. There is a trunk link between the 4507 and the WLC 4404. The config on the 4404 is in XML format, so hopefully the following output makes more sense.

Output for 'show interface detailed 802dot1n_wireless':


Interface Name................................... 802dot1n_wireless

MAC Address...................................... XX:XX:XX:XX:XX:XX

IP Address....................................... XXX.XXX.XXX.XXX

IP Netmask....................................... 255.255.255.0

IP Gateway....................................... XXX.XXX.XXX.XXX

VLAN............................................. 241

Quarantine-vlan.................................. 0

Active Physical Port............................. LAG (29)

Primary Physical Port............................ LAG (29)

Backup Physical Port............................. Unconfigured

Primary DHCP Server.............................. XXX.XXX.XXX.XXX

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

ACL.............................................. 8021n

AP Manager....................................... No

Guest Interface.................................. No


Output for 'show acl detailed 8021n':


I  Dir  Source IP Address/Netmask  Destination IP Address/Netmask  Prot  Source Port Range  Dest Port Range  DSCP  Action  Counter
1  Any  0.0.0.0/0.0.0.0            0.0.0.0/0.0.0.0                 Any   0-65535            0-65535          Any   Permit  732378



Hope the above makes sense - let me know if you need any other info.

Thanks

Andy

andrewswanson Tue, 11/25/2008 - 06:15

Carried out more throughput tests with both the 1130 and 1250 APs:


1130 802.11g


Without ACL on WLC interface:

Server B transmitting to Intel client: 19262 Kbps

Intel client transmitting to Server B: 1384 Kbps


With ACL on WLC interface:

Server B transmitting to Intel client: 3230 Kbps

Intel client transmitting to Server B: 1274 Kbps


By applying the ACL, the 802.11g client's download throughput is 6 times slower - upload throughput is unaffected.



1250 802.11n


Without ACL on WLC interface:

Server B transmitting to Intel client: 44475 Kbps

Intel client transmitting to Server B: 53614 Kbps


With ACL on WLC interface:

Server B transmitting to Intel client: 2495 Kbps

Intel client transmitting to Server B: 54011 Kbps


By applying the ACL, the 802.11n client's download throughput is 18 to 20 times slower - upload throughput is unaffected.


I'll try upgrading the WLC software to the latest rev, 5.2.157, and see if that improves things. If not, I'll move the ACLs off the WLC and apply them to the VLAN SVIs on the Catalyst 4507.


Cheers

Andy
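An added example, not part of the thread: a small script that parses the TTCP summary lines quoted in this discussion (cross-checking the printed Kbps against bytes/time) and computes the per-direction slowdown factor from the with/without-ACL figures, so the "only one direction degraded" pattern Andy reports can be spotted from the raw numbers rather than by eye.

```python
import re

# Regex for the Netcordia TTCP summary line quoted in the thread, e.g.
# "Transmit: 8388608 bytes in 23500 milli-seconds = 356.96204 KB/sec (2855.6963 Kbps)."
TTCP_RE = re.compile(
    r"Transmit:\s+(?P<nbytes>\d+)\s+bytes\s+in\s+(?P<ms>\d+)\s+milli-seconds"
    r"\s+=\s+[\d.]+\s+KB/sec\s+\((?P<kbps>[\d.]+)\s+Kbps\)"
)


def parse_ttcp_kbps(line):
    """Return throughput in Kbps from a TTCP summary line, recomputed from
    bytes and milliseconds and cross-checked against the figure TTCP printed."""
    m = TTCP_RE.search(line)
    if not m:
        raise ValueError(f"not a TTCP summary line: {line!r}")
    kbps = int(m["nbytes"]) * 8 / int(m["ms"])   # bytes/ms * 8 == kbit/s
    if abs(kbps - float(m["kbps"])) > 0.001 * kbps:
        raise ValueError("printed Kbps does not match bytes/time")
    return round(kbps, 1)


def acl_impact(results, threshold=2.0):
    """results maps a direction label to (kbps_without_acl, kbps_with_acl).
    Returns the slowdown factor per direction and a verdict. A factor near 1
    in one direction but large in the other is the asymmetric pattern seen in
    the thread, which argues against a uniform per-packet ACL CPU cost."""
    factors = {d: round(before / after, 1) for d, (before, after) in results.items()}
    degraded = [d for d, f in factors.items() if f >= threshold]
    if not degraded:
        verdict = "no significant impact"
    elif len(degraded) == len(factors):
        verdict = "all directions degraded"
    else:
        verdict = "asymmetric: only " + ", ".join(degraded) + " degraded"
    return factors, verdict


# Figures from the 1250 802.11n test above (Kbps, without ACL / with ACL)
RESULTS_11N = {
    "download (Server B -> client)": (44475, 2495),
    "upload (client -> Server B)": (53614, 54011),
}

if __name__ == "__main__":
    line = "Transmit: 8388608 bytes in 23500 milli-seconds = 356.96204 KB/sec (2855.6963 Kbps)."
    print(parse_ttcp_kbps(line))
    print(acl_impact(RESULTS_11N))
```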


Vinay Saini Tue, 11/25/2008 - 06:19

Hi Andy


Can you please check the CPU and memory utilisation when the throughput is down, and let's compare with the normal situation.


Just wanted to make sure whether the ACL is taking much CPU.


Thanks

Vinay

andrewswanson Tue, 11/25/2008 - 06:31

Hi Vinay

I've moved all the APs off the 4404 onto a WiSM so that the only associated APs are the 1130 and the 1250 I'm using for testing.


The 4404 is running at a memory usage of 32% and the CPU goes to 4% maximum when I'm running tests (I'm using Cacti to poll the 4404, so I think these are 5 minute average values).


I'll try the latest software rev and post back.

Thanks

Andy

andrewswanson Tue, 11/25/2008 - 08:29

Same problem with 5.2.157 - I have rolled back to 5.1.151.0. I'll do some packet captures tomorrow. Strange that applying the ACL on the WLC only affects throughput from Server B but not Server A.

Cheers

Andy

andrewswanson Wed, 11/26/2008 - 04:14

Hello

Thought I'd try some older software revs on the WLC - rolled back to rev 5.0.148.2 and the results look pretty encouraging (compared to revs 5.2.157 and 5.1.151.0). Results are for the 1250 802.11n:


1250 802.11n


Without ACL on WLC interface:

Server B transmitting to Intel client: 43544 Kbps

Intel client transmitting to Server B: 50895 Kbps


With ACL on WLC interface:

Server B transmitting to Intel client: 27287 Kbps

Intel client transmitting to Server B: 44107 Kbps


By applying the ACL, the 802.11n client's download throughput is slightly slower - upload throughput is relatively unaffected.


Is 5.0.148.2 the most 'stable' of 5.x, or is there another rev worth trying?

Thanks

Andy

gamccall Mon, 11/24/2008 - 06:10

(never mind, misread)
