Cisco Network slow at peak

Unanswered Question
Aug 5th, 2010

Hi All,

I am a CCNA. I've set up a small business network in an office with one Cisco 877 ADSL router and a Cisco 2924 Catalyst switch. The internet connection has 4 MB downspeed. Over time I've got complaints from users saying that the internet is really slow. To reduce congestion I've blocked YouTube on the router:

    10 deny ip host 82.148.98.144 any log (8926 matches)
    20 deny ip host 82.148.98.147 any log (9013 matches)
    30 deny ip host 82.148.98.148 any log (8646 matches)
    40 deny ip host 82.148.98.150 any log (8218 matches)
    50 deny ip host 82.148.98.151 any log (8220 matches)
    60 deny ip host 82.148.98.153 any log (8413 matches)
    70 deny ip host 82.148.98.154 any log (8447 matches)
    80 permit ip any any (4068884 matches)

I've applied the access-list to the Dialer 1 interface inward. There are no other access-lists or security on the router or the switch. I've also checked the reliability, and it is as follows:

R877#sh int | include reliability |line |/sec
FastEthernet0 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  5 minute input rate 42000 bits/sec, 17 packets/sec
  5 minute output rate 103000 bits/sec, 18 packets/sec

FastEthernet1 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  5 minute input rate 6000 bits/sec, 6 packets/sec
  5 minute output rate 14000 bits/sec, 5 packets/sec

FastEthernet2 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec

FastEthernet3 is administratively down, line protocol is down
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec

ATM0 is up, line protocol is up
  MTU 4470 bytes, sub MTU 4470, BW 636 Kbit/sec, DLY 570 usec,
     reliability 255/255, txload 22/255, rxload 52/255
  5 minute input rate 132000 bits/sec, 23 packets/sec
  5 minute output rate 55000 bits/sec, 18 packets/sec

ATM0.1 is up, line protocol is up
  MTU 4470 bytes, BW 636 Kbit/sec, DLY 570 usec,
     reliability 255/255, txload 22/255, rxload 52/255
Vlan1 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  5 minute input rate 50000 bits/sec, 21 packets/sec
  5 minute output rate 123000 bits/sec, 21 packets/sec

NVI0 is administratively down, line protocol is down
  MTU 1514 bytes, BW 10000000 Kbit/sec, DLY 0 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec

Dialer1 is up, line protocol is up (spoofing)
  MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 236/255, rxload 16/255
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 116000 bits/sec, 0 packets/sec
  5 minute output rate 52000 bits/sec, 0 packets/sec

Virtual-Access1 is up, line protocol is up
  MTU 1500 bytes, BW 636 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 18/255, rxload 48/255
  5 minute input rate 119000 bits/sec, 22 packets/sec
  5 minute output rate 45000 bits/sec, 17 packets/sec

Virtual-Access1 is up, line protocol is up
  MTU 1500 bytes, BW 636 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 18/255, rxload 47/255
  5 minute input rate 119000 bits/sec, 22 packets/sec
  5 minute output rate 45000 bits/sec, 17 packets/sec

The question is: how can I get a smoothly running network? Is there a need for VLANs? Is there too much broadcast?

Any help is appreciated.

Thanks,

George.

Leo Laohoo Thu, 08/05/2010 - 16:29

1.  How many users do you have?

2.  2924XL? These models have very poor coding regarding "auto" negotiation. Verify that the speed and duplex are correct.

3.  VLAN is integral to Layer 2.  You can't have a Layer 2 switch without VLAN.

4.  Would be nice if you post the configs for both.

anishkgthomas Sat, 08/07/2010 - 10:08

Thank you Leo for your reply.

I've figured out myself to use the access-list and filter traffic, but I am still confused with the access-list part.

There are 24 users, of which 11 users are connected to the router via a 24-port Linksys switch and another 12 are connected to the router via a 24-port Cisco Catalyst 2924 XL switch. One Linksys wireless device is connected to the router for wireless access.

Following is my router config:

Building configuration...

Current configuration : 2937 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R877
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
enable secret 5 $1$WYlO$C.hjYkl0kxcVVoagcL5cr/
enable password 7 111D1C0919171F
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.253
ip dhcp excluded-address 192.168.1.252
!
ip dhcp pool Galileo
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server*********

   domain-name AlQayedTravel
!
!
ip name-server *********

ip name-server *********
!
!
!
username cisco password 7 094F471A1A0A
!
!
archive
log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
shutdown
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly
!
interface Vlan101
no ip address
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname s4368777
ppp chap password 7 13544541
ppp pap sent-username s4368777 password 7 08701E1D
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 permit any
access-list 101 remark BLOCK YOUTUBE,PERMIT WWW,TELNET TO ROUTER AND SWITCH,POP3,SMTP,UDP,AmadeusPrinter and BLOCK REST IP.
access-list 101 deny   ip host 82.148.98.144 any log
access-list 101 deny   ip host 82.148.98.147 any log
access-list 101 deny   ip host 82.148.98.148 any log
access-list 101 deny   ip host 82.148.98.150 any log
access-list 101 deny   ip host 82.148.98.151 any log
access-list 101 deny   ip host 82.148.98.153 any log
access-list 101 deny   ip host 82.148.98.154 any log
access-list 101 permit ip host 212.77.192.59 any
access-list 101 permit ip host 212.77.192.60 any
access-list 101 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 deny   ip any any log
access-list 101 deny   tcp any any log
!
!
!
control-plane
!
banner motd ^C
******* AL QAYED TRAVEL ADSL ROUTER *******
               DOHA QATAR
      UNAUTHORISED ACCESS PROHIBITED ^C
!
line con 0
password 7 050C070328404B064A5342
login
no modem enable
line aux 0
password 7 060506324F41
login
line vty 0 4
password 7 060506324F41
login
!
scheduler max-task-time 5000
end

Is the above access-list correct, or is it the one below?

The config below works fine but does not let me telnet to the router, while telnet to the switch works perfectly. An application that can run on SSL or HTTP ports does not work no matter what access-list I add in either direction.

access-list 101 deny ip any host 82.148.98.144 log
access-list 101 deny ip any host 82.148.98.147 log
access-list 101 deny ip any host 82.148.98.148 log
access-list 101 deny ip any host 82.148.98.150 log
access-list 101 deny ip any host 82.148.98.151 log
access-list 101 deny ip any host 82.148.98.153 log
access-list 101 deny ip any host 82.148.98.154 log
access-list 101 permit ip any host 212.77.192.59
access-list 101 permit ip any host 212.77.192.60
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp host 192.168.1.254 eq telnet any
access-list 101 permit tcp host 192.168.1.254 any eq telnet
access-list 101 permit tcp host 192.168.1.252 any eq telnet
access-list 101 permit icmp any any log
access-list 101 permit udp any any log
access-list 101 deny ip any any log

applied to

int vlan 1 in

Thanks in advance.
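To see why the two orderings behave differently, here is a small first-match simulator for exactly the ACL syntax used in the first post's match-count listing and in the two `access-list 101` variants above. This is an added example, not code from the thread or from Cisco: it parses only the tokens that appear in the post (`ip`/`tcp`/`udp`/`icmp`, `any`, `host`, `eq`, `log`; no wildcard masks or ranges), and the sample packets, including the workstation address `192.168.1.10` and the external address `203.0.113.10`, are constructed for the demonstration.

```python
"""Added example: first-match evaluation of the ACLs posted in this thread.
Not the router's own code; handles only the ACE forms present in the post."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "telnet": 23}  # keywords used in the post


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: Optional[str]     # None means "any"
    sport: Optional[int]   # None means any port
    dst: Optional[str]
    dport: Optional[int]
    log: bool
    text: str              # whitespace-normalised original line, for reporting


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_ace(line: str) -> Ace:
    toks = line.split()
    action, proto, rest = toks[2], toks[3], toks[4:]
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    addrs: List[Optional[str]] = []
    ports: List[Optional[int]] = [None, None]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok == "any":
            addrs.append(None); i += 1
        elif tok == "host":
            addrs.append(rest[i + 1]); i += 2
        elif tok == "eq":
            ports[len(addrs) - 1] = _port(rest[i + 1]); i += 2  # qualifies the address just parsed
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    src, dst = addrs
    return Ace(action, proto, src, ports[0], dst, ports[1], log, " ".join(toks))


def parse_acl(config: str) -> List[Ace]:
    return [parse_ace(l) for l in config.splitlines()
            if l.strip().startswith("access-list") and l.split()[2] != "remark"]


def matches(ace: Ace, proto, src, sport, dst, dport) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and ace.src in (None, src) and ace.dst in (None, dst)
            and ace.sport in (None, sport) and ace.dport in (None, dport))


def evaluate(acl: List[Ace], proto, src, dst, sport=None, dport=None) -> Tuple[str, str]:
    """First matching entry wins; nothing matching means the implicit deny."""
    for ace in acl:
        if matches(ace, proto, src, sport, dst, dport):
            return ace.action, ace.text
    return "deny", "<implicit deny any>"


def shadowed(acl: List[Ace]) -> List[str]:
    """Entries that can never be reached because an earlier 'ip any any' entry matches every packet."""
    catch_all, out = False, []
    for ace in acl:
        if catch_all:
            out.append(ace.text)
        elif ace.proto == "ip" and ace.src is None and ace.dst is None:
            catch_all = True
    return out


# The two ACLs as posted (youtube denies abbreviated to two entries to keep this short).
ACL_A = parse_acl("""
access-list 101 deny   ip host 82.148.98.144 any log
access-list 101 deny   ip host 82.148.98.147 any log
access-list 101 permit ip host 212.77.192.59 any
access-list 101 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 deny   ip any any log
access-list 101 deny   tcp any any log
""")
ACL_B = parse_acl("""
access-list 101 deny ip any host 82.148.98.144 log
access-list 101 deny ip any host 82.148.98.147 log
access-list 101 permit ip any host 212.77.192.59
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp host 192.168.1.254 eq telnet any
access-list 101 permit tcp host 192.168.1.254 any eq telnet
access-list 101 permit tcp host 192.168.1.252 any eq telnet
access-list 101 permit icmp any any log
access-list 101 permit udp any any log
access-list 101 deny ip any any log
""")

if __name__ == "__main__":
    # Constructed packet: a workstation (192.168.1.10) opening telnet to the router's Vlan1 address.
    for name, acl in (("first", ACL_A), ("second", ACL_B)):
        print(name, "ACL:", evaluate(acl, "tcp", "192.168.1.10", "192.168.1.254", 40000, 23))
    print("never reachable in the first ACL:", shadowed(ACL_A))
```

Running it shows that in the first ACL the `permit ip any any` entry matches the telnet packet (and every other packet) before the six entries below it are ever consulted, while in the second ACL a telnet from an ordinary workstation to 192.168.1.254 falls through to the final `deny ip any any log`, because the two `host 192.168.1.254` entries only match packets whose *source* is the router; only a packet sourced from 192.168.1.252 reaches a telnet permit.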

Alexander Pai Tue, 08/10/2010 - 11:39

Hi George,

Your access-lists themselves may be contributing to the latency. Whenever we use ACL logging, we require the packet to be process switched and to spend additional CPU cycles logging the message, instead of quickly dropping the packet via the CEF path. Although these packets are dropped eventually, process switching a sufficient load can induce latency and high CPU. Try removing the "log" keyword from the ACL statements to see if that helps.

The only other common causes of latency based off of your configuration would be your NAT utilization. How many NAT translations do we have in the table when we observe the latency?

     show ip nat stat

     show ip nat trans

Does performance improve when we clear the nat table?

     clear ip nat trans *

We also should take a look at all the counters included in the full "show interface" output. Take multiple captures of this when you observe the symptoms and see if any of the counters are increasing. For example, Leo mentioned possible duplex issues, in which case we would observe excessive collisions and runts on a misconfigured port.

-Alex
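Comparing several `show interfaces` captures by eye is tedious, so here is an added example (not code from the thread or from Cisco) that parses the per-interface error counters out of two captures and reports only the ones that went up between them, which is the duplex/collision check Alex and Leo describe. The two captures below are constructed samples in the standard IOS counter-line format; the watch list of counter names is an assumption about which lines a practitioner would care about.

```python
"""Added example: diff error counters between two 'show interfaces' captures.
Constructed sample captures; the regexes follow the standard IOS line layout."""
import re
from typing import Dict, List, Tuple

IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
# "<number> <counter name>" pairs, terminated by a comma or end of line
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|\s*$)")

# Counters worth alarming on (assumed watch list); packet/byte totals are ignored.
ERROR_COUNTERS = {"input errors", "CRC", "frame", "overrun", "ignored", "runts",
                  "giants", "throttles", "output errors", "collisions",
                  "interface resets", "late collision", "output buffer failures"}


def parse_show_interfaces(text: str) -> Dict[str, Dict[str, int]]:
    """Map interface name -> {counter name: value} for every counter line."""
    counters: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            counters[current] = {}
            continue
        if current is None:
            continue
        for value, name in COUNTER_RE.findall(line):
            counters[current][name.strip()] = int(value)
    return counters


def increasing_counters(before: Dict[str, Dict[str, int]],
                        after: Dict[str, Dict[str, int]],
                        watch=ERROR_COUNTERS) -> List[Tuple[str, str, int, int]]:
    """(interface, counter, old, new) for every watched counter that grew."""
    hits = []
    for iface, cnts in after.items():
        prev = before.get(iface, {})
        for name, val in cnts.items():
            if name in watch and val > prev.get(name, 0):
                hits.append((iface, name, prev.get(name, 0), val))
    return hits


# Constructed captures: Fa0 is clean, Fa1 (half duplex) accumulates collisions and runts.
CAPTURE_1 = """FastEthernet0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     1204532 packets input, 98234122 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 runts, 0 giants, 0 throttles
     0 output errors, 0 collisions, 1 interface resets
FastEthernet1 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     88213 packets input, 7123455 bytes, 0 no buffer
     14 input errors, 12 CRC, 2 frame, 0 overrun, 0 ignored
     37 runts, 0 giants, 0 throttles
     0 output errors, 1190 collisions, 2 interface resets
"""
CAPTURE_2 = """FastEthernet0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     1301877 packets input, 106511204 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 runts, 0 giants, 0 throttles
     0 output errors, 0 collisions, 1 interface resets
FastEthernet1 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     95102 packets input, 7701233 bytes, 0 no buffer
     31 input errors, 27 CRC, 4 frame, 0 overrun, 0 ignored
     52 runts, 0 giants, 0 throttles
     0 output errors, 1510 collisions, 2 interface resets
"""

if __name__ == "__main__":
    for iface, name, old, new in increasing_counters(parse_show_interfaces(CAPTURE_1),
                                                     parse_show_interfaces(CAPTURE_2)):
        print(f"{iface}: {name} {old} -> {new}")
```

Run it against two real captures taken a few minutes apart; a port whose collisions, runts or CRC counters keep climbing while the other side shows full duplex is the mismatch Leo referred to.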

anishkgthomas Wed, 08/11/2010 - 03:28

Hi Alex,

Thank you for the info about logging and CPU load. I'll change those once I get back to the site. So far what I've done is create two access-lists for two VLANs. The router does not let me create another VLAN, as 2 is the maximum number of VLANs allowed. The default access-list for VLAN 1 blocks all the users from accessing YouTube, applied inbound on int vlan1; the second blocks YouTube and Facebook for selected users. The switch has a VLAN 2 to which the users are added to block Facebook and YouTube. The wireless also works on VLAN 2.

Regarding the slow network, I've monitored the network packets using Wireshark and found an infected PC on the network. It was broadcasting a lot of traffic. So comparatively the network is better now. Should I be worried about other traffic like netbios-dgm, ss & ns? I will post the new config and the results of the commands you mentioned once I reach the site.
