Cisco 2801 bandwidth issues

Jaydubya3 (Level 1)

I'm trying to replace an ASA 5505 with a Cisco 2801 w/ security bundle.

I have gone through a pretty basic setup, configuring what I could and letting the Cisco Config Prof do the security audit to lock it down. I have everything working just fine except for the bandwidth.

As soon as I plug the router in, it seems to give all the bandwidth to one computer and the rest of the campus slows down to a crawl.

I turned on "fair-queue" and even tried the QoS wizard in CCP, but it seems like that's for prioritizing voice over data, which I don't need since we aren't running VoIP.

I am completely missing something and could really use some help.

7 Replies

andrew.prince (Level 10)

Post your config for review.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip port-map pptp port tcp 1723 list 4
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW http urlfilter
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 sip
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 imap
ip inspect name sdm_ins_in_100 pop3
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 esmtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip tcp synwait-time 10
!
!
ip flow-cache timeout active 1
no ip bootp server
ip name-server 10.10.10.13
ip urlfilter server vendor n2h2 10.10.10.60
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
crypto pki trustpoint TP-self-signed-2736186409
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2736186409
 revocation-check none
 rsakeypair TP-self-signed-2736186409
!
!
crypto pki certificate chain TP-self-signed-2736186409
 certificate self-signed 01
  quit
username privilege 15 secret 5
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address
 ip access-group 107 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect sdm_ins_in_100 in
 ip inspect CCP_LOW out
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 fair-queue
 no mop enabled
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 10.10.10.2 255.255.0.0
 ip access-group 106 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 fair-queue
 no mop enabled
!
ip default-gateway
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 10.10.10.11 9996
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 60000
!
ip http server
ip http access-class 2
ip http secure-server
ip nat inside source list 5 interface FastEthernet0/0 overload
ip nat inside source static 10.10.10.10
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.0.0 0.0.255.255
access-list 2 deny   any
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.0.0 0.0.255.255
access-list 4 remark CCP_ACL Category=1
access-list 4 permit 10.10.10.10
access-list 5 remark CCP_ACL Category=2
access-list 5 permit 10.10.0.0 0.0.255.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny   ip 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 106 remark auto generated by CCP firewall configuration
access-list 106 remark CCP_ACL Category=1
access-list 106 deny   ip 0.0.0.7 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 107 remark auto generated by CCP firewall configuration
access-list 107 remark CCP_ACL Category=1
access-list 107 permit udp any host
access-list 107 permit tcp any host
access-list 107 remark GRE
access-list 107 permit gre any host
access-list 107 deny   ip 10.10.0.0 0.0.255.255 any
access-list 107 permit icmp any host echo-reply
access-list 107 permit icmp any host time-exceeded
access-list 107 permit icmp any host unreachable
access-list 107 deny   ip 10.0.0.0 0.255.255.255 any
access-list 107 deny   ip 172.16.0.0 0.15.255.255 any
access-list 107 deny   ip 192.168.0.0 0.0.255.255 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip host 0.0.0.0 any
access-list 107 deny   ip any any log
snmp-server ifindex persist
no cdp run
!
!
control-plane
!
banner motd ^C
******************************
You are accessing $(hostname)
Unauthorized access prohibited
******************************
^C
!
line con 0
 authorization exec local_author
 logging synchronous
 login authentication local_authen
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 authorization exec local_author
 logging synchronous
 login authentication local_authen
 transport input ssh
!
end

Not sure what you mean by "all the bandwidth goes to one computer", but one thing I spotted was that your static route points to an interface.

Read the link below and consider making the change.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800ef7b2.shtml

Well, there are a few things that happen.

First, I get reports from multiple people that someone is hogging all the bandwidth. On the other hand, I have had other people say that their internet hasn't slowed down and is fine.

I then go and check the flows, and it shows one local IP using almost all of the bandwidth for small tasks, such as email recovery. For instance, I turned it on yesterday and the computer of someone who wasn't here immediately spiked on the logs with a source of 1e100.net (which I'm assuming was just Gmail, as we use Google Apps).

It would be helpful to have some knowledge of the topology behind the router.

Just an editorial here: I would use the ASA for security and the 2801 for routing, and not combine the two functions.

Start looking at traffic policing; it may meet your needs regarding overconsumption of resources.

With any luck someone else will pick up this thread next week. I'm on vacation.

More info: my current topology is ISP - ASA - Core Switch.

I need to replace the ASA as it is not passing PCI compliance.

I changed the static route as per your first reply.

After working on it again today, I think that instead of giving away too much bandwidth it may not be giving enough.

I plugged it in and ran a speedtest on my phone via wifi, and it was only giving me 0.05 Mbps download but close to 4.0 Mbps upload. There is hardly anyone here because of the impending holiday, and I checked the flows and no one even got close to peaking at our max of 4.5 Mbps download.

jyoung (Level 1)

The ASA is by far a better firewall than a 2800 because it is a firewall by design. It is PCI compliant (and generally considered more secure than IOS), assuming your old configuration was correct. That being said, IOS inspection is a much slower firewall. I would remove all ACLs and the CBAC, both inbound and out, and test the speed. If your results are still bad, I would set the interfaces to manual speed and duplex on all network devices. If your results are better, I would try to use zone based firewall or go back to the ASA.

Sent from Cisco Technical Support iPhone App
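As an added example (not code from the thread), a small Python audit that parses a constructed excerpt of the posted config and flags the three things the replies point at: the default route that names only an exit interface (the subject of the linked tech note), the CBAC inspection and ACLs bound to the interfaces, and auto-negotiated speed/duplex.

```python
import re

# Constructed excerpt of the IOS config posted in the thread, trimmed to the
# stanzas the replies discuss (the sanitized "ip address" line is left as posted).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip access-group 107 in
 ip inspect sdm_ins_in_100 in
 ip inspect CCP_LOW out
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.0.0
 ip access-group 106 in
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every 'interface' stanza."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None  # '!' or any global command ends the stanza
    return sections

def audit(config):
    """Flag the three things the replies point at; returns a list of findings."""
    findings = []
    # 1. Static route naming only an Ethernet exit interface: the router must
    #    proxy-ARP for every destination, the behaviour the linked tech note covers.
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)(?: (\S+))?", config, re.M):
        dest, mask, via, next_hop = m.groups()
        if next_hop is None and re.match(r"(?i)(fast|gigabit)?ethernet", via):
            findings.append(f"route {dest}/{mask}: exits {via} with no next-hop address")
    for name, cmds in parse_interfaces(config).items():
        for c in cmds:  # 2. CBAC inspection / ACLs on the data path (pulled for the speed test)
            if c.startswith(("ip inspect ", "ip access-group ")):
                findings.append(f"{name}: {c} (inspection/ACL on the data path)")
        if "duplex auto" in cmds or "speed auto" in cmds:  # 3. auto-negotiation
            findings.append(f"{name}: speed/duplex auto-negotiated")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to list the findings; a route with an explicit next-hop address produces no route finding.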
