Cisco 2801 bandwidth issues

Unanswered Question
Dec 22nd, 2011

I'm trying to replace an ASA 5505 with a Cisco 2801 w/ security bundle.

I have gone through a pretty basic set-up, configuring what I could and letting Cisco Configuration Professional (CCP) do the security audit to lock it down. I have everything working just fine except for the bandwidth.

As soon as I plug the router in it seems to give all the bandwidth to one computer and the rest of the campus slows down to a crawl.

I turned on "fair-queue" and even tried the QoS wizard in CCP, but it seems like that's for if you want to prioritize voice over data, which we aren't running (no VoIP), so I don't need that.

I am completely missing something and could really use some help.

Jaydubya3 Fri, 12/23/2011 - 04:48

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
! CBAC (stateful inspection) rule sets generated by CCP/SDM.
! CCP_LOW is applied outbound on the WAN port, sdm_ins_in_100 inbound.
ip port-map pptp port tcp 1723 list 4
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW http urlfilter
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 sip
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 imap
ip inspect name sdm_ins_in_100 pop3
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 esmtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip tcp synwait-time 10
!
ip flow-cache timeout active 1
no ip bootp server
ip name-server 10.10.10.13
ip urlfilter server vendor n2h2 10.10.10.60
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto pki trustpoint TP-self-signed-2736186409
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2736186409
 revocation-check none
 rsakeypair TP-self-signed-2736186409
!
crypto pki certificate chain TP-self-signed-2736186409
 certificate self-signed 01

  quit
username privilege 15 secret 5
!
interface Null0
 no ip unreachables
!
! WAN / outside interface: ACL 107 inbound, CBAC in both directions,
! uRPF, NAT outside, NetFlow ingress and interface-level fair queueing.
interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address
 ip access-group 107 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect sdm_ins_in_100 in
 ip inspect CCP_LOW out
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 fair-queue
 no mop enabled
!
! LAN / inside interface facing the core switch.
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 10.10.10.2 255.255.0.0
 ip access-group 106 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 fair-queue
 no mop enabled
!
ip default-gateway
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 10.10.10.11 9996
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 60000
!
ip http server
ip http access-class 2
ip http secure-server
ip nat inside source list 5 interface FastEthernet0/0 overload
ip nat inside source static 10.10.10.10
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.0.0 0.0.255.255
access-list 2 deny   any
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.0.0 0.0.255.255
access-list 4 remark CCP_ACL Category=1
access-list 4 permit 10.10.10.10
access-list 5 remark CCP_ACL Category=2
access-list 5 permit 10.10.0.0 0.0.255.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny   ip 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 106 remark auto generated by CCP firewall configuration
access-list 106 remark CCP_ACL Category=1
access-list 106 deny   ip 0.0.0.7 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 107 remark auto generated by CCP firewall configuration
access-list 107 remark CCP_ACL Category=1
access-list 107 permit udp any host
access-list 107 permit tcp any host
access-list 107 remark GRE
access-list 107 permit gre any host
access-list 107 deny   ip 10.10.0.0 0.0.255.255 any
access-list 107 permit icmp any host echo-reply
access-list 107 permit icmp any host time-exceeded
access-list 107 permit icmp any host unreachable
access-list 107 deny   ip 10.0.0.0 0.255.255.255 any
access-list 107 deny   ip 172.16.0.0 0.15.255.255 any
access-list 107 deny   ip 192.168.0.0 0.0.255.255 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip host 0.0.0.0 any
access-list 107 deny   ip any any log
snmp-server ifindex persist
no cdp run
!
control-plane
!
banner motd ^C
******************************
You are accessing $(hostname)
Unauthorized access prohibited
******************************
^C
!
line con 0
 authorization exec local_author
 logging synchronous
 login authentication local_authen
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 authorization exec local_author
 logging synchronous
 login authentication local_authen
 transport input ssh
!
end

Jaydubya3 Fri, 12/23/2011 - 11:34

Well, there are a few things that happen.

First, I get reports from multiple people that someone is hogging all the bandwidth. On the other hand, I have had other people say that their internet hasn't slowed down and is fine.

I then go and check the flows and they show one local IP using almost all of the bandwidth for small tasks, such as email recovery. For instance, I turned it on yesterday and the computer of someone who wasn't here immediately spiked in the logs with a source of 1e100.net (which I'm assuming was just Gmail, as we use Google Apps).

vmiller Fri, 12/23/2011 - 12:13

It would be helpful to have some knowledge of the topology behind the router.

Just an editorial here: I would use the ASA for security and the 2801 for routing, and not combine the two functions.

Start looking at traffic policing; it may meet your needs regarding overconsumption of resources.

With any luck someone else will pick up this thread next week. I'm on vacation.
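As an added example (not from the thread or from either poster), here is how the traffic policing vmiller suggests and the `fair-queue` the original poster tried fit together on an ISR running 12.4. The caveat that explains the poster's experience: interface-level `fair-queue` only acts when that interface's own transmit queue is congested, and a 100 Mbps FastEthernet port sitting in front of a 4.5 Mbps ISP link never is, so the `fair-queue` lines in the posted config do nothing for the download direction; the queue that overflows is at the ISP, where the router has no say. Shaping the LAN-facing interface to the ISP download rate moves the congestion point into the router, where a queueing policy can share the bandwidth between hosts. The 4.5 Mbps figure is the download rate the poster gives later in the thread; the host address 10.10.10.50, the 1 Mbps per-host cap and the ACL, class-map and policy-map names are placeholders for illustration.

```ios
! --- Added example, not part of the posted configuration ---
! 1. Find the host. The posted config already exports NetFlow and enables
!    top-talkers, so the heaviest flows are one command away.
show ip flow top-talkers
!
! 2. Per-host cap for one known offender (vmiller's "traffic policing").
!    10.10.10.50 is a placeholder address.
ip access-list extended HEAVY-HOST
 permit ip any host 10.10.10.50
!
class-map match-all HEAVY-HOST
 match access-group name HEAVY-HOST
!
! 3. Child policy: police the known host to 1 Mbps and share the rest with
!    flow-based fair queueing among everyone else.
policy-map WAN-DOWNLOAD-QUEUE
 class HEAVY-HOST
  police cir 1000000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
! 4. Parent policy: shape everything leaving toward the LAN to the ISP
!    download rate (4.5 Mbps) so the router, not the ISP, queues the
!    excess. Only then does the child policy ever see a congested queue.
policy-map WAN-DOWNLOAD
 class class-default
  shape average 4500000
  service-policy WAN-DOWNLOAD-QUEUE
!
! 5. Download traffic leaves the router on the inside interface, so the
!    policy is attached there, outbound. The interface-level fair-queue
!    from the posted config has to come off before a service-policy can go on.
interface FastEthernet0/1
 no fair-queue
 service-policy output WAN-DOWNLOAD
!
! 6. Verify: per-class offered rate, drops and shaper queue depth.
show policy-map interface FastEthernet0/1 output
```

The same structure applies in the upload direction on FastEthernet0/0 output, with the ISP's upload rate in the shaper. The per-host police class is a blunt tool for one known machine; the shaper with `fair-queue` in class-default is what stops any single flow from starving the others without per-host configuration. After attaching the policy, `show policy-map interface` should show the shaper's queue filling and dropping during a slowdown; if it stays empty while users still complain, the bottleneck is not bandwidth on this link at all.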

Jaydubya3 Fri, 12/23/2011 - 14:00

More info: my current topology is ISP - ASA - Core Switch.

I need to replace the ASA as it is not passing PCI compliance.

I changed the static route as per your first reply.

After working on it again today I think that instead of giving away too much bandwidth it may be not giving enough.

I plugged it in and ran a speedtest on my phone via Wi-Fi and it was only giving me 0.05 Mbps download, but close to 4.0 Mbps upload. There is hardly anyone here because of the impending holiday, and I checked the flows and no one even got close to peaking at our max of 4.5 Mbps download.

The ASA is by far a better firewall than a 2800 because it is a firewall by design. It is PCI compliant (and generally considered more secure than IOS), assuming your old configuration was correct. That being said, IOS inspection is a much slower firewall. I would remove all ACLs and the CBAC, both inbound and out, and test the speed. If your results are still bad I would set the interfaces to manual speed and duplex on all network devices. If your results are better, I would try to use zone-based firewall or go back to the ASA.


Sent from Cisco Technical Support iPhone App
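The checks the last reply recommends, written out as an added example of IOS commands (not the replier's own text). The order is deliberate: a duplex mismatch is the cheapest thing to rule out and produces exactly the lopsided speedtest the poster describes (0.05 Mbps one way, 4 Mbps the other), because the half-duplex side backs off on late collisions while the full-duplex side logs CRC and runt errors; both FastEthernet ports in the posted config are on `speed auto`/`duplex auto`. Stripping CBAC and the ACLs comes last because it opens the router and the static-NAT host to the Internet for the duration of the test. The 100/full values are an assumption about the neighbouring ISP device and core switch; the interface, inspection and ACL names are taken from the posted config.

```ios
! --- Added example, not from the thread ---
! 1. Cheapest check first: a duplex mismatch shows up as late collisions
!    on the half-duplex side and CRC/runt errors on the full-duplex side.
show interfaces FastEthernet0/0 | include duplex|input errors|CRC|collisions
show interfaces FastEthernet0/1 | include duplex|input errors|CRC|collisions
!
! 2. Is the 2801 CPU-bound? CBAC, uRPF, virtual reassembly and NetFlow all
!    run on the main CPU of this platform. Look at the top process and at
!    how many inspection sessions the box is tracking.
show processes cpu sorted
show ip inspect statistics
show ip inspect sessions
!
! 3. If the counters are clean and the CPU is not pegged, pin speed and
!    duplex on both ends (assumed 100/full; match whatever the ISP device
!    and the core switch are set to) and re-run the speed test.
configure terminal
interface FastEthernet0/0
 speed 100
 duplex full
interface FastEthernet0/1
 speed 100
 duplex full
end
!
! 4. Only if step 3 did not help: remove inspection and the ACLs for a
!    timed test. With ACL 107 gone, the router's public address and the
!    static-NAT host 10.10.10.10 are reachable from anywhere, so do this in
!    a maintenance window, measure, and reverse it immediately.
configure terminal
interface FastEthernet0/0
 no ip inspect sdm_ins_in_100 in
 no ip inspect CCP_LOW out
 no ip access-group 107 in
interface FastEthernet0/1
 no ip access-group 106 in
end
! ... run the speed test from the LAN ...
configure terminal
interface FastEthernet0/0
 ip access-group 107 in
 ip inspect sdm_ins_in_100 in
 ip inspect CCP_LOW out
interface FastEthernet0/1
 ip access-group 106 in
end
```

If step 4 is what restores the bandwidth, the reply's conclusion follows: the 2801 cannot inspect this traffic at line rate, and the choice is between the zone-based firewall (which replaces CBAC but still runs on the same CPU) and keeping the ASA in front. If step 1 or 3 fixes it, the firewall was never the problem and the inspection and ACLs should stay exactly as CCP generated them.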
