I have a 2611 set up with NAT and the throughput is under 1mbit/s. Is this normal for this router? If I plug in my laptop directly to the WAN I get an 11-12mbit/s connection.
service timestamps debug datetime msec
service timestamps log datetime msec
enable secret 5 ****
enable password 7 ****
aaa authentication login default enable
aaa authentication login ssh-authent local
aaa authentication login console-authent local
aaa authentication login ra-authent local
aaa authorization network ra-authori local
aaa session-id common
ip domain name mydomain.local
ip name-server 192.168.0.1
ip inspect name basic-firewall tcp
ip inspect name basic-firewall udp
ip audit po max-events 100
ip ssh time-out 60
username **** privilege 15 password 7 ****
crypto isakmp keepalive 30 3
crypto isakmp xauth timeout 15
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ip address 192.168.50.254 255.255.255.0
ip nat inside
no ip address
ip address dhcp
ip access-group 151 in
ip nat outside
ip nat inside source route-map nat-map-block-vpn interface Ethernet0/1 overload
ip http server
no ip http secure-server
access-list 109 permit ip 192.168.50.0 0.0.0.255 any
access-list 110 permit ip host 192.168.100.50 any
access-list 110 deny ip any any
no cdp run
route-map nat-map-block-vpn permit 10
match ip address 109
line con 0
login authentication console-authent
line aux 0
line vty 0 4
access-class 110 in
login authentication ssh-authent
transport input ssh
Is it the router or am I doing something horribly wrong?
More than likely, it's the firewall processes that are choking your connection.
The firewall works, but is very processor intensive, the 2611 just doesn't have the guts to really crank the traffic through.
The new IOS firewall on the X800 (1800, 2800, 3800...) series really rocks, but it's got a much beefier processor and more RAM.
Try it without the firewalland I'll bet you get much better performance.
The firewall wasn't applied to any interfaces but I removed the two commands anyways.
apt-router-1(config)#no ip inspect name basic-firewall tcp
apt-router-1(config)#no ip inspect name basic-firewall udp
However it still runs under 1mbit/s. I don't really need this router for my internet as it is for studying but it would be nice to use it for my ISP as well. 11mbit down to 1mbit is a big hit when it comes to downloads/xbox though. Any other ideas?
Can you let us know how your outgoing link is connected to Ethernet 0/1 ?
Do you observe any errors on Ethernet0/1 (show int e0/1 statistics..)
I could see a access-group command under this interface, but the access-list is not present..? (ip access-group 151 in)
It is using an Ethernet Wireless Adapter to connect to a wireless network which connects to Comcast cable. The ethernet wireless adapter connected to the ethernet port on my laptop gives the full throughput just not with the router.
apt-router-1#show int e0/1 stat
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 215 53987 540 36242
Route cache 5487 3884200 3496 1596073
Total 5702 3938187 4036 1632315
apt-router-1#show int e0/1
Ethernet0/1 is up, line protocol is up
Hardware is AmdP2, address is 0030.94d8.ff01 (bia 0030.94d8.ff01)
Internet address is 192.168.0.107/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:01:39, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5806 packets input, 3992356 bytes, 0 no buffer
Received 27 broadcasts, 0 runts, 0 giants, 0 throttles
177 input errors, 177 CRC, 100 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
4072 packets output, 1636758 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
I originally had an access-list applied to interface e0/1 but removed the access-list while forgetting to remove the access-group. I just removed that and still have the issue.
Thanks for the update.
Can you check an extended ping from the ethernet0/1 of the router to the ethernet interface ip of your wireless adapter and see if there are any packet drops observed.
While initiating the extended ping, you can also specify a datagram size, use something like 1000 bytes there to observe the performance.
Repeat the extended ping tests with the ethernet 0/1 as source and the destination as the outside ips (which are reachable via your wireless adapter.)
Also, check the speed/duplex settings of the ethernet interface of your wireless adapter.
According to Cisco router performance datasheet, this router can do upto 7.68Mbps with CEF and 0.768Mbps at process switching. This are best figures you will ever able to squeeze out of this box using minimal configuration and 'ideal' packet size. On many models of that range 'ideal' packet happens to be 512Byte.
As you start adding features (access lists, NAT, firewall inspection rules etc.) performance will degrade.
If you say it's under 1Mbps looks like the router is doing mostly process switching.
Just for the test, try disabling absolutely everything, leave only IP address on the WAN-facing interface and try download something from the internet directly from the router (use 'copy ftp null:' command). See what performance you achieve. If it's higher, then you can start adding features one by one to see how performance follows.
If even with minimal configuration you still get extremely low performance, then look at your WAN interface - there are some errors there.
I found a solution to the speed issue. I dropped the E0/1 interface to half-duplex and the speed jumped to 4Mbit download. Then I switched E0/0 to half-duplex and the speed jumped up to 6Mbit+ which is close to the max the router will do according to one of the other posts.
Possible explaination to this is that systems connected to E0/0 and E0/1 were configured for auto-negotiation. On the router you had strict 10Mbps/full-duplex. Auto-negotiation procedure requires system to fall-back to half-duplex if it hears no auto-negotiation sequence from the other side.
So result in your initial case probably was: router full-duplex, but other systems (switches?) - half-duplex. Effect of it: on your router you've probably seen noticible number of input errors, while remote system operating in half-duplex had collisions. Your laptop is likely configured for auto-negotiation, that explains why you had good performance with it.
I could suggest you to check other systems where the router is connected to and set them explicitly to 10Mbps/full-duplex operations and set your router to the same 10Mbps/full-duplex.
In Additonal to Ilya's feedback, most old Ethernet is using 10Mpbs half-duplex. So please ensure your point-to-point connected equipment is using the same duplex mode to avoid the problem.
Hope this helps.