2621 chokes on broadband connection

We have a 2621 that is connecting to two T1s to our current ISP. We are filling the connection, so we wanted to 'off-load' some traffic to a cable connection. I had a consultant configure a 2621 with the attached config. The idea is that http/https/ftp goes out the broadband. Things looked good when I turned it on late Monday night. However, as the day continued and all our sites started working (all time zones), which would probably be in the range of 500 or less 'connections' through our firewall, browsing response took a nosedive. I checked the CPU; it was pegged.

Any comments/questions on this? Do I need a more powerful model, or is the logic used inefficient?


Your router config doesn't have any default routes through the Comcast modem Fast Ethernet interface (fa0/1). So I assume you are using policy routing (the route-map ToComcast), matching traffic on ACL 150 and setting the next hop to the Comcast default gateway. The route-map definitions look good, except that I don't see it applied on the fast0/0 interface.


interface FastEthernet0/0
 description Public LAN
 ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 load-interval 30
 speed 100



There should have been a command "ip policy route-map ToComcast" under this interface to perform what you are trying to do.

Also you said <500 connections, are these the number of nat translations on the router/ fw?

You also have "ip route-cache flow" which enables netflow on the interface, which is not really required for normal operation of router. This can cause unnecessary CPU utilization.

PS: Please rate the post if it helped you!
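The policy-routing arrangement the reply describes, written out as an added example (not the poster's actual config): the ACL number, route-map name and interface roles come from the thread, while the inside subnet and the Comcast gateway address are placeholders.

```cisco
! Added example, not the original poster's configuration. Placeholders:
!   192.0.2.0/24  = inside (Public LAN) network behind fa0/0
!   198.51.100.1  = Comcast cable gateway reached through fa0/1
!
! Extended ACL 150: only HTTP/HTTPS/FTP sourced from the inside network is
! policy-routed; everything else falls through to the normal routing table
! (the T1s). Restricting the source keeps PBR from forwarding flows that did
! not originate on the LAN.
access-list 150 permit tcp 192.0.2.0 0.0.0.255 any eq www
access-list 150 permit tcp 192.0.2.0 0.0.0.255 any eq 443
access-list 150 permit tcp 192.0.2.0 0.0.0.255 any eq ftp
!
! Route-map: traffic matching ACL 150 is sent to the cable gateway.
route-map ToComcast permit 10
 match ip address 150
 set ip next-hop 198.51.100.1
!
interface FastEthernet0/0
 description Public LAN
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
 ! The line the reply says was missing: PBR is evaluated on the interface
 ! where the traffic ENTERS the router, i.e. the LAN side, not fa0/1.
 ip policy route-map ToComcast
!
interface FastEthernet0/1
 description Comcast cable
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
! The NAT inside-source statement from the existing config is unchanged and
! omitted here.
!
! Verification: confirm the policy is attached and that packets are matched.
! show ip policy
! show route-map ToComcast
! show ip nat statistics
```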

Correct that the 'ip policy route-map ToComcast' is missing. Had to take it out when it choked but didn't think to put it in when I posted this.

I think the answer is yes: the 500 firewall active connections that we may see from the firewall would be the equivalent of the number of NAT translations. I assume that each 'connection' listed is a conversation that goes out the router to the modem, and that would be a translation?

Assuming that, should this router handle it?

I will certainly remove the ip route-cache flow since I'm not doing anything with NetFlow.

Can you post the sh int sr 0/0, 0/1 f0/0, 0/1, sh ip cache flow, sh ip nat stat outputs please, and observe the traffic....

