We have a 2621 that is connecting to two T1s to our current ISP. We are filling the connection, so we wanted to 'off-load' some traffic to a cable connection. I had a consultant configure a 2621 with the attached config. The idea is that http/https/ftp goes out the broadband. Things looked good when I turned it on late Monday night. However, as the day continued and all our sites started working (all time zones), which would probably be in the range of 500 or less 'connections' through our firewall, browsing response took a nosedive. I checked the CPU; it was pegged.
Any comments/questions on this? Do I need a more powerful model, or is the logic used inefficient?
Your router config doesn't have any default routes through the Comcast modem Fast Ethernet interface (fa0/1). So I assume you are using policy routing (the route-map ToComcast), matching traffic on ACL 150 and setting the next hop to the Comcast default gateway. The route-map definitions look good, except that I don't see it applied on the fast0/0 interface.
description Public LAN
ip address 22.214.171.124 255.255.255.224
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
There should have been a command "ip policy route-map ToComcast" under this interface to perform what you are trying to do.
Also you said <500 connections, are these the number of nat translations on the router/ fw?
You also have "ip route-cache flow" which enables netflow on the interface, which is not really required for normal operation of router. This can cause unnecessary CPU utilization.
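The fix described in this reply, as an added IOS configuration example that is not from the original thread or the poster's attached config. ACL 150, route-map ToComcast, fa0/0 and fa0/1 are from the thread; the ACL contents, the inside subnet 192.0.2.0/27 and the Comcast gateway 198.51.100.1 are placeholders.

```cisco
! Assumption: with CEF enabled, policy-routed packets are CEF-switched
! instead of process-switched, which matters on a small router like a 2621.
ip cef
!
! ACL 150: the web/FTP traffic the thread wants sent out the cable link.
! 192.0.2.0/27 is a placeholder for the inside subnet on fa0/0.
access-list 150 permit tcp 192.0.2.0 0.0.0.31 any eq www
access-list 150 permit tcp 192.0.2.0 0.0.0.31 any eq 443
access-list 150 permit tcp 192.0.2.0 0.0.0.31 any eq ftp
! Everything else falls through the route-map and follows the routing table (T1s).
!
route-map ToComcast permit 10
 match ip address 150
 set ip next-hop 198.51.100.1
!
interface FastEthernet0/0
 description Public LAN
 ip address 192.0.2.1 255.255.255.224
 ip nat inside
 ! The line the thread found missing: apply the policy on the inbound (LAN) interface.
 ip policy route-map ToComcast
 ! Drop the NetFlow export the reply says is unneeded and costs CPU.
 no ip route-cache flow
!
interface FastEthernet0/1
 description Comcast cable modem (198.51.100.1 is the placeholder gateway)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
```

Verify the policy is taking effect with `show route-map ToComcast` (the match counters should increase for web traffic) and watch CPU with `show processes cpu sorted` after the change.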
Correct that the 'ip policy route-map ToComcast' is missing. I had to take it out when it choked but didn't think to put it in when I posted this.
I think the answer is yes: the 500 active firewall connections that we may see from the firewall would be the equivalent to the number of NAT translations. I assume that each 'connection' listed is a conversation that goes out the router to the modem, and that would be a translation?
Assuming that, should this router handle it?
I will certainly remove the ip route-cache flow since I'm not doing anything with NetFlow.