Re: Issue with internet speed after adding Cisco to network

Ricohit123 · ‎11-03-2011

Oki guys, ill try my best in explaining the issue we are experiencing. It all started with our company buying new Cisco Switch for around 20 000 dollars. As none of us knew anything about Cisco, we had a guy from our Branch in england to set it up for us. He came and did his job and then left day after.

Problems start showing up some days after he did his job. Main problem is our Internet speed. The internet speed has simply gone down to around 5% of what we had before. And while trying to solve the problem, it is simply making it even worse now. We think it is related to the Cisco switches we have installed in our network, but the guy in england is keep on saying that its something to do with the proxy server. I find it hard to believe as this proxy was in our network before the Cisco swithces, when everything was running fine.

Cisco switches we bought are as follows:

1 X WS-C3750G-24TS-S10

3 X C2960G-24TC-L

I think there is some routing issue in the Cores switch which is the 3750G. In the picture below you will see how our network is connected, its a little bit complicated but i will try to explain as much as possible. Remeber that i am not even drawing the 2960 switches because i have already connected directly to our 3750G switch and the problem still presisted.

I have a feeling that if you see the picture above, the internet traffic for some reason is trying to go thru the fiber communication towards our branches in europe, instead of going directly to the ISP router and then FW and out. Is there a way i can see how the traffic towards outer world is routed in Cisco Switch?

John Blakley · ‎11-03-2011

I'm assuming that internet access is slow for people that are local to the switch, or do other locations come to your for internet access? Is your 3750 configured as L3? How many vlans are on it? Which vlan does your proxy server connect to?

The easiest way to see where you're going for the outside world is if your 3750 is configured as L3, you can do 1 of 2 things:

sh run | inc ip route

OR

sh ip route | inc Gateway

Either one of these commands will show you your default gateway for the switch.

HTH, John *** Please rate all useful posts ***

Ricohit123 · ‎11-03-2011

Hi

Thanks for answering. We have other branches in the same country who also get internet access thru us, but anyhow all of them are connected local the switch. What is L3? layer 3 i guess? i assume it is configured as L3, but how can i varify that?

Here are the vlans on the core switch:

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi1/0/24

2 Server_Print active Gi1/0/1, Gi1/0/2, Gi1/0/3

Gi1/0/4, Gi1/0/5, Gi1/0/6

100 Data1 active Gi1/0/7, Gi1/0/8, Gi1/0/9

Gi1/0/10, Gi1/0/11, Gi1/0/12

Gi1/0/13, Gi1/0/14, Gi1/0/25

Gi1/0/26

101 Data2 active Gi1/0/15, Gi1/0/16, Gi1/0/17

Gi1/0/18, Gi1/0/19, Gi1/0/20

Gi1/0/21, Gi1/0/22, Gi1/0/27

Gi1/0/28

200 Voice1 active

201 Voice2 active

300 WiFiS active

301 WiFiC active

400 DMZ active

900 WAN active Gi1/0/23

990 MNGT active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

Fir IP route im getting this

ip route 0.0.0.0 0.0.0.0 10.145.193.193

ip route 10.144.0.0 255.252.0.0 10.145.193.193

ip route 10.144.3.96 255.255.255.224 172.17.187.254

ip route 10.144.3.128 255.255.255.224 172.17.187.254

ip route 10.144.5.32 255.255.255.224 172.17.187.254

ip route 10.144.5.160 255.255.255.224 172.17.187.254

ip route 10.144.130.0 255.255.255.224 172.17.187.254

ip route 10.144.130.32 255.255.255.224 172.17.187.254

ip route 10.144.133.32 255.255.255.224 172.17.187.254

ip route 10.144.133.128 255.255.255.224 172.17.187.254

ip route 10.144.133.160 255.255.255.248 172.17.187.254

ip route 10.144.133.192 255.255.255.224 172.17.187.254

ip route 10.144.133.224 255.255.255.224 172.17.187.254

ip route 10.144.224.32 255.255.255.224 172.17.187.254

ip route 10.144.224.64 255.255.255.224 172.17.187.254

ip route 10.144.224.96 255.255.255.224 172.17.187.254

ip route 10.144.232.160 255.255.255.240 172.17.187.254

ip route 10.144.248.0 255.255.255.224 172.17.187.254

ip route 10.144.248.128 255.255.255.224 172.17.187.254

ip route 10.144.248.160 255.255.255.224 172.17.187.254

ip route 10.144.248.192 255.255.255.224 172.17.187.254

ip route 10.145.235.32 255.255.255.224 172.17.187.254

ip route 10.145.235.64 255.255.255.224 172.17.187.254

ip route 10.145.235.96 255.255.255.224 172.17.187.254

ip route 10.145.235.224 255.255.255.224 172.17.187.254

ip route 10.145.249.8 255.255.255.248 172.17.187.254

ip route 10.145.249.32 255.255.255.248 172.17.187.254

ip route 10.145.249.40 255.255.255.248 172.17.187.254

ip route 10.146.13.64 255.255.255.192 172.17.187.254

ip route 10.146.13.128 255.255.255.192 172.17.187.254

ip route 10.146.13.192 255.255.255.192 172.17.187.254

ip route 10.148.0.0 255.255.0.0 10.145.193.193

ip route 10.192.4.56 255.255.255.248 172.17.187.249

ip route 62.50.18.209 255.255.255.255 10.145.193.193

ip route 172.16.0.0 255.240.0.0 10.145.193.193

ip route 172.17.195.8 255.255.255.248 172.17.187.249

ip route 172.17.195.16 255.255.255.248 172.17.187.249

ip route 192.168.242.0 255.255.255.0 10.145.193.193

ip route 212.17.129.83 255.255.255.255 172.17.187.249

I will get back to you on which vlan the proxy is connected to.

John Blakley · ‎11-03-2011

ip route 0.0.0.0 0.0.0.0 10.145.193.193

10.145.193.193 is your default device outbound. What's this device? Is it your proxy server's IP address?

HTH, John *** Please rate all useful posts ***

Ricohit123 · ‎11-03-2011

By the way, our proxy is toally on a different Vlan which has nothing to do with our Core Cisco switch.

Ricohit123 · ‎11-03-2011

You wont believe it, this is actually our BT router for communication towards Europe. So does it mean that if a user type in a adress in his internet explorer, it will first try to route thru 10.145.193.193? how can i do it so it does not route to this adress when using internet. But remember that this connection is still essential as we need to have connection to our branches in Europe.

Konstantin Dunaev · ‎11-03-2011

oh, I'd suggest to ask a network administartor (may be external) to check the configuration, I wouldn't do any changes yourself. Of course we can help you and give you a couple of commnads but without information about infrustructure it would be not so good idea to apply them

John Blakley · ‎11-03-2011

Yes. If it can't find a specific route, it will go back to Europe for a route. You'd need to have a default gateway on your switch to point to your ISP outbound or point to your proxy server. If your switch/router doesn't know about a specific route in its routing table, it will always forward to a default route....

HTH, John *** Please rate all useful posts ***

darren.g · ‎11-03-2011

Numan mastana wrote:

You wont believe it, this is actually our BT router for communication towards Europe. So does it mean that if a user type in a adress in his internet explorer, it will first try to route thru 10.145.193.193? how can i do it so it does not route to this adress when using internet. But remember that this connection is still essential as we need to have connection to our branches in Europe.

If you don't understand your routing table, then don't fiddle with it. Find someone who does.

Basically, your default route should point to your Internet gateway (the proxy or router which conencts you to your local internet), and all the routes to the European destinations should be manually specified (you can probably do it quite simply by just specifying a large enough subnet in the routing statement).

If you have access to the Cisco switch, can you post a copy of your configuration - you can get this by typing "show running-configuration" from the switch# prompt - make sure you edit out any lines which refer to passwords, and obfuscate any "live" IP addresses by removign the last couple of octets before you post it.

Also, it'd be helpful if you could find the address of your proxy or internet access address (I.E. the address of the device you have *local* internet access via) and post it.

Cheers.

Ricohit123 · ‎11-04-2011

Oki guys, im sorry for a delayed response. I will figure it out and post the information. Thanks a ton so far.

Ricohit123 · ‎11-04-2011

Our ISP router which we are suppose to get internet thru has the following IP address: 172.17.187.254

Here is the configuration of our network, Please let me know if i have something sensitive in the text below, i have alredy cleared the passwords.

Building configuration...

Current configuration : 6815 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
!
!
!
no aaa new-model
clock timezone UTC 1
clock summer-time UTC recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-24ts-1u

system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
switchport access vlan 2
!
interface GigabitEthernet1/0/2
switchport access vlan 2
!
interface GigabitEthernet1/0/3
switchport access vlan 2
!
interface GigabitEthernet1/0/4
switchport access vlan 2
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 2
!
interface GigabitEthernet1/0/6
switchport access vlan 2
!
interface GigabitEthernet1/0/7
switchport access vlan 100
!
interface GigabitEthernet1/0/8
switchport access vlan 100
!
interface GigabitEthernet1/0/9
switchport access vlan 100
!
interface GigabitEthernet1/0/10
switchport access vlan 100
!
interface GigabitEthernet1/0/11
switchport access vlan 100
!
interface GigabitEthernet1/0/12
switchport access vlan 100
!
interface GigabitEthernet1/0/13
switchport access vlan 100
!
interface GigabitEthernet1/0/14
switchport access vlan 100
!
interface GigabitEthernet1/0/15
switchport access vlan 101
!
interface GigabitEthernet1/0/16
switchport access vlan 101
!
interface GigabitEthernet1/0/17
switchport access vlan 101
!
interface GigabitEthernet1/0/18
switchport access vlan 101
!
interface GigabitEthernet1/0/19
switchport access vlan 101
!
interface GigabitEthernet1/0/20
switchport access vlan 101
!
interface GigabitEthernet1/0/21
switchport access vlan 101
!
interface GigabitEthernet1/0/22
switchport access vlan 101
!
interface GigabitEthernet1/0/23
switchport access vlan 900
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
switchport access vlan 100
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/26
switchport access vlan 100
!
interface GigabitEthernet1/0/27
switchport access vlan 101
switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/0/28
switchport access vlan 101
switchport trunk encapsulation dot1q
!
interface Vlan1
ip route 0.0.0.0 0.0.0.0 10.145.193.193
ip route 10.144.0.0 255.252.0.0 10.145.193.193
ip route 10.144.3.96 255.255.255.224 172.17.187.254
ip route 10.144.3.128 255.255.255.224 172.17.187.254
ip route 10.144.5.32 255.255.255.224 172.17.187.254
ip route 10.144.5.160 255.255.255.224 172.17.187.254
ip route 10.144.130.0 255.255.255.224 172.17.187.254
ip route 10.144.130.32 255.255.255.224 172.17.187.254
ip route 10.144.133.32 255.255.255.224 172.17.187.254
ip route 10.144.133.128 255.255.255.224 172.17.187.254
ip route 10.144.133.160 255.255.255.248 172.17.187.254
ip route 10.144.133.192 255.255.255.224 172.17.187.254
ip route 10.144.133.224 255.255.255.224 172.17.187.254
ip route 10.144.224.32 255.255.255.224 172.17.187.254
ip route 10.144.224.64 255.255.255.224 172.17.187.254
ip route 10.144.224.96 255.255.255.224 172.17.187.254
ip route 10.144.232.160 255.255.255.240 172.17.187.254
ip route 10.144.248.0 255.255.255.224 172.17.187.254
ip route 10.144.248.128 255.255.255.224 172.17.187.254
ip route 10.144.248.160 255.255.255.224 172.17.187.254
ip route 10.144.248.192 255.255.255.224 172.17.187.254
ip route 10.145.235.32 255.255.255.224 172.17.187.254
ip route 10.145.235.64 255.255.255.224 172.17.187.254
ip route 10.145.235.96 255.255.255.224 172.17.187.254
ip route 10.145.235.224 255.255.255.224 172.17.187.254
ip route 10.145.249.8 255.255.255.248 172.17.187.254
ip route 10.145.249.32 255.255.255.248 172.17.187.254
ip route 10.145.249.40 255.255.255.248 172.17.187.254
ip route 10.146.13.64 255.255.255.192 172.17.187.254
ip route 10.146.13.128 255.255.255.192 172.17.187.254
ip route 10.146.13.192 255.255.255.192 172.17.187.254
ip route 10.148.0.0 255.255.0.0 10.145.193.193
ip route 10.192.4.56 255.255.255.248 172.17.187.249
ip route 62.50.18.209 255.255.255.255 10.145.193.193
ip route 172.16.0.0 255.240.0.0 10.145.193.193
ip route 172.17.195.8 255.255.255.248 172.17.187.249
ip route 172.17.195.16 255.255.255.248 172.17.187.249
ip route 192.168.242.0 255.255.255.0 10.145.193.193
ip route 212.17.129.83 255.255.255.255 172.17.187.249
ip http server
!
!
control-plane
!
banner login

***********************************************************************

THIS NETWORK AND THE MATERIAL CONTAINED WITHIN IT,IS PROPRIETARY

AND IS THEREFORE RESTRICTED TO AUTHORISED PERSONNEL ONLY. THIS

SYSTEM MAY NOT BE MODIFIED IN ANY MANNER EXCEPT BY AUTHORISED PERSONNEL

OR REPRESENTATIVES OF THE ADDRESSED FIRM THAT IS DIRECTLY RESPONSIBLE

FOR THE MAINTENANCE OF THE NETWORK.

ANY UNAUTHORISED ACCESS, OR MODIFICATIONS IN ANY FORM IS

STRICTLY PROHIBITED.

***********************************************************************
^C
!
line con 0
password
login
length 0
password
login
!
end

John Blakley · ‎11-04-2011

Without knowing your true topology (you mentioned having a proxy server), your default gateway should be set to

172.17.187.254. I'm putting a disclaimer out there that I don't know how you're set up and making this change could very well break routing.

ip route 0.0.0.0 0.0.0.0 172.17.187.254

You'd need to get rid of your other 0.0.0.0 route if you don't want to go back through Europe. If the above address is in fact local to your ISP and that's who you should be getting internet access from, then this should speed up internet access.

John

HTH, John *** Please rate all useful posts ***

Ricohit123 · ‎11-04-2011

Yes we do have a proxy server. Internet uses the proxy server and the communication for a web browser is going thru the proxy and does not go thru the default gateway setup in IP route lits on our Core Cisco switch. According to my senior IT Consultant, whenever a user opens a page in a web browser, the request is done thru the proxy. It should bypass the Europe. In the IP route table, it does tell it to route all requests to proxy thru our firewall.

darren.g · ‎11-09-2011

Numan mastana wrote:

Yes we do have a proxy server. Internet uses the proxy server and the communication for a web browser is going thru the proxy and does not go thru the default gateway setup in IP route lits on our Core Cisco switch. According to my senior IT Consultant, whenever a user opens a page in a web browser, the request is done thru the proxy. It should bypass the Europe. In the IP route table, it does tell it to route all requests to proxy thru our firewall.

This line

ip route 0.0.0.0 0.0.0.0 10.145.193.193

in the configuration is your problem.

It sends all "unknown' routable traffic to 10.145.193.193 which, as you've mentioned, is your link to Europe.

You need to change this line to read

ip route 0.0.0.0 0.0.0.0 172.17.187.249

*assuming* that 172.17.187.249 is your Internet proxy/gateway. If this IP address is *NOT* your proxy/gateway, do NOT make this change, or chances are you'll break everything.

Your config snippet above mentions three specific destinations for networks

172.17.187.254

10.145.193.193

172.17.187.249

can you identify what device and purpose each of these IP addresses has?

Also, I've noticed that you *don't* have an IP address configured for any of the defined VLAN's (2, 100 and 102) - where are the routing devices for these VLAN's located? If there's no local router connected to this device anywhere it's possible that your routing is taking all decisions back to Europe, then back to you, which would make *everything* slow.

Can you post a more accurate indication of your topology including IP addressing (internal - don;t care about your Internet link)?

Cheers

Ricohit123 · ‎11-10-2011

I thought that was the problem until i gathered some more information about my network. First of all i want to make clear what these different IPs are:

172.17.187.254 is our ISP router

10.145.193.193 is our router for communication towards Europe

172.17.187.249 is our Firewall

It works like this:

When a user types in www.cisco.com on his computer (with proxy enabled) , the following happens:

The request is send to our Core switch (3750G) which uses its route list and sends the request to our Firewall. Firewall and the proxy server has its own Vlan configured thru another switch where they are connected. Firewall sends request to proxy, and proxy does its job and sends the request back to Firewall, and then out to internet to resolve the DNS request and then back to Firewall. Now how the request goes back to the computer that sends the request to start with, is important here. In our Firewall, it is configured to use the ISP router as default gateway. We do not have the permision to change anything in the Firewall so we have asked our department in England to look at it, and change the default gateway to our Core Cisco switch.

I hope the explanation above gives you a picture of how our topology is.

Vlans dont have IP adrdress? I dont think they have local router, so they are using the routing list to find there way out.

By the way is there a software that can trace the traffic thru proxy and not our network? So if i tracert www.cisco.com it shows its way to internet and then back to the computer.