Performance Issue with Router

ronald.ramzy
Level 1

Hi,

I have a performance issue once I have a router between the Internet and Microsoft ISA.

If I connect the Internet directly with an additional NIC on Microsoft_ISA it works great...

I didn't find any communication issue between the router and ISA.

Can someone advise? Here is the router configuration:

interface FastEthernet0/0
 description Connected to service-provider
 ip address 10.10.10.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description Connection to LAN
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip nat inside source list 99 interface FastEthernet0/0 overload
access-list 99 permit ip host 192.168.1.200 any


Joseph W. Doherty
Hall of Fame

What model router and how much FastEthernet bandwidth is possible?

The router is a 2811 with 2 FastEthernet.

There is no bandwidth command configured on the interfaces.

Interfaces don't have any errors.

Will it make a difference if I NAT public to private IP instead of NAT overload?

Although a 2811 comes with two FastEthernet interfaces, its forwarding performance isn't really capable of delivering 100 Mbps, even discounting NAT load, which is why I asked how much of the FastEthernet bandwidth might be used.

PS:

If 10 Mbps is acceptable throughput, you might reconfigure your FastEthernet interfaces to run at that setting and see how the 2811 performs for you.

Hi,

I have tested with Speed and Duplex as auto. My Service Provider bandwidth is 5MB only.

You (PS) is to change bandwidth to 10mbps you mean.

Do you think NAT_Overload is causing issue, any other recommendation.

With the info you've presented I don't see this being a NAT issue. It sounds like you have two NICs on your ISA Server. Do you get the same results with both NICs? How about testing without the ISA Server in the mix?

Hi,

With ISA having two NICs, it works great, but with a NATted IP on the router and ISA with one NIC it has a performance problem.

Now I removed ISA and plugged in BLUECOAT but there is still a performance issue.

Without router NAT all seems to be working...

So both ISA NICs produced the same problem? How about my suggestion to remove the ISA from the equation?

Are you doing any NAT on the ISA?

Hi,

With two NICs on ISA and no router it works great. I define a public IP on one interface and a private IP on another interface.

I am not sure where the issue is.

From your responses it does not seem that you understand what I'm asking / suggesting.

"You (PS) is to change bandwidth to 10mbps you mean. "

I mean to run the interfaces physically at 10 Mbps, if running at 100 Mbps.

"Do you think NAT_Overload is causing issue, any other recommendation. "

It might, but reading http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#qa7, can't be sure (there's also the overload issue).

Other issues that come to my mind have been 100 Mbps bursts, packet fragmentation, interface drops, and CPU load.

If you could provide interface and CPU stats when router is running "slow" but with what you believe its maximum performance, it might provide additional clues.

"Although a 2811 comes with two FastEthernet interfaces, its forwarding performance isn't really capable of delivering 100 Mbps, even discounting NAT load, which is why I asked how much of the FastEthernet bandwidth might be used."

I would like to challenge josephdoherty's assertion on this. How did you come up with this assumption?

As seen below, the Cisco 2811 can push almost 100 Mbps with some NAT load using Iperf:

c2811#sh int f0/1
FastEthernet0/1 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 001e.7a6d.8149 (bia 001e.7a6d.8149)
  Description: LAB_INTERFACE
  Internet address is 192.168.15.246/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 242/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/4025/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 95050000 bits/sec, 7871 packets/sec
  30 second output rate 7000 bits/sec, 8 packets/sec
     14988854 packets input, 2349426431 bytes
     Received 13806683 broadcasts, 0 runts, 0 giants, 2125 throttles
     38010 input errors, 0 CRC, 0 frame, 0 overrun, 38010 ignored
     0 watchdog
     0 input packets with dribble condition detected
     406395 packets output, 65459960 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
c2811#

c2811#sh process cpu | i five
CPU utilization for five seconds: 79%/75%; one minute: 61%; five minutes: 34%
c2811#

c2811# sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 28-Apr-09 13:09 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

c2811 uptime is 3 weeks, 2 days, 20 hours, 14 minutes
System returned to ROM by reload at 17:45:33 UTC Fri Jun 26 2009
System image file is "flash:c2800nm-advipservicesk9-mz.124-15.T9.bin"

"I would like to challenge josephdoherty's assertion on this. How did you come up with this assumption?"

Challenge away ;)

Seriously, though, assumption is based on PPS rating as published within Cisco's Portable Product Sheet - Router Perf which notes "Fast/CEF Switching PPS" as 120,000 for a 2811. Beginning of document also notes "Numbers are given with 64 byte packet size, IP only, and are only an indication of raw switching performance. These are testing numbers, usually with FE to FE or POS to POS, no services enabled."

Knowing that wire-rate Ethernet, at 100 Mbps, for 64 byte sized packets, requires 148,809.6 PPS, the 120,000 PPS seems to be unable to guarantee 100 Mbps. (NB: The Cisco performance sheet actually computes bandwidth for 120,000 as 61.44 Mbps, but they also don't seem to take into account all L2 overhead.)

So assuming Cisco's reference performance numbers are correct, also assuming, when we think, today, of any bandwidth, we're assuming it's full duplex, I assume a 2811 can not guarantee 100 Mbps. (NB: RE: "full duplex", perhaps you don't assume this, since I see your example iperf test was only pushing 100 Mbps in one direction.)

Beyond assumptions, I've also stress tested a 2811 and I hit 100% CPU before reaching 100 Mbps throughput, even unidirectional. (NB: I also noticed, your output stats showing arrival bandwidth utilization, but not also egress bandwidth utilization?)

Also looking at your posted stats, did you notice?

"Input queue: 0/75/4025/0 (size/max/drops/flushes)"

I don't know about you, but I expect a device that can handle 100 Mbps shouldn't be dropping any packets. You might note the drop rate is low, but why is the router dropping any packets? Load perhaps?

Also we see:

Received 13806683 broadcasts, 0 runts, 0 giants, 2125 throttles

38010 input errors, 0 CRC, 0 frame, 0 overrun, 38010 ignored

Perhaps more symptoms of a router that can't sustain 100 Mbps load?

Given the above, to be more precise, I assert a 2811 can't always guarantee 100 Mbps, especially duplex. However, for larger packets, and unidirectional, a 2811 might provide 100 Mbps throughput. This is also why I wrote "really capable of delivering 100 Mbps" rather than a simple "incapable", "unable" or "never". I do apologize if my original imprecision was misleading, but sometimes I'm intentionally not precise since I don't believe such precision always assists. If there are questions, they can be followed up in additional questions, such as David's post to which I'm responding; and this I think is good!
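
The arithmetic in the post above, applied to the counters posted earlier in the thread. This is an added example, not code from any participant; the function names are this example's own, and the 20 bytes of per-frame preamble and inter-frame gap is the standard Ethernet figure, assumed here to be the L2 overhead the post refers to.

```python
import re

PREAMBLE_IFG = 20          # bytes per frame on the wire: 8 preamble/SFD + 12 inter-frame gap
RATED_PPS_2811 = 120_000   # "Fast/CEF Switching PPS" figure quoted in the thread

# Lines copied from the "sh int f0/1" output posted in the thread.
SAMPLE = """\
  Input queue: 0/75/4025/0 (size/max/drops/flushes); Total output drops: 0
  30 second input rate 95050000 bits/sec, 7871 packets/sec
  14988854 packets input, 2349426431 bytes
  Received 13806683 broadcasts, 0 runts, 0 giants, 2125 throttles
  38010 input errors, 0 CRC, 0 frame, 0 overrun, 38010 ignored
"""

def wire_rate_pps(link_bps, frame_bytes):
    """Frames per second needed to fill a link with frames of one size."""
    return link_bps / ((frame_bytes + PREAMBLE_IFG) * 8)

def payload_mbps(pps, frame_bytes):
    """Throughput counting frame bytes only (no preamble or inter-frame gap)."""
    return pps * frame_bytes * 8 / 1e6

def parse_show_interface(text):
    """Pull the load-related counters out of IOS 'show interface' text."""
    patterns = {
        "input_bps": r"input rate (\d+) bits/sec",
        "input_pps": r"input rate \d+ bits/sec, (\d+) packets/sec",
        "input_queue_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
        "throttles": r"(\d+) throttles",
        "ignored": r"(\d+) ignored",
    }
    found = {k: re.search(p, text) for k, p in patterns.items()}
    return {k: int(m.group(1)) for k, m in found.items() if m}

def summarize(text, link_bps=100_000_000):
    """Relate the observed load to the 64-byte packet-rate rating."""
    s = parse_show_interface(text)
    avg = s["input_bps"] / 8 / s["input_pps"]   # average bytes per input packet
    return {
        "avg_packet_bytes": round(avg),
        "share_of_rated_pps": round(s["input_pps"] / RATED_PPS_2811, 3),
        "pps_to_fill_link_at_64B": round(wire_rate_pps(link_bps, 64)),
        "overload_signs": {k: s[k] for k in ("input_queue_drops", "throttles", "ignored") if s.get(k)},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(payload_mbps(RATED_PPS_2811, 64), "Mbps at the rated PPS with 64-byte packets")
```

On the posted counters the input averages about 1509 bytes per packet at under 7% of the rated packet rate, which is the large-packet, unidirectional case the post distinguishes from the 64-byte rating.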

Hello Joseph, David

>> Received 13806683 broadcasts, 0 runts, 0 giants, 2125 throttles

38010 input errors, 0 CRC, 0 frame, 0 overrun, 38010 ignored

Perhaps more symptoms of a router that can't sustain 100 Mbps load?

Absolutely yes

(rhetorical question I suppose)

Hope to help

Giuseppe

"(rhetorical question I suppose)"

It was (as was the preceding question).
