2611 Slow Throughput

cbalmer
Level 1

Hi,

I have a 2611 set up with NAT and the throughput is under 1mbit/s. Is this normal for this router? If I plug in my laptop directly to the WAN I get an 11-12mbit/s connection.

Config:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname apt-router-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 ****
enable password 7 ****
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login ssh-authent local
aaa authentication login console-authent local
aaa authentication login ra-authent local
aaa authorization network ra-authori local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name mydomain.local
ip name-server 192.168.0.1
!
ip inspect name basic-firewall tcp
ip inspect name basic-firewall udp
ip audit po max-events 100
ip ssh time-out 60
!
!
!
!
!
!
!
!
!
!
!
!
username **** privilege 15 password 7 ****
!
!
!
crypto isakmp keepalive 30 3
crypto isakmp xauth timeout 15
!
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.50.254 255.255.255.0
 ip nat inside
 full-duplex
 no keepalive
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address dhcp
 ip access-group 151 in
 ip nat outside
 full-duplex
 no keepalive
!
ip nat inside source route-map nat-map-block-vpn interface Ethernet0/1 overload
ip http server
no ip http secure-server
ip classless
!
!
access-list 109 permit ip 192.168.50.0 0.0.0.255 any
access-list 110 permit ip host 192.168.100.50 any
access-list 110 deny ip any any
no cdp run
!
route-map nat-map-block-vpn permit 10
 match ip address 109
!
!
!
!
!
!
line con 0
 login authentication console-authent
line aux 0
line vty 0 4
 access-class 110 in
 login authentication ssh-authent
 transport input ssh
!
!
end

Is it the router or am I doing something horribly wrong?

Thanks,

Chris

scottmac
Level 10

More than likely, it's the firewall processes that are choking your connection.

The firewall works, but is very processor intensive, the 2611 just doesn't have the guts to really crank the traffic through.

The new IOS firewall on the X800 (1800, 2800, 3800...) series really rocks, but it's got a much beefier processor and more RAM.

Try it without the firewall and I'll bet you get much better performance.

Good Luck

Scott

The firewall wasn't applied to any interfaces but I removed the two commands anyways.

apt-router-1(config)#no ip inspect name basic-firewall tcp

apt-router-1(config)#no ip inspect name basic-firewall udp

However it still runs under 1mbit/s. I don't really need this router for my internet as it is for studying but it would be nice to use it for my ISP as well. 11mbit down to 1mbit is a big hit when it comes to downloads/xbox though. Any other ideas?

Thanks,

Chris

Hi,

Can you let us know how your outgoing link is connected to Ethernet 0/1?

Do you observe any errors on Ethernet0/1 (show int e0/1 statistics..)?

I could see an access-group command under this interface, but the access-list is not present..? (ip access-group 151 in)

-VJ

It is using an Ethernet Wireless Adapter to connect to a wireless network which connects to Comcast cable. The ethernet wireless adapter connected to the ethernet port on my laptop gives the full throughput just not with the router.

apt-router-1#show int e0/1 stat
Ethernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        215      53987        540      36242
             Route cache       5487    3884200       3496    1596073
                   Total       5702    3938187       4036    1632315

apt-router-1#show int e0/1
Ethernet0/1 is up, line protocol is up
  Hardware is AmdP2, address is 0030.94d8.ff01 (bia 0030.94d8.ff01)
  Internet address is 192.168.0.107/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:01:39, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5806 packets input, 3992356 bytes, 0 no buffer
     Received 27 broadcasts, 0 runts, 0 giants, 0 throttles
     177 input errors, 177 CRC, 100 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     4072 packets output, 1636758 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

I originally had an access-list applied to interface e0/1 but removed the access-list while forgetting to remove the access-group. I just removed that and still have the issue.

Chris

Hi Chris,

Thanks for the update.

Can you check an extended ping from the ethernet0/1 of the router to the ethernet interface ip of your wireless adapter and see if there are any packet drops observed.

While initiating the extended ping, you can also specify a datagram size, use something like 1000 bytes there to observe the performance.

Repeat the extended ping tests with the ethernet 0/1 as source and the destination as the outside ips (which are reachable via your wireless adapter.)

Also, check the speed/duplex settings of the ethernet interface of your wireless adapter.

-VJ

ilya.varlashkin
Level 3

According to the Cisco router performance datasheet, this router can do up to 7.68Mbps with CEF and 0.768Mbps at process switching. These are the best figures you will ever be able to squeeze out of this box using minimal configuration and 'ideal' packet size. On many models of that range the 'ideal' packet happens to be 512 bytes.

As you start adding features (access lists, NAT, firewall inspection rules etc.) performance will degrade.

If you say it's under 1Mbps, it looks like the router is doing mostly process switching.

Just for the test, try disabling absolutely everything, leave only the IP address on the WAN-facing interface and try downloading something from the internet directly from the router (use the 'copy ftp null:' command). See what performance you achieve. If it's higher, then you can start adding features one by one to see how performance follows.

If even with minimal configuration you still get extremely low performance, then look at your WAN interface - there are some errors there.

cbalmer
Level 1

I found a solution to the speed issue. I dropped the E0/1 interface to half-duplex and the speed jumped to 4Mbit download. Then I switched E0/0 to half-duplex and the speed jumped up to 6Mbit+ which is close to the max the router will do according to one of the other posts.

A possible explanation for this is that the systems connected to E0/0 and E0/1 were configured for auto-negotiation. On the router you had strict 10Mbps/full-duplex. The auto-negotiation procedure requires a system to fall back to half-duplex if it hears no auto-negotiation sequence from the other side.

So the result in your initial case probably was: router full-duplex, but other systems (switches?) half-duplex. The effect of it: on your router you've probably seen a noticeable number of input errors, while the remote system operating in half-duplex had collisions. Your laptop is likely configured for auto-negotiation, which explains why you had good performance with it.

I would suggest you check the other systems the router is connected to, set them explicitly to 10Mbps/full-duplex operation, and set your router to the same 10Mbps/full-duplex.

In addition to Ilya's feedback, most old Ethernet is using 10Mbps half-duplex. So please ensure your point-to-point connected equipment is using the same duplex mode to avoid the problem.

Hope this helps.
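
The counter pattern the replies describe (input errors on the full-duplex side, collisions on the half-duplex side), turned into a check over `show interface` text. This is an added example, not part of the original thread; the function names, the 1% threshold and the second sample are assumptions made for illustration.

```python
import re

# Counters copied from the "show int e0/1" output posted in the thread.
THREAD_E0_1 = """\
5806 packets input, 3992356 bytes, 0 no buffer
177 input errors, 177 CRC, 100 frame, 0 overrun, 0 ignored
4072 packets output, 1636758 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
"""

# Constructed sample (not from the thread): the half-duplex end of a mismatched link.
CONSTRUCTED_PEER = """\
9000 packets input, 6100000 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
8800 packets output, 5200000 bytes, 0 underruns
412 output errors, 730 collisions, 1 interface resets
0 babbles, 412 late collision, 0 deferred
"""

PATTERNS = {
    "packets_in": r"(\d+) packets input",
    "packets_out": r"(\d+) packets output",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}

def parse_counters(text):
    """Pull the counters of interest out of IOS 'show interface' text (0 if absent)."""
    found = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        found[name] = int(match.group(1)) if match else 0
    return found

def assess_duplex(text, local_duplex, threshold=0.01):
    """Classify one side of a link; threshold (1% of packets) is an assumed cut-off."""
    c = parse_counters(text)
    crc_ratio = c["crc"] / max(c["packets_in"], 1)
    late_ratio = c["late_collisions"] / max(c["packets_out"], 1)
    # Full-duplex side: the half-duplex peer aborts frames mid-send, which arrive as CRC errors.
    if local_duplex == "full" and crc_ratio > threshold and c["collisions"] == 0:
        return "suspect-peer-half-duplex"
    # Half-duplex side: the peer transmits whenever it likes, seen locally as late collisions.
    if local_duplex == "half" and late_ratio > threshold:
        return "suspect-peer-full-duplex"
    return "no-mismatch-signature"

if __name__ == "__main__":
    print(assess_duplex(THREAD_E0_1, "full"), assess_duplex(CONSTRUCTED_PEER, "half"))
```

With the thread's own counters (177 CRC errors in 5806 input packets on an interface forced to full-duplex), the check flags the peer as likely running half-duplex, which matches the fix Chris reported.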