01-17-2011 12:37 PM - edited 03-04-2019 11:07 AM
Hi,
As soon as I add the router's interfaces to security zones, the speed on the WAN interface drops significantly, to below 1 Mbps. I noticed this because I wasn't able to watch YouTube. Moreover, the bandwidth test from speedtest.net hangs and never produces a result. Below is a diagnostic example taken while running that test. The question is: what is going on? I have two iPhones and three computers in my network, that's it. My ISP bandwidth is 10 Mbps, so is this a hardware limitation of the router, some kind of malfunction, or a misconfiguration down here? What could be done?
Thanks!
warpgate#sh int fa4 sum
*: interface is up
IHQ: pkts in input hold queue IQD: pkts dropped from input queue
OHQ: pkts in output hold queue OQD: pkts dropped from output queue
RXBS: rx rate (bits/sec) RXPS: rx rate (pkts/sec)
TXBS: tx rate (bits/sec) TXPS: tx rate (pkts/sec)
TRTL: throttle count
Interface              IHQ   IQD  OHQ   OQD  RXBS   RXPS  TXBS   TXPS TRTL
--------------------------------------------------------------------------
* FastEthernet4          0   153    0     0 309000    54 344000    59   52
warpgate#sh processes cpu his
warpgate 04:32:13 PM Thursday May 6 2010 MSD
[The three ASCII graphs of this command (CPU% per second, per minute and per hour; * = maximum CPU%, # = average CPU%) lost their column alignment in extraction, so only the two digit rows printed above each graph are reproduced. They are read column-wise, tens digit over ones digit, with a blank tens digit meaning 0.]
CPU% per second (last 60 seconds):
777722222
888866666222226666622222333332222222222555552222255555888882
i.e. maxima of 78 78 78 78 26 26 26 26 26 in the first nine seconds, then 2-8% for the remaining 51 seconds (five-second runs of 2, 6, 2, 3, 2, 2, 5, 2, 5 and 8, and a final 2).
CPU% per minute (last 60 minutes; spacing of the tens row not recoverable):
11111 111111111 11111111181 1111 111111 11 1111117 16112731
844244944233522222224218306482104814432392392202301886350943
The graph showed one minute with a maximum near 90% and two near 80%, the rest mostly in the 10-20% range.
CPU% per hour (last 72 hours):
812212211211111111111283122221124219111111111311111112111118111111111111
688080459265595644558385831338963395222223227828242520226228222222223523
i.e. hourly maxima of 86, 88, 95 and 88% in four hours, 43, 38 and 35% in three more, and 12-28% otherwise.
The router is an 871W running c870-advipservicesk9-mz.124-24.T4.bin; the config is pretty simple:
Current configuration : 4353 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname warpgate
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
!
dot11 ssid Aiur
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 ***********
!
ip source-route
!
!
ip dhcp excluded-address 192.168.13.1 192.168.13.20
ip dhcp excluded-address 192.168.14.1 192.168.14.20
!
ip dhcp pool Aiur
network 192.168.13.0 255.255.255.0
default-router 192.168.13.1
dns-server 192.168.14.2 91.100.1.3 94.19.255.2
netbios-node-type h-node
netbios-name-server 192.168.14.2
!
ip dhcp pool Wired
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 192.168.14.2 91.100.1.3 94.19.255.2
netbios-node-type h-node
netbios-name-server 192.168.14.2
!
!
ip cef
no ip domain lookup
ip domain name **********
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username user privilege 15 secret 5 $1$WfPZ$uFsxCSnBccnLdYslWgUM3/
!
!
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
class-map type inspect match-all PPTP-Pass-Through-Traffic
match access-group name PPTP-PASS-THROUGH
class-map type inspect match-any ALL-TRAFFIC
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect OUT-IN-POLICY
class type inspect PPTP-Pass-Through-Traffic
pass
class class-default
drop
policy-map type inspect IN-OUT-POLICY
class type inspect PPTP-Pass-Through-Traffic
pass
class type inspect ALL-TRAFFIC
inspect
class class-default
drop
!
zone security outside
zone security inside
zone-pair security inside-outside source inside destination outside
service-policy type inspect IN-OUT-POLICY
zone-pair security outside-inside source outside destination inside
service-policy type inspect OUT-IN-POLICY
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security outside
speed 100
full-duplex
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid Aiur
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
ip address 192.168.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside
!
interface BVI1
ip address 192.168.13.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat interface FastEthernet4 overload
!
ip access-list extended PPTP-PASS-THROUGH
permit gre any any
!
ip access-list extended nat
!
permit ip 192.168.13.0 0.0.0.255 any
permit ip 192.168.14.0 0.0.0.255 any
!
access-list 1 permit 192.168.13.0 0.0.0.255
access-list 1 permit 192.168.14.0 0.0.0.255
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 60 0
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
end
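The two diagnostics in the post are easier to judge once decoded by a script than by eye, so here is an added example (not part of the original thread) that parses the `show interfaces summary` table and the digit rows of `show processes cpu history`. The FastEthernet4 row and the per-second and per-hour digit rows are copied from the post; the Vlan1 row is constructed, and the per-second tens row is right-padded because its trailing blanks were lost in the copy. The `starved()` rule is the check a practitioner applies: non-zero IQD or TRTL on a link running at 0.3 Mbit/s means the CPU, not the link, is the bottleneck.

```python
"""Decode `show interfaces summary` rows and `show processes cpu history`
digit rows from a Cisco IOS router.  Added example; sample data as noted."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Numeric columns of `show interfaces summary`, in printed order.
SUMMARY_FIELDS = ("ihq", "iqd", "ohq", "oqd", "rxbs", "rxps", "txbs", "txps", "trtl")

# Optional '*' (interface up), the interface name, then exactly nine integers.
_ROW = re.compile(r"^\s*(\*?)\s*(\S+)" + r"\s+(\d+)" * len(SUMMARY_FIELDS) + r"\s*$")


@dataclass
class IfSummary:
    name: str
    up: bool
    counters: Dict[str, int]

    def starved(self) -> bool:
        """IQD (input-queue drops) and TRTL (throttles) only grow when packets
        waited in the input hold queue longer than the CPU could drain it:
        the router is process-bound, not link-bound."""
        return self.counters["iqd"] > 0 or self.counters["trtl"] > 0

    def mbps(self) -> Tuple[float, float]:
        """(rx, tx) rate in Mbit/s from the bits/sec columns."""
        return self.counters["rxbs"] / 1e6, self.counters["txbs"] / 1e6


def parse_if_summary(text: str) -> List[IfSummary]:
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:  # legend, header and separator lines never carry nine integers
            continue
        star, name, *nums = m.groups()
        rows.append(IfSummary(name, star == "*", dict(zip(SUMMARY_FIELDS, map(int, nums)))))
    return rows


def decode_cpu_history(tens_row: str, ones_row: str) -> List[int]:
    """Column-wise read of the two digit rows above a cpu-history graph:
    tens digit (blank = 0) over ones digit.  Both rows share one left indent
    in IOS output; the tens row is padded on the right because terminals and
    forum editors drop its trailing blanks."""
    indent = len(ones_row) - len(ones_row.lstrip(" "))
    ones = ones_row.rstrip()[indent:]
    tens = tens_row.rstrip("\n")[indent:].ljust(len(ones))
    return [int((t if t != " " else "0") + o) for t, o in zip(tens, ones)]


def report(summary_text: str) -> Dict[str, dict]:
    """Per-interface verdict: link rate in Mbit/s and whether it looks CPU-starved."""
    out = {}
    for r in parse_if_summary(summary_text):
        rx, tx = r.mbps()
        out[r.name] = {"up": r.up, "starved": r.starved(), "rx_mbps": rx, "tx_mbps": tx}
    return out


# FastEthernet4 row copied from the post; Vlan1 row constructed for the example.
SAMPLE_SUMMARY = """\
*: interface is up
 IHQ: pkts in input hold queue     IQD: pkts dropped from input queue
 OHQ: pkts in output hold queue    OQD: pkts dropped from output queue
 RXBS: rx rate (bits/sec)          RXPS: rx rate (pkts/sec)
 TXBS: tx rate (bits/sec)          TXPS: tx rate (pkts/sec)
 TRTL: throttle count

  Interface              IHQ   IQD  OHQ   OQD  RXBS   RXPS  TXBS   TXPS TRTL
----------------------------------------------------------------------------
* FastEthernet4            0   153    0     0 309000    54 344000    59   52
* Vlan1                    0     0    0     0 331000    57 296000    52    0
"""

# Digit rows copied from the post's cpu history (per-second tens row lost its trailing blanks).
SEC_TENS = "777722222"
SEC_ONES = "888866666222226666622222333332222222222555552222255555888882"
HOUR_TENS = "812212211211111111111283122221124219111111111311111112111118111111111111"
HOUR_ONES = "688080459265595644558385831338963395222223227828242520226228222222223523"

if __name__ == "__main__":
    for name, r in report(SAMPLE_SUMMARY).items():
        print(f"{name}: rx {r['rx_mbps']:.3f} Mbit/s, tx {r['tx_mbps']:.3f} Mbit/s, starved={r['starved']}")
    secs = decode_cpu_history(SEC_TENS, SEC_ONES)
    hours = decode_cpu_history(HOUR_TENS, HOUR_ONES)
    print("per-second max %d%%, mean %.1f%%" % (max(secs), sum(secs) / len(secs)))
    print("hours with max >= 80%%: %d, overall max %d%%" % (sum(h >= 80 for h in hours), max(hours)))
```

Run stand-alone it reports FastEthernet4 at roughly 0.3 Mbit/s each way with 153 input drops and 52 throttles, per-second CPU bursts to 78% during the speed test, and four hours in the last three days with a maximum at or above 80%; that combination points at the inspection path on the 871W's CPU rather than at the ISP link.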
01-17-2011 01:00 PM
That is a known fact. Not a big problem considering that ZBFW doesn't really add any real security, as one has NAT already, so just remove it.
01-17-2011 10:50 PM
Thanks for the reply, Paolo,
it wasn't a known fact for me though. So your reply means that this is a hardware limitation, and nothing can be done here apart from giving up ZBF. What about the guides that describe such a configuration? Here's an example:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab7073.shtml
They are all not supposed to be implemented, are they? I feel kind of cheated. Anyway. I still need to be able to block some HTTP sites.
Is there any possibility to do HTTP filtering without using ZBF?
Thanks in advance.
01-18-2011 12:14 AM
Hi,
Is there any possibility to do http filtering without using ZBF?
Yes there is: you can use NBAR http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm
Regards.
Alain.
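As an added illustration of the NBAR approach Alain points to (this is not Alain's or Cisco's own configuration, and it has not been tested on the poster's 871W), the fragment below classifies clear-text HTTP by Host header and URL with NBAR and drops it through an MQC policy applied inbound on the two inside interfaces from the posted configuration. The class and policy names and the `*example-blocked.com*` and `*forbidden-path*` patterns are placeholders.

```ios
! NBAR classification of clear-text HTTP; patterns are placeholders
class-map match-any BLOCKED-HTTP
 match protocol http host *example-blocked.com*
 match protocol http url *forbidden-path*
!
policy-map BLOCK-HTTP
 class BLOCKED-HTTP
  drop
!
! Apply inbound on the inside interfaces of the posted configuration
interface Vlan1
 service-policy input BLOCK-HTTP
interface BVI1
 service-policy input BLOCK-HTTP
!
! Verification: class counters should increase while a blocked site is requested
show policy-map interface Vlan1 input
show policy-map interface BVI1 input
```

Two caveats a practitioner would want: NBAR only sees the Host header and URL of plain HTTP, so HTTPS traffic to the same sites passes untouched, and NBAR classification is itself CPU work on an 871, so check `show processes cpu` under load after enabling it rather than assuming it is cheaper than the zone-based policy it replaces.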
01-18-2011 06:11 AM
You are welcome. Please remember to rate useful posts by clicking on the stars below.