871W significantly drops speed on WAN int as soon as ZBF is on

vlitovchenko
Level 1

Hi,

As soon as I add the interfaces of the router to security zones it significantly drops speed on the WAN interface, below 1 Mbs. I noticed this because I wasn't able to watch YouTube. Moreover, the bandwidth test from speedtest.net hangs and doesn't come to a result. Below is the diagnostic output taken while running that test. The question is what is going on? I have two iPhones and three computers in my network, that's it. My ISP bandwidth is 10 Mbs, so is this a router hardware limitation, or some kind of malfunction or misconfiguration here? What could be done here?

Thanks!

warpgate#sh int fa4 sum

*: interface is up
IHQ: pkts in input hold queue     IQD: pkts dropped from input queue
OHQ: pkts in output hold queue    OQD: pkts dropped from output queue
RXBS: rx rate (bits/sec)          RXPS: rx rate (pkts/sec)
TXBS: tx rate (bits/sec)          TXPS: tx rate (pkts/sec)
TRTL: throttle count

  Interface              IHQ   IQD  OHQ   OQD  RXBS RXPS  TXBS TXPS TRTL
------------------------------------------------------------------------
* FastEthernet4            0   153    0     0 309000   54 344000   59   52

warpgate#sh processes cpu his

warpgate   04:32:13 PM Thursday May 6 2010 MSD

    777722222
    888866666222226666622222333332222222222555552222255555888882
100
 90
 80 ****
 70 ****
 60 ****
 50 ****
 40 ****
 30 *********
 20 *********
 10 *********     *****                    *****     **********
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)

     11111 111111111 11111111181 1111 111111 11 1111117 16112731
    844244944233522222224218306482104814432392392202301886350943
100
 90                           *
 80                           *                              *
 70                           *                       *  *   *
 60                           *                       *  *   *
 50                           *                       *  *   *
 40                           *                       *  *   *
 30                           *                       *  *   #*
 20             *          *  #                       # *# **#*
 10 **************** ***##*#**#***********************#*##**###*
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%

    812212211211111111111283122221124219111111111311111112111118111111111111
    688080459265595644558385831338963395222223227828242520226228222222223523
100                                    *
 90 *                     *            *                       *
 80 *                     *            *                       *
 70 *                     *            *                       *
 60 *                     *            *                       *
 50 *                     *            *                       *
 40 *                     **        *  *         *             *
 30 * *                   **       **  *         *             *
 20 ****************  *****************#        ** *   * *  *  *         *
 10 ******#***************##############************************************
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
             0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%

The router 871W runs c870-advipservicesk9-mz.124-24.T4.bin, the config is pretty simple:

Current configuration : 4353 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname warpgate
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
!
dot11 ssid Aiur
 vlan 1
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 ***********
!
ip source-route
!
!
ip dhcp excluded-address 192.168.13.1 192.168.13.20
ip dhcp excluded-address 192.168.14.1 192.168.14.20
!
ip dhcp pool Aiur
   network 192.168.13.0 255.255.255.0
   default-router 192.168.13.1
   dns-server 192.168.14.2 91.100.1.3 94.19.255.2
   netbios-node-type h-node
   netbios-name-server 192.168.14.2
!
ip dhcp pool Wired
   network 192.168.14.0 255.255.255.0
   default-router 192.168.14.1
   dns-server 192.168.14.2 91.100.1.3 94.19.255.2
   netbios-node-type h-node
   netbios-name-server 192.168.14.2
!
!
ip cef
no ip domain lookup
ip domain name **********
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username user privilege 15 secret 5 $1$WfPZ$uFsxCSnBccnLdYslWgUM3/
!
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
class-map type inspect match-all PPTP-Pass-Through-Traffic
 match access-group name PPTP-PASS-THROUGH
class-map type inspect match-any ALL-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect OUT-IN-POLICY
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class class-default
  drop
policy-map type inspect IN-OUT-POLICY
 class type inspect PPTP-Pass-Through-Traffic
  pass
 class type inspect ALL-TRAFFIC
  inspect
 class class-default
  drop
!
zone security outside
zone security inside
zone-pair security inside-outside source inside destination outside
 service-policy type inspect IN-OUT-POLICY
zone-pair security outside-inside source outside destination inside
 service-policy type inspect OUT-IN-POLICY
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
 speed 100
 full-duplex
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 ssid Aiur
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 ip address 192.168.14.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
!
interface BVI1
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat interface FastEthernet4 overload
!
ip access-list extended PPTP-PASS-THROUGH
 permit gre any any
!
ip access-list extended nat
!
 permit ip 192.168.13.0 0.0.0.255 any
 permit ip 192.168.14.0 0.0.0.255 any
!
access-list 1 permit 192.168.13.0 0.0.0.255
access-list 1 permit 192.168.14.0 0.0.0.255
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 60 0
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
end


4 Replies

paolo bevilacqua
Hall of Fame

That is a known fact. Not a big problem considering that ZBFW doesn't really add any real security, as one has NAT already, so just remove it.

Thanks for the reply, Paolo,

it wasn't a known fact for me though. So your reply means that this is a hardware limitation, and nothing can be done here apart from refusing ZBF. What about guides that describe such a configuration? Here's the example:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080ab7073.shtml

They are all not supposed to be implemented, are they? I feel kind of cheated. Anyway. I still need to be able to block some http sites.

Is there any possibility to do http filtering without using ZBF?

Thanks in advance.

Hi,

Is there any possibility to do http filtering without using ZBF?

Yes there is: you can use NBAR   http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm

Regards.

Alain.

Don't forget to rate helpful posts.
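As a worked illustration of the NBAR approach Alain points to, applied to the configuration posted above (added here as an example; it is not from this thread or from Cisco's documents): zone membership is removed from the three interfaces so the inspect policy-maps and zone-pairs stop processing traffic, and an NBAR class-map drops plaintext HTTP requests whose Host header or URL matches a pattern. The hostname and URL patterns and the class-map and policy-map names are placeholders chosen for this example.

```cisco
! 1. Take the interfaces out of the security zones. Once no interface is a
!    member, the zone-pairs and the type inspect policy-maps/class-maps above
!    are idle and can be deleted as well.
interface FastEthernet4
 no zone-member security outside
interface Vlan1
 no zone-member security inside
interface BVI1
 no zone-member security inside
!
! 2. NBAR classification of HTTP by Host header and by URL. The patterns and
!    the class-map name are placeholders for this example; match-any means a
!    request matching either line is classified. NBAR only inspects HTTP on
!    the ports it knows (TCP/80 by default); HTTPS payload is not inspected.
class-map match-any BLOCKED-HTTP
 match protocol http host "*blocked-site.example*"
 match protocol http url "*/forbidden/*"
!
! 3. MQC policy that drops only the classified traffic. There is no action on
!    class-default, so everything else is forwarded untouched.
policy-map DROP-BLOCKED-HTTP
 class BLOCKED-HTTP
  drop
!
! 4. Apply outbound on the WAN interface so wired (Vlan1) and wireless (BVI1)
!    clients are covered by one policy. Matching is on the application payload,
!    so the NAT performed on this interface does not affect it.
interface FastEthernet4
 service-policy output DROP-BLOCKED-HTTP
```

NBAR classification also runs on the 871's main CPU, so after applying it re-check "show processes cpu history" and the IQD column of "show interfaces fa4 summary" as in the original post, and confirm with "show policy-map interface FastEthernet4" that only the intended class is accumulating drops.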

You are welcome. Please remember to rate useful posts clicking on the stars below.
