Catalyst 2901 stuck at 50 mbps throughput

brcruz001
Level 1

Hi There!

I have a Catalyst 2901 as my border router, connecting to my ISP modem in bridge mode. Right behind it, I have a couple of SG200 for end devices. My ISP gives me 75 mbps of download and 30 mbps of upload speed. If I connect directly on the modem, I can reach even higher throughput. However, as soon as I go behind my 2901, my download throughput seems to be capped at 50 mbps, and I can't find what's wrong in my config.

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime year
service password-encryption
no service password-recovery
!
hostname R2901
!
boot-start-marker
boot-end-marker
!
!
no logging console
no logging monitor
enable secret *
enable password *
!
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
process cpu threshold type total rising 80 interval 5 falling 60 interval 5
!
no ipv6 source-route
no ipv6 cef
no ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
ip dhcp bootp ignore
!
!
no ip bootp server
ip domain name *
ip host <HOSTNAME> *
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ddns update method DYNDNS
HTTP
add *
interval minimum 0 0 1 0
!
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2901/K9 sn <SN>
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
!
!
memory reserve critical 10000
memory reserve console 4096
memory free low-watermark processor 333000
memory free low-watermark IO 41000
username * password *
username secret *
!
redundancy
!
!
!
!
ip ssh time-out 60
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map ipnetconfig-map 10
set nat demux
set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
!
!
!
interface Loopback0
ip address * 255.255.255.0
ip virtual-reassembly in
!
interface GigabitEthernet0/0
description ***** WAN  *****
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0/1
description LAN
ip address * 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Virtual-Template1
ip unnumbered Dialer1
ip virtual-reassembly in
peer default ip address pool poolvpn
no keepalive
ppp encrypt mppe 40
ppp authentication ms-chap-v2
!
interface Dialer1
ip ddns update hostname *
ip ddns update DYNDNS
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
no ip route-cache same-interface
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp chap hostname *
ppp chap password *
ppp pap sent-username * password *
no cdp enable
crypto map cisco
!
ip local pool test *
ip local pool poolvpn *
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server queue limit forwarder 10000
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging *
access-list 1 permit <IP> 0.0.0.255
access-list 160 deny tcp any any established
access-list 160 permit tcp any any syn
dialer-list 1 protocol ip permit
!
no cdp run

!
!
!
route-map * permit 10
match ip address 10
match interface Dialer1
!
!
snmp-server enable traps cpu threshold
!
!
control-plane
!
!
!
!
!
!
!
!
gatekeeper
shutdown
!
banner exec Entering EXEC mode on R2901...
!
line con 0
line aux 0
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
password *
transport input ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
scheduler allocate 20000 1000
ntp server 200.160.7.186
ntp server 200.186.125.195
end

Accepted Solution

Alan Ng'ethe
Level 3

As Jaderson says..."you'll want to ensure items like CEF are enabled..", and I agree with his observations. Looking at your config, I see it could be one of the reasons your throughput is affected.

How to Verify Cisco Express Forwarding

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.


Jaderson Pessoa
VIP Alumni

@brcruz001 hello,

What this tells us, a 2901's performance is very variable - much depends on your config and the nature of your traffic.

To obtain the maximum forwarding performance out of an ISR you'll want to use the minimal possible configuration.

For example, if you're using a dynamic protocol like EIGRP, replacing it with static routes would save a few CPU cycles, that can be used for forwarding packets.  (Oh, and the fewer routes, the better too.  For example, using a default for all off-site routes.)

Not using any ACLs, also saves CPU cycles.

Deactivating CDP should save a few CPU cycles.

Deactivating NTP should save a few CPU cycles.

Etc., etc., etc.

However, before you go down the road trying to save a microsecond of CPU here or there, yes, you'll want to ensure items like CEF are enabled and/or your buffer management is optimal, i.e. all hits without buffer list trims/creates, etc.  And/or, you might want to minimize hitting up this router with SNMP queries, etc., etc.

Again, the closer the config is to only doing basic packet forwarding, you'll maximize the ISR's performance.

Here is the original post:

https://community.cisco.com/t5/switching/2901-router-throughput-increase/td-p/3011864

Jaderson Pessoa
*** Rate All Helpful Responses ***

Jaderson,

Thanks for your post. I'm not using the 2901 for any impressive traffic flow, it's just a home environment. I've already removed CDP, and left the bare minimum ACLs. I see other posts talking about 150 Mbps throughput on the same router, that's why I raised this question.

I will try a write erase, and configure everything from scratch again.

well.. I said what it is :)
Jaderson Pessoa
*** Rate All Helpful Responses ***

Hello,

you have a crypto map configured on your dialer interface, is that on purpose? IPSec will inevitably slow everything down...

Hey, thanks for noticing!

I've just removed the crypto map association with the Dialer1 interface, however, I didn't see any improvements.

Hello,

there is a lot of redundant stuff configured on your router. What is this router used for? You don't use the IPSec part, what about the VPDN, is that being used?

Hi Georg,

It's a home environment. Could you point out what are the redundant configs you're talking about? I have an L2TP VPDN that I use to dial in, and I'm trying to configure VPDN to use certificates instead of shared secret, that's the reason for IPSec. Although I didn't have any luck to get it right though...

Hello

You originally asked the question regarding throughput when directly or indirectly connected to your router (which you still have not verified).

Are you experiencing this issue when attached to the router or behind it residing on the switches?

Are you still requiring a solution to this or now seeking assistance in setting up IP security and remote VPN access - naturally applying the above to your router as others have mentioned will only increase the burden of your router which subsequently could have a bearing on the traffic throughput.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

I have cleaned up your config a bit and added some stuff for the VPDN, check if you get it to work. Below is the config I have come up with (changes and additions marked in bold):

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime year
service password-encryption
no service password-recovery
!
hostname R2901
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
enable secret *
enable password *
!
aaa new-model
aaa local authentication attempts max-fail 3
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
!
process cpu threshold type total rising 80 interval 5 falling 60 interval 5
!
no ipv6 source-route
no ipv6 cef
no ip source-route
no ip icmp rate-limit unreachable
ip cef
!
ip dhcp bootp ignore
!
no ip bootp server
ip domain name *
ip host <HOSTNAME> *
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ddns update method DYNDNS
HTTP
add *
interval minimum 0 0 1 0
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group PPTP
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 2
lcp renegotiation always
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
voice-card 0
!
license udi pid CISCO2901/K9 sn <SN>
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
memory reserve critical 10000
memory reserve console 4096
memory free low-watermark processor 333000
memory free low-watermark IO 41000
username * password *
username secret *
!
redundancy
!
ip ssh time-out 60
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map ipnetconfig-map 10
--> no set nat demux
set transform-set ipnetconfig
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
interface Loopback0
ip address * 255.255.255.0
ip virtual-reassembly in
!
interface GigabitEthernet0/0
description ***** WAN *****
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0/1
description LAN
ip address * 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Virtual-Template1
ip unnumbered Dialer1
ip virtual-reassembly in
peer default ip address pool PPTP_POOL
no keepalive
ppp mtu adaptive
ppp encrypt mppe auto required
ppp authentication ms-chap-v2
!
interface Virtual-Template2
ip unnumbered Dialer1
ip virtual-reassembly in
peer default ip address pool L2TP_POOL
no keepalive
ppp mtu adaptive
ppp authentication ms-chap-v2
!
interface Dialer1
ip ddns update hostname *
ip ddns update DYNDNS
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
no ip route-cache same-interface
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname *
ppp chap password *
ppp pap sent-username * password *
no cdp enable
crypto map cisco
!
ip local pool L2TP_POOL 10.10.10.1 10.10.10.254
ip local pool PPTP_POOL 10.10.11.1 10.10.11.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server queue limit forwarder 10000
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging *
access-list 1 permit <IP> 0.0.0.255
access-list 160 deny tcp any any established
access-list 160 permit tcp any any syn
dialer-list 1 protocol ip permit
!
no cdp run
!
snmp-server enable traps cpu threshold
!
control-plane
!
gatekeeper
shutdown
!
banner exec Entering EXEC mode on R2901...
!
line con 0
line aux 0
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
password *
transport input ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
scheduler allocate 20000 1000
ntp server 200.160.7.186
ntp server 200.186.125.195
end

Alan,
Thanks for your post. You and Jaderson were right! CEF was enabled globally but not on the interface level. As soon as I enabled CEF on Dialer and Gb0/1 interfaces I could reach almost 70 Mbps.

Thanks for the link!
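
An added example, not part of the original thread: a small Python check for the condition found above, where `ip cef` is set globally but `no ip route-cache cef` / `no ip route-cache` turn it off on individual interfaces. The function names and the trimmed sample config are constructed for illustration.

```python
# Constructed excerpt modelled on the configuration posted in this thread.
SAMPLE_CONFIG = """\
ip cef
!
interface GigabitEthernet0/0
 pppoe enable group global
!
interface GigabitEthernet0/1
 no ip route-cache cef
 no ip route-cache
!
interface Dialer1
 no ip route-cache same-interface
 no ip route-cache cef
 no ip route-cache
!
"""

# Interface sub-commands that take an interface off the CEF path.
CEF_OFF = ("no ip route-cache cef", "no ip route-cache")

def parse_interfaces(config):
    """Return (global_cef_enabled, {interface name: [sub-commands]})."""
    global_cef, interfaces, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()              # works for indented or flattened configs
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None              # "!" or a blank line closes the section
        elif current is not None:
            current.append(line)
        elif line.split()[:2] == ["ip", "cef"]:
            global_cef = True
    return global_cef, interfaces

def audit_cef(config):
    """List (interface, reasons) for every interface not using CEF."""
    global_cef, interfaces = parse_interfaces(config)
    findings = []
    for name, cmds in interfaces.items():
        reasons = [c for c in cmds if c in CEF_OFF]
        if not global_cef:
            reasons.insert(0, "global 'ip cef' missing")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    print(audit_cef(SAMPLE_CONFIG))
```

On the router itself, `show ip interface <name>` reports whether IP CEF switching is enabled for that interface.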

Hello


@brcruz001 wrote:

Hi There!

I have a Catalyst 2901 as my border router, connecting to my ISP modem in bridge mode. Right behind it, I have a couple of SG200 for end devices. My ISP gives me 75 mbps of download and 30 mbps of upload speed. If I connect directly on the modem, I can reach even higher throughput. However, as soon as I go behind my 2901,


When you say you go behind the 2901, do you mean connected directly to the 2901 or via the SG200s?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul