
Cisco 2851 Router cannot get to 95mbps download

Cisco 2851 Router I know the throughput is only 112mbps....

I had 20mbps service and everything was working fine.

I upgraded to 100mbps service and I get only 27mbps down and 10mbps upload

 

Here are the things I tried:

I shutdown the IPS module and that made no difference

I connected straight to my computer and I get 95mbps/10mbps every time

I have a SB6183 modem going to the Cisco 2851 Router going to a Netgear GS724Tv4 ProSafe Switch

Everything on the network runs at Gigabit speeds

 

So I am stumped...I thank you all in advance for any help ...

Here is my config file:


!
! Last configuration change at 13:59:01 CDT Fri Mar 30 2018 by scorpion
! NVRAM config last updated at 13:59:07 CDT Fri Mar 30 2018 by scorpion
! NVRAM config last updated at 13:59:07 CDT Fri Mar 30 2018 by scorpion
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
!
hostname **************
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
no logging buffered
no logging rate-limit
enable secret 5 **********************
enable password 7 *************************
!
no aaa new-model
!
no process cpu extended history
no process cpu autoprofile hog
clock timezone CST -6 0
clock summer-time CDT recurring
!
dot11 syslog
ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
!
no ip bootp server
ip domain name *****************
ip host ************** ***********
ip name-server **************
ip name-server **************
ip name-server ***************
ip name-server ****************
ip inspect name protocol dns
ip inspect name protocol ftp
ip inspect name protocol http
ip inspect name protocol https
ip inspect name protocol icmp
ip inspect name protocol tcp
ip inspect name protocol udp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
license udi pid CISCO2851 sn ********
username ******* privilege 15 secret 5 ************
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
ip ssh port ******* rotary 1
ip ssh rsa keypair-name ******
ip ssh logging events
ip ssh version 2
ip ssh dh min size 4096
!
!
!
buffers tune automatic
!
!
!
!
!
interface GigabitEthernet0/0
 description INSIDE
 ip address ************** ****************
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip address dhcp hostname **********
 ip access-group 101 in
 ip mask-reply
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect protocol out
 ip virtual-reassembly in
 duplex auto
 speed auto
 ids-service-module monitoring inline access-list 101
 ntp disable
 no cdp enable
 no mop enabled
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface IDS-Sensor1/0
 ip address *********** ***********
 service-module fail-open
 service-module heartbeat-reset disable
 hold-queue 60 out
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip flow-export version 5
ip flow-export destination ************* ****
ip flow-top-talkers
 top 200
 sort-by bytes
 cache-timeout 250
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
ip access-list extended DenyStdSSH
 deny   tcp any any eq 22
 permit tcp any any eq **** log
!
logging trap debugging
logging source-interface GigabitEthernet0/0
logging ******
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark *** GigabitEthernet0/0 SCORPNET ***
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark *******************************
access-list 101 remark *** GigabitEthernet0/1 SPECTRUM ***
access-list 101 remark --- SPECTRUM DHCP ---
access-list 101 permit udp any eq bootps any eq bootpc log
access-list 101 remark *******************************
access-list 101 remark --- DNS ---
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq domain any
access-list 101 remark *******************************
access-list 101 remark --- CISCO IPS MONITORING ---
access-list 101 permit tcp any eq www any
access-list 101 remark *******************************
access-list 101 remark --- SSH ALTERNATE PORT ---
access-list 101 permit tcp any any eq ***** log
access-list 101 remark *******************************
access-list 101 remark --- PLEX MEDIA SERVER ---
access-list 101 permit tcp any any eq ***** log
access-list 101 remark *******************************
access-list 101 remark --- FTPS Explicit (Passive) ---
access-list 101 permit tcp any any eq ***** log
access-list 101 permit tcp any any eq *****
access-list 101 permit tcp any any eq *****
access-list 101 permit tcp any any eq *****
access-list 101 permit tcp any any eq *****
access-list 101 permit tcp any any eq *****
access-list 101 permit tcp any any eq *****
access-list 101 remark *******************************
access-list 101 remark --- SFTP (SSH) ---
access-list 101 permit tcp any any eq ***** log
access-list 101 remark *******************************
access-list 101 remark --- SOFTETHER VPN ---
access-list 101 permit tcp any any eq ***** log
access-list 101 permit udp any any eq ***** log
access-list 101 remark *******************************
access-list 101 remark --- DAMEWARE ---
access-list 101 permit tcp any any eq ***** log
access-list 101 remark *******************************
access-list 101 remark --- XBOX LIVE ---
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3074
access-list 101 permit udp any any eq 88
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 3074
access-list 101 permit udp any any eq 3544
access-list 101 permit udp any any eq non500-isakmp
access-list 101 remark *******************************
access-list 101 remark --- ICMP ---
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any ttl-exceeded
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
access-list 101 deny   icmp any any log
access-list 101 remark *******************************
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any log
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 60 0
 login local
 transport preferred none
 transport output telnet
line aux 0
 exec-timeout 0 1
 no exec
line 66
 no activation-character
 no exec
 transport preferred none
 transport input telnet ssh
 transport output telnet
 stopbits 1
 speed 115200
line vty 0 4
 access-class DenyStdSSH in
 exec-timeout 20 0
 privilege level 15
 password 7 ***************
 login local
 rotary 1
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
ntp logging
ntp update-calendar
ntp server ************ prefer source GigabitEthernet0/0
end

Accepted Solution

Hello,

 

try the extremely simplified config below. Since the 2851 is not an edge device, you don't need a lot of the security stuff.

 

Important parts are marked in bold:

 

! Last configuration change at 13:59:01 CDT Fri Mar 30 2018 by scorpion
! NVRAM config last updated at 13:59:07 CDT Fri Mar 30 2018 by scorpion
! NVRAM config last updated at 13:59:07 CDT Fri Mar 30 2018 by scorpion
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
!
hostname **************
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
no logging buffered
no logging rate-limit
enable secret 5 **********************
enable password 7 *************************
!
no aaa new-model
!
no process cpu extended history
no process cpu autoprofile hog
clock timezone CST -6 0
clock summer-time CDT recurring
!
dot11 syslog
ip source-route
no ip gratuitous-arps
!
ip cef
!
no ip bootp server
ip domain name *****************
ip host ************** ***********
ip name-server **************
ip name-server **************
ip name-server ***************
ip name-server ****************
!
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid CISCO2851 sn ********
username ******* privilege 15 secret 5 ************
!
redundancy
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
ip ssh port ******* rotary 1
ip ssh rsa keypair-name ******
ip ssh logging events
ip ssh version 2
ip ssh dh min size 4096
!
buffers tune automatic
!
interface GigabitEthernet0/0
description INSIDE
ip address ************** ****************
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description OUTSIDE
ip address dhcp
ip mask-reply
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ntp disable
no cdp enable
no mop enabled
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface IDS-Sensor1/0
ip address *********** ***********
service-module fail-open
service-module heartbeat-reset disable
hold-queue 60 out
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp
!
ip access-list extended DenyStdSSH
deny tcp any any eq 22
permit tcp any any eq **** log
!
logging trap debugging
logging source-interface GigabitEthernet0/0
logging ******
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 permit 192.168.0.0 0.0.0.255
!
control-plane
!
mgcp profile default
!
line con 0
exec-timeout 60 0
login local
transport preferred none
transport output telnet
line aux 0
exec-timeout 0 1
no exec
line 66
no activation-character
no exec
transport preferred none
transport input telnet ssh
transport output telnet
stopbits 1
speed 115200
line vty 0 4
access-class DenyStdSSH in
exec-timeout 20 0
privilege level 15
password 7 ***************
login local
rotary 1
transport preferred ssh
transport input ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp logging
ntp update-calendar
ntp server ************ prefer source GigabitEthernet0/0
end


9 Replies 9

Hello,

 

I assume your SurfBoard is doing the NAT ? What if you connect the Cisco directly to the Internet (that is, leaving the SB out) ?

Yes the SB6183 is doing the nat...

I can't do that because the Router does not have a coax cable module in it

 

I double checked everything again and it is all ok....I just don't understand this


Ok...I followed your instructions and I got 104mbps...103mbps.....105mbps...105mbps

 

So I will be the first to admit that I am still learning my way around Cisco Routers...especially when it comes to config files...do you have a suggestion as to where I should proceed from here?

 

I am curious about these two lines, should they both be in there?

 

ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp (this is the default route then?)

Hello,

 

glad that you got the speed up. Basically, anything (like access lists, IDS, etc.) you configure the router with that goes on top of basic connectivity slows it down, since it has to be processed.

 

ip nat inside source list 1 interface GigabitEthernet0/1 overload

 

--> this just means that everything defined in access list 1 gets translated to the IP address of interface GigabitEthernet0/1

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp

 

--> this sends all traffic to the SurfBoard. The 'dhcp' keyword is basically the same as putting an IP address as the next hop in the static route statement, but since you don't know the address, 'dhcp' is used. Defining an IP address as the next hop is usually faster than defining an interface, since in the latter case, the router has to ARP for the next hop...
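The per-interface difference between the two configs in this thread, as an added example (not code from any poster): the script lists which per-packet features the simplified config removed from each interface and which interfaces are left with no ACL, CBAC or IPS filtering. The feature labels and the grouping into "security" features are this example's own classification; the stanzas are excerpted from the posts.

```python
import re

# Interface sub-commands that add work to every forwarded packet (example's own labels).
FEATURES = {
    r"ip access-group \S+ (in|out)": "ACL filter",
    r"ip inspect \S+ (in|out)": "CBAC inspection",
    r"ids-service-module monitoring": "IPS module",
    r"ip nbar protocol-discovery": "NBAR",
    r"ip flow (ingress|egress)": "NetFlow",
}
SECURITY = {"ACL filter", "CBAC inspection", "IPS module"}

# Interface stanzas excerpted from the two configs posted in this thread.
ORIGINAL = """\
interface GigabitEthernet0/0
 ip access-group 100 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
!
interface GigabitEthernet0/1
 ip access-group 101 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect protocol out
 ids-service-module monitoring inline access-list 101
!
"""
SIMPLIFIED = """\
interface GigabitEthernet0/0
ip nat inside
!
interface GigabitEthernet0/1
ip nat outside
!
"""

def interface_features(config):
    """Return {interface: feature labels}; a stanza runs from 'interface X' to the next '!'."""
    found = {}
    for name, body in re.findall(r"^interface (\S+)\n(.*?)^!", config, re.M | re.S):
        lines = [l.strip() for l in body.splitlines()]
        found[name] = {lab for pat, lab in FEATURES.items() if any(re.match(pat, l) for l in lines)}
    return found

def removed_features(before, after):
    """Features present on an interface in `before` but absent in `after`."""
    old, new = interface_features(before), interface_features(after)
    return {i: sorted(f - new.get(i, set())) for i, f in old.items() if f - new.get(i, set())}

def unfiltered_interfaces(config):
    """Interfaces left with no ACL, CBAC or IPS feature at all."""
    return sorted(i for i, f in interface_features(config).items() if not f & SECURITY)

if __name__ == "__main__":
    print(removed_features(ORIGINAL, SIMPLIFIED), unfiltered_interfaces(SIMPLIFIED))
```

The second result is the one to review before leaving the simplified config in place if GigabitEthernet0/1 receives a publicly routable address.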

 

ok...I did some reading and I understand that, thanks for the explanation....

Now I tried to add just a little of my access list and it broke everything. I added just the following:

 

access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark *** GigabitEthernet0/0 SCORPNET ***
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark *******************************
access-list 101 remark *** GigabitEthernet0/1 SPECTRUM ***
access-list 101 remark --- SPECTRUM DHCP ---
access-list 101 permit udp any eq bootps any eq bootpc log

 

I have been doing more reading but I don't know why this would break it..

It needs the SPECTRUM DHCP...well, so it allows port 67/68 to do the DHCP

Hello,

 

basically, an access list has an implicit 'deny', so anything you do not explicitly allow will be blocked.

Where is the Spectrum located, that is, what is the IP address ?

You can also use the Cisco as DHCP server, by adding the below:

 

ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool LAN
 network 192.168.0.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.0.1
 lease 3
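How the implicit deny plays out on the lists posted above, as an added example that is not part of the thread: a first-match evaluator run over the posted extended ACL lines. It assumes ACL 101 is applied inbound on GigabitEthernet0/1 as in the original config, with no `ip inspect` rule opening return paths; the packet addresses are constructed.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}  # IOS port keywords on this page

# Extended ACL lines copied from the post above (remarks omitted).
ACL_TEXT = """\
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp any eq bootps any eq bootpc log
"""

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.ip_address(tok.pop(0))), 0
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(tok.pop(0)))

def _port(tok):
    """Consume an optional 'eq PORT'; None means any port."""
    if tok[:1] != ["eq"]:
        return None
    name = tok[1]
    del tok[:2]
    return PORTS[name] if name in PORTS else int(name)

def parse(text):
    """Return {acl number: ordered rules}; standard ACLs (fewer tokens) are skipped."""
    acls = {}
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        rest = tok[4:]
        rule = (tok[2], tok[3], _addr(rest), _port(rest), _addr(rest), _port(rest))
        acls.setdefault(tok[1], []).append(rule)
    return acls

def _hit(spec, ip):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    base, wild = spec
    return (int(ipaddress.ip_address(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching rule wins; falling off the end is the implicit deny."""
    for action, p, s, sp, d, dp in acl:
        if (p in ("ip", proto) and _hit(s, src) and _hit(d, dst)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "implicit deny"

if __name__ == "__main__":
    acls = parse(ACL_TEXT)
    # Constructed packets: a DHCP offer, then the reply to an outbound HTTPS request.
    print(evaluate(acls["101"], "udp", "203.0.113.1", 67, "255.255.255.255", 68))
    print(evaluate(acls["101"], "tcp", "198.51.100.7", 443, "203.0.113.50", 51000))
```

Under those assumptions the DHCP offer is permitted, while the HTTPS reply matches no line in ACL 101 and is dropped by the implicit deny.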

Hi...

I use fixed IP Address on my LAN because I only have a few devices...

 

As far as the few things I did add I just don't know why they break everything...The config I had sent here was working fine when I had the 20mps/1mps service...then when I upgraded to the 100mbps/10mbps everything went nuts....thankfully you pointed me in the right direction...with the basic config file I got the speeds back...

But when I add just this part it all dies....

The Spectrum part allows "them" to do dhcp ports 67/68 but if I add it ...no good

The *** GigabitEthernet0/0 Scorpnet *** is for my internal network which also breaks it

access-list 100 remark *** GigabitEthernet0/0 SCORPNET ***
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark *******************************
access-list 101 remark *** GigabitEthernet0/1 SPECTRUM ***
access-list 101 remark --- SPECTRUM DHCP ---
access-list 101 permit udp any eq bootps any eq bootpc log

 

 

I have everything running again I get a consistent 118Mbps down and 12Mbps up !!!

Thanks a lot for the help
