Cisco 2901 throughput question

jkay18041
Level 3

Let me start out by saying I know this router can't do the theoretical limit of 3Gbps and that asking it to even do 500Mbps is asking a lot.

 

With that being said I currently have one and was upgraded to fiber Gb internet and it actually saved me money so I did it. I am currently getting about 285Mbps on the download and 300Mbps on the upload. I was hoping someone could look at my router config and suggest a few things to get me an extra 20 or 30 Mbps. I was at a 50Mbps connection so I'm already better than where I was but if I can get more might as well.

 


Current configuration : 6619 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router2901
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.154-3.M9.bin
boot-end-marker
!
!
no logging console
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name Home
ip cef
ipv6 unicast-routing
ipv6 dhcp pool Cox
prefix-delegation pool Cox-ipv6
dns-server 2001:4860:4860::8888
dns-server 2001:4860:4860::8844
!
ipv6 inspect name traffic ftp
ipv6 inspect name traffic udp
ipv6 inspect name traffic icmp
ipv6 cef
ipv6 cef accounting per-prefix
!
multilink bundle-name authenticated
!
!
!
!
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-296
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-29
revocation-check none
rsakeypair TP-self-signed-296
!
!
crypto pki certificate chain TP-self-signed-2
certificate self-signed 01
quit
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2901/K9 sn 
!
!
vtp domain HOME
vtp mode transparent
username admin privilege 15 password 7 
!
redundancy
!
!
!
!
no cdp run
!
!
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop
!
zone security Trusted
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect Trusted_to_Internet
!
!
!
!
!
buffers tune automatic
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address dhcp
ipv6 address autoconfig default
ipv6 enable
ipv6 nd autoconfig default-route
ipv6 dhcp client pd hint ::/60
ipv6 dhcp client pd Cox-ipv6
ipv6 verify unicast reverse-path
ipv6 inspect traffic out
ipv6 traffic-filter wan-in in
ipv6 traffic-filter wan-out out
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description LAN
encapsulation dot1Q 1 native
ip address 10.10.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 address Cox-ipv6 ::/64 eui-64
ipv6 address autoconfig
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server Cox
!
interface GigabitEthernet0/1.2
description Wireless
encapsulation dot1Q 2
ip address 192.168.2.254 255.255.255.0
ip access-group wifi_block in
ip access-group wifi_block out
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static udp 10.10.1.249 1194 interface GigabitEthernet0/0 1194
ip nat inside source static udp 10.10.1.249 1195 interface GigabitEthernet0/0 1195
ip nat inside source static tcp 10.10.1.249 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.10.1.249 22 interface GigabitEthernet0/0 1022
ip nat inside source static tcp 10.10.1.247 42365 interface GigabitEthernet0/0 42365
ip nat inside source static tcp 10.10.1.247 5500 interface GigabitEthernet0/0 5500
ip nat inside source static tcp 10.10.1.247 5501 interface GigabitEthernet0/0 5501
ip route 10.28.0.0 255.255.255.0 10.10.1.249
ip route 10.29.0.0 255.255.255.0 10.10.1.249
ip route 10.30.0.0 255.255.255.0 10.10.1.249
ip ssh time-out 70
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended NAT
deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip any any
ip access-list extended wifi_block
deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
!
ip sla 1
http get http://freedns.afraid.org/xxxxx
ip sla schedule 1 life forever start-time now
!
!
snmp-server community fast_stats RO 5
snmp-server host 10.10.1.249 version 2c fast_stats
access-list 5 permit 10.10.1.249
access-list 5 deny any
access-list 122 deny tcp any eq 22 any
access-list 122 permit tcp 10.0.0.0 0.255.255.255 any
!
!
!
ipv6 access-list wan-in
permit icmp any any
permit udp any any eq 546
permit tcp any any established
sequence 100 deny ipv6 any any
!
ipv6 access-list wan-out
permit icmp any any
permit tcp any any
permit udp any any
sequence 100 deny ipv6 any any
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
no vstack join-window mode auto
no vstack
!
line con 0
privilege level 15
password 7 
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 122 in
privilege level 15
password 7 
transport input ssh
!
scheduler allocate 20000 1000
!
end

 

 

Thank you!

9 Replies

e.ciollaro
Level 4

Hi

Could you post a CPU usage history?

 

In any case, you have many services active. The data sheet states that the 2901 with full services has a 75 Mbps throughput, and 77 Mbps if you use NAT + QoS + ACL (see attached file). Obviously the "real" maximum performance in your network depends on many things, but generally speaking I suggest you swap to a new 4000 series router.

 

Bye

Enrico

 

PS: please rate if useful

Hello,

 

I do not see a default route for IPv6, are you actually using IPv6? There is no default route for IP traffic either. The ZBF (zone based firewall) will definitely slow things down, do you need that at all?

I do use ipv6, it's dhcp from my isp. What would you recommend I change on the config for ipv6? Just remove the firewall rules?

Hello,

 

I took the ZBF stuff out, changed your NAT access list, and added a default route, check if that makes a difference:

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router2901
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.154-3.M9.bin
boot-end-marker
!
no logging console
!
aaa new-model
!
aaa session-id common
!
no ip bootp server
no ip domain lookup
ip domain name Home
ip cef
ipv6 unicast-routing
ipv6 dhcp pool Cox
prefix-delegation pool Cox-ipv6
dns-server 2001:4860:4860::8888
dns-server 2001:4860:4860::8844
!
ipv6 inspect name traffic ftp
ipv6 inspect name traffic udp
ipv6 inspect name traffic icmp
ipv6 cef
ipv6 cef accounting per-prefix
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-296
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-29
revocation-check none
rsakeypair TP-self-signed-296
!
crypto pki certificate chain TP-self-signed-2
certificate self-signed 01
quit
voice-card 0
!
license udi pid CISCO2901/K9 sn
!
vtp domain HOME
vtp mode transparent
username admin privilege 15 password 7
!
redundancy
!
no cdp run
!
buffers tune automatic
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address dhcp
ipv6 address autoconfig default
ipv6 enable
ipv6 nd autoconfig default-route
ipv6 dhcp client pd hint ::/60
ipv6 dhcp client pd Cox-ipv6
ipv6 verify unicast reverse-path
ipv6 inspect traffic out
ipv6 traffic-filter wan-in in
ipv6 traffic-filter wan-out out
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description LAN
encapsulation dot1Q 1 native
ip address 10.10.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 address Cox-ipv6 ::/64 eui-64
ipv6 address autoconfig
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server Cox
!
interface GigabitEthernet0/1.2
description Wireless
encapsulation dot1Q 2
ip address 192.168.2.254 255.255.255.0
ip access-group wifi_block in
ip access-group wifi_block out
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static udp 10.10.1.249 1194 interface GigabitEthernet0/0 1194
ip nat inside source static udp 10.10.1.249 1195 interface GigabitEthernet0/0 1195
ip nat inside source static tcp 10.10.1.249 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.10.1.249 22 interface GigabitEthernet0/0 1022
ip nat inside source static tcp 10.10.1.247 42365 interface GigabitEthernet0/0 42365
ip nat inside source static tcp 10.10.1.247 5500 interface GigabitEthernet0/0 5500
ip nat inside source static tcp 10.10.1.247 5501 interface GigabitEthernet0/0 5501
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip route 10.28.0.0 255.255.255.0 10.10.1.249
ip route 10.29.0.0 255.255.255.0 10.10.1.249
ip route 10.30.0.0 255.255.255.0 10.10.1.249
ip ssh time-out 70
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended NAT
deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wifi_block
deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
!
ip sla 1
http get http://freedns.afraid.org/xxxxx
ip sla schedule 1 life forever start-time now
!
!
snmp-server community fast_stats RO 5
snmp-server host 10.10.1.249 version 2c fast_stats
access-list 5 permit 10.10.1.249
access-list 5 deny any
access-list 122 deny tcp any eq 22 any
access-list 122 permit tcp 10.0.0.0 0.255.255.255 any
!
ipv6 access-list wan-in
permit icmp any any
permit udp any any eq 546
permit tcp any any established
sequence 100 deny ipv6 any any
!
ipv6 access-list wan-out
permit icmp any any
permit tcp any any
permit udp any any
sequence 100 deny ipv6 any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
shutdown
!
no vstack join-window mode auto
no vstack
!
line con 0
privilege level 15
password 7
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 122 in
privilege level 15
password 7
transport input ssh
!
scheduler allocate 20000 1000
!
end
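
An added example, not part of any post in this thread: before removing firewall configuration for throughput, it helps to list which filtering, inspection and NAT features are actually bound to each interface, and which ZBF zones have no `zone-member security` binding. The sample is a constructed excerpt of the first configuration posted above; the function names are hypothetical.

```python
import re

# Constructed sample: trimmed excerpt of the first configuration posted in the thread.
SAMPLE_CONFIG = """\
zone security Trusted
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
!
interface GigabitEthernet0/0
 description WAN
 ip nat outside
 ip virtual-reassembly in
 ipv6 verify unicast reverse-path
 ipv6 inspect traffic out
 ipv6 traffic-filter wan-in in
 ipv6 traffic-filter wan-out out
!
interface GigabitEthernet0/1.2
 description Wireless
 ip access-group wifi_block in
 ip access-group wifi_block out
 ip nat inside
 ip virtual-reassembly in
!
"""

# Interface-level commands that add per-packet work in the forwarding path.
FEATURES = [
    (re.compile(r"^ip nat (inside|outside)$"), "NAT {0}"),
    (re.compile(r"^ip access-group (\S+) (in|out)$"), "IPv4 ACL {0} {1}"),
    (re.compile(r"^ipv6 traffic-filter (\S+) (in|out)$"), "IPv6 ACL {0} {1}"),
    (re.compile(r"^ipv6? inspect (\S+) (in|out)$"), "CBAC inspect {0} {1}"),
    (re.compile(r"^zone-member security (\S+)$"), "ZBF zone {0}"),
    (re.compile(r"^ip virtual-reassembly\b"), "virtual reassembly"),
    (re.compile(r"^ipv6? verify unicast\b"), "uRPF"),
]

def interface_features(config):
    """Map each interface to the features bound to it, in config order."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # works on indented and on flattened (pasted) configs
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = []
        elif line == "!" or not line:
            current = None  # "!" closes the interface section
        elif current:
            for pattern, label in FEATURES:
                match = pattern.match(line)
                if match:
                    result[current].append(label.format(*match.groups()))
                    break
    return result

def unbound_zones(config):
    """Zones that are defined but have no interface placed in them."""
    defined = set(re.findall(r"^[ \t]*zone security (\S+)[ \t]*$", config, re.M))
    bound = set(re.findall(r"^[ \t]*zone-member security (\S+)[ \t]*$", config, re.M))
    return sorted(defined - bound)

if __name__ == "__main__":
    for name, feats in interface_features(SAMPLE_CONFIG).items():
        print(name, "->", ", ".join(feats))
    print("zones with no member interface:", unbound_zones(SAMPLE_CONFIG))
```

A zone-pair policy only applies to traffic between interfaces that are members of its zones, so a zone reported here is not filtering anything.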

Thank you! I will give that a try later today and see how it goes.

Much appreciated!

Made the changes, didn't really seem to make much difference. To be honest it might have made it go slower? Not sure as I tested it and was getting around 280Mbps then after getting around 250Mbps but could be my isp or other factor.

 

Here is my current config after I made the changes.

 


Current configuration : 6394 bytes
!
! Last configuration change at 17:17:16 UTC Sat May 19 2018 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router2901
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.154-3.M9.bin
boot-end-marker
!
!
no logging console
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name Home
ip cef
ipv6 unicast-routing
ipv6 dhcp pool Cox
prefix-delegation pool Cox-ipv6
dns-server 2001:4860:4860::8888
dns-server 2001:4860:4860::8844
!
ipv6 inspect name traffic ftp
ipv6 inspect name traffic udp
ipv6 inspect name traffic icmp
ipv6 cef
ipv6 cef accounting per-prefix
!
multilink bundle-name authenticated
!
!
!
!
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed-
certificate self-signed 01

quit
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2901/K9 sn 
!
!
vtp domain HOME
vtp mode transparent
username admin privilege 15 password 7 
!
redundancy
!
!
!
!
no cdp run
!
!
!
!
!
!
buffers tune automatic
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address dhcp
ipv6 address autoconfig default
ipv6 enable
ipv6 nd autoconfig default-route
ipv6 dhcp client pd hint ::/60
ipv6 dhcp client pd Cox-ipv6
ipv6 verify unicast reverse-path
ipv6 inspect traffic out
ipv6 traffic-filter wan-in in
ipv6 traffic-filter wan-out out
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description LAN
encapsulation dot1Q 1 native
ip address 10.10.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
ipv6 address Cox-ipv6 ::/64 eui-64
ipv6 address autoconfig
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server Cox
!
interface GigabitEthernet0/1.2
description Wireless
encapsulation dot1Q 2
ip address 192.168.2.254 255.255.255.0
ip access-group wifi_block in
ip access-group wifi_block out
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static udp 10.10.1.249 1194 interface GigabitEthernet0/0 1194
ip nat inside source static udp 10.10.1.249 1195 interface GigabitEthernet0/0 1195
ip nat inside source static tcp 10.10.1.249 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.10.1.249 22 interface GigabitEthernet0/0 1022
ip nat inside source static tcp 10.10.1.247 42365 interface GigabitEthernet0/0 42365
ip nat inside source static tcp 10.10.1.247 5500 interface GigabitEthernet0/0 5500
ip nat inside source static tcp 10.10.1.247 5501 interface GigabitEthernet0/0 5501
ip route 10.28.0.0 255.255.255.0 10.10.1.249
ip route 10.29.0.0 255.255.255.0 10.10.1.249
ip route 10.30.0.0 255.255.255.0 10.10.1.249
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip ssh time-out 70
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended NAT
deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 10.10.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wifi_block
deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
!
ip sla 1
http get http://freedns.afraid.org/dynamic/update
!
!
snmp-server community fast_stats RO 5
snmp-server host 10.10.1.249 version 2c fast_stats
access-list 5 permit 10.10.1.249
access-list 5 deny any
access-list 122 deny tcp any eq 22 any
access-list 122 permit tcp 10.0.0.0 0.255.255.255 any
!
!
!
ipv6 access-list wan-in
permit icmp any any
permit udp any any eq 546
permit tcp any any established
sequence 100 deny ipv6 any any
!
ipv6 access-list wan-out
permit icmp any any
permit tcp any any
permit udp any any
sequence 100 deny ipv6 any any
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
no vstack join-window mode auto
no vstack
!
line con 0
privilege level 15
password 7 
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 122 in
privilege level 15
password 7 
transport input ssh
!
scheduler allocate 20000 1000
!
end

Hello,

 

by all means, if it is slower now, put the 'old' config back in there...

 

Can you post the output of 'show interface gigabitethernet0/0'?

 

I think it was just my ISP as I ran another speed test and got roughly the same speeds as before.

 

Here is the output

 

Description: WAN
Internet address is x.x.x.x/23
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 6908000 bits/sec, 780 packets/sec
5 minute output rate 7667000 bits/sec, 956 packets/sec
3354307 packets input, 3815028127 bytes, 0 no buffer
Received 3958 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 20 multicast, 0 pause input
3910459 packets output, 3871526644 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
3280 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 3886551 pause output
0 output buffer failures, 0 output buffers swapped out

Hello,

 

the '3886551 pause output' could mean that the interface buffers are filling up...

 

Either way, try and change the access list used for NAT. A standard access list uses less CPU than an extended one, and the extended one is not needed:

 

ip nat inside source list 1 interface GigabitEthernet0/0 overload

!

access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
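
An added example, not part of any post in this thread: a Python parser that pulls the counters out of `show interface` output and reports pause frames relative to packets, plus any non-zero error or drop counters. The sample lines are copied from the output posted above; the 1% threshold and the function names are assumptions made for this example, not Cisco values.

```python
import re

# Constructed sample: lines taken from the "show interface" output posted in the thread.
SAMPLE_OUTPUT = """\
Full Duplex, 1Gbps, media type is RJ45
output flow-control is XON, input flow-control is XON
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
3354307 packets input, 3815028127 bytes, 0 no buffer
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 20 multicast, 0 pause input
3910459 packets output, 3871526644 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 lost carrier, 0 no carrier, 3886551 pause output
"""

COUNTER_PATTERNS = {
    "packets_input": r"(\d+) packets input",
    "packets_output": r"(\d+) packets output",
    "input_errors": r"(\d+) input errors",
    "overrun": r"(\d+) overrun",
    "throttles": r"(\d+) throttles",
    "input_queue_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
    "output_drops": r"Total output drops: (\d+)",
    "pause_input": r"(\d+) pause input",
    "pause_output": r"(\d+) pause output",
}

PAUSE_RATIO_THRESHOLD = 0.01  # assumed cut-off for this example only

def parse_counters(text):
    """Return the counters found in the output as integers."""
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            counters[name] = int(match.group(1))
    return counters

def pause_ratio(counters, direction):
    """Pause frames per packet in one direction (a rough normalisation)."""
    packets = counters.get("packets_" + direction, 0)
    pauses = counters.get("pause_" + direction, 0)
    return pauses / packets if packets else 0.0

def findings(counters):
    """List the counters worth a closer look."""
    notes = []
    for direction in ("input", "output"):
        ratio = pause_ratio(counters, direction)
        if ratio > PAUSE_RATIO_THRESHOLD:
            notes.append(f"pause {direction}: {ratio:.1%} of packets {direction}")
    for name in ("input_errors", "overrun", "throttles",
                 "input_queue_drops", "output_drops"):
        if counters.get(name, 0) > 0:
            notes.append(f"{name} = {counters[name]}")
    return notes

if __name__ == "__main__":
    for note in findings(parse_counters(SAMPLE_OUTPUT)):
        print(note)
```

Counters here have never been cleared, so comparing two snapshots taken during a speed test gives a better picture than the lifetime totals.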

 
