Cisco router: net bandwidth decrease

an_ho
Level 1

Hi everyone,

I finally have managed to set up my Cisco C1111X-8P router for production use (thanks to everyone involved!). However, when I perform a speed test (www.speedtest.net) on my 1Gbit/s line, I can only manage to get around 500-600 Mbit/s. The ISP says the line is fine and my old router (Ubiquiti) easily managed to get ahold of 940Mbit/s. During the speedtest, the QFP processing load goes up to 20%, so I do think the hardware should be able to handle that.

I will post my running-config below, maybe there is something there that is misconfigured (the whole DSCP stuff was added by the WebGUI, maybe remove that?)

Thanks!

version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 1 0
!
!
!
!
ip nbar http-services
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
!
!
login on-success log
!

!
!
subscriber templating
!
multilink bundle-name authenticated
!

!
!
no license feature hseck9
license udi pid C1111X-8P sn XXXXXX
license boot level securityk9
license smart transport callhome
memory free low-watermark processor 73242
!
!
!
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-DSCP
match dscp af41
class-map match-all WEBUI-BROADCAST_VIDEO-NBAR
match protocol attribute traffic-class broadcast-video
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-NBAR
match protocol attribute traffic-class voip-telephony
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-BULK_DATA-NBAR
match protocol attribute traffic-class bulk-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-NBAR
match protocol attribute traffic-class signaling
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_CONTROL-DSCP
match dscp cs6
class-map match-all WEBUI-SCAVENGER-NBAR
match protocol attribute business-relevance business-irrelevant
class-map match-all WEBUI-SCAVENGER-DSCP
match dscp cs1
class-map match-all WEBUI-NETWORK_CONTROL-NBAR
match protocol attribute traffic-class network-control
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-DSCP
match dscp cs3
class-map match-all WEBUI-BULK_DATA-DSCP
match dscp af11
class-map match-all WEBUI-BROADCAST_VIDEO-DSCP
match dscp cs5
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-NBAR
match protocol attribute traffic-class multimedia-conferencing
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-DSCP
match dscp ef
class-map type inspect match-any DHCP_app
match protocol udp
match protocol bootpc
class-map type inspect match-any Allow_DHCP_app
match protocol udp
class-map match-all WEBUI-NETWORK_MANAGEMENT-NBAR
match protocol attribute traffic-class ops-admin-mgmt
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-MULTIMEDIA_STREAMING-DSCP
match dscp af31
class-map match-all WEBUI-REALTIME_INTERACTIVE-NBAR
match protocol attribute traffic-class real-time-interactive
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-TRANSACTIONAL_DATA-DSCP
match dscp af21
class-map match-all WEBUI-REALTIME_INTERACTIVE-DSCP
match dscp cs4
class-map type inspect match-any IN-TO-OUT
match access-group name IN-TO-OUT_acl
match protocol http
match protocol ftp
match protocol icmp
match protocol https
match protocol dns
match protocol smtp
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all INSIDE_TO_OUTSIDE
match access-group name INSIDE_TO_OUTSIDE_acl
class-map match-all WEBUI-TRANSACTIONAL_DATA-NBAR
match protocol attribute traffic-class transactional-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_MANAGEMENT-DSCP
match dscp cs2
class-map match-all WEBUI-MULTIMEDIA_STREAMING-NBAR
match protocol attribute traffic-class multimedia-streaming
match protocol attribute business-relevance business-relevant
class-map match-any DHCP_nbar_app
match protocol dhcp
class-map match-any Allow_DHCP_nbar_app
match protocol dhcp
class-map type inspect match-all Allow_DHCP
match class-map Allow_DHCP_app
match access-group name Allow_DHCP_acl
class-map type inspect match-all DHCP
match class-map DHCP_app
match access-group name DHCP_acl
!
policy-map WEBUI-MARKING-IN
class WEBUI-VOICE-NBAR
set dscp ef
class WEBUI-BROADCAST_VIDEO-NBAR
set dscp cs5
class WEBUI-REALTIME_INTERACTIVE-NBAR
set dscp cs4
class WEBUI-MULTIMEDIA_CONFERENCING-NBAR
set dscp af41
class WEBUI-MULTIMEDIA_STREAMING-NBAR
set dscp af31
class WEBUI-SIGNALING-NBAR
set dscp cs3
class WEBUI-NETWORK_CONTROL-NBAR
set dscp cs6
class WEBUI-NETWORK_MANAGEMENT-NBAR
set dscp cs2
class WEBUI-TRANSACTIONAL_DATA-NBAR
set dscp af21
class WEBUI-BULK_DATA-NBAR
set dscp af11
class WEBUI-SCAVENGER-NBAR
set dscp cs1
class class-default
set dscp default
policy-map type inspect avc Allow_DHCP_app_policy
class Allow_DHCP_nbar_app
allow
class class-default
allow
policy-map type inspect avc DHCP_app_policy
class DHCP_nbar_app
allow
class class-default
allow
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect DHCP
inspect
service-policy avc DHCP_app_policy
class class-default
drop log
policy-map WEBUI-QUEUING-OUT
class WEBUI-VOICE-DSCP
priority percent 10
class WEBUI-BROADCAST_VIDEO-DSCP
priority percent 10
class WEBUI-REALTIME_INTERACTIVE-DSCP
priority percent 13
class WEBUI-NETWORK_CONTROL-DSCP
bandwidth percent 2
class WEBUI-SIGNALING-DSCP
bandwidth percent 2
class WEBUI-NETWORK_MANAGEMENT-DSCP
bandwidth percent 3
class WEBUI-MULTIMEDIA_CONFERENCING-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-MULTIMEDIA_STREAMING-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-TRANSACTIONAL_DATA-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-BULK_DATA-DSCP
bandwidth percent 4
fair-queue
random-detect dscp-based
class WEBUI-SCAVENGER-DSCP
bandwidth percent 1
class class-default
bandwidth percent 25
fair-queue
random-detect dscp-based
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect INSIDE_TO_OUTSIDE
inspect
class class-default
drop log
policy-map type inspect SELF-OUTSIDE-POLICY
class type inspect Allow_DHCP
inspect
service-policy avc Allow_DHCP_app_policy
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
service-policy type inspect SELF-OUTSIDE-POLICY
!
!
!
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FXXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list extended Allow_DHCP_acl
10 permit ip any any
ip access-list extended DHCP_acl
10 permit ip any any
ip access-list extended IN-TO-OUT_acl
10 permit ip any any
ip access-list extended INSIDE_TO_OUTSIDE_acl
10 permit ip any any
!
ip access-list standard 1
11 permit 192.168.1.0 0.0.0.255
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!

6 Replies

balaji.bandi
Hall of Fame

Try fast.com. Do you have any performance license on this router?

I would suggest testing a plain vanilla config rather than more QoS config.

Here is a Cisco post with some testing:

image.png

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks! I have removed all the DSCP stuff (see running-config below) and now I get around 750 Mbit/s at some servers, fast.com only gives me 680 Mbit/s. I have an IP Base and SEC license installed, no high performance.
Could maybe the layer 7 firewalling cause the problem? Essentially, I only want all clients (NAT) to be able to access the internet (and allow all responses back in), deny all unsolicited traffic on the WAN interface with the exception of DHCP (since that is the way I get my routable IP). Is it possible to tweak this?
Thanks for your help!

version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.05.01a.SPA.bin
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 1 0
!
!
!
!
ip nbar http-services
!
!
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any DHCP_app
match protocol udp
match protocol bootpc
class-map type inspect match-any Allow_DHCP_app
match protocol udp
class-map type inspect match-all INSIDE_TO_OUTSIDE
match access-group name INSIDE_TO_OUTSIDE_acl
class-map match-any DHCP_nbar_app
match protocol dhcp
class-map match-any Allow_DHCP_nbar_app
match protocol dhcp
class-map type inspect match-all Allow_DHCP
match class-map Allow_DHCP_app
match access-group name Allow_DHCP_acl
class-map type inspect match-all DHCP
match class-map DHCP_app
match access-group name DHCP_acl
!
policy-map type inspect avc Allow_DHCP_app_policy
class Allow_DHCP_nbar_app
allow
class class-default
allow
policy-map type inspect avc DHCP_app_policy
class DHCP_nbar_app
allow
class class-default
allow
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect DHCP
inspect
service-policy avc DHCP_app_policy
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect INSIDE_TO_OUTSIDE
inspect
class class-default
drop log
policy-map type inspect SELF-OUTSIDE-POLICY
class type inspect Allow_DHCP
inspect
service-policy avc Allow_DHCP_app_policy
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
service-policy type inspect SELF-OUTSIDE-POLICY
!
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii XXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
[...]
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list extended Allow_DHCP_acl
10 permit ip any any
ip access-list extended DHCP_acl
10 permit ip any any
ip access-list extended IN-TO-OUT_acl
10 permit ip any any
ip access-list extended INSIDE_TO_OUTSIDE_acl
10 permit ip any any
!
ip access-list standard 1
11 permit 192.168.1.0 0.0.0.255
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
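What `OUTSIDE-SELF-POLICY` in the config above admits, as an added example that is not part of the original thread: `DHCP_app` is match-any over `udp` and `bootpc`, and `DHCP_acl` is `permit ip any any`, so the one inspected class covers every UDP port towards the router, not DHCP alone. The helper names (`sections`, `broad`, `audit`) are hypothetical and the match-any/match-all evaluation is a simplified model of class-map semantics.

```python
import re
# Constructed input: lines copied from the posted running-config (flattened, as on the page).
CONFIG = """class-map type inspect match-any DHCP_app
match protocol udp
match protocol bootpc
class-map type inspect match-all DHCP
match class-map DHCP_app
match access-group name DHCP_acl
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect DHCP
inspect
ip access-list extended DHCP_acl
10 permit ip any any"""
TOP = r"class-map|policy-map|zone-pair|ip access-list|interface|!"

def sections(cfg, header):
    """name -> (header line, body lines); a body runs until the next top-level keyword."""
    out = {}
    for block in filter(str.strip, re.split(rf"\n(?={TOP})", cfg)):
        head, *body = map(str.strip, block.splitlines())
        if m := re.match(header, head):
            out[m[1]] = (head, body)
    return out

def broad(name, cmaps, acls):
    """Transports (tcp/udp) a class admits on every port; ACL deny lines are ignored."""
    header, body = cmaps[name]
    parts = []
    for kind, _, arg in (l.removeprefix("match ").rpartition(" ") for l in body):
        if kind == "protocol":            # only bare tcp/udp count as "every port"
            parts.append({arg} & {"tcp", "udp"})
        elif kind == "class-map":         # nested class-map: evaluate recursively
            parts.append(broad(arg, cmaps, acls))
        elif kind == "access-group name":
            acl = "\n".join(acls.get(arg, ("", []))[1])
            hits = set(re.findall(r"permit (ip|tcp|udp) any any$", acl, re.M))
            parts.append({"tcp", "udp"} if "ip" in hits else hits)
    op = set.union if header.split()[3] == "match-any" else set.intersection
    return op(*parts) if parts else set()

def audit(cfg):
    """inspect policy-map -> transports its inspect/pass classes admit on every port."""
    cmaps = sections(cfg, r"class-map type inspect match-\w+ (\S+)")
    acls = sections(cfg, r"ip access-list extended (\S+)")
    report = {}
    for pmap, (_, body) in sections(cfg, r"policy-map type inspect (?!avc )(\S+)").items():
        classes = [a.split()[-1] for a, b in zip(body, body[1:])
                   if a.startswith("class type inspect") and b in ("inspect", "pass")]
        report[pmap] = sorted(set().union(*(broad(c, cmaps, acls) for c in classes)))
    return report
```

`audit(CONFIG)` reports `udp` for `OUTSIDE-SELF-POLICY`, which matters here because the same config enables `ip dns server` on the router. Dropping `match protocol udp` from `DHCP_app` makes the reported list empty.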

Sure, try torrents and see if you get more bandwidth.

BB


Hello

Throughput restrictions are usually down to licensing:

show platform hardware throughput level

show platform hardware throughput-monitor parameters


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks! Well, I can't deactivate ZBF right now (as it is in production mode), but to be honest, a router like that should have no problem with both ZBF and routing for a 1Gbit/s line. The output of the commands is below:
#show platform hardware throughput-monitor parameters
Throughput monitor parameters
Throughput monitor threshold: 95 percent
Throughput monitor interval: 300 seconds
Throughput monitor status: enabled
#show platform hardware throughput level
The current throughput level is unthrottled

Hello,

The ZBF definitely impacts the throughput. What do you get when you disable it?


--> no zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
--> no zone-pair security SELF-OUTSIDE source self destination OUTSIDE
service-policy type inspect SELF-OUTSIDE-POLICY

interface GigabitEthernet0/0/0
ip dhcp client client-id ascii XXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
--> no zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/1/0
--> no zone-member security INSIDE
!
[...]
!
interface GigabitEthernet0/1/7
--> no zone-member security INSIDE
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
--> no zone-member security INSIDE