
How To disable 2901 Router Cisco Traffic Inspection to increase download Speed

lucianparvu
Level 1

Hello,

 

Recently we have updated our internet and:

- if I connect the laptop / server directly to the internet provider I get download & upload speed: 800 - 1000 MB/s,

- if I connect the laptop / server to the Cisco 2901 router I get maximum download speed: 80 MB/s and max upload: 140 MB/s

 

I know that the router has some limitations because it is an OLD router and there are some recommendations for encrypted traffic and inspection, but I don't need encrypted or inspected traffic and I need to disable the firewall inspection from Cisco Configuration Professional. By the way, I have an old version of Cisco Configuration Professional.

Right now I have used the Create Firewall Basic option and I get the following firewall configuration: Firewall.JPG

 

In my opinion the problem should be in:

 

- self to out zone any, any, service: icmp, tcp, udp , INSPECT

- in zone to out zone : any, any, http: INSPECT   or   any any ccp-cls-insp-traffic INSPECT

 

I have tried to edit the rules above and change them from INSPECT to ALLOW, but the internet is not working.

How can I disable it through Cisco Configuration Professional? I am not sure I can operate in another mode through the Editor.

 

Thanks

7 Replies

Hello,

 

Even with the most basic configuration you will not come close to 800 - 1000 MB speeds. That said, do you have access to the command line? If so, post the running configuration (sh run) of the router. The ZBF slows things down for sure, and there might be other things in there that you don't need.

Hi,

 

Thanks for your answer.

 

Please find attached the running configuration.

 

What I need in this router is just:

- Authentication to the router (already there)

- DHCP (already there)

- 3 DHCP address pools (already there)

- interface GigabitEthernet0/0 (already there)

- interface GigabitEthernet0/1 (already there) (you will find the IP hidden)

+ configuration to match internet access: http, https, email, video, messaging, etc. I don't know if this happens automatically if you exclude Inspect, or if I must define other matches ... but I don't want restrictions

 

I don't need anything from:

- signatures from IPS - Intrusion Prevention, but I think they are expired, I don't need that (we used it 4 years ago when we had some public servers)

- Inspect Traffic

- Logs

- Anything else that can decrease speed.

 

Now, we are a team of 15 members and we just need access to the internet at the maximum possible speed with this router.

Thanks

Hello,

 

Below is a basic, stripped-down version that will get your clients connected to the Internet with no restrictions. Check if that (significantly) improves your upload and download speeds...

 

version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname hostirtr
!
boot-start-marker
boot system flash0:/c2900-universalk9-mz.SPA.152-4.M4.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret 5 $1$..aB$64ySefOmiLkhD3ts35G7o/
enable password 7 11081D081E1C5A
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no process cpu extended history
no process cpu autoprofile hog
clock timezone Romania 2 0
clock summer-time Romania date Mar 30 2003 3:00 Oct 26 2003 4:00
!
no ip source-route
ip cef
!
ip dhcp excluded-address 192.168.1.101 192.168.1.254
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 193.231.252.1 213.154.124.1
default-router 192.168.1.1
!
ip dhcp pool Hosti01
host 192.168.1.2 255.255.255.0
client-identifier 01d4.ae52.8889.3f
!
ip dhcp pool work1
host 192.168.1.4 255.255.255.0
client-identifier 01b8.ac6f.9907.df
!
ip dhcp pool ext1
host 192.168.1.5 255.255.255.0
client-identifier 0100.2219.d50c.c6
!
!
!
no ip bootp server
ip name-server 193.231.252.1
ip name-server 213.154.124.1
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1599122921
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1599122921
revocation-check none
rsakeypair TP-self-signed-1599122921
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki certificate chain TP-self-signed-1599122921
certificate self-signed 01
30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353939 31323239 3231301E 170D3133 30393032 31353536
35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35393931
32323932 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A20F B60C84AE 93EA56D8 B2AA3E26 491B4640 BBA28A73 3C086797 41C09E6D
2C7FFC05 7FBEA959 CD6139C9 9DE34AF1 6B6F3CAF EC4C8681 9356089E A6A16BCD
52C2967A 69441691 6C91963A 944508EC 783FD7D4 C31C45DB 8A9EA37B 57DC513A
6275B24D 1C9F2B31 DFA441D4 E37A3429 6ED1B022 C70DD609 4A15B93C 03038927
1A9D0203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
551D1104 11300F82 0D686F73 74696D70 65726172 7472301F 0603551D 23041830
16801481 81C95CB2 1ABF7800 6FA5040A 63DA2DC9 8EDE6130 1D060355 1D0E0416
04148181 C95CB21A BF78006F A5040A63 DA2DC98E DE61300D 06092A86 4886F70D
01010405 00038181 007D1A5A 0400EC2F 19DC03BA 7EE3226F 44195F8A 9F89ED84
EC5E1107 5D1BC74B C26665A2 B5C87E4F 75CCD956 23F9958F 32A5C197 C4381EE1
7D4CCAD2 6BC29DE3 E0923B3E AFA6B13F 285748F3 CF45341A E0BF5A7D 9C996751
BBAB6D1A 2D97EB55 9898EDE0 49664A57 D1C39D25 680ECE3C 439D8BB0 6101F88F
66DE9A5F 9EB86462 6C
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO2901/K9 sn FCZ1636924X
license boot module c2900 technology-package securityk9
!
username admin1 privilege 15 secret 5 $1$916P$jMPLb.ZRmI5IjTzHJ8eRu0
username admin2 privilege 15 secret 5 $1$0gtW$M.l9fsMNqlj45Ikd39A2E0
username admin privilege 15 secret 5 $1$ZwXz$iYEljk7qZ0lGahdp9lsBq.
!
redundancy
notification-timer 60000
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
ip tcp synwait-time 10
no ip ftp passive
!
csdb tcp synwait-time 100
csdb tcp finwait-time 50
csdb tcp reassembly max-memory 16384
csdb tcp reassembly max-queue-length 128
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address 5.2.hhh.hhh 255.255.248.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 5.2.192.1
!
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAccess Denied ! ^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 104D000A0618
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
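
The stripped-down configuration above removes the zone-based firewall while GigabitEthernet0/1 keeps a public address, telnet on the vty lines and `ip http server`. The following is an added example (not part of the thread and not a Cisco tool) that checks a flat, `!`-delimited running-config like the one posted for that management-plane exposure; the check names and the sample excerpt are constructed for illustration.

```python
import re

# Constructed excerpt: lines reused from the configuration posted above,
# with the secrets replaced by placeholders.
SAMPLE = """\
enable password 7 <placeholder>
!
interface GigabitEthernet0/1
ip nat outside
!
ip http server
!
line vty 0 4
password 7 <placeholder>
transport input telnet ssh
!
"""

def audit(config):
    """Return sorted (check, context) pairs for management-plane exposure."""
    findings, sections, current = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):          # assumption: '!' closes a section (flat layout)
            current = None
        elif re.match(r"(interface|line) ", line):
            current = (line, [])
            sections.append(current)
        elif current:
            current[1].append(line)
        if re.match(r"(enable )?password 7 ", line):   # type 7 is reversible obfuscation
            findings.add(("TYPE7_PASSWORD", current[0] if current else "global"))
        if line == "ip http server":                   # cleartext web management
            findings.add(("HTTP_CLEARTEXT_MGMT", "global"))
    for header, body in sections:
        if header.startswith("line vty"):
            if any(re.match(r"transport input .*\b(telnet|all)\b", l) for l in body):
                findings.add(("VTY_TELNET", header))
            if not any(l.startswith("access-class ") for l in body):
                findings.add(("VTY_NO_ACCESS_CLASS", header))
        elif "ip nat outside" in body:                 # WAN-facing interface
            filtered = any(re.match(r"ip access-group \S+ in$", l) or
                           l.startswith("zone-member security ") for l in body)
            if not filtered:
                findings.add(("OUTSIDE_NO_INBOUND_FILTER", header))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result means the outside interface has an inbound ACL or zone membership, vty access is SSH-only behind an `access-class`, and no type 7 passwords or cleartext HTTP management remain.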

Hi,

 

Thanks

 

With your configuration I now have:

- Upload and download: 300 MB/s for devices directly connected to a gigabit Cisco switch.

- Upload and download: 240 MB/s for wireless devices connected to a Cisco WAP

 

 

Thanks

 

Hello,

 

I am afraid that is the maximum you can get out of this router. The speeds listed are a lot lower actually, so you are hitting the higher limit...

What new router must we choose to get the maximum 1 GB using, for example, your configuration in a network with 15 members?

We are a software company, we access the Cloud a lot for databases, etc.

Thanks
