cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3051
Views
0
Helpful
8
Replies

Testing Throughput to find bottleneck

dan hale
Level 3
Level 3

Hi All, I have a new 100Mbps internet circuit and I'm getting no where near the speeds expected. I know that the 2911 is not rated for 100Mpbs but the 5510 is. Is there an easy way to find out where my bottle neck is?

I thought about setting up a Jperf on each segment and push traffic through to see where the bottle neck is:

ISP-----> Cisco 2911 (running firewall and L2L VPN services) -------Cisco ASA 5510 --------> Cisco 2921 Core router -----> Stack of Cisco 3560 layer 2 Switches

Thanks,

Dan

8 Replies 8

Hello,

IPSec throughput for the 2911 is 170Mbps, so under normal circumstances that shouldn't be a problem. MTU settings can have an impact...can you post the config of the 2911 ?

Attached is the sanitized config. The throughput for the 2911 I was looking thru the below two documents:

https://supportforums.cisco.com/sites/default/files/legacy/2/5/7/111752-routerperformance.pdf

https://supportforums.cisco.com/sites/default/files/legacy/3/7/7/111773-white_paper_c11_595485.pdf

The first shows that the 2911 can do 180 Mbps but, I'm assuming that is not under any load such as QOS, VPN, and Firewall services running.

The second document says that 33Mbps is expected. I'm assuming that is a total of 66Mbps since its half on each interface?

Thanks,

Dan

Hello,

try to add the mtu and tcp values (in bold) to your interface.

interface GigabitEthernet0/2
ip address xxxxxxxxxxxxxxx
ip access-group 105 in
ip nat outside
ip mtu 1400
tcp adjust-mss 1360
ip virtual-reassembly in
duplex auto

Should this be on the outside interface facing the ISP or inside interface facing the LAN?

Thanks,

Dan

Hello,

apply it on the outside interface, the one where the crypto map is applied to:

interface GigabitEthernet0/2
ip address xxxxxxxxxxxxxxx
ip access-group 105 in
ip nat outside
ip virtual-reassembly in
ip mtu 1400
tcp adjust-mss 1360
duplex auto
speed auto
crypto map VPNXAuth

I'm unfamiliar with this kind of crypto setup, but normally the settings Georg is suggesting would be applied on a VPN tunnel, not the outside physical interface.

I can certainly add this but, this interface is not my default route interface...that would be interface Gig0/1

Gig 0/2 is a secondary internet interface being used by the L2L VPN.

Thanks,

Dan

The first shows that the 2911 can do 180 Mbps but, I'm assuming that is not under any load such as QOS, VPN, and Firewall services running.

Correct, but without anything beyond the most basic packet forwarding, however it's also for minimal size packets.

The second document says that 33Mbps is expected. I'm assuming that is a total of 66Mbps since its half on each interface?

Almost.  It means the router can handle up to 70 Mbps of traffic forwarding, with multiple services enabled, with typical packets sizes and with a CPU cushion of 25%.

BTW, if you Internet circuit is 100 Mbps, duplex, the second document would recommend a 3925 (or a small 4K ISR would do).