
Help with optimizing network

thasak
Level 1

I'm struggling to achieve the desired network throughput in my network. Something is limiting it to 100 Mbps and I have no idea what can cause such behaviour. All devices and NICs run at full duplex, 1000 Mbps.

Scenario: I want to transfer a large file from the NAS (VLAN 50) to PC1 (VLAN 10); the max transfer rate is 13 MB/s. However, when I transfer a file from the NAS to PC2, the transfer jumps to roughly 70 MB/s.

I read that inter-VLAN routing can help to bypass the router in router-on-a-stick configurations, but I'm not sure how to implement it in my network, as the connection between the switch and the server is set as a trunk.

Please find the uploaded topology. Any help will be appreciated.

Router#sh interfaces gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 80e0.1d29.87e0 (bia 80e0.1d29.87e0)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  1., loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 50/75/11/18 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 3000 bits/sec, 4 packets/sec
  5 minute output rate 29000 bits/sec, 2 packets/sec
     96360153 packets input, 3553073172 bytes, 0 no buffer
     Received 105823 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 4 throttles
     3977 input errors, 0 CRC, 0 frame, 3977 overrun, 0 ignored
     0 watchdog, 7784 multicast, 0 pause input
     107607202 packets output, 238547386 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     7794 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
version 15.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.0.0.29
!
ip dhcp pool wifi
 network 10.0.0.24 255.255.255.248
 default-router 10.0.0.30
 dns-server 8.8.8.8
!
ip dhcp pool wifiguest
 network 10.0.0.32 255.255.255.248
 default-router 10.0.0.38
 dns-server 8.8.8.8
!
!
!
ip domain name z.local
ip cef
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
password encryption aes
cts logging verbose
!
!
license udi pid CISCO1941/K9
license accept end user agreement
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
username z privilege 15 secret 5 z
!
redundancy
!
!
!
!
no cdp run
!
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-http-1
 match access-group name dmz-traffic
 match protocol http
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
 match protocol https
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-nat-https-1
 match access-group name dmz-traffic
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
!
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone security dmz-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group z
 key z
 domain z
 pool SDM_POOL_1
 max-users 3
 netmask 255.255.255.248
 banner z
crypto isakmp profile ciscocp-ike-profile-1
   match identity group z
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set z esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set z
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface Loopback1
 ip address 10.0.0.70 255.255.255.248
!
interface Loopback3
 no ip address
 ipv6 address 1010::1/128
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description LAN$FW_INSIDE$
 encapsulation dot1Q 10
 ip address 10.0.0.14 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/0.20
 description LAN2$FW_INSIDE$
 encapsulation dot1Q 20
 ip address 10.0.0.22 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/0.30
 description WIFI$FW_INSIDE$
 encapsulation dot1Q 30
 ip address 10.0.0.30 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/0.40
 description WIFIGUEST$FW_INSIDE$
 encapsulation dot1Q 40
 ip address 10.0.0.38 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/0.50
 description NAS$FW_INSIDE$
 encapsulation dot1Q 50
 ip address 10.0.0.46 255.255.255.248
 zone-member security in-zone
!
interface GigabitEthernet0/0.60
 description DMZ$FW_DMZ$
 encapsulation dot1Q 60
 ip address 10.0.0.54 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz-zone
!
interface GigabitEthernet0/1
 description WAN$FW_OUTSIDE$
 mac-address 1cbd.b930.4a99
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.0.0.57 10.0.0.60
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip flow-export version 9
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.0.49 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 10.0.0.49 443 interface GigabitEthernet0/1 443
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended dmz-traffic
 remark CCP_ACL Category=1
 permit ip any host 10.0.0.49
!
logging host 192.168.1.10
!
!
access-list 1 permit 10.0.0.0 0.0.0.15
access-list 2 permit 10.0.0.16 0.0.0.7
access-list 3 permit 10.0.0.24 0.0.0.7
access-list 4 permit 10.0.0.32 0.0.0.7
access-list 6 permit 10.0.0.48 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.0.0.48 0.0.0.7 any
!
!
SW1#sh run
config-file-header
SW1
v1.4.8.6 / R800_NIK_1_4_202_008
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e44300
!
vlan database
vlan 10,20,30,40,50,60
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
bonjour interface range vlan 1
hostname SW1
username z password encrypted z privilege 15
ip ssh server
line ssh
no history
exit
!
interface vlan 10
 name static
 ip address 10.0.0.13 255.255.255.240
!
interface vlan 20
 name static-other
!
interface vlan 30
 name wifi
!
interface vlan 40
 name wifi-guest
!
interface vlan 50
 name NAS
 ip address 10.0.0.45 255.255.255.248
!
interface vlan 60
 name DMZ
!
interface gigabitethernet1
 switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet4
 switchport trunk allowed vlan add 10,20,50,60
!
interface gigabitethernet5
 switchport trunk allowed vlan add 50
!
interface gigabitethernet6
 switchport trunk allowed vlan add 30,40
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 10
!
interface Port-channel4
 description server
!
exit

 

 


Deepak Kumar
VIP Alumni

Hi,

As far as I can see, your SG300 is working as L2, but you can convert it to L3 mode so you will get better switching speed. Please keep in mind that you will lose all configuration when you change the mode on the SG300 switch.

I think your first optimization tip is to use the SG300 in L3 mode, and all inter-VLAN routing must happen on the SG300 only.

 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi, actually it is working in L3 mode, thanks.

CLI v1.0
set system mode router

Hi,

What is the default gateway on your NAS and PC1 (VLAN 10)?

I am sure that you have default gateway IPs which you configured on the router. If yes, then this switch is still working in L2 mode because, as I mentioned, VLAN routing must happen on the switch.

 

 

Regards,

Deepak Kumar


Hi, ok, I get your point.
PC1 GW is 10.0.0.14/28 and NAS is 10.0.0.46/29.
So if I remove them from the router interfaces and apply them on the VLAN interfaces, will the switch start working in L3?
If so, will I have to sacrifice my zone firewall?

Hi,

Yes, add a default route on your switch pointing to the router IP, remove the subinterfaces, and add a route on the router so you can access the internet as well.

 

If so, will I have to sacrifice my zone firewall?

I see that both interfaces are in the same zone, so there is not much benefit from the zone firewall. But keep in mind that your router has limitations and this is not an ISFW.

 

Regards,

Deepak Kumar

 

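The move Deepak describes, written out as an added example using this thread's own addresses (this is not configuration posted in the thread): VLAN 10 and VLAN 50 routing goes onto SW1, Gi0/0.10 is kept as the transit link to the router, and the hosts' gateways change to the SVIs. The SG300 `ip route` syntax and the choice to leave the other subinterfaces on the router are assumptions.

```cisco
! Added example, not from the thread. Addresses come from the posted configs;
! keeping Gi0/0.10 as the transit link and the SG300 route syntax are assumptions.

! --- SW1 (SG300, already "set system mode router"; interface vlan 10 = 10.0.0.13/28
! --- and interface vlan 50 = 10.0.0.45/29 already exist in the posted config)
SW1# configure terminal
! Default route: anything SW1 cannot route locally (the internet) goes to the router.
SW1(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.14
SW1(config)# exit
! Verify both SVIs are up and the default route is installed.
SW1# show ip route

! --- Router (1941) ---
Router# configure terminal
! VLAN 50 is now routed by SW1, so the router must no longer own 10.0.0.46/29;
! otherwise the NAS subnet is reachable by two paths and replies go asymmetric.
Router(config)# no interface GigabitEthernet0/0.50
! Return route for the NAS subnet through SW1's VLAN 10 SVI (the transit next hop).
Router(config)# ip route 10.0.0.40 255.255.255.248 10.0.0.13
Router(config)# end
! Expected: a static entry for 10.0.0.40/29 via 10.0.0.13, no connected 10.0.0.40/29.
Router# show ip route 10.0.0.40

! --- Hosts (change after both devices above are done) ---
! PC1 (VLAN 10): default gateway 10.0.0.14 -> 10.0.0.13
! NAS (VLAN 50): default gateway 10.0.0.46 -> 10.0.0.45
! The NAS-to-PC1 copy is then switched inside SW1; the router's Gi0/0 no longer
! carries that traffic twice (once in, once out) as it does in router-on-a-stick.
```

NAS to PC1 traffic is now switched locally on SW1 and never reaches the router, which changes nothing for the zone firewall because both subnets sat in in-zone and intra-zone traffic is not inspected. Gi0/0.50 had no `ip nat inside` and no NAT access list in the posted config, so NAS internet reachability is unchanged by this step.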