07-15-2018 06:37 AM - edited 03-08-2019 03:40 PM
I'm struggling to achieve the desired network throughput in my network. Something is limiting it to 100 Mbps and I have no idea what can cause such behaviour. All devices and NICs run at full duplex, 1000 Mbps.
Scenario: I want to transfer a large file from the NAS (vlan 50) to PC1 (vlan 10); the max transfer is 13MB/s. However, when I transfer a file from the NAS to PC2, the transfer jumps to roughly 70MB/s.
I read that inter-vlan routing can help to bypass the router in router-on-a-stick configurations, but I'm not sure how to implement it in my network as the connection between the switch and the server is set as trunk.
Please find uploaded topology. Any help will be appreciated.
Router#sh interfaces gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 80e0.1d29.87e0 (bia 80e0.1d29.87e0)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 50/75/11/18 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 3000 bits/sec, 4 packets/sec
  5 minute output rate 29000 bits/sec, 2 packets/sec
     96360153 packets input, 3553073172 bytes, 0 no buffer
     Received 105823 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 4 throttles
     3977 input errors, 0 CRC, 0 frame, 3977 overrun, 0 ignored
     0 watchdog, 7784 multicast, 0 pause input
     107607202 packets output, 238547386 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     7794 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
version 15.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
ip dhcp excluded-address 10.0.0.29
!
ip dhcp pool wifi
 network 10.0.0.24 255.255.255.248
 default-router 10.0.0.30
 dns-server 8.8.8.8
!
ip dhcp pool wifiguest
 network 10.0.0.32 255.255.255.248
 default-router 10.0.0.38
 dns-server 8.8.8.8
!
ip domain name z.local
ip cef
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
cts logging verbose
!
license udi pid CISCO1941/K9
license accept end user agreement
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
username z privilege 15 secret 5 z
!
redundancy
!
no cdp run
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-http-1
 match access-group name dmz-traffic
 match protocol http
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
 match protocol https
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-nat-https-1
 match access-group name dmz-traffic
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
!
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone security dmz-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group z
 key z
 domain z
 pool SDM_POOL_1
 max-users 3
 netmask 255.255.255.248
 banner z
crypto isakmp profile ciscocp-ike-profile-1
 match identity group z
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set z esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set z
 set isakmp-profile ciscocp-ike-profile-1
!
interface Loopback0
 no ip address
!
interface Loopback1
 ip address 10.0.0.70 255.255.255.248
!
interface Loopback3
 no ip address
 ipv6 address 1010::1/128
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description LAN$FW_INSIDE$
 encapsulation dot1Q 10
 ip address 10.0.0.14 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/0.20
 description LAN2$FW_INSIDE$
 encapsulation dot1Q 20
 ip address 10.0.0.22 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/0.30
 description WIFI$FW_INSIDE$
 encapsulation dot1Q 30
 ip address 10.0.0.30 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/0.40
 description WIFIGUEST$FW_INSIDE$
 encapsulation dot1Q 40
 ip address 10.0.0.38 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/0.50
 description NAS$FW_INSIDE$
 encapsulation dot1Q 50
 ip address 10.0.0.46 255.255.255.248
 zone-member security in-zone
!
interface GigabitEthernet0/0.60
 description DMZ$FW_DMZ$
 encapsulation dot1Q 60
 ip address 10.0.0.54 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security dmz-zone
!
interface GigabitEthernet0/1
 description WAN$FW_OUTSIDE$
 mac-address 1cbd.b930.4a99
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.0.0.57 10.0.0.60
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip flow-export version 9
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.0.49 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 10.0.0.49 443 interface GigabitEthernet0/1 443
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended dmz-traffic
 remark CCP_ACL Category=1
 permit ip any host 10.0.0.49
!
logging host 192.168.1.10
!
access-list 1 permit 10.0.0.0 0.0.0.15
access-list 2 permit 10.0.0.16 0.0.0.7
access-list 3 permit 10.0.0.24 0.0.0.7
access-list 4 permit 10.0.0.32 0.0.0.7
access-list 6 permit 10.0.0.48 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.0.0.48 0.0.0.7 any
!
SW1#sh run
config-file-header
SW1
v1.4.8.6 / R800_NIK_1_4_202_008
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e44300
!
vlan database
vlan 10,20,30,40,50,60
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
bonjour interface range vlan 1
hostname SW1
username z password encrypted z privilege 15
ip ssh server
line ssh
no history
exit
!
interface vlan 10
 name static
 ip address 10.0.0.13 255.255.255.240
!
interface vlan 20
 name static-other
!
interface vlan 30
 name wifi
!
interface vlan 40
 name wifi-guest
!
interface vlan 50
 name NAS
 ip address 10.0.0.45 255.255.255.248
!
interface vlan 60
 name DMZ
!
interface gigabitethernet1
 switchport trunk allowed vlan add 10,20,30,40,50,60
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet4
 switchport trunk allowed vlan add 10,20,50,60
!
interface gigabitethernet5
 switchport trunk allowed vlan add 50
!
interface gigabitethernet6
 switchport trunk allowed vlan add 30,40
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 10
!
interface Port-channel4
 description server
!
exit
07-15-2018 07:10 AM
Hi,
As I see it, your SG300 is working as L2, but you can convert it to L3 mode so you will get better switching speed. Please keep in mind that you will lose all configuration when you change the mode on the SG300 switch.
I think your first optimization tip is to use the SG300 in L3 mode, and all inter-VLAN routing must happen on the SG300 only.
Regards,
Deepak Kumar
07-15-2018 07:18 AM
07-15-2018 07:24 AM - edited 07-15-2018 07:25 AM
Hi,
What is the default gateway on your NAS and PC1 (VLAN 10)?
I am sure that you have the default gateway IPs which you configured on the router. If yes, then this switch is still working in L2 mode because, as I mentioned, VLAN routing must happen on the switch.
Regards,
Deepak Kumar
07-15-2018 07:33 AM
07-15-2018 08:17 AM
Hi,
Yes, add a default route on your switch pointing to the router IP and remove the subinterfaces, and add a route on the router so you can access the internet as well.
If so, will I have to sacrifice my zone firewall?
I see that both interfaces are in the same zone, so there is not much benefit from the zone firewall. But keep in mind that your router has limitations and this is not an ISFW.
Regards,
Deepak Kumar
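The zone-membership point in the reply above can be checked mechanically. The following is an added example, not code from the thread: it parses an excerpt of the router configuration posted above (subinterface and zone-pair lines only) and reports which inspect policy, if any, applies between two VLANs; the function names are illustrative.

```python
import re

# Excerpt of the router configuration posted in this thread (trimmed to the relevant lines).
ROUTER_CFG = """\
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 zone-member security in-zone
interface GigabitEthernet0/0.50
 encapsulation dot1Q 50
 zone-member security in-zone
interface GigabitEthernet0/0.60
 encapsulation dot1Q 60
 zone-member security dmz-zone
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
"""

def parse(cfg):
    """Return ({vlan: zone}, {(src_zone, dst_zone): policy}) from IOS config text."""
    vlan_zone, pair_policy = {}, {}
    vlan = pair = None
    for line in cfg.splitlines():
        if not line.startswith(" "):          # a new top-level stanza resets context
            vlan = pair = None
            m = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line)
            if m:
                pair = (m.group(1), m.group(2))
            continue
        text = line.strip()
        if m := re.match(r"encapsulation dot1Q (\d+)", text):
            vlan = int(m.group(1))
        elif (m := re.match(r"zone-member security (\S+)", text)) and vlan is not None:
            vlan_zone[vlan] = m.group(1)
        elif (m := re.match(r"service-policy type inspect (\S+)", text)) and pair:
            pair_policy[pair] = m.group(1)
    return vlan_zone, pair_policy

def policy_between(cfg, src_vlan, dst_vlan):
    """Name the inspect policy applied from src_vlan to dst_vlan, or say why none applies."""
    vlan_zone, pair_policy = parse(cfg)
    src, dst = vlan_zone[src_vlan], vlan_zone[dst_vlan]
    if src == dst:
        return f"same zone ({src}): no zone-pair policy"
    return pair_policy.get((src, dst), f"no zone-pair {src} -> {dst}")

if __name__ == "__main__":
    for a, b in [(50, 10), (10, 60), (60, 10)]:
        print(f"vlan {a} -> vlan {b}: {policy_between(ROUTER_CFG, a, b)}")
```

For the NAS (vlan 50) to PC1 (vlan 10) path the result is "same zone", while vlan 10 to vlan 60 maps to ccp-permit-dmzservice, so the DMZ path is the one where routing on the switch would skip a configured policy.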