
limited speed in inter-vlan transfer

Ipefixe
Level 1

Hello,

In my infra, I have a QNAP server allowing me to transfer files (especially movies). This server is on VLAN 20.
For my user devices, I use VLAN 100.

When I try to transfer a file from the NAS to my PC, the speed does not exceed 400 Mb / s whereas if I put my PC on the vlan 20, I reach 1 Gb / s without problem.

So the file goes through Intervlan routing, but why is the speed so low?

Thank you in advance and good day.

4 Replies

Giuseppe Larosa
Hall of Fame

Hello @Ipefixe ,

You have a software-based router performing inter-VLAN routing:

c800-universalk9-mz.SPA.157-3.M4a.bin

I think for a branch router of this type 400 Mbps can be an expected result.

Things would change if you had a multilayer switch that can perform wire-speed inter-VLAN routing with tens of Gbps of performance capabilities.

 

Hope to help

Giuseppe

 

Hello,

Looking at your configuration, it appears that your router is behind another device? Do you really need the reflexive access lists (which can be taxing on the CPU)? Try and make the changes marked in bold, and check if the performance between Vlan 20 and Vlan 100 improves:

 

version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R891F
!
boot-start-marker
boot system flash c800-universalk9-mz.SPA.157-3.M4a.bin
boot-end-marker
!
aqm-register-fnf
!
no logging console
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
clock timezone CEST 2 0
!
ip dhcp excluded-address 10.0.10.1 10.0.10.100
ip dhcp excluded-address 10.0.30.1 10.0.30.100
ip dhcp excluded-address 10.0.60.1 10.0.60.100
ip dhcp excluded-address 10.0.110.1 10.0.110.100
ip dhcp excluded-address 10.0.100.1 10.0.100.200
!
ip dhcp pool LAN
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
domain-name LAN_
dns-server 192.168.1.1
option 42 ip 10.0.20.2
!
ip dhcp pool WLAN
network 10.0.30.0 255.255.255.0
default-router 10.0.30.1
domain-name WLAN_
dns-server 192.168.1.1
option 42 ip 10.0.20.2
!
ip dhcp pool ADMINISTRATION
network 10.0.110.0 255.255.255.0
default-router 10.0.110.1
dns-server 192.168.1.1
domain-name ADMINISTRATION
option 42 ip 10.0.20.2
!
ip dhcp pool VIDEOSURVEILLANCE
network 10.0.60.0 255.255.255.0
domain-name VIDEOSURVEILLANCE
default-router 10.0.60.1
option 42 ip 10.0.20.2
!
ip dhcp pool Centreon
host 10.0.20.3 255.255.255.0
hardware-address 5254.00b4.8d67
!
ip dhcp pool INTERCO
network 10.0.100.0 255.255.255.0
default-router 10.0.100.1
dns-server 192.168.1.1
option 42 ip 10.0.20.2
domain-name INTERCO
!
ip dhcp pool SERVICES
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
dns-server 192.168.1.1
domain-name SERVICES
option 42 ip 10.0.20.2
!
ip domain name domain
ip name-server 192.168.1.1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
path tftp://10.0.20.2/R891F/$t
write-memory
time-period 1440
vtp version 2
redundancy
!
interface Port-channel1
no ip address
hold-queue 300 in
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description Interco_R891F/2960L
switchport mode trunk
no ip address
!
interface GigabitEthernet1
description Interco_R891F/WLC
switchport mode trunk
no ip address
!
interface GigabitEthernet2
switchport access vlan 40
no ip address
spanning-tree portfast
!
interface GigabitEthernet3
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface GigabitEthernet4
switchport access vlan 60
no ip address
duplex full
speed 1000
spanning-tree portfast
!
interface GigabitEthernet5
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet6
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet7
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface GigabitEthernet8
description Interco_WAN-R891F/2960L
ip address 192.168.1.2 255.255.255.0
ip access-group BOX_IN in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description LAN
ip address 10.0.10.1 255.255.255.0
ip access-group VLAN10_IN in
--> no ip helper-address 10.0.10.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
description SERVICES
ip address 10.0.20.1 255.255.255.0
--> no ip access-group VLAN20_IN in
--> no ip helper-address 10.0.20.1
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
!
interface Vlan30
description WLAN
ip address 10.0.30.1 255.255.255.0
ip access-group VLAN30_IN in
--> no ip helper-address 10.0.30.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan40
description WAN_SFR
no ip address
ip helper-address 192.168.1.1
!
interface Vlan50
description QUARANTAINE
no ip address
!
interface Vlan60
description VIDEOSURVEILLANCE
ip address 10.0.60.1 255.255.255.0
ip access-group VLAN60_IN in
--> no ip helper-address 10.0.60.1
ip virtual-reassembly in
!
interface Vlan70
description WAN_ONT
no ip address
!
interface Vlan100
description INTERCO
ip address 10.0.100.1 255.255.255.0
--> no ip access-group VLAN100_IN in
--> no ip helper-address 10.0.100.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan110
description ADMINISTRATION
ip address 10.0.110.1 255.255.255.0
ip access-group VLAN110_IN in
--> no ip helper-address 10.0.110.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan600
no ip address
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet8 overload
ip nat inside source static 10.0.20.2 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip ssh version 2
!
ip access-list extended BOX
permit ip any host 192.168.1.1
ip access-list extended BOX_IN
permit ip host 192.168.1.1 any
deny ip 192.168.1.0 0.0.0.255 any
permit ip any any
ip access-list extended VLAN100_IN
permit ip any any reflect MIRROR timeout 300
ip access-list extended VLAN10_IN
evaluate MIRROR
evaluate NAS-
evaluate CENTREON
permit udp 10.0.10.0 0.0.0.255 host 192.168.1.1 eq domain
deny ip any 10.0.0.0 0.0.255.255
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended VLAN110_IN
permit ip any any reflect MIRROR timeout 300
ip access-list extended VLAN20_IN
evaluate MIRROR
permit ip host 10.0.20.2 any reflect NAS- timeout 300
permit ip host 10.0.20.3 any reflect CENTREON timeout 300
permit udp 10.0.20.0 0.0.0.255 host 192.168.1.1 eq domain
deny ip any 10.0.0.0 0.0.255.255
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended VLAN30_IN
evaluate MIRROR
evaluate NAS-
evaluate CENTREON
permit udp 10.0.30.0 0.0.0.255 host 192.168.1.1 eq domain
deny ip any 10.0.0.0 0.0.255.255
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended VLAN60_IN
evaluate MIRROR
evaluate NAS-
evaluate CENTREON
permit ip 10.0.60.0 0.0.0.255 host 10.0.20.2
deny ip any 10.0.0.0 0.0.255.255
deny ip any 192.168.1.0 0.0.0.255
!
ipv6 ioam timestamp
!
snmp-server community -ro RO
snmp-server community RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps flowmon
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps xgcp
snmp-server enable traps license
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps dsp video-usage
snmp-server enable traps dsp video-out-of-resource
snmp-server enable traps stun
snmp-server enable traps bstun
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps c3g
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps mac-notification
snmp-server enable traps energywise
snmp-server enable traps trustsec-sxp conn-srcaddr-err msg-parse-err conn-config-err binding-err conn-up conn-down oper-nodeid-change binding-conflict
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps dlsw
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bfd
snmp-server enable traps bgp cbgp2
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls fast-reroute protected
snmp-server enable traps mpls rfc ldp
snmp-server enable traps mpls ldp
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
snmp-server enable traps ipmobile
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps waas
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps gdoi ks-new-registration
snmp-server enable traps gdoi ks-reg-complete
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice
snmp-server enable traps dnis
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps mpls vpn
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 1 permit 10.0.20.0 0.0.0.255
access-list 1 permit 10.0.30.0 0.0.0.255
access-list 1 permit 10.0.110.0 0.0.0.255
access-list 1 permit 10.0.100.0 0.0.0.255
access-list 1 permit 10.0.60.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
password 7 130616101919082F3F36272374
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.0.20.2 prefer
!
end

Hello

Thanks a lot for your help.

My reflective rules allow me to communicate from VLAN 100 to VLAN 20 but not from VLAN 20 to VLAN 100:
VLAN 20 -> VLAN 100 = impossible
VLAN 100 -> VLAN 20 = possible

I changed the configuration and the speed goes to 750 Mb / s so it's much better, but my rules no longer apply ...
How to find an alternative?

Perhaps if your ACL VLAN100_IN's first ACE allowed TCP with ACK bit set.(?)
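
An added example, not part of the thread or of anyone's configuration: a small Python model of what the return-path filter decides under the reflexive `MIRROR` rules versus a stateless first entry that matches TCP with the ACK bit set. Assumptions: the hosts `10.0.100.50` and `10.0.20.50` are constructed, the stateless match is evaluated on traffic going from VLAN 20 toward VLAN 100, it also accepts RST (as the IOS `established` keyword does), and only the `MIRROR` path and the `deny ip any 10.0.0.0 0.0.255.255` entry are modelled.

```python
from ipaddress import ip_address, ip_network

VLAN100 = ip_network("10.0.100.0/24")
INTERNAL = ip_network("10.0.0.0/16")     # deny ip any 10.0.0.0 0.0.255.255

def pkt(src, sport, dst, dport, proto="tcp", flags=""):
    return {"src": ip_address(src), "sport": sport, "dst": ip_address(dst),
            "dport": dport, "proto": proto, "flags": set(flags.split())}

class ReflexiveReturnFilter:
    """Models 'reflect MIRROR' on VLAN 100 ingress plus 'evaluate MIRROR' on the return path."""
    def __init__(self):
        self.mirror = set()              # temporary entries, keyed like the reply packet

    def outbound(self, p):               # VLAN 100 -> VLAN 20: permit ip any any reflect MIRROR
        self.mirror.add((p["proto"], p["dst"], p["dport"], p["src"], p["sport"]))

    def allows_return(self, p):          # VLAN 20 -> VLAN 100
        key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        if key in self.mirror:           # evaluate MIRROR
            return True
        return p["dst"] not in INTERNAL  # deny internal ranges, then permit ip any any

def stateless_allows_return(p):
    """Models a first entry matching TCP with ACK (or RST) set; no session table is kept."""
    if p["proto"] == "tcp" and p["dst"] in VLAN100 and p["flags"] & {"ACK", "RST"}:
        return True
    return p["dst"] not in INTERNAL

def compare():
    """Return {case: (reflexive_verdict, stateless_verdict)} for constructed packets."""
    pc, host = "10.0.100.50", "10.0.20.50"               # constructed addresses
    rx = ReflexiveReturnFilter()
    rx.outbound(pkt(pc, 50000, host, 445, flags="SYN"))   # PC opens a TCP session
    rx.outbound(pkt(pc, 50001, host, 2049, proto="udp"))  # PC sends a UDP request
    cases = {
        "tcp reply (SYN ACK)":   pkt(host, 445, pc, 50000, flags="SYN ACK"),
        "tcp new session (SYN)": pkt(host, 40000, pc, 22, flags="SYN"),
        "tcp ACK, no session":   pkt(host, 40000, pc, 22, flags="ACK"),
        "udp reply":             pkt(host, 2049, pc, 50001, proto="udp"),
    }
    return {name: (rx.allows_return(p), stateless_allows_return(p))
            for name, p in cases.items()}

if __name__ == "__main__":
    for name, (reflexive, stateless) in compare().items():
        print(f"{name:24} reflexive={reflexive!s:5} stateless={stateless}")
```

Both variants pass TCP replies and refuse new TCP sessions opened from VLAN 20. The stateless match differs in two places: it accepts any TCP segment carrying ACK whether or not a session exists, and it does not cover UDP replies, which would need their own entries.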