Slow VLAN trunking performance

Wolf-R1_2 · ‎08-19-2013

We have configured a new VLAN to segregate a higher security zone in our organization however response to/from it is slow.

VLAN1 is where most of our internal network sits and accesses data across a WAN line that is fairly quick, 10Mb link and the data is lightweight web pages. We introduced VLAN3 connected via a GigE port on a 2960G switch, trunked and routed via an 1841 router. The port on the 1841 is FastE.

Even with no ACLs on the 1841 access to data across the WAN link takes 5-6 times longer than with VLAN1 despite all that's different between them is the 1841 trunking router.

Is there something that can be done to alleviate this?

Network:

WAN(1841)VLAN1 ----------- 2960G ---- Trunk ---- 1841

|

VLAN3

2960G Switch:

interface GigabitEthernet0/7
switchport access vlan 3
spanning-tree portfast
!
interface GigabitEthernet0/8
switchport access vlan 3
spanning-tree portfast
!
interface GigabitEthernet0/9
switchport access vlan 3
spanning-tree portfast
!
interface GigabitEthernet0/10
switchport access vlan 3
spanning-tree portfast
!
interface GigabitEthernet0/11
switchport access vlan 3
spanning-tree portfast
!
interface GigabitEthernet0/12
switchport mode trunk

1841 router:

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.1

encapsulation dot1Q 1 native

ip address 192.168.1.253 255.255.255.0

!

interface FastEthernet0/0.2

encapsulation dot1Q 3

ip address 192.168.5.1 255.255.255.240

If more of each config is needed I will post it however this seems to be the relevant parts.

Karsten Iwen · ‎08-19-2013

Is the non-WAN 1841 only used for routing between VLAN1 and VLAN3? If yes, then you could use your 2960G for that purpose (supported with a lan-base image starting with 12.2(55)SE).

There you can activate the routing SDM:

switch(config)# sdm prefer lanbase-routing

After a reload you can configure ip routing and add an SVI for VLAN3. That will be much faster then using the 1841 for that.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

jawad-mukhtar · ‎08-19-2013

Can u check router and switch cpu at that time.

also post ping results.

Jawad

jawad-mukhtar · ‎08-19-2013

enable cef on router too

Jawad

Joseph W. Doherty · ‎08-20-2013

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

An 1841 is a 75 Kpps rourter, i.e. is not really suitable for much beyond 10 Mbps.

If you can use the 2960G as Karsten suggests, it should be able to route 100 Mbps or gig.

Wolf-R1_2 · ‎08-20-2013

I did not suspect the 2960s were capable of internally VLANing. I have a WS-C2960S-48TS-S that has that has c2960s-universalk9-mz.122-55.SE5 loaded on it. Will that still support VLAN routing internally? I could definitely move this operation to that switch.

The current VLAN3 switch now is a WS-C2960G-48TC-L running c2960-lanbase-mz.122-25.SEE1. I assume with a software update it too could run VLAN routing internally, yes?

Karsten Iwen · ‎08-20-2013

The "TS-S"-switch only has LAN Lite and though no routing. And they are not upgradable to LANBase.

Always follow the rule "Never buy LAN Lite unless forced by really dark forces" ... ;-)

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Wolf-R1_2 · ‎08-20-2013

So I would have to update the WS-C2960G-48TC-L to get this ability then, yes? Looking at the IOS update choices I am limited to lanlite on the "TS-S" verion and lanbase on the "TC-L" version.

Karsten Iwen · ‎08-20-2013

Yes, if there are no new features that you would like to have, my preferrred version would be 12.2.55-SE8. I also started with IOS 15.0 on production systems (without any bigger problems) some time ago, and there the actual version is 15.0.2-SE4. Pick your favorite ...

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Wolf-R1_2 · ‎08-20-2013

Thanks, it would appear all I can get is c2960-lanbasek9-mz.150-2.SE4.bin so it will have to be upgraded to that.

Before I go Googling how to VLAN route internally on a 2960 do you have any documentation handy for this?

Karsten Iwen · ‎08-20-2013

That is not much different then on a router. After chnaging the SDM (my first answer) your config should look like that:

ip routing

!

interface Vlan1

ip address 192.168.1.253 255.255.255.0

!

interface Vlan3

ip address 192.168.5.1 255.255.255.240

!

ip route 0.0.0.0 0.0.0.0 192.168.1.254 name INTERNET ! or whatever your gateway is ...

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Wolf-R1_2 · ‎08-20-2013

Great, thanks! I won't be able to get to any of this until after hours tonight but I'll let you know how it goes.

Wolf-R1_2 · ‎08-28-2013

Sorry for the delay. Wasn't able to reload this switch until recently.

Access has improved across the VLANs but not much but it does work at the switch level with the 1841 removed from the equation.

Thanks for all the help. If anyone has any performance related ideas to add I'm open.