Stuck and not sure where to look - I think its routing

kpulford123
Level 1

Hi everyone,

I have created several VLANs on my 3750 switch and successfully been able to pass all of my traffic to the firewall with no apparent delay... except... my last VLAN.  The difference is that all of my current working VLANs are not using any ACLs.  I am not using VLAN ACLs yet, still trying to figure them out, so I am using an interface ACL at the moment.

So what is happening is that the VLAN in question (110) has a pretty extensive ACL on it as follows:

access-list 103 permit udp any any eq bootpc
access-list 103 permit udp any any eq bootps
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit tcp any any eq domain
access-list 103 permit tcp any eq domain any
access-list 103 permit udp any eq domain host 10.131.10.1
access-list 103 permit tcp any eq domain host 10.131.10.1
access-list 103 permit udp any eq domain host 10.131.10.14
access-list 103 permit tcp any eq domain host 10.131.10.14
access-list 103 permit ip any host 10.131.10.3
access-list 103 permit ip host 10.131.10.3 any
access-list 103 permit ip any host 10.131.10.202
access-list 103 permit ip host 10.131.10.202 any
access-list 103 permit ip any 10.131.251.0 0.0.0.255
access-list 103 permit ip 10.131.251.0 0.0.0.255 any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip any 10.0.0.0 0.255.255.255
access-list 103 permit ip any any

So I think what I have here is allowing DHCP to both of my dhcp servers, and DNS to both of my DNS servers.  I also allow traffic to my mail servers, but I am denying all other traffic to the 10.0.0.0 subnet, with the additional exception of the 10.131.251.0 subnet (which goes to my firewall.)

The issue is odd here.  I can eventually get all Internet traffic to work, but there is a noticeable lag in getting between web sites on the Internet.  When I ping a fqdn the conversion to ip seems pretty quick, but again I am sort of lost as to what about my ACL or if there is another place to look could be causing the slow web site display on this one vlan.

So as you can see I have an issue, but it appears to be a "Slow" issue, which tells me that my routes seem to be working okay because I eventually get to the desired site.  I am just stumped on where to check next to identify the slow issue on this one particular vlan.  By slow I mean noticeably slow.

So comparatively, on a normal VLAN I can bring up www.msn.com instantly, or within a couple of seconds.  On the mentioned VLAN it could take 30 - 60 seconds to come up.

Any help on this would be much appreciated.

Sincerely,

Kevin Pulford
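As an added illustration (not from the thread, Cisco, or the poster), the following Python evaluator applies the posted access-list 103 with IOS first-match semantics: it reports which line a packet hits, shows that an ACL only permits or drops (it has no "slow" outcome), and lists lines that are shadowed by earlier lines. The sample hosts (192.0.2.10, 203.0.113.7, 10.131.110.20, 10.131.20.5, 10.131.251.4) are constructed; note that a constructed source inside 10.0.0.0/8 is dropped by the `deny ip 10.0.0.0 0.255.255.255 any` line before the final `permit ip any any` is reached.

```python
import ipaddress
ACL_103 = [  # the thread's access-list 103, with the 'access-list 103 ' prefix dropped
    "permit udp any any eq bootpc", "permit udp any any eq bootps",
    "permit udp any any eq domain", "permit udp any eq domain any",
    "permit tcp any any eq domain", "permit tcp any eq domain any",
    "permit udp any eq domain host 10.131.10.1", "permit tcp any eq domain host 10.131.10.1",
    "permit udp any eq domain host 10.131.10.14", "permit tcp any eq domain host 10.131.10.14",
    "permit ip any host 10.131.10.3", "permit ip host 10.131.10.3 any",
    "permit ip any host 10.131.10.202", "permit ip host 10.131.10.202 any",
    "permit ip any 10.131.251.0 0.0.0.255", "permit ip 10.131.251.0 0.0.0.255 any",
    "deny ip 10.0.0.0 0.255.255.255 any", "deny ip any 10.0.0.0 0.255.255.255", "permit ip any any",
]
PORTS = {"bootpc": 68, "bootps": 67, "domain": 53}  # IOS port keywords used in the ACL

def _endpoint(t):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT'."""
    if t[0] == "any":
        net, t = ipaddress.ip_network("0.0.0.0/0"), t[1:]
    elif t[0] == "host":
        net, t = ipaddress.ip_network(t[1] + "/32"), t[2:]
    else:  # contiguous wildcard assumed: 0.0.0.255 -> /24, 0.255.255.255 -> /8
        bits = 32 - int(ipaddress.ip_address(t[1])).bit_length()
        net, t = ipaddress.ip_network(f"{t[0]}/{bits}", strict=False), t[2:]
    if t and t[0] == "eq":
        return net, PORTS[t[1]], t[2:]
    return net, None, t

def _rule(line):
    """Rule tuple: (action, proto, src_net, src_port, dst_net, dst_port); None port = any."""
    t = line.split()
    src, sport, rest = _endpoint(t[2:])
    dst, dport, _ = _endpoint(rest)
    return t[0], t[1], src, sport, dst, dport
def parse_acl(lines): return [_rule(l) for l in lines]

def _covers(r, proto, src, sport, dst, dport):  # does rule r match every packet in this set?
    return (r[1] in ("ip", proto) and src.subnet_of(r[2]) and dst.subnet_of(r[4])
            and r[3] in (None, sport) and r[5] in (None, dport))

def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins (action, 1-based line); no match is IOS's implicit deny."""
    s, d = ipaddress.ip_network(src + "/32"), ipaddress.ip_network(dst + "/32")
    hit = next(((r[0], i) for i, r in enumerate(rules, 1)
                if _covers(r, proto, s, sport, d, dport)), None)
    return hit or ("deny", None)

def shadowed(rules):
    """1-based lines that can never match because an earlier line already covers them."""
    return [j for j, rj in enumerate(rules, 1)
            if any(_covers(ri, rj[1], rj[2], rj[3], rj[4], rj[5]) for ri in rules[:j - 1])]
```

Running `shadowed(parse_acl(ACL_103))` reports lines 7 to 10 as unreachable, since lines 4 and 6 already permit any source-port-53 UDP/TCP traffic to anywhere.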

2 Replies

rtjensen4
Level 4

To rule out the ACL, have you tried removing the ACL from the SVI and then trying the internet access?

BUT if it were an ACL issue, it would either work or not work, not just be slow sooo....

can you verify if there are any routing loops that may have formed? On the 3750 (or wherever you have the ACL applied), check CPU usage while you're trying to access the web. Do you have cef enabled?

Is your spanning-tree formed as expected for this VLAN? Could there be a Layer 2 loop?

Are there any other switches involved here?

HTH

kpulford123
Level 1

Thank you for your time and response.

I have removed the ACL and still have the delay.  As near as I can tell it is the same sort of time delay as well.

Odd thing is if I run a speedtest for my ISP the page loads quite slow, but when running the speed test I get what I would expect for up and down bandwidth.  So I would think this might also rule out the route, but...

Yes I do have a few switches between my end point and the 3750 and the 3750 is connected directly to the firewall via 10.131.251.0 network.

I am unsure how to determine the existence of a routing loop.  We use the EIGRP protocol and it is set up on a router in my network, and not on the 3750, but the 3750 does participate in EIGRP.  When I list the routes I don't see anything that looks out of place.

When I do a show processes cpu it looks like I am at about 6% across the board.  No major spikes when I try to get to a page with or without the ACL on the VLAN.

I am not sure about CEF, I have not purposely enabled it.  Is there a command to check for that?

Also, I have spanning tree enabled, but I am not sure how to tell if it is formed correctly.

There are switches involved, in my test case I am going to an AP->2950->2975 (Stack)->3750->asa5520

I have VLAN statements in each switch, but only my 3750 is also L3 routing VLANs.

I have ping ability through to the 3750 and the asa.

Now as far as the L2 loop, I have BPDU guard on the 2975 stack and when I have a connected (wired) computer on, it doesn't shut the port down.  So I would guess the L2 loop may not be an issue, but I am happy to try to look further, I am just not sure how to do this.

I hope this provided some answers, but as you can probably tell I haven't done very in-depth troubleshooting of these devices before.

I really appreciate your time in looking this over and your suggestions.

Sincerely,

Kevin
