Wifo

asked on

2610 and two T-1 lines

Hi,

We have a 2610 and two T-1's that are from the same service provider and we have recently upgraded them to full lines from the fractional lines we were using. Our line change also included setting the two T-1's up in a load balanced configuration.

After rolling this around in my head and watching the traffic I don't think we are truly using the lines correctly. Here's why: the router only has a 10-base Ethernet port.

Since the 2610 is connected to a Firebox2 (which has a 10/100 interface) at 10Mb, can we really make use of the two lines? Right now bottlenecks happen at the threshold of a single T-1. Or is this more of a configuration issue? I have checked our router config against a sample from our ISP and it seems to be OK. Is there anything I can do to check this? Our monthly reports show only very tiny inbound traffic on the second line. Under load balancing I would expect the two lines to be even despite the ethernet connection.

Right now I think we need to go with a router that has a 10/100 interface (2620?) in order to fix this. Any help is greatly appreciated.
mmedwid

Two T1s is a combined total of only 3Mbps.  10BT at 10Mbps is more than adequate to saturate two T1s.  There is no need for a 100Mbps connection for getting to the ISP from your internal network.

The load balanced aspect of the two T1s is another question altogether.  How have you attempted so far to load balance the T1s?
There are a couple of things to look at here.  First off - the load balancing scenario.  You mention that one of the T1's is not experiencing much inbound traffic.  Load balancing is a two-way operation.  In other words, it has to be configured in both directions to work properly.  You are load balancing outbound, but is your ISP load balancing traffic flowing towards you?  From the sound of things, probably not.  I would talk with them about it.

As to your bandwidth issue - you may have somewhat of a point.  Mmedwid's answer sounds good in theory, but isn't entirely accurate.  A T1 is full duplex - 1.5Mb in and 1.5Mb out.  So you have a total of 3Mb in and 3Mb out.  A 10Mb interface on a 2610 has no option to be full duplex (even though the new IOS puts the commands to change it, the hardware doesn't have the ability - silly Cisco).  Therefore, you only have 5Mb in and 5 Mb out.  Still looks like enough, but let's look closer.  Ethernet is considered maxed out around 40-45%.  You may get up to 50%.  Taking this you only have 2.5Mb in max and 2.5Mb out max.  Now it looks like you don't have enough.  But serial lines are considered maxed at 80%.  This means you only use a total of 2.4Mb in and 2.4 out.  Therefore you are skimming extremely close - and that is if you are maxing out Ethernet usage.

So - do you need to rush out and buy a new card (you don't need a new router)?  Probably not.  I would keep a close eye on your usage, if it seems you are getting close to using a very high percentage of the T1's on a consistent basis, you may want to think about stepping up and buying a 10/100 card.  Other than that, I would probably leave it for now.
Les Moore
Both Scraig84 and mmedwid have good points. I would argue Scraig's point about the 10Mb port being maxed out at 40-45% utilization. While that would be true if it were plugged into a hub that is shared media along with many workstations (a larger collision domain), the contention and collisions on the wire are what reduces the max throughput. If you have your router's ethernet port only talking to your firewall either with crossover cable or a switch port, then you have more room on that 10Mb link. Closer to 90%.

The only way to really know where the bottleneck is (if there even is one) is to monitor the total inOctets/outOctets on 4 interfaces:
Router S0/0, S0/1, Eth 0/0 and firewall outside.
Using MRTG or What's up, or some other SNMP console you can get real-time or historical bandwidth utilization.

If all your inbound traffic does come down one pipe, then as Scraig said, talk to the ISP because they may not be load balancing correctly at their end.

You never did answer the question of how are you doing the load balancing on your end? Do you simply have two default routes with equal cost? Are you pointing your routes to the interface or to an upstream IP address?
Wifo

ASKER

I spoke with our provider and they did make some changes on their end and claim the lines are configured correctly. Not sure how I test this. Based on the config they gave me our router should be good to go as well. There are three routes, one per serial card with no cost and one for the ethernet. I did notice they have "no cdp enable" where I don't, if that helps.

As for monitoring, all I really have to go on is the Firewall. Long story on the SNMP. I have been watching the "external" meter and when we hit around 1.3 Kbp/s outbound, latency outbound jumps way up. Doing this with traceroute.

Just to mix things up (and add points), when the above event happens our monitor computer (LAN) can't ping through (DMZ). This makes me think our Firewall is the real problem. It is a FireBox 2 and traffic/load is well within its specs. I can understand internal/external bottlenecks but not a LAN/DMZ (10/100) bottleneck.
problems after 1.3Kbp/s??  That's nothing - do you mean Mbp/s?

Traceroute isn't exactly the best tool to monitor latency.

I would start out by looking at the serial interfaces on your Internet router from time to time and look at the "show int" counters to see how much traffic is passing (bits per sec).  You should expect that one T1 is typically going to be used heavier than the other (route caching causes imperfect load balancing), but you can usually tell if things are at least being somewhat balanced.

I don't fully understand your scenario with the firewall.  If it is having problems, I would look at its error log first if it has one.  Also, make sure duplex settings on the switch and Ethernet interfaces are correct so you don't have issues there.

Wifo

ASKER

Sorry, I do mean 1.3 Mbp/s. Watching the counters one line is 248000 incoming 0 outgoing (5 min snapshot) and the other is 83000 in and 417000 out. We normally have much more out than in.

I think the Firewall question was something I should have left out until the line problem is fixed. The help is still worth the extra points. Any idea of the proper way to test this or should I just start seeing outbound packets on the line that hasn't had any?
OK - looks like your provider is load balancing inbound properly, but you aren't load balancing out properly.  This would definitely cause problems over 1.3Mbs as it doesn't look like you are using the second T1. How are you routing outbound?  Should be two equal cost static default routes usually.  It may help if you post in your configurations - IP addresses changed and passwords removed to protect the innocent.
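
Added example, not part of the original thread: the counter check described above, done over "show interfaces" output so that each direction is judged separately. The sample text is constructed; its bit rates are the ones quoted in the thread, while the mapping of rates to Serial0/0 and Serial0/1, the packet rates and the 10% threshold are assumptions.

```python
import re

# Constructed "show interfaces" excerpt. The bit rates are the figures quoted in
# the thread; which serial interface carried which is an assumption.
SAMPLE_SHOW_INT = """\
Serial0/0 is up, line protocol is up
  5 minute input rate 83000 bits/sec, 20 packets/sec
  5 minute output rate 417000 bits/sec, 60 packets/sec
Serial0/1 is up, line protocol is up
  5 minute input rate 248000 bits/sec, 40 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""

IFACE_RE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down)")
RATE_RE = re.compile(r"^\s+5 minute (input|output) rate (\d+) bits/sec")


def parse_rates(text):
    """Return {interface: {"input": bps, "output": bps}} from show-interfaces text."""
    rates, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            rates[current] = {"input": 0, "output": 0}
            continue
        m = RATE_RE.match(line)
        if m and current:
            rates[current][m.group(1)] = int(m.group(2))
    return rates


def balance_report(rates, links, min_share=0.10):
    """Per direction, compute each link's share and list links below min_share."""
    report = {}
    for direction in ("input", "output"):
        total = sum(rates[link][direction] for link in links)
        shares = {l: (rates[l][direction] / total if total else 0.0) for l in links}
        idle = sorted(l for l in links if total and shares[l] < min_share)
        report[direction] = {"total_bps": total, "shares": shares, "idle": idle}
    return report


if __name__ == "__main__":
    links = ["Serial0/0", "Serial0/1"]
    for direction, info in balance_report(parse_rates(SAMPLE_SHOW_INT), links).items():
        print(direction, info["total_bps"], "bps, idle links:", info["idle"])
```

An idle link in the input direction points at the provider's side of the load balancing; an idle link in the output direction points at the local routing.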
Wifo

ASKER

Here is a version of our configuration file that may help.

!
version 12.0
XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXX
!
hostname XXXXXXXXXXXXXXXXX
!
boot system flash 1:XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXX
!
ip subnet-zero
ip name-server <Primary DNS Resolver>
!
process-max-time 200
!
interface Ethernet0/0
 ip address <LAN IP> <LAN Subnet mask>
 no ip directed-broadcast
!
interface Serial0/0
 ip address <Our 1st WAN IP> <WAN Subnet mask>
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 frame-relay map ip <ISP's 1st WAN IP> 16 broadcast IETF
 frame-relay lmi-type ansi
!
interface Serial0/1
 ip address <Our 2nd WAN IP> <WAN Subnet mask>
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 frame-relay map ip <ISP's 2nd WAN IP> 16 broadcast IETF
 frame-relay lmi-type ansi
!
ip classless
ip route 0.0.0.0 0.0.0.0 <ISP's 1st WAN IP>
ip route 0.0.0.0 0.0.0.0 <ISP's 2nd WAN IP> 254
ip route <LAN route ie 121.12.12.0> 255.255.255.0 <Firewall IP>
no ip http server
!
access-list 101 permit ip XXXXXXXXXXXXXXXXX any
access-list 101 permit ip XXXXXXXXXXXXXXXXX any
snmp-server engineID local XXXXXXXXXXXXXXXXX
snmp-server community XXXXXXXXXXXXXXXXX
snmp-server community XXXXXXXXXXXXXXXXX
snmp-server community XXXXXXXXXXXXXXXXX
snmp-server enable traps snmp
snmp-server host XXXXXXXXXXXXXXXXX-trap
snmp-server host XXXXXXXXXXXXXXXXX-trap
snmp-server host XXXXXXXXXXXXXXXXX-trap
snmp-server host XXXXXXXXXXXXXXXXX-trap
!
line con 0
 exec-timeout 0 0
 history size 50
 transport input none
line aux 0
 transport input all
line vty 0 4
 access-class 101 in
 exec-timeout 20 0
 password XXXXXXXXXXXXXXXXX
 login
 history size 50
!
end

ASKER CERTIFIED SOLUTION
scraig84

Wifo

ASKER

So, "show ip route" remove the 254, enter configure select terminal, paste new config and "show ip route". That it?
Basically.  The "show ip route" is more so you can see what I'm telling you - you don't have to do it to make it work.

for the config part, it would just be:

conf t
ip route 0.0.0.0 0.0.0.0 <ISP's 2nd WAN IP>
exit

then you can do a "show ip route" to see that the new route is in the table.  You should also see the outbound numbers start to change from 0 on that interface.
Edit this and cut/paste:

no ip route 0.0.0.0 0.0.0.0 <ISP's 2nd WAN IP> 254
ip route 0.0.0.0 0.0.0.0 <ISP's 2nd WAN IP>


lrmoore's will work too.  I'm about 99.9% sure that you don't need to do the "no" line first.  You should be able to just put the route in without admin distance.
Wifo

ASKER

I removed the "254" from a text copy, pasted the whole thing back in and the lines seem to be working correctly. I now have inbound and outbound traffic on both interfaces. Better yet I don't take the latency hit like I mentioned before when we hit 1.3 (+/-). That and the routes change when I traceroute. You guys rock!
Cool.  Glad that worked for you!
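
Added example, not part of the original thread: a small audit of the static routes in an IOS-style config that shows why the trailing 254 left the second T-1 unused outbound. The config text is constructed to mirror the posted one, with documentation addresses standing in for the redacted next hops; only the simple "ip route prefix mask next-hop [distance]" form is parsed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed excerpt mirroring the posted config; the addresses are placeholders.
SAMPLE_BEFORE = """\
ip classless
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 254
ip route 203.0.113.0 255.255.255.0 10.0.0.2
"""
# The change made in the thread: the same route without the distance of 254.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("198.51.100.1 254", "198.51.100.1")

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?\s*$")
DEFAULT_STATIC_DISTANCE = 1  # IOS default for a static route with no distance given


def static_routes(config):
    """Group static routes as {(prefix, mask): [(next_hop, distance), ...]}."""
    routes = defaultdict(list)
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            prefix, mask, hop, dist = m.groups()
            distance = int(dist) if dist else DEFAULT_STATIC_DISTANCE
            routes[(prefix, mask)].append((hop, distance))
    return routes


def audit(config):
    """Only the lowest-distance next hops are installed; the rest are standby."""
    result = {}
    for key, hops in static_routes(config).items():
        best = min(distance for _, distance in hops)
        active = [hop for hop, distance in hops if distance == best]
        standby = [hop for hop, distance in hops if distance > best]
        result[key] = {"active": active, "standby": standby,
                       "load_shared": len(active) > 1}
    return result


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(cfg)[("0.0.0.0", "0.0.0.0")])
```

With the 254 in place the second next hop is a floating backup that is used only if the first route disappears; with equal distances both default routes are installed and outbound traffic is shared.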