Solved

Bandwidth reduced to 15% after passing Cisco 3550. Maybe a PIX VPN-related question.

Posted on 2006-10-24
Last Modified: 2008-01-09
I have an application server network that has a Cisco 3550 used for inter-VLAN and policy routing.
Please see the figure from the link below.
http://www.pcs1.net/vlan.gif
The requirements in the network are:
1. vlan 1 can access vlan 88 and vlan 97.
2. vlan 88 and vlan 97 must use their own dedicated gateway to access the internet.
I have 3 MB upload and download bandwidth for every internet connection. Vlan 97 and Vlan 88 have exactly the same configuration, except that Vlan 88's PIX also handles 10 remote access VPN clients.
My main problem here is that the upload speed of Vlan 88 decreases considerably after the 3550 switch. It goes down from an average of 2500kbps to less than 900kbps constantly. The download bandwidth is always above 2200kbps.
However, Vlan 97 does not have this problem!
The only difference I can think of is the Cisco remote access VPN clients in Vlan 88. There are about 10 computers that access the network by VPN client, but can that cause such a considerable loss of bandwidth? If so, then why can the bandwidth from the PIX firewall's inside interface reach 2400 kbps?
Please help. I will post the sh run in my next post.
Question by:Vartana
 
LVL 1

Author Comment

by:Vartana
ID: 17799425
Here is the sh run from my 3550


version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3550_Switch
!
enable secret 5 $1$Mu8i$lbZuG34XzO1pWdV9l6sT90
!
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
 switchport mode access
 no ip address
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode dynamic desirable
 no ip address
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode dynamic desirable
 no ip address
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport mode dynamic desirable
 no ip address
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport mode dynamic desirable
 no ip address
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 no ip address
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode access
 no ip address
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport mode dynamic desirable
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode dynamic desirable
 no ip address
!
interface FastEthernet0/10
 switchport mode dynamic desirable
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport mode dynamic desirable
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport mode dynamic desirable
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 80
 switchport mode access
 no ip address
 duplex full
 speed 10
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode dynamic desirable
 no ip address
!
interface FastEthernet0/15
 switchport mode dynamic desirable
 no ip address
!
interface FastEthernet0/16
 switchport mode dynamic desirable
 no ip address
!
interface FastEthernet0/17
 switchport mode dynamic desirable
 no ip address
!
interface FastEthernet0/18
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport access vlan 97
 switchport mode dynamic desirable
 no ip address
!
interface FastEthernet0/20
 switchport mode access
 no ip address
!
interface FastEthernet0/21
 switchport access vlan 90
 switchport mode access
 no ip address
 duplex full
 speed 10
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport mode dynamic desirable
 no ip address
!
interface FastEthernet0/23
 switchport access vlan 88
 switchport trunk encapsulation dot1q
 switchport mode access
 no ip address
!
interface FastEthernet0/24
 switchport mode dynamic desirable
 no ip address
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
 no ip address
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
 no ip address
!
interface Vlan1
 ip address 10.0.100.5 255.255.0.0
 no ip redirects
 no ip route-cache
 no ip mroute-cache
!
interface Vlan12
 ip address 66.209.104.51 255.255.255.248
 ip policy route-map vlan12
 shutdown
!
interface Vlan80
 ip address 10.8.80.1 255.255.255.0
!
interface Vlan88
 ip address 10.8.88.1 255.255.255.0
 ip policy route-map vlan88
!
interface Vlan90
 ip address 10.9.90.1 255.255.255.0
!
interface Vlan97
 ip address 10.9.97.1 255.255.255.0
 ip policy route-map vlan97
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
!
access-list 100 deny   ip 66.209.104.48 0.0.0.7 66.209.104.48 0.0.0.7
access-list 100 deny   ip 66.209.104.48 0.0.0.7 10.0.0.0 0.0.255.255
access-list 100 permit ip any any
access-list 101 deny   ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 101 deny   ip 10.0.0.0 0.0.255.255 10.8.88.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.255.255 10.9.97.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.255.255 10.1.124.0 0.0.0.255
access-list 101 permit ip any any
access-list 188 deny   ip 10.8.88.0 0.0.0.255 10.8.88.0 0.0.0.255
access-list 188 deny   ip 10.8.88.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 188 permit ip any any
access-list 197 deny   ip 10.9.97.0 0.0.0.255 10.9.97.0 0.0.0.255
access-list 197 deny   ip 10.9.97.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 197 permit ip any any
no cdp run
route-map vlan88 permit 10
 match ip address 188
 set ip next-hop 10.8.80.9
!
route-map vlan12 permit 10
 match ip address 100
 set ip next-hop 66.209.104.49
!
route-map vlan97 permit 10
 match ip address 197
 set ip next-hop 10.9.90.9
!
route-map vlan1 permit 10
 match ip address 101
 set ip next-hop 10.8.80.9

monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/7 ingress vlan 1
end

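To make the route-map and access-list semantics in the running-config above concrete, here is an added example (not code from the thread or from Cisco) that walks a packet through the switch's policy routing. It models extended-ACL wildcard matching and the route-map rule that a "deny" line means "do not policy-route this flow" (the packet falls through to the normal routing table, it is not dropped). The ACLs, next hops, connected subnets and default route are transcribed from the config; the test addresses are constructed, and the example also shows the case neither ACL exempts, traffic between VLAN 88 and VLAN 97, which goes to the VLAN 88 PIX rather than across the switch.

```python
"""Walk a packet through the 3550's policy routing as posted above.

Added example (not from the thread): models Cisco extended-ACL wildcard
matching and route-map semantics. A "deny" line in the match ACL means the
route-map does not apply, so the packet is routed normally, not dropped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching line wins; an access list ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")   # "any" in Cisco ACL syntax

# Access lists transcribed from the running-config above.
ACL_188 = [
    AclEntry("deny", "10.8.88.0", "0.0.0.255", "10.8.88.0", "0.0.0.255"),
    AclEntry("deny", "10.8.88.0", "0.0.0.255", "10.0.0.0", "0.0.255.255"),
    AclEntry("permit", *ANY, *ANY),
]
ACL_197 = [
    AclEntry("deny", "10.9.97.0", "0.0.0.255", "10.9.97.0", "0.0.0.255"),
    AclEntry("deny", "10.9.97.0", "0.0.0.255", "10.0.0.0", "0.0.255.255"),
    AclEntry("permit", *ANY, *ANY),
]

# "ip policy route-map" bindings: ingress SVI -> (match ACL, set ip next-hop).
# Only Vlan88 and Vlan97 carry a policy in the posted config.
POLICY = {
    "Vlan88": (ACL_188, "10.8.80.9"),
    "Vlan97": (ACL_197, "10.9.90.9"),
}

# Connected subnets from the SVIs (Vlan12 is shut down, so it is omitted)
# and the single static default route.
CONNECTED: List[Tuple[str, IPv4Network]] = [
    ("Vlan1", IPv4Network("10.0.0.0/16")),
    ("Vlan80", IPv4Network("10.8.80.0/24")),
    ("Vlan88", IPv4Network("10.8.88.0/24")),
    ("Vlan90", IPv4Network("10.9.90.0/24")),
    ("Vlan97", IPv4Network("10.9.97.0/24")),
]
DEFAULT_NEXT_HOP = "10.0.0.1"   # ip route 0.0.0.0 0.0.0.0 10.0.0.1


def next_hop(ingress_vlan: str, src: str, dst: str) -> str:
    """Return where the switch forwards a packet arriving on ingress_vlan.

    Policy routing is consulted first on SVIs that carry a route-map; a
    match sets the next hop directly. Otherwise the packet is routed
    normally: a connected subnet if one matches, else the static default.
    """
    policy = POLICY.get(ingress_vlan)
    if policy is not None:
        acl, hop = policy
        if acl_permits(acl, src, dst):
            return hop
    for name, net in CONNECTED:
        if IPv4Address(dst) in net:
            return f"connected via {name}"
    return DEFAULT_NEXT_HOP


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.7 is a documentation address.
    for vlan, s, d in [
        ("Vlan88", "10.8.88.10", "198.51.100.7"),
        ("Vlan88", "10.8.88.10", "10.0.100.5"),
        ("Vlan88", "10.8.88.10", "10.9.97.10"),
        ("Vlan1", "10.0.100.20", "198.51.100.7"),
    ]:
        print(f"{vlan} {s} -> {d}: {next_hop(vlan, s, d)}")
```

Note that the wildcard 0.0.255.255 on 10.0.0.0 covers only 10.0.x.x (VLAN 1's subnet), not the 10.8.x.x and 10.9.x.x SVIs, which is why inter-VLAN traffic between 88 and 97 is handed to the PIX while traffic to VLAN 1 stays on the switch.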
 
LVL 79

Expert Comment

by:lrmoore
ID: 17799766
It depends on how many of these 10 VPN users are active at any one time, and how they use the connection. For instance, does a VPN user use Outlook with a PST residing on a server in vlan 88? If yes, this can certainly cause some extraneous traffic between the networks, and yes, this can certainly eat up the bandwidth; I would expect a lower performance metric than from the VLAN97 PIX.

I also see this little Netgear switch between the 3550 and the PIX. Why is it there? Could this be a bottleneck? Have you checked interfaces for duplex mismatches between the PIX and the Netgear, between the Netgear and the 3550, and between the PIX and its WAN router?
 
LVL 1

Author Comment

by:Vartana
ID: 17800004
The Netgear switch is there to test bandwidth. It does not affect the bandwidth, because the reading still averages 2400k.
The question here is why the bandwidth is 2400k before the 3550 switch. If the VPN users are generating traffic, then the bandwidth should be slow right after the PIX firewall as well.
I will check CRC errors and collisions on every interface involved now. Thank you very much for your suggestions.
 
LVL 1

Author Comment

by:Vartana
ID: 17800650
I checked with the ISP and we set the router and firewall to half-duplex on both sides. Then the upload bandwidth becomes 2400kbps. Now the question is why does the duplex setting only affect upload speed? Moreover, why was the speed not decreased behind the firewall but gets so much worse after the layer 3 switch?
Basically, why can the duplex setting of the firewall's outside interface and the router's ethernet interface affect only the upload bandwidth behind the 3550 switch? Any suggestion is welcome.
 
LVL 1

Author Comment

by:Vartana
ID: 17813850
After 2 days of observation, I still see collisions on the outside interface of my PIX firewall. Is that normal? I had to run half-duplex because the 2601 router has only an ethernet connection, which can only connect to my PIX at half-duplex without more CRC errors and speed reduction. Are there any more settings that I can change so there will be no collisions? Thank you for your help.

Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
        MAC address 0017.9514.4c92, MTU 1500
        IP address 67.153.180.21, subnet mask 255.255.255.240
        4617513 packets input, 2301071458 bytes, 0 no buffer
        Received 2310 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        4036868 packets output, 1603604822 bytes, 0 underruns
        0 output errors, 51331 collisions, 0 interface resets      ----------------------------Collisions grows as time goes on.
        0 babbles, 0 late collisions, 66733 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/64)
        output queue (curr/max blocks): hardware (0/31) software (0/1)
  Traffic Statistics for "outside":
        4630142 packets input, 2226987576 bytes
        4047590 packets output, 1531733448 bytes
        224676 packets dropped
      1 minute input rate 52 pkts/sec,  45702 bytes/sec
      1 minute output rate 43 pkts/sec,  28895 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 52 pkts/sec,  16779 bytes/sec
      5 minute output rate 43 pkts/sec,  23418 bytes/sec
      5 minute drop rate, 1 pkts/sec
Interface Ethernet1 "inside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
        MAC address 0017.9514.4c93, MTU 1500
        IP address 10.8.80.9, subnet mask 255.255.255.0
        4185388 packets input, 1602906255 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        4572679 packets output, 2219509700 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/16)
        output queue (curr/max blocks): hardware (0/62) software (0/1)
  Traffic Statistics for "inside":
        4196079 packets input, 1534857881 bytes
        4572679 packets output, 2140348652 bytes
        3508 packets dropped
      1 minute input rate 38 pkts/sec,  21335 bytes/sec
      1 minute output rate 44 pkts/sec,  7047 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 43 pkts/sec,  23433 bytes/sec
      5 minute output rate 50 pkts/sec,  15741 bytes/sec
      5 minute drop rate, 0 pkts/sec
 
LVL 79

Expert Comment

by:lrmoore
ID: 17814591
Collisions are normal and expected in any half-duplex configuration. As long as the ratio of collisions to packets is so very low and there are no CRC errors, then you have nothing to worry about there, and nothing will really improve it short of upgrading the 2600 to support full-duplex and putting a small switch in between.

What's on the outer side of the 2600 router giving you the 3Mb speed? SDSL? T1? 2xT1? What version IOS?
Look at the router's interfaces for error counters, too, especially CRC errors.
 
LVL 1

Author Comment

by:Vartana
ID: 17815606
There are CRC errors on the router's side. The router gets bonded T1s and uses a multilink interface. The bandwidth is 3MB up and down. The ethernet interface shows CRC errors. The router is running IOS 12.3.
Below is the sh int of the router.

Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0004.c05b.6680 (bia 0004.c05b.6680)
  Internet address is 67.153.180.17/28
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 3/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:10:24, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 123000 bits/sec, 18 packets/sec
  5 minute output rate 61000 bits/sec, 21 packets/sec
     10935097 packets input, 947426342 bytes, 0 no buffer
     Received 69089 broadcasts, 0 runts, 0 giants, 0 throttles
     148637 input errors, 148636 CRC, 33998 frame, 0 overrun, 1 ignored   ------------------------------CRC error!
     0 input packets with dribble condition detected
     12707845 packets output, 2305466444 bytes, 0 underruns
     55 output errors, 77828 collisions, 3 interface resets
     0 babbles, 0 late collision, 53407 deferred
     55 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Serial0/0 is up, line protocol is up
  Hardware is PQUICC with Fractional T1 CSU/DSU
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 8/255, rxload 4/255
  Encapsulation PPP, LCP Open, multilink Open, loopback not set
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 1w0d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 25000 bits/sec, 9 packets/sec
  5 minute output rate 54000 bits/sec, 13 packets/sec
     9706629 packets input, 3305202432 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     7983564 packets output, 2609682490 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 output buffer failures, 0 output buffers swapped out
     3 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Serial0/1 is up, line protocol is up
  Hardware is PQUICC with Fractional T1 CSU/DSU
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 8/255, rxload 4/255
  Encapsulation PPP, LCP Open, multilink Open, loopback not set
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 1w0d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 25000 bits/sec, 9 packets/sec
  5 minute output rate 54000 bits/sec, 13 packets/sec
     9706610 packets input, 3305223758 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 1 abort
     7983609 packets output, 2609696604 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 output buffer failures, 0 output buffers swapped out
     3 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Multilink2216081 is up, line protocol is up
  Hardware is multilink group interface
  Internet address is 67.155.235.142/30
  MTU 1500 bytes, BW 3088 Kbit, DLY 100000 usec,
     reliability 255/255, txload 9/255, rxload 4/255
  Encapsulation PPP, LCP Open, multilink Open
  Open: IPCP, loopback not set
  DTR is pulsed for 2 seconds on reset
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters 1w0d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 82
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 59000 bits/sec, 20 packets/sec
  5 minute output rate 117000 bits/sec, 17 packets/sec
     12711333 packets input, 2184320834 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     10942531 packets output, 795447931 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 17815659
Those CRC errors are definitely not good.
Suggest clearing the counters, since you nailed up the PIX interface side.
If they continue to increase, suggest putting a small switch between the PIX and the 2600 router, and look into upgrading the router IOS to support full-duplex.
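The checks lrmoore applies to the two interface dumps above (collision-to-packet ratio on a half-duplex link, CRC and frame errors on the receiving side, late collisions as the duplex-mismatch signature) are easy to automate over `show interface` output from both the PIX and the 2600. The following is an added example, not code from the thread or from Cisco: it parses both header formats seen above, keeps the hardware counters, and reports findings per interface. The sample text is trimmed from the PIX "outside" and router Ethernet0/0 outputs posted earlier; the 5% collision-ratio warning threshold is an assumption of this example, not a Cisco figure.

```python
"""Parse PIX / IOS "show interface" counters and apply the duplex and error
checks discussed in the thread. Added example, not code from the thread;
the collision-ratio threshold is an assumed value.
"""
import re
from typing import Dict, Optional

# Interface header, both forms seen in the thread:
#   Interface Ethernet0 "outside", is up, line protocol is up   (PIX)
#   Ethernet0/0 is up, line protocol is up                        (IOS)
HEADER = re.compile(
    r'^(?:Interface\s+)?(\S+)(?:\s+"[^"]*")?,?\s+is\s+(\S+),\s+line protocol is\s+(\S+)'
)
DUPLEX = re.compile(r"(Half|Full)-duplex", re.I)

# Counter fields. The first occurrence in a section wins, so the hardware
# counters are kept over the PIX "Traffic Statistics" block that follows.
# "0 late collision(s)" has no digit directly before "collision", so the
# plain collisions pattern never picks it up.
COUNTERS = {
    "packets_input": re.compile(r"(\d+) packets input"),
    "packets_output": re.compile(r"(\d+) packets output"),
    "crc": re.compile(r"(\d+) CRC"),
    "frame": re.compile(r"(\d+) frame\b"),
    "collisions": re.compile(r"(\d+) collisions?\b"),
    "late_collisions": re.compile(r"(\d+) late collisions?\b"),
    "deferred": re.compile(r"(\d+) deferred"),
}

COLLISION_RATIO_WARN = 0.05   # assumed threshold: collisions per packet sent


def parse_interfaces(text: str) -> Dict[str, dict]:
    """Split the output into per-interface sections and pull the counters."""
    records: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = records.setdefault(
                m.group(1), {"status": m.group(2), "line_protocol": m.group(3), "duplex": None}
            )
            continue
        if current is None:
            continue
        d = DUPLEX.search(line)
        if d and current["duplex"] is None:
            current["duplex"] = d.group(1).lower()
        for key, pat in COUNTERS.items():
            c = pat.search(line)
            if c:
                current.setdefault(key, int(c.group(1)))
    return records


def assess(text: str, ratio_warn: float = COLLISION_RATIO_WARN) -> Dict[str, dict]:
    """Return per-interface counters plus a list of readable findings."""
    report: Dict[str, dict] = {}
    for name, rec in parse_interfaces(text).items():
        counters = {k: rec.get(k, 0) for k in COUNTERS}
        sent = counters["packets_output"]
        ratio = counters["collisions"] / sent if sent else 0.0
        findings = []
        if counters["crc"]:
            findings.append(f"{counters['crc']} CRC errors: bad cabling or a duplex mismatch with the far end")
        if counters["frame"]:
            findings.append(f"{counters['frame']} frame errors: same causes as CRC errors")
        if counters["late_collisions"]:
            findings.append(f"{counters['late_collisions']} late collisions: half/full duplex mismatch symptom")
        if ratio > ratio_warn:
            findings.append(f"collision ratio {ratio:.1%} exceeds {ratio_warn:.0%}: saturated or mismatched link")
        elif rec["duplex"] == "half" and counters["collisions"]:
            findings.append(f"collision ratio {ratio:.1%} on a half-duplex link: normal")
        report[name] = {**counters, "duplex": rec["duplex"], "status": rec["status"],
                        "collision_ratio": ratio, "findings": findings}
    return report


# Trimmed from the PIX "outside" and router Ethernet0/0 outputs posted in the thread.
SAMPLE = """\
Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
        4617513 packets input, 2301071458 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        4036868 packets output, 1603604822 bytes, 0 underruns
        0 output errors, 51331 collisions, 0 interface resets
        0 babbles, 0 late collisions, 66733 deferred
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0004.c05b.6680 (bia 0004.c05b.6680)
     10935097 packets input, 947426342 bytes, 0 no buffer
     148637 input errors, 148636 CRC, 33998 frame, 0 overrun, 1 ignored
     12707845 packets output, 2305466444 bytes, 0 underruns
     55 output errors, 77828 collisions, 3 interface resets
     0 babbles, 0 late collision, 53407 deferred
"""

if __name__ == "__main__":
    for name, r in assess(SAMPLE).items():
        print(name, r["duplex"], f"{r['collision_ratio']:.2%}")
        for f in r["findings"]:
            print("   -", f)
```

Run against the two dumps, the PIX side reports only the expected half-duplex collisions while the router side flags the CRC and frame errors, which matches the diagnosis in the accepted answer: the errors sit on the receiving end of the mismatched link, not where the collisions are counted.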
 
LVL 1

Author Comment

by:Vartana
ID: 17815849
Thank you for the suggestion. I put a switch between the 2 devices and no CRC errors so far. I will upgrade, or maybe add a new fast ethernet interface in the router.
I still cannot figure out why a connection error between the firewall and router can affect the upload bandwidth after the layer 3 switch. The upload bandwidth between the firewall and layer 3 switch was good, too. Anyway, I suppose this is one of those mysteries that I had better not bother too much about, to avoid getting my head hurt.
Thank you for your help, lrmoore.