thorpez
asked on
Cisco IOS config to manage newly installed T1
I currently work at a recreational facility that houses a ~25 PC lab, WiFi access, wired laptop docking stations, as well as Xbox Live! (online) gaming.
Recently we upgraded our internet connection to a T1. Physical config of the network is as follows.
T1 --> 2811 Router -- fa0/0 --> Windows Server 2003 (running Websense) --> Cisco 2950 (VLan 1) -- > Computer lab, WiFi, Docking stations
fa0/1 ---> Cisco 2950 (Vlan 2) --> Xbox online gaming
Cisco router/switch config is pretty basic. Just NAT/DHCP to get clients connected and online.
Websense on the Windows Server is primarily set up to block p2p/BitTorrent activity.
PROBLEM:
When the number of users increases, network performance suffers. Loading web pages takes a considerable amount of time, online gaming is impossible due to lag/high latency.
QUESTION:
Is there additional configuration(s) that can be done to the Cisco equipment to better manage network traffic, thus increasing performance under load? From what I've read some sort of QoS/packet prioritization for UTP online gaming packets needs to be implemented as well.
My knowledge of the Cisco IOS is limited. We have purchased Smartnet, but unfortunately have had limited success. Originally we were told the issue is because we don't have a gigabit switch. Secondly, we were told a T1 isn't sufficient for our needs. My hope is that this isn't the case.
I'll attach the config in a couple minutes, just need to make it over to that facility.
Thanks for the help!
Beeman#sh run
Building configuration...
Current configuration : 1812 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Beeman
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tN1J$PDJ/70vIMMNLKtRT6krFy.
!
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip dhcp pool BEEMAN
network 172.25.1.0 255.255.255.0
default-router 172.25.1.1
dns-server 72.235.80.12 72.235.80.4
!
ip dhcp pool SERVER3
host 172.25.1.5 255.255.255.0
client-identifier 0100.173f.ce07.1c
default-router 172.25.1.1
dns-server 72.235.80.12 72.235.80.4
!
ip dhcp pool gaming
network 172.25.2.0 255.255.255.0
default-router 172.25.2.1
dns-server 72.235.80.12 72.235.80.4
!
!
ip name-server 72.253.80.12
ip name-server 72.253.80.4
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
ip address 172.25.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.25.2.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address XXXXXXXXXXXXXX 255.255.255.248
ip nat outside
encapsulation ppp
custom-queue-list 1
service-module t1 timeslots 1-24
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip dns server
ip http server
ip nat inside source list 191 interface Serial0/0/0 overload
!
!
access-list 191 permit ip 172.25.1.0 0.0.0.255 any
access-list 191 permit ip 172.25.2.0 0.0.0.255 any
queue-list 1 protocol ip 1 udp 88
queue-list 1 protocol ip 1 udp 3074
queue-list 1 protocol ip 1 tcp 3074
queue-list 1 default 3
queue-list 1 queue 1 byte-count 19300
queue-list 1 queue 2 byte-count 19300
queue-list 1 queue 3 byte-count 19300
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end
ASKER
A couple clarifications
The Windows server integration is primarily for AD/Group Policy for all the lab computers. I previously had the server as just another device connected to the 2950, but as far as I could determine, internet has to run through a computer monitoring activity for Websense to work. Is this true?
Everything is not running through the Win server, gaming is separated.
How do I block all p2p (i.e. limewire) and bittorrent applications on the Cisco router? This isn't simply port based, is it?
@ Irmoore,
Bottom line our internet connection is insufficient?
I'll run sh int serial0/0/0 and post results tomorrow.
Thanks for the help guys
ASKER
Tried running Wireshark. Set it up to end capture after 12 hours. Needless to say, the thing was frozen when I came in the next day. Any way to have the program intermittently monitor, or start and end at certain hours?
ASKER
Alright, I updated my config. Below is the new config + showing serial interface. Looks like quite a few dropped packets? Anything else this data shows?
I'll take a look at NetFlow and see if I can set it up. What will we be able to do with data collected?
Thanks,
Zach
Beeman#sh run
Building configuration...
Current configuration : 1560 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Beeman
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tN1J$PDJ/70vIMMNLKtRT6krFy.
!
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip dhcp pool BEEMAN
network 172.25.1.0 255.255.255.0
default-router 172.25.1.1
dns-server 72.235.80.12 72.235.80.4
!
ip dhcp pool SERVER3
host 172.25.1.5 255.255.255.0
client-identifier 0100.173f.ce07.1c
default-router 172.25.1.1
dns-server 72.235.80.12 72.235.80.4
!
ip dhcp pool gaming
network 172.25.2.0 255.255.255.0
default-router 172.25.2.1
dns-server 72.235.80.12 72.235.80.4
!
!
ip name-server 72.253.80.12
ip name-server 72.253.80.4
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
ip address 172.25.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.25.2.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 72.253.72.82 255.255.255.248
ip nat outside
encapsulation ppp
fair-queue
fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip dns server
ip http server
ip nat inside source list 191 interface Serial0/0/0 overload
!
!
access-list 191 permit ip 172.25.1.0 0.0.0.255 any
access-list 191 permit ip 172.25.2.0 0.0.0.255 any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
end
Beeman#
Beeman#sh int se0/0/0
Serial0/0/0 is up, line protocol is up
Hardware is GT96K with integrated T1 CSU/DSU
Internet address is 72.253.72.82/29
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 9/255
Encapsulation PPP, LCP Open
Listen: CDPCP
Open: IPCP, loopback not set
Keepalive set (10 sec)
Last input 00:00:09, output 00:00:09, output hang never
Last clearing of "show interface" counters 4w3d
Input queue: 0/75/56/0 (size/max/drops/flushes); Total output drops: 38092
Queueing strategy: weighted fair
Output queue: 0/1000/64/18819 (size/max total/threshold/drops)
Conversations 0/12/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1152 kilobits/sec
5 minute input rate 56000 bits/sec, 5 packets/sec
5 minute output rate 10000 bits/sec, 3 packets/sec
154075314 packets input, 3510277551 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
109655563 packets output, 752522951 bytes, 0 underruns
0 output errors, 0 collisions, 4 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Error counters are not a problem. Dropped packets are from the queue.
Try disabling fair-queue on the serial interface
ASKER
How do you reset those stats?
clear counter serial 0/0/0
ASKER
Here's an updated show of the serial interface. This is from over the weekend. 508 output drops. That's not too bad is it?
Beeman#sh int se0/0/0
Serial0/0/0 is up, line protocol is up
Hardware is GT96K with integrated T1 CSU/DSU
Internet address is 72.253.72.82/29
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Listen: CDPCP
Open: IPCP, loopback not set
Keepalive set (10 sec)
Last input 00:00:03, output 00:00:03, output hang never
Last clearing of "show interface" counters 2d23h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 508
Queueing strategy: weighted fair
Output queue: 0/1000/64/508 (size/max total/threshold/drops)
Conversations 0/101/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1152 kilobits/sec
5 minute input rate 1000 bits/sec, 1 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
14096794 packets input, 4208991668 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9538856 packets output, 995083118 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Beeman#
As a ratio to the number of packets output the small number of drops is insignificant. More indicative of problems would be CRC or frame errors. It appears that the T1 line is as efficient as it can be. There's just so much data you can push/pull down a 1.5M pipe.
Since this is an Internet connection, there is no QoS available to prioritize traffic once it leaves your router, or as it comes in. The best you could hope for is to set priority queues to decide the order in which it leaves your router. But remember, QoS and queueing means to give priority to some traffic, to the detriment of all other traffic. You have to very carefully decide what traffic you don't care about and what you want to give priority to.
As you have it set up, everything goes through it.
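The drop-ratio comparison made in the reply above can be reproduced from the two `sh int se0/0/0` outputs in the thread. The following Python sketch is an added example, not code posted by anyone in the thread; the function names are hypothetical, and it goes one step beyond the reply by also normalizing drops to the "Last clearing" window so the 4w3d and 2d23h samples are comparable.

```python
import re

# Excerpts: lines copied from the two "sh int se0/0/0" outputs in the thread.
FIRST = """\
Last clearing of "show interface" counters 4w3d
Input queue: 0/75/56/0 (size/max/drops/flushes); Total output drops: 38092
154075314 packets input, 3510277551 bytes, 0 no buffer
1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
109655563 packets output, 752522951 bytes, 0 underruns
"""
SECOND = """\
Last clearing of "show interface" counters 2d23h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 508
14096794 packets input, 4208991668 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
9538856 packets output, 995083118 bytes, 0 underruns
"""

PATTERNS = {
    "output_drops": r"Total output drops: (\d+)",
    "packets_in": r"(\d+) packets input",
    "packets_out": r"(\d+) packets output",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
}
HOURS = {"w": 168, "d": 24, "h": 1}

def window_hours(elapsed):
    """Convert IOS elapsed-time strings such as 4w3d or 2d23h to hours."""
    parts = re.findall(r"(\d+)([wdh])", elapsed)
    if not parts:
        raise ValueError(f"unsupported elapsed time: {elapsed!r}")
    return sum(int(n) * HOURS[unit] for n, unit in parts)

def summarize(output):
    """Return drop and line-error ratios for one 'show interface' output."""
    c = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, output)
        if m is None:
            raise ValueError(f"counter {name!r} not found")
        c[name] = int(m.group(1))
    hours = window_hours(re.search(r"counters (\w+)", output).group(1))
    return {
        # Queue drops relative to packets sent (the ratio the reply refers to).
        "drop_ratio": c["output_drops"] / max(c["packets_out"], 1),
        "drops_per_day": c["output_drops"] * 24 / hours,
        # CRC/frame errors point at the line itself rather than congestion.
        "line_error_ratio": (c["crc"] + c["frame"]) / max(c["packets_in"], 1),
    }
```
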