Solved

Cisco IOS config to manage newly installed T1

Posted on 2008-10-15
Last Modified: 2012-05-05
I currently work at a recreational facility that houses a ~25 PC lab, WiFi access, wired laptop docking stations, as well as Xbox Live! (online) gaming.

Recently we upgraded our internet connection to a T1. Physical config of the network is as follows.

T1 --> 2811 Router -- fa0/0  --> Windows Server 2003 (running Websense) --> Cisco 2950 (VLan 1) -- > Computer lab, WiFi, Docking stations

fa0/1 ---> Cisco 2950 (Vlan 2) --> Xbox online gaming

Cisco router/switch config is pretty basic. Just NAT/DHCP to get clients connected and online.

Websense on the Windows Server is primarily setup to block p2p/bittorent activity.

PROBLEM:

When the number of users increases, network performance suffers. Loading web pages takes a considerable amount of time, online gaming is impossible due to lag/high latency.

QUESTION:

Is there additional configuration(s) that can be done to the Cisco equipment to better manage network traffic, thus increasing performance under load? From what I've read some sort of QoS/packet prioritization for UDP online gaming packets needs to be implemented as well.

My knowledge of the Cisco IOS is limited. We have purchased Smartnet, but unfortunately have had limited success. Originally we were told the issue is because we don't have a gigabit switch. Secondly, we were told a T1 isn't sufficient for our needs. My hope is that this isn't the case.

I'll attach the config in a couple minutes, just need to make it over to that facility.

Thanks for the help!
Beeman#sh run
Building configuration...

Current configuration : 1812 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Beeman
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tN1J$PDJ/70vIMMNLKtRT6krFy.
!
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip dhcp pool BEEMAN
   network 172.25.1.0 255.255.255.0
   default-router 172.25.1.1
   dns-server 72.235.80.12 72.235.80.4
!
ip dhcp pool SERVER3
   host 172.25.1.5 255.255.255.0
   client-identifier 0100.173f.ce07.1c
   default-router 172.25.1.1
   dns-server 72.235.80.12 72.235.80.4
!
ip dhcp pool gaming
   network 172.25.2.0 255.255.255.0
   default-router 172.25.2.1
   dns-server 72.235.80.12 72.235.80.4
!
!
ip name-server 72.253.80.12
ip name-server 72.253.80.4
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 ip address 172.25.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.25.2.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address XXXXXXXXXXXXXX 255.255.255.248
 ip nat outside
 encapsulation ppp
 custom-queue-list 1
 service-module t1 timeslots 1-24
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip dns server
ip http server
ip nat inside source list 191 interface Serial0/0/0 overload
!
!
access-list 191 permit ip 172.25.1.0 0.0.0.255 any
access-list 191 permit ip 172.25.2.0 0.0.0.255 any
queue-list 1 protocol ip 1 udp 88
queue-list 1 protocol ip 1 udp 3074
queue-list 1 protocol ip 1 tcp 3074
queue-list 1 default 3
queue-list 1 queue 1 byte-count 19300
queue-list 1 queue 2 byte-count 19300
queue-list 1 queue 3 byte-count 19300
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end

Question by:thorpez
14 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 22725364
I think your latency problem is the server.
As you have it set up, everything goes through it.
 
LVL 10

Assisted Solution

by:cstosgale
cstosgale earned 75 total points
ID: 22726162
Ok,

a couple of points. If all you want to do is block p2p, you can do this on the cisco router and take the server out of the equation. The cisco can detect p2p traffic such as kazaa and block it. Also, the simplest way to control this is to use an access list on the inside interface of the router to only allow the traffic you want. Something I noticed is there is some custom queuing configured on the router. This is very old qos technology and I would recommend removing it. If you want to prioritise certain types of traffic, use the modular qos interface (mqc). This is done by classifying traffic into classes, then saying how you want to deal with that traffic.

However, fundamentally you may well be struggling with a T1. Depending on where you are, you should be able to pick up a pretty cheap ADSL line that may be able to provide more bandwidth.

The first thing I'd do is remove the custom queueing and ensure that fair queuing is enabled:-


interface Serial0/0/0
no custom-queue-list 1
fair-queue

Fair queueing will balance the traffic between different traffic flows, preventing a single flow from taking all the bandwidth.
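cstosgale's MQC suggestion, worked out as an added config fragment (not from the thread, and not something tested on this router): it keeps the Xbox Live ports the old custom queue list already matched (UDP 88, UDP/TCP 3074), moves them into a low-latency priority class, and uses NBAR for the p2p blocking cstosgale mentions. The ACL/class/policy names, the 384 kbps cap on the priority class and the NBAR protocol names are assumptions; `priority` polices the class to that rate during congestion, so size it to the real gaming load, and the p2p protocols NBAR can match depend on the IOS image. This policy only orders and drops traffic leaving the router; it does nothing for what arrives over the T1.

```text
! Added example (assumed names and rate); not from the thread.
! Match the Xbox Live ports queue-list 1 used, in either direction.
ip access-list extended XBOX-LIVE
 permit udp any eq 88 any
 permit udp any any eq 88
 permit udp any eq 3074 any
 permit udp any any eq 3074
 permit tcp any eq 3074 any
 permit tcp any any eq 3074
!
class-map match-any GAMING
 match access-group name XBOX-LIVE
!
! NBAR classification (needs ip cef, which is already on).
class-map match-any P2P
 match protocol kazaa2
 match protocol gnutella
 match protocol bittorrent
!
policy-map T1-OUT
 class P2P
  drop
 class GAMING
  priority 384
 class class-default
  fair-queue
!
interface Serial0/0/0
 no custom-queue-list 1
 no fair-queue
 service-policy output T1-OUT
!
! Verify the classes are actually seeing packets:
! Beeman#show policy-map interface serial 0/0/0
```

If the GAMING class counters stay at zero while consoles are in use, the port list is wrong for the traffic on this network; if class-default shows drops while GAMING does not, the policy is doing what was intended and the remaining latency is the T1 itself.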
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 22726197
First place to look will be error counters on the T1 serial interface.
Use "show interface serial 0/0/0" and look for increasing error counters. All zeros is good.
Next place to look is interface utilization. Once you hit about 70% on a serial interface, it is all downhill from there. There is inherent serialization delay on T1's.

Think of it this way. The speed limit on the highway is 1.5MBH, but the on-ramp can only handle one lane of packets. Sure they can go fast once they get on, but there's going to be a bottleneck getting on to start with. You've got 100Mb traffic all trying to get down to the 1Mb pipe.

Compare to something like a T3 that has a 20-lane wide on-ramp with 45MBH speed limit. A whole lot more packets can get on and get moving a lot faster.
Or another Ethernet connection with 1000MPH and 1000 lanes. Zero delay.

You've got 5000 packets going 100MBH hitting that one-lane highway onramp to the 1.5Mb T1.
Your custom queueing will only affect how packets get prioritized to get through that 1 lane onramp.

 

Author Comment

by:thorpez
ID: 22727252
A couple clarifications

The Windows server integration is primarily for AD/Group Policy for all the lab computers. I previously had the server as just another device connected to the 2950, but as far as I could determine, internet has to run through a computer monitoring activity for Websense to work. Is this true?

Everything is not running through the Win server, gaming is separated.

How do I block all p2p (ie. limewire) and bittorrent applications on the Cisco router? This isn't simply port based is it?

@ lrmoore,

Bottom line our internet connection is insufficient?

I'll run sh int serial0/0/0 and post results tomorrow.

Thanks for the help guys
 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 75 total points
ID: 22727533
In a business environment, a T1 for <30 users is good.
However, in a 'recreational facility' with gaming, all bets are off.
You'll probably have to monitor your bandwidth usage to get a better idea of what's going on.

Use something like WireShark to capture all traffic during peak times.
 

Author Comment

by:thorpez
ID: 22728073
Tried running Wireshark. Set it up to end capture after 12 hours. Needless to say, the thing was frozen when I came in the next day. Any way to have the program intermittently monitor? Or start and end at certain hours?

 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 75 total points
ID: 22731116

Author Comment

by:thorpez
ID: 22734526
Alright I updated my config. Below is the new config + showing serial interface. Looks like quite a few dropped packets? Anything else this data shows?

I'll take a look at NetFlow and see if I can set it up. What will we be able to do with data collected?

Thanks,
Zach


Beeman#sh run
Building configuration...

Current configuration : 1560 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Beeman
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tN1J$PDJ/70vIMMNLKtRT6krFy.
!
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip dhcp pool BEEMAN
   network 172.25.1.0 255.255.255.0
   default-router 172.25.1.1
   dns-server 72.235.80.12 72.235.80.4
!
ip dhcp pool SERVER3
   host 172.25.1.5 255.255.255.0
   client-identifier 0100.173f.ce07.1c
   default-router 172.25.1.1
   dns-server 72.235.80.12 72.235.80.4
!
ip dhcp pool gaming
   network 172.25.2.0 255.255.255.0
   default-router 172.25.2.1
   dns-server 72.235.80.12 72.235.80.4
!
!
ip name-server 72.253.80.12
ip name-server 72.253.80.4
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 ip address 172.25.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.25.2.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 72.253.72.82 255.255.255.248
 ip nat outside
 encapsulation ppp
 fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip dns server
ip http server
ip nat inside source list 191 interface Serial0/0/0 overload
!
!
access-list 191 permit ip 172.25.1.0 0.0.0.255 any
access-list 191 permit ip 172.25.2.0 0.0.0.255 any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end

Beeman#
Beeman#sh int se0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K with integrated T1 CSU/DSU
  Internet address is 72.253.72.82/29
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 9/255
  Encapsulation PPP, LCP Open
  Listen: CDPCP
  Open: IPCP, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:09, output 00:00:09, output hang never
  Last clearing of "show interface" counters 4w3d
  Input queue: 0/75/56/0 (size/max/drops/flushes); Total output drops: 38092
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/18819 (size/max total/threshold/drops)
     Conversations  0/12/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1152 kilobits/sec
  5 minute input rate 56000 bits/sec, 5 packets/sec
  5 minute output rate 10000 bits/sec, 3 packets/sec
     154075314 packets input, 3510277551 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     109655563 packets output, 752522951 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

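The checks lrmoore describes (error counters on the serial interface, utilization, and the ratio of output drops to packets sent) applied to the two `show interface` captures posted in this thread, as an added example that is not part of the original thread. The parser and the two warning thresholds (1% of output packets dropped, one input error per 100,000 packets) are my assumptions; the 70% utilization figure is lrmoore's. The captures below are trimmed copies of the output thorpez posted.

```python
import re

# Two "show interface serial 0/0/0" captures copied from thorpez's posts
# (trimmed to the lines this script reads). The first was taken 4w3d after the
# counters were last cleared, the second 2d23h after "clear counter".
SHOW_INT_FIRST = """\
Serial0/0/0 is up, line protocol is up
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 9/255
  Input queue: 0/75/56/0 (size/max/drops/flushes); Total output drops: 38092
  5 minute input rate 56000 bits/sec, 5 packets/sec
  5 minute output rate 10000 bits/sec, 3 packets/sec
     154075314 packets input, 3510277551 bytes, 0 no buffer
     1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     109655563 packets output, 752522951 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
"""

SHOW_INT_SECOND = """\
Serial0/0/0 is up, line protocol is up
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 508
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     14096794 packets input, 4208991668 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     9538856 packets output, 995083118 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
"""

# Field name -> regex with one capture group, as IOS prints the counter.
FIELDS = {
    "bw_kbit":           r"BW (\d+) Kbit",
    "txload":            r"txload (\d+)/255",
    "rxload":            r"rxload (\d+)/255",
    "input_queue_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
    "output_drops":      r"Total output drops: (\d+)",
    "input_rate_bps":    r"5 minute input rate (\d+) bits/sec",
    "output_rate_bps":   r"5 minute output rate (\d+) bits/sec",
    "packets_input":     r"(\d+) packets input",
    "input_errors":      r"(\d+) input errors",
    "crc":               r"(\d+) CRC",
    "frame":             r"(\d+) frame",
    "packets_output":    r"(\d+) packets output",
    "output_errors":     r"(\d+) output errors",
    "interface_resets":  r"(\d+) interface resets",
}

UTIL_WARN_PCT = 70.0       # lrmoore's rule of thumb for a serial link
DROP_WARN_RATIO = 0.01     # assumed: flag if >1% of output packets are dropped
ERROR_WARN_RATIO = 1e-5    # assumed: flag if >1 input error per 100k packets


def parse_show_interface(text):
    """Pull the counters these checks need out of 'show interface' text."""
    stats = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"{name}: not found in show interface output")
        stats[name] = int(m.group(1))
    return stats


def assess(stats):
    """Apply the thread's three checks: line errors, utilization, drop ratio."""
    bw_bps = stats["bw_kbit"] * 1000
    tx_pct = stats["txload"] / 255 * 100      # 5-minute load as IOS reports it
    rx_pct = stats["rxload"] / 255 * 100
    drop_ratio = (stats["output_drops"] / stats["packets_output"]
                  if stats["packets_output"] else 0.0)
    err_ratio = (stats["input_errors"] / stats["packets_input"]
                 if stats["packets_input"] else 0.0)
    findings = []
    if err_ratio >= ERROR_WARN_RATIO or stats["output_errors"]:
        findings.append("line errors: check the T1 circuit and CSU/DSU")
    if max(tx_pct, rx_pct) >= UTIL_WARN_PCT:
        findings.append(f"utilization {max(tx_pct, rx_pct):.0f}% >= "
                        f"{UTIL_WARN_PCT:.0f}%: link is saturated")
    if drop_ratio >= DROP_WARN_RATIO:
        findings.append(f"output drops are {drop_ratio:.2%} of packets sent")
    return {
        "tx_util_pct": tx_pct,
        "rx_util_pct": rx_pct,
        "output_rate_pct": stats["output_rate_bps"] / bw_bps * 100,
        "drop_ratio": drop_ratio,
        "input_error_ratio": err_ratio,
        "findings": findings,
    }


def counter_deltas(earlier, later,
                   names=("input_errors", "crc", "frame", "output_drops")):
    """How much each error counter grew between two captures. None marks a
    counter that went backwards, i.e. 'clear counters' was run in between."""
    return {n: (later[n] - earlier[n]) if later[n] >= earlier[n] else None
            for n in names}


if __name__ == "__main__":
    for label, capture in (("first", SHOW_INT_FIRST), ("second", SHOW_INT_SECOND)):
        r = assess(parse_show_interface(capture))
        print(f"{label}: tx {r['tx_util_pct']:.1f}%  rx {r['rx_util_pct']:.1f}%  "
              f"drops {r['drop_ratio']:.4%}  {r['findings'] or 'OK'}")
    print(counter_deltas(parse_show_interface(SHOW_INT_FIRST),
                         parse_show_interface(SHOW_INT_SECOND)))
```

Both captures come out clean under these thresholds, which is the conclusion lrmoore reaches by hand: the single CRC in 154 million packets is noise, the 5-minute loads are nowhere near 70%, and 38092 drops against 109 million packets sent is about 0.03%. The `counter_deltas` helper is what "look for increasing error counters" means in practice: take two captures some hours apart without clearing in between and watch which columns move.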
 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 75 total points
ID: 22734754
With NetFlow, you can monitor: source, destination, protocol, application, etc.
Basically full traffic analysis.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22734813
Error counters are not a problem. Dropped packets are from the queue
Try disabling fair-queue on the serial interface

 

Author Comment

by:thorpez
ID: 22735477
How do you reset those stats?
 
LVL 79

Expert Comment

by:lrmoore
ID: 22735857
clear counter serial 0/0/0

 

Author Comment

by:thorpez
ID: 22761117
Here's an updated show of the serial interface. This is from over the weekend. 508 output drops. That's not too bad is it?
Beeman#sh int se0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K with integrated T1 CSU/DSU
  Internet address is 72.253.72.82/29
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Listen: CDPCP
  Open: IPCP, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:03, output 00:00:03, output hang never
  Last clearing of "show interface" counters 2d23h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 508
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/508 (size/max total/threshold/drops)
     Conversations  0/101/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1152 kilobits/sec
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     14096794 packets input, 4208991668 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     9538856 packets output, 995083118 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Beeman#

 
LVL 79

Expert Comment

by:lrmoore
ID: 22761325
As a ratio to the number of packets output the small number of drops is insignificant. More indicative of problems would be CRC or frame errors. It appears that the T1 line is as efficient as it can be. There's just so much data you can push/pull down a 1.5M pipe.

Since this is an Internet connection, there is no QoS available to prioritize traffic once it leaves your router, or as it comes in. The best you could hope for is to set priority queues to decide the order in which it leaves your router. But remember, QoS and queueing means to give priority to some traffic, to the detriment of all other traffic. You have to very carefully decide what traffic you don't care about and what you want to give priority to.