Solved

Slow network using an MPLS router to point internet traffic to a juniper firewall

Posted on 2009-05-06
Last Modified: 2012-06-27
I have a site that is one of a dozen MPLS-connected sites. All MPLS traffic is great. At this site there is also a Juniper firewall connected to a T1 provided by another ISP. This external T1 is used for internet access and some VPN tunnels.

All computers and devices at this site use the MPLS router as the default gateway. The router has an appropriate default route pointing to the firewall.

When computers use the MPLS router as the gateway and get pointed out the firewall for external traffic the connection is extremely slow.

When computers use the firewall as the gateway, traffic is very fast. There is obviously some less than ideal configuration between the firewall and the router. The router is a cisco 3400 and the running config is attached.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname REDACTED
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
card type t1 0 1
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 200480
logging console critical
enable secret 5
!
! Local authentication only (no TACACS+/RADIUS); the single privilege-15 user below is the only login.
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
clock calendar-valid
no network-clock-participate wic 0
no network-clock-participate wic 1
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
ip cef
!
no ip bootp server
no ip domain lookup
ip name-server REDACTED
ip name-server REDACTED
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
modemcap entry mt56k:MSC=&f1s0=1
!
username REDACTED privilege 15 secret 5 REDACTED
archive
 log config
  hidekeys
!
! None of the four T1 controllers has a channel-group, so this config defines no serial interface.
! The only WAN-facing interface is GigabitEthernet0/0 toward the provider PE; "Router Serial Address"
! in the static routes below is the poster's placeholder for the MPLS next hop.
controller T1 0/0/0
 framing esf
 linecode b8zs
!
controller T1 0/0/1
 framing esf
 linecode b8zs
!
controller T1 0/1/0
 framing esf
 linecode b8zs
!
controller T1 0/1/1
 framing esf
 linecode b8zs
!
ip tcp synwait-time 10
!
interface GigabitEthernet0/0
 description BST-NSSP-01 GigabitEthernet11/0/0
 ip address XXX.XXX.127.54 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description customer LAN
 ip address XXX.XXX.0.1 255.255.0.0
 ! Hosts use this address as their default gateway, and the default route below points back out this
 ! same interface at the firewall. With redirects disabled here, IOS never tells a host to send
 ! internet-bound traffic to the firewall directly, so every such packet enters and leaves Gi0/1
 ! (the "across the switch and back" path the poster describes).
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 ! voipman's suggestion below targets these two lines (and the matching firewall/switch ports).
 duplex auto
 speed auto
 media-type rj45
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FIREWALL IP ADDRESS
ip route XXX.1.0.0 255.255.0.0 FIREWALL IP ADDRESS - VPN TUNNEL
ip route XXX.7.0.0 255.255.0.0 Router Serial Address
ip route XXX.13.0.0 255.255.0.0 Router Serial Address
ip route XXX.14.0.0 255.255.0.0 Router Serial Address
ip route XXX.15.0.0 255.255.0.0 Router Serial Address
ip route XXX.30.0.0 255.255.0.0 FIREWALL IP ADDRESS - VPN TUNNEL
ip route XXX.31.0.0 255.255.0.0 Router Serial Address
ip route XXX.50.0.0 255.255.0.0 Router Serial Address
ip route XXX.51.0.0 255.255.0.0 Router Serial Address
ip route XXX.52.0.0 255.255.0.0 Router Serial Address
ip route XXX.53.0.0 255.255.0.0 Router Serial Address
! Second static route for XXX.14.0.0/16. Two statics for the same prefix with the same administrative
! distance are both installed and CEF load-shares between them. If XXX.134.127.53 is the far end of
! Gi0/0's /30 (i.e. the same next hop as "Router Serial Address") this line is redundant; if it is
! a different next hop, half of that prefix's traffic is going somewhere else. Worth checking.
ip route XXX.14.0.0 255.255.0.0 XXX.134.127.53 name End-2-End
!
no ip http server
no ip http secure-server
!
access-list 97 remark ACL for NTP servers
access-list 97 permit XXX.XXX.XXX.XXX
access-list 97 permit XXX.XXX.XXX.XXX
! Notification (trap) destinations only; no snmp-server community line appears, so no polling access
! is configured unless it was redacted. Three entries use "mns-access" / "mns--access" and three use
! "nms-access"; if that is not intentional, the double-hyphen string is probably a typo.
snmp-server host XXX.XXX.XXX.XXX mns--access
snmp-server host XXX.XXX.XXX.XXX mns-access
snmp-server host XXX.XXX.XXX.XXX mns-access
snmp-server host XXX.XXX.XXX.XXX nms-access
snmp-server host XXX.XXX.XXX.XXX nms-access
snmp-server host XXX.XXX.XXX.XXX nms-access
!
control-plane
!
line con 0
 login local
! The AUX port accepts incoming modem calls (modem InOut) guarded only by the local username above:
! an out-of-band entry point that should be inventoried.
line aux 0
 session-timeout 10
 login local
 modem InOut
 modem autoconfigure type mt56k
 autohangup
 flowcontrol hardware
line vty 0 4
 session-timeout 10
 login local
 ! "transport input all" permits cleartext telnet as well as SSH, and no access-class restricts
 ! which sources may connect.
 transport input all
!
scheduler allocate 20000 1000
! ntp authenticate is on, but no ntp authentication-key / ntp trusted-key lines appear. IOS will not
! synchronize to a server whose packets do not carry a trusted key, so if the keys were not simply
! redacted this router is not syncing at all.
ntp authenticate
ntp source GigabitEthernet0/0
ntp access-group peer 97
ntp update-calendar
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx prefer
!
end

Question by: Wayneagostino
3 Comments

Expert Comment

by: voipman
ID: 24315915
Change speed and duplex to 100/full on the router and the firewall instead of auto; it may not be negotiating correctly.
 

Author Comment

by: Wayneagostino
ID: 24316318
I now believe I left out something important. Both the router and firewall are patched into the same switch. There are another 180 devices also plugged into the same switch. I can try setting the connections to 1000/full; however, performance is not an issue when traffic goes directly from the switch to the firewall, and directly from the switch to the MPLS router. It is only slow when the traffic goes across the switch to the MPLS router, and then back across the switch to the firewall and finally out to the internet.
 
Accepted Solution

by: alamow (earned 500 total points)
ID: 24317404
I don't think that having those other 180 devices on the same switch will lower the communications performance; I think there is something going on with the way the communication is flowing on the net. What voipman suggested is actually the first thing that crossed my mind, and for a connection like this you want to have that set ASAP.

I'm not sure what switch you have between the FW, MPLS and the other 180 devices, but it sounds like you have all those three pointing to the same subnet, for example 192.168.1.0; correct me if I'm wrong.

If this is the case, then you have 2 default gateways to the OUTSIDE CLOUD for the local network but you configure only one for each device. Use a different subnet between the MPLS and the FW; if you don't want to spend money on a small switch, connect them directly using a crossover cable, change your routing and it should work fine. Otherwise, create a VLAN on the current switch, configure a different subnet for the MPLS-to-FW connection and set aside 2 ports for the new VLAN that will host these connections. Reconfigure your routing. At the end you should have communication this way.

DEVICE to MPLS across (new switch OR crossover cable OR VLAN) to FW to OUTSIDE CLOUD
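The transit-subnet design from the accepted answer, worked through for the Cisco side as an added example (this is not configuration from the thread or from either poster). It assumes the VLAN option: VLAN 10 is a new transit VLAN carried on a trunk from the switch to GigabitEthernet0/1, the transit subnet is 192.0.2.0/30 (a documentation range used purely as a placeholder), the router takes 192.0.2.1 and the firewall's inside interface is renumbered to 192.0.2.2. The interface, VLAN and address values are all assumptions; the "FIREWALL IP ADDRESS" and "XXX." placeholders are the original config's.

```cisco
! Added example, not from the thread. Assumptions: VLAN 10 = transit VLAN on the
! Gi0/1 trunk; transit subnet 192.0.2.0/30 (placeholder); router .1, firewall .2.
!
! 1. Untagged (native) traffic on Gi0/1 stays the customer LAN, exactly as before.
interface GigabitEthernet0/1
 description customer LAN (untagged / native VLAN on the trunk)
 ip address XXX.XXX.0.1 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! 2. Tagged VLAN 10 on the same port is a point-to-point transit link whose only
!    members are this router and the firewall, so nothing else can be a gateway on it.
interface GigabitEthernet0/1.10
 description transit to Juniper firewall (VLAN 10)
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! 3. Re-point every route that used the firewall at its transit address. The "no"
!    form names the old next hop so only that specific static route is removed.
no ip route 0.0.0.0 0.0.0.0 FIREWALL IP ADDRESS
ip route 0.0.0.0 0.0.0.0 192.0.2.2
no ip route XXX.1.0.0 255.255.0.0 FIREWALL IP ADDRESS
ip route XXX.1.0.0 255.255.0.0 192.0.2.2 name vpn-tunnel
no ip route XXX.30.0.0 255.255.0.0 FIREWALL IP ADDRESS
ip route XXX.30.0.0 255.255.0.0 192.0.2.2 name vpn-tunnel
!
! 4. Verification from enable mode (198.51.100.10 is a placeholder external address):
!    show ip route 0.0.0.0
!        -> gateway of last resort 192.0.2.2, via GigabitEthernet0/1.10
!    show ip cef 198.51.100.10
!        -> same next hop and subinterface (CEF and RIB agree)
!    show interfaces GigabitEthernet0/1 | include duplex|errors|collisions
!        -> voipman's point: non-zero late collisions or CRC errors mean a
!           speed/duplex mismatch on this port or its switch port
!    show interfaces GigabitEthernet0/1.10
!        -> subinterface up, packets counting in both directions
! From a LAN host, "tracert 198.51.100.10" (Windows) or "traceroute" (Unix) should
! show the router's LAN address as hop 1 and 192.0.2.2 as hop 2, with no hop repeating.
```

On the firewall side the inside interface gets 192.0.2.2/30 and a static route for the LAN /16 via 192.0.2.1 (on ScreenOS `set route XXX.XXX.0.0/16 interface ethernet0/1 gateway 192.0.2.1`, on Junos `set routing-options static route XXX.XXX.0.0/16 next-hop 192.0.2.1`; the interface name is an assumption). Do not leave the firewall with a second address on the LAN /16: its connected route would win over the static, replies would go straight to the hosts while requests still came through the router, and you would be back to an asymmetric path. If you must stay on a single subnet instead, `ip redirects` on GigabitEthernet0/1 makes IOS tell each host to use the firewall directly for the destinations it reaches that way, but only hosts that honour ICMP redirects benefit, many are hardened to ignore them, and the redirect is cached per destination, so the transit subnet is the robust fix.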
