Author Topic: More Cisco Config Help Please ??  (Read 5782 times)

  • Offline Mardoni

  • Posts: 2,636
  • Global Moderator
  • Hero Member
  • On the Sofa, probably ;)
More Cisco Config Help Please ??
Reply #15 on: November 21, 2006, 14:46:43 PM
Ok, next question :D

I am getting crappy download throughput on the public interface. I have traced the problem and it is on the public interface, giving large numbers of CRC errors.

I believe this is being caused by a mismatch of the bandwidth and duplex settings on the interface; my problem is that I cannot get them to sync up correctly.

I have an external Cable modem that provides me with around a 4mb link. The CM provides a 10/100mbit Full Duplex CAT5e interface. I am plugging the CM directly into ETH0/0 on the router using a straight through patch cable.

Here are my faults/findings when running the dslguide speedtest through the router:

Eth0/0 Settings: No Bandwidth - full-duplex
Result: 778.2 Kbps download; hundreds of CRC errors

Eth0/0 Settings: Bandwidth = 10240 - full-duplex
Result: ~900kbps download reported; hundreds of CRC errors

Eth0/0 Settings: Bandwidth = 10240 - half-duplex
Result:  1,841.4 Kbps download reported; 0 CRC errors

Eth0/0 Settings: Bandwidth = 4096 - full-duplex
Result:  897.3 Kbps download reported; hundreds of CRC errors

Eth0/0 Settings: Bandwidth = 4096 - half-duplex
Result:  1,772.4 Kbps download reported; 0 CRC errors


Now those results make it look like it has to be half-duplex but if I set to half duplex I lose 50% of my download capacity ?!?! Any ideas ??

I tried running a speedtest with a bandwidth of 8mb / Half-duplex but it came out about the same as 4mb Half-duplex !?

Eth0/0 Settings: Bandwidth = 8192 - half-duplex
Result:  1,608.7 Kbps download reported; 0 CRC errors


If I plug the modem into a SMC router I get speedtest results between 3.8 and 4mb...so it is definitely the router/modem config holding me back.

  • Offline Mardoni

More Cisco Config Help Please ??
Reply #16 on: November 21, 2006, 15:05:40 PM
I've just done a:

no bandwidth / no duplex and run the test:

Eth0/0 Settings: no bandwidth - no duplex (run shows half-duplex)
Result: 1,760.1 Kbps download reported; 0 CRC errors


Eth0/0 Settings: no bandwidth - full-duplex
Result: 820.5 Kbps download reported; hundreds CRC errors


I am really confused; it seems that when I whack the interface into full-duplex I suddenly get loads of CRC errors and the throughput drops. What does this signify ? (Faulty interface ?)


Full-duplex is supported by modem and router but when engaged I get loads of CRC.

Half duplex works fine but I see, at most, 50% of my expected download capacity.


edit: Tried both a Xover and Patch cable, makes no difference...I think the modem auto-detects...

  • Offline Mardoni

More Cisco Config Help Please ??
Reply #17 on: November 21, 2006, 20:35:12 PM
Ok a little bit more...

I am certain that there is an issue of sorts with the router but I am not sure what it is. I hooked an old lappy up to the modem @ 10mbit half-duplex and it still managed consistent download rates of around 4mbit.

I have been *playing* with the bandwidth settings, mtu, mss, queue sizes and timeouts on ip inspect and nat...
All of these things appear to affect the overall throughput of the interface but I have not been able to get the connection to stabilise at anywhere near 100% capacity.

I am still seeing massive fluctuations between 300kbit and 3mbits; not seen 3mbit+ results yet.

I was advised by NTL to use the following speed test as it is the "only one" they will accept results from:

http://homepage.ntlworld.com/robin.d.h.walker/speedtest.html

These are how the tests have been panning out:
Quote
Tue, 21 Nov 2006 20:33:39 GMT
1st 128K took 461 ms = 284321 Bytes/sec = approx 2366 kbits/sec
2nd 128K took 440 ms = 297891 Bytes/sec = approx 2478 kbits/sec
3rd 128K took 972 ms = 134848 Bytes/sec = approx 1122 kbits/sec
4th 128K took 370 ms = 354249 Bytes/sec = approx 2947 kbits/sec


and then

Quote

Tue, 21 Nov 2006 20:33:53 GMT
1st 128K took 1612 ms = 81310 Bytes/sec = approx 676 kbits/sec
2nd 128K took 982 ms = 133475 Bytes/sec = approx 1111 kbits/sec
3rd 128K took 400 ms = 327680 Bytes/sec = approx 2726 kbits/sec
4th 128K took 1432 ms = 91531 Bytes/sec = approx 762 kbits/sec


Approx. 2mins later from DSLGuide speedtest: 1,328.1 Kbps

More Cisco Config Help Please ??
Reply #18 on: November 22, 2006, 08:47:03 AM
Once again, the bandwidth setting does nothing so don't worry about that.

If the modem auto detects then your best bet is going to be to leave the router on auto detect too. When you force the router to a specific duplex it will stop sending the auto negotiate signals and you'll see errors.

CRC errors are typically from a duplex mis-match.

Your router only has a 10 Mbit interface so it's conceivable that the modem is trying to auto detect the speed setting also but can't.

When you plug the laptop in directly what speed do you see on the interface (Reported not actual)?
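
The symptoms described in this reply can be read straight off the interface counters. The following Python sketch is an added example, not code from any poster in this thread: it parses the error counters of `show interface`, using the counter layout of the `show int eth0/0` output posted later in the thread, and tags the pattern each end of a duplex mismatch typically shows. The forced full-duplex sample values and the 1% threshold are constructed assumptions.

```python
import re

# Counter lines copied from the half-duplex `show int eth0/0` output in this thread.
HALF_DUPLEX = """\
     11526 packets input, 2463125 bytes, 0 no buffer
     Received 13 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     13237 packets output, 1099205 bytes, 0 underruns
     0 output errors, 8 collisions, 0 interface resets
     0 babbles, 0 late collision, 138 deferred
"""
# Constructed: same layout, with error counts invented to resemble the
# forced full-duplex runs ("hundreds of CRC errors").
FORCED_FULL = """\
     11526 packets input, 2463125 bytes, 0 no buffer
     Received 13 broadcasts, 37 runts, 0 giants, 0 throttles
     449 input errors, 398 CRC, 14 frame, 0 overrun, 0 ignored
     13237 packets output, 1099205 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

COUNTERS = ("packets input", "packets output", "runts", "CRC", "frame",
            "collisions", "late collision", "deferred")

def parse_counters(text):
    """Return {counter name: int}; a counter missing from the text reads as 0."""
    found = {}
    for name in COUNTERS:
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        found[name] = int(m.group(1)) if m else 0
    return found

def diagnose(text, rx_error_ratio=0.01):
    """Return symptom tags; the 1% threshold is an assumption, tune per link."""
    c = parse_counters(text)
    tags = []
    rx_bad = c["CRC"] + c["runts"] + c["frame"]
    if rx_bad / max(c["packets input"], 1) >= rx_error_ratio:
        # Frames cut short by the peer's collision handling arrive damaged:
        # what the full-duplex end of a duplex mismatch sees.
        tags.append("rx-errors")
    if c["late collision"]:
        # Collisions after the first 64 bytes: what the half-duplex end sees.
        tags.append("late-collisions")
    if not tags and (c["collisions"] or c["deferred"]):
        tags.append("half-duplex-contention")  # ordinary on a half-duplex link
    return tags

for name, sample in (("half-duplex", HALF_DUPLEX), ("forced full", FORCED_FULL)):
    print(name, diagnose(sample))
```
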

  • Offline Mardoni

More Cisco Config Help Please ??
Reply #19 on: November 22, 2006, 12:26:11 PM
You're going to like this, not a lot ;)

Your comment on mis-matched duplexes got me checking the reported connections on the switches, where everything tied up as expected. BUT...as I turned around and out of the corner of my eye I thought I saw all of the connection lights on the switch die and relight, so I sat and watched...

...sure enough the switch was dying !
So I replaced it like for like and went back thinking all was solved but no ! Still the connection was slow.

So I started from the beginning...
Laptop into Modem = fine
Laptop into Router via freshly made XOver = FINE !
Laptop into Switch into Router = problems !

But that was a new switch so it makes no sense.
After some exhaustive throughput testing it turns out that all three of the 8 port Netgear switches I have appear to cause a bottleneck, even when they are only hooked up to the router (10mb) and the laptop (100mb) !
Switching the 8port for a 5port Netgear vastly improves the throughput (almost twice the throughput) ! So for now, I have replaced my 2 * 8 ports with 2 * 5port uplinked and even with the laptop at the bottom of the hierarchy (most switching required) I still see much better network throughput.

Now that I know that the network is stable, I am seeing different results from speed tests. i.e. consistent @ around 4mb :)

I have been using NTL's recommended speedtest so that if I could not solve the problem I could bitch at them :D

http://homepage.ntlworld.com/robin.d.h.walker/speedtest.html

Next up is playing with nbar and QoS so prepare yourself for some grief :D :D :)


(thanks for being my muse on this problem) :)

More Cisco Config Help Please ??
Reply #20 on: November 22, 2006, 12:31:20 PM
No worries, as an aside, if you can, get yourself a manageable switch, you may find it'll be most stable if you hard code the port connected to the router to 10/full and do likewise on the router side.

  • Offline Mardoni

More Cisco Config Help Please ??
Reply #21 on: November 22, 2006, 12:34:30 PM
I still cannot get the router to modem link to go 10 full, it starts spitting CRCs like there's no tomorrow. I am not that worried now though, as I am getting the throughput at half-duplex.

I do have a 24port 10/100 Cisco switch here; I've just not managed to get around to plugging it in yet. I thought I'd get the router up and running first :)

  • Offline Mardoni

More Cisco Config Help Please ??
Reply #22 on: November 24, 2006, 12:43:35 PM
Well, guess what...
Another day and another problem !
This one has me truly stumped and I don't know where (or how) to start...

I have a machine on a static IP address (192.168.1.1) that can access HTTP, MSN etc but it will not connect to my NNTP server !
I have stuck debugging on and also made a temporary ACL entry that allows all IP traffic from that server w/ log but I only receive (and permit) ICMP packets, I don't get any messages for tcp/udp traffic received (or dropped). I've also dumped out the NAT translations for the NNTP service and I can see them being created !

Here is my running config:
Code:


!
version 12.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 7Six2600
!
no logging buffered
no logging console
enable secret 5
enable password
!
clock timezone GMT 0
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp mss 1460
ip name-server 4.2.2.1
ip name-server 4.2.2.2
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.239 192.168.1.244
!
ip dhcp pool 7sixLAN
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.3
   domain-name 7six
   dns-server 4.2.2.1 4.2.2.2
   netbios-node-type h-node
   lease 5
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect udp idle-time 600
ip inspect dns-timeout 30
ip inspect tcp finwait-time 300
ip inspect tcp synwait-time 300
ip inspect name Ethernet0_0 realaudio
ip inspect name Ethernet0_0 sqlnet
ip inspect name Ethernet0_0 ftp
ip inspect name Ethernet0_0 fragment maximum 256 timeout 1
ip inspect name Ethernet0_0 tcp
ip inspect name Ethernet0_0 udp
ip audit notify log
ip audit po max-events 100
!
!
!
interface Ethernet0/0
 description WAN Connection (NTL)
 mac-address 0004.e22a.99f9
 bandwidth 10240
 ip address dhcp
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect Ethernet0_0 out
 half-duplex
 no cdp enable
 hold-queue 16 in
 hold-queue 4 out
!
interface Ethernet0/1
 description LAN Connection
 bandwidth 10240
 ip address 192.168.1.3 255.255.255.0
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 full-duplex
 no cdp enable
 hold-queue 0 in
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 600
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 300
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static udp 192.168.1.10 3074 interface Ethernet0/0 3074
ip nat inside source static tcp 192.168.1.10 3074 interface Ethernet0/0 3074
ip nat inside source static tcp 192.168.1.10 88 interface Ethernet0/0 88
ip classless
no ip http server
!
logging trap debugging
logging source-interface Ethernet0/0
logging 192.168.1.11
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark permit anything from NNTP server and display it
access-list 101 permit ip 216.196.109.144 0.0.0.0 any log
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc log
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any log
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc log
access-list 101 permit icmp host 62.253.96.20 any log
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any any eq 88
access-list 101 permit tcp any any eq 3074
access-list 101 permit udp any any eq 3074
access-list 101 permit tcp any eq 88 any
access-list 101 permit tcp any eq 3074 any
access-list 101 permit udp any eq 3074 any
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo
access-list 101 deny   icmp any any information-request log
access-list 101 permit icmp any any
access-list 101 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 169.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny   ip any any log
access-list 102 permit tcp any any established
access-list 102 permit ip any 192.168.1.0 0.0.0.255
access-list 102 permit icmp any 192.168.1.0 0.0.0.255
access-list 102 permit gre any 192.168.1.0 0.0.0.255
access-list 102 deny   ip any any log
no cdp run
!
line con 0
line aux 0
line vty 0 4
 session-timeout 15
 access-class 1 in
 password
 login
!
ntp server 207.46.232.189
end


Here is the NAT dump
Code:

7Six2600#show ip nat trans | inc 119
tcp 82.19.70.78:2321   192.168.1.1:2321   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2322   192.168.1.1:2322   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2324   192.168.1.1:2324   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2329   192.168.1.1:2329   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2330   192.168.1.1:2330   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2331   192.168.1.1:2331   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2333   192.168.1.1:2333   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2334   192.168.1.1:2334   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2336   192.168.1.1:2336   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2337   192.168.1.1:2337   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2341   192.168.1.1:2341   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2342   192.168.1.1:2342   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2344   192.168.1.1:2344   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2347   192.168.1.1:2347   216.196.109.144:119 216.196.109.144:119


Here is a dump of the active CBAC rules for the machine with the static IP. There is nothing for port 119 (nntp) ?
Code:

7Six2600#show ip inspect sess | inc 192.168.1.1:
 Session 8135B0D8 (192.168.1.1:1964)=>(207.46.110.44:1863) tcp SIS_OPEN
 Session 81246140 (192.168.1.1:2201)=>(66.225.235.36:80) tcp SIS_OPEN
 Session 81302228 (192.168.1.1:2320)=>(66.225.235.36:80) tcp SIS_OPEN
 Session 812334E4 (192.168.1.1:2254)=>(216.196.100.135:80) tcp SIS_OPEN
 Session 81090FF4 (192.168.1.1:2240)=>(216.196.100.135:80) tcp SIS_OPEN
 Session 81291F28 (192.168.1.1:2217)=>(213.220.100.1:80) tcp SIS_CLOSING
 Session 810964BC (192.168.1.1:2218)=>(213.220.100.1:80) tcp SIS_CLOSING



Finally, here are the stats from Eth0/0 (the WAN connection):
Code:

7Six2600#show int eth0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0004.e22a.99f9 (bia 0002.b912.fb20)
  Description: WAN Connection (NTL)
  Internet address is 82.19.70.78/22
  MTU 1500 bytes, BW 10240 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:08, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:10:40
  Input queue: 0/16/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/4 (size/max)
  5 minute input rate 12000 bits/sec, 8 packets/sec
  5 minute output rate 2000 bits/sec, 14 packets/sec
     11526 packets input, 2463125 bytes, 0 no buffer
     Received 13 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     13237 packets output, 1099205 bytes, 0 underruns
     0 output errors, 8 collisions, 0 interface resets
     0 babbles, 0 late collision, 138 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
7Six2600#


Any ideas ??
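
How IOS walks ACL 101 for one inbound packet, as an added example that is not part of the original posts: a small first-match evaluator with wildcard-mask matching, run over entries copied from the config above. The packets are constructed, 203.0.113.5 is a documentation address, and the parser handles only the syntax these entries use.

```python
from ipaddress import IPv4Address

# Entries copied from ACL 101 in the posted config (a subset, in page order).
ACL_101 = """\
access-list 101 permit ip 216.196.109.144 0.0.0.0 any log
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any any eq 3074
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 101 deny   ip any any log
"""
PORTS = {"domain": 53}  # named port used above

def _addr(tok):
    # Consume 'any', 'host A' or 'A WILDCARD'; return a predicate on an address.
    t = tok.pop(0)
    if t == "any":
        base, wild = "0.0.0.0", "255.255.255.255"
    elif t == "host":
        base, wild = tok.pop(0), "0.0.0.0"
    else:
        base, wild = t, tok.pop(0)
    b, w = int(IPv4Address(base)), int(IPv4Address(wild))
    return lambda ip: (int(IPv4Address(ip)) | w) == (b | w)  # w 1-bits: don't care

def _port(tok):
    # Consume an optional 'eq N' / 'gt N' test; return a predicate on a port.
    if tok and tok[0] in ("eq", "gt"):
        op, n = tok.pop(0), tok.pop(0)
        n = PORTS.get(n) or int(n)
        return (lambda p: p == n) if op == "eq" else (lambda p: p > n)
    return lambda p: True

def parse_ace(line):
    tok = line.split()[2:]  # drop 'access-list 101'
    ace = {"text": " ".join(line.split()), "action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["sport"] = _addr(tok), _port(tok)
    ace["dst"], ace["dport"] = _addr(tok), _port(tok)
    ace["established"] = "established" in tok
    return ace

def first_match(aces, pkt):
    """Return the first entry that matches pkt (None = implicit deny)."""
    for ace in aces:
        if (ace["proto"] in ("ip", pkt["proto"])
                and ace["src"](pkt["src"]) and ace["dst"](pkt["dst"])
                and ace["sport"](pkt["sport"]) and ace["dport"](pkt["dport"])
                # 'established' is a stateless test of the ACK/RST bits only
                and (not ace["established"] or pkt["ack"])):
            return ace
    return None

ACES = [parse_ace(line) for line in ACL_101.splitlines()]
# Constructed packets, as seen inbound on Ethernet0/0 (before NAT is undone).
NNTP_REPLY = dict(proto="tcp", src="216.196.109.144", sport=119,
                  dst="82.19.70.78", dport=2321, ack=True)
NEW_SYN = dict(proto="tcp", src="203.0.113.5", sport=40000,
               dst="82.19.70.78", dport=119, ack=False)
for p in (NNTP_REPLY, NEW_SYN):
    print(first_match(ACES, p)["text"])
```

The NNTP reply is caught by the first entry and the unsolicited SYN falls through to the final deny. `established` checks flags only; tracking real sessions is what the `ip inspect` rules in the same config do.
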

  • Offline Mark

  • Posts: 3,748
  • Hero Member
Re:More Cisco Config Help Please ??
Reply #23 on: November 24, 2006, 14:51:34 PM
Hi,

Would you not get away with

access-list 101 permit tcp host 216.196.109.144 host 192.168.1.1 eq nntp ?

Sorry for the slow reply - am in the midst of setting up a new call centre!


  • Offline Mardoni

More Cisco Config Help Please ??
Reply #24 on: November 24, 2006, 14:58:47 PM
Yeah I think that would be a more secure ACL entry than the one I am using. I've just tried it and it makes no difference...

I've been debugging CBAC and I see loads of segment retransmissions and rejections due to 0byte ack packets. I think CBAC is stopping the traffic passing to the ACL.

I've done some searching and I think I might be suffering from the known CBAC fragmentation bug; fixed later with the introduction of ip virtual fragmentation assembly.

I've ordered some more memory for my router, so I will hopefully be able to get a newer IOS on there at some point ;)


Setting up a call centre !! Certainly makes the problems I am having setting up my home look stupid !

/me dons n00b hat :D

  • Offline Serious

  • Posts: 14,467
  • Global Moderator
  • Hero Member
Re:More Cisco Config Help Please ??
Reply #25 on: November 24, 2006, 15:20:06 PM
We're all noobs when it comes to new toys ;)

  • Offline Mardoni

More Cisco Config Help Please ??
Reply #26 on: November 24, 2006, 15:46:36 PM
indeed ;)

I cannot believe this though...

It was the NNTP client application that was causing the problem; even though it *worked* with my previous router, the Cisco was blocking the conversation as the application was generating malformed / wrong ordered tcp packets !

I've changed client and it's working fine !!

Sometimes debugging networking issues is a bit like shooting in the dark ;)

  • Offline Mark

Re:More Cisco Config Help Please ??
Reply #27 on: November 24, 2006, 16:38:31 PM
At least on my checkpoint cluster I can quickly diagnose issues like that - it's a tad more frustrating in the IOS!


  • Offline BigSoy

  • Posts: 1,353
  • Hero Member
  • They sicken of the calm, who knew the storm.
More Cisco Config Help Please ??
Reply #28 on: November 24, 2006, 16:38:31 PM
Quote from: Nimrod
indeed ;)

Sometimes debugging networking issues is a bit like shooting in the dark ;)


This is why all the cool kids do apps, not infrastructure :P;)
"Within your 'purview'? Where do you think you are, some f**king regency costume drama? This is a government department, not some f**king Jane f**king Austen novel!"

  • Offline Mark

Re:More Cisco Config Help Please ??
Reply #29 on: November 24, 2006, 17:48:50 PM
The majority of which won't work without a network!
