
i2Fuzzy

join:2009-02-25
Fort Worth, TX

[Config] New ISP, same router (Cisco 1711)

So I changed from AT&T to Charter recently when I moved, and now I'm missing something in my config again:

Router#sh run                                                                   
Building configuration...                                                       
                                                                                
Current configuration : 4564 bytes                                              
!                                                                               
version 12.4                                                                    
service timestamps debug datetime msec                                          
service timestamps log datetime msec                                            
no service password-encryption                                                  
!                                                                               
hostname Router                                                                 
!                                                                               
boot-start-marker                                                               
boot-end-marker                                                                 
!                                                                               
enable secret 5 $1$G8.a$Q9hoP7qTVXRGs8jrDBEHo0                                  
!                                                                               
aaa new-model                                                                   
!                                                                               
!                                                                               
aaa authentication login default local                                          
aaa authorization network default if-authenticated                              
!                                                                               
!                                                                               
aaa session-id common                                                           
clock timezone EST -5                                                           
clock summer-time edt recurring                                                 
mmi polling-interval 60                                                         
no mmi auto-configure                                                           
no mmi pvc                                                                      
mmi snmp-timeout 180                                                            
!                                                                               
crypto pki trustpoint TP-self-signed-2917893099                                 
 enrollment selfsigned                                                          
 subject-name cn=IOS-Self-Signed-Certificate-2917893099                         
 revocation-check none                                                          
 rsakeypair TP-self-signed-2917893099                                           
!                                                                               
!                                                                               
crypto pki certificate chain TP-self-signed-2917893099                          
 certificate self-signed 01                                                     
        quit                                                                    
!                                                                               
!                                                                               
no ip dhcp use vrf connected                                                    
ip dhcp excluded-address 192.168.1.1 192.168.1.9                                
!                                                                               
ip dhcp pool home                                                               
   network 192.168.1.0 255.255.255.0                                            
   default-router 192.168.1.1                                                   
   domain-name home.local                                                       
   dns-server 208.67.222.222 208.67.220.220                                     
   lease 7                                                                      
!                                                                               
ip dhcp pool PC                                                                 
   host 192.168.1.10 255.255.255.0                                              
   hardware-address 00e0.4cfb.08ea                                              
!                                                                               
!                                                                               
ip cef                                                                          
ip ddns update method ddns                                                      
 HTTP                                                                           
  add http://<user>:<pass>@updates.dnsomatic.com/nic/update?hostname=<user>.myv 
 interval maximum 1 0 0 0                                                       
!                                                                               
ip dhcp-server 192.168.1.1                                                      
!                                                                               
multilink bundle-name authenticated                                             
!                                                                               
username afazel privilege 15 secret 5 $1$X9g9$gMMtw9HdN08ARJSTeNDvY0            
username alifazel secret 5 $1$u.7f$QrS0qklZ8HOsL88/1zPbj1                       
!                                                                               
!                                                                               
archive                                                                         
 log config                                                                     
  hidekeys                                                                      
!                                                                               
!                                                                               
ip ssh port 8022 rotary 1                                                       
!                                                                               
!                                                                               
!                                                                               
interface FastEthernet0                                                         
 description WAN Interface                                                      
 mac-address 000b.cd53.cd20                                                     
 ip ddns update hostname <hostname>.myvnc.com                                       
 ip ddns update No-IP                                                           
 ip ddns update ddns host updates.dnsomatic.com                                 
 ip address dhcp                                                                
 no ip redirects                                                                
 no ip unreachables                                                             
 no ip proxy-arp                                                                
 ip nat outside                                                                 
 ip virtual-reassembly                                                          
 no ip mroute-cache                                                             
 duplex auto                                                                    
 speed auto                                                                     
 no cdp enable                                                                  
!                                                                               
interface FastEthernet1                                                         
!                                                                               
interface FastEthernet2                                                         
!                                                                               
interface FastEthernet3                                                         
!                                                                               
interface FastEthernet4                                                         
!                                                                               
interface Vlan1                                                                 
 ip address 192.168.1.1 255.255.255.0                                           
 no ip redirects                                                                
 no ip unreachables                                                             
 no ip proxy-arp                                                                
 ip nat inside                                                                  
 ip virtual-reassembly                                                          
 no ip mroute-cache                                                             
!                                                                               
interface Async1                                                                
 no ip address                                                                  
 encapsulation slip                                                             
!                                                                               
ip forward-protocol nd                                                          
ip http server                                                                  
ip http authentication local                                                    
ip http secure-server                                                           
!                                                                               
ip nat inside source static tcp 192.168.1.10 44546 interface FastEthernet0 44546
ip nat inside source static tcp 192.168.1.10 22 interface FastEthernet0 22      
ip nat inside source static tcp 192.168.1.10 8282 interface FastEthernet0 8282  
ip nat inside source static tcp 192.168.1.10 5800 interface FastEthernet0 5800  
ip nat inside source static tcp 192.168.1.10 5900 interface FastEthernet0 5900  
ip nat inside source list 102 interface FastEthernet0 overload                  
!                                                                               
!                                                                               
!                                                                               
ip access-list extended vty                                                     
 permit tcp any any eq 8022                                                     
 deny   tcp any any eq 22 log                                                   
 deny   tcp any any eq telnet log                                               
access-list 102 permit ip 192.168.1.0 0.0.0.255 any                             
no cdp run                                                                      
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
control-plane                                                                   
!                                                                               
!                                                                               
line con 0                                                                      
line 1                                                                          
 stopbits 1                                                                     
 speed 115200                                                                   
 flowcontrol hardware                                                           
line aux 0                                                                      
line vty 0 4                                                                    
 access-class vty in                                                            
 privilege level 15                                                             
 rotary 1                                                                       
 transport input ssh                                                            
!                                                                               
ntp clock-period 17179974                                                       
ntp server 68.216.79.113                                                        
end 
 

Basically I think the reason it isn't working is that it's not getting a DHCP address from the cable modem, but I suppose it's that I'm not passing something correctly to fa0.

Anyone see anything incorrect for a cable connection?

P.S. I realize some of that looks funny in the code snippet above, but that's what Minicom makes it look like in the output :(

--
Ali Fazel
i2Telecom Representative

ladino

join:2001-02-24
USA
kudos:1
Is that the correct Mac-Address you are trying to clone?
Remove it, & shut down the router & the cable modem. Wait about 5 min. Turn the cable modem back on, once it has booted up then turn on the router & verify that the router received a DHCP address.

i2Fuzzy

join:2009-02-25
Fort Worth, TX
No good....still didn't receive an address. When I plugged it back into the laptop, however, it wouldn't work until rebooting the modem, so I feel like it's my configuration.
--
Ali Fazel
i2Telecom Representative

aryoba
Premium,MVM
join:2002-08-22
kudos:4
For some ISPs that use DHCP to provide IP addresses to their customers, a specific MAC address is needed to tie to the IP address. If the ISP does not recognize the MAC address of your equipment (in this case, the FastEthernet0 interface of your router), then the equipment will never receive an IP address.

Since you are trying to clone a MAC address into your FastEthernet0 interface, make sure that this MAC address is the one that is recognized by your ISP. You may have to confirm with your ISP about that.

cooldude9919

join:2000-05-29
kudos:5

1 edit
reply to i2Fuzzy
As far as I know Charter doesn't tie anything to a MAC address account wise. Sure the modem will learn the CPE MAC address and require a reboot if it changes, but that's it. You shouldn't really even need to clone any MAC address.

Honestly it shouldn't take much config wise to get an IP address on an interface via DHCP. Maybe play with the port speed/duplex settings, could be some funky mismatch stuff going on not allowing traffic to pass. Find the right DHCP debug command and turn it on and see if you see anything at all coming from that interface.

i2Fuzzy

join:2009-02-25
Fort Worth, TX
reply to i2Fuzzy
I'm pretty sure it's something with my config because when I connect it to the router and reboot the modem, and then change it back to the laptop when it doesn't work, I have to reboot the modem again before the laptop can get a connection. That tells me the modem is trying to do its job correctly.

Starting to drive myself crazy with this.
--
Ali Fazel
i2Telecom Representative

ImpetusEra
Premium
join:2004-05-19
00000
reply to i2Fuzzy
Shouldn't need to clone a mac with charter for a dynamic address. You of course can do that if you want, it works fine. Make sure to power cycle the modem between devices. From the router turn on dhcp debugging to see what is happening.

i2Fuzzy

join:2009-02-25
Fort Worth, TX
Hah. Just about ready to kick myself. Somewhere in my router config I improperly used a DHCP server command.

I used the command:

ip dhcp-server 192.168.1.1

incorrectly believing that was setting the DHCP server for my internal network to be that of the inside interface of the router. What that actually does, however, is enter IP addresses into a list of approved DHCP servers to receive DHCP updates from. Because the Charter DHCP server obviously does not share an IP address with my inside LAN interface, this was causing the conflict. As a matter of fact, the second I reversed the command I saw it accept the DHCP offer and get an IP address.
--
Ali Fazel
i2Telecom Representative
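
A check for the misconfiguration described in the post above, as an added example that is not part of the thread: it parses IOS-style config text and flags a global `ip dhcp-server` address that belongs to one of the router's own interfaces or subnets while another interface is a DHCP client. The function names and the sample excerpt are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running-config posted in this thread.
SAMPLE_CONFIG = """\
ip dhcp pool home
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
!
ip dhcp-server 192.168.1.1
!
interface FastEthernet0
 description WAN Interface
 ip address dhcp
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_config(text):
    """Return (interfaces, dhcp_servers) parsed from IOS-style config text.

    interfaces: name -> {"dhcp_client": bool, "addr": IPv4Interface or None}
    dhcp_servers: addresses named by global "ip dhcp-server" lines.
    """
    interfaces, dhcp_servers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()  # terminal captures often pad lines with spaces
        if not line:
            continue
        if not line[0].isspace():
            # Any unindented line (including "!") ends the interface block.
            current = None
            m = re.fullmatch(r"interface (\S+)", line)
            if m:
                current = m.group(1)
                interfaces[current] = {"dhcp_client": False, "addr": None}
            m = re.fullmatch(r"ip dhcp-server " + IPV4, line)
            if m:
                dhcp_servers.append(ipaddress.ip_address(m.group(1)))
        elif current:
            sub = line.strip()
            if sub.startswith("ip address dhcp"):
                interfaces[current]["dhcp_client"] = True
            m = re.fullmatch(r"ip address " + IPV4 + " " + IPV4, sub)
            if m:
                interfaces[current]["addr"] = ipaddress.ip_interface(
                    m.group(1) + "/" + m.group(2))
    return interfaces, dhcp_servers


def check_dhcp_server(text):
    """Return (server, interface, kind, client_interfaces) tuples, where kind
    is "own-address" or "local-subnet". Empty when no interface is a DHCP
    client or no "ip dhcp-server" address falls on a local interface."""
    interfaces, servers = parse_config(text)
    clients = tuple(sorted(n for n, i in interfaces.items() if i["dhcp_client"]))
    findings = []
    if not clients:
        return findings
    for server in servers:
        for name, info in interfaces.items():
            addr = info["addr"]
            if addr is None:
                continue
            if server == addr.ip:
                findings.append((str(server), name, "own-address", clients))
            elif server in addr.network:
                findings.append((str(server), name, "local-subnet", clients))
    return findings


if __name__ == "__main__":
    for server, iface, kind, clients in check_dhcp_server(SAMPLE_CONFIG):
        print(f"ip dhcp-server {server}: {kind} of {iface}; "
              f"DHCP client interface(s): {', '.join(clients)}")
```
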

i2Fuzzy

join:2009-02-25
Fort Worth, TX
Maybe another problem now. According to this:

»shopper.cnet.com/routers/cisco-1···l#info-5

VPN throughput (3DES IPSec) : 15 Mbps
Firewall throughput : 20 Mbps
VPN throughput (AES IPSec) : 4.5 Mbps
Intrusion detection throughput : 20 Mbps

It looks like I should be able to use my full 20Mbps connection from Charter. It looks like I'm just getting 10, though. My connection or my config? Or did I read the specs incorrectly?
--
Ali Fazel
i2Telecom Representative


kamikatze

join:2007-11-02
kudos:2

1 edit
No idea how CNET came up with those numbers, the 1700 platform is _SLOW_ (I'm talking 50MHz), even the 1760 is slow as hell.

However you should be able to tweak it a bit for more throughput.

See this recent thread:
»how much throughput can I expect?

i2Fuzzy

join:2009-02-25
Fort Worth, TX
Those are the same numbers from Cisco's site as well. I don't think anything from the other thread was helpful to me, unfortunately.

»www.cisco.com/en/US/products/hw/···#wp41226
--
Ali Fazel
i2Telecom Representative


kamikatze

join:2007-11-02
kudos:2
Let's start with the basics, put it under heavy load and post the output of
show proc cpu sorted | e 0.00%__0.00
 

elnino

join:2006-08-27
Akron, OH
reply to i2Fuzzy
said by i2Fuzzy:

Those are the same numbers from Cisco's site as well. I don't think anything from the other thread was helpful to me, unfortunately.

»www.cisco.com/en/US/products/hw/···#wp41226
Those numbers are well overstated. I was never able to get more than 6-7mbps on mine with CBAC and NAT enabled.

The Cisco performance PDF has much more realistic numbers at 6.91Mbps for the 1711.

i2Fuzzy

join:2009-02-25
Fort Worth, TX
I suppose, then, that I'm doing rather well getting 9.6Mbps out of it. I guess I'll just use my old Linksys. Any ideas for what to do with the Cisco?
--
Ali Fazel
i2Telecom Representative


kamikatze

join:2007-11-02
kudos:2
eBay it, get a bigger one.

3725/3745/1811/1841/2811 they can all chew a 40-50meg pipe.

cooldude9919

join:2000-05-29
kudos:5
said by kamikatze:

eBay it, get a bigger one.

3725/3745/1811/1841/2811 they can all chew a 40-50meg pipe.
2811 with even a few services will only get about ~20mbit total in+out. Bit more or less depending on what all you are doing.

i2Fuzzy

join:2009-02-25
Fort Worth, TX
Hmm...I got this one for $60. I'm not sure how much bigger of a router I can afford, but I can look into it.

I have some experience with the 2811s and 1841s, I used to load and troubleshoot configurations on 20-30 of them per day at a previous job. It turned out to not be as much of a learning experience as I hoped it would be.
--
Ali Fazel
i2Telecom Representative

i2Fuzzy

join:2009-02-25
Fort Worth, TX
3725/3745/1811/1841/2811 are pretty much all too expensive for me right now, but maybe in a few months I can snap up a 2811.

Thanks for all the help, everyone.
--
Ali Fazel
i2Telecom Representative


kamikatze

join:2007-11-02
kudos:2

2 edits
Get a 1811 if you can. It's cheaper and faster than the 2811. NAT + PPPoE + a few ACLs = ~70 Mbps with 60% CPU load. I have one at home, i don't talk trash
The CPU is a custom made Freescale (Motorola) SC8517 (MPC8500 family) clocked @ over 1GHz. Yes i cracked it open

The 2811 is powered by a modest RM5261A RISC @350MHz.

cooldude9919

join:2000-05-29
kudos:5
said by kamikatze:

Get a 1811 if you can. It's cheaper and faster than the 2811. NAT + PPPoE + a few ACLs = ~70 Mbps with 60% CPU load. I have one at home, i don't talk trash
The CPU is a custom made Freescale (Motorola) SC8517 (MPC8500 family) clocked @ over 1GHz. Yes i cracked it open

The 2811 is powered by a modest RM5261A RISC @350MHz.
Well, that's some good information. Why would you even get the 2811 then, mainly for the WIC and NME slots? Anything else the 2811 can do that the 1811 can't?


kamikatze

join:2007-11-02
kudos:2
Voice

cooldude9919

join:2000-05-29
kudos:5
Well I guess we messed up by going with the 2811 then because we don't even use it for voice. We only use the WIC slots for T1s in only around 1/4 of our locations. I need to get a 1811 in house and start messing with it because I have a few sites with 15mb metro-e and the 2811 can't max it out full duplex.


kamikatze

join:2007-11-02
kudos:2
What kind of services are you running on the 2811? I have one at work that can easily push 20Mbps and there's a lot going on inside that box besides routing.

cooldude9919

join:2000-05-29
kudos:5

1 edit
reply to i2Fuzzy
Nothing special really. Our sites are DMVPN spokes, but the traffic I'm talking about is just direct internet traffic at the site, not going through the DMVPN network. Using ZBFW but our "internet zone" and the main traffic "zone" are in the same zone, with just a route-map blocking a few virus ports.

Also doing QoS which I have seen affect throughput with it just being APPLIED on the interface, but it is less than 10% from what I have seen.

Check out these graphs. Peaks at around 20mbit total throughput and the cpu is at 87%.

i2Fuzzy

join:2009-02-25
Fort Worth, TX
reply to kamikatze
Can the 1811 do VPN?


kamikatze

join:2007-11-02
kudos:2

2 edits
reply to cooldude9919
Yes, it has a crypto engine built into the Freescale CPU, Motorola SEC 2.0, can't really find a meaningful datasheet for it.

Captain-Fast#sh crypto engine br
        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Enabled
                  Location:  onboard 0
              Product Name:  Onboard-VPN
                FW Version:  1
              Time running:  1121190 seconds
               Compression:  Yes
                       DES:  Yes
                     3 DES:  Yes
                   AES CBC:  Yes (128,192,256)
 

However i don't think it's as fast as the AIM-VPN/SSL2 that you can add to a 2811.

cooldude9919

join:2000-05-29
kudos:5
Yeah, if I generate some WAN traffic it is, should it not be or something? What should I check if so?

CPU utilization for five seconds: 31%/28%; one minute: 13%; five minutes: 10%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
106 1284 35115 36 0.98% 0.59% 0.23% 514 Virtual Exec
102 1198264 1955241 612 0.49% 0.36% 0.26% 0 IP Input
277 86060 16582011 5 0.32% 0.27% 0.25% 0 PPP manager
229 441556 168211 2625 0.16% 0.10% 0.05% 0 Crypto PAS Proc
298 176740 1275385 138 0.16% 0.14% 0.14% 0 IP-EIGRP: HELLO
101 48036 16554757 2 0.16% 0.09% 0.08% 0 IP ARP Retry Age
97 48676 16554761 2 0.16% 0.16% 0.16% 0 ACCT Periodic Pr
43 328620 531000 618 0.16% 0.11% 0.10% 0 Per-Second Jobs
278 47104 16582014 2 0.08% 0.11% 0.10% 0 PPP Events
88 1084 530914 2 0.08% 0.00% 0.00% 0 linktest
134 18180 893953 20 0.08% 0.04% 0.06% 0 CEF process
274 74124 468724 158 0.08% 0.00% 0.00% 0 traffic_shape
112 7648 2074025 3 0.08% 0.02% 0.00% 0 SSS Feature Time
164 20020 5305298 3 0.08% 0.06% 0.08% 0 RBSCP Background
279 1484 530878 2 0.08% 0.00% 0.00% 0 Multilink PPP
18 314248 511124 614 0.08% 0.04% 0.06% 0 ARP Input
166 4780 1036786 4 0.08% 0.01% 0.00% 0 Inspect process
17 0 1 0 0.00% 0.00% 0.00% 0 IPC BackPressure
19 4068 553713 7 0.00% 0.01% 0.00% 0 ARP Background
21 0 3 0 0.00% 0.00% 0.00% 0 AAA high-capacit
20 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
23 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager


kamikatze

join:2007-11-02
kudos:2

4 edits
cooldude9919,
show interface stats

Maybe you're process switching a lot of packets for some reason.

Haha check this out guys:

2811's CPU PMC-Sierra RM5261A:
said by datasheet :
Features
Up to 420 Dhrystone 2.1 MIPS

181x CPU Freescale MPC8500:
said by datasheet :
Features:
* Embedded e500 core, initial offerings up to 667 MHz, targeting up to 1.0 GHz
* 2,240 MIPS at 1.0 GHz (estimated Dhrystone 2.1)

Shocking

cooldude9919

join:2000-05-29
kudos:5
reply to i2Fuzzy
F1120001#show interface stats
Async1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         30      13142         50       3192
             Route cache          0          0          0          0
                   Total         30      13142         50       3192
FastEthernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor    1347323  137737860    4428564  327262159
             Route cache   62651286 3060804998   71021618 3016503779
                   Total   63998609 3198542858   75450182 3343765938
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     632723   60509055     625056  151841388
             Route cache   73591004 3048920849   61936543 2631506637
                   Total   74223727 3109429904   62561599 2783348025
NVI0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache          0          0          0          0
                   Total          0          0          0          0
Loopback0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0     115266    7607556
             Route cache          0          0          0          0
                   Total          0          0     115266    7607556
Tunnel1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     422503   41222672     440806   54921096
             Route cache    4031556 1390812052    4244639  750221868
                   Total    4454059 1432034724    4685445  805142964
 
 


kamikatze

join:2007-11-02
kudos:2
Looks alright. Probably ZBFW + QoS is enough to cripple more than 10Mbps.

I'm using old-school reflexive ACLs and some LLQ on a 2Mbps E1 line.

Bottom line, 2811 is underpowered for any job over 10Mbps with light services.
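
The process-switching check discussed above, as an added example that is not part of any post in the thread: it parses `show interface stats` output and reports, per interface, the share of packets handled on the Processor path instead of the route cache. The function names are constructed, and the threshold is left to the caller because the thread does not state one.

```python
import re

# Two interfaces copied from the "show interface stats" output posted above.
SAMPLE_OUTPUT = """\
FastEthernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor    1347323  137737860    4428564  327262159
             Route cache   62651286 3060804998   71021618 3016503779
                   Total   63998609 3198542858   75450182 3343765938
Tunnel1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     422503   41222672     440806   54921096
             Route cache    4031556 1390812052    4244639  750221868
                   Total    4454059 1432034724    4685445  805142964
"""

ROW = re.compile(
    r"\s+(Processor|Route cache|Total)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*")


def parse_interface_stats(text):
    """Return {interface: {path: (pkts_in, chars_in, pkts_out, chars_out)}}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = ROW.fullmatch(line)
        if m and current:
            stats[current][m.group(1)] = tuple(int(n) for n in m.groups()[1:])
        elif line.strip() and not line[0].isspace() and "#" not in line:
            # Unindented line without a CLI prompt: an interface name.
            current = line.strip()
            stats[current] = {}
    return stats


def process_switched_pct(text):
    """Return {interface: (pct_in, pct_out)}, the percentage of packets that
    took the Processor path. A direction with no packets yields None."""
    def pct(part, whole):
        return round(100.0 * part / whole, 2) if whole else None

    result = {}
    for name, rows in parse_interface_stats(text).items():
        if "Processor" in rows and "Total" in rows:
            proc, total = rows["Processor"], rows["Total"]
            result[name] = (pct(proc[0], total[0]), pct(proc[2], total[2]))
    return result


def over_threshold(text, threshold_pct):
    """Interfaces whose process-switched share exceeds threshold_pct in
    either direction. The threshold is the caller's choice (assumption)."""
    return sorted(name for name, shares in process_switched_pct(text).items()
                  if any(s is not None and s > threshold_pct for s in shares))


if __name__ == "__main__":
    for name, (pct_in, pct_out) in process_switched_pct(SAMPLE_OUTPUT).items():
        print(f"{name}: {pct_in}% in, {pct_out}% out on the Processor path")
```
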