[Config] Subnet Routing Maxing out CPU of Cisco 3725

bhawkins: I have a quick question. My network is split into three subnets (10.0.0.x (default), 10.0.1.x (DMZ, FA1/0), 10.0.2.x (voice, on a VLAN)). Usually my router sits at about 9% CPU usage, but when I copy files from my internal network to my DMZ I seem to peg the CPU at 99%, and I am only getting about 5 MB/second transfer using Windows file sharing. I have looked at the loads on the interfaces and they are only about 45%, so they are not maxed out. Do I have a bad route in my configuration that is causing my CPU to max out?
Below is my configuration; I have removed the voice and VPN sections.
Current configuration : 26253 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXXXXXXXXXXX
enable password XXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
no network-clock-participate slot 1
!
(**SSL Certificates Removed**)
!
ip cef
!
ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.200 10.0.0.254
ip dhcp excluded-address 10.0.1.1
ip dhcp excluded-address 10.0.2.2 10.0.2.99
!
ip dhcp pool MainPool
   import all
   network 10.0.0.0 255.255.255.0
   domain-name XXXX
   default-router 10.0.0.1
   option 150 ip 10.0.0.1
   dns-server 10.0.1.100 8.8.8.8 8.8.4.4
!
ip dhcp pool DMZPool
   import all
   network 10.0.1.0 255.255.255.0
   domain-name XXXX
   default-router 10.0.1.1
   dns-server 8.8.8.8 8.8.4.4
   option 150 ip 10.0.1.1
!
ip dhcp pool Voice
   network 10.0.2.0 255.255.255.0
   default-router 10.0.2.1
   option 150 ip 10.0.2.1
   dns-server 8.8.8.8
!
ip domain name XXXX
ip host XXXXX 10.0.1.100 XXXX
ip host hnweb01 10.0.1.100
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
(**Voice Removed**)
!
username xx privilege 15 password 0 xxxx
username xxx password 0 xxx
!
(**IPSEC VPN **)
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 description WAN interface
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description LAN interface$ETH-LAN$
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1.10
 description Router Interface for Voice VLAN
 encapsulation dot1Q 10
 ip address 10.0.2.1 255.255.255.0
 ip access-group 102 in
 no ip route-cache
!
interface FastEthernet1/0
 description DMZ interface $ETH-LAN$
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.10.10.0 10.10.10.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip http server
no ip http secure-server
ip http path flash:
ip dns server
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.1.100 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.0.1.100 443 interface FastEthernet0/0 443
ip nat inside source static tcp 10.0.1.100 9001 interface FastEthernet0/0 9001
ip nat inside source static tcp 10.0.1.100 9002 interface FastEthernet0/0 9002
!
access-list 10 remark Permited Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 12 permit 10.0.0.0 0.255.255.255
access-list 100 remark Restricted Inside network Access
access-list 100 remark SDM_ACL Category=17
access-list 100 permit ip any host 10.0.0.1
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit udp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq domain
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 established
access-list 101 permit udp 10.0.1.0 0.0.0.255 eq domain 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 101 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 9001
access-list 101 permit tcp any any eq 9002
access-list 102 remark Restricted Inside network Access
access-list 102 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 102 permit udp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq domain
access-list 102 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 102 permit ip 10.0.2.0 0.0.0.255 any
access-list 102 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 102 permit tcp host 199.30.56.199 any range 5060 5061
access-list 102 permit udp host 199.30.56.199 any range 5060 5061
access-list 102 permit udp any any gt 1024
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 10.0.0.0 0.0.3.255 any
snmp-server community public RO
!
(**TFTP Removed**)
!
control-plane
!
(**More CCME Phone**)
!
banner login ^CPlease Exit now unless you are authorized.^C
!
line con 0
line aux 0
line vty 0 4
 access-class 12 in
 password XXXXX
line vty 5 15
!
ntp server 64.90.182.55
!
webvpn install svc flash:/webvpn/svc.pkg
end
aryoba: Try to move the 10.0.0.0/24 into its own VLAN. Make sure the switch configuration matches the router configuration.
bhawkins: said by aryoba: Try to move the 10.0.0.0/24 into its own VLAN. Make sure the switch configuration matches the router configuration.
I will give that a shot. I assume you mean set the native VLAN on all ports to the newly created VLAN so that everything will continue to work.
Should I move the DMZ into a VLAN too, or is it OK on its own interface card?
nosx:
no ip route-cache cef
no ip route-cache
You turned off CEF. Turn it back on and get high-speed packet forwarding.
bhawkins: said by nosx:
no ip route-cache cef
no ip route-cache
You turned off CEF. Turn it back on and get high-speed packet forwarding.
Thanks, that did it; no idea why I had turned that off.
HELLFIRE (reply to bhawkins): Also, why do you have ACL 100 on FE0/1 and ACL 102 on FE0/1.10?
Honestly I'd leave FE0/1 unconfigured and put the VLANs on the respective subinterfaces. Just my 00000010 bits.
Regards
bhawkins: said by HELLFIRE: Also, why do you have ACL 100 on FE0/1 and ACL 102 on FE0/1.10?
Honestly I'd leave FE0/1 unconfigured and put the VLANs on the respective subinterfaces. Just my 00000010 bits.
Regards
I did the ACLs from this article. If I take the ACL off, wouldn't that allow the DMZ into the other interface and prevent my DNS server, which is in the DMZ, from working?
»Cisco Forum FAQ »Configure DMZ on routers
HELLFIRE: The examples in the links involve several physical interfaces, but you're using 3 physicals with one subint.
I wasn't suggesting removing all the config, just cleaning it up as follows:
- FE0/0 -- leave as is
- FE0/1 -- remove all config
- add FE0/1.1 -- apply FE0/1's config of IP address, access group, and NAT config
- FE0/1.10 -- leave as is
- FE1/0 -- leave as is
Regards
bhawkins: said by HELLFIRE: The examples in the links involve several physical interfaces, but you're using 3 physicals with one subint.
I wasn't suggesting removing all the config, just cleaning it up as follows:
- FE0/0 -- leave as is
- FE0/1 -- remove all config
- add FE0/1.1 -- apply FE0/1's config of IP address, access group, and NAT config
- FE0/1.10 -- leave as is
- FE1/0 -- leave as is
Regards
Makes sense, I will implement the changes for the VLANs. One quick question, and maybe this is the tradeoff and a reason to get a second router or use the PIX that I have sitting in the trash pile: I am seeing that internal speeds are faster, which is great, and it's no longer maxing the CPU, but I am seeing that internet routing is slower and pages seem to take a bit longer to load the first time. Is this related to caching the IP route?
Thanks again
HELLFIRE (reply to bhawkins): said by bhawkins: but I am seeing that internet routing is slower and pages seem to take a bit longer to load the first time.
Can you quantify / baseline this at all? Seriously, "routing slower and pages seem to take longer" is so generic in terms of a problem description. If your CPU speeds are lower and if speed tests are hitting near or at the rated speeds of your internet package, I'd say "job's done" and move on to the next thing.
As for what the config "route cache" does, it is simply the way a packet is forwarded within the router itself -- the three main ones are process switched, fast switched (aka route cache), and CEF, in order of least preferred / most impact on CPU to most preferred / least impact on CPU. It has very little to do with "caching the route."
Regards
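Both of the points made above, nosx's (CEF was switched off on the LAN and DMZ interfaces) and HELLFIRE's (the process / fast / CEF ordering, and which ACL sits on which interface), can be checked mechanically rather than by eyeballing a 26 KB config. The following Python script is an added example, not code from anyone in the thread or from Cisco. The config embedded in it is constructed from the interface stanzas bhawkins posted, trimmed to the lines that matter, and it assumes the global `ip cef` line is present (as it is in the posted config). It derives the effective switching path per interface from the interface-level `no ip route-cache` commands, reports the inbound ACL on each interface, and emits the IOS commands that put fast switching and CEF back.

```python
"""Audit per-interface IP switching path and inbound ACL in a Cisco IOS config.

Added example for this thread, not the posters' or Cisco's code. SAMPLE_CONFIG
is constructed from the posted interface stanzas (other sections trimmed).
"""
import re

# Constructed excerpt of the posted running-config (global 'ip cef' kept).
SAMPLE_CONFIG = """\
ip cef
!
interface FastEthernet0/0
 description WAN interface
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1
 description LAN interface$ETH-LAN$
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 no ip route-cache cef
 no ip route-cache
!
interface FastEthernet0/1.10
 description Router Interface for Voice VLAN
 encapsulation dot1Q 10
 ip address 10.0.2.1 255.255.255.0
 ip access-group 102 in
 no ip route-cache
!
interface FastEthernet1/0
 description DMZ interface $ETH-LAN$
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 no ip route-cache cef
 no ip route-cache
!
"""


def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any global command closes the stanza
    return stanzas


def global_cef_enabled(config):
    """True if 'ip cef' appears as a global (unindented) command."""
    return any(raw.strip() == "ip cef" and not raw.startswith(" ")
               for raw in config.splitlines())


def switching_path(lines, global_cef=True):
    """Effective path: 'no ip route-cache' forces process switching for every
    packet; 'no ip route-cache cef' alone leaves fast switching; otherwise CEF,
    provided CEF is enabled globally."""
    if "no ip route-cache" in lines:
        return "process"
    if "no ip route-cache cef" in lines or not global_cef:
        return "fast"
    return "cef"


def inbound_acl(lines):
    """Number or name of the ACL applied inbound on the interface, or None."""
    for line in lines:
        m = re.fullmatch(r"ip access-group (\S+) in", line)
        if m:
            return m.group(1)
    return None


def audit(config):
    """Per-interface summary: switching path and inbound ACL."""
    cef = global_cef_enabled(config)
    return {name: {"path": switching_path(lines, cef), "acl_in": inbound_acl(lines)}
            for name, lines in parse_interfaces(config).items()}


def remediation(config):
    """IOS commands that re-enable fast switching, then CEF, where turned off."""
    cmds = ["configure terminal"]
    for name, lines in parse_interfaces(config).items():
        fix = []
        if "no ip route-cache" in lines:
            fix.append(" ip route-cache")
        if "no ip route-cache cef" in lines:
            fix.append(" ip route-cache cef")
        if fix:
            cmds.append(f"interface {name}")
            cmds.extend(fix)
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    for name, info in audit(SAMPLE_CONFIG).items():
        print(f"{name:22} path={info['path']:8} acl_in={info['acl_in']}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

On the posted config this reports FE0/1, FE0/1.10 and FE1/0 as process switched and only the WAN interface as CEF switched, which matches the symptom (LAN-to-DMZ copies pegging the CPU while WAN traffic was fine). After applying the generated commands, confirm on the box with `show ip interface <name>` (the fast and CEF switching lines) and `show processes cpu sorted`. Two caveats the script does not cover: it only reads interface-level commands, so anything else that punts packets to the CPU (for example an ACL entry with the `log` keyword, which none of the posted ACLs use) is not flagged, and HELLFIRE's cleanup of moving FE0/1's address, ACL and NAT statement onto a subinterface is a layout change that this audit neither requires nor performs.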
bhawkins: I think I have figured it out. Somehow in the process of everything I managed to cause an issue reaching my DNS server. (Figured that out when I could no longer access websites I host from the inside; I kept getting the level 15 login for the router.) Sorry about that; I have corrected the issue by promoting the router back as the primary DNS server.