| |
[Config] New ISP, same router (Cisco 1711)
So I changed from AT&T to Charter recently when I moved, now I'm missing something in my config again:
Router#sh run
Building configuration...
Current configuration : 4564 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$G8.a$Q9hoP7qTVXRGs8jrDBEHo0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default if-authenticated
!
!
aaa session-id common
clock timezone EST -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
crypto pki trustpoint TP-self-signed-2917893099
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2917893099
revocation-check none
rsakeypair TP-self-signed-2917893099
!
!
crypto pki certificate chain TP-self-signed-2917893099
certificate self-signed 01
quit
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.9
!
ip dhcp pool home
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name home.local
dns-server 208.67.222.222 208.67.220.220
lease 7
!
ip dhcp pool PC
host 192.168.1.10 255.255.255.0
hardware-address 00e0.4cfb.08ea
!
!
ip cef
ip ddns update method ddns
HTTP
add http://<user>:<pass>@updates.dnsomatic.com/nic/update?hostname=<user>.myv
interval maximum 1 0 0 0
!
ip dhcp-server 192.168.1.1
!
multilink bundle-name authenticated
!
username afazel privilege 15 secret 5 $1$X9g9$gMMtw9HdN08ARJSTeNDvY0
username alifazel secret 5 $1$u.7f$QrS0qklZ8HOsL88/1zPbj1
!
!
archive
log config
hidekeys
!
!
ip ssh port 8022 rotary 1
!
!
!
interface FastEthernet0
description WAN Interface
mac-address 000b.cd53.cd20
ip ddns update hostname <hostname>.myvnc.com
ip ddns update No-IP
ip ddns update ddns host updates.dnsomatic.com
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip mroute-cache
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 192.168.1.10 44546 interface FastEthernet0 44546
ip nat inside source static tcp 192.168.1.10 22 interface FastEthernet0 22
ip nat inside source static tcp 192.168.1.10 8282 interface FastEthernet0 8282
ip nat inside source static tcp 192.168.1.10 5800 interface FastEthernet0 5800
ip nat inside source static tcp 192.168.1.10 5900 interface FastEthernet0 5900
ip nat inside source list 102 interface FastEthernet0 overload
!
!
!
ip access-list extended vty
permit tcp any any eq 8022
deny tcp any any eq 22 log
deny tcp any any eq telnet log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class vty in
privilege level 15
rotary 1
transport input ssh
!
ntp clock-period 17179974
ntp server 68.216.79.113
end
Basically I think the reason it isn't working is that it's not getting a DHCP address from the cable modem, but I suppose it's that I'm not passing something correctly to fa0. Anyone see anything incorrect for a cable connection? P.S. I realize some of that looks funny in the code snippet above, but that's what Minicom makes it look like in the output :( |
|
| |
ladino
Member
2009-Aug-1 1:51 am
Is that the correct MAC address you are trying to clone? Remove it, and shut down the router and the cable modem. Wait about 5 min. Turn the cable modem back on; once it has booted up, turn on the router and verify that the router received a DHCP address. |
|
| |
No good....still didn't receive an address. When I plugged it back into the laptop, however, it wouldn't work until rebooting the modem, so I feel like it's my configuration. |
|
|
| |
For some ISPs that use DHCP to provide IP addresses to their customers, a specific MAC address is needed to tie to the IP address. If the ISP does not recognize the MAC address of your equipment (in this case, the FastEthernet0 interface of your router), then the equipment will never receive an IP address.
Since you are trying to clone a MAC address onto your FastEthernet0 interface, make sure that MAC address is the one recognized by your ISP. You may have to confirm that with your ISP. |
|
1 edit |
to i2Fuzzy
As far as I know Charter doesn't tie anything to a MAC address account-wise. Sure, the modem will learn the CPE MAC address and require a reboot if it changes, but that's it. You shouldn't really even need to clone any MAC address.
Honestly it shouldn't take much config-wise to get an IP address on an interface via DHCP. Maybe play with the port speed/duplex settings, could be some funky mismatch stuff going on not allowing traffic to pass. Find the right DHCP debug command and turn it on and see if you see anything at all coming from that interface. |
|
| |
I'm pretty sure it's something with my config because when I connect it to the router and reboot the modem, and then change it back to the laptop when it doesn't work, I have to reboot the modem again before the laptop can get a connection. That tells me the modem is trying to do its job correctly.
Starting to drive myself crazy with this. |
|
| |
to i2Fuzzy
Shouldn't need to clone a mac with charter for a dynamic address. You of course can do that if you want, it works fine. Make sure to power cycle the modem between devices. From the router turn on dhcp debugging to see what is happening. |
|
| |
Hah. Just about ready to kick myself. Somewhere in my router config I improperly used a DHCP server command.
I used the command:
ip dhcp-server 192.168.1.1
incorrectly believing that was setting the DHCP server for my internal network to be that of the inside interface of the router. What that actually does, however, is enter IP addresses into a list of approved DHCP servers to receive DHCP updates from. Because the Charter DHCP server obviously does not share an IP address with my inside LAN interface, this was causing the conflict. As a matter of fact, the second I reversed the command I saw it accept the DHCP offer and get an IP address. |
|
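The misconfiguration described in the post above can be checked for mechanically. The following is an added example, not part of the original thread: a short Python audit that flags a global `ip dhcp-server` address falling inside one of the router's own subnets while an interface is a DHCP client. The function name and the trimmed sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted at the top of this thread.
SAMPLE_CONFIG = """\
ip dhcp pool home
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip dhcp-server 192.168.1.1
!
interface FastEthernet0
description WAN Interface
ip address dhcp
ip nat outside
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
"""

def audit_dhcp_server(config):
    """Flag global `ip dhcp-server` addresses that fall inside one of the
    router's own subnets while an interface is configured as a DHCP client."""
    servers, clients, local = [], [], {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()          # indentation is not relied on (lost in the post)
        if line == "!":
            iface = None            # "!" closes the current interface block
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.fullmatch(r"ip dhcp-server (\d+\.\d+\.\d+\.\d+)", line):
            servers.append(ipaddress.ip_address(m.group(1)))
        elif iface and line == "ip address dhcp":
            clients.append(iface)
        elif iface and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            local[iface] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    findings = []
    for srv in servers:
        for name, net in local.items():
            if clients and srv in net.network:
                findings.append(
                    f"ip dhcp-server {srv} is inside {name} ({net.network}); "
                    f"DHCP client interface(s): {', '.join(clients)}")
    return findings

if __name__ == "__main__":
    for finding in audit_dhcp_server(SAMPLE_CONFIG):
        print(finding)
```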
| i2Fuzzy |
Maybe another problem now. According to this: » shopper.cnet.com/routers ··· l#info-5
VPN throughput (3DES IPSec) : 15 Mbps
Firewall throughput : 20 Mbps
VPN throughput (AES IPSec) : 4.5 Mbps
Intrusion detection throughput : 20 Mbps
It looks like I should be able to use my full 20Mbps connection from Charter. It looks like I'm just getting 10, though. My connection or my config? Or did I read the specs incorrectly? |
|
1 edit |
No idea how CNET came up with those numbers, the 1700 platform is _SLOW_ (I'm talking 50MHz), even the 1760 is slow as hell. However you should be able to tweak it a bit for more throughput. See this recent thread: » how much throughput can I expect? |
|
| |
Those are the same numbers from Cisco's site as well. I don't think anything from the other thread was helpful to me, unfortunately. » www.cisco.com/en/US/prod ··· #wp41226 |
|
| |
Let's start with the basics, put it under heavy load and post the output of
show proc cpu sorted | e 0.00%__0.00
|
|
elnino join:2006-08-27 Akron, OH |
to i2Fuzzy
Those numbers are well overstated. I was never able to get more than 6-7mbps on mine with CBAC and NAT enabled. The Cisco performance PDF has much more realistic numbers at 6.91Mbps for the 1711. |
|
| |
I suppose, then, that I'm doing rather well getting 9.6Mbps out of it. I guess I'll just use my old Linksys. Any ideas for what to do with the Cisco? |
|
| |
eBay it, get a bigger one.
3725/3745/1811/1841/2811 they can all chew a 40-50meg pipe. |
|
| |
said by kamikatze:
eBay it, get a bigger one.
3725/3745/1811/1841/2811 they can all chew a 40-50meg pipe.

2811 with even a few services will only get about ~20mbit total in+out. Bit more or less depending on what all you are doing. |
|
| |
Hmm...I got this one for $60. I'm not sure how much bigger of a router I can afford, but I can look into it. I have some experience with the 2811s and 1841s, I used to load and troubleshoot configurations on 20-30 of them per day at a previous job. It turned out to not be as much of a learning experience as I hoped it would be  |
|
| i2Fuzzy |
3725/3745/1811/1841/2811 are pretty much all too expensive for me right now, but maybe in a few months I can snap up a 2811.
Thanks for all the help, everyone. |
|
2 edits |
Get a 1811 if you can. It's cheaper and faster than the 2811. NAT + PPPoE + a few ACLs = ~70 Mbps with 60% CPU load. I have one at home, I don't talk trash. The CPU is a custom made Freescale (Motorola) SC8517 (MPC8500 family) clocked @ over 1GHz. Yes, I cracked it open. The 2811 is powered by a modest RM5261A RISC @350MHz. |
|
| |
said by kamikatze:
Get a 1811 if you can. It's cheaper and faster than the 2811. NAT + PPPoE + a few ACLs = ~70 Mbps with 60% CPU load. I have one at home, I don't talk trash. The CPU is a custom made Freescale (Motorola) SC8517 (MPC8500 family) clocked @ over 1GHz. Yes, I cracked it open. The 2811 is powered by a modest RM5261A RISC @350MHz.

Well, that's some good information. Why would you even get the 2811 then, mainly for the WIC and NME slots? Anything else the 2811 can do that the 1811 can't? |
|
| |
Voice  |
|
| |
Well, I guess we messed up by going with the 2811 then because we don't even use it for voice. We only use the WIC slots for T1s in only around 1/4 of our locations. I need to get a 1811 in house and start messing with it because I have a few sites with 15mb metro-e and the 2811 can't max it out full duplex. |
|
| |
What kind of services are you running on the 2811? I have one at work that can easily push 20Mbps and there's a lot going on inside that box besides routing. |
|
1 edit |
to i2Fuzzy
Nothing special really. Our sites are DMVPN spokes, but the traffic I'm talking about is just direct internet traffic at the site, not going through the DMVPN network. Using ZBFW but our "internet zone" and the main traffic "zone" are in the same zone, with just a route-map blocking a few virus ports. Also doing QoS, which I have seen affect throughput with it just being APPLIED on the interface, but it is less than 10% from what I have seen. Check out these graphs. Peaks at around 20mbit total throughput and the CPU is at 87%. |
|
| |
to kamikatze
Can the 1811 do VPN? |
|
2 edits |
to cooldude9919
Yes, it has a crypto engine built into the Freescale CPU, Motorola SEC 2.0, can't really find a meaningful datasheet for it.
Captain-Fast#sh crypto engine br
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
FW Version: 1
Time running: 1121190 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
However I don't think it's as fast as the AIM-VPN/SSL2 that you can add to a 2811. |
|
| |
yea if i generate some wan traffic it is, should it not be or something? What should i check if so?
CPU utilization for five seconds: 31%/28%; one minute: 13%; five minutes: 10%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
106 1284 35115 36 0.98% 0.59% 0.23% 514 Virtual Exec
102 1198264 1955241 612 0.49% 0.36% 0.26% 0 IP Input
277 86060 16582011 5 0.32% 0.27% 0.25% 0 PPP manager
229 441556 168211 2625 0.16% 0.10% 0.05% 0 Crypto PAS Proc
298 176740 1275385 138 0.16% 0.14% 0.14% 0 IP-EIGRP: HELLO
101 48036 16554757 2 0.16% 0.09% 0.08% 0 IP ARP Retry Age
97 48676 16554761 2 0.16% 0.16% 0.16% 0 ACCT Periodic Pr
43 328620 531000 618 0.16% 0.11% 0.10% 0 Per-Second Jobs
278 47104 16582014 2 0.08% 0.11% 0.10% 0 PPP Events
88 1084 530914 2 0.08% 0.00% 0.00% 0 linktest
134 18180 893953 20 0.08% 0.04% 0.06% 0 CEF process
274 74124 468724 158 0.08% 0.00% 0.00% 0 traffic_shape
112 7648 2074025 3 0.08% 0.02% 0.00% 0 SSS Feature Time
164 20020 5305298 3 0.08% 0.06% 0.08% 0 RBSCP Background
279 1484 530878 2 0.08% 0.00% 0.00% 0 Multilink PPP
18 314248 511124 614 0.08% 0.04% 0.06% 0 ARP Input
166 4780 1036786 4 0.08% 0.01% 0.00% 0 Inspect process
17 0 1 0 0.00% 0.00% 0.00% 0 IPC BackPressure
19 4068 553713 7 0.00% 0.01% 0.00% 0 ARP Background
21 0 3 0 0.00% 0.00% 0.00% 0 AAA high-capacit
20 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
23 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager |
|
4 edits |
cooldude9919,
show interface stats
Maybe you're process switching a lot of packets for some reason.
Haha check this out guys:
2811's CPU PMC-Sierra RM5261A:
said by datasheet: Features Up to 420 Dhrystone 2.1 MIPS
181x CPU Freescale MPC8500:
said by datasheet: Features: * Embedded e500 core, initial offerings up to 667 MHz, targeting up to 1.0 GHz * 2,240 MIPS at 1.0 GHz (estimated Dhrystone 2.1)
Shocking |
|
| |
to i2Fuzzy
F1120001#show interface stats
Async1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 30 13142 50 3192
Route cache 0 0 0 0
Total 30 13142 50 3192
FastEthernet0/0
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 1347323 137737860 4428564 327262159
Route cache 62651286 3060804998 71021618 3016503779
Total 63998609 3198542858 75450182 3343765938
FastEthernet0/1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 632723 60509055 625056 151841388
Route cache 73591004 3048920849 61936543 2631506637
Total 74223727 3109429904 62561599 2783348025
NVI0
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Total 0 0 0 0
Loopback0
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 115266 7607556
Route cache 0 0 0 0
Total 0 0 115266 7607556
Tunnel1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 422503 41222672 440806 54921096
Route cache 4031556 1390812052 4244639 750221868
Total 4454059 1432034724 4685445 805142964
|
|
| |
Looks alright. Probably ZBFW + QoS is enough to cripple more than 10Mbps.
I'm using old-school reflexive ACLs and some LLQ on a 2Mbps E1 line.
Bottom line, 2811 is underpowered for any job over 10Mbps with light services. |
|
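The process-switching check suggested earlier in the thread can be quantified from the `show interface stats` output. The following is an added example, not part of the original thread: a Python parser that computes, per interface, the share of packets on the "Processor" path versus the total. The sample is two interface blocks copied from the output posted above, and the function name is constructed for illustration.

```python
import re

# Constructed sample: two interface blocks taken from the output posted above.
SAMPLE = """\
FastEthernet0/0
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 1347323 137737860 4428564 327262159
Route cache 62651286 3060804998 71021618 3016503779
Total 63998609 3198542858 75450182 3343765938
Tunnel1
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 422503 41222672 440806 54921096
Route cache 4031556 1390812052 4244639 750221868
Total 4454059 1432034724 4685445 805142964
"""

ROW = re.compile(r"(Processor|Route cache|Total)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def process_switched_share(output):
    """Return {interface: (pct_in, pct_out)}: the percentage of packets that
    took the process-switched ("Processor") path instead of the route cache."""
    rows, iface = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = ROW.match(line)
        if m and iface:
            # Keep packet counters only (columns 1 and 3); byte counts are ignored.
            rows[iface][m.group(1)] = (int(m.group(2)), int(m.group(4)))
        elif line and not line.startswith("Switching path"):
            iface = line                      # any other non-empty line names an interface
            rows[iface] = {}
    shares = {}
    for name, paths in rows.items():
        if "Processor" not in paths or "Total" not in paths:
            continue                          # skip incomplete blocks
        (p_in, p_out), (t_in, t_out) = paths["Processor"], paths["Total"]
        shares[name] = (round(100 * p_in / t_in, 2) if t_in else 0.0,
                        round(100 * p_out / t_out, 2) if t_out else 0.0)
    return shares

if __name__ == "__main__":
    for name, (pct_in, pct_out) in process_switched_share(SAMPLE).items():
        print(f"{name}: {pct_in}% in / {pct_out}% out process-switched")
```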