Cisco 1711 Throughput 5

[STick170]

Hi all, I'm in need of some help.
I have a Cisco 1711 which I've used to maintain two VPN tunnels for several years. It is currently connected to my ISP's ADSL modem via the 10/100 ethernet port and into my network switch via the integrated 4 port switch.
I currently use a 512kb DSL connection which is soon to be upgraded to a 10mb line, my ISP will supply a new router to replace the modem which I assumed I could just plug into the Cisco 1711 and continue to use my two VPN tunnels as normal. (My external IP address will remain the same)
The people who set up the VPN's on (and supplied) the Cisco 1711 are telling me the 1711 will not be sufficient to route and encrypt the full 10Mbps of internet traffic and thus it will be necessary to install a new router of a specification that is suitable for this type and size of circuit.
They say I need to purchase a Cisco 2821(?) to replace the 1711. I thought as the ethernet port and integral switch both claim to support 10/100 it would do the job just fine. Do you guys see any reason why the 1711 won't work with the faster internet connection or do you think my VPN people are just trying to make some easy cash out of me?
Thanks in advance for any help

 

[Bubbalouie]

wow, 1 second apart on those responses!

so the Enterprise image has less than the AdvEnterprise, but would still contain 3DES for my VPN and the ability to hook up to my bonded T1?

i was reading a doc that said something like 'the 1841 provides 5 times the performance of the 1700 series routers'. i always take such pronouncements with a grain of salt but, could i tell the boss 'we'll have a 50% performance boost' to help sell the purchase of the 1841?

Thanks so much for all your help today!

 

[STick170]

Many thanks again ISPKing

 

[ISPKing]

Yes you could, it is true. The ISR's have built in vpn modules already. With aim additions for even more throughput, and all sorts of other performance enhancing asics that id not exits when the 1700 was built.

But that Cisco 1841 you posted above will not do VPN. Only Adventservices, Advipservices, advsecurity have Vpn (ipsec) features on the 1800's/

CCNP

 

[Bubbalouie]

Whew! I'm glad I asked you that then!

That version only requires 128 DRAM and 32 FL memory.

I'll think I'll spring for the memory so I can get a unit with 256/64 and be able to run the AdvEntService.

Thanks Yet Again!

 

[Bubbalouie]

OK, I know I earlier said 'one more question' but...

two more and i promise i'll go away!!!

I can pick up a vpn module for the 1841 (part number AIM-VPN/BPII-PLUS) for less than $150 used. On the 1751 all I had to do was plug it in with no configuration needed. Is it that same for the 1841 and is it worth it? A page I'm reading on Cisco's website says:

"The IPSec and SSL VPN AIM modules (AIM-VPN-BPII-PLUS and AIM-VPN/SSL-1) offer more than double the performance of the onboard cryptographic accelerator and more than five times the number of remote VPN tunnels."

Sounds pretty cool...

Also, and I promise lastly, how do I supply another ethernet port on the 1841? On the 17xx I installed a WIC-1ENET but see that is not supported on the 1841. Is it the HWIC-1FE?

 

[ISPKing]

Unless your expecting to push over 30 mbps of encrypted traffic, it's not worth the purchase. Plus the 1841 can only push a maximum of 35-40 mpbs of traffic anyway. I've never run into a vpn performance problem with either the 1841,2801, or 2811, All three have built in vpn modules that are 'suppose' to push encrypted traffic at whatever the routers pps rate is. The only benefit of the card is some more advanced features which most people never use, and the ability to add over a hundred tunnels (which nobody does), but Most companies start to hit the asa's up when they are going to push butt loads of encrypted traffic anyway.

CCNP

 

[Bubbalouie]

Well, 3 is a nice round number so I'll try one more...

I got the router and it is running Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)

Copying the running config from the 1750 went well except I had to manually enter the darn ip nat pool for some reason. There were a couple of unsupported commands as well, but I don't think they will be a big deal.

I do notice a couple of new commands like 'no ip dhcp use vrf connected', 'ip auth-proxy max-nodata-conns 3',
'ip admission max-nodata-conns 3', ' ip virtual-reassembly' on my FastEthernet interfaces, 'ip forward-protocol nd' and 'control-plane' which were not in the configuration on the 1750.

Googling the 'no ip dhcp use vrf connected' has produced severe confusion in my head and I can't seem to figure out what exactly it's purpose is.

I'm going to try and throw the router into production tomorrow. Are those new commands going to 'break' anything?

Thanks Again

Current configuration : 3096 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Greenwood_1750
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$j8JE$xNUHANH3/rbNfK8wzi3jv.
enable password WouldntULike2Know
!
no aaa new-model
memory-size iomem 25
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.9.1 192.168.9.20
!
ip dhcp pool 1
   network 192.168.9.0 255.255.255.0
   dns-server 208.67.222.222 208.67.220.220
   domain-name GREENWOOD
   default-router 192.168.9.1
   netbios-name-server 192.168.1.222
   netbios-node-type h-node
!
!
ip name-server xx.xxx.xx.xx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SomeSecretKey address xxx.xxx.xx.xx no-xauth
!
!
crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac
!
crypto map towash 11 ipsec-isakmp
 set peer xxx.xxx.xx.xx
 set transform-set s1s2trans
 match address 121
!
!
!
interface Loopback0
 ip address 10.10.240.1 255.255.255.252
!
interface FastEthernet0/0
 description connected to ATT Cisco 2801 FE0/0
 ip address xxx.xxx.xx.xx 255.255.255.248
 ip access-group 16 in
 ip verify unicast source reachable-via rx allow-default 100
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 speed 10
 full-duplex
 no keepalive
 crypto map towash
!
interface FastEthernet0/1
 description Connected to Cisco2924XL
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip policy route-map letmego
 no ip mroute-cache
 speed 100
 full-duplex
!
router rip
 version 2
 network 192.168.9.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.33.205.41
!
!
no ip http server
no ip http secure-server
ip nat pool Greenwood_1750-natpool-1 192.168.9.21 192.168.9.254 netmask 255.255.
255.0
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.9.0 0.0.0.255
access-list 10 deny   any
access-list 16 deny   192.168.9.0 0.0.0.255
access-list 16 permit any
access-list 17 permit 192.168.9.0 0.0.0.255
access-list 17 deny   any
access-list 100 permit ip any any
access-list 112 deny   ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 deny   ip 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 112 permit ip 192.168.9.0 0.0.0.255 any
access-list 120 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 permit ip 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 125 permit ip host 192.168.9.11 192.168.1.0 0.0.0.255
access-list 125 permit tcp host 192.168.9.11 192.168.1.0 0.0.0.255
snmp-server community greenin1750 RO
!
route-map nonat permit 10
 match ip address 112
!
route-map letmego permit 10
 match ip address 125
 set ip next-hop 10.10.240.2
!
!
!
control-plane
!
!
!
line con 0
 password JustCantTellYou
 speed 115200
line aux 0
line vty 0 4
 password ItsASecret
 login
!
scheduler allocate 20000 1000

 

[ISPKing]

No they are default commands, don't worry about them.
Try show run full. You'll see lots of stuff there that's usually hidden.

CCNP

 

[Bubbalouie]

went off without a hitch.

my users still complain about their rdp sessions though.

i think i'll explore the MTU on the Terminal Services Server, try and match it up with the values I set in the router and PIX and see if I can help it out that way.

I think I saw 1272 being the value earlier when I was dorking around with it. Would I set the PIX, Router and server to 1272 or 1300?

 

[ISPKing]

If it is an Ethernet Handoff. It should be 1500


CCNP

 

[Bubbalouie]

I'd read somewhere that sometimes RDP issues could be fixed by tinkering with the MTU.

Pinging from my central location (where all servers are located) to a remote location I came up with a MTU of 1272 using the ping command:

ping 192.168.9.29 -f -l 1272

and from the remote location to a server at the central location I got a MTU value of 1414 using the same procedure.

Does this mean I should change the MTU on my Terminal servers or is there something I have to do special to make a change for RDP?

 

[Bubbalouie]

I got this response from an 'Ask The Experts' session on Cisco yesterday and guess I'll try it:

Re: ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX, and FWSM

Refer this link below:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517601

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes



In your case the calculation would be 1272+20TCP+20IP+24ESP_CIPHER+12 ESP_AUTH+20 IP=1348. May be a layer 3 device in the path has a lower MTU configured and the huge packets may be sent by the RDP server with a DF bit set which may be dropped along the way. If lowering it to 1272 still doesn't resolve the issue try to lower it further.



When you say people are only complaining about RDP sluggishness (I am assuming internet traffic and other site to site traffic - loading a web page or e-mail is working fine), then the problem may very well be related to MSS.

 

[VinceWhirlwind]

Be wary of advice about changing MTU sizes - it's usually wrong. You should not tinker with MTU sizes if you can help it.

The RFC says that the router must return an ICMP packet type "Destination Unreachable" code F"ragmentation needed" and includes "MTU size for next hop" if the MTU size is too big on an unfragmentable packet.

You can tell if a router is misconfigured by pinging (as you have been doing above) with increasing sizes until you get the "fragmentation required" message. If you get no response, then that indicates a router on your path is configured in a non-RFC-compliant way.

Here is an example of the pings you should get when the router is correctly configured:

MAXIMUM MTU SIZE

C:\>ping 10.4.1.91 -l 1472 -f
Pinging 10.4.1.91 with 1472 bytes of data:
Reply from 10.4.1.91: bytes=1472 time=42ms TTL=122
Reply from 10.4.1.91: bytes=1472 time=43ms TTL=122
Reply from 10.4.1.91: bytes=1472 time=38ms TTL=122
Reply from 10.4.1.91: bytes=1472 time=48ms TTL=122

EXCESSIVE MTU SIZE

C:\>ping 10.4.1.91 -l 1473 -f
Pinging 10.4.1.91 with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.