Limit the rate of packed transmission on a virtual interface...

[JPFSanders]

Hi all,

I have an 877w Cisco router which is hanging from time to time and when it does
it doesn't respond to ping or process any traffic at all. The lights blink from
time to time and that is all that it does when the trouble appears.

When I check the console using the serial cable the terminal is filled with the
following error message:

%C870_FE-4-QUEUE_FULL: Ethernet Switch Module transmit queue is full

I have done some googling and the only thing I found is this doc in cisco's website

The url: is

http://www.ciscosystems.co.nz/en/US/docs/ios/12_4t/system/messages/sm_ht01.html

Inside it can be read:

---8<---

Error Message

%C870_FE-4-QUEUE_FULL : Ethernet Switch Module transmit queue is full

Explanation The switch module's transmit queue is full and packets are being dropped.

Recommended Action Reduce the rate of packet transmission to the Switched Virtual Interfaces to be less than 9 Mbps.

---8<---

That is cool because 9mps in this particular situation is fine as the router
sits on the internet border and I do not require it to do any switching other
than to route to the internet.

However how does one limit the rate of packed transmission on a virtual
interface? Or on any interface at all.

I'm banging my head against the wall with this and I would welcome any help.

Many thanks in advance.

 

[burtsbees]

On the SVI, just do the rate-limit command, or policy map.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[JPFSanders]

@burtsbees

Hi,

Thanks for your reply, I never had to use such a thing before, I'm not a Cisco expert by the way.

When I try to configure the interface rate-limit requires "input" or "output" besides the rate, what should I use?

By the way, do you know why could this problem be happening?

I'm connecting a non-managed gigabit switch to the router's port, could it be the reason?

 

[North323]

this is happening because your router interface is set at 100mb and your ISP has a rate limit or police policy for 10mb so there is a bottle neck. i would put the rate limit output because its already coming 'in' at a lower mb rate. you can also fix this by setting your router interface (virtual) to half duplex

 

[JPFSanders]

@North323,

I think I get it now reading your explanation; the virtual interface is not the Vlan, but the WAN virtual interface...

So the problem lies in my external link and not on the inside part of the lan...

That makes sense, I was wondering why the 100mb switch built-in the router could not cope with the 100mb traffic.

Many thanks I will try this tonight and see how it goes.

I'm wondering why is this happening from time to time only.

 

[JPFSanders]

Hi,

As I have a 6mb/1mb ADSL line I issued the rate-limit command in my Dialer interface as follows:

rate-limit output 8496000 90000 100000 conform-action transmit exceed-action drop

8496000 because cisco says less than 9 megabits and 90000, 100000 because I have a megabit upload speed.

Is this right? The router does not complain so far, however the issue appears to be kind of random so after a few days go by I won't be sure it does the trik...

what do you guys think?

 

[North323]

i would have used the srr_qos method, something like
config t
int whatever
duplex half (to set this interface to 10mb)
srr-queue bandwidth limit 60

The 60 sets the outbound bandwidth limit on the port to 60 percent of the port speed.
Since this is a 10-Mb port, this should limit the outbound traffic from the port to 6 Mb

 

[JPFSanders]

Nope, the router still has trouble even if I limit the output rate of the interfaces...

The topology is as follows, there are two workstations plus a laptop which is on sometimes.

The laptop connects wireless to the router, the workstations connect to a 8 port 3com gb unmanaged switch.

The 3com switch connects to one of the switch ports in the 877w router.

The connection to the internet is ADSL 6mb downstream and 1mb upstream.

I think there is something fundamentally wrong here, the router should just drop the traffic in case of excess, at the end of the day there is only a couple of workstations behind the router which even has 256mb RAM

Besides the continuous stream of messages saying: "%C870_FE-4-QUEUE_FULL: Ethernet Switch Module transmit queue is full"

I did a "enable debug sanity" last time and I can see there is a large number of old buffers hanging there.

Also the "atm 0" interface show a huge number of drops in just 3 days: "Total output drops: 11197" the "vlan 2" interface (bound to the wireless) also shows some unusual drops: "Total output drops: 483"

I'm really puzzled, I'm starting to think the ios release has something to do with this, I'm using Version 12.4(24)T1.

 

[burtsbees]

int atm0
clock rate aal5 6144000
clock rate aal2 1024000

Also, put the rate-limit inbound as well as outbound.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[JPFSanders]

@burtsbees

Hi, there is no "clock" command under the atm configuration, however I modified my dialer to include rate-limit outbound and inbound.

This is what it looks like now:

interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
end

interface ATM0.1 point-to-point
pvc 8/35
vbr-nrt 1000 1000
tx-ring-limit 3
encapsulation aal5snap
service-policy output QoS
max-reserved-bandwidth 90
pppoe-client dial-pool-number 1
!
end

interface Dialer1
bandwidth 1024
bandwidth receive 6877
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1478
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip inspect fw-inbound in
ip inspect fw-outbound out
ip virtual-reassembly
rate-limit input 8496000 700000 800000 conform-action transmit exceed-action drop
rate-limit output 8496000 700000 800000 conform-action transmit exceed-action drop
encapsulation ppp
ip tcp adjust-mss 1300
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname (xxxx)
ppp chap password 7 (xxxx)
crypto map (xxx)
max-reserved-bandwidth 90
end

Let's see what happens in a day or two...

 

[burtsbees]

You said,

"8496000 because cisco says less than 9 megabits and 90000, 100000 because I have a megabit upload speed."

No---100000=100Kbps. That is the max burst rate. It can burst to 8600000, and average (before retransmitting packets because of the drops after the limit is reached) of 90K.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[JPFSanders]

@burtsbees

Hi, thanks, seems I missed a "0"

 

[burtsbees]

I was not trying to point that part out, but it seems you may have been confused at max burst limits vs. upload speed...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[JPFSanders]

@Burtsbees,

Hi, thanks, I realize that I need to read how the rate-limit command works. As you pointed out I misinterpreted what the parameters are for.

So far uptime is 1 day, 23 hours, 27 minutes without any strange incidents except for those in the logs which happened just now.

%SYS-6-BLKINFO: 0x8580DA10 poison over BLOCKMAGIC 0x8580DBEC len 0x404

blk 8580D9E0, words 514, alloc 821B8110, Free, dealloc F08BA6BE, rfcnt 0, -Traceback= 0x800257A0z 0x800272F4z 0

%SYS-6-MEMDUMP: 0x8580D9E0: 0xAB1234CD 0xAC0000 0xAC 0x82A20C38

%SYS-6-MEMDUMP: 0x8580D9F0: 0x821B8110 0x8580DE14 0x8580D3E4 0x202

%SYS-6-MEMDUMP: 0x8580DA00: 0x0 0x8115BCB8 0xB3 0x84A95244

%SYS-6-BLKINFO: 0x8580DA10 poison over BLOCKMAGIC 0x8580DBEC len 0x404

blk 8580DBEC, words 14, alloc 819F609C, InUse, dealloc 0, rfcnt 1, -Traceback= 0x800257A0z 0x8002733Cz 0x80028A

%SYS-6-MEMDUMP: 0x8580DBEC: 0xAB1234CD 0xFFFE0000 0x0 0x82B842E0

%SYS-6-MEMDUMP: 0x8580DBFC: 0x819F609C 0x846A5768 0x846A281C 0x8000000E

%SYS-6-MEMDUMP: 0x8580DC0C: 0x1 0x0 0x1 0x83BB9FD4

Have you seen anything like this before?

 

[JPFSanders]

Nah, crashed again today... the same symptoms lots of drops and lots of:

"%C870_FE-4-QUEUE_FULL: Ethernet Switch Module transmit queue is full"

Back to square one, this time got a lot of dumps from the #debug sanity command.

I'll feed the dumps into a spreadsheet to see what I find.

 

[burtsbees]

You're putting the rate limit on the wrong interface. Post a complete config.

FE4 is Fastethernet 4, part of Ethernet 0 or 1...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[JPFSanders]

Hi, here is my config, but I think that %C870_FE-4-QUEUE_FULL stands for: "870 series router fast ethernet module error number 4 Queue full".

There is only a single port being used on the router and that is FastEthernet 0 not 4.

-----------------8<------------------------

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
logging rate-limit 30 except warnings
enable secret 5 xxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_AUTHENT none
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone GMT 1
clock summer-time BST recurring
!
crypto pki trustpoint TP-self-signed-2707961938
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2707961938
revocation-check none
rsakeypair TP-self-signed-2707961938
!
!
crypto pki certificate chain TP-self-signed-xxxxx

dot11 mbssid
dot11 syslog
!
dot11 ssid domain_MB2
vlan 2
authentication open
authentication key-management wpa
guest-mode
mbssid guest-mode
wpa-psk ascii 7 046428091F387F612F2D51474B5D
!
no ip subnet-zero
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address x.x.x.240 x.x.x.249
ip dhcp excluded-address x.x.x.80 x.x.x.81
ip dhcp excluded-address x.x.x.1 x.x.x.21
ip dhcp excluded-address y.y.y.1 y.y.y.21
!
ip dhcp pool BRUTUS
host x.x.x.80 255.255.255.0
client-identifier 0100.1d7d.e978.72
client-name BRUTUS
!
ip dhcp pool LAPTIE
host x.x.x.81 255.255.255.0
client-identifier 0100.10c6.e3e3.b8
client-name laptie
!
ip dhcp pool LAPTIE-WIRELESS
host y.y.y.21 255.255.255.0
client-identifier 0100.14a4.81d8.fb
client-name laptie
!
ip dhcp pool x.x.x.0/24
network x.x.x.0 255.255.255.0
domain-name domain.org
dns-server x.x.x.10 62.14.63.145 80.58.61.254 212.73.32.67
netbios-name-server x.x.x.10
netbios-node-type h-node
default-router x.x.x.2
lease 7
!
ip dhcp pool vlan2
network y.y.y.0 255.255.255.0
domain-name domain.org
dns-server x.x.x.10 62.14.63.145 80.58.61.254 212.73.32.67
netbios-name-server x.x.x.10
netbios-node-type h-node
default-router x.x.x.2
lease 7
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name domain.org
ip host ntp-server-1 147.83.123.136
ip host ntp-server-2 195.10.6.126
ip host barask10 x.x.x.10
ip host members.dyndns.org 204.13.248.112
ip name-server x.x.x.10
ip name-server 62.14.63.145
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect udp idle-time 20
ip inspect hashtable-size 2048
ip inspect tcp idle-time 600
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect tcp reassembly queue length 32
ip inspect tcp reassembly timeout 10
ip inspect tcp reassembly alarm on
ip inspect name fw-outbound ftp alert on
ip inspect name fw-outbound tcp alert on
ip inspect name fw-outbound udp alert on
ip inspect name fw-outbound imap alert on
ip inspect name fw-outbound imaps alert on
ip inspect name fw-outbound dns alert on
ip inspect name fw-outbound ssh alert on
ip inspect name fw-outbound telnet alert on
ip inspect name fw-outbound icmp alert on
ip inspect name fw-outbound pop3 alert on
ip inspect name fw-outbound edonkey alert on
ip inspect name fw-outbound bittorrent alert on
ip inspect name fw-outbound ntp alert on
ip inspect name fw-outbound isakmp alert on
ip inspect name fw-outbound esmtp alert on
ip inspect name fw-outbound https alert on timeout 900
ip inspect name fw-inbound udp alert on
ip inspect name fw-inbound tcp alert on
ip inspect name fw-inbound https alert on timeout 900
ip inspect name fw-inbound ssh alert on
ip inspect name fw-inbound isakmp alert on
ip inspect name fw-inbound ftp alert on
ip ddns update method DynDNS
HTTP
add

http://xxxxxx:xxxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

interval maximum 10 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxx secret 5 xxxxx
username xxxx privilege 15 secret 5 xxxxx
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 20
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group xxxxxx
key xxxxx
dns x.x.x.10
wins x.x.x.10
domain domain.org
pool pool-ip-vpn
acl 110
!
!
crypto ipsec transform-set domain-vpn-set esp-3des esp-sha-hmac
!
crypto dynamic-map domain-dyn-map 10
description A dynamic crypto map for VPN users
set transform-set domain-vpn-set
!
!
crypto map domain-map client authentication list userauthen
crypto map domain-map isakmp authorization list groupauthor
crypto map domain-map client configuration address respond
crypto map domain-map 10 ipsec-isakmp dynamic domain-dyn-map
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map match-any class2
match access-group name QOS-WEB-TRAFFIC
class-map match-any class1
match access-group name QOS-PRIORITY-TRAFFIC
match protocol skype
!
!
policy-map QoS
class class1
bandwidth percent 50
class class2
bandwidth percent 35
random-detect
class class-default
bandwidth percent 5
fair-queue
random-detect
!
!
bridge irb
!
!
interface Loopback0
ip address 192.168.248.1 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 512 in
!
interface ATM0.1 point-to-point
pvc 8/35
vbr-nrt 1000 1000
tx-ring-limit 3
encapsulation aal5snap
service-policy output QoS
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 2 mode ciphers tkip
!
broadcast-key vlan 2 change 45
!
!
ssid domain_MB2
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
rts threshold 2312
no cdp enable
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Vlan1
ip address x.x.x.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip accounting output-packets
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1460
!
interface Vlan2
no ip address
bridge-group 2
bridge-group 2 spanning-disabled
!
interface Dialer1
bandwidth 1024
bandwidth receive 6877
ip address negotiated
ip access-group 102 in
no ip redirects
no ip proxy-arp
ip mtu 1478
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip inspect fw-inbound in
ip inspect fw-outbound out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1300
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxadsl
ppp chap password 7 xxxxxxxx
crypto map domain-map
max-reserved-bandwidth 90
!
interface BVI2
description Bridge to Internal Network
ip address y.y.y.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1460
!
ip local pool pool-ip-vpn w.w.w.1 w.w.w.14
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 8443
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-cache timeout active 1
ip flow-export source Vlan1
ip flow-export version 9
ip flow-export template timeout-rate 3
ip flow-export destination x.x.x.10 2055
ip flow-top-talkers
top 50
sort-by bytes
cache-timeout 7200
!
ip nat inside source static tcp x.x.x.10 44010 interface Dialer1 44010
ip nat inside source static tcp x.x.x.10 80 interface Dialer1 80
ip nat inside source static tcp x.x.x.10 443 interface Dialer1 443
ip nat inside source static tcp x.x.x.10 8183 interface Dialer1 8183
ip nat inside source route-map nonat interface Dialer1 overload
!
ip access-list extended QOS-PRIORITY-TRAFFIC
permit icmp any any echo
permit icmp any any echo-reply
permit udp any any eq domain
permit udp any eq domain any
permit tcp any any eq 3389
permit tcp any eq 3389 any
permit tcp any any eq 443
permit tcp any eq 443 any
permit tcp any any eq 44322
permit tcp any eq 44322 any
permit tcp any any range 22 telnet
permit tcp any range 22 telnet any
permit tcp any any eq 44010
permit tcp any eq 44010 any
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit udp any any eq isakmp
permit udp any eq isakmp any
permit tcp any any eq 52814
permit tcp any eq 52814 any
permit tcp any any eq 6129
permit tcp any eq 6129 any
ip access-list extended QOS-WEB-TRAFFIC
permit tcp any any eq www
permit tcp any eq

http://www any

permit tcp any any eq smtp
permit tcp any eq smtp any
permit tcp any any eq 995
permit tcp any eq 995 any
permit tcp any any eq pop3
permit tcp any eq pop3 any
permit tcp any any eq 465
permit tcp any eq 465 any
permit tcp any any eq 993
permit tcp any eq 993 any
permit tcp any any eq 143
permit tcp any eq 143 any
!
logging trap debugging
logging x.x.x.10
access-list 2 permit x.x.x.0 0.0.0.255
access-list 2 deny any log
access-list 2 remark Restrict Router's Telnet access to local IP's Only
access-list 100 deny ip x.x.x.0 0.0.0.255 w.w.w.0 0.0.0.15
access-list 100 deny ip y.y.y.0 0.0.0.255 w.w.w.0 0.0.0.15
access-list 100 permit ip x.x.x.0 0.0.0.255 any
access-list 100 permit ip y.y.y.0 0.0.0.255 any
access-list 102 deny ip 0.0.0.0 1.255.255.255 any
access-list 102 deny ip 2.0.0.0 0.255.255.255 any
access-list 102 deny ip 5.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 14.0.0.0 0.255.255.255 any
access-list 102 deny ip 23.0.0.0 0.255.255.255 any
access-list 102 deny ip 27.0.0.0 0.255.255.255 any
access-list 102 deny ip 31.0.0.0 0.255.255.255 any
access-list 102 deny ip 36.0.0.0 1.255.255.255 any
access-list 102 deny ip 39.0.0.0 0.255.255.255 any
access-list 102 deny ip 42.0.0.0 0.255.255.255 any
access-list 102 deny ip 100.0.0.0 3.255.255.255 any
access-list 102 deny ip 104.0.0.0 3.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 deny ip 172.16.0.0 0.0.255.255 any
access-list 102 deny ip 176.0.0.0 1.255.255.255 any
access-list 102 deny ip 181.0.0.0 0.255.255.255 any
access-list 102 deny ip 185.0.0.0 0.255.255.255 any
access-list 102 deny ip 192.0.2.0 0.0.0.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 198.18.0.0 0.1.255.255 any
access-list 102 deny ip 224.0.0.0 31.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 remark * Bogon *
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any source-quench
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any ttl-exceeded
access-list 102 permit icmp any any parameter-problem
access-list 102 deny icmp any any log
access-list 102 remark * ICMP *
access-list 102 permit udp any any eq non500-isakmp log
access-list 102 permit udp any any eq isakmp log
access-list 102 permit esp any any log log
access-list 102 permit tcp any any eq 1723 log
access-list 102 permit gre any any log log
access-list 102 permit tcp any any eq

http://www log

access-list 102 permit tcp any any eq 443 log
access-list 102 permit tcp any any eq 44010 log
access-list 102 permit udp host 147.83.123.136 eq ntp any
access-list 102 permit udp host 195.10.6.126 eq ntp any
access-list 102 remark DynDNS
access-list 102 permit tcp host 204.13.248.112 eq

http://www any

log
access-list 102 deny ip any any
access-list 110 permit ip x.x.x.0 0.0.0.255 w.w.w.0 0.0.0.15
access-list 110 remark Defines what traffic gets tunneled through the VPN
no cdp run

!
!
!
!
route-map nonat permit 10
match ip address 100
!
!
control-plane
!
bridge 2 protocol ieee
bridge 2 route ip
!
line con 0
login authentication NO_AUTHENT
no modem enable
full-help
stopbits 1
line aux 0
line vty 0 4
access-class 2 in
exec-timeout 30 0
transport preferred ssh
transport input ssh
!
scheduler max-task-time 5000
sntp server 147.83.123.136
sntp server 195.10.6.126
sntp source-interface Dialer1
end

 

[burtsbees]

Put the rate limit on vlan 1

And why so low on the MSS on the dialer interface? I'd raise that to 1460...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[JPFSanders]

@burtsbees

The reason for the low MSS is that I found that when lowering it a bit I get less disconnections from certain sites, you know those cases when transfer speed is good then degrades quickly and then the connection breaks and you have to keep retrying the transfer all the time.

For the time being I'm testing what happens if I make fastethernet 0 "10mb full duplex", once I'm done with that I try limiting the vlan interface.

 

[burtsbees]

The MTU must be 1492, or MSS 1460 (same thing)...

"Per RFC 2516, the maximum receive unit (MRU) option must not be negotiated to a size larger
than 1492 bytes, because Ethernet has a maximum payload size of 1500 octets. The PPPoE
header is 6 octets and the PPP protocol ID is 2 octets, so the PPP maximum transmission unit
(MTU) must not be greater than (1500 – 8 =) 1492 bytes.
"

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!