QoS - Router on a stick

stre1026

IS-IT--Management
Jul 9, 2001
40
US
Hi All -

I have a network with 4 VLANs. The switch is a 2950 and the router is a 2621. The router is doing DHCP, NAT, firewall, inter-VLAN routing, and it's a dynamic VPN endpoint. Everything works fine. However, when I copy a very large ISO (gigs in size) across the network to a different VLAN, the network slows to a screeching halt. I think it's because everything has to go through the trunk on the router. Do I need to take some of the services off of this router or do I have to do some QoS here? I know a layer-3 switch would be ideal but unfortunately this is not in my budget at the moment. I am willing to buy another 2600 series router if using a dedicated router for the inter-VLAN routing would help. This is what I like to call an overkill home/lab environment and I'm sure I'm not the only one here with a network like this at home! :)

If it would be helpful to see some configs, I'd be glad to post them.

Thanks in advance for any suggestions...
 
The router isn't overloading; you are merely saturating the 100Mb link to the router. You could use some QoS policies to slow the transfer speed down.
 
OK, good, that's what I thought. I tried applying some QoS (limiting the bandwidth that port 445 for filesharing was taking) to the f0/1 port on the router that has the trunk sub-interfaces on it, because I found out sub-interfaces only support some QoS features, and applying it to the f0/1 port didn't work. The traffic was hitting the policy though, so I'm not sure what I did wrong.

Do you happen to have a sample config of what I could do to slow the transfer speeds down to the router? I don't mind if I have to slow all transfers down if that's necessary.

Here is my router config cleaned of passwords, etc. and some things like my DHCP pools are missing to shorten the post a little...

Thanks!

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot system flash:c2600-ik9o3s3-mz.123-25.bin
boot-end-marker
!
aaa session-id common
ip subnet-zero
ip cef
!
!
ip inspect name firewall rcmd
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall udp
ip inspect name firewall tcp timeout 43200
ip inspect name firewall realaudio
ip inspect name firewall vdolive
ip inspect name firewall netshow
ip audit po max-events 100
!
!
!
class-map match-all netbios-traffic
 match access-group 160
!
!
policy-map netbios-qos
 class netbios-traffic
  shape average percent 30
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 5
 authentication pre-share
 group 2
crypto isakmp key mykey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!
crypto ipsec profile dmvpnprof
 set transform-set dmvpnset
!
!
!
!
!
interface Tunnel0
 description Dynamic Tunnel
 bandwidth 1000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.0.1 70.167.100.242
 ip nhrp map multicast “mypublic IP”
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 no ip mroute-cache
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof
!
interface FastEthernet0/0
 ip address dhcp hostname Router
 ip access-group 100 in
 no ip unreachables
 ip nat outside
 ip inspect firewall out
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 description Data
 encapsulation dot1Q 100
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.2
 description VOIP
 encapsulation dot1Q 200
 ip address 10.0.5.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.3
 description FIOS
 encapsulation dot1Q 300
 ip address 10.0.6.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.4
 description Test
 encapsulation dot1Q 400
 ip address 10.0.7.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.5
 encapsulation dot1Q 1 native
 ip address 10.0.9.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.5.0 0.0.0.255
 network 10.0.7.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
 no auto-summary
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
access-list 100 permit icmp 10.0.0.0 0.0.255.255 any
access-list 100 permit tcp 10.0.0.0 0.0.255.255 any eq telnet
access-list 100 deny icmp any any echo
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.5.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.0.0.255 10.0.8.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 150 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
access-list 150 permit ip 10.0.5.0 0.0.0.255 any
access-list 150 permit ip 10.0.6.0 0.0.0.255 any
access-list 150 permit ip 10.0.7.0 0.0.0.255 any
access-list 160 permit tcp any any eq 445
!
route-map nonat permit 10
 match ip address 150
!
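
An added example, not part of any post in this thread: a Python check over an IOS running-config that reports where each policy-map is attached and flags policies that no service-policy line ever applies. The configuration as posted defines policy-map netbios-qos but shows no service-policy statement (the poster notes the listing is abridged); the function name audit_qos and the sample excerpt are constructed for illustration.

```python
# Constructed excerpt modelled on the posted config, indentation stripped.
SAMPLE = """\
class-map match-all netbios-traffic
match access-group 160
!
policy-map netbios-qos
class netbios-traffic
shape average percent 30
class class-default
fair-queue
!
interface FastEthernet0/1.1
encapsulation dot1Q 100
!
access-list 160 permit tcp any any eq 445
"""

def audit_qos(config):
    """Report where QoS policies are attached and which are never applied."""
    policies, acls, wanted_acls = set(), set(), set()
    children, attached = {}, {}
    kind = name = None                      # block currently being read
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":            # "!" ends the current block
            kind = None
        elif w[0] in ("policy-map", "class-map", "interface"):
            kind, name = w[0], w[-1]
            if kind == "policy-map":
                policies.add(name)
        elif w[0] == "access-list" and len(w) > 1:   # numbered ACLs only
            acls.add(w[1])
        elif w[0] == "service-policy" and kind == "interface":
            attached.setdefault(name, []).append((w[1], w[-1]))
        elif w[0] == "service-policy" and kind == "policy-map":
            children.setdefault(name, set()).add(w[-1])  # nested child policy
        elif w[:2] == ["match", "access-group"] and kind == "class-map":
            wanted_acls.add(w[-1])
    # A policy is live if an interface uses it or a live parent nests it.
    live, todo = set(), [p for refs in attached.values() for _, p in refs]
    while todo:
        p = todo.pop()
        if p not in live:
            live.add(p)
            todo.extend(children.get(p, ()))
    return {"attached": attached,
            "unattached": sorted(policies - live),
            "missing_acls": sorted(wanted_acls - acls)}
```

Calling `audit_qos(SAMPLE)` lists netbios-qos under "unattached"; the same check on a full `show running-config` shows which interface and direction each policy is bound to.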