The Cisco dance.
In the game of life it appears there is a need to continue the quest (Quest!!! But I’m already on a quest!) for more skills, or upskilling. In doing so, I’ve returned to what got me started in IT: data communication.
Whilst Cisco isn’t the only path one could take to upskill, it would appear to be a road well travelled (google Cisco certification for greater understanding). I’ve had a Cisco 1720 with a VPN module and a second Ethernet card lying around at the office for some time now, and since it is a quiet time I thought I’d install it as the router into the office. Since I didn’t have an ADSL WIC for this machine, I’ve used another DSL modem in bridge mode so that the PPPoE session is terminated straight on the Cisco. I pulled the basis of the config from cisco.com, so I know it is a supported idea…
Requirements appeared to be simple: route an 8 Mbit DSL connection to a NATed LAN with some stateful packet inspection.
This is typically a 20 minute job in Linux. Eight hours later, having written a config that is syntactically correct (because my IOS experience is low), I finally started to see some results for a hard day’s work trawling through the cisco.com website (if this sounds lame, try finding stuff at cisco.com) for config examples of different lumps of code. A couple of hours more and I have what appears to be a working system. The dialer works and a PPPoE session is created. Fantastic! Internet appears to work and stateful packet inspection is working. All in all I was quite happy with my own abilities.
Came into the office the next day to “how come we only get downloads at 16 kbps?” This has to be the best head snap I’ve had in a while. Whilst I’d researched QoS, I hadn’t actually done any configuration for it.
Started the usual diagnostics… Reproduce the problem: check. Check configuration for anything obvious: check. Check RAM requirements: check. Check CPU usage: umm, not check. This is what I was greeted with:
[Output of show processes cpu history; the ASCII bar graphs did not survive extraction. Three panels were shown: CPU% per second (last 60 seconds), CPU% per minute (last 60 minutes) and CPU% per hour (last 72 hours), with * = maximum CPU% and # = average CPU%. The per-hour panel showed the hourly maximum CPU sitting mostly between 75% and 100% for the whole period since the reload.]
(It was across a weekend.) Hmm… the CPU appears to be a bit spiky. Not good. So I removed the CBAC config and access-lists. One reload later I’m getting 24 kbps…
Here’s the config, edited for security’s sake.
Current configuration : 4850 bytes
!
version 12.3
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxx
clock timezone AEST 10
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local enable
aaa session-id common
ip subnet-zero
no ip source-route
no ip rcmd domain-lookup
!
!
ip domain name example.com
ip name-server 10.2.1.1
ip name-server 10.2.1.253
ip name-server 10.2.1.3
!
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name CBAC1 tcp timeout 3600
ip inspect name CBAC1 udp timeout 30
ip inspect name CBAC1 icmp timeout 30
ip inspect name CBAC1 ftp timeout 3600
ip inspect name CBAC1 http timeout 3600
ip inspect name CBAC1 smtp timeout 3600
ip inspect name CBAC1 tftp timeout 30
ip inspect name CBAC1 h323
ip inspect name CBAC1 realaudio
ip inspect name CBAC1 rtsp
ip inspect name CBAC2 tcp timeout 3600
ip inspect name CBAC2 udp timeout 30
ip inspect name CBAC2 icmp timeout 30
ip inspect name CBAC2 ftp timeout 3600
ip audit po max-events 100
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
ipv6 unicast-routing
no ftp-server write-enable
!
!
interface Loopback0
description Local loopback
no ip address
!
interface Ethernet0
ip address 10.2.254.253 255.255.255.252
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
ip address 10.2.1.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect CBAC1 in
speed auto
!
interface Serial0
no ip address
shutdown
!
interface Dialer0
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxx
ppp chap password 7 xxxxxxxxxxx
ppp pap sent-username xxxxxx password 7 xxxxxxxxxxx
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.2.1.4 22 interface Dialer0 22
ip nat inside source static tcp 10.2.1.4 21 interface Dialer0 21
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
!
access-list 1 remark NAT ACL
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 2 remark Permit SSH traffic for 10.2.0.0/16 and deny everything else
access-list 2 permit 10.2.0.0 0.0.255.255
access-list 101 remark traffic in FE/0
access-list 101 permit tcp 10.2.0.0 0.0.255.255 any
access-list 101 permit udp 10.2.0.0 0.0.255.255 any
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 111 remark traffic entering D/0
access-list 111 permit tcp any 10.2.0.0 0.0.255.255 established
access-list 111 permit ip any 10.2.0.0 0.0.255.255
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any host 10.2.1.4 eq 22
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 time-exceeded
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 packet-too-big
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 traceroute
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 unreachable
access-list 111 deny ip host 255.255.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip any host 127.0.0.1 log
access-list 111 deny ip 0.0.0.0 255.255.0.0 any log
access-list 111 deny tcp any any eq 22222 log
access-list 111 deny tcp any any range 60000 60020 log
access-list 111 deny udp any any eq snmp log
access-list 111 deny ip any any
access-list 112 remark traffic exiting D/0
access-list 112 permit ip any any
access-list 112 deny ip any any
dialer-list 1 protocol ip permit
!
banner login ^CCAuthorised Access only
This system is the property of example.com.
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged and violations of this policy result
in disciplinary action/Criminal Proceedings.^C
!
line con 0
line aux 0
line vty 0 4
access-class 2 in
password 7 xxxxxxxxxxxxx
transport input ssh
transport output ssh
!
ntp server 198.142.76.162
ntp server 203.209.212.99
ntp server 60.242.56.98
!
end
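One check worth running over a config like the one above, before hunting for performance problems, is whether every access-list and inspect rule set that is defined is actually applied somewhere (and vice versa); objects that are defined but never bound enforce nothing, and on this config that is access-list 112 and inspect set CBAC2. The script below is an added example, not part of the original post, and it runs over a constructed excerpt of the posted config (the full config text can be passed to audit() the same way; Python 3.8+ assumed for the := operator).

```python
import re

# Constructed excerpt of the running-config posted above (object names as on
# the page). Indentation is optional: blocks are closed by the "!" lines.
CONFIG = """\
ip inspect name CBAC1 tcp timeout 3600
ip inspect name CBAC2 tcp timeout 3600
interface FastEthernet0
ip access-group 101 in
ip inspect CBAC1 in
!
interface Dialer0
ip access-group 111 in
!
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 2 permit 10.2.0.0 0.0.255.255
access-list 101 permit tcp 10.2.0.0 0.0.255.255 any
access-list 111 permit tcp any 10.2.0.0 0.0.255.255 established
access-list 112 permit ip any any
line vty 0 4
access-class 2 in
"""

def audit(config):
    # Cross-reference ACL / inspect definitions against the places they are bound.
    defined_acl, defined_insp, used_acl, used_insp = set(), set(), {}, {}
    context = "global"
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":
            context = "global"            # end of an interface or line block
        elif line.startswith(("interface ", "line ")):
            context = line
        elif m := re.match(r"access-list (\d+) ", line):
            defined_acl.add(m.group(1))
        elif m := re.match(r"ip inspect name (\S+) ", line):
            defined_insp.add(m.group(1))
        elif m := re.match(r"(?:ip access-group|access-class) (\d+) (in|out)\b", line):
            used_acl.setdefault(m.group(1), []).append(f"{context} {m.group(2)}")
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            used_acl.setdefault(m.group(1), []).append("ip nat inside source")
        elif m := re.match(r"ip inspect (\S+) (in|out)\b", line):
            used_insp.setdefault(m.group(1), []).append(f"{context} {m.group(2)}")
    return {
        "unused_acls": sorted(defined_acl - set(used_acl), key=int),
        "undefined_acls": sorted(set(used_acl) - defined_acl, key=int),
        "unused_inspect": sorted(defined_insp - set(used_insp)),
        "acl_applied": used_acl, "inspect_applied": used_insp,
    }
```

On the excerpt, audit(CONFIG) reports access-list 112 and inspect set CBAC2 as defined but unused, and shows CBAC1 bound only inbound on FastEthernet0.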
Surely a Cisco 1720 can route an 8 Mbit/s connection without burning the CPU away. I’ve run this config past a couple of Cisco nuts and they can’t seem to find anything stupid. If you can help with this problem please drop me a line. I’m happy to reciprocate with either a beer or Unix help.