Bandwidth issues with NAT on Cisco 877W router

SteveThing Member Posts: 42
Hey gang,

I'm currently using this router with my cable modem and routing from Vlan1 (inside) to Vlan2 (outside) since I can't use the ADSL port. I've noticed that I get a maximum of 1.7Mb/s throughput and am curious if it is due to my config or the hardware. When I bypass the router, I get 10.98 Mb/s. Here is my config:
version 15.1
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ****
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096 informational
enable secret ****
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default local if-authenticated
aaa authorization commands 15 default local if-authenticated
aaa authorization network default local if-authenticated
!
!
!
!
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
clock save interval 8
crypto pki token default removal timeout 0
!
!
dot11 syslog
!
dot11 ssid ****
 vlan 1
 max-associations 3
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 ****
!
ip source-route
!
!
!
ip cef
ip cef accounting non-recursive
ip inspect name INSPECT tcp
ip inspect name INSPECT udp
ip inspect name INSPECT icmp
ip inspect name INSPECT fragment maximum 256 timeout 1
no ip bootp server
ip domain name ****
ip name-server 8.8.4.4
ip name-server 8.8.8.8
!
!
!
!
archive
 path flash:/Backups
!
username ******
!
!
vlan 2
 name Outside
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Vlan1
ip ssh logging events
ip ssh version 2
!
!
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 description Link to Cable Modem
 switchport access vlan 2
 duplex full
 speed 100
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet1
 description Tower
 duplex full
 speed 100
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet2
 description PS3
 duplex full
 speed 100
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet3
 shutdown
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 ! Temporarily shutdown
 no dot11 extension aironet
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 !
 broadcast-key change 60 membership-termination
 !
 !
 ssid ****
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip address 10.0.10.1 255.255.255.240
 ip virtual-reassembly in
 shutdown
 ! Temporarily shutdown
!
interface Vlan1
 description Inside (+WiFi)
 ip address 10.0.0.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description Outside (ISP)
 ip address dhcp hostname dNET
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source route-map NAT_LAN interface Vlan2 overload
!
ip access-list standard IPs_LAN
 permit 10.0.0.0 0.0.0.15
ip access-list standard IPs_WiFi
 permit 10.0.10.0 0.0.0.15
ip access-list extended Management
 permit tcp host **** eq 22 log
 deny   ip any any log
!
!
!
!
route-map NAT_LAN permit 10
 match ip address IPs_LAN
 match interface Vlan2 FastEthernet0
route-map NAT_WiFi permit 10
 match ip address IPs_WiFi
 match interface Vlan2 FastEthernet0
!
!
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 logging synchronous
 login ctrlc-disable
 no modem enable
line aux 0
line vty 0 1
 access-class Management in
 exec-timeout 5 0
 logging synchronous
 transport preferred ssh
 transport input ssh
 transport output ssh
line vty 2 4
 exec-timeout 0 0
 no exec
 transport preferred none
 transport input none
 transport output none
!
scheduler max-task-time 5000
ntp server 132.163.4.101 prefer
ntp server 132.163.4.102
ntp server 132.163.4.103
end

Output from show version:
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 16-Nov-10 04:45 by prod_rel_team
 
ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE
 
**** uptime is 1 day, 18 hours, 17 minutes
System returned to ROM by reload at 05:30:11 CDT Sun Mar 20 2011
System restarted at 05:31:08 CDT Sun Mar 20 2011
System image file is "flash:c870-advsecurityk9-mz.151-3.T.bin"
Last reload reason: Reload Command
 
 
 
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
 
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
 
If you require further assistance please contact us by sending email to
export@cisco.com.
 
Cisco 877W (MPC8272) processor (revision 2.0) with 118784K/12288K bytes of memory.
Processor board ID FHK111211D4
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
1 802.11 Radio
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
 
 
 
Configuration register is 0x2102

Output from show ip route:
* is masked ISP addresses
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
 
Gateway of last resort is *.*.4.1 to network 0.0.0.0
 
S*    0.0.0.0/0 [254/0] via *.*.4.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/28 is directly connected, Vlan1
L        10.0.0.1/32 is directly connected, Vlan1
      *.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        *.*.4.0/22 is directly connected, Vlan2
L        *.*.4.10/32 is directly connected, Vlan2
      172.31.0.0/32 is subnetted, 1 subnets
S        172.31.251.29 [254/0] via *.*.4.1, Vlan2

Output from show ip nat statistics:
Total active translations: 13 (0 static, 13 dynamic; 13 extended)
Peak translations: 193, occurred 14:53:36 ago
Outside interfaces:
  Vlan2
Inside interfaces:
  Vlan1
Hits: 20272144  Misses: 0
CEF Translated packets: 20266700, CEF Punted packets: 5444
Expired translations: 9692
Dynamic mappings:
-- Inside Source
[Id: 1] route-map NAT_LAN interface Vlan2 refcount 13
 
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Output from show processes cpu history during speedtest.net runs:
****   11:51:27 PM Monday Mar 21 2011 CDT
 
 
 
 
                                                     11111
      224444422222333331111133333222222222222222555553333311111333
  100
   90
   80
   70
   60
   50
   40
   30
   20
   10                                           **********
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)
 
 
 
 
      111 1211 11 111211  1 1111  111 11 111   111111 1 111 11  11
      333930428227224035842431138714581295228873222327096129329923
  100
   90
   80
   70
   60
   50
   40
   30
   20      *         * *            *    *              *
   10 ***************#*** * **************************************
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%
 
 
 
 
      113223911112212222112222222222121111122342
      667236284948565554654430362453648755527314
  100
   90       *
   80       *
   70       *
   60       *
   50       *
   40   *  **                                 *
   30   *  **    ** ***        *  *         ***
   20 ******** * *******************************
   10 **#*##*****#***##***##**#####**#*****#####
     0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
               0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%

Spike is from reload I would imagine...

Finally, the most confusing is show int fa0:
FastEthernet0 is up, line protocol is up
  Hardware is Fast Ethernet, address is *.*.c9d3 (bia *.*.c9d3)
  Description: Link to Cable Modem
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 33000 bits/sec, 36 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     16367368 packets input, 3511780220 bytes, 0 no buffer
     Received 6048989 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     627922 input errors, 312998 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     10044152 packets output, 876371092 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

That is a lot of errors for a little over a day of uptime. Didn't think to try another port till just now... Will attempt tomorrow.

Any suggestions or ideas?
CompTIA: Net+, Sec+
Aruba: ACMA, ACMP
Air Force:
2E251, 3D152, Fiber Installation Expert, Certified Cryptographic Network Professional, and a couple hundred useless certs on nothing important in real life (aka, Tree Killing+)

Comments

  • SteveThing Member Posts: 42
    So I tried another port, no change. Tried a Router-On-A-Stick with my 3640 and my 2960 and still had the same problem (albeit a little better). So I booted up my pfsense livecd on a Core2Duo laptop (overkill for NAT and routing). I set up the laptop as a router on a stick, created 2 vlans on it, and trunked it to the switch. The cable modem was plugged into vlan10 on the switch and my PC was on vlan 20. The modem gave an IP to the lappy (vlan 10) and everything was going well. No input errors, no CRC errors, nothing bad. Still no decent bandwidth.

    I ran a couple runs on a few websites for speed tests and then the switch started alternating green and amber on the cable modem interface. Sure enough, input errors started flowing in when I pushed the connection beyond simple e-mail/surfing. Double checked all my settings. Little me has always been in the train of thought that auto-negotiation is bad ("You auto not use it"?).

    So I monkeyed around with a few speed/duplex settings. Finally I gave up and tried auto. Sure enough, my problems were solved. ANNOYING!

    Anyways, thanx for reading and I hope this helps someone else in the future.
    CompTIA: Net+, Sec+
    Aruba: ACMA, ACMP
    Air Force:
    2E251, 3D152, Fiber Installation Expert, Certified Cryptographic Network Professional, and a couple hundred useless certs on nothing important in real life (aka, Tree Killing+)
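
The counters in the `show int fa0` output from the first post (many CRC and input errors, zero collisions, on a port hard-set to full duplex) fit the usual signature of a duplex mismatch seen from the full-duplex side, which matches the fix reported above. The following is an added example, not part of the thread: a small parser that applies that heuristic to `show interface` text. The function names and the 1% error threshold are assumptions, and the sample is trimmed from the output quoted in the post.

```python
import re

# Constructed sample: trimmed from the "show int fa0" output in the first post.
SAMPLE = """\
FastEthernet0 is up, line protocol is up
  Full-duplex, 100Mb/s
     16367368 packets input, 3511780220 bytes, 0 no buffer
     627922 input errors, 312998 CRC, 0 frame, 0 overrun, 0 ignored
     10044152 packets output, 876371092 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

COUNTERS = {
    "packets_in": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}

def parse_counters(text):
    """Pull the error counters and duplex state out of 'show interface' text."""
    out = {}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        out[name] = int(m.group(1)) if m else 0
    m = re.search(r"(Full|Half|Auto)-duplex", text)
    out["duplex"] = m.group(1).lower() if m else "unknown"
    return out

def assess(c, threshold=0.01):
    """Return (input error ratio, verdict); threshold is an assumed cut-off."""
    ratio = c["input_errors"] / c["packets_in"] if c["packets_in"] else 0.0
    if ratio < threshold and c["late_collisions"] == 0:
        return ratio, "ok"
    if c["duplex"] == "full" and c["crc"] > 0 and c["collisions"] == 0:
        # A full-duplex port never counts collisions; frames the half-duplex
        # peer aborts arrive truncated and show up as CRC/input errors.
        return ratio, "suspect duplex mismatch: peer probably half-duplex"
    if c["late_collisions"] > 0:
        return ratio, "suspect duplex mismatch: this side probably half-duplex"
    return ratio, "errors present: check cabling and port"

if __name__ == "__main__":
    ratio, verdict = assess(parse_counters(SAMPLE))
    print(f"input error ratio {ratio:.2%}: {verdict}")
```
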
  • SteveO86 Member Posts: 1,423
    Maybe changing the MTU settings on the outside interface.

    What is the MTU? DSL FAQ | DSLReports.com, ISP Information
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS