Добрый день.
Проблема состоит в следующем,имеется Cisco 2801, к которой коннектятся пользователи по VPN, сейчас скорость скачки с FTP составляет 512KB в сек, при увеличении до 1MB возникают проблемы, подпрыгивает пинг, абоненты не могут соединиться с Cisco-ой.
Например,при одновременной скачке и закачке со скоростью до 1500 Кбайт/сек, пинг подпрыгивает до 4000 и теряется. НО на работу интернета уже подключённых пользователей это никак не влияет.
Схема подключения: Cisco2801 Fa0/1-->Catalyst2950-->FTP сервер.
|
пользователи
FTP доступен только через VPN. Думаю что копать надо в сторону приоретизации трафика.
Cisco IOS Software, 2801 Software (C2801-ADVIPSERVICESK9-M)Version 12.4(3d),RELEASE SOFTWARE (fc3)
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
System image file is "flash:c2801-advipservicesk9-mz.124-3d.bin"
Cisco 2801 (revision 6.0) with 354304K/38912K bytes of memory.
Processor board ID FCZ102222ZU
6 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Буду рад любой помощи, спасибо.
на загрузку процессора смотрели?
Включай трафик шэйпер на нужном интерфейсе.
https://www.opennet.ru/tips/sml/97.shtml
Например для ftp зажать до 128 кбит:
traffic-shape group 157 128000 7936 7936 1000
access-list 157 permit tcp any 10.134.0.0 0.0.255.255 eq ftpУправление приоритетом трафика на Cisco
https://www.opennet.ru/tips/info/430.shtml
CPU utilization for five seconds: 99%/96%; one minute: 80%; five minutes: 62%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
213 10402348 635515 16368 0.55% 1.10% 1.24% 0 DNS Server
6 36192 6035 5997 0.55% 0.21% 0.15% 0 Pool Manager
64 15424436 12575285 1226 0.37% 0.97% 1.25% 0 IP Input
34 464708 416468 1115 0.09% 0.08% 0.12% 0 Per-Second Jobs
201 1813308 2200998 823 0.09% 0.21% 0.36% 0 PPTP Data
193 555936 83907 6625 0.09% 0.08% 0.12% 0 Compute load avg
7 0 2 0 0.00% 0.00% 0.00% 0 Timers
4 0 1 0 0.00% 0.00% 0.00% 0 EDDRI_MAIN
9 300 13847 21 0.00% 0.00% 0.00% 0 Environmental mo
8 0 1 0 0.00% 0.00% 0.00% 0 OIR Handler
5 1458844 87811 16613 0.00% 0.09% 0.22% 0 Check heaps
12 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
3 75240 621253 121 0.00% 0.01% 0.00% 0 Spanning Tree
2 93596 83093 1126 0.00% 0.04% 0.02% 0 Load Meter
10 0 1 0 0.00% 0.00% 0.00% 0 Crash writer
11 3297924 6168786 534 0.00% 0.07% 0.10% 0 ARP Input
15 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager
18 10960 72225 151 0.00% 0.00% 0.00% 0 EEM ED Syslog
19 37304 103690 359 0.00% 0.01% 0.00% 0 HC Counter Timer
20 0 2 0 0.00% 0.00% 0.00% 0 Serial Backgroun
21 0 1 0 0.00% 0.00% 0.00% 0 RO Notify Timers
--More--
Мда...., процессор не тянет.
Но проблемы не в шейпировании, а в том чтобы предоставить пользователям 1 Мбайт канал с FTP.
>[оверквотинг удален]
>0.00% 0.00% 0.00% 0 Serial Backgroun
> 21
> 0 1
> 0
>0.00% 0.00% 0.00% 0 RO Notify Timers
>
> --More--
>Мда...., процессор не тянет.
>Но проблемы не в шейпировании, а в том чтобы предоставить пользователям 1
>Мбайт канал с FTP.кинфиг киски в студию
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging console warnings
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization commands 8 default local
aaa authorization network default group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
ip domain name xxxxxxxxxxxx
ip name-server xxxxxxxxxxxxxxx
ip name-server xxxxxxxxxxxxxxx
no ip rcmd domain-lookup
ip rcmd rsh-enable
----------////----------
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username ----------////----------
username ----------////----------
username ----------////----------
!
!
!
!
!
!
interface FastEthernet0/0
description #Inet TTK#
ip address 217.150.XX.XX 255.255.255.252
ip accounting output-packets
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
interface FastEthernet0/1
ip address 62.33.XX.XX 255.255.255.192 secondary
ip address 10.1.1.1 255.0.0.0
ip access-group 103 in
ip access-group 104 out
ip accounting output-packets
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
Дальше идут сабинтерфейсы для арендаторов реальных IP,
для примера привожу один:interface FastEthernet0/1.14
description #Abonent#
encapsulation dot1Q 14
ip address 62.33.XX.XX 255.255.255.252
no snmp trap link-statusinterface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip access-group 105 in
ip access-group 106 out
ip accounting output-packets
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp header-compression
ip mroute-cache
no peer default ip address
traffic-shape group 107 32000 1000 1000 2000
traffic-shape group 108 32000 1000 1000 2000
traffic-shape group 109 64000 1000 1000 2000
traffic-shape group 110 64000 1000 1000 2000
traffic-shape group 111 160000 10000 10000 2000
traffic-shape group 112 160000 10000 10000 2000
ppp authentication ms-chap-v2 chap
!
interface Vlan1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 217.150.XX.XX
ip route 83.234.XX.XX 255.255.254.0 172.1.1.1
!
ip dns server
ip flow-export version 5
ip flow-export destination 10.0.0.1 9996
!
no ip http server
no ip http secure-server
ip nat translation timeout 120
ip nat translation tcp-timeout 180
ip nat translation pptp-timeout 180
ip nat translation udp-timeout 120
ip nat pool inet 62.33.XX.XX 62.33.XX.XX prefix-length 28
ip nat pool piring 62.33.XX.XX 62.33.XX.XX prefix-length 28
ip nat inside source list 121 pool inet overload
ip nat inside source list 122 pool piring overload
!
logging history size 300
logging trap debugging
logging facility local3
logging 10.0.0.1
access-list 103 permit ip 10.0.0.0 0.255.255.255 host 10.1.1.1
access-list 103 permit ip host 10.0.0.1 any
access-list 103 permit ip host 62.33.XX.XX (FTP сервер) any
access-list 103 permit ip host 10.0.0.1 10.0.0.0 0.255.255.255
access-list 103 permit ip 10.0.0.0 0.255.255.255 host 10.0.0.1
access-list 103 permit ip 10.0.0.0 0.255.255.255 host 62.33.XX.XX (FTP сервер)
(Далее идут правила для Real IP арендаторов, вырезал)
access-list 104 permit ip host 10.1.1.1 10.0.0.0 0.255.255.255
access-list 104 permit ip any host 10.0.0.1
access-list 104 permit ip any host 62.33.XX.XX (FTP сервер)
access-list 104 permit ip 10.0.0.0 0.255.255.255 host 62.33.XX.XX(FTP сервер)
access-list 104 permit ip 10.0.0.0 0.255.255.255 host 10.0.0.1
access-list 104 permit ip host 10.0.0.1 10.0.0.0 0.255.255.255
access-list 104 permit ip host 62.33.XX.XX (FTP сервер) 10.0.0.0 0.255.255.255
access-list 104 permit ip 172.16.0.0 0.0.255.255 any
access-list 105 dynamic in permit ip any any
access-list 106 dynamic out permit ip any any
access-list 107 dynamic shape-in-32 permit ip any any
access-list 108 dynamic shape-out-32 permit ip any any
access-list 109 dynamic shape-in-64 permit ip any any
access-list 110 dynamic shape-out-64 permit ip any any
access-list 111 dynamic shape-in-128 permit ip any any
access-list 112 dynamic shape-out-128 permit ip any any
access-list 120 remark #nat#
access-list 120 permit ip any 172.16.0.0 0.0.255.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 remark #nat#
access-list 121 remark # ALL NAT #
access-list 121 permit ip 172.16.0.0 0.0.255.255 any
access-list 121 deny ip 172.16.0.0 0.0.255.255 83.234.148.0 0.0.2.255
access-list 121 deny ip any any
access-list 122 remark # Piring NAT #
access-list 122 permit ip 172.16.0.0 0.0.255.255 83.234.XX.XX 0.0.2.255
access-list 122 deny ip 172.16.0.0 0.0.255.255 any
access-list 122 remark # Piring NAT #
access-list 140 deny ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.0.255
snmp-server community ---//--- RO
snmp-server community ---//--- RW
!
!
!
radius-server host 10.0.0.1 auth-port XXXX acct-port XXXX
radius-server key ---//---
!
control-plane
!
!
!
!
!
!
!
!
privilege exec level 8 access-enable
privilege exec level 8 access-template
privilege exec level 8 access-profile
privilege exec level 8 clear access-template
privilege exec level 8 clear
!
line con 0
line aux 0
line vty 0
access-class 21 in
exec-timeout 180 0
transport input telnet
line vty 1 2
access-class 21 in
exec-timeout 180 0
transport input telnet
line vty 3
access-class 21 in
exec-timeout 180 0
transport input telnet
line vty 4
exec-timeout 180 0
transport input ssh
transport output ssh
line vty 5 15
exec-timeout 60 0
transport input ssh
transport output ssh
!
end
>[оверквотинг удален]
>line vty 4
> exec-timeout 180 0
> transport input ssh
> transport output ssh
>line vty 5 15
> exec-timeout 60 0
> transport input ssh
> transport output ssh
>!
>endЯ конешно есчо тот спец по кискам, но насколько я читал использование ip cef без использования ip route-cache - не дает особой производительности или девайса действительно не хвататет уже (неизвестно какой поток разруливает)
уберите
ip virtual-reassembly
ip tcp header-compression
ip accounting output-packets
>уберите
>ip virtual-reassembly
>ip tcp header-compression
>ip accounting output-packetsУбрал с Fa0/1 и Virtual-Template1, не помогло.
>>уберите
>>ip virtual-reassembly
>>ip tcp header-compression
>>ip accounting output-packets
>
>Убрал с Fa0/1 и Virtual-Template1, не помогло.теперь покажите sh run
и sh proc cpu sort 5min
В конфиге изменилось:
interface FastEthernet0/1
ip address 62.33.XX.XX 255.255.255.192 secondary
ip address 10.1.1.1 255.0.0.0
ip access-group 103 in
ip access-group 104 out
ip nat inside
no ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip access-group 105 in
ip access-group 106 out
ip flow ingress
ip flow egress
ip nat inside
no ip virtual-reassembly
ip mroute-cache
no peer default ip address
traffic-shape group 107 32000 1000 1000 2000
traffic-shape group 108 32000 1000 1000 2000
traffic-shape group 109 64000 1000 1000 2000
traffic-shape group 110 64000 1000 1000 2000
traffic-shape group 111 160000 10000 10000 2000
traffic-shape group 112 160000 10000 10000 2000
ppp authentication ms-chap-v2 chapПеред закачкой:
CPU utilization for five seconds: 32%/25%; one minute: 34%; five minutes: 32%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
213 21440124 1223391 17525 3.78% 3.38% 2.46% 0 DNS Server
64 24996748 21600050 1157 1.15% 1.08% 1.05% 0 IP Input
5 4268900 225917 18895 0.00% 0.43% 0.55% 0 Check heaps
201 3463808 4098627 845 0.24% 0.31% 0.32% 0 PPTP Data
209 1372704 24640348 55 0.24% 0.28% 0.25% 0 PPP Events
208 750948 24460854 30 0.24% 0.24% 0.24% 0 PPP manager
57 1378812 9751388 141 0.16% 0.17% 0.16% 0 L2X Data Daemon
221 533592 23981535 22 0.16% 0.17% 0.16% 0 RADIUS
34 879788 818122 1075 0.16% 0.14% 0.14% 0 Per-Second Jobs
193 1152040 165206 6973 0.08% 0.12% 0.14% 0 Compute load avg
203 1260396 2619833 481 0.08% 0.13% 0.10% 0 IP NAT Ager
27 460 155 2967 0.49% 0.38% 0.10% 198 SSH Process
118 2340040 34204 68414 0.00% 0.20% 0.10% 0 VTEMPLATE Backgr
87 659624 1285860 512 0.16% 0.09% 0.08% 0 CEF process
214 869472 1007714 862 0.08% 0.10% 0.08% 0 DNS Server Input
116 195268 7860989 24 0.08% 0.06% 0.08% 0 RBSCP Background
11 4897412 9283968 527 0.08% 0.07% 0.08% 0 ARP Input
200 1008768 1865375 540 0.08% 0.08% 0.08% 0 PPTP Mgmt
220 1453080 10684027 136 0.08% 0.08% 0.08% 0 NAT MIB Helper
104 204028 1632337 124 0.00% 0.04% 0.05% 0 DHCPD Receive
2 184696 163291 1131 0.08% 0.03% 0.02% 0 Load Meter
Во время закачки, примерно 5 мин прошло:
PU utilization for five seconds: 99%/89%; one minute: 99%; five minutes: 85%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
213 21747908 1224255 17764 0.91% 3.52% 3.17% 0 DNS Server
201 3494404 4103334 851 4.42% 2.05% 0.95% 0 PPTP Data
64 25053988 21606703 1159 0.83% 0.66% 0.66% 0 IP Input
6 149928 14650 10233 1.16% 0.91% 0.32% 0 Pool Manager
5 4275860 226138 18908 0.00% 0.33% 0.22% 0 Check heaps
118 2347812 34268 68513 0.75% 0.29% 0.16% 0 VTEMPLATE Backgr
209 1382808 24651353 56 0.33% 0.18% 0.16% 0 PPP Events
193 1163708 165406 7035 0.08% 0.14% 0.13% 0 Compute load avg
34 888468 818734 1085 0.16% 0.11% 0.11% 0 Per-Second Jobs
203 1267104 2620817 483 0.16% 0.12% 0.11% 0 IP NAT Ager
57 1387996 9755412 142 0.16% 0.10% 0.10% 0 L2X Data Daemon
200 1011472 1866551 541 0.16% 0.11% 0.06% 0 PPTP Mgmt
11 4902044 9285067 527 0.08% 0.05% 0.06% 0 ARP Input
214 874128 1008391 866 0.00% 0.06% 0.06% 0 DNS Server Input
208 754040 24471921 30 0.00% 0.03% 0.05% 0 PPP manager
2 188984 163448 1156 0.00% 0.04% 0.04% 0 Load Meter
221 534528 23992136 22 0.08% 0.03% 0.03% 0 RADIUS
220 1455512 10688277 136 0.08% 0.03% 0.02% 0 NAT MIB Helper
104 204692 1633350 125 0.00% 0.02% 0.01% 0 DHCPD Receive
101 175536 1073161 163 0.00% 0.03% 0.01% 0 TCP Timer
194 375104 14336 26165 0.00% 0.03% 0.00% 0 Per-minute Jobs
102 204484 213628 957 0.08% 0.01% 0.00% 0 TCP Protocols
116 196064 7864868 24 0.00% 0.01% 0.00% 0 RBSCP Background
85 38160 20096 1898 0.08% 0.01% 0.00% 0 PPP IP Route
87 660560 1286503 513 0.00% 0.01% 0.00% 0 CEF process
23 16224 816213 19 0.08% 0.00% 0.00% 0 GraphIt
19 71280 203847 349 0.08% 0.00% 0.00% 0 HC Counter Timer
63 26572 99078 268 0.08% 0.00% 0.00% 0 CDP Protocol
83 61760 96932 637 0.08% 0.00% 0.00% 0 IP Background
74 76972 3179054 24 0.08% 0.00% 0.00% 0 SSS Feature Time
206 176776 982177 179 0.00% 0.01% 0.00% 0 TCP Driver
195 125144 28505 4390 0.00% 0.01% 0.00% 0 CEF Scanner
86 12272 32445 378 0.08% 0.00% 0.00% 0 PPP IPCP
165 13964 410459 34 0.00% 0.00% 0.00% 0 PM Callback
88 21032 816447 25 0.00% 0.00% 0.00% 0 Socket Timers
35 0 1 0 0.00% 0.00% 0.00% 0 AggMgr Process
36 0 1 0 0.00% 0.00% 0.00% 0 Token Daemon
37 36 8 4500 0.00% 0.00% 0.00% 0 ESWPPM
38 0 2 0 0.00% 0.00% 0.00% 0 Eswilp Storm Con
40 0 1 0 0.00% 0.00% 0.00% 0 dev_device_inser
39 648 284 2281 0.00% 0.00% 0.00% 0 Exec
42 0 2 0 0.00% 0.00% 0.00% 0 SM Monitor
41 0 1 0 0.00% 0.00% 0.00% 0 dev_device_removИ ещё высыпалось вот это:
-Process= "L2X SSS manager", ipl= 0, pid= 77
-Traceback= 0x60EFE6C8 0x616537E0 0x61654EDC 0x6202C3E8 0x6202DA24 0x6202DBD0 0C
*Apr 29 00:36:17.071: %TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0
-Process= "L2X SSS manager", ipl= 0, pid= 77
-Traceback= 0x60EFE6C8 0x616537E0 0x61654EDC 0x6202C3E8 0x6202BDE8 0x6202C0F0 0C
*Apr 29 00:36:17.071: %TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0
-Process= "L2X SSS manager", ipl= 0, pid= 77
-Traceback= 0x60EFE6C8 0x616537E0 0x61654EDC 0x6202C3E8 0x6202DA24 0x6202DBD0 0C
*Apr 29 00:36:17.075: %TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0
-Process= "L2X SSS manager", ipl= 0, pid= 77
-Traceback= 0x60EFE6C8 0x616537E0 0x61654EDC 0x6202C3E8 0x6202BDE8 0x6202C0F0 0C
*Apr 29 00:36:17.107: %LINK-3-UPDOWN: Interface Virtual-Access40, changed staten
*Apr 29 00:36:17.107: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state n
*Apr 29 00:36:17.107: %LINK-3-UPDOWN: Interface Virtual-Access17, changed staten
*Apr 29 00:36:17.107: %LINK-3-UPDOWN: Interface Virtual-Access124, changed statn
DNS server не много кушает ?
no ip domain lookup
no ip dns server