CPU utilization is not averaging very high. We're not routing between the VLANs, so "router on a stick" doesn't really apply, does it?
It's only 1-2 Mbps in on the 10 Mbps Ethernet interface for their IP access and then parsed out to the appropriate VLAN via the FastEthernet sub-interfaces. Intra-(V)LAN traffic should stay on the 3550 unless headed out the gateway, yes? I see what you're saying about putting the 3550 in full L3 operation and using (I presume) "ip helper-address", which looks like it can be configured on each VLAN.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Gristina
Sent: Friday, June 06, 2008 11:47 PM
To: Sean Shepard
Cc: [email protected]
Subject: Re: [c-nsp] NAT randomly stops after a few hours 1721/3550 vlan arrangement

Check "show proc cpu hist" after it happens. A 1721 should not be doing router on a stick for a 100Mb network. It can barely forward 12Mb/s CEF switched. Much less NAT, ACL, QoS, DHCP and whatever else it is doing. Make the 3550 an L3 switch; if you have to keep DHCP on the 1721, use DHCP forwarder, use a choke network. They can't forward stuff on their LAN because of the router on a stick config. And open a TAC case.

On Fri, Jun 6, 2008 at 6:37 PM, Sean Shepard <[EMAIL PROTECTED]> wrote:
> SCENARIO:
>
> Customer was blaming us (service provider) for their IP phones (Linksys 942 models) resetting, sometimes in the middle of a call dropping both the call and their "back of the phone" connected PC. Customer's IT support/VAR was not aggressive in resolving the issue (we suspected some kind of LAN issue) and so, to prove it wasn't us we stepped a little bit beyond what we normally do ourselves at the customer location. We dropped in a 3550 SMI switch, set up VLANs and trunked to their 1721 where all DHCP activity is now happening via two DHCP pools.
>
> Devices appear to be showing up in the correct VLAN and are pulling DHCP from the right pools.
> Could not get the Linksys phones to talk through the VLAN/NAT combination (Polycom worked ok it seemed) so we temporarily dropped them onto a public IP scheme which is working fine - we will fix this once everything else is stable.
>
> What is happening is that DNS resolution through NAT (and possibly other NAT translations) fails after several hours (or has twice). This is only affecting hosts/Windows server on VLAN 1. Their Windows 2003 server acts as the DNS for their data network (it refers outside requests to ours). When this happens, customer's IT consultant can still remote terminal into their server (via static port mapping) but can't ping out of their network from it. Reloading the router restores service.
>
> Customer is also complaining that data transfer speeds are much slower between devices on their LAN (they pass around a lot of CAD files). I'm certain this must not be set up properly or we're missing something. Any guidance is appreciated.
>
> RTP isn't breaking up so we didn't bother with priority queue settings on the switch. Error counts, drops and resets are ZERO on every single "show int" counters. I'd prefer not to go back to them and recommend the brute force fix of just physically separating the networks.
>
> ROUTER "SHOW VER" RELEVANT OUTPUT:
> (note: I've been thinking about downgrading to a stable 12.3 release we like - 12.4(1a) can't be good ?????)
>
> Router#show ver
> Cisco IOS Software, C1700 Software (C1700-IPBASE-M), Version 12.4(1a), RELEASE SOFTWARE (fc2)
>
> ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
>
> Router uptime is 5 hours, 34 minutes
> System returned to ROM by reload at 17:29:46 UTC Fri Jun 6 2008
> System restarted at 17:32:00 UTC Fri Jun 6 2008
> System image file is "flash:c1700-ipbase-mz.124-1a.bin"
>
> Cisco 1721 (MPC860P) processor (revision 0x500) with 58405K/7131K bytes of memory.
> Processor board ID FOC09246Q0T (879918233), with hardware revision 0000
> MPC860P processor: part number 5, mask 2
> 1 Ethernet interface
> 1 FastEthernet interface
> 32K bytes of NVRAM.
> 32768K bytes of processor board System flash (Read/Write)
>
> ROUTER CONFIGURATION:
>
> version 12.4
> !
> resource policy
> !
> mmi polling-interval 60
> no mmi auto-configure
> no mmi pvc
> mmi snmp-timeout 180
> ip subnet-zero
> ip cef
> !
> no ip dhcp use vrf connected
> no ip dhcp conflict logging
> ip dhcp excluded-address 10.0.0.254
> ip dhcp excluded-address xx.xx.xx.97
> ip dhcp excluded-address xx.xx.xx.98
> ip dhcp excluded-address 10.0.0.1 10.0.0.10
> ip dhcp excluded-address 10.0.0.100 10.0.0.110
> !
> ip dhcp pool phones
>  network xx.xx.xx.96 255.255.255.224
>  default-router xx.xx.xx.97
>  dns-server xx.xx.xx.xx xx.xx.xx.xx
>  option 66 ascii "xxxx.xxxxxxxxx.com"
>  lease 30
> !
> ip dhcp pool data
>  network 10.0.0.0 255.255.255.0
>  default-router 10.0.0.1
>  dns-server 10.0.0.100 [cust. Windows server]
>  lease 30
> !
> ip name-server xx.xx.xx.xx
> ip name-server xx.xx.xx.xx
> !
> class-map match-all smtp-filter
>  match access-group 102
> class-map match-all voip-sip
>  match access-group 101
> class-map match-all voip-rtp
>  match access-group 100
> !
> !
> policy-map voip
>  class voip-rtp
>   priority 960
>  class voip-sip
>   bandwidth 56
>  class class-default
>   fair-queue
> policy-map inbound
>  class smtp-filter
> !
> interface Ethernet0
>  ip address xx.xx.xx.238 255.255.255.252
>  ip nat outside
>  load-interval 60
>  full-duplex
>  no cdp enable
>  service-policy input inbound
>  service-policy output voip
> !
> interface FastEthernet0
>  no ip address
>  speed 100
>  full-duplex
> !
> interface FastEthernet0.1
>  encapsulation dot1Q 1 native
>  ip address 10.0.0.1 255.255.255.0
>  ip nat inside
>  no snmp trap link-status
> !
> interface FastEthernet0.2
>  encapsulation dot1Q 2
>  ip address xx.xx.xx.97 255.255.255.224
>  no snmp trap link-status
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 xx.xx.xx.237
> !
> no ip http server
> ip nat inside source list 10 interface Ethernet0 overload
> ip nat inside source static tcp 10.0.0.100 25 interface Ethernet0 25
> ip nat inside source static tcp 10.0.0.100 3389 interface Ethernet0 3389
> ip nat inside source static tcp 10.0.0.100 443 interface Ethernet0 443
> ip nat inside source static tcp 10.0.0.100 80 interface Ethernet0 80
> !
> access-list 10 permit 10.0.0.0 0.0.0.255
> access-list 100 permit ip any any dscp ef
> access-list 101 permit ip any any dscp af31
> access-list 102 permit tcp xx.xx.0.0 0.0.255.255 any eq smtp
> access-list 102 deny tcp any any eq smtp
> access-list 102 permit ip any any
> !
> control-plane
> !
> end
>
> CISCO 3550 SWITCH INFORMATION:
>
> SWITCH#show ver
> Cisco IOS Software, C3550 Software (C3550-IPBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2005 by Cisco Systems, Inc.
> Compiled Tue 30-Aug-05 13:14 by yenanh
>
> ROM: Bootstrap program is C3550 boot loader
>
> SWITCH uptime is 3 days, 1 hour, 33 minutes
> System returned to ROM by power-on
> System image file is "flash:c3550-ipbase-mz.122-25.SEB4/c3550-ipbase-mz.122-25.SEB4.bin"
>
> Cisco WS-C3550-24 (PowerPC) processor (revision R0) with 65526K/8192K bytes of memory.
> Processor board ID CAT0946N39P
> Last reset from warm-reset
> Running Layer2/3 Switching Image
>
> 384K bytes of flash-simulated NVRAM.
>
> CISCO 3550 SWITCH CONFIGURATION:
>
> version 12.2
> mls qos
> ip subnet-zero
> ip name-server xx.xx.xx.xx
> ip name-server xx.xx.xx.xx
> !
> !
> no file verify auto
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> vlan internal allocation policy ascending
> !
> interface FastEthernet0/1
>  switchport mode access
>  switchport voice vlan 2
>  mls qos trust dscp
>  spanning-tree portfast
> !
> ! [ports 1-11 configured identically]
> !
> interface FastEthernet0/12
>  description WINDOWS 2003 SERVER
>  switchport mode access
>  mls qos trust dscp
>  spanning-tree portfast
> !
> interface FastEthernet0/13
>  switchport mode access
>  switchport voice vlan 2
>  mls qos trust dscp
>  spanning-tree portfast
> !
> ! [ports 13-23 configured identically]
> !
> interface FastEthernet0/24
>  description UPLINK TO 1721 ROUTER
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  duplex full
>  speed 100
> !
> interface Vlan1
>  ip address 10.0.0.254 255.255.255.0
> !
> interface Vlan2
>  ip address xx.xx.xx.98 255.255.255.224
> !
> ip classless
> !
> control-plane
>
> !
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
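
Added example, not part of the original thread and not the posters' own configuration: one way the layer-3 arrangement discussed above could look, with the 3550 routing both VLANs and relaying DHCP via "ip helper-address" to the pools that stay on the 1721. The 192.168.255.0/30 transit link and the move of the gateway addresses (10.0.0.1, xx.xx.xx.97) onto the switch SVIs are assumptions of this example; the xx.xx.xx values are the thread's own redactions.

```cisco
! ===== 3550: route between VLANs locally, relay DHCP to the 1721 =====
ip routing
!
interface Vlan1
 ! assumption: SVI takes over the data gateway address the pool hands out
 ip address 10.0.0.1 255.255.255.0
 ip helper-address 192.168.255.1
!
interface Vlan2
 ! assumption: SVI takes over the phone gateway address
 ip address xx.xx.xx.97 255.255.255.224
 ip helper-address 192.168.255.1
!
interface FastEthernet0/24
 description ROUTED UPLINK TO 1721 ROUTER
 no switchport
 ! assumption: constructed /30 transit subnet, not from the thread
 ip address 192.168.255.2 255.255.255.252
 duplex full
 speed 100
!
ip route 0.0.0.0 0.0.0.0 192.168.255.1
!
! ===== 1721: dot1Q subinterfaces replaced by one routed inside link =====
no interface FastEthernet0.1
no interface FastEthernet0.2
!
interface FastEthernet0
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
 speed 100
 full-duplex
!
! Return routes to both VLANs. The DHCP server also needs them to reach
! the relay address (giaddr), which it uses to pick the matching pool.
ip route 10.0.0.0 255.255.255.0 192.168.255.2
ip route xx.xx.xx.96 255.255.255.224 192.168.255.2
!
! Unchanged from the posted config: both "ip dhcp pool" blocks,
! access-list 10, and the "ip nat inside source" statements. Only
! 10.0.0.0/24 matches access-list 10, so the phone subnet is routed
! without translation, as before.
```

With this layout only Internet-bound traffic and relayed DHCP requests cross the 1721; traffic between hosts on the LAN is switched or routed on the 3550.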
