Recently I have been migrating some users from ADSL to VDSL. The old 877 routers are being replaced with 887s. A problem has come up, though, which I have been fighting and unfortunately losing. Hence this request for help.
The routers are configured for a mixed connection: one VLAN goes straight to the internet, the rest go through VPN. The VPN terminates on a Palo Alto firewall. Both the 887 and the 877 use identical VPN settings, yet on the 887 the speed TO the user is limited to 4-5 Mbit. Upload is OK (meaning close to the line speed). On ADSL (i.e. on the old 877) the problem does not occur, despite identical settings. I have tried MSS and MTU in every possible place. I have tried different VDSL firmware. Nothing makes a difference and the speed seems to be artificially limited to those 4-5 Mbit. Tested with iperf and with unhappy users. A direct connection to the internet works correctly and I get normal speeds. Only VPN, only in one direction, and only over VDSL on the 887. Perhaps one of you esteemed colleagues has run into a similar problem or can point me in the right direction. A connection from the 887 over the local network through the VPN works correctly; it is only this wretched VDSL.
Here are excerpts from the configs that may help in solving the problem:
887 (the problem is somewhere in here)
Code:
vtp mode transparent
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname HOSTNAME
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
!
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 172.17.xxx.126
ip dhcp excluded-address 172.17.xxx.190
ip dhcp excluded-address 172.17.xxx.254
!
ip dhcp pool Home
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
domain-name homepc.co.uk
dns-server 212.23.3.100 212.23.6.100
!
ip dhcp pool Corp
network 172.17.xxx.0 255.255.255.128
dns-server
default-router 172.17.xxx.126
domain-name
!
ip dhcp pool Corp_VoIP
network 172.17.xxx.128 255.255.255.192
default-router 172.17.xxx.190
ip dhcp pool Corp_Spare
network 172.17.xxx.192 255.255.255.192
default-router 172.17.xxx.254
!
!
ip cef
no ip bootp server
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key THEKEY address IP_ADDRESS
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES esp-aes 256 esp-sha-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
set peer IP_ADDRESS
set transform-set AES
match address 106
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
bridge irb
!
!
interface Loopback0
ip address 172.17.200.xxx 255.255.255.255
!
interface ATM0
no ip address
shutdown
!
interface Ethernet0
no ip address
no shutdown
interface Ethernet0.101
encapsulation dot1q 101
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
switchport access vlan 20
switchport voice vlan 30
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 20
switchport voice vlan 30
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 20
switchport voice vlan 30
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 20
switchport voice vlan 30
spanning-tree portfast
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 40
switchport mode trunk
no ip address
no shutdown
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan40
no shutdown
!
!
interface Vlan1
description Home Computer Vlan
no ip address
bridge-group 10
!
interface Vlan20
description Corporate Laptop Vlan
no ip address
bridge-group 20
!
interface Vlan30
description Corporate_VoIP Vlan
no ip address
bridge-group 30
!
interface Vlan40
description Corporate_Spare Vlan
no ip address
bridge-group 40
!
vlan 20
name Corp
vlan 30
name Corp_VoIP
vlan 40
name Corp_Spare
!
interface Dialer0
description $FW_OUTSIDE$
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
ppp ipcp address accept
crypto map CRYPTO
!
interface BVI10
description Home Computer BridgeGroup
ip address 192.168.0.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface BVI20
description Corporate Laptop BridgeGroup
ip address 172.17.xxx.126 255.255.255.128
ip access-group 103 in
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface BVI30
description Corporate_VoIP BridgeGroup
ip address 172.17.xxx.190 255.255.255.192
ip access-group 104 in
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface BVI40
description Corporate_Spare BridgeGroup
ip address 172.17.xxx.254 255.255.255.192
ip access-group 105 in
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip tacacs source-interface Loopback0
!
logging trap debugging
access-list 1 remark NAT Home PC's to internet
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 99 permit 172.17.xxx.0 0.0.0.255
access-list 99 deny any
access-list 101 remark Access List to control access from internet in
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 172.17.xxx.0 0.0.0.255 any
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 deny ip any any
access-list 102 remark Access list for public vlan in
access-list 102 permit udp any any eq bootps
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 127.0.0.0 0.255.255.255
access-list 102 deny ip any any
access-list 103 remark Access list for corporate vlan in
access-list 103 permit udp any any eq bootps
access-list 103 deny ip any 192.168.0.0 0.0.0.255
access-list 103 permit ip 172.17.xxx.0 0.0.0.127 any
access-list 103 deny ip any any
access-list 104 remark Access list for corporate VoIP vlan in
access-list 104 permit udp any any eq bootps
access-list 104 deny ip any 192.168.0.0 0.0.0.255
access-list 104 permit ip 172.17.xxx.128 0.0.0.63 any
access-list 104 deny ip any any
access-list 105 remark Access list for corporate VoIP vlan in
access-list 105 permit udp any any eq bootps
access-list 105 deny ip any 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.17.xxx.192 0.0.0.63 any
access-list 105 deny ip any any
access-list 106 permit ip 172.17.xxx.0 0.0.0.255 any
access-list 106 permit ip host 172.17.200.xxx any
dialer-list 1 protocol ip permit
!
!
!
!
!
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
bridge 40 protocol ieee
bridge 40 route ip
!
Code:
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname HOSTNAME
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
!
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 172.17.xxx.126
ip dhcp excluded-address 172.17.xxx.190
ip dhcp excluded-address 172.17.xxx.254
!
ip dhcp pool Home
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
domain-name homepc.co.uk
dns-server 212.23.3.100 212.23.6.100
!
ip dhcp pool Corp
network 172.17.xxx.0 255.255.255.128
default-router 172.17.xxx.126
!
ip dhcp pool Corp_VoIP
network 172.17.xxx.128 255.255.255.192
default-router 172.17.xxx.190
!
ip dhcp pool Corp_Spare
network 172.17.xxx.192 255.255.255.192
dns-server
default-router 172.17.xxx.254
domain-name
!
!
ip cef
no ip bootp server
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key THEKEY address IP_ADDRESS
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES esp-aes 256 esp-sha-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
set peer IP_ADDRESS
set transform-set AES
match address 106
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
bridge irb
!
!
interface Loopback0
ip address 172.17.200.xxx 255.255.255.255
!
interface ATM0
no shutdown
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description Link to ISP
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
switchport access vlan 20
switchport voice vlan 30
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 20
switchport voice vlan 30
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 20
switchport voice vlan 30
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 20
switchport voice vlan 30
spanning-tree portfast
!
!
!
!
!
interface Vlan1
description Home Computer Vlan
no ip address
bridge-group 10
!
interface Vlan20
description Corporate Laptop Vlan
no ip address
bridge-group 20
!
interface Vlan30
description Corporate_VoIP Vlan
no ip address
bridge-group 30
!
interface Vlan40
description Corporate_Spare Vlan
no ip address
bridge-group 40
!
vlan 20
name Corp
vlan 30
name Corp_VoIP
vlan 40
name Corp_Spare
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
crypto map CRYPTO
!
interface BVI10
description Home Computer BridgeGroup
ip address 192.168.0.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface BVI20
description Corporate Laptop BridgeGroup
ip address 172.17.xxx.126 255.255.255.128
ip access-group 103 in
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface BVI30
description Corporate_VoIP BridgeGroup
ip address 172.17.xxx.190 255.255.255.192
ip access-group 104 in
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface BVI40
description Corporate_Spare BridgeGroup
ip address 172.17.xxx.254 255.255.255.192
ip access-group 105 in
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip tacacs source-interface Loopback0
!
logging trap debugging
access-list 1 remark NAT Home PC's to internet
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 remark Access List to control access from internet in
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 172.17.xxx.0 0.0.0.255 any
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 deny ip any any
access-list 102 remark Access list for public vlan in
access-list 102 permit udp any any eq bootps
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 127.0.0.0 0.255.255.255
access-list 102 deny ip any any
access-list 103 remark Access list for corporate vlan in
access-list 103 permit udp any any eq bootps
access-list 103 deny ip any 192.168.0.0 0.0.0.255
access-list 103 permit ip 172.17.xxx.0 0.0.0.127 any
access-list 103 deny ip any any
access-list 104 remark Access list for corporate VoIP vlan in
access-list 104 permit udp any any eq bootps
access-list 104 deny ip any 192.168.0.0 0.0.0.255
access-list 104 permit ip 172.17.xxx.128 0.0.0.63 any
access-list 104 deny ip any any
access-list 105 remark Access list for corporate VoIP vlan in
access-list 105 permit udp any any eq bootps
access-list 105 deny ip any 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.17.xxx.192 0.0.0.63 any
access-list 105 deny ip any any
access-list 106 permit ip 172.17.xxx.0 0.0.0.255 any
access-list 106 permit ip host 172.17.200.xxx any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
bridge 40 protocol ieee
bridge 40 route ip
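As an added illustration (not part of the original post), here is the packet-size arithmetic behind the values visible in the 887 config: the transform set esp-aes 256 esp-sha-hmac, mtu 1492 and ip tcp adjust-mss 1452 on Dialer0. It assumes tunnel mode, AES-CBC (what IOS "esp-aes" means), HMAC-SHA1-96 with a 12-byte ICV, an IPv4 outer header and no NAT-T.

```python
# Added example, not from the original post: sizes an ESP tunnel-mode packet
# for the posted transform set (esp-aes 256 esp-sha-hmac) and checks whether a
# full TCP segment allowed by "ip tcp adjust-mss 1452" still fits the PPPoE MTU.
# Assumptions: AES-CBC, HMAC-SHA1-96 (12-byte ICV), IPv4 outer header, no NAT-T.

ESP_HEADER = 8          # SPI (4) + sequence number (4)
AES_BLOCK = 16          # AES-CBC IV length and padding block size
ESP_TRAILER = 2         # pad length (1) + next header (1)
SHA1_ICV = 12           # HMAC-SHA1-96 authentication tag
IPV4_HEADER = 20
TCP_HEADER = 20
PPPOE_MTU = 1492        # "mtu 1492" on Dialer0 in the posted 887 config
CONFIGURED_MSS = 1452   # "ip tcp adjust-mss 1452" in the posted config


def esp_tunnel_size(inner_packet_len: int) -> int:
    """On-wire IPv4 length of an ESP tunnel-mode packet carrying an inner
    IP packet of inner_packet_len bytes."""
    # Tunnel mode encrypts the whole inner IP packet plus the ESP trailer,
    # padded up to the cipher block size; IV, ESP header, ICV and the outer
    # IP header are added around it.
    plaintext = inner_packet_len + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK    # round up to 16
    return IPV4_HEADER + ESP_HEADER + AES_BLOCK + padded + SHA1_ICV


def mss_to_wire(mss: int) -> int:
    """Encrypted on-wire size of a full-size TCP segment sent with this MSS."""
    return esp_tunnel_size(IPV4_HEADER + TCP_HEADER + mss)


def max_mss_for_mtu(mtu: int) -> int:
    """Largest MSS whose full-size segment still fits the link MTU after ESP."""
    mss = mtu - IPV4_HEADER - TCP_HEADER        # clear-text upper bound
    while mss > 0 and mss_to_wire(mss) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    wire = mss_to_wire(CONFIGURED_MSS)
    verdict = "exceeds" if wire > PPPOE_MTU else "fits"
    print(f"MSS {CONFIGURED_MSS}: {wire} bytes on the wire, {verdict} MTU {PPPOE_MTU}")
    print(f"Largest MSS that fits MTU {PPPOE_MTU}: {max_mss_for_mtu(PPPOE_MTU)}")
```

With the posted values a full-size segment encrypts to 1560 bytes, above the 1492-byte dialer MTU, so it can only leave the link fragmented or dropped depending on DF handling; the largest MSS that fits without fragmentation under these assumptions is 1382.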