
cisco7301 low performance: the 7301 chokes at 100 PPPoE sessions

We installed a cisco 7301 as a PPPoE terminator and were somewhat disappointed by its not-so-great performance.

More specifically: with traffic of 30 in / 25 out on one interface and the reverse on the other, 7 kpps on one and 7 on the other, we see CPU load of 95-99%. There are roughly 100 sessions at that moment. Packet loss then starts on the interfaces, and accordingly the users complain.

It runs the whole access-server feature set: pppoe, netflow, dynamic acl, nat, ripv2.

As I understand it, NAT needs to be moved out to a separate PC? Will that help the overall picture?

Cisco config:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname vpn-15
!
boot-start-marker
boot-end-marker
!
logging console emergencies
enable password pass
!
aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting network default start-stop group radius
!
aaa session-id common
clock timezone MSK 3
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host netup 10.0.7.100 root enable
ip rcmd remote-host netup 10.0.7.100 netup enable
ip rcmd remote-host backup 10.0.7.7 root enable
ip flow-cache timeout inactive 10
ip flow-cache timeout active 1
!
!
ip cef
ip ftp username backup
ip ftp password pass
ip domain name blablabla
ip name-server 10.0.7.1
!
!
!
!
key chain ripkey
key 1
 key-string ripkey
!
!
!
!
!
!
!
!
!
!
username root privilege 15 password 0 pass
username netup privilege 8 password 0 pass
!
!
!
bba-group pppoe PPPoE
virtual-template 1
sessions per-mac limit 1
sessions per-vlan limit 1000
sessions auto cleanup
!
!
interface Loopback0
description PPPoE users
ip address 192.168.101.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0
ip address 10.0.7.15 255.255.255.0
ip rip send version 2
ip rip receive version 2
ip rip authentication mode md5
ip rip authentication key-chain ripkey
duplex auto
speed 1000
media-type rj45
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
no ip redirects
no ip proxy-arp
ip virtual-reassembly
pppoe enable group PPPoE
no cdp enable
!
interface GigabitEthernet0/1
ip address *.*.*.* 255.255.255.192
ip rip send version 2
ip rip receive version 2
ip rip authentication mode md5
ip rip authentication key-chain ripkey
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed 1000
media-type rj45
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface Virtual-Template1
mtu 1492
ip unnumbered Loopback0
ip access-group 105 in
ip access-group 106 out
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no peer default ip address
ppp authentication ms-chap-v2 chap
!
router rip
version 2
redistribute connected
network 10.0.0.0
network *.*.0.0
neighbor *.*.*.*
distribute-list 10 out GigabitEthernet0/1
distribute-list 1301 in
no auto-summary
!
ip default-gateway *.*.*.*
ip route 0.0.0.0 0.0.0.0 *.*.*.*
ip route *.*.*.0 255.255.255.0 Null0 254
ip route *.*.*.0 255.255.255.0 Null0 254
ip route *.*.*.0 255.255.255.0 Null0 254
ip route *.*.*.0 255.255.255.0 Null0 254
ip flow-export version 5
ip flow-export destination 10.0.7.100 9996
!
no ip http server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
!
ip access-list standard TELNET
permit 10.0.7.7
permit 10.0.7.1
permit 10.11.1.83
permit 10.22.6.66
permit 10.0.7.100
ip radius source-interface GigabitEthernet0/0
access-list 1 permit 192.168.96.0 0.0.31.255
access-list 10 permit any
access-list 1301 permit 10.0.0.0 0.255.255.255
access-list 1301 permit *.*.*.* 0.0.3.255
access-list 1301 deny   any
access-list 105 dynamic test1 permit ip any any
access-list 106 dynamic test2 permit ip any any
access-list 135 deny   ip 10.0.0.0 0.255.255.255 any
access-list 135 deny   ip any 10.0.0.0 0.255.255.255
access-list 135 deny   ip 172.16.0.0 0.15.255.255 any
access-list 135 deny   ip any 172.16.0.0 0.15.255.255
access-list 135 permit ip any any
snmp-server community community RO
snmp-server location ciscovpn
snmp-server contact admin@blablabla.ru
snmp-server host 10.0.7.7 community
!
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute 31 mac format ietf
radius-server configure-nas
radius-server host 10.0.7.100 auth-port 1812 acct-port 1813 key rfwpassword
radius-server retransmit 0
radius-server timeout 15
radius-server key rfwpassword
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
!
!
!
gatekeeper
shutdown
!
privilege exec level 8 access-template
privilege exec level 8 clear access-template
privilege exec level 8 clear
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class TELNET in
exec-timeout 5 0
password blablabla
line vty 5 15
access-class TELNET in
exec-timeout 5 0
password blablabla
!
ntp clock-period 17179745
ntp server 10.0.7.1
!
end

Edited by newbiegb

ip nat inside source list 1 interface GigabitEthernet0/1 overload

 

It NATs like crap... Move it out
