
config help


gangaskan
OK, I'm trying to optimise my config for my 1760, so any help would rock :ty:



Building configuration...

Current configuration : 5332 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname peanutbutter
!
boot-start-marker
boot system flash c1700-entbasek9-mz.124-25d.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxx
enable password 7 xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool Internal-net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
lease 4
!
!
no ip bootp server
ip name-server 8.8.8.8
ip name-server 209.142.152.253
ip name-server 207.230.192.254
ip ddns update method ccp_ddns1
HTTP
add http://ssssss:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
ip ddns update method ccpddns1
!
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-754190214
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-754190214
revocation-check none
rsakeypair TP-self-signed-754190214
!
!
username xxxx privilege 15 password 7 xxxxxx
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip ddns update ccp_ddns1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxx password 7 xxxxxxxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http secure-server
ip nat inside source list Internal_Net interface Dialer0 overload
ip nat inside source static tcp 192.168.1.50 3389 interface Dialer0 3389
!
ip access-list extended Internal_Net
remark internal network
remark CCP_ACL Category=2
permit ip 192.168.1.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^Cillegal usage of this router is prohibited by law. please disconnect if unauthorized ^C
!
line con 0
password 7 xxxxxxxxxx
transport output telnet
line aux 0
transport output telnet
line vty 0 4
password 7 xxxxxxxx
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17208560
ntp source Dialer0
ntp server 63.240.161.99 source dialer0 prefer
end



I know in my config I do want to set aux0 to no transport mode; I want to gussy up the banner a little (I have a pre-made one I'll put on soon) and clean up a few things here and there. However, in regards to my PPPoE setup, how does that look?
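Several of the weak spots in the posted config (type 7 passwords next to an enable secret, telnet on the vty lines, an aux port with no transport restriction, plain-HTTP management, RDP forwarded straight from the WAN, DDNS credentials in a cleartext URL) can be checked mechanically. The following is an added example by the editor, not code from the thread or from Cisco: a small Python linter run over an excerpt of the config above. The excerpt keeps the poster's own 'xxxxx' placeholders for secrets and swaps the DDNS host for a placeholder; the rule names, the ADMIN_PORTS list and the advice strings are the editor's own.

```python
"""Lint a Cisco IOS running-config for the weak settings visible in the post.

Editor's added example; not code from the thread or from Cisco.  The rule
names, the ADMIN_PORTS list and the advice text are the editor's own.
"""
import re

# Excerpt of the posted config, indented as IOS prints it.  Secrets are the
# poster's own 'xxxxx' placeholders; the DDNS host is a placeholder chosen here.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 xxxxxx
enable password 7 xxxxx
username xxxx privilege 15 password 7 xxxxxx
ip ddns update method ccp_ddns1
 HTTP
  add http://ssssss:xxxxxx@ddns.example/nic/update?system=dyndns&hostname=<h>&myip=<a>
ip http server
ip http access-class 1
ip http secure-server
ip nat inside source list Internal_Net interface Dialer0 overload
ip nat inside source static tcp 192.168.1.50 3389 interface Dialer0 3389
line con 0
 password 7 xxxxxxxxxx
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 password 7 xxxxxxxx
 transport input telnet ssh
"""

# Services that should not be port-forwarded straight from the WAN (assumed list).
ADMIN_PORTS = {"22", "23", "445", "3389", "5900"}

# (rule id, regex applied to each stripped line, advice)
LINE_RULES = [
    ("enable-password-type7", r"^enable password 7 ",
     "type 7 is trivially reversible; 'enable secret' is already set, so 'no enable password'"),
    ("username-type7", r"^username \S+ .*password 7 ",
     "use 'username <name> privilege 15 secret <pw>' instead of a type 7 password"),
    ("http-plain", r"^ip http server$",
     "management over cleartext HTTP; 'no ip http server', keep 'ip http secure-server'"),
    ("ddns-creds-in-url", r"^add http://[^/\s:]+:[^@\s]+@",
     "DDNS user:password travel in cleartext on every update; use https:// if the provider supports it"),
]


def parse(config):
    """Return [(lineno, parent, text)]; parent is the unindented command that an
    indented sub-command belongs to, None for top-level lines."""
    rows, parent = [], None
    for lineno, raw in enumerate(config.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            parent = raw.strip()
            rows.append((lineno, None, parent))
        else:
            rows.append((lineno, parent, raw.strip()))
    return rows


def audit(config):
    """Return [(lineno, rule id, advice)] for every weak setting found."""
    rows = parse(config)
    findings = []
    for lineno, parent, text in rows:
        for rule_id, pattern, advice in LINE_RULES:
            if re.search(pattern, text):
                findings.append((lineno, rule_id, advice))
        m = re.match(r"ip nat inside source static tcp \S+ \d+ interface \S+ (\d+)$", text)
        if m and m.group(1) in ADMIN_PORTS:
            findings.append((lineno, "wan-exposed-admin-port",
                             f"TCP/{m.group(1)} is reachable from the whole Internet; reach it over a VPN instead"))
        if parent and parent.startswith("line "):
            if text.startswith("password 7 "):
                # With 'aaa new-model' and 'login default local' the line password is
                # not consulted for login anyway, so it is pure exposure.
                findings.append((lineno, "line-password-type7",
                                 f"{parent}: reversible type 7 password; remove it and rely on AAA"))
            if text.startswith("transport input") and "telnet" in text.split():
                findings.append((lineno, "telnet-input",
                                 f"{parent}: drop telnet, use 'transport input ssh'"))
    aux_row = next((l for l, p, t in rows if p is None and t == "line aux 0"), None)
    if aux_row is not None:
        aux = {t for _, p, t in rows if p == "line aux 0"}
        if not aux & {"transport input none", "no exec"}:
            findings.append((aux_row, "aux-open",
                             "line aux 0: add 'no exec' and 'transport input none' unless a modem is attached"))
    return sorted(findings)


def finding_ids(config):
    """Rule ids triggered, as a sorted list (handy for tests and diffs)."""
    return sorted({rule_id for _, rule_id, _ in audit(config)})


if __name__ == "__main__":
    for lineno, rule_id, advice in audit(SAMPLE_CONFIG):
        print(f"line {lineno:>3} [{rule_id}] {advice}")
```

Run it on the full `show running-config` output and the line numbers point at the exact commands to change; a config that has moved to `username ... secret`, `transport input ssh`, `no exec` plus `transport input none` on the aux port, and `no ip http server` produces no findings.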
 
Your PPPoE interface is Dialer0, right? If so, why is the MTU at 1492? Shouldn't it be at 1518 for Ethernet? That could be forcing your router's CPU to work harder to create more packets because less data fits in each packet. Also, if Dialer0 is an Ethernet interface that is point-to-point you could kill your pap authentication (which is pretty useless anyway) to save yourself some CPU cycles.

There's so much in your config - I'm sorry if I strayed off on the wrong path.

Brian
 

It's ATM, Brian; my setup is ADSL2. 1492, IIRC, is the most I can fit in a PPPoE packet, right? Including overhead for the PPP, PPPoE, and Ethernet frame headers. Or would it be "optimal" to use 1452 due to cell padding?


Edit: I do need PPPoE auth; my dial pool is tied to ATM 0/0.1.
 
Man... I wish I was in a better position to help you out. ATM and what you are talking about is over my head, which doesn't make sense to me because I'm CCNA certified. I feel like I should be able to understand wtf you are saying.
 
Have you done any ISDN? You should have done this in CCNA4 unless they took it out. It's similar to that: in order to connect to a DSL network that has authentication you need a dialer profile; nothing should be on the physical interface itself. However, I talked to my teacher and he said the only thing I should look at is turning proxy ARP back on.


I'm waiting for my flash to come so I can install a better image, so I can do CBAC :)


Have you started any of the NP courses yet? All I have left is Wireless and Multilayer Switching :) I can't wait to finish!!!!
 
You should only need to set "ip tcp adjust-mss 1452" on the interface for your LAN, because the hosts on the inside will have the larger MTU size (typically 1500 bytes), hence the need for adjustment on the internal LAN. That setting on the outside will have no effect on the traffic.

Just for reference the way you get to that number is you will have to allocate 20 bytes for the IP Header, 20 bytes for the TCP Header, and 8 bytes for the PPPoE header. 1500 - 20 - 20 - 8 = 1452

Not sure if the Ciscos can do it, but I do know that on Juniper we can also specify the MSS for VPN-encapsulated packets. If my fuzzy memory serves me correctly that value is typically 1350 bytes because of the additional overhead of the IPsec header.

Another way to solve this problem is to allow Path-MTU discovery (PMTU), which allows the router to automatically negotiate the MTU and MSS with the endpoint using ICMP Packets. Sadly, sometimes it cannot be used due to network admins/engineers blocking ICMP along the path from the source to the destination.



Additional Fun-Filled reference:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html
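The arithmetic above (1500 - 20 - 20 - 8 = 1452), the earlier question about whether 1452 is "optimal" given ATM cell padding, and the GRE tunnel case raised later in the thread all come out of the same few header sizes. The following is an added example by the editor, not code from the thread or from Cisco: a Python module that derives link MTU and `ip tcp adjust-mss` values for a stack of encapsulations, counts AAL5 cells and padding for a frame, and finds the largest MSS that fills whole cells. The only assumption is the per-frame overhead the caller supplies for the ATM side; the 72-byte figure used in the demo (10 LLC/SNAP + 14 Ethernet + 8 PPPoE/PPP + 20 IPv4 + 20 TCP for RFC 2684 bridged PPPoE) is the editor's, and a VC-mux or PPPoA circuit will differ.

```python
"""MTU/MSS arithmetic for PPPoE, GRE and ATM (AAL5) links.

Editor's added example, not code from the thread.  Header sizes are the
fixed, option-free ones; the encapsulation chain and the per-frame ATM
overhead are supplied by the caller.
"""

IPV4_HDR = 20
TCP_HDR = 20
AAL5_TRAILER = 8          # CPCS-PDU trailer carried in the last cell
ATM_CELL_PAYLOAD = 48     # 53-byte cell minus the 5-byte cell header
ATM_CELL = 53

# Bytes each encapsulation takes off the outer MTU.
OVERHEAD = {
    "pppoe": 8,   # 6-byte PPPoE header + 2-byte PPP protocol field
    "gre": 24,    # 20-byte outer IPv4 header + 4-byte GRE header (no key/seq)
}


def link_mtu(encaps, outer_mtu=1500):
    """Largest IP packet that still fits once the listed encapsulations are stacked."""
    return outer_mtu - sum(OVERHEAD[e] for e in encaps)


def tcp_mss(encaps, outer_mtu=1500):
    """Value for 'ip tcp adjust-mss': link MTU minus option-free IPv4 and TCP headers."""
    return link_mtu(encaps, outer_mtu) - IPV4_HDR - TCP_HDR


def aal5_cells(sdu_len):
    """(cells, padding bytes) needed to carry an sdu_len-byte frame over AAL5:
    payload plus the 8-byte trailer is padded up to whole 48-byte cell payloads."""
    total = sdu_len + AAL5_TRAILER
    cells = (total + ATM_CELL_PAYLOAD - 1) // ATM_CELL_PAYLOAD
    return cells, cells * ATM_CELL_PAYLOAD - total


def mss_without_cell_padding(max_mss, frame_overhead):
    """Largest MSS <= max_mss whose full-size segment, plus frame_overhead bytes of
    caller-supplied Ethernet/PPPoE/IP/TCP/RFC 2684 headers, ends exactly on a
    cell boundary.  None if no such MSS exists in range."""
    for mss in range(max_mss, 0, -1):
        if aal5_cells(mss + frame_overhead)[1] == 0:
            return mss
    return None


def cell_efficiency(mss, frame_overhead):
    """Fraction of line bytes that are TCP payload for one full-size segment."""
    cells, _ = aal5_cells(mss + frame_overhead)
    return mss / (cells * ATM_CELL)


if __name__ == "__main__":
    # Assumed per-frame overhead for PPPoE bridged over LLC/SNAP (RFC 2684):
    # 10 LLC/SNAP + 14 Ethernet + 8 PPPoE/PPP + 20 IPv4 + 20 TCP = 72 bytes.
    FRAME = 72
    print("PPPoE MTU/MSS:", link_mtu(["pppoe"]), tcp_mss(["pppoe"]))
    print("GRE   MTU/MSS:", link_mtu(["gre"]), tcp_mss(["gre"]))
    print("GRE over PPPoE MSS:", tcp_mss(["pppoe", "gre"]))
    for mss in (1452, mss_without_cell_padding(1452, FRAME)):
        print(mss, aal5_cells(mss + FRAME), round(cell_efficiency(mss, FRAME), 4))
```

With the 72-byte assumption, a 1452-byte segment lands at 32 cells with only 4 bytes of padding, and the largest padding-free MSS is 1408 at 31 cells; the payload efficiency differs by about a tenth of a percent, so the standard 1452 is the right call and the cell-padding argument does not justify going lower.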
 


I'll check that out later, thanks dark :) I figured I'd just keep the MTU the same across the board, since it's going to need to process it down at some point or another. I'll make the changes later and find out more :thup:


I think you can knock down the size on VPN packets if they're sent via a GRE tunnel, btw, since you have to set up a tunnel virtual interface in order for it to work.
 
I guess there's no ISDN in CCNA 4.1. I JUST received my certificate in the mail from my recent successful exam, so it's possible that they took it out. Yeah, I'm deep into my CCNP ROUTE book already. After that I'll do SWITCH and then TSHOOT. I love CCNP, btw. It's almost like it's easier than CCNA because there are only a few topics, even if you go pretty deep into the subject matter.

Brian
 
The routing gets a little tricky with doing multi-path redundancy and things like that, but yeah, IMO CCNP is a whole different game, almost easier :)


QoS was a joke, Remote Access was pretty easy, Advanced Routing was a little hard for me, but I got through it :) I still need to do MLS and Wireless and then I'm finished with the CCNP courses.
 