Cisco 2501 Router - Totally Confused


paddyhasneeds

Original Poster:

51,395 posts

211 months

Saturday 23rd February 2008
We've just had a 100mbps internet connection installed.

We use Microsoft ISA Server at the edge of the LAN to control outbound access.

Pretty much all http(s) traffic is proxied and FTP traffic is treated as Secure NAT traffic which AIUI means it's handled by traditional TCP/IP and if it's for an external address it goes off to the default gateway etc.

I'd been assuming we'd have to replace the Cisco 2501 we have on the LAN acting as default gateway as it only has an AUI interface with a 10Base-T transceiver on it.

I've just been doing some testing and I've been pulling down around 75mbps from external FTP sites.

Quite simply, I don't get how as the Cisco that's acting as the default gateway can't handle this, and the FTP client (FileZilla) isn't set to use a proxy so should be using the default gateway.

Am I being thick?

off_again

12,340 posts

235 months

Saturday 23rd February 2008
Good question - though I would assume it's an FE port (Fast Ethernet) which supports both 10 and 100 Mbps. Might be worth seeing what the port settings are and what it is negotiating. But I would suggest that the 2501 is reaching its limits with regards to performance (it's quite an old model) and hence might be worth investigating in something newer.

Log in to the Cisco and check what the port settings are. Also look on the back of it and it should say FE 0/1 for example on the back, which means it's a fast ethernet model.

paddyhasneeds

Original Poster:

51,395 posts

211 months

Saturday 23rd February 2008
off_again said:
Log in to the Cisco and check what the port settings are. Also look on the back of it and it should say FE 0/1 for example on the back, which means it's a fast ethernet model.
Thanks for the reply. I'm not physically there at the moment and don't know the login details but can check Monday.

Either way unless my memory is playing tricks the AUI transceiver in the back of it is a 10 baseT one, and AUI is only 10 baseT anyway isn't it?

TurricanII

1,516 posts

199 months

Saturday 23rd February 2008
Maybe check for some sort of FTP compression being negotiated between ftp server and client?

off_again

12,340 posts

235 months

Saturday 23rd February 2008
paddyhasneeds said:
off_again said:
Log in to the Cisco and check what the port settings are. Also look on the back of it and it should say FE 0/1 for example on the back, which means it's a fast ethernet model.
Thanks for the reply. I'm not physically there at the moment and don't know the login details but can check Monday.

Either way unless my memory is playing tricks the AUI transceiver in the back of it is a 10 baseT one, and AUI is only 10 baseT anyway isn't it?
Oh yes, you are correct. An AUI port is 10Mbps max throughput.... interesting to see what is going on here...

theboss

6,919 posts

220 months

Saturday 23rd February 2008
Sounds to me like the FTP traffic is being proxied through the ISA box one way or another. Can you monitor ISA to confirm if this is indeed the case?

I am assuming the ISA box has full 100Mbps connectivity to the WAN circuit?

Edited by theboss on Saturday 23 February 20:56

paddyhasneeds

Original Poster:

51,395 posts

211 months

Saturday 23rd February 2008
theboss said:
Sounds to me like the FTP traffic is being proxied through the ISA box one way or another. Can you monitor ISA to confirm if this is indeed the case?

I am assuming the ISA box has full 100Mbps connectivity to the WAN circuit?

Edited by theboss on Saturday 23 February 20:56
I would have thought so too, but if I haven't specified any sort of proxy in a "dumb" application like FileZilla then short of divine intervention it has to be ignorant of the ISA server and just going to the Default Gateway, doesn't it?

The ISA logs/monitoring show that the FTP traffic is Firewall traffic rather than Web Proxy traffic too.

I've also tried it with things like SSH traffic which can't be proxied, and I can use SCP to upload various Linux ISO images to a Linux box in our DMZ at around 45-50mbps.

My best guess is that as the Cisco only has a single interface and is only handling routes that point to other IPs on the LAN then maybe it isn't acting like a traditional router by accepting packets and forwarding them, rather it's somehow "telling" clients where to send packets - sound feasible?!

theboss

6,919 posts

220 months

Saturday 23rd February 2008
paddyhasneeds said:
theboss said:
Sounds to me like the FTP traffic is being proxied through the ISA box one way or another. Can you monitor ISA to confirm if this is indeed the case?

I am assuming the ISA box has full 100Mbps connectivity to the WAN circuit?

Edited by theboss on Saturday 23 February 20:56
I would have thought so too, but if I haven't specified any sort of proxy in a "dumb" application like FileZilla then short of divine intervention it has to be ignorant of the ISA server and just going to the Default Gateway, doesn't it?

The ISA logs/monitoring show that the FTP traffic is Firewall traffic rather than Web Proxy traffic too.

I've also tried it with things like SSH traffic which can't be proxied, and I can use SCP to upload various Linux ISO images to a Linux box in our DMZ at around 45-50mbps.

My best guess is that as the Cisco only has a single interface and is only handling routes that point to other IPs on the LAN then maybe it isn't acting like a traditional router by accepting packets and forwarding them, rather it's somehow "telling" clients where to send packets - sound feasible?!
I'm not a Cisco guy by any means but yes this does sound feasible. I presume all it would take is a default route on the Cisco referring to another gateway which could be via any of its interfaces (not necessarily the 'WAN' one). Can you try a tracert?

paddyhasneeds

Original Poster:

51,395 posts

211 months

Sunday 24th February 2008
theboss said:
I'm not a Cisco guy by any means but yes this does sound feasible. I presume all it would take is a default route on the Cisco referring to another gateway which could be via any of its interfaces (not necessarily the 'WAN' one). Can you try a tracert?
They show the default gateway as being a hop.

I've been doing a little more investigating and have found that running various speed testers and downloads through Internet Explorer I get different results depending if I have a proxy specified or not.

This suggests that, as expected, traffic is going either via the proxy, or via the TCP/IP routing.

I'm still totally scratching my head over the results, I'm happy enough that we may not need to spend a few quid on a replacement router that can handle the additional loading, but still confused as st over why things are behaving as they are.

_DeeJay_

4,898 posts

255 months

Sunday 24th February 2008
paddyhasneeds said:
theboss said:
I'm not a Cisco guy by any means but yes this does sound feasible. I presume all it would take is a default route on the Cisco referring to another gateway which could be via any of its interfaces (not necessarily the 'WAN' one). Can you try a tracert?
They show the default gateway as being a hop.

I've been doing a little more investigating and have found that running various speed testers and downloads through Internet Explorer I get different results depending if I have a proxy specified or not.

This suggests that, as expected, traffic is going either via the proxy, or via the TCP/IP routing.

I'm still totally scratching my head over the results, I'm happy enough that we may not need to spend a few quid on a replacement router that can handle the additional loading, but still confused as st over why things are behaving as they are.
I've kind of skim read the thread, so I hope I've got the gist;

Default gateway = old slow router
ISA Server = on the same subnet as the client, quicker than old slow router.

What should happen is that the router will tell the client (via an ICMP redirect) to use the ISA server directly.

However, if you're using the ISA Client (or a browser with the proxy set) and the ISA Server is on the same subnet, then the ICMP redirect isn't necessary anyway.

You can check for an ICMP redirect pretty easily, as a Windows client will show it in its routing table (ROUTE PRINT).


Edited by _DeeJay_ on Sunday 24th February 22:20
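
An added example, not part of the thread: a parser for the ICMP Redirect (type 5) message described in the post above, with the two checks from RFC 1122 section 3.2.2.2 that a host applies before installing the redirected route. The addresses (router 192.0.2.1, ISA server 192.0.2.10, client 192.0.2.50) and the `build_sample` packet are constructed for illustration.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample(new_gw: str, orig_src: str, orig_dst: str) -> bytes:
    """Constructed ICMP Redirect (type 5, code 1 = redirect for host)."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    # Embedded original IPv4 header (20 bytes) plus first 8 bytes of its payload.
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                        ip(orig_src), ip(orig_dst)) + bytes(8)
    body = ip(new_gw) + inner
    cksum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, cksum) + body

def parse_redirect(icmp: bytes) -> dict:
    """Return the new gateway and the destination the redirect applies to."""
    if len(icmp) < 28:
        raise ValueError("too short for a redirect with embedded IPv4 header")
    icmp_type, code = struct.unpack("!BB", icmp[:2])
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect")
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    return {"code": code,
            "new_gateway": ipaddress.IPv4Address(icmp[4:8]),
            "orig_dst": ipaddress.IPv4Address(icmp[24:28])}

def accept_redirect(msg: dict, sender: str, first_hop: str, lan: str) -> bool:
    """RFC 1122 3.2.2.2: sender must be the current first hop for the
    destination, and the new gateway must be on the connected subnet."""
    return (ipaddress.IPv4Address(sender) == ipaddress.IPv4Address(first_hop)
            and msg["new_gateway"] in ipaddress.ip_network(lan))

if __name__ == "__main__":
    # Constructed addresses: router .1, ISA server .10, client .50 on one LAN.
    pkt = build_sample("192.0.2.10", "192.0.2.50", "198.51.100.7")
    msg = parse_redirect(pkt)
    print(msg, accept_redirect(msg, "192.0.2.1", "192.0.2.1", "192.0.2.0/24"))
```

A redirect that passes both checks results in a host route for `orig_dst` via `new_gateway`, which is the extra entry that ROUTE PRINT shows on the client.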

paddyhasneeds

Original Poster:

51,395 posts

211 months

Monday 25th February 2008
_DeeJay_ said:
I've kind of skim read the thread, so I hope I've got the gist;

Default gateway = old slow router
ISA Server = on the same subnet as the client, quicker than old slow router.

What should happen is that the router will tell the client (via an ICMP redirect) to use the ISA server directly.

However, if you're using the ISA Client (or a browser with the proxy set) and the ISA Server is on the same subnet, then the ICMP redirect isn't necessary anyway.

You can check for an ICMP redirect pretty easily, as a Windows client will show it in its routing table (ROUTE PRINT).
Thanks, it certainly is ICMP Redirect (amazing how much sense it makes once you know the magic term to search for).

Just to make it fun to diagnose, Vista doesn't actually show up the alternative routes in its routing table, though XP and Server 2000/2003 do, which confirmed it.

As you say 95% of traffic (maybe more) is handled by the proxy service on the ISA directly, so this should just be mopping up traffic that's routed over traditional TCP/IP settings.

_DeeJay_

4,898 posts

255 months

Tuesday 26th February 2008
paddyhasneeds said:
_DeeJay_ said:
I've kind of skim read the thread, so I hope I've got the gist;

Default gateway = old slow router
ISA Server = on the same subnet as the client, quicker than old slow router.

What should happen is that the router will tell the client (via an ICMP redirect) to use the ISA server directly.

However, if you're using the ISA Client (or a browser with the proxy set) and the ISA Server is on the same subnet, then the ICMP redirect isn't necessary anyway.

You can check for an ICMP redirect pretty easily, as a Windows client will show it in its routing table (ROUTE PRINT).
Thanks, it certainly is ICMP Redirect (amazing how much sense it makes once you know the magic term to search for).

Just to make it fun to diagnose, Vista doesn't actually show up the alternative routes in its routing table, though XP and Server 2000/2003 do, which confirmed it.

As you say 95% of traffic (maybe more) is handled by the proxy service on the ISA directly, so this should just be mopping up traffic that's routed over traditional TCP/IP settings.
That's I.T. all over. It's all really simple - it's just knowing where to start :)