Thursday, June 2, 2011

some insight about NAT on C6509

At 08:23 PM 3/1/2007 +0100, Peter Salanki opined:
>If NAT is done in hardware, no CPU increase would be noticeable.

That's not entirely true. The bottleneck for h/w NAT on Sup720/Sup32
is in the *session setup* - the first packet(s) in every new
*session* is punted to the CPU to do one or both of the following:
* Create the NAT xlation
* Push down the appropriate netflow entry to the hardware to NAT that flow

The latter is done for *every* session, not just ones needing an
xlation entry (i.e., we *always* have to push down a new NF entry for a
new flow even if the xlation in IOS exists). Note that for a TCP
session, the entire 3-way handshake is punted before you'll get full
h/w fwding of that NAT. Once you have full bidir h/w NF entries set
up, then the fwding rate is very high (20Mpps) for packets in that flow.

So bottom line - control plane scalability may be inadequate if you
have massive numbers of flows. Additionally, NF table scalability can
come into the picture as well (many factors apply, e.g. life of
flows, PFC version). If the NF entries can't be installed (no room),
we punt for everything that didn't fit.

HTH,
Tim

Tim Stevenson, tstevens [at] cisco
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

------------------------------------------------------------------------------

Re: SUP720-3B and NAT performance

> Is there any way to determine whether a hardware NF entry has
> been installed or not?

'sh mls netf ip sw' will show you software-installed NetFlow
entries.

> Funny also that the CPU load on the router should grow with
> traffic inside that one session (aka flow)...

That suggests to me that flows are not being set up correctly
for that one session.

But wait...

Were you trying to NAT ESP? The Sup720 will only NAT UDP and
TCP in 'hardware'.

-A

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
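
The two messages above describe the same mechanism from two angles: Tim's explanation of the punt-then-install setup path (new session punted to the CPU for the xlation and the NetFlow push, the whole TCP handshake punted, table exhaustion punting whatever did not fit) and the reply's two reasons why CPU load can keep growing with traffic inside one session (no hardware entry installed, or a protocol such as ESP that is never NATed in hardware). The following Python model is an added illustration of that behaviour, not Cisco code and not something posted in the thread; the NetFlow table size, the per-direction 5-tuple keying of hardware entries, the assumption that a TCP session installs both directions after its third handshake packet, port 0 for port-less protocols, and the counter names are all modelling assumptions, not figures from the messages.

```python
"""Toy model of the Sup720/Sup32 hardware-NAT setup path described in the
cisco-nsp messages. Added illustration, not Cisco code: table size,
per-direction NetFlow keying, handshake handling and counter names are
assumptions, not figures from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass

TCP, UDP, ESP = 6, 17, 50          # IP protocol numbers
HANDSHAKE_PACKETS = 3               # SYN, SYN/ACK, ACK: all punted per the message


@dataclass(frozen=True)
class Pkt:
    proto: int
    src: str
    sport: int   # assumption: 0 for protocols without ports (e.g. ESP)
    dst: str
    dport: int


def flow_key(p):
    """Unidirectional 5-tuple, assumed granularity of a hardware NetFlow entry."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


def session_key(p):
    """Direction-independent key for the bidirectional session / NAT xlation."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class Sup720NatModel:
    def __init__(self, nf_capacity):
        self.nf_capacity = nf_capacity      # assumed hardware NetFlow table size
        self.nf = set()                     # installed hardware entries (unidirectional)
        self.xlate = set()                  # IOS NAT translation table, one per session
        self.handshake = defaultdict(int)   # TCP handshake packets seen per session
        self.stats = {"hw": 0, "punt": 0, "punt_table_full": 0, "punt_unsupported": 0}

    def _install(self, key):
        """Push a NetFlow entry to hardware; refused when the table is full."""
        if key in self.nf:
            return True
        if len(self.nf) >= self.nf_capacity:
            self.stats["punt_table_full"] += 1
            return False
        self.nf.add(key)
        return True

    def forward(self, p):
        key = flow_key(p)
        if key in self.nf:                  # hardware path: no CPU involvement
            self.stats["hw"] += 1
            return "hw"
        self.stats["punt"] += 1             # everything below is CPU work
        if p.proto not in (TCP, UDP):       # only TCP/UDP NAT is done in hardware
            self.stats["punt_unsupported"] += 1
            return "punt"
        sess = session_key(p)
        self.xlate.add(sess)                # create the xlation if it does not exist yet
        if p.proto == TCP:
            self.handshake[sess] += 1
            if self.handshake[sess] < HANDSHAKE_PACKETS:
                return "punt"               # handshake still in progress
            self._install(key)              # handshake done: install both directions
            self._install(reverse_key(p))
        else:
            self._install(key)              # UDP: each direction on its own first packet
        return "punt"


def tcp_session(src, sport, dst, dport, data_pkts):
    """Constructed trace: 3-way handshake, then data_pkts packets alternating direction."""
    c2s, s2c = Pkt(TCP, src, sport, dst, dport), Pkt(TCP, dst, dport, src, sport)
    trace = [c2s, s2c, c2s]                 # SYN, SYN/ACK, ACK
    trace += [c2s if i % 2 == 0 else s2c for i in range(data_pkts)]
    return trace


def many_tcp_sessions(n, data_pkts):
    """n distinct client sessions to one server, played back one after another."""
    trace = []
    for i in range(n):
        trace += tcp_session("10.0.%d.%d" % (i // 256, i % 256), 40000 + i,
                             "198.51.100.1", 80, data_pkts)
    return trace


def simulate(packets, nf_capacity=10_000):
    """Run a packet list through the model and return its counters."""
    m = Sup720NatModel(nf_capacity)
    for p in packets:
        m.forward(p)
    return dict(m.stats)


if __name__ == "__main__":
    one = tcp_session("10.0.0.1", 40000, "198.51.100.1", 80, 1000)
    print("1 session, 1000 data pkts:", simulate(one))          # CPU cost: 3 punts
    print("1000 sessions x 10 pkts:", simulate(many_tcp_sessions(1000, 10)))
    print("same, 1000-entry table:", simulate(many_tcp_sessions(1000, 10), nf_capacity=1000))
    esp = [Pkt(ESP, "10.0.0.1", 0, "203.0.113.5", 0)] * 50        # never installed
    print("50 ESP pkts:", simulate(esp))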

reference: