[c-nsp] 6500 MSFC2 and NAT

Chen, Qinxue QChen at corp.untd.com
Fri Apr 1 12:34:18 EST 2005


It looks like the configuration for vlan 100 was changed. Was "mls rp ip" there before the upgrade?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of
shmapty at foureleven.org
Sent: Monday, March 28, 2005 10:17 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 6500 MSFC2 and NAT


I followed the previous thread, "Better way of finding out the source
of process switched traffic?," but the problem is still not intuitive.
  
After upgrading 6500 Sup1a/MSFC2 to Sup2, it appears that outbound
traffic for one VLAN configured with "ip nat inside" is being process
switched, whereas before most was done in hardware. Running 12.1(23)E2.

sh buffers input-interface vlan 100 packet shows non-NATed IP traffic.

We are using both static and dynamic pools.  I am considering setting
up PBR to force NATed IPs to route to loop0, allowing non-NATed IPs
to be L3 switched.  What other options do I have?

interface Vlan100
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
 mls rp ip
end

interface GigabitEthernet1/2
 ip address x.x.x.x 255.255.255.252
 ip access-group x-in-52 in
 ip access-group x-eg-01 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 keepalive 3
 speed nonegotiate
 flowcontrol send off
 no cdp enable

Vlan100
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      93948    8103281      27447    4107259
             Route cache     229495   17721268     382494  196754127
       Distributed cache    3139728 1831656581          0          0
                   Total    3463171 1857481130     409941  200861386

Vlan100 is up, line protocol is up
  5 minute input rate 4469000 bits/sec, 1036 packets/sec
  5 minute output rate 273000 bits/sec, 74 packets/sec
  L2 Switched: ucast: 2935296 pkt, 565510167 bytes - mcast: 12649 pkt, 813521
  L3 in Switched: ucast: 2165039 pkt, 1247240388 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 0 pkt, 0 bytes

Total active translations: 220 (24 static, 196 dynamic; 196 extended)
Outside interfaces:
  GigabitEthernet1/1, GigabitEthernet1/2
Inside interfaces:
  Vlan100
Hits: 715151191  Misses: 403439
Expired translations: 403456
Dynamic mappings:
-- Inside Source
access-list 60 pool c1-nat-as refcount 109
 pool c1-nat-as: netmask 255.255.255.192
        start x.x.x.x end x.x.x.x
        type generic, total addresses 1, allocated 1 (100%), misses 0

Here is one instance of IP data not defined by any NAT rule.  This
packet appears to be an ACK or PSH.

Buffer information for Middle buffer at 0x5007D6C4
  data_area 0x80A7FA4, refcount 1, next 0x0, flags 0x280
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x432F92F0 (Vlan100), if_output 0x0 (None)
  inputtime 00:00:00.000 (elapsed never)
  outputtime 00:00:00.000 (elapsed never), oqnumber 65535
  datagramstart 0x80A801A, datagramsize 471, maximum size 804
  mac_start 0x80A801A, addr_start 0x80A801A, info_start 0x0
  network_start 0x80A8028, transport_start 0x80A803C, caller_pc 0x402EC60C

  source: x.x.x.x, destination: x.x.x.x, id: 0xC923, ttl: 63,
  TOS: 0 prot: 6, source port 9993, destination port 10978
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
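Added example, not code from the post or from anyone in the thread: a Python script that parses the two IOS outputs pasted above ("show interfaces switching" and "show buffers input-interface vlan 100 packet") so the process-switched share and the punted flows can be checked mechanically instead of read by eye. The switching-path table is the one from the post; the buffer dump and the NAT inside range (192.0.2.0/26, standing in for what access-list 60 plus the static entries might cover) are constructed with RFC 5737 addresses, because the post redacts its addresses as x.x.x.x. The script also checks that the per-path rows add up to the Total row, which catches a truncated paste, and flags buffered packets whose source lies outside the NAT inside ranges, i.e. packets for which NAT cannot be the reason they reached the CPU.

```python
"""Parse 'show interfaces switching' and 'show buffers ... packet' output
(classic IOS 12.1E text format) and report process-switched share plus
which punted packets are not NAT candidates.  Python 3.8+, stdlib only."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Copied from the post: 'show interfaces switching' block for Vlan100.
SHOW_SWITCHING = """\
Vlan100
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      93948    8103281      27447    4107259
             Route cache     229495   17721268     382494  196754127
       Distributed cache    3139728 1831656581          0          0
                   Total    3463171 1857481130     409941  200861386
"""

# Constructed sample: layout mirrors the post's 'show buffers input-interface
# vlan 100 packet' dump, but the addresses are RFC 5737 documentation space
# (the post redacts its own as x.x.x.x).
SHOW_BUFFERS = """\
Buffer information for Middle buffer at 0x5007D6C4
  data_area 0x80A7FA4, refcount 1, next 0x0, flags 0x280
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x432F92F0 (Vlan100), if_output 0x0 (None)

  source: 192.0.2.10, destination: 198.51.100.7, id: 0xC923, ttl: 63,
  TOS: 0 prot: 6, source port 9993, destination port 10978
Buffer information for Middle buffer at 0x5007D8E8
  if_input 0x432F92F0 (Vlan100), if_output 0x0 (None)

  source: 192.0.2.200, destination: 198.51.100.9, id: 0x1A2B, ttl: 63,
  TOS: 0 prot: 17, source port 53, destination port 40001
"""

# Constructed: an assumed stand-in for access-list 60 plus the static NAT entries.
NAT_INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/26")]

# A counter row: a path name (may contain spaces) followed by four integers.
ROW_RE = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_switching_paths(text: str) -> Dict[str, Dict[str, Tuple[int, int, int, int]]]:
    """Return {interface: {path: (pkts_in, chars_in, pkts_out, chars_out)}}."""
    stats: Dict[str, Dict[str, Tuple[int, int, int, int]]] = {}
    iface = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            iface = line.strip()          # interface header, e.g. 'Vlan100'
            stats[iface] = {}
            continue
        m = ROW_RE.match(line)           # header line has no digits, so it is skipped
        if m and iface is not None:
            path, *nums = m.groups()
            stats[iface][path] = tuple(int(n) for n in nums)
    return stats

def totals_consistent(paths: Dict[str, Tuple[int, int, int, int]]) -> bool:
    """True if the per-path rows sum column-wise to the Total row (catches a truncated paste)."""
    rows = [v for k, v in paths.items() if k != "Total"]
    summed = tuple(sum(col) for col in zip(*rows))
    return summed == paths["Total"]

def processor_share(paths: Dict[str, Tuple[int, int, int, int]]) -> Tuple[float, float]:
    """Percent of input and output packets that took the Processor (process-switched) path."""
    proc, total = paths["Processor"], paths["Total"]
    pct_in = 100.0 * proc[0] / total[0] if total[0] else 0.0
    pct_out = 100.0 * proc[2] / total[2] if total[2] else 0.0
    return pct_in, pct_out

# The 5-tuple is spread over two lines in the dump, hence re.S and the lazy .*?
FLOW_RE = re.compile(
    r"source:\s*(\S+),\s*destination:\s*(\S+),.*?prot:\s*(\d+),"
    r"\s*source port\s*(\d+),\s*destination port\s*(\d+)", re.S)

def parse_buffer_flows(text: str) -> List[dict]:
    """Extract src, dst, proto, sport, dport from each 'Buffer information' record."""
    flows = []
    for rec in text.split("Buffer information for")[1:]:
        m = FLOW_RE.search(rec)
        if m:
            src, dst, proto, sport, dport = m.groups()
            flows.append({"src": src, "dst": dst, "proto": int(proto),
                          "sport": int(sport), "dport": int(dport)})
    return flows

def nat_matches(flow: dict, nets=NAT_INSIDE_NETS) -> bool:
    """True if the packet's source is in a NAT inside-source range; False means NAT
    is not why this packet was punted and something else needs explaining."""
    src = ipaddress.ip_address(flow["src"])
    return any(src in n for n in nets)

if __name__ == "__main__":
    stats = parse_switching_paths(SHOW_SWITCHING)
    for iface, paths in stats.items():
        pct_in, pct_out = processor_share(paths)
        print(f"{iface}: totals consistent={totals_consistent(paths)}, "
              f"process-switched in={pct_in:.2f}% out={pct_out:.2f}%")
    for f in parse_buffer_flows(SHOW_BUFFERS):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto {f['proto']} "
              f"nat_inside={'yes' if nat_matches(f) else 'NO'}")
```

On the numbers from the post, roughly 2.7% of input and 6.7% of output packets on Vlan100 are process-switched; the interesting part is the buffer dump, where any punted packet whose source is outside the NAT ranges points to a cause other than NAT, which is what the PBR workaround in the post would not address.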
