[c-nsp] Esoteric NAT question...

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Jul 26 05:52:27 EDT 2006


Brett Looney <> wrote on Wednesday, July 26, 2006 8:33 AM:

> Greets,
> 
> Traditionally, when I do NAT I do it this way:
> 
> 	ip access-list extended NAT-Networks
> 	  permit ip <source> <destination>
> 	ip nat inside source list NAT-Networks interface <external interface> overload
> 
> But, I can also do this:
> 
> 	ip access-list extended NAT-Networks
> 	  permit ip <source> <destination>
> 	route-map DoNAT permit 10
> 	  match ip address NAT-Networks
> 	ip nat inside source route-map DoNAT interface <external interface> overload
> 
> Intuition tells me that method #2 would be the less efficient way of
> doing this. (Yes, I realise I can get lots more flexibility out of a
> route map but assuming I didn't need that...)
> 
> But, is there any real proof that one is better than the other? Silly
> question, I know, but I thought I'd ask - it would help us argue it
> out internally. ;-)

well, we check the route-map/ACL once when there is no NAT translation
(before 12.3T in the process path, in the interrupt context in later
releases), so the difference in execution speed between route-map and
ACL (if there is any) is rather negligible, unless you are creating
*many* translations, but then you might saturate the CPU either way.

I'm not aware of any performance study comparing these two options, but
I'd be surprised if there was any..

	oli
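The point in the reply, that the ACL or route-map is consulted only when a flow has no translation yet, as an added Python model (not IOS code and not from this thread): a small PAT table counts how often its classifier runs per packet versus per new translation. The class names, the 10.0.0.0/8 inside range and the 203.0.113.1 outside address are constructed for the example.

```python
"""Model of 'ip nat inside source ... interface <outside> overload':
the classifier (ACL, or route-map wrapping an ACL) is evaluated only
when a packet has no translation entry, so its cost tracks the number
of new translations, not the number of packets."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Classifier:
    """Stand-in for 'ip access-list extended NAT-Networks' (constructed):
    permit if source and destination fall inside the given networks."""
    src_net: str
    dst_net: str
    evaluations: int = 0  # how many times the match logic actually ran

    def permits(self, src, dst):
        self.evaluations += 1
        return (ip_address(src) in ip_network(self.src_net)
                and ip_address(dst) in ip_network(self.dst_net))


@dataclass
class NatOverload:
    """PAT table keyed per session: (proto, inside src, src port, dst)."""
    classifier: Classifier
    outside_ip: str
    next_port: int = 1024
    table: dict = field(default_factory=dict)

    def translate(self, proto, src, sport, dst):
        """Return the (outside ip, outside port) used for this packet,
        or None when the classifier denies it (forwarded untranslated)."""
        key = (proto, src, sport, dst)
        entry = self.table.get(key)
        if entry is None:  # no translation yet: run the classifier once
            if not self.classifier.permits(src, dst):
                return None
            entry = (self.outside_ip, self.next_port)
            self.next_port += 1
            self.table[key] = entry
        return entry  # existing translation: no ACL/route-map lookup


def run_flow(nat, packets):
    """Translate a list of (proto, src, sport, dst) tuples in order."""
    return [nat.translate(*p) for p in packets]
```

Sending many packets of one flow leaves `evaluations` at 1, while each new permitted flow adds exactly one evaluation; a denied flow never gets a table entry.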


