[c-nsp] SUP720-3B and NAT performance
Karl Reuss
reuss at nts.umd.edu
Thu Mar 1 17:32:12 EST 2007
Asbjorn Hojmark - Lists wrote:
>
> I, unfortunately, also have real-world experience with using NAT
> on the C6K and have to comment that one should *never* plan on
> using NAT on the C6K for *any* purpose where the C6K makes any
> real sense, i.e. with any significant amount of traffic.
>
Unfortunately I have some real-world experience here also. In
fact it just bit me a few hours ago... We've got about 2500
wireless users going through a pair of 6500s (using WISM blades).
We needed NAT and figured the Sup720s would be the place to
do it. Using 12.2(18)SXF7. With 5-10Mb/s of traffic and ~250
new flows per second, our CPUs run at 80% or more. The flow
translation tables on the MSFCs run about 10k entries, and mls
hardware tables are less than 10% full.
All it takes is someone doing aggressive P2P file sharing or a port
scan and a 6500 locks up. CPP and shortened flow timeouts would
help, but this is a losing game.
Does anyone know what the NAT capabilities of the firewall blade
for the 6500 are? Mb/s, setups/s, and concurrent translations?
-Karl