[c-nsp] SUP720-3B and NAT performance

Tim Stevenson tstevens at cisco.com
Thu Mar 1 22:16:04 EST 2007


If it's just one session, then you're hitting some other problem (ie, 
for some reason the h/w NF entry is not getting installed).

The IPSEC tunnel is terminated on the 6500 or...?

Tim

At 10:46 PM 3/1/2007 +0100, Elmar K. Bins opined:
>Hi Tim,
>
>tstevens at cisco.com (Tim Stevenson) wrote:
>
> > At 08:23 PM 3/1/2007 +0100, Peter Salanki opined:
> > >If NAT is done in hardware, no CPU increase would be noticeable.
> >
>
>[CPU impact of a lot of sessions starting up]
>
>True. In this case that was _one_ session (test-wise FTP through
>a very stable IPSEC tunnel, the latter being the "session",
>obviously).
>
> > The latter is done for *every* session, not just ones needing an
> > xlation entry (ie, we *always* have to push down a new NF entry for a
> > new flow even if the xlation in IOS exists). Note that for a TCP
> > session, the entire 3-way handshake is punted before you'll get full
> > h/w fwding of that NAT. Once you have full bidir h/w NF entries set
> > up, then the fwding rate is very high (20Mpps), for packets in that flow.
>
>Well, it isn't, it's one flow and it only goes up to 8kpps.
>What now - what can I have done wrong there? Or should I go with the idea
>of upgrading first and worrying later? ;-)
>
>Yours,
>      Elmar.
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/



Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

