[c-nsp] SUP720-3B and NAT performance
Darrell Root
darrellroot at mac.com
Fri Mar 2 01:17:25 EST 2007
On Mar 1, 2007, at 7:16 PM, cisco-nsp-request at puck.nether.net wrote:
>
> Does anyone know what the NAT capabilities of the firewall blade
> for the 6500 are? Mb/s, setups/s, and concurrent translations?
I can't recite the stats, but the FWSM is based on the PIX, which is first and foremost a NAT box. Frankly it's better at NAT than firewalling (not that it's bad at firewalling, but NAT seems to be its natural state, at least with 2.x FWSM code).
My team supported two similar conferences with a large number of network users. The first year we used IOS NAT on the cat6k (sup2/msfc2 hybrid mode)*. The second year we did the NAT on FWSMs.
The first year we barely survived. The cat6k CPU would start at 40% and gradually rise as the NAT translations increased. I don't think old translations were "clearing out completely", even with our timeout timers set low. We had to manually clear the NAT translations every couple hours during peak times to keep the CPU from going to 100%. I also remember a similar "periodically clear NAT translations or die" situation with large-scale IOS-NAT at a previous employer. Of course, you can bet clearing the NAT translations periodically wasn't great for users with VPN connections.
The second year the FWSM didn't even break a sweat. No NAT-related issues.
Darrell Root
darrellroot at mac.com
* This was a "you build the network with the equipment you have, not the equipment you want" experience.
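The post describes two levers against a NAT table that keeps growing on an IOS box: shorter translation timeouts and periodic clearing. The following IOS CLI fragment is an added illustration, not configuration from the poster or from Cisco's documentation of this event; the timeout values are illustrative placeholders, not the values the poster used. It shows that the global `ip nat translation timeout` does not cover TCP and UDP entries, which have their own per-protocol timers, and which `show` commands expose the table size so you can watch it instead of clearing on a schedule.

```cisco
! Illustrative values only (assumed for this example), not the poster's settings.
! Global timer: applies to dynamic translations other than TCP/UDP and overload (PAT).
ip nat translation timeout 3600
! TCP and UDP entries have their own timers; lowering only the global one leaves
! idle TCP sessions (default 24 hours) in the table.
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 120
! Half-open and torn-down TCP sessions can age out much faster.
ip nat translation syn-timeout 30
ip nat translation finrst-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30

! Observe table growth before deciding to clear anything:
! show ip nat statistics        -> "Total active translations" and hit/miss counters
! show ip nat translations      -> the table itself (large on a busy box)
! show processes cpu sorted     -> confirm whether NAT processing is what is climbing

! Last resort the poster describes, which also tears down any long-lived session
! (VPN, SSH) that still depends on its entry:
! clear ip nat translation *
```

Lowering TCP and UDP timers is only worthwhile if the sessions are genuinely idle; a timer shorter than a client's keepalive interval evicts live sessions and produces the same user-visible breakage as a manual clear.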