[c-nsp] WARNING: Netflow Data Export & Hardware assisted NAT not supported on 76xx/65xx on the same interface

Matthew Huff mhuff at ox.com
Sun Aug 28 10:23:02 EDT 2011


We don't have fragmented packets. I checked all the caveats. You missed my point. I'm very aware of the restrictions with conflicting flowmasks, etc. 

The problem is that the hardware-assisted NAT uses NetFlow to insert a custom TCAM entry that doesn't get aged out. In other words, NDE will never work, no matter the configuration, no matter the design, if NAT is configured on the same interface. This is not documented in any Cisco publication.



-----Original Message-----
From: Stig Meireles Johansen [mailto:stig.johansen at datametrix.no] 
Sent: Saturday, August 27, 2011 10:21 PM
To: Matthew Huff; 'Dale W. Carder'
Cc: 'cisco-nsp at puck.nether.net'
Subject: RE: [c-nsp] WARNING: Netflow Data Export & Hardware assisted NAT not supported on 76xx/65xx on the same interface

Matthew said:
>If it was made apparent, could you point to any public documentation that states that? I've scoured Cisco's site, Google, and mail archives, and can't find any mention (other than specific caveats) stating that NDE and hardware-assisted NAT are not supported on the same interface. In fact, it took TAC almost two weeks of escalation before anyone would state it wasn't supported, and they couldn't find any documentation that stated that.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/intro.html#wp1034472 and
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/intro.html#wp1031772

Quote:
"Note the following information about hardware-assisted NAT:
[...snip...]
-When you configure NAT and NDE on an interface, the PFC3 sends all traffic in fragmented packets to the MSFC3 to be processed in software. (CSCdz51590)"

When looking up this bugID, I get some foo about "contains proprietary information that cannot be disclosed at this time".

/Stig


