[c-nsp] WARNING: Netflow Data Export & Hardware assisted NAT not supported on 76xx/65xx on the same interface

Jeff Bacon bacon at walleyesoftware.com
Mon Aug 29 09:36:15 EDT 2011


> I would instead consider moving the NAT somewhere else, and leaving the
> Netflow on the box. The hardware-assisted NAT feature in the 6500/7600
> has the feel of an "abandoned" feature; one that Cisco would rather you
> didn't use, and are sorry they ever implemented.


I would say that's not all that far from the truth. It's a hack, and an ugly one at that. It works, sort of, but it only works with some things and not with others and only sometimes. But it's not abandoned by any means, and they still attempt to work with it, within reason.

The problem is of course that said ugly hack also makes it <probably> the fastest NAT box on the planet, able to handle flows in the mpps range at sub-20-usec latency; it's about 16usec one-way on a gig link, DFC cards - I've measured it. This sort of behavior undoubtedly endears it to certain large financial firms that need that kind of performance. I can say that because I've worked at certain large financial firms, and these are the sorts of firms that

a) can afford to stuff a cat6503/dual-720 in front of a single exchange connection for the sole purpose of doing NAT
b) are making some tradeoff on latency vs ideal design vs "what they have to deal with"
c) have huge dedicated teams from Cisco to advise them on what works and doesn't
d) can tell Cisco to "leave that feature or else"
e) will use the box in some blatantly simple fashion that doesn't involve learning all of the things that DON'T work because that's just not how they think

(We can have all sorts of discussions/arguments about network design and why NAT is evil and how it should or shouldn't be necessary. Please, let's not. Any large house is some huge conglomeration of networks made up of all of the partially-digested acquisitions, plus all sorts of business units heading in different directions trying to do conflicting things, with no central theme, with some poor saps trying to manage the vendor connectivity in the center. Idealism dies an ugly death somewhere in the middle, and such arguments are thus pointless.)

Besides, who ever REMOVES features from a platform? The marketing people would scream.

So NAT continues to exist. But it's not well-explored, as most 6500 users don't use it (or so says the TAC LAN switching team that should know), and thus all of the caveats and gotchas are not well-explored.

-bacon
