[c-nsp] cat6500/fwsm performance

[Jeff Bacon]

Hi folks - 

So, in an attempt to address some fun issues with NAT I'm having with my
6500s, I'm considering resorting to the use of an FWSM as a fancy
specialized NAT device - call it a complicated hairpin, if you will (one
VRF is on one side of the FWSM, one is on the other, the VRFs
communicate with each other via VLANs set to pass through the FWSM,
which is in transparent mode).

This doesn't seem like it would be such a terribly difficult project,
but... 

I'm seeing round-trip latencies of approx 250us pushing data through the
FWSM, and a relatively ridiculously high rate of packet loss. This is
just with having the firewall in transparent mode, two hosts on one vlan
and two hosts on another VLAN bridged via the FWSM, with all inspection
turned off. 

Are these cards _really_ that bad? Or am I missing something really dumb
and obvious here? 

The 6500 is a 6506-E, vs720 supervisor, 6748-GE-TX linecard with a CFC
(test kit), the hosts are direct-attached on the 6748 on vlans 240 and
250. 

Thanks,
-bacon

stub off the FWSM:

interface Vlan240
 nameif inside-2
 bridge-group 2
 security-level 80
!
interface Vlan250
 nameif outside-2
 bridge-group 2
 security-level 0
!
access-list OUT extended permit icmp any any
access-list OUT extended permit ip any any
access-list OUT extended permit ospf any any
access-group OUT in interface inside-2
access-group OUT in interface outside-2
class-map bypass-traffic
 match access-list bypass
policy-map bypass-policy
 class bypass-traffic
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
policy-map nothing
!
service-policy bypass-policy global

off the 6500:
firewall autostate
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 1,2,3
firewall vlan-group 1  140,150
firewall vlan-group 2  120
firewall vlan-group 3  240,250