[c-nsp] Will the Cisco 2911 push GigE with NAT enabled ?

Kevin Graham kgraham at industrial-marshmallow.com
Tue May 1 10:45:59 EDT 2012


On Apr 30, 2012, at 7:42 AM, Dave <dcostell-cisconsp at torzo.com> wrote:

> CEF is showing enabled and running on all interfaces, however I am seeing a large number of packets that are process switched. (I assume due to NAT translation.)

I had thought NAT entry creation was moved into the CEF path during 12.4T. As mentioned already, try dropping NBAR.

How much non-interrupt CPU are you using? For office workloads of that volume, I've often had to pull down translation timers to keep the IP NAT Ager process tamed...

(You're not going to get much beyond where you are now, but little bits can help.)

> interface GigabitEthernet0/0
> ip address xxx.xxx.xxx 255.255.255.252
> ip access-group OFFICE_LAN in
> ip flow egress
> ip nat outside

While trying not to stoke NAT-is-not-security flames, do be aware that this probably isn't achieving what you think it is. Even for a basic config, you should include CBAC ("ip inspect ...").

IOS NAT will create 1:1 entries for some flows, which will allow inbound traffic. It's an ugly surprise when you suddenly see random desktops responding on that outside address pool...
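What the two suggestions above look like on the box, as an added example that is not part of Kevin's reply or of Dave's posted config: the outside interface from the quoted config with CBAC inspection added so that only return traffic for sessions initiated from the office gets through the inbound ACL, plus shortened translation timers to keep the NAT table (and the IP NAT Ager process) small. The inspect rule name OFFICE_CBAC, the timeout values, and the assumption that OFFICE_LAN already denies unsolicited inbound traffic are mine; GigabitEthernet0/0 and OFFICE_LAN are taken from the quoted config.

```ios
! --- Added example, not the original poster's configuration ---
! CBAC inspection rule (name OFFICE_CBAC is an assumption). CBAC tracks
! sessions leaving the outside interface and dynamically permits the
! matching return traffic through the inbound ACL, so an unsolicited
! connection to a NAT'd address is dropped by OFFICE_LAN instead of
! being forwarded to whichever desktop currently owns a 1:1 entry.
ip inspect name OFFICE_CBAC tcp
ip inspect name OFFICE_CBAC udp
ip inspect name OFFICE_CBAC icmp
ip inspect name OFFICE_CBAC dns
ip inspect name OFFICE_CBAC http
ip inspect name OFFICE_CBAC ftp
!
! Translation timers (values are assumptions; tune to the office workload).
! tcp-timeout defaults to 86400 s and udp-timeout to 300 s, which is why a
! busy office can carry a very large, mostly idle table for the Ager to walk.
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
!
interface GigabitEthernet0/0
 ip address xxx.xxx.xxx 255.255.255.252
 ! OFFICE_LAN is assumed to deny inbound traffic by default; CBAC opens
 ! holes in it per session, so a permit-any ACL here gives CBAC nothing to do.
 ip access-group OFFICE_LAN in
 ip inspect OFFICE_CBAC out
 ip flow egress
 ip nat outside
!
! Checks after applying:
!   show processes cpu sorted | exclude 0.00   -> is "IP NAT Ager" still near the top?
!   show ip nat statistics                     -> total translations and hit/miss counters
!   show ip inspect sessions                   -> CBAC is actually tracking office flows
```

The inspect rule is applied outbound on the outside interface rather than inbound on the inside interface; both placements work, but attaching it to the same interface that carries the inbound ACL keeps the pairing obvious when someone reads the config later. If the outside ACL currently permits everything, add the inspect statement first and then tighten the ACL, otherwise established sessions will be cut off while the new rule has no state yet.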
