05-02-2006 09:07 PM
Hi all,
What is the impact on performance of the CSS 11503-06 when ACL and egress source NAT are enabled?
Also, what are the least performance-taxing <bypass> or <permit> clause statements? Is there any advantage in using one over the other?
What is the throughput limit for traffic passing through SNAT on the 11503?
We noticed an increase in latency for load-balanced content when SNAT was enabled on the CSS 503. All circuits have "permit any any" applied except one circuit that has one NAT line via a group and <permit any any> as the second line.
Thanks
05-09-2006 11:39 AM
Can you post the configuration? Normally there should not be a big delay when source NAT and ACL are applied. Maybe there is something else that is causing the issue.
05-10-2006 08:19 PM
The ACL on all VLANs is permit any any, and only one VLAN has the following ACL:
clause 90 permit any any destination any
clause 20 permit tcp 10.23.6.5 destination any eq smtp sourcegroup M-NAT
clause 21 permit tcp 10.23.6.8 destination any eq smtp sourcegroup M-NAT
clause 22 permit tcp 10.23.6.3 destination any eq smtp sourcegroup M-NAT
clause 10 permit any any destination 10.0.0.0 255.0.0.0
clause 11 permit any any destination 172.16.0.0 255.240.0.0
clause 9 permit tcp 10.23.6.0 255.255.255.0 destination 2.18.3.0 255.255.255.224 eq 443 sourcegroup M-NAT
clause 8 permit tcp 10.23.6.0 255.255.255.0 destination 2.18.3.0 255.255.255.224 eq 80 sourcegroup M-NAT
M-NAT is just a group with an IP address configured on it.
If I issue acl disable, the latency seems to go away. The latency is noticed during the first connection to the VIP; subsequent connections seem a bit faster.
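As an added example (not from this thread, and not Cisco code), the following Python models the ACL posted above so that its evaluation order can be checked offline. It assumes the CSS evaluates clauses in ascending clause-number order with first match (the listing above is in display order, not evaluation order), that an enabled ACL ends in an implicit deny, and that a matching clause's sourcegroup is what triggers source NAT for that flow. The sample flows and addresses such as 198.51.100.10 are constructed; the clause numbers, networks, ports and group name are copied from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Clause:
    """One ACL clause, modelled after the posted CSS syntax."""
    number: int
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # source network in CIDR form
    dst: str                    # destination network in CIDR form
    dport: Optional[int]        # None means any destination port
    sourcegroup: Optional[str]  # NAT group applied on match; None means no SNAT

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """True if a single flow (proto, src, dst, dport) hits this clause."""
        return (
            self.proto in ("any", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
            and self.dport in (None, dport)
        )

    def covers(self, other: "Clause") -> bool:
        """True if every flow that matches `other` would already match self."""
        return (
            self.proto in ("any", other.proto)
            and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
            and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
            and self.dport in (None, other.dport)
        )


# The ACL as posted, in the order it was shown (clause 90 first).
ACL: List[Clause] = [
    Clause(90, "any", "0.0.0.0/0",    "0.0.0.0/0",     None, None),
    Clause(20, "tcp", "10.23.6.5/32", "0.0.0.0/0",     25,   "M-NAT"),  # eq smtp
    Clause(21, "tcp", "10.23.6.8/32", "0.0.0.0/0",     25,   "M-NAT"),
    Clause(22, "tcp", "10.23.6.3/32", "0.0.0.0/0",     25,   "M-NAT"),
    Clause(10, "any", "0.0.0.0/0",    "10.0.0.0/8",    None, None),
    Clause(11, "any", "0.0.0.0/0",    "172.16.0.0/12", None, None),
    Clause(9,  "tcp", "10.23.6.0/24", "2.18.3.0/27",   443,  "M-NAT"),
    Clause(8,  "tcp", "10.23.6.0/24", "2.18.3.0/27",   80,   "M-NAT"),
]


def evaluate(acl: List[Clause], proto: str, src: str, dst: str,
             dport: int) -> Tuple[Optional[int], Optional[str]]:
    """Return (matching clause number, sourcegroup) for a flow.

    Assumption: clauses are tried in ascending clause-number order and the
    first match wins; no match means the ACL's implicit deny, returned as
    (None, None).
    """
    for clause in sorted(acl, key=lambda c: c.number):
        if clause.matches(proto, src, dst, dport):
            return clause.number, clause.sourcegroup
    return None, None


def shadowed(acl: List[Clause]) -> List[Tuple[int, int]]:
    """List (later, earlier) pairs where an earlier clause fully covers a later
    one, so the later clause (and its NAT setting) can never take effect."""
    ordered = sorted(acl, key=lambda c: c.number)
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.covers(later):
                result.append((later.number, earlier.number))
                break
    return result


if __name__ == "__main__":
    # Constructed sample flows: internal SMTP is not NATed (clause 10 wins),
    # external SMTP from a listed host is NATed (clause 20), HTTPS to the
    # 2.18.3.0/27 block is NATed (clause 9), everything else falls to 90.
    for flow in [("tcp", "10.23.6.5", "10.1.1.1", 25),
                 ("tcp", "10.23.6.5", "198.51.100.10", 25),
                 ("tcp", "10.23.6.77", "2.18.3.9", 443),
                 ("tcp", "10.23.6.77", "198.51.100.10", 443)]:
        print(flow, "->", evaluate(ACL, *flow))
    print("shadowed clauses:", shadowed(ACL))
```

The `shadowed` check is the part worth keeping around: with the posted numbering nothing is shadowed, but if the catch-all "permit any any" were renumbered below the NAT clauses, every NAT clause would silently stop applying and the only symptom would be traffic leaving with its original source address.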
05-12-2006 04:09 AM
At first glance I would say this is not CSS related.
I would capture a sniffer trace on the client and server simultaneously and see where the delay is.
Capture the same trace without acl to compare results.
Gilles.
05-12-2006 07:02 PM
Is ACL flow/NAT processing done in the ASIC or on the management CPU? Are there llama mode commands that can show more information regarding ACL/NAT in addition to the standard show acl commands?
05-13-2006 06:33 AM
ACL/NAT is not done in ASIC.
Only basic filtering permit/deny is done in hardware.
But ACL/NAT will not have more impact than doing load balancing. Actually, ACL/NAT is always part of load balancing, so it really is not an issue.
The problem must be somewhere else.
Capture a sniffer trace to make sure the delay comes from the CSS - I have seen too many times people blaming the network when it was actually a client/server issue.
Gilles.