
Flowmask TCAM NAT Performance c6509

Justus.Deere
Level 1

Hi,

I have a cisco WS-C6509 running IOS s72033_rp-IPSERVICESK9-M, Version 12.2(33)SXI5

with a WS-SUP720-3B Rev 5.2 + WS-SUP720 MSFC3 Daughterboard Rev. 2.5.

I was wondering if something is wrong with my config, as sh fm fie flowmask shows:

Primary Flowmasks registered by Features
----------------------------+------------------------+---------------------
          Feature                   Flowmask             Flowmask Status
----------------------------+------------------------+---------------------
IP_ACCESS_INGRESS               Intf Full Flow            Enabled
IP_ACCESS_EGRESS                Intf Full Flow            Disabled/Unused
NAT_INGRESS                     Intf Full Flow            Enabled
NAT_EGRESS                      Intf Full Flow            Disabled/Unused
TCP_INTERCEPT                   Full Flow Least           Disabled/Unused
IPV6_RACL_INGRESS               Intf Full Flow            Disabled/Unused
IPV6_RACL_EGRESS                Intf Full Flow            Disabled/Unused
INSPECT                         Full Flow                 Disabled/Unused
WCCP_INGRESS                    Intf Full Flow            Disabled/Unused
WCCP_EGRESS                     Intf Full Flow            Disabled/Unused
SLB                             Full Flow Least           Disabled/Unused
FM_SVC_ACCLRT                   Intf Full Flow            Disabled/Unused
IPV6_COPY_INGRESS               Src only                  Disabled/Unused

Shouldn't Flowmasks for IP_ACCESS_EGRESS and NAT_EGRESS also be enabled for maximum performance?

Here is the uplink configuration:

core#sh run in g1/1
Building configuration...

Current configuration : 178 bytes
!
interface GigabitEthernet1/1
 description UPLINK
 switchport
 switchport access vlan 555
 no cdp enable
 spanning-tree bpduguard disable
end

core#sh run in vlan555
Building configuration...

Current configuration : 319 bytes
!
interface Vlan555
 description VLAN555
 ip address 88.43.2.34 255.255.255.252
 ip access-group uplink_in in
 ip access-group uplink_out out
 ip verify unicast source reachable-via rx allow-default
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 tcam priority high
end

core#sh ip route static | i 0.0.0.0/0
S*   0.0.0.0/0 [1/0] via 88.43.2.33

Here is one user network + NAT config:

core#sh run in vlan180
Building configuration...

Current configuration : 186 bytes
!
interface Vlan180
 description helpdesk
 ip address 172.16.180.1 255.255.255.0
 ip access-group helpdesk_in in
 ip access-group helpdesk_out out
 ip nat inside
 ip flow ingress
 tcam priority high
end

ip dhcp pool helpdesk
   network 172.16.180.0 255.255.255.0
   default-router 172.16.180.1
   lease 0 0 5

ip access-list standard helpdesk_nat
 permit 172.16.180.0 0.0.0.255

ip nat translation icmp-timeout 5
ip nat pool helpdesk_pool 88.43.2.42 88.43.2.42 prefix-length 24
ip nat inside source list helpdesk_nat pool helpdesk_pool overload


Any thoughts?

Best Regards, Justus

1 Reply

Justus.Deere
Level 1

All right, here is the solution: there was a feature conflict on a totally different interface, and this seems to affect the whole device.

So do not use RACL + ip nat inside + ip flow ingress at the same time.

-- Justus
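The reply above boils down to a configuration pattern that can be audited mechanically: an interface that carries a router ACL (ip access-group), ip nat inside and ip flow ingress at the same time. The script below is an added example, not code from the original post or from Cisco. It parses the interface stanzas of an IOS running-config (the one-space sub-command indentation IOS prints) and reports every interface that stacks all three features. The sample config is constructed: Vlan555 and Vlan180 are taken from the post (Vlan555 shortened to the lines that matter), and Vlan190 is invented to show a NAT-inside interface without NetFlow that should not be flagged. Note that the script only finds the configuration pattern; whether the features actually conflict on a given Supervisor and release is what the sh fm fie flowmask output in the question shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not a real device dump): Vlan555 and Vlan180 follow the
# post above, Vlan190 is invented as a non-conflicting NAT-inside interface.
SAMPLE_CONFIG = """\
!
interface Vlan555
 description VLAN555
 ip address 88.43.2.34 255.255.255.252
 ip access-group uplink_in in
 ip access-group uplink_out out
 ip nat outside
 tcam priority high
!
interface Vlan180
 description helpdesk
 ip address 172.16.180.1 255.255.255.0
 ip access-group helpdesk_in in
 ip access-group helpdesk_out out
 ip nat inside
 ip flow ingress
 tcam priority high
!
interface Vlan190
 description constructed example, NAT inside without NetFlow
 ip address 172.16.190.1 255.255.255.0
 ip access-group lab_in in
 ip nat inside
!
end
"""

ACL_RE = re.compile(r"^ip access-group (\S+) (in|out)$")


@dataclass
class Interface:
    name: str
    racl_in: Optional[str] = None
    racl_out: Optional[str] = None
    nat_inside: bool = False
    nat_outside: bool = False
    flow_ingress: bool = False

    @property
    def has_racl(self) -> bool:
        return self.racl_in is not None or self.racl_out is not None

    def conflict(self) -> bool:
        """True when RACL, 'ip nat inside' and 'ip flow ingress' all sit on this interface."""
        return self.has_racl and self.nat_inside and self.flow_ingress


def parse_interfaces(config: str) -> List[Interface]:
    """Walk 'interface ...' stanzas; their sub-commands are the indented lines that follow."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # Unindented line: a new stanza header, or something outside any interface
            # ('!', 'end', global commands), which closes the current stanza.
            m = re.match(r"^interface (\S+)$", raw)
            current = Interface(m.group(1)) if m else None
            if current is not None:
                interfaces.append(current)
            continue
        if current is None:
            continue
        cmd = raw.strip()
        acl = ACL_RE.match(cmd)
        if acl:
            if acl.group(2) == "in":
                current.racl_in = acl.group(1)
            else:
                current.racl_out = acl.group(1)
        elif cmd == "ip nat inside":
            current.nat_inside = True
        elif cmd == "ip nat outside":
            current.nat_outside = True
        elif cmd == "ip flow ingress":
            current.flow_ingress = True
    return interfaces


def find_conflicts(config: str) -> List[str]:
    """Names of interfaces carrying the RACL + ip nat inside + ip flow ingress combination."""
    return [i.name for i in parse_interfaces(config) if i.conflict()]


if __name__ == "__main__":
    for name in find_conflicts(SAMPLE_CONFIG):
        print(f"{name}: RACL + ip nat inside + ip flow ingress on one interface")
```

Feed it the output of show running-config from the whole box rather than a single interface, since, as the reply notes, a conflict on one interface affected the device as a whole, so every interface needs checking, not just the one whose flowmask status looks wrong.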
