04-10-2012 11:17 AM - edited 03-04-2019 03:59 PM
Hi,
I have a Cisco WS-C6509 running IOS s72033_rp-IPSERVICESK9-M, Version 12.2(33)SXI5
with a WS-SUP720-3B Rev 5.2 + WS-SUP720 MSFC3 Daughterboard Rev. 2.5.
I was wondering if something is wrong with my config, as
sh fm fie flowmask shows:
Primary Flowmasks registered by Features
----------------------------+------------------------+---------------------
Feature                       Flowmask                 Flowmask Status
----------------------------+------------------------+---------------------
IP_ACCESS_INGRESS             Intf Full Flow           Enabled
IP_ACCESS_EGRESS              Intf Full Flow           Disabled/Unused
NAT_INGRESS                   Intf Full Flow           Enabled
NAT_EGRESS                    Intf Full Flow           Disabled/Unused
TCP_INTERCEPT                 Full Flow Least          Disabled/Unused
IPV6_RACL_INGRESS             Intf Full Flow           Disabled/Unused
IPV6_RACL_EGRESS              Intf Full Flow           Disabled/Unused
INSPECT                       Full Flow                Disabled/Unused
WCCP_INGRESS                  Intf Full Flow           Disabled/Unused
WCCP_EGRESS                   Intf Full Flow           Disabled/Unused
SLB                           Full Flow Least          Disabled/Unused
FM_SVC_ACCLRT                 Intf Full Flow           Disabled/Unused
IPV6_COPY_INGRESS             Src only                 Disabled/Unused
Shouldn't Flowmasks for IP_ACCESS_EGRESS and NAT_EGRESS also be enabled for maximum performance?
Here is the uplink configuration:
core#sh run in g1/1
Building configuration...
Current configuration : 178 bytes
!
interface GigabitEthernet1/1
 description UPLINK
 switchport
 switchport access vlan 555
 no cdp enable
 spanning-tree bpduguard disable
end
core#sh run in vlan555
Building configuration...
Current configuration : 319 bytes
!
interface Vlan555
 description VLAN555
 ip address 88.43.2.34 255.255.255.252
 ip access-group uplink_in in
 ip access-group uplink_out out
 ip verify unicast source reachable-via rx allow-default
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 tcam priority high
end
core#sh ip route static | i 0.0.0.0/0
S*   0.0.0.0/0 [1/0] via 88.43.2.33
Here is one user network + NAT config:
core#sh run in vlan180
Building configuration...
Current configuration : 186 bytes
!
interface Vlan180
 description helpdesk
 ip address 172.16.180.1 255.255.255.0
 ip access-group helpdesk_in in
 ip access-group helpdesk_out out
 ip nat inside
 ip flow ingress
 tcam priority high
end
ip dhcp pool helpdesk
 network 172.16.180.0 255.255.255.0
 default-router 172.16.180.1
 lease 0 0 5
ip access-list standard helpdesk_nat
 permit 172.16.180.0 0.0.0.255
ip nat translation icmp-timeout 5
ip nat pool helpdesk_pool 88.43.2.42 88.43.2.42 prefix-length 24
ip nat inside source list helpdesk_nat pool helpdesk_pool overload
Any thoughts?
Best Regards, Justus
04-17-2012 12:05 PM
All right, here is the solution: There was a feature conflict on a totally different
interface, and this seems to affect the whole device.
So do not use RACL + ip nat inside + ip flow ingress at the same time.
-- Justus
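
As an added example (not part of the original thread and not Cisco tooling), this Python script scans an IOS running-config for interfaces that carry all three features the last post warns against combining: a RACL (`ip access-group`), `ip nat inside`, and `ip flow ingress`. The sample config and the function names are constructed for illustration, and the parser assumes each interface stanza ends at `!` or `end`.

```python
import re

# Constructed sample config (not from the thread): Vlan10 combines all three
# features, Vlan20 has only two of them.
SAMPLE_CONFIG = """\
interface Vlan10
 ip access-group users_in in
 ip nat inside
 ip flow ingress
!
interface Vlan20
 ip access-group servers_in in
 ip nat inside
!
ip access-list standard users_nat
 permit 10.0.10.0 0.0.0.255
"""

# Interface sub-commands whose combination the post reports as a conflict.
FEATURES = {
    "racl": re.compile(r"^ip access-group \S+ (in|out)$"),
    "nat_inside": re.compile(r"^ip nat inside$"),
    "flow_ingress": re.compile(r"^ip flow ingress$"),
}

def parse_interfaces(config):
    """Map interface name -> its sub-commands; works with or without indentation."""
    interfaces, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("!", "end"):
            current = None          # stanza closed; global config follows
        elif current is not None and line:
            current.append(line)
    return interfaces

def find_conflicts(config):
    """Return {interface: [matching lines]} where all three features are set."""
    hits = {}
    for name, lines in parse_interfaces(config).items():
        found = {k: [l for l in lines if rx.match(l)] for k, rx in FEATURES.items()}
        if all(found.values()):
            hits[name] = [l for group in found.values() for l in group]
    return hits

if __name__ == "__main__":
    print(find_conflicts(SAMPLE_CONFIG))
```
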