If I go around the NAT, I can

Daniel Davidson · ‎09-30-2015

We have a new 6807 that we are looking to install, but before we do, I need to set up a nat between two vlans. This is in place and working, but it is extremely slow (about 200KB/s) and we need to get that sorted out before we move forward. Nether CPU or memory utilization are high. Advice is welcome, I cannot see the problem.

Running 141-2.SY5

Important running config info, real ips have been removed:

ip dhcp pool vlan40
   import all
   network 172.16.0.0 255.255.252.0
   domain-name our.domain.com
   dns-server a.b.c.16 a.b.c.17
   default-router 172.16.0.1
!

interface Vlan40
ip address 172.16.0.1 255.255.252.0
ip nat inside
!

interface Vlan281
ip address a.b.c.f 255.255.252.0
ip nat outside
ip flow monitor campus-public-monitor input
!

no ip nat create flow-entries
ip nat inside source list 100 interface Vlan281 overload
ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 a.b.c.1
ip route 172.22.0.0 255.255.0.0 172.22.87.1

access-list 100 permit ip 172.16.0.0 0.0.3.255 any

Jon Marshall · ‎09-30-2015

Daniel

Haven't used this switch so the following are just suggestions.

1) You have "no ip nat create flow-entries" in your configuration.

This command should not apply to PAT which is what you are doing as it needs to create flow cache entries for it's translations so it should be ignored.

Can you just try enabling them and see if anything happens in terms of performance.

2) if that makes no difference can you temporarily disable the "ip flow monitor ..." on the SVI for vlan 281 and see if that changes anything.

I doubt either will make much difference but I can't see anything obviously wrong with your configuration.

Jon

Daniel Davidson · ‎10-06-2015

I have made these changes, my throughput did improve, but not as much as I think it should.

Right now, with nobody else using the router, on a copper line, I can get just shy of 20MB/s of throughput. I was expecting more, am I missing something?

Jon Marshall · ‎10-06-2015

A lot depends on exactly what you are trying to do ie. the application itself etc.

If you completely remove the NAT what throughput do you get ie. is it the NAT that is slowing it down ?

Jon

Daniel Davidson · ‎10-06-2015

If I go around the NAT, I can get near line rate on our 1Gb ports. On our 10GB systems I can go much higher.

Jon Marshall · ‎10-06-2015

It sounds like the packets are being processed switched but then you would be seeing higher CPU than you say you are.

NAT should be hardware assisted ie. the first packet is process switched to setup the flow but after that packets should be hardware switched.

Unfortunately as I said I haven't used those switches so can't really say for sure what is normal and what isn't.

May be worth a TAC call if you have that option.

Sorry I can't be more help.

Jon

Slow Nat Performance (6807)