Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
953
Views
0
Helpful
5
Replies

Slow Nat Performance (6807)

Daniel Davidson
Level 1
Level 1

‎09-30-2015 02:24 PM - edited ‎03-08-2019 02:00 AM

We have a new 6807 that we are looking to install, but before we do, I need to set up a nat between two vlans.  This is in place and working, but it is extremely slow (about 200KB/s) and we need to get that sorted out before we move forward.  Nether CPU or memory utilization are high.  Advice is welcome, I cannot see the problem.

Running 141-2.SY5

 Important running config info, real ips have been removed:

ip dhcp pool vlan40
   import all
   network 172.16.0.0 255.255.252.0
   domain-name our.domain.com
   dns-server a.b.c.16 a.b.c.17
   default-router 172.16.0.1
!

interface Vlan40
 ip address 172.16.0.1 255.255.252.0
 ip nat inside
!

interface Vlan281
 ip address a.b.c.f 255.255.252.0
 ip nat outside
 ip flow monitor campus-public-monitor input
!

no ip nat create flow-entries
ip nat inside source list 100 interface Vlan281 overload
ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 a.b.c.1
ip route 172.22.0.0 255.255.0.0 172.22.87.1

access-list 100 permit ip 172.16.0.0 0.0.3.255 any

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎09-30-2015 03:06 PM

Daniel

Haven't used this switch so the following are just suggestions.

1) You have "no ip nat create flow-entries" in your configuration.

This command should not apply to PAT which is what you are doing as it needs to create flow cache entries for it's translations so it should be ignored.

Can you just try enabling them and see if anything happens in terms of performance.

2) if that makes no difference can you temporarily disable the "ip flow monitor ..." on the SVI for vlan 281 and see if that changes anything.

I doubt either will make much difference but I can't see anything obviously wrong with your configuration.

Jon

0 Helpful

Daniel Davidson
Level 1
Level 1
In response to Jon Marshall

‎10-06-2015 07:10 AM

I have made these changes, my throughput did improve, but not as much as I think it should. 

Right now, with nobody else using the router, on a copper line, I can get just shy of 20MB/s of throughput.  I was expecting more, am I missing something?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Daniel Davidson

‎10-06-2015 07:15 AM

A lot depends on exactly what you are trying to do ie. the application itself etc.

If you completely remove the NAT what throughput do you get ie. is it the NAT that is slowing it down ?

Jon

0 Helpful

Daniel Davidson
Level 1
Level 1
In response to Jon Marshall

‎10-06-2015 07:49 AM

If I go around the NAT, I can get near line rate on our 1Gb ports.  On our 10GB systems I can go much higher.

 

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Daniel Davidson

‎10-06-2015 08:04 AM

It sounds like the packets are being processed switched but then you would be seeing higher CPU than you say you are.

NAT should be hardware assisted ie. the first packet is process switched to setup the flow but after that packets should be hardware switched.

Unfortunately as I said I haven't used those switches so can't really say for sure what is normal and what isn't.

May be worth a TAC call if you have that option.

Sorry I can't be more help.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card