CSS: ACL & SNAT - performance impact?

savyer
Level 1

Hi all,

What is the impact on performance of CSS 11503-06 when ACL and egress source NAT is enabled?

Also, which is the least performance-taxing: <bypass> or <permit> clause statements? Is there any advantage in using one over the other?

What is the throughput limit for traffic passing through SNAT on the 11503?

We noticed an increase in latency for load-balanced content when SNAT was enabled on CSS 503. All circuits have "permit any any" applied except one circuit that has one NAT line via a group and <permit any any> as the second line.

Thanks

5 Replies

mchin345
Level 6

Can you post the configuration? Normally there must not be a big delay when source NAT and ACLs are applied. Maybe there is something else that is causing the issue.

ACLs on all VLANs are permit any any, and only one VLAN has the following ACL:

clause 90 permit any any destination any

clause 20 permit tcp 10.23.6.5 destination any eq smtp sourcegroup M-NAT

clause 21 permit tcp 10.23.6.8 destination any eq smtp sourcegroup M-NAT

clause 22 permit tcp 10.23.6.3 destination any eq smtp sourcegroup M-NAT

clause 10 permit any any destination 10.0.0.0 255.0.0.0

clause 11 permit any any destination 172.16.0.0 255.240.0.0

clause 9 permit tcp 10.23.6.0 255.255.255.0 destination 2.18.3.0 255.255.255.224 eq 443 sourcegroup M-NAT

clause 8 permit tcp 10.23.6.0 255.255.255.0 destination 2.18.3.0 255.255.255.224 eq 80 sourcegroup M-NAT

M-NAT is just a group with an IP address configured on it.

If I issue acl disable, the latency seems to go away. The latency is noticed during the first connection to the VIP; subsequent connections seem a bit faster.
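As an added illustration that is not part of this thread: the CSS walks the clauses above in ascending clause number and the first match wins, so an evaluator that parses the posted clauses shows which clause, and therefore whether the M-NAT sourcegroup, a given flow hits. It assumes first-match semantics in clause-number order and an implicit deny when nothing matches; the test flows and addresses are constructed.

```python
import ipaddress

PORT_NAMES = {"smtp": 25, "http": 80, "https": 443}

CLAUSES = [  # constructed copy of the clauses posted above, in the order listed
    "clause 90 permit any any destination any",
    "clause 20 permit tcp 10.23.6.5 destination any eq smtp sourcegroup M-NAT",
    "clause 21 permit tcp 10.23.6.8 destination any eq smtp sourcegroup M-NAT",
    "clause 22 permit tcp 10.23.6.3 destination any eq smtp sourcegroup M-NAT",
    "clause 10 permit any any destination 10.0.0.0 255.0.0.0",
    "clause 11 permit any any destination 172.16.0.0 255.240.0.0",
    "clause 9 permit tcp 10.23.6.0 255.255.255.0 destination 2.18.3.0 255.255.255.224 eq 443 sourcegroup M-NAT",
    "clause 8 permit tcp 10.23.6.0 255.255.255.0 destination 2.18.3.0 255.255.255.224 eq 80 sourcegroup M-NAT",
]

def _addr(t, i):
    """Parse 'any' or 'addr [mask]' at t[i]; return (network, index after it)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, mask, i = t[i], "255.255.255.255", i + 1
    if i < len(t) and t[i].startswith("255."):  # optional CSS-style subnet mask
        mask, i = t[i], i + 1
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i

def parse_clause(line):
    """Turn one 'clause N permit ...' line into a dict of match fields."""
    t = line.split()
    c = {"num": int(t[1]), "action": t[2], "proto": t[3], "port": None, "group": None}
    c["src"], i = _addr(t, 4)
    assert t[i] == "destination", line
    c["dst"], i = _addr(t, i + 1)
    while i < len(t):
        if t[i] == "eq":
            c["port"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        elif t[i] == "sourcegroup":
            c["group"] = t[i + 1]
        else:
            raise ValueError(f"unexpected token {t[i]!r} in {line!r}")
        i += 2
    return c

def match(acl, proto, src, dst, port):
    """First-match lookup in ascending clause number (assumed CSS ordering)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for c in sorted((parse_clause(l) for l in acl), key=lambda c: c["num"]):
        if c["proto"] in ("any", proto) and src in c["src"] and dst in c["dst"] \
                and (c["port"] is None or c["port"] == port):
            return c
    return None  # no clause hit: assumed implicit deny once an ACL is enabled
```

Note that SMTP from 10.23.6.5 to a 10/8 host lands on clause 10 before clause 20 is reached, so that flow is not source-NATed even though clause 20 names the host.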

At first glance I would say this is not CSS related.

I would capture a sniffer trace on client and server simultaneously and see where the delay is.

Capture the same trace without the ACL to compare results.

Gilles.

Is ACL flow/NAT processing done in the ASIC or on the Management CPU? Are there llama mode commands that can show more information regarding ACL/NAT in addition to the standard show acl commands?

ACL/NAT is not done in the ASIC.

Only basic filtering (permit/deny) is done in hardware.

But ACL/NAT will not be more impacting than doing load balancing. Actually, ACL/NAT is always part of load balancing, so it really is not an issue.

The problem must be somewhere else.

Capture a sniffer trace to make sure the delay comes from the CSS. I have seen too many times people blaming the network when it was actually a client/server issue.

Gilles.