Flowmask TCAM NAT Performance c6509

Hi,

I have a Cisco WS-C6509 running IOS s72033_rp-IPSERVICESK9-M, Version 12.2(33)SXI5 with a WS-SUP720-3B Rev 5.2 + WS-SUP720 MSFC3 Daughterboard Rev. 2.5.

I was wondering if something is wrong with my config, as sh fm fie flowmask shows:

Primary Flowmasks registered by Features
----------------------------+------------------------+---------------------
          Feature                   Flowmask             Flowmask Status
----------------------------+------------------------+---------------------
IP_ACCESS_INGRESS               Intf Full Flow            Enabled
IP_ACCESS_EGRESS                Intf Full Flow            Disabled/Unused
NAT_INGRESS                     Intf Full Flow            Enabled
NAT_EGRESS                      Intf Full Flow            Disabled/Unused
TCP_INTERCEPT                   Full Flow Least           Disabled/Unused
IPV6_RACL_INGRESS               Intf Full Flow            Disabled/Unused
IPV6_RACL_EGRESS                Intf Full Flow            Disabled/Unused
INSPECT                         Full Flow                 Disabled/Unused
WCCP_INGRESS                    Intf Full Flow            Disabled/Unused
WCCP_EGRESS                     Intf Full Flow            Disabled/Unused
SLB                             Full Flow Least           Disabled/Unused
FM_SVC_ACCLRT                   Intf Full Flow            Disabled/Unused
IPV6_COPY_INGRESS               Src only                  Disabled/Unused

Shouldn't Flowmasks for IP_ACCESS_EGRESS and NAT_EGRESS also be enabled for maximum performance?

Here is the uplink configuration:

core#sh run in g1/1           

Building configuration...

Current configuration : 178 bytes

!

interface GigabitEthernet1/1

description UPLINK

switchport

switchport access vlan 555

no cdp enable

spanning-tree bpduguard disable

end

core#sh run in vlan555

Building configuration...

Current configuration : 319 bytes

!

interface Vlan555

description VLAN555

ip address 88.43.2.34 255.255.255.252

ip access-group uplink_in in

ip access-group uplink_out out

ip verify unicast source reachable-via rx allow-default

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

no ip mroute-cache

tcam priority high

end


core#sh ip route static | i 0.0.0.0/0

S*   0.0.0.0/0 [1/0] via 88.43.2.33

Here is one user network + NAT config:

core#sh run in vlan180                     

Building configuration...

Current configuration : 186 bytes

!

interface Vlan180

description helpdesk

ip address 172.16.180.1 255.255.255.0

ip access-group helpdesk_in in

ip access-group helpdesk_out out

ip nat inside

ip flow ingress

tcam priority high

end

ip dhcp pool helpdesk

   network 172.16.180.0 255.255.255.0

   default-router 172.16.180.1

   lease 0 0 5


ip access-list standard helpdesk_nat

permit 172.16.180.0 0.0.0.255


ip nat translation icmp-timeout 5

ip nat pool helpdesk_pool 88.43.2.42 88.43.2.42 prefix-length 24

ip nat inside source list helpdesk_nat pool helpdesk_pool overload


Any thoughts?

Best Regards, Justus

1 REPLY

All right, here is the solution: There was a feature conflict on a totally different interface, and this seems to affect the whole device.

So do not use RACL + ip nat inside + ip flow ingress at the same time.

-- Justus
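
Added example, not part of the original thread and not a Cisco tool: because the reply says the conflicting combination sat on a different interface than the ones posted, this Python script scans a whole pasted running-config for every interface that enables all three features. It assumes RACL means an `ip access-group` line on the interface; the function names and the Vlan190 block are constructed.

```python
import re

# Constructed sample. Vlan180 repeats lines from the post (unindented, with a
# blank line, as forum pastes often are); Vlan190 is invented for contrast.
SAMPLE_CONFIG = """
interface Vlan180
ip access-group helpdesk_in in

ip access-group helpdesk_out out
ip nat inside
ip flow ingress
end
interface Vlan190
 ip access-group example_in in
 ip nat inside
!
"""

# Features named in the reply, mapped to the interface line that enables each.
# Assumption: "RACL" is taken to mean an ip access-group on the interface.
FEATURES = {
    "RACL": re.compile(r"^ip access-group \S+ (in|out)$"),
    "ip nat inside": re.compile(r"^ip nat inside$"),
    "ip flow ingress": re.compile(r"^ip flow ingress$"),
}

def parse_interfaces(config):
    """Map interface name -> sub-commands, tolerating lost indentation and blank lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines do not end a block
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "end"):
            current = None                # block terminators in IOS output
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def conflicting_interfaces(config):
    """Return interfaces (in config order) that enable all three features."""
    return [name for name, lines in parse_interfaces(config).items()
            if all(any(rx.match(l) for l in lines) for rx in FEATURES.values())]

if __name__ == "__main__":
    for name in conflicting_interfaces(SAMPLE_CONFIG):
        print(f"{name}: RACL + ip nat inside + ip flow ingress together")
```

Run it against the full `show running-config` output rather than single `sh run in ...` excerpts, so interfaces nobody thought to check are covered.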
