Hi folks - So, in an attempt to address some fun issues with NAT I'm having with my 6500s, I'm considering resorting to the use of an FWSM as a fancy specialized NAT device - call it a complicated hairpin, if you will (one VRF is on one side of the FWSM, one is on the other, the VRFs communicate with each other via VLANs set to pass through the FWSM, which is in transparent mode).
This doesn't seem like it would be such a terribly difficult project, but... I'm seeing round-trip latencies of approx 250us pushing data through the FWSM, and a relatively ridiculously high rate of packet loss. This is just with having the firewall in transparent mode, two hosts on one VLAN and two hosts on another VLAN bridged via the FWSM, with all inspection turned off. Are these cards _really_ that bad? Or am I missing something really dumb and obvious here?

The 6500 is a 6506-E, vs720 supervisor, 6748-GE-TX linecard with a CFC (test kit); the hosts are direct-attached on the 6748 on VLANs 240 and 250.

Thanks,
-bacon

Stub off the FWSM:

interface Vlan240
 nameif inside-2
 bridge-group 2
 security-level 80
!
interface Vlan250
 nameif outside-2
 bridge-group 2
 security-level 0
!
access-list OUT extended permit icmp any any
access-list OUT extended permit ip any any
access-list OUT extended permit ospf any any
access-group OUT in interface inside-2
access-group OUT in interface outside-2
class-map bypass-traffic
 match access-list bypass
policy-map bypass-policy
 class bypass-traffic
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
policy-map nothing
!
service-policy bypass-policy global

Off the 6500:

firewall autostate
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 1,2,3
firewall vlan-group 1 140,150
firewall vlan-group 2 120
firewall vlan-group 3 240,250

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
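One thing worth checking before blaming the card: the pasted FWSM stub binds a policy to class-map bypass-traffic, which matches access-list "bypass", but no access-list by that name appears in the paste (only OUT does), and policy-map "nothing" is defined but never bound with service-policy. Whether that is a paste omission or a real gap in the running config, a dangling reference means the tcp-state-bypass class matches no traffic. The script below is an added example, not part of the original post and not Cisco tooling: it reads an ASA/FWSM-style config and reports access-lists referenced (by class-map match or access-group) but never defined, class-maps referenced but never defined, policy-maps defined but never applied, and bridge-groups with fewer than two member interfaces. The embedded config is a copy of the stub above, used here as constructed sample input; the line-oriented parsing and the rule set are this example's own assumptions, not how the FWSM parses its configuration.

```python
"""Lint an ASA/FWSM-style config paste for dangling references.

Added example (not from the original post). Assumes one command per line
with the usual indentation-free or space-indented layout of a config paste.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample input: the FWSM stub from the post, one command per line.
FWSM_STUB = """\
interface Vlan240
 nameif inside-2
 bridge-group 2
 security-level 80
!
interface Vlan250
 nameif outside-2
 bridge-group 2
 security-level 0
!
access-list OUT extended permit icmp any any
access-list OUT extended permit ip any any
access-list OUT extended permit ospf any any
access-group OUT in interface inside-2
access-group OUT in interface outside-2
class-map bypass-traffic
 match access-list bypass
policy-map bypass-policy
 class bypass-traffic
  set connection random-sequence-number disable
  set connection advanced-options tcp-state-bypass
policy-map nothing
!
service-policy bypass-policy global
"""


@dataclass
class ConfigRefs:
    """Names defined vs. names referenced, collected in one pass."""
    acls_defined: set = field(default_factory=set)
    acls_used: set = field(default_factory=set)
    classmaps_defined: set = field(default_factory=set)
    classmaps_used: set = field(default_factory=set)
    policymaps_defined: set = field(default_factory=set)
    policymaps_used: set = field(default_factory=set)
    bridge_groups: dict = field(default_factory=dict)  # group -> [nameif, ...]


def parse(config: str) -> ConfigRefs:
    """Collect definitions and references from a config paste."""
    refs = ConfigRefs()
    ifaces: dict[str, dict] = {}   # interface -> {"nameif":..., "bridge-group":...}
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":             # '!' closes the current interface block
            current_if = None
            continue
        tok = line.split()
        if tok[0] == "interface":
            current_if = tok[1]
            ifaces[current_if] = {}
        elif current_if and tok[0] in ("nameif", "bridge-group"):
            ifaces[current_if][tok[0]] = tok[1]
        elif tok[0] == "access-list":
            refs.acls_defined.add(tok[1])
        elif tok[0] == "access-group":
            refs.acls_used.add(tok[1])
        elif tok[0] == "class-map":
            refs.classmaps_defined.add(tok[1])
        elif tok[:2] == ["match", "access-list"]:
            refs.acls_used.add(tok[2])
        elif tok[0] == "policy-map":
            refs.policymaps_defined.add(tok[1])
        elif tok[0] == "class" and len(tok) == 2:   # 'class X' inside a policy-map
            refs.classmaps_used.add(tok[1])
        elif tok[0] == "service-policy":
            refs.policymaps_used.add(tok[1])
    # Group bridged interfaces by bridge-group number, keyed by their nameif.
    for name, attrs in ifaces.items():
        grp = attrs.get("bridge-group")
        if grp is not None:
            refs.bridge_groups.setdefault(grp, []).append(attrs.get("nameif", name))
    return refs


def lint(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing dangles."""
    refs = parse(config)
    findings = []
    for acl in sorted(refs.acls_used - refs.acls_defined):
        findings.append(f"access-list {acl} is referenced but never defined")
    for cm in sorted(refs.classmaps_used - refs.classmaps_defined):
        findings.append(f"class-map {cm} is referenced but never defined")
    for pm in sorted(refs.policymaps_defined - refs.policymaps_used):
        findings.append(f"policy-map {pm} is defined but never applied")
    for grp, members in sorted(refs.bridge_groups.items()):
        if len(members) < 2:
            findings.append(f"bridge-group {grp} has fewer than two members: {members}")
    return findings


if __name__ == "__main__":
    for finding in lint(FWSM_STUB):
        print(finding)
```

Run against the stub it reports the undefined "bypass" access-list and the unapplied "nothing" policy-map, and confirms bridge-group 2 pairs inside-2 with outside-2. It says nothing about where the 250us or the loss come from; it only rules out the policy actually doing what the paste suggests it does.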