On Apr 30, 2012, at 7:42 AM, Dave <[email protected]> wrote:
> CEF is showing enabled and running on all interfaces, however I am seeing a
> large number of packets that are process switched. (I assume due to NAT
> translation)
I had thought NAT entry creation was moved into the CEF path during 12.4T. As
mentioned already, try dropping NBAR.
How much non-interrupt CPU are you using? For office workloads of that volume,
I've often had to pull down translation timers to keep the IP NAT Ager process
tamed...
(You're not going to get much beyond where you are now, but little bits can
help.)
> interface GigabitEthernet0/0
> ip address xxx.xxx.xxx 255.255.255.252
> ip access-group OFFICE_LAN in
> ip flow egress
> ip nat outside
While trying not to stoke NAT-is-not-security flames, do be aware that this
probably isn't achieving what you think it is. Even for a basic config, you
should include CBAC ("ip inspect ...").
IOS NAT will create 1:1 entries for some flows, which will allow inbound
traffic. It's an ugly surprise when you suddenly see random desktops responding
on that outside address pool...
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
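As an added illustration (not configuration from Dave or from the reply above), here is the quoted outside-interface stanza next to a hardened version that adds CBAC inspection and lowers the NAT translation timers as the reply suggests; the inspection name OFFICE_FW, the contents of the OFFICE_LAN ACL and the timer values are assumptions, and the address stays the masked placeholder from the original.

```cisco
! --- Weak (as quoted): NAT outside plus an inbound ACL, but no stateful inspection.
! IOS NAT may build 1:1 entries for some flows, so inbound packets to the
! translated outside address can be forwarded to the inside host.
interface GigabitEthernet0/0
 ip address xxx.xxx.xxx 255.255.255.252
 ip access-group OFFICE_LAN in
 ip flow egress
 ip nat outside

! --- Hardened (added example; OFFICE_FW, ACL entries and timers are assumptions) ---
! CBAC: inspect sessions leaving the outside interface and open only their
! return traffic through the inbound ACL, instead of whatever NAT happens to map.
ip inspect name OFFICE_FW tcp
ip inspect name OFFICE_FW udp
ip inspect name OFFICE_FW icmp
! Inbound ACL: allow path-MTU/traceroute feedback, log and drop everything else;
! replies to inspected sessions are admitted by CBAC ahead of this ACL.
ip access-list extended OFFICE_LAN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
interface GigabitEthernet0/0
 ip address xxx.xxx.xxx 255.255.255.252
 ip access-group OFFICE_LAN in
 ip inspect OFFICE_FW out
 ip flow egress
 ip nat outside
! Shorter translation lifetimes (IOS defaults are 24h for generic/TCP, 300s UDP,
! 60s DNS/ICMP) keep the table small so the IP NAT Ager process has less to walk.
ip nat translation timeout 1800
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 120
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
! Checks after the change: table size and timeouts, inspection sessions, and
! whether NAT Ager still sits near the top of the process CPU list.
! show ip nat statistics
! show ip nat translations
! show ip inspect sessions
! show processes cpu sorted | include NAT
```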