Solved: Catalyst 9300 NAT performance

Step · ‎05-26-2021

Hi comrades!

Can anyone answer me if I'm right?
Do Catalyst 9k series switches have hardware support for NAT? Or do they have any performance issues with that?
I took a look at Cisco Live presentation and found this. What does it mean about NAT?

CAT9K#show platform hardware fed switch active fwd-asic resource tcam utilization 0
CAM Utilization for ASIC Instance [0]
Table Max Values Used Values
--------------------------------------------------------------------------------
Unicast MAC addresses 32768/512 16/22
IGMP and Multicast groups 8192/512 0/0
L2 Multicast groups 8192/512 0/0
Directly or indirectly connected routes 24576/8192 10/21
NAT/PAT SA address and Port 0 0

Reza Sharifi · ‎05-26-2021

Hi,

Have a look at the config guide for 16.10.x regarding some of the limitations:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-10/configuration_guide/ip/b_1610_ip_9300_cg/configuring_nat.html

Limitations of NAT

There are certain NAT operations that are currently not supported in the Hardware data plane. The following are such operations that are carried out in the relatively slower Software data plane:
- Translation of Internet Control Message Protocol (ICMP) packets.
- Translation of packets that require application layer gateway (ALG) processing.
- Packets that require both inside and outside translation.
The maximum number of sessions that can be translated and forwarded in the hardware in an ideal setting is limited to 2500. Additional flows that require translation are handled in the software data plane at a reduced throughput.

Note

Each translation consumes two entries in TCAM.
A configured NAT rule might fail to get programmed into the hardware owing to resource constraint. This could result in packets that correspond to the given rule to get forwarded without translation.
ALG support is currently limited to FTP, TFTP and ICMP protocols. Also, although TCP SYN, TCP FIN and TCP RST are not part of ALG traffic, they are processed as part of ALG traffic.
Dynamically created NAT flows age out after a period of inactivity. The number of NAT flows whose activity can be tracked is limited to 4000.
Port channel is not supported in NAT configuration.
NAT does not support translation of fragmented packets.
NAT does not support Stateful Switchover (SSO). Dynamically created NAT states are not synchronized between the Active and Standby devices.
NAT configuration must be done without using route-maps, as route-mapped NAT is not supported.
Explicit deny access control entry (ACE) in NAT ACL is not supported. Only explicit permit ACE is supported.

View solution in original post

Leo Laohoo · ‎05-26-2021

Depends on the firmware and license feature, but yes.
Have a look at CSCvp78589.

Step · ‎05-26-2021

OK, I see
But this is about support by IOS XE.
I'm looking for information about hardware support for NAT.
What I found is that Catalyst 9300 Series switches support 2 templates, one of them is NAT.
But I didn't find any mention how many sessions it can process by hardware (ASICs) - Is there anything about it?

Reza Sharifi · ‎05-26-2021

Hi,

Have a look at the config guide for 16.10.x regarding some of the limitations:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-10/configuration_guide/ip/b_1610_ip_9300_cg/configuring_nat.html

Limitations of NAT

There are certain NAT operations that are currently not supported in the Hardware data plane. The following are such operations that are carried out in the relatively slower Software data plane:
- Translation of Internet Control Message Protocol (ICMP) packets.
- Translation of packets that require application layer gateway (ALG) processing.
- Packets that require both inside and outside translation.
The maximum number of sessions that can be translated and forwarded in the hardware in an ideal setting is limited to 2500. Additional flows that require translation are handled in the software data plane at a reduced throughput.

Note

Each translation consumes two entries in TCAM.
A configured NAT rule might fail to get programmed into the hardware owing to resource constraint. This could result in packets that correspond to the given rule to get forwarded without translation.
ALG support is currently limited to FTP, TFTP and ICMP protocols. Also, although TCP SYN, TCP FIN and TCP RST are not part of ALG traffic, they are processed as part of ALG traffic.
Dynamically created NAT flows age out after a period of inactivity. The number of NAT flows whose activity can be tracked is limited to 4000.
Port channel is not supported in NAT configuration.
NAT does not support translation of fragmented packets.
NAT does not support Stateful Switchover (SSO). Dynamically created NAT states are not synchronized between the Active and Standby devices.
NAT configuration must be done without using route-maps, as route-mapped NAT is not supported.
Explicit deny access control entry (ACE) in NAT ACL is not supported. Only explicit permit ACE is supported.