Cisco → Re: Cisco 851 replacing almost dead 1811 after many fights ....

fixed it for you.

q.

software, no software... the table grows exponentially. unless you can create an algorithm for it like CEF and place an ASIC than yeah it should be quick, but I am sure Juniper/Cisco/Brocade have thought of that Billions of times...

enter the cavium on the asa, qfp on asr1k, and hardware assisted nat on c6k.
these are platforms that nat is nearly (or all) optimised in hardware with little to no impact on the control-plane aspect of the router/firewall.
there is still a limitation on the storage for these entries in tcam -- but thats no different than a routing table limitation on said platforms either.

q.

Even with all that packets get processed and not switched and hence the speed may be very fast but the CPU still gets the hit, unlike the CEF.

asr1k is pure hardware forwarding in nat.

»www.gossamer-threads.com ··· p/107217

there is no cpu hit in this box.

if i recall, cavium in asa is hardware until the nat teardown -- hence the asa can do line rate nat as long as pps isnt something stupid.
hardware assisted nat on c6k is tcam driven. i havent looked at it in a long time, but believe it functions much like the asa. cpu hit is very minimal unless pps is large and packet size is small (tcam limits aside).

q.

not sure which sup you're talking about but 720 is definitely getting hit with large userbase... it does not complain or slow down however you could clearly see using
sh proc cpu his
vs.
rem com swi sh proc cpu his

The Cavium chip is for crypto. And it's not even the best ones they make. (at least in a 5505.) NAT is much faster in an ASA because it has a faster processor that's better suited to the job -- instruction and memory architecture. Cisco's router have always been designed to move packets, not screw with them in the process.