I've got two networks defined on one of our CRS224 boxes. One with public addresses, the other one is a LAN.
To give some devices on the LAN (only) outbound access to the internet (to download firmware updates etc.) I've set up NAT translation so outbound LAN traffic can use the CRS's main public IP.
This has worked well for quite a while. But now we have to push large amounts of data from the LAN towards S3. Given the CRS's poor routing capabilities this is quite a pain, resulting in 30Mbps upstream and of course maxing out the CRS's CPU.
While thinking about the issue the ACL features of the CRS224 switch chip came into my mind. I haven't used the ACL feature in production yet and actually doubt it'll work. But as there's little documentation on that feature I might miss something ...