[c-nsp] help on NAT rate limiting

Rodney Dunn rodunn at cisco.com
Tue Dec 28 16:54:33 EST 2004


Please provide more information so someone
can help answer your question:
 
Version of code (exactly)
Configuration you are using 
etc..

There were a lot of NAT changes that went
in to 12.3(4)T for major scalability problems.
There were also different changes made to give
users the ability to do various rate limiting.
Here is a good page on it:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d09f0.html

Defaults are not changed just for the heck of it
and any time you change a timer you can find a scenario
where it isn't the optimal value.

Rodney

On Tue, Dec 28, 2004 at 10:02:06AM -0800, Ted Mittelstaedt wrote:
> Hi All,
> 
>   We have a customer that's a small office about 20 people
> behind a 1720.  The router is configured to overload on to
> a single IP address, and has a vpn to another 1720 coming
> in to it.
> 
>   They wanted another ethernet interface in this so we put a
> wic-1enet card into the router - this required going to 12.3
> ios to support the hardware and that is when all hell broke loose.
> 
>   Previous to 12.3 the ios had no way to rate limit nat - 
> normally the translation table would run about a couple hundred
> entries.  Every once in a while they would get a virus and
> the table would balloon - which would be simple to see by
> showing the nat translation table, finding the offending inside
> ip address, and removing the virus, the table would go back to
> normal.  They were running 12.1 on that 1700 for a year at
> least with no other problems.
> 
>   Now with 12.3 there is a way to rate limit nat - but the
> people at Cisco that thought this was a good idea
> quite obviously figured they would -raise- all the timeouts
> in the translator.  So now, even without a virus, the router
> will run on average of 20,000 translation entries sometimes.
> 
>   configuring rate limiting to whack off the table at 2-3 thousand
> entries creates a situation where the router simply runs up
> the translation table to the limit, then stops creating new
> entries.
> 
>   We want to reset the timeouts in ios back to what they
> were rather than trying to whack the table off at its knees -
> but there is no info I can find on the Cisco website as to
> what the SENSIBLE timeouts were that were used in 12.1, 12.0,
> etc.  And furthermore the ios commands that are available for
> reducing the timeouts don't apply to overloads - which of course
> is what everything on this router is.
> 
>   Going back to an old IOS is not possible because of the
> ethernet wic.
> 
>   Whoever did this at Cisco obviously never heard of the
> axiom "if it ain't broke don't fix it".  A nat rate-limiting
> command is an impossibility - a virus will use all available
> ram in the router for translation entries no matter how high
> or how low the limit is set - and will just max out the translation
> slots with the rate-limit set, and the router stops working,
> so this command gains nothing.  And to put a command like this
> in and use it as a license to raise the timeouts which is what
> it seems they have done is absurd.
> 
>   No doubt Cisco was besieged with idiots trying to press wussy-assed
> routers into service as translators for fortune 100 companies -
> they should have told those morons to go pound sand and buy a pix
> and left the translation code for the small routers alone, it was
> working fine before.  Changing the translator operation in 12.3
> has screwed it for everyone else I think.
> 
>   Please someone, tell me the documentation is wrong and that the
> nat timeout commands do apply to overloads!
> 
> Ted
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
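The troubleshooting step Ted describes, listing the translation table and finding the inside address responsible for a ballooning table, as an added example that is not part of the thread: a small Python parser over constructed `show ip nat translations` output (the five-column Pro / Inside global / Inside local / Outside local / Outside global layout) that counts entries per inside local host and reports the ones over a threshold. The sample lines and the addresses in them are constructed; the threshold is a parameter, since what counts as "a couple hundred" normal entries depends on the office.

```python
"""Count NAT translations per inside host from `show ip nat translations`."""
from collections import Counter

# Constructed sample of IOS `show ip nat translations` output on a PAT
# (overload) router: one inside host, 10.0.0.12, holds most of the table.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1025   10.0.0.12:49152    198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1026   10.0.0.12:49153    198.51.100.8:25    198.51.100.8:25
tcp 203.0.113.5:1027   10.0.0.12:49154    198.51.100.9:25    198.51.100.9:25
udp 203.0.113.5:1028   10.0.0.12:49155    198.51.100.10:25   198.51.100.10:25
tcp 203.0.113.5:1029   10.0.0.12:49156    198.51.100.11:25   198.51.100.11:25
udp 203.0.113.5:53001  10.0.0.33:53001    192.0.2.1:53       192.0.2.1:53
tcp 203.0.113.5:1030   10.0.0.7:51000     198.51.100.20:443  198.51.100.20:443
--- 203.0.113.5        10.0.0.12          ---                ---
"""


def parse_translations(output):
    """Yield (proto, inside_local_ip) for each translation row.

    Each row is: Pro InsideGlobal InsideLocal OutsideLocal OutsideGlobal.
    The header and blank lines are skipped. A '---' protocol marks an
    entry without a port (e.g. the overload anchor); it still occupies a
    slot in the table, so it is counted like any other row.
    """
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Pro":
            continue
        proto = fields[0]
        inside_local = fields[2].rsplit(":", 1)[0]  # drop the port, keep the IP
        yield proto, inside_local


def count_per_host(output):
    """Return a Counter of translation entries keyed by inside local IP."""
    return Counter(ip for _, ip in parse_translations(output))


def find_offenders(output, threshold):
    """Return [(ip, count)] for hosts holding more than `threshold` entries,
    largest first: the inside machines to inspect when the table balloons."""
    counts = count_per_host(output)
    return [(ip, n) for ip, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    total = sum(count_per_host(SAMPLE_OUTPUT).values())
    print(f"{total} translations in table")
    for ip, n in find_offenders(SAMPLE_OUTPUT, threshold=3):
        print(f"{ip}: {n} entries")
```

On a live router the same functions can be fed the captured output of `show ip nat translations` instead of the constructed sample.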
