[c-nsp] NAT/PAT:end-user ratio

Rodney Dunn rodunn at cisco.com
Sun Dec 4 22:29:41 EST 2005


Gert is right. Make sure you consider some of the NAT
per host translation limit parameters to protect against
such an outbreak where it chews up all your translations.

Rodney

On Sat, Dec 03, 2005 at 04:16:44PM +0100, Gert Doering wrote:
> Hi,
> 
> On Sat, Dec 03, 2005 at 09:50:02AM -0500, Adam Greene wrote:
> > We're setting up a 2801 (12.3(8)T8) for a customer, running BGP with us.
> > Primary link: 4Mbps, backup link: 1.8Mbps. NAT is being performed on a
> > loopback interface.
> > 
> > We're trying to determine how many public NAT-ed (or PAT-ed) IP addresses to
> > allocate to the end-users. Is there a general rule of thumb (like a standard
> > ratio)? 
> 
> I don't have a generic "rule of thumb", but in our experience, for customers
> of this size, a single (PAT-ed) IP usually suffices.
> 
> Some simple math: a single IP has about 65000 ports for TCP and UDP.
> 
> Divided by 150 (end-users) results in over 400 available ports per user.
> 
> Take away some ports for NAT table expiry time, etc., and you still can 
> have 100 parallel TCP/UDP sessions per user - which is likely to fill
> up your memory and CPU before running out of wiggle space.
> 
> (OTOH, watch out for virus outbreaks - these tend to fill up NAT tables
> pretty quick with portscan garbage)
> 
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

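The capacity argument in the thread (ports per public IP divided among users) and Rodney's point about per-host translation limits during an outbreak, as an added example that is not part of the original posts. It is a generic model in Python, not IOS: the port pool, idle timeout, per-host cap, the 150-user scenario and the scanning host 10.0.1.1 are all constructed here, and the exact per-host limit of 400 is a figure chosen for illustration.

```python
"""Model of the PAT capacity argument in the thread: ports per public IP
divided among users, and a per-host translation cap so one scanning host
cannot eat the whole table.

Added example, not from the thread. It does not model IOS itself; the
port pool, timeouts and per-host cap are generic abstractions."""


PORTS_PER_IP = 65000  # Gert's round figure for usable ports per public IP


def public_ips_needed(users, sessions_per_user, ports_per_ip=PORTS_PER_IP,
                      reserve_percent=10):
    """Public IPs required for `users` each holding `sessions_per_user`
    concurrent flows, keeping `reserve_percent` of each IP's ports free for
    entries that are still timing out (an assumed reserve, not from the thread)."""
    usable = ports_per_ip - ports_per_ip * reserve_percent // 100
    needed = users * sessions_per_user
    return max(1, -(-needed // usable))  # ceiling division


class PatTable:
    """One public IP's translation table, keyed by inside (ip, port, proto)."""

    def __init__(self, ports_per_ip=PORTS_PER_IP, timeout=300, per_host_max=None):
        self.free_ports = ports_per_ip
        self.timeout = timeout            # idle time before an entry is expired
        self.per_host_max = per_host_max  # None = no per-host limit
        self.entries = {}   # (inside_ip, inside_port, proto) -> expiry time
        self.per_host = {}  # inside_ip -> live entry count
        self.now = 0

    def tick(self, now):
        """Advance the clock and expire idle entries, freeing their ports."""
        self.now = now
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]
            self.per_host[key[0]] -= 1
            self.free_ports += 1

    def translate(self, inside_ip, inside_port, proto="tcp"):
        """Return True if the flow gets (or already has) a translation."""
        key = (inside_ip, inside_port, proto)
        if key in self.entries:
            self.entries[key] = self.now + self.timeout  # refresh idle timer
            return True
        if self.per_host_max is not None and self.per_host.get(inside_ip, 0) >= self.per_host_max:
            return False  # this host hit its cap; the rest of the pool is untouched
        if self.free_ports == 0:
            return False  # table full: everyone behind this public IP suffers
        self.entries[key] = self.now + self.timeout
        self.per_host[inside_ip] = self.per_host.get(inside_ip, 0) + 1
        self.free_ports -= 1
        return True

    def host_entries(self, inside_ip):
        return self.per_host.get(inside_ip, 0)


def run_outbreak(per_host_max=None, ticks=10, users=150, new_flows_per_tick=20,
                 scan_rate=10000):
    """Constructed scenario: 150 well-behaved users each opening 20 new flows
    per tick, plus one infected host (10.0.1.1) opening 10000 scan flows per
    tick. Returns (flows refused for the normal users, scanner's entry count)."""
    table = PatTable(per_host_max=per_host_max)
    scanner = "10.0.1.1"
    user_drops = 0
    for t in range(ticks):
        table.tick(t)
        for u in range(users):
            for s in range(new_flows_per_tick):
                flow_id = 1024 + t * new_flows_per_tick + s  # stands in for a distinct inside port
                if not table.translate(f"10.0.0.{u + 1}", flow_id):
                    user_drops += 1
        for s in range(scan_rate):
            table.translate(scanner, 1024 + t * scan_rate + s)
    return user_drops, table.host_entries(scanner)


if __name__ == "__main__":
    print("public IPs for 150 users x 100 sessions:", public_ips_needed(150, 100))
    print("no per-host cap: (user refusals, scanner entries) =", run_outbreak())
    print("cap 400/host:    (user refusals, scanner entries) =", run_outbreak(per_host_max=400))
```

Without a per-host limit the scanning host fills the whole pool within a few ticks and the 150 normal users start losing new flows; with a cap of 400 entries per inside host the scanner is refused at 400 and nobody else notices. On the 2801 in the thread the equivalent control is the per-host translation limit Rodney refers to; check the exact command syntax for the IOS release in use rather than relying on this model.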