[c-nsp] Question about NAT Rate Limiting

Rodney Dunn rodunn at cisco.com
Mon Nov 15 22:10:06 EST 2004


I filed a request for this just for this reason:

CSCec16330
Internally found moderate defect: Resolved (R)
Request ability to limit per user NAT entries


12.3(11)T:

Router(config)#ip nat translation max-entries ?        
  <1-2147483647>  Number of entries
  all-host        Specify maximum number of NAT entries for each host
  all-vrf         Specify maximum number of NAT entries for each vrf
  host            Specify per-host NAT entry limit
  list            Specify access list based NAT entry limit
  vrf             Specify per-VRF NAT entry limit

Router(config)#ip nat translation max-entries all-host ?
  <1-2147483647>  Number of entries

Router(config)#ip nat translation max-entries all-host 20

I'm not sure why the docs didn't get updated to reflect
this.  I will check on that.

I just filed yesterday:

CSCsa42809
Internally found enhancement defect: Assigned (A)
Ability to limit per user NAT entries (CSCec16330) should be VRF aware

Does CSCec16330 do what you are asking for with the all-host option?

Rodney




On Mon, Nov 15, 2004 at 08:25:47PM -0600, Brian Feeny wrote:
> I have a question regarding the NAT rate limiting in 12.3:
> 
> http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d09f0.html#1027258
> 
> I understand you can globally limit the number of NAT translations:
> 
> ip nat translation max-entries 300
> 
> or you can limit a single host
> 
> ip nat translation max-entries host 127.0.0.1 300
> 
> can you use the ACL functionality to set a maximum amount of entries on  
> a per host level?  For example:
> 
> ip nat translation max-entries list perHost 100
> ip access-list extended perHost
> 	permit ip 192.168.1.0 0.0.0.255 any
> 
> would the above make it so that each host in 192.168.1.0 had its own  
> max-entries of 100, or would that be shared across all hosts in the  
> ACL?  I am trying to look for a way so that each host has its own  
> "max-entries" without having to set a bunch of lines specifically  
> setting it for each host.
> 
> Brian
> 
> ---------------------------------------------
> Brian Feeny, CCIE #8036, CISSP
> Network Engineer
> ShreveNet Inc.


