[c-nsp] Question about NAT Rate Limiting
Brian Feeny
signal at shreve.net
Tue Nov 16 09:34:21 EST 2004
Rodney,
Yes "all-host" would do what I want. I assume this feature is working.
Do you know, if the limit is reached, what the behavior is: do older
entries get prematurely purged, or do attempts to create new entries
just fail and the user must wait for older entries to time out?
I have a customer doing NAT for an entire apartment complex on a 1700
(I know, REALLY bad idea). One of these users is running some emule
type program that feels it needs to scan the entire internet on a udp
port searching for other emule people. It's creating translation
entries so fast (udp has a default timeout of like 5 min) and consuming
the memory (32MB) before they can start to expire.
I mainly wish to deploy this feature to prevent this user from taking
down the router, and not have to put a global cap on everyone. To me,
this is more a policy problem and not a technical one, but the
apartment managers aren't dealing with the situation appropriately so I
am trying to work up a technical solution.
Brian
On Nov 15, 2004, at 9:10 PM, Rodney Dunn wrote:
> I filed a request for this just for this reason:
>
> CSCec16330
> Internally found moderate defect: Resolved (R)
> Request ability to limit per user NAT entries
>
>
> 12.3(11)T:
>
> Router(config)#ip nat translation max-entries ?
> <1-2147483647> Number of entries
> all-host Specify maximum number of NAT entries for each host
> all-vrf Specify maximum number of NAT entries for each vrf
> host Specify per-host NAT entry limit
> list Specify access list based NAT entry limit
> vrf Specify per-VRF NAT entry limit
>
> Router(config)#ip nat translation max-entries all-host ?
> <1-2147483647> Number of entries
>
> Router(config)#ip nat translation max-entries all-host 20
>
> I'm not sure why the docs didn't get updated to reflect
> this. I will check on that.
>
> I just filed yesterday:
>
> CSCsa42809
> Internally found enhancement defect: Assigned (A)
> Ability to limit per user NAT entries (CSCec16330) should be VRF aware
>
> Does CSCec16330 do what you are asking for with the all-host option?
>
> Rodney
>
> On Mon, Nov 15, 2004 at 08:25:47PM -0600, Brian Feeny wrote:
>> I have a question regarding the NAT rate limiting in 12.3:
>>
>> http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/
>> products_feature_guide09186a00801d09f0.html#1027258
>>
>> I understand you can globally limit the number of NAT translations:
>>
>> ip nat translation max-entries 300
>>
>> or you can limit a single host
>>
>> ip nat translation max-entries host 127.0.0.1 300
>>
>> can you use the ACL functionality to set a maximum amount of entries
>> on a per host level? For example:
>>
>> ip nat translation max-entries list perHost 100
>> ip access-list extended perHost
>> permit ip 192.168.1.0 0.0.0.255 any
>>
>> would the above make it so that each host in 192.168.1.0 had its own
>> max-entries of 100, or would that be shared across all hosts in the
>> ACL? I am trying to look for a way so that each host has its own
>> "max-entries" without having to set a bunch of lines specifically
>> setting it for each host.
>>
>> Brian
>>
>> ---------------------------------------------
>> Brian Feeny, CCIE #8036, CISSP
>> Network Engineer
>> ShreveNet Inc.
>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.
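As an added illustration (not from the thread, and not IOS code), here is a small Python model of a NAT translation table with a global max-entries cap and an all-host style per-host cap, driven by constructed traffic from one UDP-scanning host and one well-behaved neighbour on the same 1700. It assumes, as a modelling choice rather than documented IOS behaviour, that a table at its cap refuses new translations instead of purging older ones, and uses the 5-minute UDP timeout mentioned above.

```python
from collections import defaultdict

UDP_TIMEOUT = 300  # seconds; the ~5 min default UDP translation timeout from the thread


class NatTable:
    """Toy NAT table: global cap plus optional per-host cap (all-host style)."""

    def __init__(self, max_entries, per_host=None):
        self.max_entries = max_entries
        self.per_host = per_host            # None = no per-host limit
        self.entries = {}                   # (src, dst, dport) -> expiry time
        self.per_host_count = defaultdict(int)
        self.dropped = defaultdict(int)     # src -> flows refused a translation

    def expire(self, now):
        """Age out translations whose UDP timeout has elapsed."""
        for key, exp in list(self.entries.items()):
            if exp <= now:
                del self.entries[key]
                self.per_host_count[key[0]] -= 1

    def translate(self, now, src, dst, dport):
        """Return True if the flow gets a translation (existing or newly created)."""
        self.expire(now)
        key = (src, dst, dport)
        if key in self.entries:             # existing flow: refresh its timer
            self.entries[key] = now + UDP_TIMEOUT
            return True
        at_global_cap = len(self.entries) >= self.max_entries
        at_host_cap = self.per_host is not None and self.per_host_count[src] >= self.per_host
        if at_global_cap or at_host_cap:    # assumption: refuse, do not purge older entries
            self.dropped[src] += 1
            return False
        self.entries[key] = now + UDP_TIMEOUT
        self.per_host_count[src] += 1
        return True


def simulate(per_host=None, max_entries=1000, seconds=120):
    """Constructed traffic: a scanner opens 20 new UDP flows/s, a neighbour 1 flow/s.
    Returns (scanner_drops, neighbour_drops)."""
    table = NatTable(max_entries, per_host)
    for t in range(seconds):
        for i in range(20):
            fid = t * 20 + i                # unique (dst, port) per probe
            table.translate(t, "10.0.0.7", f"203.0.113.{fid % 254 + 1}", 4672 + fid // 254)
        table.translate(t, "10.0.0.8", "198.51.100.1", 10000 + t)
    return table.dropped["10.0.0.7"], table.dropped["10.0.0.8"]
```

With only the global cap the neighbour starts losing flows as soon as the scanner fills the table; with a per-host cap the scanner alone is throttled and the neighbour is unaffected.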