[c-nsp] Question about NAT Rate Limiting

Rodney Dunn rodunn at cisco.com
Tue Nov 16 10:18:04 EST 2004 

On Tue, Nov 16, 2004 at 08:34:21AM -0600, Brian Feeny wrote:
> 
> Rodney,
> 
> Yes "all-host" would do what I want.  I assume this feature is working. 
>   Do you know, if the limit is reached, what is the behavior, do older 
> entries get prematurely purged, or does attempts to create new entries 
> just fail and the user must wait for older entries to time out?

I just tested it.  I set the per host limit to 2 and on the
3rd telnet through the box with debug ip nat I get:

101_#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.10.10.1:11295   1.1.1.100:11295    4.4.4.103:23       4.4.4.103:23
tcp 10.10.10.1:56730   1.1.1.100:56730    4.4.4.103:23       4.4.4.103:23
101_#
*Nov 16 15:15:09.231: NAT*: s=1.1.1.100->10.10.10.1, d=4.4.4.103 [21]
*Nov 16 15:15:10.391: NAT: administratively-defined entry limit reached (2)
*Nov 16 15:15:10.403: NAT: administratively-defined entry limit reached (2)
*Nov 16 15:15:10.403: NAT: translation failed (A), dropping packet s=1.1.1.100 d=4.4.4.103


> 
> I have a customer doing NAT for an entire apartment complex on a 1700 
> (I know, REALLY bad idea).  One of these users is running some emule 
> type program that feels it needs to scan the entire internet on a udp 
> port searching for other emule people.   Its creating translation 
> entries so fast (udp has default timeout of like 5 min) and consuming 
> the memory (32MB) before they can start to expire.

Yep.  That's exactly what this is supposed to fix.

> 
> I mainly wish to deploy this feature to prevent this user from taking 
> down the router, and not have to put a global cap on everyone.  To me, 
> this is more a policy problem and not a technical one, but the 
> apartment managers aren't dealing with the situation appropriately so I 
> am trying to work up a technical solution.

I made a mistake below. :(  This didn't make it in the code in time
for 12.3(11)T.  It went in 12.3(11.1)T so it will be in the next
T release on CCO.  If you would like to test this some since I was
involved with the development of this I could probably get you
an image to try.  Contact me offline if you are interested in
trying it out.

Rodney

 
> Brian
> 
> 
> On Nov 15, 2004, at 9:10 PM, Rodney Dunn wrote:
> 
> > I filed a request for this just for this reason:
> >
> > CSCec16330
> > Internally found moderate defect: Resolved (R)
> > Request ability to limit per user NAT entries
> >
> >
> > 12.3(11)T:
> >
> > Router(config)#ip nat translation max-entries ?
> >   <1-2147483647>  Number of entries
> >   all-host        Specify maximum number of NAT entries for each host
> >   all-vrf         Specify maximum number of NAT entries for each vrf
> >   host            Specify per-host NAT entry limit
> >   list            Specify access list based NAT entry limit
> >   vrf             Specify per-VRF NAT entry limit
> >
> > Router(config)#ip nat translation max-entries all-host ?
> >   <1-2147483647>  Number of entries
> >
> > Router(config)#ip nat translation max-entries all-host 20
> >
> > I'm not sure why the doc's didn't get updated to reflect
> > this.  I will check on that.
> >
> > I just filed yesterday:
> >
> > CSCsa42809
> > Internally found enhancement defect: Assigned (A)
> > Ability to limit per user NAT entries (CSCec16330) should be VRF aware
> >
> > Does CSCec16330 do what you are asking for with the all-host option?
> >
> > Rodney
> >
> >
> >
> >
> > On Mon, Nov 15, 2004 at 08:25:47PM -0600, Brian Feeny wrote:
> >> I have a question regarding the NAT rate limiting in 12.3:
> >>
> >> http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/
> >> products_feature_guide09186a00801d09f0.html#1027258
> >>
> >> I understand you can globally limit the number of NAT translations:
> >>
> >> ip nat translation max-entries 300
> >>
> >> or you can limit a single host
> >>
> >> ip nat translation max-entries host 127.0.0.1 300
> >>
> >> can you use the ACL functionality to set a maximum amount of entries 
> >> on
> >> a per host level?  For example:
> >>
> >> ip nat translation max-entries list perHost 100
> >> ip access-list extended perHost
> >> 	permit ip 192.168.1.0 0.0.0.255 any
> >>
> >> would the above make it so that each host in 192.168.1.0 had its own
> >> max-entries of 100, or would that be shared across all hosts in the
> >> ACL?  I am trying to look for a way so that each host has its own
> >> "max-entries" without having to set a bunch of lines specifically
> >> setting it for each host.
> >>
> >> Brian
> >>
> >> ---------------------------------------------
> >> Brian Feeny, CCIE #8036, CISSP
> >> Network Engineer
> >> ShreveNet Inc.
> >
> >
> >
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> ---------------------------------------------
> Brian Feeny, CCIE #8036, CISSP
> Network Engineer
> ShreveNet Inc.
>

More information about the cisco-nsp mailing list