[c-nsp] Question about NAT Rate Limiting

Tue Nov 16 10:37:26 EST 2004

Thanks for the information, I think i have some time on this so I can  
wait for it to get
release first.  Are  you saying that:

ip nat translation max-entries list perHost 100
ip access-list extended perHost
	permit ip 192.168.1.0 0.0.0.255 any

would not accomplish a "per-host" setting for hosts in 192.168.1.0/24?   
Since its just a single /24
I am protecting, I don't mind doing the ACL if it will effectively do  
the same thing for now.

Brian

On Nov 16, 2004, at 9:18 AM, Rodney Dunn wrote:

> On Tue, Nov 16, 2004 at 08:34:21AM -0600, Brian Feeny wrote:
>>
>> Rodney,
>>
>> Yes "all-host" would do what I want.  I assume this feature is  
>> working.
>>   Do you know, if the limit is reached, what is the behavior, do older
>> entries get prematurely purged, or does attempts to create new entries
>> just fail and the user must wait for older entries to time out?
>
> I just tested it.  I set the per host limit to 2 and on the
> 3rd telnet through the box with debug ip nat I get:
>
> 101_#sh ip nat trans
> Pro Inside global      Inside local       Outside local      Outside  
> global
> tcp 10.10.10.1:11295   1.1.1.100:11295    4.4.4.103:23        
> 4.4.4.103:23
> tcp 10.10.10.1:56730   1.1.1.100:56730    4.4.4.103:23        
> 4.4.4.103:23
> 101_#
> *Nov 16 15:15:09.231: NAT*: s=1.1.1.100->10.10.10.1, d=4.4.4.103 [21]
> *Nov 16 15:15:10.391: NAT: administratively-defined entry limit  
> reached (2)
> *Nov 16 15:15:10.403: NAT: administratively-defined entry limit  
> reached (2)
> *Nov 16 15:15:10.403: NAT: translation failed (A), dropping packet  
> s=1.1.1.100 d=4.4.4.103
>
>
>>
>> I have a customer doing NAT for an entire apartment complex on a 1700
>> (I know, REALLY bad idea).  One of these users is running some emule
>> type program that feels it needs to scan the entire internet on a udp
>> port searching for other emule people.   Its creating translation
>> entries so fast (udp has default timeout of like 5 min) and consuming
>> the memory (32MB) before they can start to expire.
>
> Yep.  That's exactly what this is supposed to fix.
>
>>
>> I mainly wish to deploy this feature to prevent this user from taking
>> down the router, and not have to put a global cap on everyone.  To me,
>> this is more a policy problem and not a technical one, but the
>> apartment managers aren't dealing with the situation appropriately so  
>> I
>> am trying to work up a technical solution.
>
> I made a mistake below. :(  This didn't make it in the code in time
> for 12.3(11)T.  It went in 12.3(11.1)T so it will be in the next
> T release on CCO.  If you would like to test this some since I was
> involved with the development of this I could probably get you
> an image to try.  Contact me offline if you are interested in
> trying it out.
>
> Rodney
>
>
>> Brian
>>
>>
>> On Nov 15, 2004, at 9:10 PM, Rodney Dunn wrote:
>>
>>> I filed a request for this just for this reason:
>>>
>>> CSCec16330
>>> Internally found moderate defect: Resolved (R)
>>> Request ability to limit per user NAT entries
>>>
>>>
>>> 12.3(11)T:
>>>
>>> Router(config)#ip nat translation max-entries ?
>>>   <1-2147483647>  Number of entries
>>>   all-host        Specify maximum number of NAT entries for each host
>>>   all-vrf         Specify maximum number of NAT entries for each vrf
>>>   host            Specify per-host NAT entry limit
>>>   list            Specify access list based NAT entry limit
>>>   vrf             Specify per-VRF NAT entry limit
>>>
>>> Router(config)#ip nat translation max-entries all-host ?
>>>   <1-2147483647>  Number of entries
>>>
>>> Router(config)#ip nat translation max-entries all-host 20
>>>
>>> I'm not sure why the doc's didn't get updated to reflect
>>> this.  I will check on that.
>>>
>>> I just filed yesterday:
>>>
>>> CSCsa42809
>>> Internally found enhancement defect: Assigned (A)
>>> Ability to limit per user NAT entries (CSCec16330) should be VRF  
>>> aware
>>>
>>> Does CSCec16330 do what you are asking for with the all-host option?
>>>
>>> Rodney
>>>
>>>
>>>
>>>
>>> On Mon, Nov 15, 2004 at 08:25:47PM -0600, Brian Feeny wrote:
>>>> I have a question regarding the NAT rate limiting in 12.3:
>>>>
>>>> http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/
>>>> products_feature_guide09186a00801d09f0.html#1027258
>>>>
>>>> I understand you can globally limit the number of NAT translations:
>>>>
>>>> ip nat translation max-entries 300
>>>>
>>>> or you can limit a single host
>>>>
>>>> ip nat translation max-entries host 127.0.0.1 300
>>>>
>>>> can you use the ACL functionality to set a maximum amount of entries
>>>> on
>>>> a per host level?  For example:
>>>>
>>>> ip nat translation max-entries list perHost 100
>>>> ip access-list extended perHost
>>>> 	permit ip 192.168.1.0 0.0.0.255 any
>>>>
>>>> would the above make it so that each host in 192.168.1.0 had its own
>>>> max-entries of 100, or would that be shared across all hosts in the
>>>> ACL?  I am trying to look for a way so that each host has its own
>>>> "max-entries" without having to set a bunch of lines specifically
>>>> setting it for each host.
>>>>
>>>> Brian
>>>>
>>>> ---------------------------------------------
>>>> Brian Feeny, CCIE #8036, CISSP
>>>> Network Engineer
>>>> ShreveNet Inc.
>>>
>>>
>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>> ---------------------------------------------
>> Brian Feeny, CCIE #8036, CISSP
>> Network Engineer
>> ShreveNet Inc.
>>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
------------------------------------------------------------------------ 
------
Brian Feeny, CCIE #8036, CISSP    	e: signal at shreve.net
Network Engineer           			p: 318.213.4709
ShreveNet Inc.             			f: 318.221.6612

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : https://puck.nether.net/pipermail/cisco-nsp/attachments/20041116/97a8748b/PGP.bin