[c-nsp] NAT/PAT:end-user ratio
Gert Doering
gert at greenie.muc.de
Sat Dec 3 10:16:44 EST 2005
Hi,
On Sat, Dec 03, 2005 at 09:50:02AM -0500, Adam Greene wrote:
> We're setting up a 2801 (12.3(8)T8) for a customer, running BGP with us.
> Primary link: 4Mbps, backup link: 1.8Mbps. NAT is being performed on a
> loopback interface.
>
> We're trying to determine how many public NAT-ed (or PAT-ed) IP addresses to
> allocate to the end-users. Is there a general rule of thumb (like a standard
> ratio)?
I don't have a generic "rule of thumb", but in our experience, for customers
of this size, a single (PAT-ed) IP usually suffices.
Some simple math: a single IP has about 65000 ports for TCP and UDP.
Divided by 150 (end-users) results in over 400 available ports per user.
Take away some ports for NAT table expiry time, etc., and you still can
have 100 parallel TCP/UDP sessions per user - which is likely to fill
up your memory and CPU before running out of wiggle space.
(OTOH, watch out for virus outbreaks - these tend to fill up NAT tables
pretty quickly with portscan garbage)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
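A small model of the port arithmetic and the virus caveat from the message above, added here as an illustration; it is not part of the original post or of any Cisco code. It assumes an ephemeral range of 1024-65535 for one protocol (TCP), a 60-second idle timer for half-open translations, and constructed traffic figures (150 users with 100 parallel flows each, one infected host scanning at 2000 probes/second); the 150-user count is the one from the thread, everything else is an assumption.

```python
"""Toy PAT port-budget model: how many parallel flows one public IP carries for
~150 users, and how one port-scanning host eats the translation table.

Added example, not from the original post.  Assumptions not in the thread:
ephemeral range 1024-65535, TCP only, 60 s idle timer for half-open flows.
"""
from collections import deque

FIRST_PORT, LAST_PORT = 1024, 65535          # assumption: usable ephemeral range
PORTS_PER_IP = LAST_PORT - FIRST_PORT + 1    # 64512 ports per protocol per public IP
END_USERS = 150                              # figure from the thread
SYN_TIMEOUT = 60                             # assumption: idle timer for half-open flows


def ports_per_user(public_ips=1, users=END_USERS, reserve=0.0):
    """Back-of-envelope budget from the post: ports per public IP spread over
    the users, optionally minus a reserve for translations still waiting to idle out."""
    return int(PORTS_PER_IP * public_ips * (1 - reserve) / users)


class PatTable:
    """PAT table for one public IP and one protocol.  A translation holds its
    public port until it has been idle for `idle_timeout` seconds."""

    def __init__(self, idle_timeout=SYN_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.free = deque(range(FIRST_PORT, LAST_PORT + 1))
        self.entries = {}       # public port -> (inside host, time last seen)
        self.by_age = deque()   # public ports in allocation order (time is monotonic)

    def expire(self, now):
        """Release translations idle longer than the timer; return how many were freed."""
        freed = 0
        while self.by_age and now - self.entries[self.by_age[0]][1] > self.idle_timeout:
            port = self.by_age.popleft()
            del self.entries[port]
            self.free.append(port)
            freed += 1
        return freed

    def new_session(self, host, now):
        """Allocate a public port for a new flow; None when the pool is exhausted."""
        self.expire(now)
        if not self.free:
            return None
        port = self.free.popleft()
        self.entries[port] = (host, now)
        self.by_age.append(port)
        return port

    def held_by(self, host):
        """Number of public ports currently pinned by one inside host."""
        return sum(1 for h, _ in self.entries.values() if h == host)


def normal_office(table, users=END_USERS, flows_per_user=100, now=0):
    """Every user opens `flows_per_user` parallel flows; return how many got no port."""
    return sum(
        table.new_session(f"user{u}", now) is None
        for u in range(users) for _ in range(flows_per_user)
    )


def portscan_outbreak(table, probes_per_sec, seconds, start=0):
    """One infected host SYN-scans unique targets; each probe pins a public port
    until the idle timer fires.  Returns (probes translated, probes refused)."""
    translated = refused = 0
    for t in range(start, start + seconds):
        for _ in range(probes_per_sec):
            if table.new_session("infected-pc", now=t) is None:
                refused += 1
            else:
                translated += 1
    return translated, refused


def outbreak_impact(probes_per_sec=2000, seconds=30):
    """Office load first, then a scanning host.  Returns (scan probes refused,
    whether a fresh user flow still gets translated, ports recovered once the
    idle timer has expired everything the scanner left behind)."""
    table = PatTable()
    normal_office(table)                                  # 15,000 flows fit easily
    _, refused = portscan_outbreak(table, probes_per_sec, seconds, start=1)
    user_ok = table.new_session("user0", now=seconds) is not None
    freed_later = table.expire(now=seconds + SYN_TIMEOUT + 1)
    return refused, user_ok, freed_later


if __name__ == "__main__":
    print("ports per user, one PAT IP, no reserve:", ports_per_user())
    print("ports per user with 25% reserve for expiry:", ports_per_user(reserve=0.25))
    print("scan on an empty table, 2000/s for 60 s:", portscan_outbreak(PatTable(), 2000, 60))
    print("office + scan (refused, user still ok, freed after timer):", outbreak_impact())
```

The office load alone never comes close to the pool, which is the post's point; the scanning host is what empties it, and it does so in well under one idle-timer interval, so a legitimate new flow is refused until the half-open entries age out. That is why a per-host translation cap or a short timer for half-open flows matters more than the raw ports-per-user ratio.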