[c-nsp] NAT/PAT:end-user ratio

Adam Greene maillist at webjogger.net
Sat Dec 3 13:25:08 EST 2005


Thanks Gert, for the helpful response ...

----- Original Message ----- 
From: "Gert Doering" <gert at greenie.muc.de>
To: "Adam Greene" <maillist at webjogger.net>
Cc: <cisco-nsp at puck.nether.net>
Sent: Saturday, December 03, 2005 10:16 AM
Subject: Re: [c-nsp] NAT/PAT:end-user ratio


> Hi,
>
> On Sat, Dec 03, 2005 at 09:50:02AM -0500, Adam Greene wrote:
> > We're setting up a 2801 (12.3(8)T8) for a customer, running BGP with us.
> > Primary link: 4Mbps, backup link: 1.8Mbps. NAT is being performed on a
> > loopback interface.
> >
> > We're trying to determine how many public NAT-ed (or PAT-ed) IP addresses to
> > allocate to the end-users. Is there a general rule of thumb (like a standard
> > ratio)?
>
> I don't have a generic "rule of thumb", but in our experience, for customers
> of this size, a single (PAT-ed) IP usually suffices.
>
> Some simple math: a single IP has about 65000 ports for TCP and UDP.
>
> Divided by 150 (end-users) results in over 400 available ports per user.
>
> Take away some ports for NAT table expiry time, etc., and you still can
> have 100 parallel TCP/UDP sessions per user - which is likely to fill
> up your memory and CPU before running out of wiggle space.
>
> (OTOH, watch out for virus outbreaks - these tend to fill up NAT tables
> pretty quick with portscan garbage)
>
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
> ---
> [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
>
>

---
[This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
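A worked version of Gert's port arithmetic, plus a check for the kind of NAT-table-filling host he warns about, as an added example that is not part of the original thread. The translation lines are constructed, modelled on IOS `show ip nat translations` output; the 25% expiry reserve and the fan-out threshold are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample, modelled on IOS `show ip nat translations` output.
# 10.0.0.77 is opening one connection per destination host on port 445,
# the "portscan garbage" pattern that eats NAT table entries.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.1:1024   10.0.0.5:49152     198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.1:1025   10.0.0.5:49153     198.51.100.7:443   198.51.100.7:443
udp 203.0.113.1:1026   10.0.0.9:5353      198.51.100.20:53   198.51.100.20:53
tcp 203.0.113.1:1027   10.0.0.77:3001     192.0.2.1:445      192.0.2.1:445
tcp 203.0.113.1:1028   10.0.0.77:3002     192.0.2.2:445      192.0.2.2:445
tcp 203.0.113.1:1029   10.0.0.77:3003     192.0.2.3:445      192.0.2.3:445
tcp 203.0.113.1:1030   10.0.0.77:3004     192.0.2.4:445      192.0.2.4:445
"""

USABLE_PORTS = 65000          # per public IP, per protocol, as in the thread

def ports_per_user(public_ips, users, reserve_fraction=0.25):
    """Port budget per end-user after holding back a share (assumed 25%)
    for translations still waiting out their expiry timer."""
    total = public_ips * USABLE_PORTS
    return int(total * (1 - reserve_fraction)) // users

def public_ips_needed(users, sessions_per_user, reserve_fraction=0.25):
    """Inverse of the above: PAT addresses needed for a target concurrency."""
    needed = users * sessions_per_user / (1 - reserve_fraction)
    return math.ceil(needed / USABLE_PORTS)

def parse_translations(text):
    """Yield (inside_local_ip, outside_global_ip, outside_port) per entry."""
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) != 5 or "---" in fields: # skip blanks and static entries
            continue
        _proto, _iglobal, ilocal, _olocal, oglobal = fields
        dst_ip, dst_port = oglobal.rsplit(":", 1)
        yield ilocal.rsplit(":", 1)[0], dst_ip, dst_port

def suspicious_hosts(text, min_distinct_dests=4):
    """Inside hosts with translations to many distinct outside hosts: the
    scan-like fan-out that fills a NAT table far faster than real users."""
    dests = defaultdict(set)
    for src, dst_ip, _port in parse_translations(text):
        dests[src].add(dst_ip)
    return sorted(h for h, d in dests.items() if len(d) >= min_distinct_dests)
```

With no reserve the budget is the 433 ports per user behind Gert's "over 400"; with the reserve, 150 users at 100 sessions each still fit on one address.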
