[c-nsp] NAT/PAT:end-user ratio

Adam Greene maillist at webjogger.net
Mon Dec 5 11:18:08 EST 2005


Thanks ... we'll check that out as an extra precaution.

Much appreciated,
Adam

----- Original Message ----- 
From: "Rodney Dunn" <rodunn at cisco.com>
To: "Gert Doering" <gert at greenie.muc.de>
Cc: "Adam Greene" <maillist at webjogger.net>; <cisco-nsp at puck.nether.net>
Sent: Sunday, December 04, 2005 10:29 PM
Subject: Re: [c-nsp] NAT/PAT:end-user ratio


> Gert is right. Make sure you consider some of the NAT
> per host translation limit parameters to protect against
> such an outbreak where it chews up all your translations.
>
> Rodney
>
> On Sat, Dec 03, 2005 at 04:16:44PM +0100, Gert Doering wrote:
> > Hi,
> >
> > On Sat, Dec 03, 2005 at 09:50:02AM -0500, Adam Greene wrote:
> > > We're setting up a 2801 (12.3(8)T8) for a customer, running BGP with us.
> > > Primary link: 4Mbps, backup link: 1.8Mbps. NAT is being performed on a
> > > loopback interface.
> > >
> > > We're trying to determine how many public NAT-ed (or PAT-ed) IP addresses to
> > > allocate to the end-users. Is there a general rule of thumb (like a standard
> > > ratio)?
> >
> > I don't have a generic "rule of thumb", but in our experience, for customers
> > of this size, a single (PAT-ed) IP usually suffices.
> >
> > Some simple math: a single IP has about 65000 ports for TCP and UDP.
> >
> > Divided by 150 (end-users) results in over 400 available ports per user.
> >
> > Take away some ports for NAT table expiry time, etc., and you still can
> > have 100 parallel TCP/UDP sessions per user - which is likely to fill
> > up your memory and CPU before running out of wiggle space.
> >
> > (OTOH, watch out for virus outbreaks - these tend to fill up NAT tables
> > pretty quick with portscan garbage)
> >
> > gert
> > -- 
> > USENET is *not* the non-clickable part of WWW!
> >                                                            //www.muc.de/~gert/
> > Gert Doering - Munich, Germany                             gert at greenie.muc.de
> > fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

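As an added illustration of Gert's port arithmetic and Rodney's per-host translation limit advice (my own toy model, not code from the thread or from Cisco; the expiry reserve fraction, session counts and host names are constructed):

```python
"""Toy model of a PAT port budget and a per-host translation limit.

Constructed illustration only: it models the counting argument in the
thread (one public IP ~ 65000 ports shared by N end-users) and shows why a
per-host cap keeps one portscanning host from starving everyone else.
"""
from collections import Counter

PORTS_PER_IP = 65000  # approximate usable source ports per public address


def ports_per_user(public_ips, users, reserve_fraction=0.25):
    """Return (raw, after_reserve) ports per user for an evenly shared table.

    reserve_fraction is a constructed allowance for entries sitting in the
    table until their expiry timer fires.  Thread case: 1 IP, 150 users."""
    raw = public_ips * PORTS_PER_IP // users
    return raw, int(raw * (1 - reserve_fraction))


class PatTable:
    """Translation table with a global capacity and an optional per-host cap."""

    def __init__(self, capacity, per_host_limit=None):
        self.capacity = capacity
        self.per_host_limit = per_host_limit
        self.by_host = Counter()
        self.total = 0

    def translate(self, host):
        """Try to add one translation for host; True if it was accepted."""
        if self.total >= self.capacity:
            return False  # whole table exhausted
        if self.per_host_limit is not None and self.by_host[host] >= self.per_host_limit:
            return False  # this host already holds its share
        self.by_host[host] += 1
        self.total += 1
        return True


def outbreak(per_host_limit, users=150, scan_attempts=70000, normal_sessions=20):
    """One infected host portscans first; the other users then open their
    normal sessions.  Returns (scanner_entries, healthy_hosts_fully_served)."""
    table = PatTable(PORTS_PER_IP, per_host_limit)
    scanner_entries = sum(table.translate("infected") for _ in range(scan_attempts))
    served = 0
    for h in range(users - 1):
        if all(table.translate(f"host{h}") for _ in range(normal_sessions)):
            served += 1
    return scanner_entries, served
```

Without a per-host limit the scanning host takes every translation and the other 149 users get none; with a cap of a few hundred entries per host it is throttled and everyone else is still served.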
