[c-nsp] cisco-bba@puck.nether.net

Justin M. Streiner streiner at cluebyfour.org
Tue Oct 25 08:43:45 EDT 2005


On Tue, 25 Oct 2005, Imad Buhidma wrote:

> We are currently running a 7200/G1 box as aggregation for
> thousands of DSL users. All the users get private IP addresses.
>
> What are the recommended values in a production environment
> of the "ip nat translation tcp-timeout" and
> "ip nat translation udp-timeout" commands?

When I was responsible for running a similar setup at a previous job, 
through trial and error I found that an overall NAT translation timeout
of 5 minutes (300 seconds) worked out well for us.

There really isn't a solid method for determining what the optimum 
timeout values would be, because there are so many variables (IOS 
version, traffic loads, NAT translation activity, any other functions or 
processes running on the router that can consume CPU or memory, etc.). 
For me, 300 seconds struck the right balance between controlling CPU 
utilization and NAT translation table utilization in most situations.

Also keep in mind that as the number of users served by the router 
changes, the translation timeout values may need to be changed.

I also ran across a threshold for the number of NAT translations in some 
older IOS versions where, once crossed, the CPU utilization would spike up 
to 100% and bad things would start to happen.

As always, your mileage may vary :-)

jms
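For reference, here is the classic IOS NAT syntax the thread is discussing, written as an added illustration rather than anything from Justin's or Imad's posts. It applies the 300-second overall timeout Justin describes and shows where the per-protocol tcp/udp overrides fit; the default values in the comments are from IOS 12.x documentation as I remember them, and the max-entries command is assumed to be available on the IOS release in use (it is not on every older train).

```cisco
! Added example configuration, not from the original post.
! Overall dynamic-translation idle timeout (default 86400 s = 24 h).
! This is the single knob Justin settled on at 300 s.
ip nat translation timeout 300
!
! Protocol-specific overrides take precedence over the overall value.
! Defaults: tcp-timeout 86400, udp-timeout 300, dns-timeout 60,
! icmp-timeout 60, finrst-timeout 60, syn-timeout 60.
! Leaving tcp-timeout at 24 h lets half-open or abandoned TCP sessions
! sit in the table all day, so pull it in line with the overall value.
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 300
! Keep DNS and ICMP short; they are one-shot exchanges.
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 60
!
! Optional guard rail for the "CPU goes to 100% past a threshold" case:
! cap the table size below the point where the box falls over.
! (Assumed value; tune from observed 'show ip nat statistics' peaks.)
ip nat translation max-entries 50000
!
! Verification after the change:
!   show ip nat statistics      - total active translations, hits/misses
!   show ip nat translations    - per-entry view (large on a busy box)
!   show processes cpu sorted   - confirm the NAT process is not pegged
```

Watch the translation count and CPU over a full daily cycle after lowering the timeouts, since the user population and traffic mix shift the right value, exactly as the reply notes.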

