[c-nsp] 2821 NAT Limitations

Ge Moua moua0100 at umn.edu
Thu Oct 14 08:29:00 EDT 2010


Rodney, thanks for the correction and feedback.

Is it true then that the ASR1K platform could achieve the same amount of 
NAT throughput without severe resource exhaustion, much like the ASA?  If 
so, this would be a viable option for the OP, as "route-map" features 
would also be available on said router platform.

--
Regards,
Ge Moua
Network Design Engineer

University of Minnesota | OIT - NTS
--


On 10/14/10 4:47 AM, Rodney Dunn wrote:
> In the spirit of technical accuracy.
>
> NAT is a more complex feature than it appears on the surface. In 
> regards to the "process switch" portion. NAT today for normal http 
> traffic is CEF switched, even the SYN's, along with the payload data.
> The FIN/RST's are punted to tear the translations down.
>
> As for the 2821 specifically, NAT is no different there (assuming same 
> code version) than it is on a 72xx for example. Only difference is CPU 
> power and memory (depending on the difference).
>
> Therefore, scale is directly related to those two factors on the 
> platform. And port ranges if you do overload.
>
> The main factors to watch from a scale are:
>
> CPU
> Memory
> NAT pool allocation
> Input Queue drops on interfaces (set them to the max)
>
> Good NAT'ing. :)
>
> For an IOS device the ASR1k is the leader today. It does ALL NAT'ing 
> (even ALG) in the *hardware* forwarding path.
>
> Rodney
>
>
>
> On 10/13/10 5:40 PM, Ge Moua wrote:
>> forgot to mention that I'm fairly certain that the many NAT sessions that
>> you require will overrun the 2800, which process switches that function (no
>> good).
>>
>> -- 
>> Regards,
>> Ge Moua
>> Network Design Engineer
>>
>> University of Minnesota | OIT - NTS
>> -- 
>>
>>
>> On 10/13/10 4:38 PM, Ge Moua wrote:
>>> we do upwards of 75,000 NAT sessions on an asa-5550 with no problems;
>>> bad thing here for you is that you'll also need a router platform to
>>> do the route maps
>>>
>>> not sure if you can split the functions, but if so then this might
>>> work for you.
>>>
>>> -- 
>>> Regards,
>>> Ge Moua
>>> Network Design Engineer
>>>
>>> University of Minnesota | OIT - NTS
>>> -- 
>>>
>>>
>>> On 10/13/10 4:11 PM, Dan Letkeman wrote:
>>>> Hi,
>>>>
>>>> Wondering if anyone has some experience with the NAT limitations on a
>>>> 2821 router? I have about 1500 users, of which about half are on
>>>> the internet at one time, but we have a proxy web filter appliance
>>>> that all of the clients connect to that does a website lookup, and
>>>> check before it lets the client access the page, so it creates a
>>>> separate entry for every page requested. This doubles the NAT entries
>>>> in the router.
>>>>
>>>> Would 40,000 - 60,000 NAT translation entries be too much for a 2821?
>>>> It's not doing much else except NAT and a couple of route-maps.
>>>>
>>>> If so, which device would be recommended that could handle this amount
>>>> of translations?
>>>>
>>>> Thanks,
>>>> Dan.
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
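Rodney's list of things to watch (CPU, memory, NAT pool allocation, input queue drops) and his point that only the FIN/RST teardown is punted out of the CEF path can be turned into a simple capacity check. The script below is an added example for this thread, not code from any poster or from Cisco. The two text blocks are constructed samples whose line layout is modelled on the IOS `show ip nat statistics` and `show interfaces` output formats; the counter values are made up, and `max_translations` and `punt_ratio_limit` are operator-chosen thresholds assumed for the example.

```python
import re

# Constructed sample output for this example, modelled on the line format of
# the IOS command "show ip nat statistics"; the counters themselves are made up.
NAT_STATS = """\
Total active translations: 48210 (12 static, 48198 dynamic; 48198 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 91234567  Misses: 2345
CEF Translated packets: 91200000, CEF Punted packets: 36912
Expired translations: 4410
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool NATPOOL refcount 48198
 pool NATPOOL: netmask 255.255.255.240
        start 203.0.113.1 end 203.0.113.14
        type generic, total addresses 14, allocated 14 (100%), misses 17
"""

# Constructed sample, modelled on the "Input queue" line of "show interfaces"
# for the inside interface.
INTERFACE = """\
GigabitEthernet0/1 is up, line protocol is up
  Input queue: 71/75/1342/0 (size/max/drops/flushes); Total output drops: 0
"""


def parse_nat_stats(text):
    """Pull the scale-relevant counters out of 'show ip nat statistics' output."""
    active = re.search(r"Total active translations: (\d+)", text)
    cef = re.search(r"CEF Translated packets: (\d+), CEF Punted packets: (\d+)", text)
    pool = re.search(
        r"total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)", text)
    return {
        "active": int(active.group(1)),
        "cef_translated": int(cef.group(1)),
        "cef_punted": int(cef.group(2)),
        "pool_total": int(pool.group(1)),
        "pool_allocated": int(pool.group(2)),
        "pool_pct": int(pool.group(3)),
        "pool_misses": int(pool.group(4)),
    }


def parse_input_queue(text):
    """Return (size, max, drops, flushes) from the interface's 'Input queue' line."""
    m = re.search(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)", text)
    return tuple(int(x) for x in m.groups())


def check_nat_scale(nat_text, intf_text, max_translations, punt_ratio_limit=0.01):
    """Return (code, message) warnings for the factors the thread says to watch.

    max_translations is a capacity budget the operator chooses (assumed here);
    punt_ratio_limit is an arbitrary ceiling on the share of packets leaving
    the CEF path, since only teardown (FIN/RST) should normally be punted.
    """
    stats = parse_nat_stats(nat_text)
    _size, _qmax, drops, _flushes = parse_input_queue(intf_text)
    warnings = []

    if stats["active"] >= 0.8 * max_translations:
        warnings.append(("translations",
                         f"{stats['active']} active translations is at or above "
                         f"80% of the {max_translations} budget"))

    total = stats["cef_translated"] + stats["cef_punted"]
    if total and stats["cef_punted"] / total > punt_ratio_limit:
        warnings.append(("punt",
                         f"{stats['cef_punted']} of {total} packets punted "
                         f"from the CEF path; check for non-CEF NAT traffic"))

    if stats["pool_misses"] > 0 or stats["pool_pct"] >= 90:
        warnings.append(("pool",
                         f"NAT pool {stats['pool_allocated']}/{stats['pool_total']} "
                         f"addresses allocated with {stats['pool_misses']} misses"))

    if drops > 0:
        warnings.append(("input-queue",
                         f"{drops} input queue drops on the inside interface; "
                         f"raise the input hold-queue"))

    return warnings


if __name__ == "__main__":
    for code, msg in check_nat_scale(NAT_STATS, INTERFACE, max_translations=50000):
        print(f"[{code}] {msg}")
```

Run against the constructed samples with a 50,000-translation budget, the check flags the translation count, the exhausted pool, and the input queue drops, while the punt ratio (about 0.04%) stays under the limit; feed it the real command output from a router to see which of Rodney's four factors is the one actually biting.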