[c-nsp] 2821 NAT Limitations

Dan Letkeman danletkeman at gmail.com
Thu Oct 14 09:26:28 EDT 2010


I'll look into getting an ASA.  My graphs show about 40000 NAT
translations at the time the router had issues; would an ASA5510 be
the right choice, or would you go with a 5520?

Dan.

On Thu, Oct 14, 2010 at 4:47 AM, Rodney Dunn <rodunn at cisco.com> wrote:
> In the spirit of technical accuracy.
>
> NAT is a more complex feature than it appears on the surface. In regard to
> the "process switch" portion: NAT today for normal http traffic is CEF
> switched, even the SYNs, along with the payload data.
> The FIN/RSTs are punted to tear the translations down.
>
> As for the 2821 specifically, NAT is no different there (assuming same code
> version) than it is on a 72xx for example. The only difference is CPU power and
> memory (depending on the difference).
>
> Therefore, scale is directly related to those two factors on the platform.
> And port ranges if you do overload.
>
> The main factors to watch for scale are:
>
> CPU
> Memory
> NAT pool allocation
> Input Queue drops on interfaces (set them to the max)
>
> Good NAT'ing. :)
>
> For an IOS device the ASR1k is the leader today. It does ALL NAT'ing (even
> ALG) in the *hardware* forwarding path.
>
> Rodney
>
>
>
> On 10/13/10 5:40 PM, Ge Moua wrote:
>>
>> Forgot to mention that I'm fairly certain that the many NAT sessions
>> you require will overrun the 2800, which process-switches that function (no
>> good).
>>
>> --
>> Regards,
>> Ge Moua
>> Network Design Engineer
>>
>> University of Minnesota | OIT - NTS
>> --
>>
>>
>> On 10/13/10 4:38 PM, Ge Moua wrote:
>>>
>>> We do upwards of 75,000 NAT sessions on an ASA-5550 with no problems;
>>> the bad thing here for you is that you'll also need a router platform to
>>> do the route maps.
>>>
>>> Not sure if you can split the functions, but if so then this might
>>> work for you.
>>>
>>> --
>>> Regards,
>>> Ge Moua
>>> Network Design Engineer
>>>
>>> University of Minnesota | OIT - NTS
>>> --
>>>
>>>
>>> On 10/13/10 4:11 PM, Dan Letkeman wrote:
>>>>
>>>> Hi,
>>>>
>>>> Wondering if anyone has some experience with the NAT limitations on a
>>>> 2821 router? I have about 1500 users, about half of whom are on
>>>> the internet at one time, but we have a proxy web filter appliance
>>>> that all of the clients connect to that does a website lookup and
>>>> check before it lets the client access the page, so it creates a
>>>> separate entry for every page requested. This doubles the NAT entries
>>>> in the router.
>>>>
>>>> Would 40,000 - 60,000 NAT translation entries be too much for a 2821?
>>>> It's not doing much else except NAT and a couple of route-maps.
>>>>
>>>> If so, what device would be recommended that could handle this amount
>>>> of translations?
>>>>
>>>> Thanks,
>>>> Dan.
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
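Rodney's reply names the factors to watch when scaling IOS NAT (pool/port allocation, traffic punted out of the CEF path, input queue drops). The script below is an added example, not code from the thread or from Cisco: it parses constructed sample output approximating the IOS `show ip nat statistics` and `show interfaces` format and flags each factor; the port-per-address figure, the 4096 hold-queue ceiling and the warning thresholds are assumptions.

```python
import re
# Constructed sample, approximating IOS "show ip nat statistics" / "show interfaces" output; not a real capture
NAT_STATS = """\
Total active translations: 40123 (12 static, 40111 dynamic; 40111 extended)
CEF Translated packets: 912000000, CEF Punted packets: 12000000
 pool OUTSIDE: netmask 255.255.255.0
        start 203.0.113.10 end 203.0.113.10
        type generic, total addresses 1, allocated 1 (100%), misses 0
"""
SHOW_INT = """\
GigabitEthernet0/0 is up, line protocol is up
  Input queue: 75/75/31337/0 (size/max/drops/flushes); Total output drops: 0
GigabitEthernet0/1 is up, line protocol is up
  Input queue: 0/4096/0/0 (size/max/drops/flushes); Total output drops: 0
"""
PORTS_PER_ADDR = 64512  # assumption: ports 1024-65535 usable per pool address, per protocol
MAX_HOLD_QUEUE = 4096   # assumption: largest "hold-queue <n> in" accepted on this platform

def parse_nat(text):
    # Active translations, CEF-switched vs punted packet counts, and pool size
    active = int(re.search(r"Total active translations: (\d+)", text).group(1))
    cef, punted = map(int, re.search(
        r"CEF Translated packets: (\d+), CEF Punted packets: (\d+)", text).groups())
    addrs = sum(int(n) for n in re.findall(r"total addresses (\d+)", text))
    return {"active": active, "punt_ratio": punted / (cef + punted), "pool_addrs": addrs}

def parse_input_queues(text):
    # interface name -> (hold-queue max, cumulative input queue drops)
    queues, iface = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+) is ", line)
        if head:
            iface = head.group(1)
            continue
        q = re.search(r"Input queue: \d+/(\d+)/(\d+)/", line)
        if q and iface:
            queues[iface] = (int(q.group(1)), int(q.group(2)))
    return queues

def nat_health(nat_text, int_text, util_warn=0.5, punt_warn=0.01):
    # One warning per scale factor out of bounds: PAT port headroom, punts, input queues
    nat, warnings = parse_nat(nat_text), []
    util = nat["active"] / (nat["pool_addrs"] * PORTS_PER_ADDR)  # rough PAT port headroom
    if util > util_warn:
        warnings.append(("PAT_PORTS", f"{util:.0%} of estimated PAT ports in use"))
    if nat["punt_ratio"] > punt_warn:
        warnings.append(("CEF_PUNTS", f"{nat['punt_ratio']:.1%} of NAT packets punted to process path"))
    for iface, (qmax, drops) in parse_input_queues(int_text).items():
        if drops or qmax < MAX_HOLD_QUEUE:
            warnings.append(("INPUT_QUEUE", f"{iface}: {drops} drops, hold-queue {qmax}/{MAX_HOLD_QUEUE}"))
    return warnings
```

On the sample the 40k translations share a single overloaded address, the punt ratio exceeds 1% and Gi0/0 still has the default 75-packet input queue with drops, so all three checks fire; CPU and memory would come from `show processes cpu` and `show memory`, which the script does not cover.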
