[c-nsp] 2821 NAT Limitations

Rodney Dunn rodunn at cisco.com
Thu Oct 14 12:14:11 EDT 2010



On 10/14/10 8:29 AM, Ge Moua wrote:
> Rodney, thanks for the correction and feedback.
>
> Is it true then that the ASR1K platform could achieve the same amount of
> NAT throughput without severe resource exhaustion much like the ASA?

CPU and memory... yes, as it's all done in hardware.


> If
> so then this would be a viable option for the OP as "route-map" features
> would also be available on said router platform.
>

Yes. All is done in hardware.

Rodney


> --
> Regards,
> Ge Moua
> Network Design Engineer
>
> University of Minnesota | OIT - NTS
> --
>
>
> On 10/14/10 4:47 AM, Rodney Dunn wrote:
>> In the spirit of technical accuracy.
>>
>> NAT is a more complex feature than it appears on the surface. In
>> regards to the "process switch" portion. NAT today for normal http
>> traffic is CEF switched, even the SYN's, along with the payload data.
>> The FIN/RST's are punted to tear the translations down.
>>
>> As for the 2821 specifically, NAT is no different there (assuming same
>> code version) than it is on a 72xx for example. Only difference is CPU
>> power and memory (depending on the difference).
>>
>> Therefore, scale is directly related to those two factors on the
>> platform. And port ranges if you do overload.
>>
>> The main factors to watch from a scale are:
>>
>> CPU
>> Memory
>> NAT pool allocation
>> Input Queue drops on interfaces (set them to the max)
>>
>> Good NAT'ing. :)
>>
>> For an IOS device the ASR1k is the leader today. It does ALL NAT'ing
>> (even ALG) in the *hardware* forwarding path.
>>
>> Rodney
>>
>>
>>
>> On 10/13/10 5:40 PM, Ge Moua wrote:
>>> Forgot to mention that I'm fairly certain that many NAT sessions that
>>> you require will overrun the 2800, which process switches that function
>>> (no good).
>>>
>>> --
>>> Regards,
>>> Ge Moua
>>> Network Design Engineer
>>>
>>> University of Minnesota | OIT - NTS
>>> --
>>>
>>>
>>> On 10/13/10 4:38 PM, Ge Moua wrote:
>>>> we do upwards of 75,000 NAT sessions on an asa-5550 with no problems;
>>>> bad thing here for you is that you'll also need a router platform to
>>>> do the route maps
>>>>
>>>> not sure if you can split the functions, but if so then this might
>>>> work for you.
>>>>
>>>> --
>>>> Regards,
>>>> Ge Moua
>>>> Network Design Engineer
>>>>
>>>> University of Minnesota | OIT - NTS
>>>> --
>>>>
>>>>
>>>> On 10/13/10 4:11 PM, Dan Letkeman wrote:
>>>>> Hi,
>>>>>
>>>>> Wondering if anyone has some experience with the NAT limitations on a
>>>>> 2821 router? I have about 1500 users, about half of which are on
>>>>> the internet at one time, but we have a proxy web filter appliance
>>>>> that all of the clients connect to that does a website lookup and
>>>>> check before it lets the client access the page, so it creates a
>>>>> separate entry for every page requested. This doubles the NAT entries
>>>>> in the router.
>>>>>
>>>>> Would 40,000 - 60,000 NAT translation entries be too much for a 2821?
>>>>> It's not doing much else except NAT and a couple of route-maps.
>>>>>
>>>>> If so, which device would be recommended that could handle this amount
>>>>> of translations?
>>>>>
>>>>> Thanks,
>>>>> Dan.
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
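Rodney's list of scale factors (CPU, memory, NAT pool allocation, input queue drops) and his note that most NAT traffic is CEF switched while FIN/RSTs are punted suggest what an operator should actually watch on a 2821 doing 40-60k translations. The script below is an added example, not code from the thread or from Cisco: it parses captured `show ip nat statistics` and `show interfaces` output and flags the conditions the thread names. The sample output is constructed in the common IOS layout (the numbers are invented), the warning thresholds are assumptions, and `max_translations` is a placeholder for whatever limit you have established for your platform, since the thread does not state one.

```python
import re

# CONSTRUCTED sample in the style of 'show ip nat statistics' (IOS).
# Counters are invented for this example; the layout mirrors the usual
# IOS output, but treat field positions as an assumption and adjust the
# regexes to your release if they differ.
SAMPLE_NAT_STATS = """\
Total active translations: 41230 (0 static, 41230 dynamic; 41230 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 98765432  Misses: 12345
CEF Translated packets: 98700000, CEF Punted packets: 65432
Expired translations: 3456789
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool NATPOOL refcount 41230
 pool NATPOOL: netmask 255.255.255.0
        start 203.0.113.10 end 203.0.113.20
        type generic, total addresses 11, allocated 9 (81%), misses 0
"""

# CONSTRUCTED sample of the relevant lines from 'show interfaces'.
SAMPLE_INTERFACE = """\
GigabitEthernet0/1 is up, line protocol is up
  Input queue: 0/75/1204/0 (size/max/drops/flushes); Total output drops: 0
"""


def parse_nat_stats(text):
    """Extract the scale-relevant counters from 'show ip nat statistics'."""
    total = int(re.search(r"Total active translations: (\d+)", text).group(1))
    cef = re.search(r"CEF Translated packets: (\d+), CEF Punted packets: (\d+)", text)
    translated, punted = int(cef.group(1)), int(cef.group(2))
    # Each pool block reports total addresses and how many are allocated.
    pool_re = re.compile(
        r"pool (\S+): .*?total addresses (\d+), allocated (\d+) \((\d+)%\)", re.S)
    pools = {}
    for name, addrs, alloc, pct in pool_re.findall(text):
        pools[name] = {"addresses": int(addrs), "allocated": int(alloc),
                       "percent": int(pct)}
    return {"translations": total, "cef_translated": translated,
            "cef_punted": punted, "pools": pools}


def parse_input_queue(text):
    """Read size/max/drops/flushes from an interface's 'Input queue:' line."""
    m = re.search(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)", text)
    size, qmax, drops, flushes = (int(x) for x in m.groups())
    return {"size": size, "max": qmax, "drops": drops, "flushes": flushes}


def check_scale(nat, queue, max_translations, pool_warn_pct=80, punt_warn_pct=1.0):
    """Return (key, message) findings for the conditions the thread warns about.

    max_translations is your own ceiling for the box (placeholder, not a
    documented limit); the other thresholds are assumptions for illustration.
    """
    findings = []
    if nat["translations"] >= 0.8 * max_translations:
        findings.append(("translations",
                         f"{nat['translations']} active translations is within 20% "
                         f"of the {max_translations} ceiling"))
    # A rising punt share means more traffic is leaving the CEF path and
    # hitting the CPU; FIN/RST teardown punts are expected, a flood is not.
    total_pkts = nat["cef_translated"] + nat["cef_punted"]
    punt_pct = 100.0 * nat["cef_punted"] / total_pkts if total_pkts else 0.0
    if punt_pct > punt_warn_pct:
        findings.append(("cef_punts", f"{punt_pct:.2f}% of NAT packets punted"))
    for name, pool in nat["pools"].items():
        if pool["percent"] >= pool_warn_pct:
            findings.append(("pool_allocation",
                             f"pool {name} is {pool['percent']}% allocated "
                             f"({pool['allocated']}/{pool['addresses']} addresses)"))
    # Any input queue drops mean the interface queue was overrun; the thread's
    # advice is to raise the queue to its maximum and keep watching.
    if queue["drops"] > 0:
        findings.append(("input_queue_drops",
                         f"{queue['drops']} input queue drops (max {queue['max']})"))
    return findings


if __name__ == "__main__":
    nat = parse_nat_stats(SAMPLE_NAT_STATS)
    queue = parse_input_queue(SAMPLE_INTERFACE)
    for key, msg in check_scale(nat, queue, max_translations=60000):
        print(f"WARN {key}: {msg}")
```

With the constructed sample the translation count sits under the placeholder ceiling and the punt share is tiny, so only the 81% pool allocation and the non-zero input queue drops are reported; on a real box, replace the two sample strings with captured output and poll the counters over time, since a single snapshot says nothing about the rate at which punts or drops are growing.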

