[c-nsp] ASR9K VSM

Mohammad Khalil eng_mssk at hotmail.com
Wed Apr 13 07:24:28 EDT 2016


Hi
The last suggestion I got from Cisco TAC is to increase the portlimit value and do a comparison to check the behavior.

BR,
Mohammad

From: pshem.k at gmail.com
Date: Mon, 28 Mar 2016 09:32:25 +0000
Subject: Re: [c-nsp] ASR9K VSM
To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net

Looking at the number of subscribers you have there (~300k) and the fact that you have 2 x /21 allocated for public space - that means about 70 subscribers per public IP address. This feels a little bit on the high side, even for mobile traffic. Since all sessions belonging to a given private IP address must be mapped to the same public IP address, it's likely that you're running out of ports on public IP addresses (as there are only ~65k ports x 2 (UDP+TCP)). I'd suggest increasing the public pool sizes and checking the stats again.
kind regards
Pshem

On Mon, 28 Mar 2016 at 22:11 Mohammad Khalil <eng_mssk at hotmail.com> wrote:

RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics 

Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 3993473
Number of sessions: 100482
Translations create rate: 18464
Translations delete rate: 16367
Inside to outside forward rate: 523403
Outside to inside forward rate: 755919
Inside to outside drops port limit exceeded: 481732
Inside to outside drops system limit reached: 0
Inside to outside drops resource depletion: 0
No translation entry drops: 28976704
PPTP active tunnels: 2
PPTP active channels: 2
PPTP ctrl message drops: 2
Number of subscribers: 309101
Drops due to session db limit exceeded: 0
Drops due to source ip not configured: 0

Pool address totally free: 0
Pool address used: 4096
Pool address usage:

From: pshem.k at gmail.com
Date: Mon, 28 Mar 2016 09:06:19 +0000
Subject: Re: [c-nsp] ASR9K VSM
To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net

How many active subscribers (inside IPs) do you have per one outside IP?
For example in one of the installations I worked on we used 16 active subscribers per outside IP (4096 ports per subscriber).
kind regards
Pshem

On Mon, 28 Mar 2016 at 22:03 Mohammad Khalil <eng_mssk at hotmail.com> wrote:

Hi
Can you clarify for me, so that I can be precise?
From: pshem.k at gmail.com
Date: Mon, 28 Mar 2016 09:00:30 +0000
Subject: Re: [c-nsp] ASR9K VSM
To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net

Hi,
What's your inside IP/outside IP ratio? 
kind regards
Pshem

On Mon, 28 Mar 2016 at 21:44 Mohammad Khalil <eng_mssk at hotmail.com> wrote:

Hi Pshem
Thanks for the reply, please check my configuration below

vrf OUTSIDE
 address-family ipv4 unicast

vrf INSIDE-1
 address-family ipv4 unicast

vrf INSIDE-2
 address-family ipv4 unicast

hw-module service cgn location 0/1/CPU0

interface TenGigE0/0/1/1
 mtu 9216
 load-interval 30

interface TenGigE0/0/1/1.900
 description ## VLAN 900 SUBINTERFACE ##
 vrf INSIDE-1
 ipv4 address 172.20.60.130 255.255.255.248
 load-interval 30
 encapsulation dot1q 900

interface TenGigE0/0/1/1.902
 description ## VLAN 902 SUBINTERFACE ##
 vrf INSIDE-2
 ipv4 address 172.20.60.146 255.255.255.248
 load-interval 30
 encapsulation dot1q 902

interface TenGigE0/0/1/2
 mtu 9216
 load-interval 30

interface TenGigE0/0/1/2.901
 description ## VLAN 901 SUBINTERFACE ##
 vrf INSIDE-1
 ipv4 address 172.20.60.138 255.255.255.248
 load-interval 30
 encapsulation dot1q 901

interface TenGigE0/0/1/2.903
 description ## VLAN 903 SUBINTERFACE ##
 vrf INSIDE-2
 ipv4 address 172.20.60.154 255.255.255.248
 load-interval 30
 encapsulation dot1q 903

interface ServiceApp1
 vrf INSIDE-1
 ipv4 address 1.1.1.1 255.255.255.252
 load-interval 30
 service cgn cgn1 service-type nat44

interface ServiceApp2
 ipv4 address 2.2.2.2 255.255.255.252
 load-interval 30
 service cgn cgn1 service-type nat44

interface ServiceApp3
 vrf INSIDE-2
 ipv4 address 30.30.30.30 255.255.255.252
 load-interval 30
 service cgn cgn1 service-type nat44

interface ServiceApp4
 ipv4 address 4.4.4.2 255.255.255.252
 load-interval 30
 service cgn cgn1 service-type nat44

interface ServiceInfra1
 ipv4 address 10.99.99.2 255.255.255.0
 service-location 0/1/CPU0

router static
 address-family ipv4 unicast
  x.x.x.x/21 ServiceApp2
  y.y.y.y/21 ServiceApp4

 vrf INSIDE-1
  address-family ipv4 unicast
   0.0.0.0/0 172.20.60.131 50
   0.0.0.0/0 ServiceApp1
   10.4.160.0/28 172.20.60.132
   10.5.0.0/17 172.20.60.132
   10.5.128.0/17 172.20.60.132
   10.13.0.0/17 172.20.60.132
   10.13.128.0/17 172.20.60.132
   10.14.0.0/17 172.20.60.132
   10.14.128.0/17 172.20.60.132
   10.16.0.0/17 172.20.60.132
   10.16.128.0/17 172.20.60.132
   10.21.0.0/17 172.20.60.132
   10.21.128.0/17 172.20.60.132
   10.23.0.0/17 172.20.60.132
   10.23.128.0/17 172.20.60.132
   10.25.0.0/17 172.20.60.132
   10.25.128.0/17 172.20.60.132
   10.55.0.0/27 172.20.60.132
   10.128.0.0/16 172.20.60.132
   10.129.0.0/16 172.20.60.132
   10.130.0.0/16 172.20.60.132
   10.131.0.0/16 172.20.60.132
   10.132.0.0/16 172.20.60.132
   10.133.0.0/16 172.20.60.132
   10.134.0.0/16 172.20.60.132
   10.135.0.0/16 172.20.60.132
   10.136.0.0/16 172.20.60.132
   10.137.0.0/16 172.20.60.132
   10.138.0.0/17 172.20.60.132
   172.17.56.0/29 172.20.60.132

 vrf INSIDE-2
  address-family ipv4 unicast
   0.0.0.0/0 172.20.60.147 50
   0.0.0.0/0 ServiceApp3
   10.11.0.0/18 172.20.60.148
   10.11.64.0/20 172.20.60.148
   10.11.80.0/20 172.20.60.148
   10.11.96.0/19 172.20.60.148
   10.11.128.0/17 172.20.60.148
   10.138.128.0/17 172.20.60.148
   10.140.0.0/16 172.20.60.148
   10.141.0.0/16 172.20.60.148
   10.142.0.0/16 172.20.60.148
   10.143.0.0/16 172.20.60.148
   10.144.0.0/16 172.20.60.148
   10.145.0.0/16 172.20.60.148
   10.146.0.0/16 172.20.60.148
   10.147.0.0/16 172.20.60.148
   10.152.0.0/16 172.20.60.148

service cgn cgn1
 service-location preferred-active 0/1/CPU0
 service-type nat44 nat1
  portlimit 2048
  alg ActiveFTP
  alg rtsp server-port 10000
  alg pptpAlg
  inside-vrf INSIDE-1
   map outsideServiceApp ServiceApp2 address-pool x.x.x.x/21

  inside-vrf INSIDE-2
   map outsideServiceApp ServiceApp4 address-pool y.y.y.y/21

  protocol udp
   session initial timeout 30
   session active timeout 100

  protocol tcp
   session initial timeout 120
   session active timeout 900

  protocol icmp
   timeout 60

  refresh-direction Outbound

BR,
Mohammad

From: pshem.k at gmail.com
Date: Mon, 28 Mar 2016 08:28:46 +0000
Subject: Re: [c-nsp] ASR9K VSM
To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net

Hi,
The card is capable of 60mil translations, but you have to 'partition' your traffic into at least 2 ServiceApp interface pairs (4 ServiceApp interfaces total). 

The port drops mean that the 'inside' IP/ports couldn't be mapped because there are not enough ports left on a given public IP. Do you do block allocations? How many inside IPs per one outside IP? If these drops are increasing quickly, it means that your customers are most likely having issues accessing the internet. The number of ports will generally be specific to your customer base (for example, a setup for mobile tends to be able to get away with fewer ports than customers on fibre access).
'No translation' drops are generally harmless - these are things like port scans across your ranges, packets received past the time-outs for given protocols, etc.
kind regards
Pshem
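A rough port-budget check for the figures in this thread (309101 subscribers from the statistics output, two /21 public pools, portlimit 2048), added here as an example; it is not code from the thread or from Cisco, and the port-space and even-distribution assumptions are stated in the docstring.

```python
"""Rough NAT44 port-budget estimator for the pool-size vs. portlimit
question in this thread.  Added example, not from the thread or Cisco.

Assumptions: all sessions of one inside IP use one outside IP (as the
thread says); each outside IP offers 65,536 TCP + 65,536 UDP ports (the
thread's "~65k x 2"; real platforms reserve low ports); portlimit is
modelled as a cap per inside IP summed over both protocols; subscribers
spread evenly over the pool (real hashing is uneven, so some outside IPs
exhaust before the average does).  Treat results as an upper bound.
"""
from dataclasses import dataclass
from math import ceil

PORTS_PER_PROTOCOL = 65536   # assumption: full 16-bit port space
PROTOCOLS = 2                # TCP + UDP, as counted in the thread


@dataclass
class PortBudget:
    subscribers_per_outside_ip: float
    fair_share_ports_per_subscriber: float  # pool-limited average
    portlimit_achievable: bool              # can all subscribers reach portlimit at once?
    outside_ips_needed_for_portlimit: int   # pool size that would honour portlimit


def pool_size_from_prefixes(prefix_lengths):
    """Addresses in a list of IPv4 prefix lengths, e.g. [21, 21] -> 4096."""
    return sum(2 ** (32 - p) for p in prefix_lengths)


def port_budget(subscribers: int, outside_ips: int, portlimit: int) -> PortBudget:
    if min(subscribers, outside_ips, portlimit) <= 0:
        raise ValueError("subscribers, outside_ips and portlimit must be positive")
    ports_per_ip = PORTS_PER_PROTOCOL * PROTOCOLS
    subs_per_ip = subscribers / outside_ips
    fair_share = ports_per_ip / subs_per_ip
    needed = ceil(subscribers * portlimit / ports_per_ip)
    return PortBudget(subs_per_ip, fair_share, fair_share >= portlimit, needed)


if __name__ == "__main__":
    # Figures quoted in the thread: 309101 subscribers, two /21 pools, portlimit 2048.
    pool = pool_size_from_prefixes([21, 21])
    b = port_budget(subscribers=309101, outside_ips=pool, portlimit=2048)
    print(f"outside IPs in pool:               {pool}")
    print(f"subscribers per outside IP:        {b.subscribers_per_outside_ip:.1f}")
    print(f"fair-share ports per subscriber:   {b.fair_share_ports_per_subscriber:.0f}")
    print(f"portlimit 2048 achievable for all: {b.portlimit_achievable}")
    print(f"outside IPs needed to honour 2048: {b.outside_ips_needed_for_portlimit}")
```

With the thread's numbers the pool can only deliver roughly 1737 ports per subscriber on average, below the configured portlimit of 2048, which is why growing the pool rather than the portlimit is the lever this estimate points at.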

On Sun, 27 Mar 2016 at 20:45 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
Dears

I have installed VSM on ASR9K for NAT44 CGN

I can see a lot of drops in the output of show cgn nat44 nat1 statistics

RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics

Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 4079397
Inside to outside drops port limit exceeded: 155093
No translation entry drops: 1617189

I have some questions regarding this, if you can assist:

One of the experts told me that the number of active translations is 4M (the output above shows that). Is this number per module? Per service? Can I configure extra to isolate this?

Inside to outside drops?

Portlimit drops? I have configured it to be 2048; should I increase it? Does 2048 mean that for each private IP address there are 2048 available?

Thanks in advance

BR,
Mohammad

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/