[c-nsp] ASR9K VSM
Mohammad Khalil
eng_mssk at hotmail.com
Wed Apr 13 07:24:28 EDT 2016
Hi
The last suggestion I got from Cisco TAC is to increase the portlimit value and do a comparison to check the behavior
BR,
Mohammad
From: pshem.k at gmail.com
Date: Mon, 28 Mar 2016 09:32:25 +0000
Subject: Re: [c-nsp] ASR9K VSM
To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
Looking at the number of subscribers you have there (~300k) and the fact that you have 2 x /21 allocated for public space - that means about 70 subscribers per public IP address. This feels a little bit on the high side, even for mobile traffic. Since all sessions belonging to a given private IP address must be mapped to the same public IP address, it's likely that you're running out of ports on public IP addresses (as there are only ~65k ports x 2 (UDP+TCP)). I'd suggest increasing the public pool sizes and checking the stats again.
kind regards
Pshem
On Mon, 28 Mar 2016 at 22:11 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 3993473
Number of sessions: 100482
Translations create rate: 18464
Translations delete rate: 16367
Inside to outside forward rate: 523403
Outside to inside forward rate: 755919
Inside to outside drops port limit exceeded: 481732
Inside to outside drops system limit reached: 0
Inside to outside drops resource depletion: 0
No translation entry drops: 28976704
PPTP active tunnels: 2
PPTP active channels: 2
PPTP ctrl message drops: 2
Number of subscribers: 309101
Drops due to session db limit exceeded: 0
Drops due to source ip not configured: 0
Pool address totally free: 0
Pool address used: 4096
Pool address usage:
From: pshem.k at gmail.com
Date: Mon, 28 Mar 2016 09:06:19 +0000
Subject: Re: [c-nsp] ASR9K VSM
To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
How many active subscribers (inside IPs) do you have per one outside IP?
For example in one of the installations I worked on we used 16 active subscribers per outside IP (4096 ports per subscriber).
kind regards
Pshem
On Mon, 28 Mar 2016 at 22:03 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
Hi
Can you clarify this for me in more detail, so that I can be precise?
From: pshem.k at gmail.com
Date: Mon, 28 Mar 2016 09:00:30 +0000
Subject: Re: [c-nsp] ASR9K VSM
To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
Hi,
What's your inside IP/outside IP ratio?
kind regards
Pshem
On Mon, 28 Mar 2016 at 21:44 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
Hi Pshem
Thanks for the reply, please check my configuration below
vrf OUTSIDE
 address-family ipv4 unicast
vrf INSIDE-1
 address-family ipv4 unicast
vrf INSIDE-2
 address-family ipv4 unicast
hw-module service cgn location 0/1/CPU0
interface TenGigE0/0/1/1
 mtu 9216
 load-interval 30
interface TenGigE0/0/1/1.900
 description ## VLAN 900 SUBINTERFACE ##
 vrf INSIDE-1
 ipv4 address 172.20.60.130 255.255.255.248
 load-interval 30
 encapsulation dot1q 900
interface TenGigE0/0/1/1.902
 description ## VLAN 902 SUBINTERFACE ##
 vrf INSIDE-2
 ipv4 address 172.20.60.146 255.255.255.248
 load-interval 30
 encapsulation dot1q 902
interface TenGigE0/0/1/2
 mtu 9216
 load-interval 30
interface TenGigE0/0/1/2.901
 description ## VLAN 901 SUBINTERFACE ##
 vrf INSIDE-1
 ipv4 address 172.20.60.138 255.255.255.248
 load-interval 30
 encapsulation dot1q 901
interface TenGigE0/0/1/2.903
 description ## VLAN 903 SUBINTERFACE ##
 vrf INSIDE-2
 ipv4 address 172.20.60.154 255.255.255.248
 load-interval 30
 encapsulation dot1q 903
interface ServiceApp1
 vrf INSIDE-1
 ipv4 address 1.1.1.1 255.255.255.252
 load-interval 30
 service cgn cgn1 service-type nat44
interface ServiceApp2
 ipv4 address 2.2.2.2 255.255.255.252
 load-interval 30
 service cgn cgn1 service-type nat44
interface ServiceApp3
 vrf INSIDE-2
 ipv4 address 30.30.30.30 255.255.255.252
 load-interval 30
 service cgn cgn1 service-type nat44
interface ServiceApp4
 ipv4 address 4.4.4.2 255.255.255.252
 load-interval 30
 service cgn cgn1 service-type nat44
interface ServiceInfra1
 ipv4 address 10.99.99.2 255.255.255.0
 service-location 0/1/CPU0
router static
 address-family ipv4 unicast
  x.x.x.x/21 ServiceApp2
  y.y.y.y/21 ServiceApp4
 vrf INSIDE-1
  address-family ipv4 unicast
   0.0.0.0/0 172.20.60.131 50
   0.0.0.0/0 ServiceApp1
   10.4.160.0/28 172.20.60.132
   10.5.0.0/17 172.20.60.132
   10.5.128.0/17 172.20.60.132
   10.13.0.0/17 172.20.60.132
   10.13.128.0/17 172.20.60.132
   10.14.0.0/17 172.20.60.132
   10.14.128.0/17 172.20.60.132
   10.16.0.0/17 172.20.60.132
   10.16.128.0/17 172.20.60.132
   10.21.0.0/17 172.20.60.132
   10.21.128.0/17 172.20.60.132
   10.23.0.0/17 172.20.60.132
   10.23.128.0/17 172.20.60.132
   10.25.0.0/17 172.20.60.132
   10.25.128.0/17 172.20.60.132
   10.55.0.0/27 172.20.60.132
   10.128.0.0/16 172.20.60.132
   10.129.0.0/16 172.20.60.132
   10.130.0.0/16 172.20.60.132
   10.131.0.0/16 172.20.60.132
   10.132.0.0/16 172.20.60.132
   10.133.0.0/16 172.20.60.132
   10.134.0.0/16 172.20.60.132
   10.135.0.0/16 172.20.60.132
   10.136.0.0/16 172.20.60.132
   10.137.0.0/16 172.20.60.132
   10.138.0.0/17 172.20.60.132
   172.17.56.0/29 172.20.60.132
 vrf INSIDE-2
  address-family ipv4 unicast
   0.0.0.0/0 172.20.60.147 50
   0.0.0.0/0 ServiceApp3
   10.11.0.0/18 172.20.60.148
   10.11.64.0/20 172.20.60.148
   10.11.80.0/20 172.20.60.148
   10.11.96.0/19 172.20.60.148
   10.11.128.0/17 172.20.60.148
   10.138.128.0/17 172.20.60.148
   10.140.0.0/16 172.20.60.148
   10.141.0.0/16 172.20.60.148
   10.142.0.0/16 172.20.60.148
   10.143.0.0/16 172.20.60.148
   10.144.0.0/16 172.20.60.148
   10.145.0.0/16 172.20.60.148
   10.146.0.0/16 172.20.60.148
   10.147.0.0/16 172.20.60.148
   10.152.0.0/16 172.20.60.148
service cgn cgn1
 service-location preferred-active 0/1/CPU0
 service-type nat44 nat1
  portlimit 2048
  alg ActiveFTP
  alg rtsp server-port 10000
  alg pptpAlg
  inside-vrf INSIDE-1
   map outsideServiceApp ServiceApp2 address-pool x.x.x.x/21
  inside-vrf INSIDE-2
   map outsideServiceApp ServiceApp4 address-pool y.y.y.y/21
  protocol udp
   session initial timeout 30
   session active timeout 100
  protocol tcp
   session initial timeout 120
   session active timeout 900
  protocol icmp
   timeout 60
  refresh-direction Outbound
BR,
Mohammad
From: pshem.k at gmail.com
Date: Mon, 28 Mar 2016 08:28:46 +0000
Subject: Re: [c-nsp] ASR9K VSM
To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
Hi,
The card is capable of 60mil translations, but you have to 'partition' your traffic into at least 2 ServiceApp interface pairs (4 ServiceApp interfaces total).
The port drops mean that the 'inside' IP/ports couldn't be mapped because there are not enough ports left on a given public IP. Do you do block allocations? How many inside IPs per one outside IP? If these drops are increasing quickly it means that your customers are most likely having issues accessing the internet. The number of ports will generally be specific to your customer base (for example, a setup for mobile tends to be able to get away with fewer ports than customers on fibre access).
No translation drops are generally harmless - these are things like port scans across your ranges, packets received past the time-outs for given protocols, etc.
kind regards
Pshem
On Sun, 27 Mar 2016 at 20:45 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
Dears
I have installed VSM on ASR9K for NAT44 CGN
I can see a lot of drops in the output of show cgn nat44 nat1 statistics
RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 4079397
Inside to outside drops port limit exceeded: 155093
No translation entry drops: 1617189
I have some questions regarding this if you can assist
One of the experts told me that the number of active translations is 4M (it can be seen from the above output that the number is like that). Is this number per module? Per service? Can I configure extra to isolate this?
Inside to outside drops?
Portlimit drops? I have configured it to be 2048; should I increase it? Does 2048 mean that for each private IP address there are 2048 ports available?
Thanks in advance
BR,
Mohammad
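The two points the thread turns on are Pshem's arithmetic (subscribers per public IP against ~65k ports x 2 per address, with every session of one inside IP pinned to the same outside IP) and his advice to watch whether the port-limit-exceeded counter is climbing between snapshots. The script below is an added example, not Cisco code or anything posted by the list members: it computes the pool capacity from the numbers quoted in the thread (309101 subscribers, two /21 pools, portlimit 2048) and parses the two `show cgn nat44 nat1 statistics` outputs to report the counter delta. The pool prefixes 10.200.0.0/21 and 10.200.8.0/21 are placeholders for the redacted x.x.x.x/21 and y.y.y.y/21, and the reserved port range 0-1023 is an assumption about what a CGN keeps out of the dynamic pool; the exact figure is platform specific.

```python
"""NAT44 CGN pool capacity check and statistics-delta parser.

Added example for the ASR9K VSM thread; not Cisco or list-member code.
Numbers are the ones quoted in the thread, assumptions are labelled.
"""
import ipaddress
import math
import re

# Placeholders for the redacted x.x.x.x/21 and y.y.y.y/21 pools.
POOLS = ["10.200.0.0/21", "10.200.8.0/21"]
SUBSCRIBERS = 309101   # "Number of subscribers" in the 28 Mar snapshot
PORTLIMIT = 2048       # "portlimit 2048" in the posted config

# Assumption: ports 0-1023 are withheld from the dynamic pool; the exact
# reserved range depends on the platform and its port-range configuration.
USABLE_PORTS_PER_PROTO = 65536 - 1024
PROTOCOLS_WITH_PORTS = 2   # UDP and TCP, Pshem's "~65k ports x 2"


def pool_addresses(prefixes):
    """Total public addresses across the configured pools (two /21s = 4096)."""
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


def capacity_report(prefixes, subscribers, portlimit,
                    ports_per_proto=USABLE_PORTS_PER_PROTO):
    """Compare worst-case port demand per public IP with the ports it has.

    Every session from one inside IP lands on the same outside IP, so the
    worst case behind an address is all of its subscribers using their full
    portlimit at once.
    """
    addrs = pool_addresses(prefixes)
    subs_per_ip = subscribers / addrs
    ports_per_ip = ports_per_proto * PROTOCOLS_WITH_PORTS
    demand_per_ip = subs_per_ip * portlimit
    return {
        "pool_addresses": addrs,
        "subscribers_per_ip": subs_per_ip,
        "ports_per_ip": ports_per_ip,
        "worst_case_demand_per_ip": demand_per_ip,
        "oversubscribed": demand_per_ip > ports_per_ip,
        # Largest portlimit that cannot oversubscribe the per-IP port space.
        "max_safe_portlimit": int(ports_per_ip // subs_per_ip),
        # Pool size at which the current portlimit fits without oversubscription.
        "pool_addresses_needed": math.ceil(subscribers * portlimit / ports_per_ip),
    }


# Matches "<counter name>: <integer>" lines; header and CLI prompt lines
# have non-numeric values and are skipped.
COUNTER_RE = re.compile(r"^\s*(?P<name>[^:]+?):\s*(?P<value>\d+)\s*$")


def parse_stats(text):
    """Turn 'show cgn nat44 <instance> statistics' output into {name: int}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def counter_delta(old, new, name):
    """Growth of one counter between two snapshots (Pshem's 'increasing quickly' check)."""
    return new[name] - old[name]


# Constructed from the two outputs quoted in the thread (27 Mar and 28 Mar).
SNAPSHOT_27MAR = """\
RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 4079397
Inside to outside drops port limit exceeded: 155093
No translation entry drops: 1617189
"""
SNAPSHOT_28MAR = """\
RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 3993473
Number of sessions: 100482
Inside to outside drops port limit exceeded: 481732
Inside to outside drops system limit reached: 0
No translation entry drops: 28976704
Number of subscribers: 309101
Pool address used: 4096
Pool address usage:
"""

PORT_LIMIT_DROPS = "Inside to outside drops port limit exceeded"

if __name__ == "__main__":
    report = capacity_report(POOLS, SUBSCRIBERS, PORTLIMIT)
    for key, value in report.items():
        print(f"{key}: {value}")
    old, new = parse_stats(SNAPSHOT_27MAR), parse_stats(SNAPSHOT_28MAR)
    print(f"port-limit drops grew by {counter_delta(old, new, PORT_LIMIT_DROPS)}")
```

With the thread's figures the report shows roughly 75 subscribers per public address and a worst-case demand of about 154k ports against roughly 129k available, so the pool is oversubscribed at portlimit 2048; it also prints the largest portlimit the current pool can carry and the pool size the current portlimit would need, which is the trade-off between the TAC suggestion (raise portlimit) and Pshem's (grow the pool). The parser deliberately ignores the CLI prompt and header lines, so the raw output can be pasted in unchanged.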
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/