[c-nsp] ASR9K VSM

Pshem Kowalczyk pshem.k at gmail.com
Mon Apr 25 20:48:59 EDT 2016


Hi,

If my calculations were correct you might not have enough public IP
space for this. Increasing the port-limit is not going to help here, as the
contention is on the number of ports a single public IP can open.

kind regards
Pshem


On Sun, 24 Apr 2016 at 23:51 Mohammad Khalil <eng_mssk at hotmail.com> wrote:

> Hi
> I have increased the portlimit to 6144, but the drops are still in place.
> The drops are not the same as before, but are increasing.
>
> BR,
> ------------------------------
> From: eng_mssk at hotmail.com
> To: pshem.k at gmail.com; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] ASR9K VSM
> Date: Wed, 13 Apr 2016 14:24:28 +0300
>
>
> Hi
> The last suggestion I got from Cisco TAC is to increase the portlimit
> value and do a comparison to check the behavior
>
> BR,
> Mohammad
>
> ------------------------------
> From: pshem.k at gmail.com
> Date: Mon, 28 Mar 2016 09:32:25 +0000
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> Looking at the number of subscribers you have there (~300k) and the fact
> that you have 2 x /21 allocated for public space - that means about 70
> subscribers per public IP address. This feels a little bit on the high
> side, even for mobile traffic. Since all sessions belonging to a given
> private IP address must be mapped to the same public IP address it's
> likely that you're running out of ports on public IP addresses (as there
> are only ~65k ports x 2 (UDP+TCP)). I'd suggest increasing the public pool
> sizes and checking the stats again.
>
> kind regards
> Pshem
>
>
> On Mon, 28 Mar 2016 at 22:11 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
>
>
> RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
>
> Statistics summary of NAT44 instance: 'nat1'
> Number of active translations: 3993473
> Number of sessions: 100482
> Translations create rate: 18464
> Translations delete rate: 16367
> Inside to outside forward rate: 523403
> Outside to inside forward rate: 755919
> Inside to outside drops port limit exceeded: 481732
> Inside to outside drops system limit reached: 0
> Inside to outside drops resource depletion: 0
> No translation entry drops: 28976704
> PPTP active tunnels: 2
> PPTP active channels: 2
> PPTP ctrl message drops: 2
> Number of subscribers: 309101
> Drops due to session db limit exceeded: 0
> Drops due to source ip not configured: 0
>
> Pool address totally free: 0
> Pool address used: 4096
> Pool address usage:
>
> ------------------------------
> From: pshem.k at gmail.com
> Date: Mon, 28 Mar 2016 09:06:19 +0000
>
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> How many active subscribers (inside IPs) do you have per one outside IP?
>
> For example in one of the installations I worked on we used 16 active
> subscribers per outside IP (4096 ports per subscriber).
>
> kind regards
> Pshem
>
>
> On Mon, 28 Mar 2016 at 22:03 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
>
>
> Hi
> Can you clarify this more for me, so I can be precise?
> ------------------------------
> From: pshem.k at gmail.com
> Date: Mon, 28 Mar 2016 09:00:30 +0000
>
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> Hi,
>
> What's your inside IP/outside IP ratio?
>
> kind regards
> Pshem
>
>
> On Mon, 28 Mar 2016 at 21:44 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
>
> Hi Pshem
> Thanks for the reply, please check my configuration below
>
> vrf OUTSIDE
>  address-family ipv4 unicast
>
> vrf INSIDE-1
>  address-family ipv4 unicast
>
> vrf INSIDE-2
>  address-family ipv4 unicast
>
> hw-module service cgn location 0/1/CPU0
>
> interface TenGigE0/0/1/1
>  mtu 9216
>  load-interval 30
>
> interface TenGigE0/0/1/1.900
>  description ## VLAN 900 SUBINTERFACE ##
>  vrf INSIDE-1
>  ipv4 address 172.20.60.130 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 900
>
> interface TenGigE0/0/1/1.902
>  description ## VLAN 902 SUBINTERFACE ##
>  vrf INSIDE-2
>  ipv4 address 172.20.60.146 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 902
>
> interface TenGigE0/0/1/2
>  mtu 9216
>  load-interval 30
>
> interface TenGigE0/0/1/2.901
>  description ## VLAN 901 SUBINTERFACE ##
>  vrf INSIDE-1
>  ipv4 address 172.20.60.138 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 901
>
> interface TenGigE0/0/1/2.903
>  description ## VLAN 903 SUBINTERFACE ##
>  vrf INSIDE-2
>  ipv4 address 172.20.60.154 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 903
>
> interface ServiceApp1
>  vrf INSIDE-1
>  ipv4 address 1.1.1.1 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceApp2
>  ipv4 address 2.2.2.2 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceApp3
>  vrf INSIDE-2
>  ipv4 address 30.30.30.30 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceApp4
>  ipv4 address 4.4.4.2 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceInfra1
>  ipv4 address 10.99.99.2 255.255.255.0
>  service-location 0/1/CPU0
>
> router static
>  address-family ipv4 unicast
>   x.x.x.x/21 ServiceApp2
>   y.y.y.y/21 ServiceApp4
>
>  vrf INSIDE-1
>   address-family ipv4 unicast
>    0.0.0.0/0 172.20.60.131 50
>    0.0.0.0/0 ServiceApp1
>    10.4.160.0/28 172.20.60.132
>    10.5.0.0/17 172.20.60.132
>    10.5.128.0/17 172.20.60.132
>    10.13.0.0/17 172.20.60.132
>    10.13.128.0/17 172.20.60.132
>    10.14.0.0/17 172.20.60.132
>    10.14.128.0/17 172.20.60.132
>    10.16.0.0/17 172.20.60.132
>    10.16.128.0/17 172.20.60.132
>    10.21.0.0/17 172.20.60.132
>    10.21.128.0/17 172.20.60.132
>    10.23.0.0/17 172.20.60.132
>    10.23.128.0/17 172.20.60.132
>    10.25.0.0/17 172.20.60.132
>    10.25.128.0/17 172.20.60.132
>    10.55.0.0/27 172.20.60.132
>    10.128.0.0/16 172.20.60.132
>    10.129.0.0/16 172.20.60.132
>    10.130.0.0/16 172.20.60.132
>    10.131.0.0/16 172.20.60.132
>    10.132.0.0/16 172.20.60.132
>    10.133.0.0/16 172.20.60.132
>    10.134.0.0/16 172.20.60.132
>    10.135.0.0/16 172.20.60.132
>    10.136.0.0/16 172.20.60.132
>    10.137.0.0/16 172.20.60.132
>    10.138.0.0/17 172.20.60.132
>    172.17.56.0/29 172.20.60.132
>
>  vrf INSIDE-2
>   address-family ipv4 unicast
>    0.0.0.0/0 172.20.60.147 50
>    0.0.0.0/0 ServiceApp3
>    10.11.0.0/18 172.20.60.148
>    10.11.64.0/20 172.20.60.148
>    10.11.80.0/20 172.20.60.148
>    10.11.96.0/19 172.20.60.148
>    10.11.128.0/17 172.20.60.148
>    10.138.128.0/17 172.20.60.148
>    10.140.0.0/16 172.20.60.148
>    10.141.0.0/16 172.20.60.148
>    10.142.0.0/16 172.20.60.148
>    10.143.0.0/16 172.20.60.148
>    10.144.0.0/16 172.20.60.148
>    10.145.0.0/16 172.20.60.148
>    10.146.0.0/16 172.20.60.148
>    10.147.0.0/16 172.20.60.148
>    10.152.0.0/16 172.20.60.148
>
> service cgn cgn1
>  service-location preferred-active 0/1/CPU0
>  service-type nat44 nat1
>   portlimit 2048
>   alg ActiveFTP
>   alg rtsp server-port 10000
>   alg pptpAlg
>   inside-vrf INSIDE-1
>    map outsideServiceApp ServiceApp2 address-pool x.x.x.x/21
>
>   inside-vrf INSIDE-2
>    map outsideServiceApp ServiceApp4 address-pool y.y.y.y/21
>
>   protocol udp
>    session initial timeout 30
>    session active timeout 100
>
>   protocol tcp
>    session initial timeout 120
>    session active timeout 900
>
>   protocol icmp
>    timeout 60
>
>   refresh-direction Outbound
>
> BR,
> Mohammad
> ------------------------------
> From: pshem.k at gmail.com
> Date: Mon, 28 Mar 2016 08:28:46 +0000
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
>
> Hi,
>
> The card is capable of 60mil translations, but you have to 'partition'
> your traffic into at least 2 ServiceApp interface pairs (4 ServiceApp
> interfaces total).
>
> The port drops mean that the 'inside' IP/ports couldn't be mapped because
> there are not enough ports left on a given public IP. Do you do block
> allocations? How many inside IPs per one outside IP? If these drops are
> increasing quickly it means that your customers are most likely having
> issues accessing the internet. The number of ports will be generally
> specific to your customer base (for example, a setup for mobile tends to be
> able to get away with fewer ports than customers on fibre access).
>
> No translation drops are generally harmless - these are things like port
> scans across your ranges, packets received past time-outs for given
> protocols, etc.
>
> kind regards
> Pshem
>
>
> On Sun, 27 Mar 2016 at 20:45 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
>
> Dears
> I have installed VSM on ASR9K for NAT44 CGN
> I can see a lot of drops in the output of show cgn nat44 nat1 statistics
> RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
>
>
>
> Statistics summary of NAT44 instance: 'nat1'
>
> Number of active translations: 4079397
>
> Inside to outside drops port limit exceeded: 155093
>
> No translation entry drops: 1617189
>
> I have some questions regarding this if you can assist
>
> One of the experts told me that the number of active translations is 4M (it
> can be seen from the above output that the number is like that). Is this
> number per module? Per service? Can I configure extra to isolate this?
> Inside to outside drops?
> Portlimit drops? I have configured it to be 2048, should I increase it?
> Does 2048 mean that for each private IP address there are 2048 available?
>
> Thanks in advance
>
> BR,
> Mohammad
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
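
The arithmetic behind Pshem's answer, as an added worked example (not code from the thread, Cisco, or the list): given the thread's figures (309101 subscribers, two /21 public pools, portlimit 2048 and then 6144), it computes subscribers per public IP, the per-protocol port share each subscriber can actually get, and how many public addresses the configured portlimit would need. The pool prefixes 203.0.112.0/21 and 203.0.120.0/21 are placeholders for the thread's x.x.x.x/21 and y.y.y.y/21, and the 64512 usable ports per protocol (1024-65535) is an assumption.

```python
"""Capacity check for a CGN NAT44 public pool (added example, not from the thread)."""
import ipaddress

# Assumption: ports are allocated per protocol (TCP and UDP separately) from
# 1024-65535, so each public address offers 64512 ports per protocol.
USABLE_PORTS_PER_PROTOCOL = 65535 - 1024 + 1  # 64512

# Placeholders standing in for the thread's x.x.x.x/21 and y.y.y.y/21 pools.
POOLS = ["203.0.112.0/21", "203.0.120.0/21"]
SUBSCRIBERS = 309101  # "Number of subscribers" from the show command output


def pool_size(prefixes):
    """Public addresses across all address-pools (matches 'Pool address used')."""
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


def subscribers_per_ip(subscribers, prefixes):
    """Average inside IPs sharing one outside IP."""
    return subscribers / pool_size(prefixes)


def effective_port_cap(subscribers, prefixes, portlimit):
    """Ports per protocol a subscriber can get on average.

    The configured portlimit only bites when the subscriber's share of the
    public address's port range exceeds it; otherwise the public IP is the
    bottleneck and raising portlimit changes nothing (Pshem's point).
    """
    share = USABLE_PORTS_PER_PROTOCOL / subscribers_per_ip(subscribers, prefixes)
    return min(portlimit, share)


def addresses_needed(subscribers, portlimit):
    """Public IPs required so every subscriber could use its full portlimit."""
    per_ip = USABLE_PORTS_PER_PROTOCOL // portlimit
    return -(-subscribers // per_ip)  # ceiling division


if __name__ == "__main__":
    print(f"public addresses in pool: {pool_size(POOLS)}")
    print(f"subscribers per public IP: {subscribers_per_ip(SUBSCRIBERS, POOLS):.1f}")
    for limit in (2048, 6144):
        cap = effective_port_cap(SUBSCRIBERS, POOLS, limit)
        need = addresses_needed(SUBSCRIBERS, limit)
        print(f"portlimit {limit}: effective cap {cap:.0f} ports, "
              f"{need} addresses needed to honour it")
```

The cap comes out identical for portlimit 2048 and 6144, which is why raising it did not move the drop counter; the averages also ignore that traffic is uneven across subscribers and that bulk port allocation changes the accounting.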

