[c-nsp] ASR9K VSM
Pshem Kowalczyk
pshem.k at gmail.com
Mon Mar 28 05:00:30 EDT 2016
Hi,
What's your inside IP/outside IP ratio?
kind regards
Pshem
On Mon, 28 Mar 2016 at 21:44 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
> Hi Pshem
> Thanks for the reply, please check my configuration below
>
> vrf OUTSIDE
> address-family ipv4 unicast
>
> vrf INSIDE-1
> address-family ipv4 unicast
>
> vrf INSIDE-2
> address-family ipv4 unicast
>
> hw-module service cgn location 0/1/CPU0
>
> interface TenGigE0/0/1/1
> mtu 9216
> load-interval 30
>
> interface TenGigE0/0/1/1.900
> description ## VLAN 900 SUBINTERFACE ##
> vrf INSIDE-1
> ipv4 address 172.20.60.130 255.255.255.248
> load-interval 30
> encapsulation dot1q 900
>
> interface TenGigE0/0/1/1.902
> description ## VLAN 902 SUBINTERFACE ##
> vrf INSIDE-2
> ipv4 address 172.20.60.146 255.255.255.248
> load-interval 30
> encapsulation dot1q 902
>
> interface TenGigE0/0/1/2
> mtu 9216
> load-interval 30
>
> interface TenGigE0/0/1/2.901
> description ## VLAN 901 SUBINTERFACE ##
> vrf INSIDE-1
> ipv4 address 172.20.60.138 255.255.255.248
> load-interval 30
> encapsulation dot1q 901
>
> interface TenGigE0/0/1/2.903
> description ## VLAN 903 SUBINTERFACE ##
> vrf INSIDE-2
> ipv4 address 172.20.60.154 255.255.255.248
> load-interval 30
> encapsulation dot1q 903
>
> interface ServiceApp1
> vrf INSIDE-1
> ipv4 address 1.1.1.1 255.255.255.252
> load-interval 30
> service cgn cgn1 service-type nat44
>
> interface ServiceApp2
> ipv4 address 2.2.2.2 255.255.255.252
> load-interval 30
> service cgn cgn1 service-type nat44
>
> interface ServiceApp3
> vrf INSIDE-2
> ipv4 address 30.30.30.30 255.255.255.252
> load-interval 30
> service cgn cgn1 service-type nat44
>
> interface ServiceApp4
> ipv4 address 4.4.4.2 255.255.255.252
> load-interval 30
> service cgn cgn1 service-type nat44
>
> interface ServiceInfra1
> ipv4 address 10.99.99.2 255.255.255.0
> service-location 0/1/CPU0
>
> router static
> address-family ipv4 unicast
> x.x.x.x/21 ServiceApp2
> y.y.y.y/21 ServiceApp4
>
> vrf INSIDE-1
> address-family ipv4 unicast
> 0.0.0.0/0 172.20.60.131 50
> 0.0.0.0/0 ServiceApp1
> 10.4.160.0/28 172.20.60.132
> 10.5.0.0/17 172.20.60.132
> 10.5.128.0/17 172.20.60.132
> 10.13.0.0/17 172.20.60.132
> 10.13.128.0/17 172.20.60.132
> 10.14.0.0/17 172.20.60.132
> 10.14.128.0/17 172.20.60.132
> 10.16.0.0/17 172.20.60.132
> 10.16.128.0/17 172.20.60.132
> 10.21.0.0/17 172.20.60.132
> 10.21.128.0/17 172.20.60.132
> 10.23.0.0/17 172.20.60.132
> 10.23.128.0/17 172.20.60.132
> 10.25.0.0/17 172.20.60.132
> 10.25.128.0/17 172.20.60.132
> 10.55.0.0/27 172.20.60.132
> 10.128.0.0/16 172.20.60.132
> 10.129.0.0/16 172.20.60.132
> 10.130.0.0/16 172.20.60.132
> 10.131.0.0/16 172.20.60.132
> 10.132.0.0/16 172.20.60.132
> 10.133.0.0/16 172.20.60.132
> 10.134.0.0/16 172.20.60.132
> 10.135.0.0/16 172.20.60.132
> 10.136.0.0/16 172.20.60.132
> 10.137.0.0/16 172.20.60.132
> 10.138.0.0/17 172.20.60.132
> 172.17.56.0/29 172.20.60.132
>
> vrf INSIDE-2
> address-family ipv4 unicast
> 0.0.0.0/0 172.20.60.147 50
> 0.0.0.0/0 ServiceApp3
> 10.11.0.0/18 172.20.60.148
> 10.11.64.0/20 172.20.60.148
> 10.11.80.0/20 172.20.60.148
> 10.11.96.0/19 172.20.60.148
> 10.11.128.0/17 172.20.60.148
> 10.138.128.0/17 172.20.60.148
> 10.140.0.0/16 172.20.60.148
> 10.141.0.0/16 172.20.60.148
> 10.142.0.0/16 172.20.60.148
> 10.143.0.0/16 172.20.60.148
> 10.144.0.0/16 172.20.60.148
> 10.145.0.0/16 172.20.60.148
> 10.146.0.0/16 172.20.60.148
> 10.147.0.0/16 172.20.60.148
> 10.152.0.0/16 172.20.60.148
>
> service cgn cgn1
> service-location preferred-active 0/1/CPU0
> service-type nat44 nat1
> portlimit 2048
> alg ActiveFTP
> alg rtsp server-port 10000
> alg pptpAlg
> inside-vrf INSIDE-1
> map outsideServiceApp ServiceApp2 address-pool x.x.x.x/21
>
> inside-vrf INSIDE-2
> map outsideServiceApp ServiceApp4 address-pool y.y.y.y/21
>
> protocol udp
> session initial timeout 30
> session active timeout 100
>
> protocol tcp
> session initial timeout 120
> session active timeout 900
>
> protocol icmp
> timeout 60
>
> refresh-direction Outbound
>
> BR,
> Mohammad
> ------------------------------
> From: pshem.k at gmail.com
> Date: Mon, 28 Mar 2016 08:28:46 +0000
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
>
> Hi,
>
> The card is capable of 60mil translations, but you have to 'partition'
> your traffic into at least 2 ServiceApp interface pairs (4 ServiceApp
> interfaces total).
>
> The port drops mean that the 'inside' IP/ports couldn't be mapped because
> there are not enough ports left on a given public IP. Do you do block
> allocations? How many inside IPs per one outside IP? If these drops are
> increasing quickly it means that your customers are most likely having
> issues accessing the internet. The number of ports will be generally
> specific to your customer base (for example setup for mobile tends to be
> able to get away with fewer ports than customers on fibre access).
>
> No translation drops are generally harmless - these are things like port
> scans across your ranges, packets received past time-outs for given
> protocols, etc.
>
> kind regards
> Pshem
>
>
> On Sun, 27 Mar 2016 at 20:45 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
>
> Dears
> I have installed VSM on ASR9K for NAT44 CGN
> I can see a lot of drops in the output of show cgn nat44 nat1 statistics
> RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
>
>
>
> Statistics summary of NAT44 instance: 'nat1'
>
> Number of active translations: 4079397
>
> Inside to outside drops port limit exceeded: 155093
>
> No translation entry drops: 1617189
>
> I have some questions regarding this if you can assist
>
> One of the experts told me that number of active translations are 4M (it
> can be shown from the above output that the number is like that), is this
> number per module? per service? can I configure extra to isolate this?
> inside to outside drops?
> portlimit drops? I have configured it to be 2048, should I increase it?
> 2048 means for each private IP address there is 2048 available?
>
> Thanks in advance
>
> BR,
> Mohammad
>
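Added example (not part of the thread and not Cisco tooling): a small calculator that relates the quoted counters, the portlimit of 2048 and the two /21 outside pools to the inside IP/outside IP ratio asked about above. Assumptions: ports 1024-65535 are usable on every public address, every address in a pool is used, 198.18.0.0/21 is a placeholder for the elided x.x.x.x/21, and the ratio passed to assess() is hypothetical.

```python
import ipaddress
import re

# Assumption: dynamic NAT may use ports 1024-65535 on every public address.
USABLE_PORTS_PER_IP = 65536 - 1024

# Counters as quoted in the thread.
SAMPLE_STATS = """\
Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 4079397
Inside to outside drops port limit exceeded: 155093
No translation entry drops: 1617189
"""

def parse_stats(text):
    """Return {counter name: int} for each 'name: number' line."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def pool_capacity(pool_cidr, portlimit, pools=1):
    """Port budget of `pools` equal-sized outside pools."""
    addrs = ipaddress.ip_network(pool_cidr).num_addresses * pools
    ports = addrs * USABLE_PORTS_PER_IP
    return {
        "public_ips": addrs,
        "total_ports": ports,
        # Inside hosts per outside IP that can all sit at portlimit at once.
        "safe_ratio": USABLE_PORTS_PER_IP // portlimit,
        "hosts_at_limit": ports // portlimit,
    }

def assess(stats, cap, portlimit, inside_per_outside):
    """Compare live counters and a planned ratio against the port budget."""
    active = stats["Number of active translations"]
    return {
        "pool_utilisation": active / cap["total_ports"],
        # Lower bound: each inside host holds at most `portlimit` ports.
        "min_active_hosts": -(-active // portlimit),
        "ratio_oversubscribed": inside_per_outside > cap["safe_ratio"],
    }

if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS)
    cap = pool_capacity("198.18.0.0/21", portlimit=2048, pools=2)
    print(cap)
    print(assess(stats, cap, 2048, inside_per_outside=64))
```

A ratio at or below safe_ratio means a public address cannot run out of ports even if every inside host behind it reaches the portlimit; above it, exhaustion depends on how many hosts are busy at the same time.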