[c-nsp] ASR9K VSM

Pshem Kowalczyk pshem.k at gmail.com
Tue Mar 29 15:01:59 EDT 2016


Hi,

I was after subscribers, not sessions (as in 'active NAT translations').
Your current port_limit (of 2048) is higher than what you can get out of
the ratio of private/public IPs (around 75:1). You can only get around 900
TCP + 900 UDP ports on average per active subscriber in your setup. From
the number of translations you seem to be getting 4mil/300k = ~ 1.3k
translations per active subscriber, which likely means you're hitting the
limit on the number of available ports (and public IPs) (TCP sessions tend
to be longer living than UDP and there are usually more TCP sessions than
UDP sessions (at least in our customer base)).

kind regards
Pshem


On Wed, 30 Mar 2016 at 02:24 Mohammad Khalil <eng_mssk at hotmail.com> wrote:

> Dear Pshem
> I think I got confused :)
> I have around 4M or 4000K active sessions not 300K if I got you right
> And then 4000000/4096=976
> Am I right ?
>
> BR,
>
> ------------------------------
> From: pshem.k at gmail.com
> Date: Mon, 28 Mar 2016 09:32:25 +0000
>
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> Looking at the number of subscribers you have there (~300k) and the fact
> that you have 2 x /21 allocated for public space - that means about 70
> subscribers per public IP address. This feels a little bit on the high
> side, even for mobile traffic. Since all sessions belonging to a given
> private IP address must be mapped to the same public IP address it's
> likely that you're running out of ports on public IP addresses (as there
> are only ~65k ports x 2 (UDP+TCP)). I'd suggest increasing the public pool
> sizes and checking the stats again.
>
> kind regards
> Pshem
>
>
> On Mon, 28 Mar 2016 at 22:11 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
>
>
> RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
>
> Statistics summary of NAT44 instance: 'nat1'
> Number of active translations: 3993473
> Number of sessions: 100482
> Translations create rate: 18464
> Translations delete rate: 16367
> Inside to outside forward rate: 523403
> Outside to inside forward rate: 755919
> Inside to outside drops port limit exceeded: 481732
> Inside to outside drops system limit reached: 0
> Inside to outside drops resource depletion: 0
> No translation entry drops: 28976704
> PPTP active tunnels: 2
> PPTP active channels: 2
> PPTP ctrl message drops: 2
> Number of subscribers: 309101
> Drops due to session db limit exceeded: 0
> Drops due to source ip not configured: 0
>
> Pool address totally free: 0
> Pool address used: 4096
> Pool address usage:
>
> ------------------------------
> From: pshem.k at gmail.com
> Date: Mon, 28 Mar 2016 09:06:19 +0000
>
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> How many active subscribers (inside IPs) do you have per one outside IP?
>
> For example in one of the installations I worked on we used 16 active
> subscribers per outside IP (4096 ports per subscriber).
>
> kind regards
> Pshem
>
>
> On Mon, 28 Mar 2016 at 22:03 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
>
>
> Hi
> Can you clarify further so I can be precise?
> ------------------------------
> From: pshem.k at gmail.com
> Date: Mon, 28 Mar 2016 09:00:30 +0000
>
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> Hi,
>
> What's your inside IP/outside IP ratio?
>
> kind regards
> Pshem
>
>
> On Mon, 28 Mar 2016 at 21:44 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
>
> Hi Pshem
> Thanks for the reply, please check my configuration below
>
> vrf OUTSIDE
>  address-family ipv4 unicast
>
> vrf INSIDE-1
>  address-family ipv4 unicast
>
> vrf INSIDE-2
>  address-family ipv4 unicast
>
> hw-module service cgn location 0/1/CPU0
>
> interface TenGigE0/0/1/1
>  mtu 9216
>  load-interval 30
>
> interface TenGigE0/0/1/1.900
>  description ## VLAN 900 SUBINTERFACE ##
>  vrf INSIDE-1
>  ipv4 address 172.20.60.130 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 900
>
> interface TenGigE0/0/1/1.902
>  description ## VLAN 902 SUBINTERFACE ##
>  vrf INSIDE-2
>  ipv4 address 172.20.60.146 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 902
>
> interface TenGigE0/0/1/2
>  mtu 9216
>  load-interval 30
>
> interface TenGigE0/0/1/2.901
>  description ## VLAN 901 SUBINTERFACE ##
>  vrf INSIDE-1
>  ipv4 address 172.20.60.138 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 901
>
> interface TenGigE0/0/1/2.903
>  description ## VLAN 903 SUBINTERFACE ##
>  vrf INSIDE-2
>  ipv4 address 172.20.60.154 255.255.255.248
>  load-interval 30
>  encapsulation dot1q 903
>
> interface ServiceApp1
>  vrf INSIDE-1
>  ipv4 address 1.1.1.1 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceApp2
>  ipv4 address 2.2.2.2 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceApp3
>  vrf INSIDE-2
>  ipv4 address 30.30.30.30 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceApp4
>  ipv4 address 4.4.4.2 255.255.255.252
>  load-interval 30
>  service cgn cgn1 service-type nat44
>
> interface ServiceInfra1
>  ipv4 address 10.99.99.2 255.255.255.0
>  service-location 0/1/CPU0
>
> router static
>  address-family ipv4 unicast
>   x.x.x.x/21 ServiceApp2
>   y.y.y.y/21 ServiceApp4
>
>  vrf INSIDE-1
>   address-family ipv4 unicast
>    0.0.0.0/0 172.20.60.131 50
>    0.0.0.0/0 ServiceApp1
>    10.4.160.0/28 172.20.60.132
>    10.5.0.0/17 172.20.60.132
>    10.5.128.0/17 172.20.60.132
>    10.13.0.0/17 172.20.60.132
>    10.13.128.0/17 172.20.60.132
>    10.14.0.0/17 172.20.60.132
>    10.14.128.0/17 172.20.60.132
>    10.16.0.0/17 172.20.60.132
>    10.16.128.0/17 172.20.60.132
>    10.21.0.0/17 172.20.60.132
>    10.21.128.0/17 172.20.60.132
>    10.23.0.0/17 172.20.60.132
>    10.23.128.0/17 172.20.60.132
>    10.25.0.0/17 172.20.60.132
>    10.25.128.0/17 172.20.60.132
>    10.55.0.0/27 172.20.60.132
>    10.128.0.0/16 172.20.60.132
>    10.129.0.0/16 172.20.60.132
>    10.130.0.0/16 172.20.60.132
>    10.131.0.0/16 172.20.60.132
>    10.132.0.0/16 172.20.60.132
>    10.133.0.0/16 172.20.60.132
>    10.134.0.0/16 172.20.60.132
>    10.135.0.0/16 172.20.60.132
>    10.136.0.0/16 172.20.60.132
>    10.137.0.0/16 172.20.60.132
>    10.138.0.0/17 172.20.60.132
>    172.17.56.0/29 172.20.60.132
>
>  vrf INSIDE-2
>   address-family ipv4 unicast
>    0.0.0.0/0 172.20.60.147 50
>    0.0.0.0/0 ServiceApp3
>    10.11.0.0/18 172.20.60.148
>    10.11.64.0/20 172.20.60.148
>    10.11.80.0/20 172.20.60.148
>    10.11.96.0/19 172.20.60.148
>    10.11.128.0/17 172.20.60.148
>    10.138.128.0/17 172.20.60.148
>    10.140.0.0/16 172.20.60.148
>    10.141.0.0/16 172.20.60.148
>    10.142.0.0/16 172.20.60.148
>    10.143.0.0/16 172.20.60.148
>    10.144.0.0/16 172.20.60.148
>    10.145.0.0/16 172.20.60.148
>    10.146.0.0/16 172.20.60.148
>    10.147.0.0/16 172.20.60.148
>    10.152.0.0/16 172.20.60.148
>
> service cgn cgn1
>  service-location preferred-active 0/1/CPU0
>  service-type nat44 nat1
>   portlimit 2048
>   alg ActiveFTP
>   alg rtsp server-port 10000
>   alg pptpAlg
>   inside-vrf INSIDE-1
>    map outsideServiceApp ServiceApp2 address-pool x.x.x.x/21
>
>   inside-vrf INSIDE-2
>    map outsideServiceApp ServiceApp4 address-pool y.y.y.y/21
>
>   protocol udp
>    session initial timeout 30
>    session active timeout 100
>
>   protocol tcp
>    session initial timeout 120
>    session active timeout 900
>
>   protocol icmp
>    timeout 60
>
>   refresh-direction Outbound
>
> BR,
> Mohammad
> ------------------------------
> From: pshem.k at gmail.com
> Date: Mon, 28 Mar 2016 08:28:46 +0000
> Subject: Re: [c-nsp] ASR9K VSM
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
>
> Hi,
>
> The card is capable of 60mil translations, but you have to 'partition'
> your traffic into at least 2 ServiceApp interface pairs (4 ServiceApp
> interfaces total).
>
> The port drops mean that the 'inside' IP/ports couldn't be mapped because
> there are not enough ports left on a given public IP. Do you do block
> allocations? How many inside IPs per one outside IP? If these drops are
> increasing quickly it means that your customers are most likely having
> issues accessing the internet. The number of ports will be generally
> specific to your customer base (for example a setup for mobile tends to be
> able to get away with fewer ports than customers on fibre access).
>
> No translation drops are generally harmless - these are things like port
> scans across your ranges, packets received past time-outs for given
> protocols, etc.
>
> kind regards
> Pshem
>
>
> On Sun, 27 Mar 2016 at 20:45 Mohammad Khalil <eng_mssk at hotmail.com> wrote:
>
> Dears
> I have installed VSM on ASR9K for NAT44 CGN
> I can see a lot of drops in the output of show cgn nat44 nat1 statistics
> RP/0/RSP0/CPU0:NAT1#show cgn nat44 nat1 statistics
>
>
>
> Statistics summary of NAT44 instance: 'nat1'
>
> Number of active translations: 4079397
>
> Inside to outside drops port limit exceeded: 155093
>
> No translation entry drops: 1617189
>
> I have some questions regarding this if you can assist
>
> One of the experts told me that the number of active translations is 4M (it
> can be seen from the above output that the number is like that). Is this
> number per module? Per service? Can I configure extra to isolate this?
> Inside to outside drops?
> Portlimit drops? I have configured it to be 2048, should I increase it?
> Does 2048 mean that for each private IP address there are 2048 available?
>
> Thanks in advance
>
> BR,
> Mohammad
>
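Added example, not from the thread or from Cisco: a small Python calculator for the port arithmetic Pshem walks through above (public pool size versus subscriber count versus the configured portlimit), run over an abbreviated, constructed copy of the `show cgn nat44 nat1 statistics` output quoted in the thread. The two /21 public pools are redacted in the thread, so documentation-style placeholder prefixes stand in for them; the 65536-ports-per-address figure, the parsing helper and the assumption that every active subscriber should be able to reach the configured portlimit are mine.

```python
"""CGN NAT44 port-budget arithmetic for the setup discussed in the thread.

Added example; counters and prefix lengths are the ones quoted in the thread,
everything else is a labelled assumption.
"""
import math
import re
from ipaddress import ip_network

# Constructed sample: abbreviated copy of the statistics output posted in the
# thread (values as quoted there, unrelated lines dropped).
SAMPLE_STATS = """\
Statistics summary of NAT44 instance: 'nat1'
Number of active translations: 3993473
Number of sessions: 100482
Inside to outside drops port limit exceeded: 481732
Inside to outside drops resource depletion: 0
No translation entry drops: 28976704
Number of subscribers: 309101
Pool address used: 4096
"""

# Assumption: the thread's two public pools are /21s but the real prefixes are
# redacted (x.x.x.x/21, y.y.y.y/21); these placeholders only supply the size.
PUBLIC_POOLS = ["203.0.112.0/21", "198.51.96.0/21"]

PORTLIMIT = 2048  # 'portlimit 2048' from the posted configuration


def parse_cgn_stats(text):
    """Turn 'Counter name: integer' lines into a dict; other lines are skipped."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][^:]*?):\s*(\d+)\s*$", line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats


def pool_size(prefixes):
    """Number of public addresses across all configured pools."""
    return sum(ip_network(p).num_addresses for p in prefixes)


def port_budget(public_ips, subscribers, portlimit, ports_per_ip=65536):
    """Per-subscriber port arithmetic for one transport protocol.

    TCP and UDP each have their own 16-bit port space on every public address,
    so the figures apply to each protocol separately (assumption: the full
    range is usable; a deployment that reserves low ports has slightly less).
    """
    subs_per_ip = subscribers / public_ips
    return {
        "subs_per_ip": subs_per_ip,
        # what a subscriber gets on average if ports were shared evenly
        "avg_ports_per_sub": ports_per_ip / subs_per_ip,
        # how many subscribers can all reach portlimit on one address
        "max_subs_per_ip_at_portlimit": ports_per_ip // portlimit,
        # >1.0 means the portlimit cannot be honoured for everyone at once
        "oversubscription": portlimit * subs_per_ip / ports_per_ip,
    }


def public_ips_needed(subscribers, portlimit, ports_per_ip=65536):
    """Addresses required if every active subscriber may reach portlimit."""
    return math.ceil(subscribers / (ports_per_ip // portlimit))


def prefix_len_for(n_ips):
    """Smallest IPv4 prefix length whose block holds at least n_ips addresses."""
    return 32 - math.ceil(math.log2(n_ips))


def analyse(stats, prefixes, portlimit):
    """Combine the counters with the pool size into one planning summary."""
    ips = pool_size(prefixes)
    subs = stats["Number of subscribers"]
    summary = port_budget(ips, subs, portlimit)
    summary["public_ips"] = ips
    summary["translations_per_sub"] = stats["Number of active translations"] / subs
    summary["port_limit_drops"] = stats["Inside to outside drops port limit exceeded"]
    summary["ips_for_full_portlimit"] = public_ips_needed(subs, portlimit)
    summary["prefix_for_full_portlimit"] = prefix_len_for(summary["ips_for_full_portlimit"])
    return summary


if __name__ == "__main__":
    for key, value in analyse(parse_cgn_stats(SAMPLE_STATS), PUBLIC_POOLS, PORTLIMIT).items():
        print(f"{key:30s} {value:,.2f}" if isinstance(value, float) else f"{key:30s} {value:,}")
```

With the thread's numbers the summary shows about 75 subscribers per public address and roughly 870 ports per subscriber per protocol, so a 2048 portlimit is oversubscribed more than twice over; honouring it for all 309k subscribers would need a pool of about 9660 addresses (a /18 rather than two /21s). Pshem's earlier reference design (16 subscribers per address at 4096 ports) is the `oversubscription == 1.0` case.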