[j-nsp] question NAT - ISG2000
Pavel Lunin
plunin at senetsy.ru
Wed Mar 24 17:06:15 EDT 2010
Hi Ibariouen,
Enough in this case can mean different things. Enough for what?
Usually 'not enough' means that each external IP 'generates' too many
simultaneous and new (per second) sessions. This can trigger attack
defence mechanisms on popular sites, etc.
But 'too many' is also not quite a clear definition, and it is harder to
justify.
You can check how many sessions each IP has as a source with the 'get session
info' command. You see the total sessions, and by dividing them by the number of IPs
you get the number of sessions per external IP. The same for new
sessions: issue 'get perf session detail'.
There is one tricky thing here. The values you get by dividing the total
number of [new] sessions by the number of external IPs can be either exact
or average.
If you do not use dip stickiness (by default it is off), the sessions are
distributed uniformly over the pool: each new session is translated to the
next IP on a round-robin basis. If you do, then there is dispersion, because
each internal IP is always hard-mapped to one external IP while it has
active sessions. In most situations people switch stickiness on to get
multisession services (like IKE without ALG or even FTP) to work properly.
You can check if stickiness is on with the 'get dip' command. If you see
'Port-xlated dip stickness on' in its output, then the numbers of sessions
per IP are averages, not exact. In this case you have to keep in mind that
the actual maximum number of sessions per IP can be much higher than the average,
since there are more and less active users. The numbers of sessions
generated by them can differ tenfold and more.
I believe in your particular case you will get tens of thousands of
simultaneous and at least a few thousand new sessions per external IP.
Believe me, it's TOO many. ICQ and others should definitely block your
users.
--
Regards,
Pavel
2010/3/24 Ibariouen Khalid <ibariouen.khalid at ericsson.com>
>
> Hi all
>
> Actually we are NATing around 11500 active internet users with an ISG-2000
> and 4 public IP addresses.
>
> As I understand it, the NAT is done per session, not per user.
> Can you please tell me how to check if those IP addresses are enough or not?
>
> BR/
>
>
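A small model of the estimate described in the reply above, as an added example that is not part of the original thread. It takes the 11500 users and 4 public addresses from the question; the per-user session distribution, the example addresses (203.0.113.0/24) and the way a sticky host is assigned its external IP are assumptions made for the demonstration, not ScreenOS behaviour read from a box. It shows why total-divided-by-pool-size is exact without stickiness and only an average with it, with the busiest address landing above that average. The same functions work for a vector of new-sessions-per-second per user, which is the figure 'get perf session detail' would give you.

```python
"""Constructed model of sessions per external IP in a NAT pool, with and
without DIP stickiness. Added example, not code from the thread.
Assumptions: 11500 internal users and a 4-address pool (from the question);
the per-user session distribution and addresses are made up for the demo."""
import random

USERS = 11500
# Assumed documentation-range addresses standing in for the 4 public IPs.
POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]


def sessions_per_user(n_users, seed=2010):
    """Constructed per-user session counts (simultaneous sessions, or new
    sessions per second; the arithmetic is identical). Most users hold a
    handful, a small minority hold hundreds or thousands, so the counts
    differ tenfold and more, as the reply says."""
    rng = random.Random(seed)
    counts = []
    for _ in range(n_users):
        r = rng.random()
        if r < 0.001:
            counts.append(rng.randint(2000, 5000))  # a few P2P-style heavy hitters
        elif r < 0.05:
            counts.append(rng.randint(50, 300))     # moderately heavy users
        else:
            counts.append(rng.randint(1, 10))       # typical users
    return counts


def round_robin(counts, pool):
    """Stickiness off: each new session is translated to the next IP in the
    pool, so per-IP totals differ by at most one and total / len(pool) is
    an exact per-IP figure."""
    per_ip = dict.fromkeys(pool, 0)
    i = 0
    for c in counts:
        for _ in range(c):
            per_ip[pool[i % len(pool)]] += 1
            i += 1
    return per_ip


def sticky(counts, pool, seed=2010):
    """Stickiness on: an internal host keeps one external IP for all of its
    sessions. Assumption for the model: the IP is picked round-robin in the
    order hosts first appear, which is arbitrary, so hosts are shuffled."""
    rng = random.Random(seed)
    order = list(range(len(counts)))
    rng.shuffle(order)
    per_ip = dict.fromkeys(pool, 0)
    for k, user in enumerate(order):
        per_ip[pool[k % len(pool)]] += counts[user]
    return per_ip


def summarize(per_ip):
    """The per-IP figure you get from a session total divided by the pool
    size, next to the real maximum across the pool."""
    total = sum(per_ip.values())
    average = total / len(per_ip)
    busiest = max(per_ip.values())
    return {"total": total, "average": average, "max": busiest,
            "max_over_average": busiest / average}


if __name__ == "__main__":
    counts = sessions_per_user(USERS)
    for name, dist in (("round-robin", round_robin(counts, POOL)),
                       ("sticky", sticky(counts, POOL))):
        s = summarize(dist)
        print(f"{name:12s} total={s['total']} avg/IP={s['average']:.0f} "
              f"max/IP={s['max']} max/avg={s['max_over_average']:.2f}")
```

With stickiness the `max_over_average` ratio is what matters: the address that happens to hold the heaviest hosts is the one remote services will see as "too many sessions", so size and monitor the pool against the busiest address, not the average.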