Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
NAT/PAT machine
- Thread starter drman
- Start date
Wow, now that is a lot of PAT
In theory, you cannot PAT more than 65K ports for there are only that number of TCP ports available (this is an approximation) per IP address.
If a 7206 is not constantly at 90%, Your choices are very limited as a 7200 series router is a very powerfull machine.
But with the numbers of PAT, i'm not surprised.
Why, may i ask, do you need so many PATs in the first place? Can you reduce the amount that you use? What about spliting the load on different routers?
In theory, you cannot PAT more than 65K ports for there are only that number of TCP ports available (this is an approximation) per IP address.
If a 7206 is not constantly at 90%, Your choices are very limited as a 7200 series router is a very powerfull machine.
But with the numbers of PAT, i'm not surprised.
Why, may i ask, do you need so many PATs in the first place? Can you reduce the amount that you use? What about spliting the load on different routers?
- Thread starter
- #3
The problem is that the same router is performing policy-based routing and it is not so easy to split traffic. Normally the PAT table entries are between 12k-15k but customers are growing fast and although we are blocking P2P they tend to start multiple tcp/udp sessions. We have tried all nat timeout capabilities, very strict firewall/acl policy etc but nothing. According to Cisco, PAT can reach 65k (depending on the SDRAM) but practicaly the cpu meltdown point is somewhere between 25k-40k. We are planning to put a PIX 515E on the WAN side of the router and move all NAT functions there, what is your opinion?
Also we are thinking of using a Linux NAT box with P4 hyperthreading cpu (or maybe dual Xeon), what do you think?
Regards
Also we are thinking of using a Linux NAT box with P4 hyperthreading cpu (or maybe dual Xeon), what do you think?
Regards
I think that having all your policy-based routing on the 7206 and all the PAT on the 515E is a good start. If possible, split the ACL between the two.
As far as Linux box in the telecommunication path is not recommended. But i'm a telecom guy, not a Linux guy. For heavy communication needs, like you have, stick to telecom devices. They are engineered to work as fast as possible with as little latency as possible. A Linux box is, well, an operating system.
Have you talked to your Cisco representative about this? What do they recommend?
As far as Linux box in the telecommunication path is not recommended. But i'm a telecom guy, not a Linux guy. For heavy communication needs, like you have, stick to telecom devices. They are engineered to work as fast as possible with as little latency as possible. A Linux box is, well, an operating system.
Have you talked to your Cisco representative about this? What do they recommend?
- Thread starter
- #5
The same thing, move NAT to PIX - we are already preparing the procedure. Regarding the usage of Linux as a telecom device i can tell you that we have a QOS/Routing system controlling 40-45 Mbps of traffic working on a BSD/Slackware OS and the availability is 99.999% over the past 2 years. Of course, the hardware must be reliable, because if a disk fails... 
Thanks for the assistance, i will inform you of the results
Thanks for the assistance, i will inform you of the results
I would've also recommended a PIX for what you want to do albeit I'm not sold on the 515E being able to handle the amount of PAt translations you want to throw at it.
It's system specs are:
Processor: 433-MHz Intel Celeron Processor
Random access memory: 64 MB or 128 MB of SDRAM
Chances are your VXR, depends on its age obviously, at least matches if not surpasses this specification.
I'd be more inclined perhaps to look at the 525. As usual though you can't find the definitive figure on the CCO about how many NAT translations each PIX device can support.
I know from bitter experience that a 7206 VXR with NPE300 goes into melt down mode between 20 and 30k PAT translations. This particular device was hit badly by the Slammer virus. This VXR had more DRAM than a 515 (256mb) but a slightly inferior CPU (260 Mhz). As you can see, I'm not convinced the 515E will be a significant upgrade.
If you have access to a Cisco SE or any Cisco partner, I'd probably run your requirements by them and ask them to recommend the most appropriate PIX device.
Hope this helps
It's system specs are:
Processor: 433-MHz Intel Celeron Processor
Random access memory: 64 MB or 128 MB of SDRAM
Chances are your VXR, depends on its age obviously, at least matches if not surpasses this specification.
I'd be more inclined perhaps to look at the 525. As usual though you can't find the definitive figure on the CCO about how many NAT translations each PIX device can support.
I know from bitter experience that a 7206 VXR with NPE300 goes into melt down mode between 20 and 30k PAT translations. This particular device was hit badly by the Slammer virus. This VXR had more DRAM than a 515 (256mb) but a slightly inferior CPU (260 Mhz). As you can see, I'm not convinced the 515E will be a significant upgrade.
If you have access to a Cisco SE or any Cisco partner, I'd probably run your requirements by them and ask them to recommend the most appropriate PIX device.
Hope this helps
- Status
Similar threads
