Networking

  • NAT/PAT:end-user ratio

    4 answers - 1053 bytes

    Hi,
    We're setting up a 2801 (12.3(8)T8) for a customer, running BGP with us.
    Primary link: 4Mbps, backup link: 1.8Mbps. NAT is being performed on a
    loopback interface.
    We're trying to determine how many public NAT-ed (or PAT-ed) IP addresses to
    allocate to the end-users. Is there a general rule of thumb (like a standard
    ratio)? Context is a healthcare environment, end-users are healthcare staff.
    End-users will engage in regular work-related Internet browsing (or so we
    expect).
    There's probably about 150 end-users. We're thinking 10 IP addresses total
    should be adequate, utilizing commands like
    ip nat inside source list allow_users pool users overload
    ip nat pool users IP_ADDRESS.1 IP_ADDRESS.10 prefix-length 27
    Would this hold up to real-world ratios?
    Thanks,
    Adam
    [This e-mail was scanned for viruses by Webjogger's AntiVirus Protection System]
    cisco-nsp mailing list cisco-nsp (AT) puck (DOT) nether.net
    archive at
  • No.1 | 1071 bytes

    Hi,

    Sat, Dec 03, 2005 at 09:50:02AM -0500, Adam Greene wrote:
    We're setting up a 2801 (12.3(8)T8) for a customer, running BGP with us.
    Primary link: 4Mbps, backup link: 1.8Mbps. NAT is being performed on a
    loopback interface.

    We're trying to determine how many public NAT-ed (or PAT-ed) IP addresses to
    allocate to the end-users. Is there a general rule of thumb (like a standard
    ratio)?

    I don't have a generic "rule of thumb", but in our experience, for customers
    of this size, a single (PAT-ed) IP usually suffices.

    Some simple math: a single IP has about 65000 ports for TCP and UDP.

    Divided by 150 (end-users) results in over 400 available ports per user.

    Take away some ports for NAT table expiry time, etc., and you can still
    have 100 parallel TCP/UDP sessions per user - which is likely to fill
    up your memory and CPU before running out of wiggle space.

    (TH, watch out for virus outbreaks - these tend to fill up NAT tables
    pretty quick with portscan garbage)

    gert
  • No.2 | 1411 bytes

    Thanks Gert, for the helpful response

    Message
    From: "Gert Doering" <gert (AT) greenie (DOT) muc.de>
    To: "Adam Greene" <maillist (AT) webjogger (DOT) net>
    Cc: <cisco-nsp (AT) puck (DOT) nether.net>
    Sent: Saturday, December 03, 2005 10:16 AM
    Subject: Re: [c-nsp] NAT/PAT:end-user ratio
  • No.3 | 1329 bytes

    Gert is right. Make sure you consider some of the NAT
    per host translation limit parameters to protect against
    such an outbreak where it chews up all your translations.

    Rodney

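    As an added worked example (not from the thread), the following Python model puts Gert's port arithmetic and Rodney's per-host translation limit side by side: it computes the per-user port share, then checks whether a few port-scanning hosts would exhaust one public IP's translation table with and without a per-host cap. The 60-second SYN timeout is assumed to be the IOS default; the scan rates are constructed inputs.

```python
from typing import Optional

PORTS_PER_IP = 65000      # Gert's round figure: ports per public IP, per protocol
SYN_TIMEOUT_S = 60        # assumed IOS default for 'ip nat translation syn-timeout'


def ports_per_user(public_ips: int, users: int) -> int:
    """Gert's first step: static share of one protocol's port space per user."""
    return public_ips * PORTS_PER_IP // users


def steady_state_load(users: int, sessions_per_user: int) -> int:
    """Translations held by normal browsing: one entry per parallel flow."""
    return users * sessions_per_user


def outbreak_load(scanners: int, probes_per_sec: float,
                  per_host_limit: Optional[int] = None) -> int:
    """Translations held by scanning hosts at any instant.

    A SYN to an unanswered port leaves a half-open translation that is only
    freed when syn-timeout expires, so one scanner pins roughly
    probes_per_sec * SYN_TIMEOUT_S entries. A per-host translation limit
    (Rodney's suggestion) caps what each infected host can consume.
    """
    per_host = int(probes_per_sec * SYN_TIMEOUT_S)
    if per_host_limit is not None:
        per_host = min(per_host, per_host_limit)
    return scanners * per_host


def free_translations(public_ips: int, users: int, sessions_per_user: int,
                      scanners: int, probes_per_sec: float,
                      per_host_limit: Optional[int] = None) -> int:
    """Remaining table capacity; negative means the table is exhausted."""
    capacity = public_ips * PORTS_PER_IP
    demand = (steady_state_load(users, sessions_per_user)
              + outbreak_load(scanners, probes_per_sec, per_host_limit))
    return capacity - demand


if __name__ == "__main__":
    # Constructed scenario: Adam's 150 users on one PAT-ed IP, 100 flows each,
    # with three infected hosts each probing 500 ports per second.
    print("ports per user:", ports_per_user(1, 150))
    print("free, no limit:", free_translations(1, 150, 100, 3, 500.0))
    print("free, 300/host:", free_translations(1, 150, 100, 3, 500.0, 300))
```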
  • No.4 | 1773 bytes

    Thanks, we'll check that out as an extra precaution.

    Much appreciated,
    Adam

    Message
    From: "Rodney Dunn" <rodunn (AT) cisco (DOT) com>
    To: "Gert Doering" <gert (AT) greenie (DOT) muc.de>
    Cc: "Adam Greene" <maillist (AT) webjogger (DOT) net>; <cisco-nsp (AT) puck (DOT) nether.net>
    Sent: Sunday, December 04, 2005 10:29 PM
    Subject: Re: [c-nsp] NAT/PAT:end-user ratio
