
An ISR Router that can handle 1000+ simultaneous NAT

Hello,

Due to the limitations of the BPL devices we use in our ISP backbone, we have to handle Network Address Translations centrally. At our perimeter point, we need a router that can

1) Terminate MetroEthernet at the outside FastEthernet interface (Easy)

2) Perform well in a router-on-a-stick scenario for 32 VLANs at the inside interface (**)

3) Handle Network Address Translations for about 1000+ clients (**)

4) Perform IPS and Firewall

** -> I detached a Cisco 2651XM with the latest IOS, configured as router-on-a-stick, from a location where 500+ NATs were occurring and CPU was hitting 100% and rendering the device unresponsive. This issue might be occurring because of the ** mentioned points above. I attached a simple device called Netasq that runs on the FreeBSD platform, configured the same, and it performs great with 4% CPU. Maybe it was a bug; I called TAC but it was EOL, opened a topic in NetPro but no solution.

Waiting for suggestions

Thanks


Nearly 20% of all posters are due to issues brought about by McDonald-style design and implementation. When it comes to network design and implementation, I am a firm believer in the adage "You have three options: cheap, fast and correctly. Choose two."

Hi Husycisco,

This is a very interesting read.

I have not seen a true answer as to why the Netasq is either cheap or not doing networking properly.

When balancing the cost effectiveness, the ability to do the job, the ability to support the product and the scalability of the solution, I believe (yes this is a Cisco Support Community - but we are networkers solving problems first and foremost) the Netasq outperforms the Cisco in all the above criteria when related to the tasks you require to be performed on your network and the guidelines you have laid out.

We may fudge here and there but based on your posts you really have no option barring brand loyalty :-)

Thanks for the heads up jon, been long time, hope you are doing fine. Winston got what I mean actually. Everyone thanks for your valuable inputs

"Regarding the device they are using now, try copying a huge file between gigabit-equipped servers on different VLANs. Perhaps, throw some ACL in there too. Compare time to the same copy made between servers in the same VLAN.

Then, try having a disk crash on that box and see what you are left with"

This statement moves our discussion to another topic, probably called "Router-on-a-stick. Should we consider doing it, or not?". Plus, buffering and queuing that occur due to the bad nature of R-O-A-S would most probably take place in RAM, not disks. Anyway, whatever happens behind the scenes, I am definitely against router on a stick; I also answer questions here and this is how a NetPro thinks. Let's come to the real discussion, which is "But this forum is titled "NetPro", and as such we try to remain."

Let's forget about the name Netasq, it's just another firm like Fortigate or any xxx that runs on top of BSD. It is a matter of BSD versus IOS.

We are a BPL ISP with 1000+ clients. Objective is simple. 32 VLANs sometimes more depending on campus, they all have to be just NATed for Internet connection. No inter-vlan routing required.

BSD does it, price is crap, CPU util 5%

IOS can't, CPU 100%, price is 2K

One Network admin is a CCNP CCSP Netpro. Agrees to pay 2K and no solution.

Other admin is a non-cisco guy. Agrees to pay 1K or less to a BSD platform, and everything works like a charm

Countries import CEOs that are good on savings and can survive in this period of economy.

Unemployment is 10% in the USA only

Now as such we try to remain?

If Cisco worked, either better or worse than BSD, I could have said "This is Cisco, the industry leader with its proprietary Operating system" and earned a point. It's not a discussion of BSD does and IOS is worse, it is BSD does and IOS crashes.

With my years of Cisco experience, I don't mind whatever the real answer is, my answer is "This is a bug, should be easily solved"


It could be a bug but then again it could just be that the BSD box performs this specific set of tasks more efficiently than a Cisco router. I think that can be a problem on these forums sometimes in that we all work with Cisco and so perhaps unwittingly sometimes are not prepared to be too critical of their products.

Cisco make very good networking products but they are not necessarily the best at what they do nor are they the cheapest. I don't accept the idea that if you use Cisco that is a professional solution but if you use BSD then it isn't. As a network designer I was often having to evaluate Cisco against other vendors and as often as not the other product would be as good if not better in terms of performance/features/cost. Nine times out of ten though we would still go with Cisco for the following reasons -

1) Support within the company - I haven't used Netasq, although I am familiar with Unix, but adding another vendor's box into the mix means additional support overheads.

2) Existing investment - can be a bit of a catch 22 this one but if you have invested in CiscoWorks etc. for managing your network, adding non-Cisco devices can become quite a headache

3) Support from Cisco via TAC, these forums, their website etc. - just the amount of information on their website is very impressive in terms of tech docs for just about any scenario

4) Future proofing - Cisco are not going to fold in the next 12 months, or at least we should all hope not or we will be looking for alternative work. That's an important factor to take into account although obviously this applies to the likes of Juniper etc.

5) Size of network. Last place I worked had over 20000 users spread across the whole of the UK. With this sort of setup introducing a new vendor can be very time consuming. Didn't mean we didn't do it though.

Basically if the device did what we wanted of it we would tend to buy Cisco. If another vendor's products did the same but had another 10 features, if we didn't need them then it was still Cisco.

But without a doubt Cisco do not make the best of everything. They still cannot, for example, support true clustered firewalls with the best they can do being active/active contexts although this is nowhere near the same. It's just a trade off between functionality and all the other costs involved.

Jon

I have followed this discussion almost from the beginning and have managed to say nothing up to the point where I've learned that bugs are so easy to resolve. If that's what you think and you are also worried about unemployment, I have good news for you: Cisco is hiring in this field and it takes a reeeaally long time for open positions to disappear from Cisco's website. I am currently a student (again) and sometimes worried about how things are going to go in general. Still, I'm not in a hurry to apply to any of those jobs or any other similar ones elsewhere, because it is a fact of life: People prefer to compare 1000$ to say 3000$, come up with an answer that even my 5-year-old niece can figure and play it smart CEOs, than get to work and resolve the bugs! Also, what makes you think that software can solve the issues of the hardware? If hardware limitations exist, software can't play God!

Life is full of trade-offs and machines/systems are no exception. High performance and many features is a tough thing to accomplish in a system. However, all this will be a thing of the past if I decide to get back to work and finally release my super-fast (and most importantly bug-free ;)) multicore processor messaging library. By the way, why is it that before testing everything works perfectly? For some weird reason everything seems to fall apart when I start testing. I removed some sanity checks to make it faster, so if the user isn't careful, my super-fast library crashes reeeally fast!

I would like to thank Jon for capturing some of my thoughts on this one. I am not usually a fan of private companies for various reasons, but I throw an exception for cisco notably because I like the products, the very helpful employees, the wealth of open documentation, and other open activities such as NetPro. I have been a fan of cisco for many years, and although cisco doesn't seem to share my feelings so much, I've learned to live with that! I will just add 2 more things to what Jon said:

1. When we entered the 3rd year of technical school (more than 10 years ago), a professor encouraged us to go shopping and we happily went for some shopping therapy, buying fun stuff like resistors, capacitors, diodes, cables, etc. for the purposes of building a circuit from scratch. We were poor students, so we chose the cheapest tools, and guess what? We ended up buying the expensive ones as well, because some of the tools were not accurate enough to do work with the thin cables we were using! Cheap can turn into more expensive than the expensive sometimes. Not to mention cheap non-Cisco memories, full upgrades of 7500 series because some CEO can't understand that a GSR is needed sometimes, etc.

2. Cisco doesn't really have to resolve the bugs. If we take a look at what cisco is doing lately, it would be better if cisco just bought the NetAsq (or whatever). Some companies exist just for the purpose of being sold in the future you know. In this case, if your machine has issues, you could still open a discussion here, instead of trying to find the cost-free NetAsq Support Community!

3. (ok there is a third one as well) If the decision on this one is so obvious and easy, why don't you just buy the non-cisco device and end of the story?

Some companies exist just for the purpose of being sold in the future you know

You know too much by now Maria. Watch out for white vans around you live.

Hi Paolo,

Before I seriously ask for your protection services, and since you have been a Technical Marketing Engineer, could you please enlighten us on what the following press release means?

http://www.business-standard.com/india/news/airbus-arm-starts-india-operations/378475/

[December  4, 2009, 0:18 IST ... "We aim to capture the network security market with aggressive marketing and brand visibility techniques,” Dominique Meurisse, executive vice-president (sales and marketing), NetASQ, told reporters.]

How would you define "aggressive marketing and brand visibility techniques"?

Kind Regards,

Maria

How would you define "aggressive marketing and brand visibility techniques"?

AdWords and pray.

How would you define "aggressive marketing and brand visibility techniques"?

Mudslinging, economic sabotage, blackmail, intimidation, buy-out, "payola" (aka the "Intel" way). These are the things I can come up with which fall within the Terms and Conditions of the forum.

Thanks for your replies.

Leo, it's interesting that you mentioned the CSC Acceptable Use Agreement. For some reason I have been reading it today. However, I was more focusing on article 5 (rather than the 2b you were probably referring to).

5. Transfers/Competitive Use. [...] You may not use the Site or the Services to advertise, promote, endorse or market, directly or indirectly, any products, services, solutions or other technologies that, in Cisco's sole and absolute discretion, compete with the products, services, solutions or technologies of Cisco.

However, I am not Cisco and cannot know what "Cisco’s sole and absolute discretion" is!


Now that is interesting, especially the words promote and endorse. I wasn't aware of this, better be careful what we say

Jon

So does this mean that:

a.  I can have an abusive opinion of products other than Cisco?  (Yipee-ka-ya!)
b.  This post is invalid because it's a "discussion" about a product other than Cisco?

a. Yes, you can say anything you like about Internet ExploDer!

b. We could ask Dan, but, in any case, I think cisco is a cool giant. By the way, did you read about the latest acquisition of cisco? The news was released in google finance perhaps at approximately the time I was suggesting about something like that happening. I can assure you I had no inside information!

Anyway, I think most of us were luckily cisco-biased enough to avoid the lawsuit!

p.s. You also got points in this thread (mostly from me), so let's keep this thread a secret! If Dan makes it disappear, you will lose your points!

Thanks Mari.

I'm sure your CIO knows more than you.  He should.  But how about asking someone to support something they are not familiar with?  Will they provide technical training?  How about time to "get to know" the product, functions, quirks and pitfalls?  How about the documentations?  What about warranties?  When it comes to IT products it's you-get-what-you-paid-for ... Microsoft is an exception to the rule.

Don't rock the boat, in my humble opinion. If your boss tells you to make a recommendation, make one with the product of their choice and add two more. List the pros and cons about it and let them sort it out. When they buy the product of their choosing and it fails, step back and watch the spectacular fireworks as they go off. 7 out of 10 times, when someone who's got no idea is making the decision, someone pays double (or more) just to correct it.
