An ISR Router that can handle 1000+ simultaneous NAT

husycisco
Level 7

Hello,

Due to the limitations of the BPL devices we use in our ISP backbone, we have to handle Network Address Translations centrally. At our perimeter point, we need a router that can

1) Terminate MetroEthernet at outside FastEthernet interface (Easy)

2) Perform well in router-on-a-stick scenario for 32 VLANs at inside interface (**)

3) Handle Network Address Translations for about 1000+ clients (**)

4) Perform IPS and Firewall

** -> I detached a Cisco 2651XM with latest IOS, configured as router-on-a-stick, router from a location where 500+ NATs were occurring and CPU was hitting 100% and rendering the device unresponsive. This issue might be occurring because of these ** mentioned points above. I attached a simple device called Netasq that runs on FreeBSD platform, configured same, and it performs great with 4% CPU. Maybe it was a bug, I called TAC but it was EOL, opened a topic in NetPro but no solution.

Waiting for suggestions

Thanks
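Before sizing a replacement for the "1000+ simultaneous NAT" requirement above, it helps to know how many translations the current box is actually carrying and which inside hosts account for them. The script below is an added example, not code from this thread or from Cisco: it parses text in the layout of the IOS `show ip nat translations` command, counts active translations per inside-local address, and reports how much of an assumed per-device translation budget is in use. The sample output is constructed (documentation address ranges, not captured from a real router), and the 1000-entry budget in `utilization()` is an assumption standing in for whatever limit the chosen platform documents.

```python
"""Count simultaneous NAT translations from text in 'show ip nat translations' layout."""
import re
from collections import Counter

# Constructed sample in the IOS 'show ip nat translations' column layout.
# Addresses are RFC 5737 documentation ranges; nothing here was captured
# from a real device.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1025   10.1.10.20:1025    198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1026   10.1.10.20:1026    198.51.100.7:443   198.51.100.7:443
udp 203.0.113.5:5000   10.1.11.31:5000    198.51.100.9:53    198.51.100.9:53
tcp 203.0.113.5:1027   10.1.11.31:1027    198.51.100.7:80    198.51.100.7:80
icmp 203.0.113.5:512   10.1.12.40:512     198.51.100.1:512   198.51.100.1:512
--- 203.0.113.6        10.1.12.41         ---                ---
"""

# Five whitespace-separated columns: Pro, Inside global, Inside local,
# Outside local, Outside global.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _strip_port(addr):
    """'10.1.10.20:1025' -> '10.1.10.20'; bare addresses and '---' pass through."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def parse_translations(text):
    """Return one dict per translation line; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Pro "):
            continue
        m = LINE_RE.match(line)
        if not m:
            # Unexpected layout: leave the line out rather than miscount it.
            continue
        proto, inside_global, inside_local, _outside_local, outside_global = m.groups()
        entries.append({
            "proto": proto,
            "inside_local_ip": _strip_port(inside_local),
            "inside_global_ip": _strip_port(inside_global),
            "outside_global_ip": _strip_port(outside_global),
            # '---' in the Pro column marks a static mapping rather than a
            # dynamically created session entry.
            "dynamic": proto != "---",
        })
    return entries


def translations_per_inside_host(entries):
    """Active dynamic translations per inside-local address (top talkers first)."""
    return Counter(e["inside_local_ip"] for e in entries if e["dynamic"])


def utilization(entries, table_limit):
    """Fraction of an assumed translation budget in use (may exceed 1.0)."""
    return len(entries) / table_limit


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE_OUTPUT)
    # 1000 is an assumed budget, not a documented limit of any platform.
    print(f"{len(parsed)} translations, {utilization(parsed, 1000):.1%} of a 1000-entry budget")
    for host, n in translations_per_inside_host(parsed).most_common(3):
        print(f"{host:16} {n}")
```

Run it against saved output from a busy period rather than a quiet one; a handful of hosts holding hundreds of translations each (typical of peer-to-peer clients) is the usual reason a table fills long before the client count suggests it should.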


Leo Laohoo
Hall of Fame

Take me for example.  A few months ago, our team was asked to design the LAN/WAN for a new building.  Fair enough.  We designed one based on what was required and price.  We submitted the design and quote for the equipment and didn't hear from upper management for a few weeks.

Next thing we know I get a call and was told to receive equipment for the project.  Okey dokey.  When I saw the delivery docket, my jaw dropped.  All the equipment that arrived was the wrong models:  The ones that arrived were a few notches down.  We designed the LAN to be able to do QoS and we got ones that WOULDN'T do QoS.  We designed the LAN to require PoE and we got switches that can only do 8 ports PoE.

How did this happen?  Apparently, someone from the food chain decided otherwise.  The retard asked the authorized Cisco reseller for the cheapest price for the particular model and got it.  This soon-to-be-deceased person didn't go through the requirement and didn't go through the proper channel and ordered me 50 units of useless equipment.   Come Monday morning, I'm taking one of the useless units out of the box, walking over to his office and beating-the-livin'-cr@p out of him.

(Okey, okey, okey.  I promised my parole officer to calm down.  I'll just gingerly walk over to his office and spike his coffee with ex-Lax!)

It all boils down to someone who can't tell the difference between a loaf of bread and a fried chicken being asked to do a job outside his IQ range.  Price has got nothing to do with this.  There are things FreeBSD can do and Cisco can't.  But there are things Cisco can do that FreeBSD can't.  But when things start falling apart, you reap what you sow.

Leo, you are probably right that price has nothing to do with the answer to the question which device can do NAT better. Still, I do not see any reason why IOS cannot do NAT from an operating system perspective. First of all, it obviously can, since it does it. Second, it's not like I've put IOS in my notebook and try to use it to post to this forum. [My notebook came with XP (hehe). Could have been Vista, but in my country we say 'ta vista svista', which means 'erase the vista' (hehe). I also have ubuntu installed, but honestly I use any OS that fits purpose, no problem with that (hehe), although I might have preferred the IOS look and feel (hehe)]. I tend to agree with Peter's original post on this point. That is, this is a matter of hardware and not software. Bugs are part of the ecosystem, but, assuming an ideal world without cockroaches, a high performance CPU, caches, plenty of memory, high performance bus or even switched internal interconnect are hard(ware) things to beat, no matter which operating system you are using. My notebook might do NAT better than an old cisco device model and costs less than 400 euros. I think this is an unfair comparison since hardware technology evolves (when also boosted by wide audience sales) and the expensive coolest device of the present becomes the legacy thing of the future (that's why I don't have cool gadgets). Also, what kind of OS you put in an embedded device depends on many factors. We had VxWorks (or even no OS), then embedded Linux came. But then again, it all comes down back to price and not OS quality, and we wanted to avoid the price discussion.

By the way, why do you people still do NAT? In Networkers 2008 I've heard IPv6 is a necessity because we are running out of addresses. In 2009 they pushed it a little bit and said that if you want to stay within competition, offer new services, generate revenue, etc (always nice to hear this kind of stuff, very entertaining) in this financial situation, you must go with IPv6. I guess this year they will say that you either do IPv6 or die. I always love it when people are trying to sell stuff to me. They make me feel a real consumer and I was having some doubts about this aspect of my personality.

glennbronson
Level 1

Does anyone know how many simultaneous nat translations a low end device such as a Cisco RV016 supports?

I know this is a low end device but I see no reason that with a typical allocation of 220 bytes per entry and modern CPUs this RV016 could not support 500 to 1000 easily.

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/792_pp.htm#wp39411

Any reasonable device should support 500 to 1000. I believe a Linux box would do it effortlessly up to 100 Mbits/second but I would prefer a Cisco router.

Am I way off on this?

RV routers are not true Cisco routers, try asking in "small business - routers".
