Nat

Ahmed_Munaf · December 15, 2015, 6:08pm

Dear All,

We are using cisco for natting, we'd like to change it to another brand like A10 or Citrix.

Please any advice regarding the three brands and what are the advantages and disadvantages for each one?

Regards,

Nick_Ellermann · December 16, 2015, 1:12am

What features and scale do you need? Assume with NAT you are performing some levels of firewall security and serving applications?

Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect

E: nellermann@broadaspect.com
P: 703-297-4639
F: 703-996-4443

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

Hunter_Fuller · December 16, 2015, 1:15am

You are using a Cisco what for NAT? And which products are you considering?

Ahmed_Munaf · December 16, 2015, 10:45am

Yes, we are using ASR1004 for NAT, we are considering A10 or Citrix or F5. we’ve not decided till now!
maybe we change it to another product, if anyone give us a better solution.

this will be used for ISP’s users.

Mark_Tinka1 · December 16, 2015, 4:22pm

The ASR1000 is not a bad large scale NAT device. Are there any specific
issues you are facing with it?

Mark.

Ahmed_Munaf · December 16, 2015, 4:36pm

In addition to the limited concurrent sessions for ASR1000, we are facing some issue with many users how are playing online games! Nat problems!

Ahmed,

Mark_Tinka1 · December 16, 2015, 4:52pm

This could be a function of the size of your ESP.

The 5Gbps ESP can handle 256,000 NAT sessions, while the 200Gbps ESP
will do 4,000,000 NAT sessions with a per-second setup rate of 300,000
sessions.

Of course, it makes little sense to upgrade if you run out of sessions
before you hit the NAT throughput ceiling, so other vendors may be more
commercially palatable.

Mark.

Octavio_Alvarez1 · December 16, 2015, 7:37pm

If you are willing to rephrase it to "we are using Cisco IOS for
NATting, we'd like to change it to another platform or brand", you may
want to take a look at Cisco ASAs. In my opinion those are better
NATters than IOS.

Best regards.

Tony_Wicks · December 16, 2015, 7:46pm

We have the ASR1006 ESP40's handling 25,000+home broadband users running NAT and barely breaking a sweat. What ESP are you using ?

Livingood_Jason · December 16, 2015, 10:38pm

IPv4 NAT!? Free yourself from the tyranny of shared addresses.

http://www.comcast6.net/images/files/revolt.jpg

Jason

On 12/15/15, 1:08 PM, "NANOG on behalf of Ahmed Munaf"
<nanog-bounces+jason_livingood=cable.comcast.com@nanog.org on behalf of

Josh_Reynolds1 · December 16, 2015, 11:25pm

If it were only so easy...

Mark_Andrews2 · December 16, 2015, 11:28pm

+1000000

Nobody should have to be doing NAT today.

We need to make IPv4 painful to use. Adding delay between SYN and SYN/ACK would
be one way to achieve this. Start at 100ms..200ms and increase it by 100ms each year.

Mark

Charles_Monson · December 16, 2015, 11:39pm

We need to make IPv4 painful to use. Adding delay between SYN and
SYN/ACK would
be one way to achieve this. Start at 100ms..200ms and increase it by
100ms each year.

It seems like NAT would be another way to make IPv4 more painful to use.

alvin_nanog · December 16, 2015, 11:49pm

hi folkx

We need to make IPv4 painful to use.

already is too crowded

Adding delay between SYN and SYN/ACK would be one way to achieve this.

<flame suiton>
change tcp windoow size to 1 byte per packet or decrease from 1500 byte
packets, more traffic they use, slower it becomes

instead of zero byte as used in tarpits

Start at 100ms..200ms and increase it by 100ms each year.

some of verizon's shared IPv4 traffic has delays exceeding 3sec
and i seen it exceeding 6sec for simple things like using gmail
thru their network

"delays" are built in automatically ...
- too much spam ..
- too much useless video downloads
- too much useless steaming
- too much useless pix
- too much games

and alll that junk will increase as more people use it

it'd be nice to put these "services" on their own private LAN
and slow just themself down instead of slowing everybody down

pay more $$$ to get better/faster connectivity ...

</flame suiton>
ducking for cover
alvin

Mark_Andrews2 · December 16, 2015, 11:52pm

This doesn't put pain on those that have enough addresses that they don't need
to NAT yet. We need to put some pain onto everyone that is IPv4 only.

Mark

Mel_Beckman · December 17, 2015, 12:14am

Mark,

Why? Why do WE "need" to force people to bend to our will? The market will get us all there eventually.

I don't like what you eat. Lets put a surcharge on it to make you feel pain and do what I want.

-mel beckman

Larry_Sheldon · December 17, 2015, 12:28am

If it is such a good idea, why do you have to do that?

Larry_Sheldon · December 17, 2015, 12:30am

That's what I'm talking about.

But this IS right out of the current government's handbook.

Mark_Andrews2 · December 17, 2015, 12:57am

While we will get us there eventually it will be at the considerably more expensive
for everyone involved. There is also a distinct lack of a working free market in most
of the world. There isn't one in Australia. From what I read there isn't one in most
of the developed nations in the world including the US.

Mark

Bandy_Rush1 · December 17, 2015, 1:22am

We need to put some pain onto everyone that is IPv4 only.

this is the oppress the workers so they will revolt theory. load of
crap.

make ipv6 easier to deploy, especially in enterprise. repeat the
previous sentence 42 times.

what keeps the cows in the pasture is the quality of the grass not
the height of the fence.

randy