November 16, 2011

How to not crash Cisco’s NAT

Maiz is the dormitory of my school, and it hosts around 170 people. As a school of network & telecom, it is only natural that we students manage our own network, and so we do.

However, we suffer from severe bandwidth limitations. Indeed, for many reasons, we can only have a few ADSL lines. Still, we try to give our comrades a decent Internet connection, but with only lousy Netgear modems (see the previous post), it’s quite difficult to get the network to scale up.

So the current challenge is to find modems that will not crash after a few hours or minutes. To give you an idea of the scale, approximately 20 connections are opened each second. We have to reboot the Netgear every 20 minutes in order to keep it alive…

Then we tried a Cisco 1700 with a modem card. It went fine, but it still crashed after a few hours. The reason? Too many NAT entries and no RAM left. And indeed, Cisco’s timeouts are really, really conservative: the default TCP timeout is 24 hours. After setting them to more reasonable values, it seems to work better!

ip nat translation timeout 3
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 3
ip nat translation syn-timeout 10
ip nat translation dns-timeout 3
ip nat translation icmp-timeout 3
ip nat translation max-entries 30000

You’ll note the last line setting the max-entries. Its purpose is not to limit the users, but to have the router refuse new translations before it runs out of memory.
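To see why the timeouts and the cap matter, here is a small model of a NAT translation table that I have added to this post; it is not Cisco code, and it only borrows the numbers above. It ticks once per second, frees translations whose idle timeout has elapsed, and admits new flows up to max-entries. Only the 24-hour TCP default is stated above; the other default timeouts, the 20-connections-per-second traffic mix, the flow classes and the per-flow lifetimes are assumptions of the model. Run over a day of dorm-like traffic, the default policy keeps every half-open TCP flow for the full day and the table grows to hundreds of thousands of entries, while the tuned policy settles at a couple of thousand. A second constructed run, one host leaking 200 half-open connections per second, shows the cap refusing new translations instead of letting the table grow without bound.

```python
"""Toy model of a NAT translation table with per-protocol idle timeouts and a
hard entry cap. Added example, not Cisco code. Only the 86400 s TCP default is
taken from the post; the other defaults, the traffic mix and the per-flow
lifetimes are assumptions of this model."""
import heapq
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Policy:
    """Idle timeouts in seconds, mirroring the `ip nat translation ...` commands."""
    tcp_timeout: int                  # ip nat translation tcp-timeout
    udp_timeout: int                  # ip nat translation udp-timeout
    dns_timeout: int                  # ip nat translation dns-timeout
    finrst_timeout: int               # ip nat translation finrst-timeout
    max_entries: Optional[int] = None  # ip nat translation max-entries (None = unbounded)


# The 86400 s TCP timeout is the default named in the post; the other default
# values are assumed for the model.
IOS_DEFAULT = Policy(tcp_timeout=86400, udp_timeout=300, dns_timeout=60, finrst_timeout=60)
# The values configured in the post.
TUNED = Policy(tcp_timeout=600, udp_timeout=120, dns_timeout=3, finrst_timeout=3,
               max_entries=30000)

SESSION_SECONDS = 5  # assumed duration of a well-behaved TCP session


def lifetime(policy: Policy, flow_class: str) -> int:
    """Seconds a translation stays in the table for each constructed flow class."""
    if flow_class == "tcp_clean":   # closes with FIN; entry lingers finrst-timeout afterwards
        return SESSION_SECONDS + policy.finrst_timeout
    if flow_class == "tcp_stale":   # client vanished mid-session; only the idle timeout frees it
        return policy.tcp_timeout
    if flow_class == "dns":
        return policy.dns_timeout
    if flow_class == "udp":
        return policy.udp_timeout
    raise ValueError(flow_class)


# Constructed load: 20 new connections per second, as in the post, split by class.
DORM_MIX: Dict[str, int] = {"tcp_clean": 13, "tcp_stale": 3, "dns": 3, "udp": 1}
# Constructed abuse case: one host leaking 200 half-open TCP connections per second.
LEAK_MIX: Dict[str, int] = {"tcp_stale": 200}

DAY = 86400


@dataclass
class Result:
    peak_entries: int
    final_entries: int
    refused: int


def simulate(policy: Policy, mix: Dict[str, int], horizon_s: int) -> Result:
    """Tick once per second: free expired translations, then admit new flows
    up to max_entries. Entries are batched as (expiry_time, count) in a heap."""
    heap = []  # min-heap of (expiry_time, count)
    live = peak = refused = 0
    for now in range(horizon_s):
        while heap and heap[0][0] <= now:
            _, n = heapq.heappop(heap)
            live -= n
        for flow_class, per_second in mix.items():
            room = per_second
            if policy.max_entries is not None:
                room = max(0, min(per_second, policy.max_entries - live))
            refused += per_second - room          # translations the router turned away
            if room:
                heapq.heappush(heap, (now + lifetime(policy, flow_class), room))
                live += room
        peak = max(peak, live)
    return Result(peak, live, refused)


if __name__ == "__main__":
    for name, policy in (("IOS default", IOS_DEFAULT), ("tuned", TUNED)):
        r = simulate(policy, DORM_MIX, DAY)
        print(f"{name:12s} dorm mix over 24 h: peak={r.peak_entries} refused={r.refused}")
    r = simulate(TUNED, LEAK_MIX, 2 * 3600)
    print(f"tuned        leak over 2 h:   peak={r.peak_entries} refused={r.refused}")
```

The interesting number is the share of TCP flows that never close cleanly: with a 24-hour idle timeout every one of them occupies an entry for a day, so the table grows linearly for the whole day, which matches the "crashed after a few hours" behaviour. With the 600-second timeout the same flows are recycled every ten minutes, and max-entries only bites in the leak scenario, where refusing translations is the right failure mode compared to running the router out of RAM.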

I can’t wait for IPv6 and for this f*cking NAT to be dead! #optimistic
