Vardata

asked on

Cisco routers and maximum addresses we can NAT

Hi,

We have a customer that is using a 3845 for NAT and is almost at its limit with 55 customers (1 Class C address apparently). Can you recommend another router (preferably Cisco) that can NAT more?

Thanks,
Matt
Don Johnston

Why do you think that you're at the limit?

There is no "limit" on the number of addresses a router can NAT.
Vardata

ASKER

Sorry, I should have worded that better... the CPU utilization is at 75% with that many users doing NAT. Our DRAM is maxed at 1GB.
Vardata

ASKER

I attached the CPU history. The 72-hour graph shows some spikes into the 90% range and a fair amount of max readings in the 50-70% range. Is this normal, or do you think there should be concern with the spikes? I also had them run a 'show processes' command and there weren't any processes that were greater than 10%. Again, these are only performing NAT on ~70 customers.



natrter2#show process cpu history
 
natrter2   02:36:00 PM Thursday Jan 15 2015 UTC
 
 
    111222221111122222111112222211111222224444433333444443333333
    555777777777722222888889999999999000000000011111444446666699
100
 90
 80
 70
 60
 50
 40                                       *****     ************
 30    *****               *****          **********************
 20 ************************************************************
 10 ************************************************************
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)
 
 
    423232234222323433233234222233443333432233433332233443434424
    490202343656084423446612945723044517038558033037925121242430
100
 90
 80
 70
 60
 50
 40 *       *      #    *  *      ** * **   **#       *** * ** *
 30 #** *  ********##* *#**** **######*###**#######**########* *
 20 ############################################################
 10 ############################################################
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%
 
 
    465664232242444676678746445653622133456988875576665555432312226889668654
    818864849151008715002700345984557550159324869814262662052295332580050985
100
 90                                        *  *                    ***
 80                     **                 *****                   ***  *
 70    **          *** ***     *  *       ******  *  *             *** ***
 60  ****          ******* *  *** *      ************* **         *###*****
 50 *****     *   ******** *  *** *      **###************        *###******
 40 ******    * ********#******** *   * ***#####************      *###**#***
 30 **###**** * ***#######*****#***** ****######************ * *  #####*##**
 20 #####********#########*##*###********#################********##########
 10 ########**#*####################**#*###################*******##########
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
             0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%
Definitely some spiking going on.  I assume that you've looked at the CPU utilization detail and that's how you determined it's a NAT issue, right?

What speed is your internet connection?  And do you have a firewall inline?
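To answer "is this normal?" from the graphs above without eyeballing them, it helps to decode the digit rows (per-bucket maximum) and the '#' bars (per-bucket average) of 'show processes cpu history'. The following parser is an added example, not code from this thread or from Cisco; it runs on a constructed ten-bucket sample in the same layout, ignores the stray blank lines that pasting introduces (as in the second set of graphs in this thread), and reports which buckets spiked and how many were sustained above a level.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the layout of 'show processes cpu history': ten one-minute buckets,
# two digit rows (tens, then ones) giving each bucket's maximum, '*'/'#' bars below.
SAMPLE = """\
    1234567899
    0505050505
100
 90         **
 80        ***
 70       ****
 60      *****
 50     ****##
 40    ***####
 30   **######
 20  *########
 10 ##########
   0....5....1
             0
               CPU% per minute (last 10 minutes)
              * = maximum CPU%   # = average CPU%
"""

@dataclass
class CpuGraph:
    unit: str            # "second", "minute" or "hour"
    max_pct: list[int]   # per-bucket maximum, decoded from the digit rows
    avg_pct: list[int]   # per-bucket average, floored to the 10% row of the '#' bars

    def spikes(self, threshold: int = 90) -> list[int]:
        """Bucket indices (0 = leftmost/oldest) whose maximum reached the threshold."""
        return [i for i, v in enumerate(self.max_pct) if v >= threshold]

    def sustained(self, level: int = 50) -> int:
        """How many buckets had an average bar at or above the given level."""
        return sum(1 for v in self.avg_pct if v >= level)

DIGIT_ROW = re.compile(r"^ {4}(\d+)$")               # 4-space indent, digits only
BAR_ROW = re.compile(r"^\s*(\d{2,3})(?: (.*))?$")    # " 40 ****##..." or a bare "100"
TITLE = re.compile(r"CPU% per (\w+) \(last \d+ \w+\)")

def parse_cpu_history(text: str) -> list[CpuGraph]:
    """Parse every graph in the command output; blank lines from pasting are ignored."""
    graphs, digit_rows, bar_rows = [], [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := DIGIT_ROW.match(line):
            digit_rows.append(m.group(1))
        elif (m := BAR_ROW.match(line)) and 10 <= int(m.group(1)) <= 100:
            bar_rows[int(m.group(1))] = m.group(2) or ""
        elif (m := TITLE.search(line)) and digit_rows:
            graphs.append(_build(m.group(1), digit_rows, bar_rows))
            digit_rows, bar_rows = [], {}
    return graphs

def _build(unit: str, digit_rows: list[str], bar_rows: dict[int, str]) -> CpuGraph:
    width = max(len(r) for r in digit_rows)
    top = len(digit_rows) - 1  # the top digit row is the most significant place
    max_pct = [sum(int(row[i]) * 10 ** (top - k) for k, row in enumerate(digit_rows) if i < len(row))
               for i in range(width)]
    avg_pct = [max((r for r, bar in bar_rows.items() if i < len(bar) and bar[i] == "#"), default=0)
               for i in range(width)]
    return CpuGraph(unit, max_pct, avg_pct)
```

Feeding it the three graphs pasted above gives one CpuGraph each (per second, per minute, per hour); the per-hour spikes() list shows which of the 72 hours hit the 90% range the asker is worried about.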
Vardata

ASKER

The only reason I mentioned NAT was because it's the only thing this box is doing. When I ran the 'sh processes cpu' there weren't any services over 10%. Of course, that wasn't during a spike either.

Do you know of a command to show a history of the processes like the 'sh processes cpu history' command shows? I'm not sure about the firewall. I will ask and let you know. Thanks for your help so far... much appreciated.
No, I don't think there's a command that lets you see the history of individual processes.

I've always checked during the spikes.
Vardata

ASKER

OK, thank you for the quick response! Wasn't sure if maybe a newer IOS version had that command.

Do you think the spikes could be due to a virus somewhere on the network? Any other commands you think would be beneficial to run?
Vardata

ASKER

After further discussion with the customer, they also have a Sup720-3b in a 6500 performing NAT. This also has spikes in CPU performance into the 90% level more often than the 3845's. We were going to take them to a gig of DRAM, but they are now looking into purchasing a Linux server to perform NAT. Not familiar with this and was wondering if you had any experience with this? He is quite concerned, and after looking at the CPU history on his Sup I can understand. I have his config if that would help shed some light on the issue. Any feedback is appreciated.

4163457002865807181947886722966776866199141405835339036975
100
 90                       *
 80                       *
 70        *   ****** *   **  **        *    *             ****
 60    ****************** ******* ******** ***#** ** * *** *#**
 50  ***#########################*###*###########**###*#*######
 40  ##########################################################
 30  ##########################################################
 20  ##########################################################
 10  ##########################################################
    0....5....1....1....2....2....3....3....4....4....5....5....
              0    5    0    5    0    5    0    5    0    5
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%

     8778543323456789787665565666653334446788889766677966555433556899785665
     7671964678556880387598619009326281091164005395954215332024382750106305
100                                            *                   *
 90  *             ** *                    *   *      *           ***
 80  ****         *** **                   *****    * *           *** *
 70  ****        *********      *         ************* *         *****
 60  *****      ******************       ****************       ***********
 50  ###***    ****##**************     ****###*******#*****   ************
 40  ####** * ****######*****#****** *****###############****  **######*#**
 30  #####******##################******###################*****###########
 20  ######################################################################
 10  ######################################################################
    0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
              0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%
ASKER CERTIFIED SOLUTION
Don Johnston

Vardata

ASKER

Sorry Don... I'm down a guy in our lab and I have been busy keeping up. I agree that there has to be something else going on. Currently he has no firewall inline with the router. I do not know the connection speed, but will ask him. The 6500 has more than 55 users, but certainly not so many that it should be spiking like it is. I do have the configs on the 6500s and will forward them to you as soon as I get the IPs and other private info masked. I will also get the 3845 configs. Thanks again for your input. It's much appreciated.
Vardata

ASKER

Don,

Attached is the config of the 6500. Waiting on the 3845 config from customer.

BTW, they are looking into a router from a mfg I have not heard of... Routerboard? Specifically this model: CCR1036-12G-4S. According to the specs it can do 24 million pps. Any experience with this platform?
6500Config.txt
I don't see anything on the 6500 config that could cause performance issues.  But... I have never seen that many secondary IP addresses on an interface before.  I know there is no theoretical limit on the number of secondary addresses but 75 seems a bit excessive. :-)

That could be the cause but I really can't say since I've never seen more than 3 secondary addresses on an interface.

Never heard of Routerboard. They appear to be a Latvian company that was established in 1995.  But there doesn't seem to be much about them until around 2008.  As for a $1,100 router that has 24mpps?  Anything is possible... I guess.  I don't think that I would be comfortable recommending this product to any of my consulting customers.
Vardata

ASKER

Hi Don,

Sorry it took me so long, but here is the config on the 3845. Response from the customer regarding the connection speed:

"this cisco 3845 is connected at 1 gig --- but is processing peak traffic of about 35 Meg."

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.02.11 11:57:31 =~=~=~=~=~=~=~=~=~=~=~=
show run
Building configuration...

Current configuration : 10645 bytes
!
! Last configuration change at 11:52:00 UTC Tue Jan 20 2015
! NVRAM config last updated at 11:52:04 UTC Tue Jan 20 2015
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime
no service password-encryption
!
hostname natrter2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$tmRv$g90CrlyAnti/1414BT6Ne/
enable password open4btc
!
no aaa new-model
clock timezone UTC -7
clock summer-time UTC recurring
dot11 syslog
 --More--         !
!
ip cef
!
!
ip name-server xxx.168.40.6
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
mls qos map cos-dscp 0 10 16 26 32 46 48 56
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
 --More--         !
!
!
!
!
!
!
!
!
!
!
!
username btc secret 5 $1$AsIw$Sz/Yydjzq2G8UcaT0SQ5P0
username dp secret 5 $1$ICCg$iTfTvOavQjTLkvBkEDrwQ.
archive
 log config
  hidekeys
!
!
!
!
!
class-map match-any AutoQoS-VoIP-Remark
 --More--          match ip dscp ef
 match ip dscp cs3
 match ip dscp af31
 match ip dscp af11
class-map match-any AutoQoS-VoIP-Control-UnTrust
 match access-group name AutoQoS-VoIP-Control
 match protocol rtcp
class-map match-any AutoQoS-VoIP-RTP-UnTrust
 match access-group name AutoQoS-VoIP-RTCP
!
!
policy-map AutoQoS-Policy-UnTrust
 class AutoQoS-VoIP-RTP-UnTrust
  priority percent 10
 class AutoQoS-VoIP-Control-UnTrust
  bandwidth percent 10
 class class-default
  fair-queue
!
!
!
!
!
 --More--         interface Loopback0
 ip address 10.3.3.8 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 service-policy output AutoQoS-Policy-UnTrust
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address xxx.168.40.8 255.255.255.224
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.2
 --More--          encapsulation dot1Q 2
 ip address 10.235.2.1 255.255.255.0 secondary
 ip address 10.235.1.1 255.255.255.0
 ip access-group 111 out
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip policy route-map NAT
 no ip mroute-cache
 arp timeout 1200
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
router ospf 8
 log-adjacency-changes
 network 10.235.1.0 0.0.0.255 area 1
 network xxx.168.40.0 0.0.0.255 area 0
 --More--         !
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.168.40.1
ip route 10.235.1.18 255.255.255.255 xxx.168.68.101
ip route 10.235.2.9 255.255.255.255 xxx.168.40.23
ip route 10.235.2.13 255.255.255.255 xxx.168.40.84
ip route 10.235.254.0 255.255.255.0 xxx.168.40.2
ip route 10.236.1.0 255.255.255.0 xxx.168.68.102
ip route 10.236.2.0 255.255.255.0 xxx.168.68.102
ip route 10.237.2.9 255.255.255.255 xxx.168.40.23
ip route 10.237.2.13 255.255.255.255 xxx.168.40.84
ip route 10.243.1.0 255.255.255.0 xxx.168.40.9
ip route 10.247.1.0 255.255.255.0 xxx.168.68.100
ip route 10.247.2.0 255.255.255.0 xxx.168.68.100
ip route 172.31.1.0 255.255.255.0 xxx.168.41.182
ip route xxx.168.40.0 255.255.255.0 GigabitEthernet0/0.1
ip route xxx.168.40.6 255.255.255.255 GigabitEthernet0/0.1
ip route xxx.168.40.80 255.255.255.248 xxx.168.40.81
ip route xxx.168.40.80 255.255.255.248 xxx.168.40.1
ip route xxx.168.40.160 255.255.255.224 xxx.168.40.2
ip route xxx.168.41.4 255.255.255.252 xxx.168.40.2
ip route xxx.168.41.24 255.255.255.252 xxx.168.40.74
ip route xxx.168.41.108 255.255.255.252 xxx.168.40.2
 --More--         ip route xxx.168.41.116 255.255.255.252 xxx.168.40.2
ip route xxx.168.41.180 255.255.255.252 xxx.168.41.181
ip route xxx.168.41.180 255.255.255.252 xxx.168.40.2
ip route xxx.168.41.184 255.255.255.252 xxx.168.40.2
ip route xxx.168.41.208 255.255.255.240 xxx.168.40.4
ip route xxx.168.42.40 255.255.255.248 xxx.168.40.2
ip route xxx.168.68.0 255.255.255.0 xxx.168.40.1
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 1
ip flow-export source GigabitEthernet0/0.1
ip flow-export version 5
ip flow-export destination xxx.118.14.30 2058
!
ip http server
no ip http secure-server
ip nat translation tcp-timeout 150
ip nat translation udp-timeout 60
ip nat translation icmp-timeout 45
ip nat pool btcw xxx.168.43.81 xxx.168.43.82 netmask 255.255.255.252
ip nat inside source list 110 pool btcw overload
!
ip access-list extended AutoQoS-VoIP-RTCP
 --More--          permit udp any any range 16384 32767
!
access-list 4 permit xxx.168.40.0 0.0.0.255
access-list 4 permit xxx.168.41.0 0.0.0.255
access-list 4 permit xxx.168.43.0 0.0.0.255
access-list 4 permit xxx.168.42.0 0.0.0.255
access-list 4 permit xxx.168.44.0 0.0.0.255
access-list 99 remark < prohibit unauthorized access >
access-list 99 permit xxx.168.40.0 0.0.0.255
access-list 99 permit xxx.168.41.0 0.0.0.255
access-list 99 permit xxx.168.68.0 0.0.0.255
access-list 110 permit ip 10.235.1.0 0.0.0.255 any
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any eq ftp any
access-list 111 permit udp any any eq 1023
access-list 111 permit tcp any any eq 1723
access-list 111 permit udp any any eq 1723
access-list 111 permit icmp xxx.168.40.0 0.0.0.255 any
access-list 111 permit udp xxx.168.40.0 0.0.0.255 any
access-list 111 permit icmp xxx.168.41.0 0.0.0.255 any
access-list 111 permit udp xxx.168.41.0 0.0.0.255 any
access-list 111 permit icmp xxx.168.42.0 0.0.0.255 any
access-list 111 permit udp xxx.168.42.0 0.0.0.255 any
 --More--         access-list 111 permit icmp xxx.168.43.0 0.0.0.255 any
access-list 111 permit udp xxx.168.43.0 0.0.0.255 any
access-list 111 permit udp any xxx.168.40.0 0.0.0.255
access-list 111 permit ip host 72.166.82.62 any
access-list 111 permit tcp any any eq 443
access-list 111 permit udp any any eq 443
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any time-exceeded
access-list 111 permit tcp any any eq 500
access-list 111 permit ip any 10.242.2.0 0.0.0.255
access-list 111 remark <   SIP VOIP ports>
access-list 111 permit udp any any range 5060 5080
access-list 111 permit tcp any any range 5060 5080
access-list 111 remark <   Deny RFC 1918>
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any
access-list 111 deny   ip host 0.0.0.0 any
access-list 111 remark <   DNS Amplification Exploited ports>
access-list 111 deny   tcp any any eq domain
access-list 111 remark <   Exploited ports>
access-list 111 deny   tcp any any eq smtp
access-list 111 deny   udp any any eq 25
access-list 111 deny   udp any any eq tftp
access-list 111 deny   tcp any any eq 135
 --More--         access-list 111 deny   udp any any eq 135
access-list 111 deny   tcp any any eq 137
access-list 111 deny   udp any any eq netbios-ns
access-list 111 deny   udp any any eq netbios-dgm
access-list 111 deny   tcp any any eq 138
access-list 111 deny   tcp any any eq 139
access-list 111 deny   udp any any eq snmp
access-list 111 deny   udp any any eq snmptrap
access-list 111 deny   udp any any eq netbios-ss
access-list 111 deny   tcp any any eq 193
access-list 111 deny   tcp any any eq 445
access-list 111 deny   tcp any any eq 587
access-list 111 deny   tcp any any eq 593
access-list 111 deny   tcp any any eq 707
access-list 111 deny   udp any any range 995 999
access-list 111 remark <   added Jan 29>
access-list 111 deny   udp any any eq 1389
access-list 111 deny   udp any any eq 2983
access-list 111 remark <  end  added Jan 29>
access-list 111 remark < deny Bittorrent P2P downloads>
access-list 111 deny   tcp any any range 1027 1039
access-list 111 deny   tcp any any eq 1040
access-list 111 deny   tcp any any eq 1111
 --More--         access-list 111 deny   tcp any any eq 1143
access-list 111 deny   tcp any any eq 1293
access-list 111 deny   tcp any any eq 1303
access-list 111 deny   tcp any any eq 1426
access-list 111 deny   tcp any any eq 1842
access-list 111 deny   tcp any any eq 1900
access-list 111 deny   tcp any any eq 1955
access-list 111 deny   tcp any any eq 2084
access-list 111 deny   tcp any any eq 2085
access-list 111 deny   tcp any any eq 2086
access-list 111 deny   tcp any any eq 2087
access-list 111 deny   tcp any any eq 2088
access-list 111 deny   tcp any any eq 2089
access-list 111 deny   tcp any any eq 2754
access-list 111 deny   tcp any any eq 3410
access-list 111 deny   tcp any any eq 3826
access-list 111 deny   tcp any any eq 4444
access-list 111 deny   tcp any any eq 4540
access-list 111 deny   tcp any any eq 5370
access-list 111 deny   tcp any any eq 6881
access-list 111 deny   tcp any any eq 6882
access-list 111 deny   tcp any any eq 6883
access-list 111 deny   tcp any any eq 6884
 --More--         access-list 111 deny   tcp any any eq 6885
access-list 111 deny   tcp any any eq 6886
access-list 111 deny   tcp any any eq 6887
access-list 111 deny   tcp any any eq 6888
access-list 111 deny   tcp any any eq 6969
access-list 111 deny   tcp any any eq 17148
access-list 111 deny   tcp any any eq 18656
access-list 111 deny   tcp any any eq 22276
access-list 111 deny   tcp any any eq 25675
access-list 111 deny   tcp any any eq 29249
access-list 111 deny   tcp any any eq 32100
access-list 111 deny   tcp any any eq 32851
access-list 111 deny   tcp any any eq 35415
access-list 111 deny   tcp any any eq 40743
access-list 111 deny   tcp any any eq 43356
access-list 111 deny   tcp any any eq 44789
access-list 111 deny   tcp any any eq 45807
access-list 111 deny   tcp any any eq 46059
access-list 111 deny   tcp any any eq 46984
access-list 111 deny   tcp any any eq 48195
access-list 111 deny   tcp any any eq 48716
access-list 111 deny   tcp any any eq 51236
access-list 111 deny   tcp any any eq 51760
 --More--         access-list 111 deny   tcp any any eq 54027
access-list 111 deny   tcp any any eq 54312
access-list 111 deny   tcp any any eq 55289
access-list 111 deny   tcp any any eq 58719
access-list 111 deny   tcp any any eq 62020
access-list 111 remark < end Bittorrent>
access-list 111 deny   udp any any eq 1900
access-list 111 deny   udp any any eq 8998
access-list 111 deny   udp any any eq 16470
access-list 111 deny   udp any any eq 16464
access-list 111 deny   udp any any eq 16465
access-list 111 deny   udp any any eq 16471
access-list 111 deny   udp any any eq 51236
access-list 111 deny   udp any any eq 59355
access-list 111 permit ip any any
snmp-server community fonehm2btc RO
snmp-server community 4novam2get RO
snmp-server host xxx.118.1.20 4novam2get
snmp-server host xxx.118.14.30 4novam2get
snmp-server host xxx.168.40.23 fonehm2btc
snmp-server host xxx.168.40.27 fonehm2btc
!
!
 --More--         !
route-map NAT permit 10
 match ip address 110
 set ip next-hop 10.3.3.2
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 access-class 99 in
 --More--          password open4btc
 login
!
scheduler allocate 20000 1000
ntp clock-period 17180393
ntp server xxx.168.40.6 version 2
!
end

natrter2#               exit
I don't see anything in the router config that would cause any performance problems.
Vardata

ASKER

Hey Don,

I'm going to ask him to put a firewall inline to see if we can determine what is wreaking havoc with his routers. Hopefully this will shed some light on what is going on. I'm going to close this post and give you the points. If you want, I will keep you informed as to what happens. Thank you for all your efforts. They are much appreciated!