Cheap LSN/CGN/NAT444 Solution

Tony Wicks tony at
Mon Jun 30 21:28:19 UTC 2014

I run ASR1k6's ESP40/RP2 with 10-15k BNG clients on each running full CGNAT.
Translations peak at about 250k per 10K users. The ESP40 can handle 2M
translations, so there is plenty of room to run them up to 32k users without
having to be concerned (64k in an emergency). I have been running this
configuration for 2+ years in production and never had any issue with
getting anywhere near close to having a performance issue. Now incoming DDoS
attacks are another matter; they are a lot more common and damaging with the
CGNAT as you need to remove the destination IP from your nat pool for the

If you were doing your CGNAT on an older 72xx or similar CPU-based box, well
then all bets are off, I would expect available NAT table resource to be
very easy to exhaust.

-----Original Message-----
From: NANOG [mailto:nanog-bounces at] On Behalf Of Roland Dobbins
Sent: Monday, 30 June 2014 10:12 p.m.
To: nanog at list
Subject: Re: Cheap LSN/CGN/NAT444 Solution

On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony at> wrote:

> From experience (we ran out of IPv4 a long time ago in the APNIC region)
> this is not needed,

I've seen huge problems from compromised machines completely killing NATs
from the southbound side.

> what is needed however is session timeouts. 

This can help, but it isn't a solution to the botted/abusive machine
problem.  They'll just keep right on pumping out packets and establishing
new sessions, 'crowding out' legitimate users and filling up the
state-table, maxing the CPU.  Embryonic connection limits and all that stuff
aren't enough, either.

