From experience (we ran out of IPv4 a long time ago in the APNIC region)
I run ASR1k6's ESP40/RP2 with 10-15k BNG clients on each running full CGNAT. Translations peak at about 250k per 10K users. The ESP40 can handle 2M translations, so there is plenty of room to run them up to 32k users without having to be concerned (64k in an emergency). I have been running this configuration for 2+ years in production and have never had any issue with getting anywhere near close to a performance problem.

Now incoming DDOS attacks are another matter; they are a lot more common and damaging with the CGNAT, as you need to remove the destination IP from your NAT pool for the duration.

If you were doing your CGNAT on an older 72xx or similar CPU-based box, well then all bets are off; I would expect available NAT table resource to be very easy to exhaust.

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Roland Dobbins
Sent: Monday, 30 June 2014 10:12 p.m.
To: nanog@nanog.org list
Subject: Re: Cheap LSN/CGN/NAT444 Solution

On Jun 30, 2014, at 4:53 PM, Tony Wicks <tony@wicks.co.nz> wrote:

> this is not needed,

I've seen huge problems from compromised machines completely killing NATs from the southbound side.

> what is needed however is session timeouts.

This can help, but it isn't a solution to the botted/abusive machine problem. They'll just keep right on pumping out packets and establishing new sessions, 'crowding out' legitimate users and filling up the state-table, maxing the CPU. Embryonic connection limits and all that stuff aren't enough, either.
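The exchange above is about how a shared CGNAT translation table behaves when one compromised subscriber keeps opening new sessions. The following simulation is an added example, not part of the thread or any vendor's code: it models a toy table with a fixed slot capacity, an idle timeout that reclaims slots, and an optional per-subscriber cap on live translations (a common CGNAT control assumed here for illustration; the thread itself does not describe it). All capacities, rates and user counts are constructed. Running it shows the point Roland makes: a shorter timeout raises the rate an abusive host needs to fill the table but does not change the outcome once it gets there, whereas a per-subscriber cap confines the damage to that subscriber's own quota.

```python
"""Toy CGNAT state-table simulation (added example, constructed numbers)."""
from collections import defaultdict, deque


class NatTable:
    """One slot per flow; idle slots are reclaimed after idle_timeout ticks;
    per_subscriber_limit (assumed control) caps live slots per subscriber."""

    def __init__(self, capacity, idle_timeout, per_subscriber_limit=None):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.per_subscriber_limit = per_subscriber_limit
        self.live = deque()              # (created_at, subscriber), oldest first
        self.per_sub = defaultdict(int)  # live slots held by each subscriber
        self.refused = defaultdict(int)  # flows each subscriber failed to open
        self.peak = 0                    # highest occupancy seen

    def expire(self, now):
        # Flows are modelled as going idle the moment they are created (the
        # worst case for the table), so creation order is also idle order.
        while self.live and now - self.live[0][0] >= self.idle_timeout:
            _, sub = self.live.popleft()
            self.per_sub[sub] -= 1

    def new_flow(self, now, subscriber):
        limit = self.per_subscriber_limit
        if limit is not None and self.per_sub[subscriber] >= limit:
            self.refused[subscriber] += 1   # subscriber hit its own quota
            return False
        if len(self.live) >= self.capacity:
            self.refused[subscriber] += 1   # whole table is full
            return False
        self.live.append((now, subscriber))
        self.per_sub[subscriber] += 1
        self.peak = max(self.peak, len(self.live))
        return True


def simulate(capacity, idle_timeout, per_subscriber_limit=None, ticks=200,
             legit_users=100, legit_rate=1, bot_rate=200):
    """Run the table for `ticks` seconds: legit_users each open legit_rate
    flows/s, and one compromised subscriber ('bot') opens bot_rate flows/s.
    Returns refusal counts for legitimate users and the bot, plus peak use."""
    table = NatTable(capacity, idle_timeout, per_subscriber_limit)
    for now in range(ticks):
        table.expire(now)
        for user in range(legit_users):
            for _ in range(legit_rate):
                table.new_flow(now, f"user{user}")
        for _ in range(bot_rate):
            table.new_flow(now, "bot")
    legit_refused = sum(n for sub, n in table.refused.items() if sub != "bot")
    return {"legit_refused": legit_refused,
            "bot_refused": table.refused["bot"],
            "peak": table.peak}


if __name__ == "__main__":
    # Constructed scenario: 10k-slot table, 100 legitimate users at 1 flow/s.
    print("60 s timeout, bot 200 flows/s:   ", simulate(10_000, 60))
    print("10 s timeout, bot 200 flows/s:   ", simulate(10_000, 10))
    print("10 s timeout, bot 2000 flows/s:  ", simulate(10_000, 10, bot_rate=2000))
    print("60 s timeout, cap 500/subscriber:", simulate(10_000, 60, per_subscriber_limit=500))
```

With the 60 s timeout the bot alone would hold 12,000 slots at steady state, so the table saturates and legitimate users start being refused; cutting the timeout to 10 s keeps occupancy at 3,000 until the bot simply opens flows ten times faster, at which point legitimate users are crowded out again. The per-subscriber cap keeps the bot at 500 slots and the table at 6,500, so only the abusive subscriber sees refusals.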