I have a Cisco 7513 and then I have four Cisco 3640s out in the field hanging off the 7513 via serial ports. Each Cisco 3640 has 4 T1s feeding to the 7513. Just last week I took NAT off the Cisco 3640s (due to high CPU usage) and added one big NAT pool on the 7513; all traffic from the 3640s feeds into this one NAT pool on the 7513 and then out my 100 Meg pipe to the internet. I have about 2000 high speed internet customers running off these 3640s. Before I enabled NAT on the 7513 my CPU ran about 30%; now that I have NAT running the CPU will sit at about 85%. This is how I have NAT configured:
ip nat translation timeout 900
ip nat translation tcp-timeout 3600
ip nat pool RAT-OVLD 188.8.131.52 184.108.40.206 prefix-length 24
ip nat inside source list 7 pool RAT-OVLD overload
access-list 7 permit 10.0.0.0 0.0.3.255
access-list 7 permit 192.168.2.0 0.0.0.255
access-list 7 permit 10.1.0.0 0.0.3.255
access-list 7 permit 10.0.4.0 0.0.3.255
Is there a better way to configure NAT?
Here is a show process CPU:
CPU utilization for five seconds: 78%/65%; one minute: 75%; five minutes: 78%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
A NAT session takes up a certain amount of RAM and consumes a certain amount of CPU. Putting 2000 customers, each one doing a lot of connections, naturally puts quite a strain on your router, and there's not much you can do about that.
Now, what you can do is try to minimize the number of NAT sessions and thereby the load on your CPU.
Lower the timeouts; this way old sessions won't be in your way for as long.
I administer, among other things, a school with a 1605 (quite far from a 7513 but anyway), we had about 2500 NAT sessions going through it, the CPU was at a constant 85%. I took a look at what was actually going through (show ip nat translations) and found out that 70% of the traffic was virus related. By using a simple access list the CPU usage was lowered to about 35%.
Check yours too, just to get a better view of what is causing the load.
Lastly, upgrade your routers.
Your previous setup seemed like a better choice if you ask me. Split up your clients and put them on smaller routers, each one taking care of NAT, then aggregate them to your 7513.
Debugging will be easier and, above all, so will upgrades. Upgrading will simply be purchasing a new router and moving a few clients to it.
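As an added example (not code from either poster), here is a small Python parser for the show ip nat translations output the reply suggests looking at. It counts dynamic translations per inside host and per destination protocol/port, so the hosts and ports driving the session count stand out the way the virus traffic did in the school's case. The sample output is constructed; the column layout assumed is the standard IOS one.

```python
import re
from collections import Counter

# Constructed sample of `show ip nat translations` output (not from the poster's router).
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 188.8.131.52:1025     10.0.1.5:3456         203.0.113.7:80        203.0.113.7:80
tcp 188.8.131.52:1026     10.0.1.5:3457         203.0.113.9:80        203.0.113.9:80
tcp 188.8.131.52:1027     10.0.2.77:1030        198.51.100.2:135      198.51.100.2:135
tcp 188.8.131.52:1028     10.0.2.77:1031        198.51.100.3:135      198.51.100.3:135
tcp 188.8.131.52:1029     10.0.2.77:1032        198.51.100.4:135      198.51.100.4:135
tcp 188.8.131.52:1030     10.0.2.77:1033        198.51.100.5:445      198.51.100.5:445
udp 188.8.131.52:2001     192.168.2.10:53000    203.0.113.53:53       203.0.113.53:53
icmp 188.8.131.52:512     10.1.0.3:512          203.0.113.7:512       203.0.113.7:512
--- 184.108.40.206        10.0.3.1              ---                   ---
"""

# One dynamic entry: protocol, inside global, inside local, outside local, outside global.
LINE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_translations(text):
    """Yield (proto, inside_local_ip, outside_global_ip, outside_global_port) per dynamic entry."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:            # header, static '---' entries and blank lines are skipped
            continue
        proto, _ig, il, _ol, og = m.groups()
        il_ip = il.rsplit(":", 1)[0]
        og_ip, og_port = og.rsplit(":", 1)
        yield proto, il_ip, og_ip, og_port

def summarize(text, top=3):
    """Count sessions per inside host and per destination proto/port; return totals and top lists."""
    hosts, ports = Counter(), Counter()
    for proto, il_ip, _og_ip, og_port in parse_translations(text):
        hosts[il_ip] += 1
        ports[f"{proto}/{og_port}"] += 1
    total = sum(hosts.values())
    return total, hosts.most_common(top), ports.most_common(top)

if __name__ == "__main__":
    total, top_hosts, top_ports = summarize(SAMPLE)
    print(f"{total} dynamic translations")
    print("busiest inside hosts:", top_hosts)
    print("busiest destination ports:", top_ports)
```

Feed it the real output (terminal length 0, then paste or pipe the capture in) and a single inside host holding hundreds of entries to port 135 or 445 is the kind of thing to put in an access list.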