I am running CGN with NAT44 on an ISM module. The problem I am facing is that whenever we face spamming by a miscreant user in our network, our upstream blocks the public IP pool on which we perform NAT44 translation, resulting in all NAT44 users facing an outage until we change the address-pool.
Is there any way to exclude one IP address from the address-pool, or define multiple address pools?
I asked this question because the problem we face is that if one subscriber generates spam, our upstream black-holes that IP address, and all other subscribers who were NATted to that IP also face an outage. Since I cannot exclude a single IP, I have to change the whole /24 address pool every time.
For your question regarding multiple pools: I think you can achieve this by creating multiple inside VRFs, and each inside VRF can have a separate pool (of course you will have to use ABF to route traffic of a subscriber chunk to different VRFs).
Regarding spam, we've decided to allow only SMTP traffic with a destination within our own country, because mostly all spam traffic goes abroad. That helps us to not get any of our IP addresses black-holed.
But there is another case: when one of our IP addresses gets DDoS attacked, our upstream providers sometimes block that IP. That depends on how big the malicious traffic is, because sometimes it just overuses our upstream links.
Yes, the solution could be to create a lot of inside VRFs, but there would be too much additional config. We now have 6 inside VRFs (ABF is used). Creating more VRFs? Not sure.
It could be much easier to simply remove one blocked IP from the pool, rather than kill all existing millions of sessions from the pool (/26) and configure a new one.