Hi, guys!

I have a question regarding resource limitation in multicontext mode on Cisco ASA.
I want to limit xlates per context proportionally (as a percentage); I don't 
want to use an absolute value.

I know that the xlate value is unlimited on Cisco ASA (as opposed to Cisco FWSM, 
where there's a limit of 256,000 concurrent NAT or PAT translations).

But as I see from the command syntax output, it should be possible to 
use `%`:
       
    ASA1(config-class)# limit-resource xlates ?
     
    class mode commands/options:
      WORD  Value of resource limit (in <value> or <value>%)

But I'm getting an error when I try to set the value in %:
      
    ASA1(config-class)# limit-resource xlates 50%
    ERROR: Capacity unknown for this resource type
     
    ASA1(config-class)# limit-resource xlates 50.00%
    ERROR: Capacity unknown for this resource type

So I'm considering some other ways to do it.

As far as I know, there can be more NAT entries than the maximum number of concurrent 
connections. The number of active NAT translations (xlates) is capped by the 
available memory, not the concurrent connection limit for the platform.
There is information that it spends around 260 bytes per xlate.
So we can try to calculate the maximum number of xlates knowing the amount of memory 
for the platform. But my gut tells me that it's not the correct solution)

One more addition:

If we type an extremely large number for xlates in the limit-resource class, we get 
a finite value in the show command:

    class LIMIT_XLATE
     limit-resource xlates 999999999999999999999999

    ASA1(config-class)# sh run class

    class TEST
    limit-resource Xlates 2147483647

2147483647 is actually (2^31) - 1

Check the following:
     
    ASA1(config-ctx)# sh resource allocation | I Xlate

    Resource Total % of Avail
    Xlates 2147483647(U) 0.00%

But I'm sure that it's not possible to maintain that huge number per platform.

Any ideas? I'd really appreciate any help.