Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
Recently I got a presentation from Cisco about the ISM. Bulk port allocation was planned for release 4.2.1. But I am not sure if the regulator can send a port number with the IP address. Without the port number, bulk port allocation will be a useless feature.

Ruslan Pustovoitov writes:
> I know Alcatel has Bulk Port Allocation in its MS-ISA and it works fine. ISM-100/CGSE has no such feature, but my aim is to argue that ISM is the right answer )
>
> jean-francois.tremblay...@videotron.com writes:
>> > We in Europe have some pressure to have the ability to map the ip/port/timestamp tuple back to a user. Of course nobody will be able to deliver the port together with the IP and an accurate enough timestamp for this to be meaningful.
>>
>> Bulk Port Allocation (also called Port Range Allocation) is probably what you're looking for. It reduces logging requirements by several orders of magnitude and your timestamping doesn't have to be as precise. This is a must to deploy any CGN, IMHO. Coming soon to your favorite Cisco CGN implementation, apparently...
>>
>> > I can see this becoming a larger problem when more NATs appear on conventional DSL / FTTx / Cable access products as opposed to just low bandwidth mobile networks.
>>
>> Mobile networks aren't that low bandwidth anymore. They have the same issues with logging.
>>
>> /JF

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
> But I am not sure if the regulator can send a port number with the IP address. Without the port number, bulk port allocation will be a useless feature.

This is why RFC 6302 was written (http://tools.ietf.org/html/rfc6302). The source port will be required for any law enforcement or abuse case, because a timestamp and all the connection logs aren't usually enough to prove the connection comes from a specific user on popular destinations.

Anyway, good luck logging everything. For a large ISP, we're talking about petabytes of data over a year. Bulk/range port allocation is a must IMHO.

/JF
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
In Russia the situation with law enforcement is simpler, at least with real IP addresses. Now we insert a prism into the lightpath between the neighboring SFP/XFPs at the point where the regulator wants it and send all traffic to their equipment, without saving flow information in a database. I hope with NAT the situation will be the same. For real-time correlation between the internal (private) IP and the external (real) IP, I hope the regulator will be able to get NetFlow v9 from us )

Christian Kratzer writes:
> Hi,
>
> On Wed, 14 Mar 2012, Xu Hu wrote:
>> Actually in our 3G network, we use the 7609 (two ACE modules) for the NAT; in the live situation, we had 4M users. It is quite stable for now. Also we bought the ASR9K to expand the 3G network, maybe we will migrate the NAT to the ASR9K.
>
> I am curious if, and if so how, you are doing logging for law enforcement purposes on that scale?
>
> We in Europe have some pressure to have the ability to map the ip/port/timestamp tuple back to a user. Of course nobody will be able to deliver the port together with the IP and an accurate enough timestamp for this to be meaningful.
>
> I can see this becoming a larger problem when more NATs appear on conventional DSL / FTTx / Cable access products as opposed to just low bandwidth mobile networks.
>
> Greetings
> Christian
>
>> Xu Hu
>>
>> 2012/3/14 Ruslan Pustovoitov ru...@mostelekom.net
>>> The question was what strategy of NAT deployment can be accepted by a large ISP if one of the internal conditions is to use only Cisco boxes for NAT? Hidden cost was always visible to engineers ) Now it is time to pay )
>>>
>>> Has Cisco a plan to announce in the next two years a successor of the ISM-100 with better performance? For example, if an ISP already has ASR9k chassis placed everywhere in its network, it will be happy to know that in 2013 Cisco is planning to do another card which will sit instead of the ISM-100 in the same chassis.
>>>
>>> Gert Doering writes:
>>>> Hi,
>>>>
>>>> On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote:
>>>>> Does this question not worry the community?
>>>>
>>>> I think it's great that the hidden costs that come with running IPv4 now start being openly visible...
>>>>
>>>> Sorry, what was the question?
>>>>
>>>> gert
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
The question was what strategy of NAT deployment can be accepted by a large ISP if one of the internal conditions is to use only Cisco boxes for NAT? Hidden cost was always visible to engineers ) Now it is time to pay )

Has Cisco a plan to announce in the next two years a successor of the ISM-100 with better performance? For example, if an ISP already has ASR9k chassis placed everywhere in its network, it will be happy to know that in 2013 Cisco is planning to do another card which will sit instead of the ISM-100 in the same chassis.

Gert Doering writes:
> Hi,
>
> On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote:
>> Does this question not worry the community?
>
> I think it's great that the hidden costs that come with running IPv4 now start being openly visible...
>
> Sorry, what was the question?
>
> gert
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
Actually in our 3G network, we use the 7609 (two ACE modules) for the NAT; in the live situation, we had 4M users. It is quite stable for now. Also we bought the ASR9K to expand the 3G network, maybe we will migrate the NAT to the ASR9K.

Xu Hu

2012/3/14 Ruslan Pustovoitov ru...@mostelekom.net
> The question was what strategy of NAT deployment can be accepted by a large ISP if one of the internal conditions is to use only Cisco boxes for NAT? Hidden cost was always visible to engineers ) Now it is time to pay )
>
> Has Cisco a plan to announce in the next two years a successor of the ISM-100 with better performance? For example, if an ISP already has ASR9k chassis placed everywhere in its network, it will be happy to know that in 2013 Cisco is planning to do another card which will sit instead of the ISM-100 in the same chassis.
>
> Gert Doering writes:
>> Hi,
>>
>> On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote:
>>> Does this question not worry the community?
>>
>> I think it's great that the hidden costs that come with running IPv4 now start being openly visible...
>>
>> Sorry, what was the question?
>>
>> gert
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
Hi,

On Wed, 14 Mar 2012, Xu Hu wrote:
> Actually in our 3G network, we use the 7609 (two ACE modules) for the NAT; in the live situation, we had 4M users. It is quite stable for now. Also we bought the ASR9K to expand the 3G network, maybe we will migrate the NAT to the ASR9K.

I am curious if, and if so how, you are doing logging for law enforcement purposes on that scale?

We in Europe have some pressure to have the ability to map the ip/port/timestamp tuple back to a user. Of course nobody will be able to deliver the port together with the IP and an accurate enough timestamp for this to be meaningful.

I can see this becoming a larger problem when more NATs appear on conventional DSL / FTTx / Cable access products as opposed to just low bandwidth mobile networks.

Greetings
Christian

> Xu Hu
>
> 2012/3/14 Ruslan Pustovoitov ru...@mostelekom.net
>> The question was what strategy of NAT deployment can be accepted by a large ISP if one of the internal conditions is to use only Cisco boxes for NAT? Hidden cost was always visible to engineers ) Now it is time to pay )
>>
>> Has Cisco a plan to announce in the next two years a successor of the ISM-100 with better performance? For example, if an ISP already has ASR9k chassis placed everywhere in its network, it will be happy to know that in 2013 Cisco is planning to do another card which will sit instead of the ISM-100 in the same chassis.
>>
>> Gert Doering writes:
>>> Hi,
>>>
>>> On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote:
>>>> Does this question not worry the community?
>>>
>>> I think it's great that the hidden costs that come with running IPv4 now start being openly visible...
>>>
>>> Sorry, what was the question?
>>>
>>> gert

-- 
Christian Kratzer                  CK Software GmbH
Email: c...@cksoft.de              Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0        D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
> We in Europe have some pressure to have the ability to map the ip/port/timestamp tuple back to a user. Of course nobody will be able to deliver the port together with the IP and an accurate enough timestamp for this to be meaningful.

Bulk Port Allocation (also called Port Range Allocation) is probably what you're looking for. It reduces logging requirements by several orders of magnitude and your timestamping doesn't have to be as precise. This is a must to deploy any CGN, IMHO. Coming soon to your favorite Cisco CGN implementation, apparently...

> I can see this becoming a larger problem when more NATs appear on conventional DSL / FTTx / Cable access products as opposed to just low bandwidth mobile networks.

Mobile networks aren't that low bandwidth anymore. They have the same issues with logging.

/JF
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
Does this question not worry the community?

Ruslan Pustovoytov writes:
> Hi all
>
> Can anybody explain to me what is the best way to do CGN on Cisco boxes? I am looking for a powerful solution with a price comparable to other vendors. Recently I closely looked at the ISM-100 card for the asr9k platform. I was negatively surprised that the performance of this card is about 10 Gbit/s half-duplex. The card occupies a full slot in the chassis and costs about 200,000$ in GPL with a license for 10 million sessions. I know that other vendors with more ancient NATs have double the performance for this price.
>
> Also, I looked at the CGSE blade for the CRS-1 and CRS-3 platforms. The presentation says it has 10 Gbit/s full-duplex performance and the card occupies one slot. Does it mean that CGN in the CRS is more powerful than CGN in the ASR9k, or is this the sort of marketing game?
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
Hi,

On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote:
> Does this question not worry the community?

I think it's great that the hidden costs that come with running IPv4 now start being openly visible...

Sorry, what was the question?

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
Hi,

On Tue, 13 Mar 2012, Gert Doering wrote:
> Hi,
>
> On Tue, Mar 13, 2012 at 07:01:10PM +0400, Ruslan Pustovoitov wrote:
>> Does this question not worry the community?
>
> I think it's great that the hidden costs that come with running IPv4 now start being openly visible...

Next let's think about the cost of maintaining a database of NAT mappings for law enforcement purposes when you have a high speed FTTH user base ;)

Greetings
Christian Kratzer
CK Software GmbH

-- 
Christian Kratzer                  CK Software GmbH
Email: c...@cksoft.de              Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0        D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
Re: [c-nsp] Carrier grade NAT44 newest Cisco boxes
Hi,

On Tuesday 13 March 2012 16:01:10 Ruslan Pustovoitov wrote:
> The card occupies a full slot in the chassis and costs about 200,000$ in GPL with a license for 10 million sessions. I know that other vendors with more ancient NATs have double the performance for this price.
>
> Also, I looked at the CGSE blade for the CRS-1 and CRS-3 platforms. The presentation says it has 10 Gbit/s full-duplex performance and the card occupies one slot. Does it mean that CGN in the CRS is more powerful than CGN in the ASR9k, or is this the sort of marketing game?

...the CGSE can hold up to 20 million concurrent NAT sessions and multiple blades can be installed in one CRS-1. I thought the ISE for the asr9k is more or less identical to the CGSE (at least it's based on the same code), so it might be a marketing decision to allow only 10 million sessions.

regards,
Andy
[c-nsp] Carrier grade NAT44 newest Cisco boxes
Hi all

Can anybody explain to me what is the best way to do CGN on Cisco boxes? I am looking for a powerful solution with a price comparable to other vendors. Recently I closely looked at the ISM-100 card for the asr9k platform. I was negatively surprised that the performance of this card is about 10 Gbit/s half-duplex. The card occupies a full slot in the chassis and costs about 200,000$ in GPL with a license for 10 million sessions. I know that other vendors with more ancient NATs have double the performance for this price.

Also, I looked at the CGSE blade for the CRS-1 and CRS-3 platforms. The presentation says it has 10 Gbit/s full-duplex performance and the card occupies one slot. Does it mean that CGN in the CRS is more powerful than CGN in the ASR9k, or is this the sort of marketing game?