[194342] in North American Network Operators' Group
Re: CGNAT
daemon@ATHENA.MIT.EDU (Compton, Rich A)
Sat Apr 8 19:11:37 2017
X-Original-To: nanog@nanog.org
From: "Compton, Rich A" <Rich.Compton@charter.com>
To: Aaron Gould <aaron1@gvtc.com>, 'Ahmed Munaf' <ahmed.dalaali@hrins.net>,
"'Nanog@Nanog'" <nanog@nanog.org>
Date: Thu, 6 Apr 2017 20:48:39 +0000
In-Reply-To: <000001d2af15$14a94fa0$3dfbeee0$@gvtc.com>
Errors-To: nanog-bounces@nanog.org
Hi Aaron, thanks for the info. I'm curious what you or others do about
DDoS attacks to CGNAT devices. It seems that a single attack could affect
the thousands of customers that use those devices. Also, do you have
issues detecting attacks vs. legitimate traffic when you have so much
traffic destined to a small group of IPs?
Rich Compton | Principal Eng | 314.596.2828
14810 Grasslands Dr, Englewood, CO 80112
On 4/6/17, 2:33 PM, "NANOG on behalf of Aaron Gould"
<nanog-bounces@nanog.org on behalf of aaron1@gvtc.com> wrote:
>Last year I evaluated Cisco ASR9006/VSM-500 and Juniper MX104/MS-MIC-16G in
>my lab.
>
>I went with MX104/MS-MIC-16G. I love it.
>
>I deployed (2) MX104's. Each MX104 has a single MS-MIC-16G card in it. I
>integrated this CGNAT with MPLS L3VPN's for NAT Inside vrf and NAT outside
>vrf. Both MX104's learn 0/0 route for outside and send a 0/0 route for
>inside to all the PE's that have DSLAMs connected to them. So each PE with
>DSL connected to it learns default route towards 2 equal cost MX104's. I
>could easily add a third MX104 to this modular architecture.
>
>I have 7,000 DSL broadband customers behind it. Peak time throughput is
>hitting up at 4 gbps... I see a little over 100,000 service flows
>(translations) at peak time
>
>I think each MX104 MS-MIC-16G can handle about ~7 million translations and
>about 7 gbps of cgnat throughput... so I'm good.
>
>I have a /25 for each MX104 outside public address pool (so /24 total for
>both MX104's)... pretty sweet how I use /24 for ~7,000 customers :)
>
>I'll freeze this probably for DSL and not put anything else behind it. I
>want to leave well-enough alone.
>
>If I move forward with CGNAT'ing Cable Modem (~6,000 more subscribers) I'll
>probably roll-out (2) more MX104's with a new vrf for that...
>
>If I move forward with CGNAT'ing FTTH (~20,000 more subscribers) I'll
>probably roll-out (2) MX240/480/960 with MS-MPC... I feel I'd want/need
>something beefier for FTTH...
>
>- Aaron
>
>
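As an added example (not written by either poster): a toy CGNAT model in Python sized like Aaron's /25-per-MX104 pool with fixed 2,048-port blocks per subscriber, plus the check Rich's question points at: inbound packets to the shared pool that match no existing translation are unsolicited, so a pool address receiving mostly unsolicited traffic is a flood-target signal rather than customer traffic. The pool addresses (TEST-NET-3), block size and packets are constructed assumptions.

```python
# Added example, not from the thread: per-subscriber port blocks over a /25
# pool and a solicited/unsolicited split of inbound traffic (constructed data).
from collections import defaultdict
from ipaddress import IPv4Network

PORT_RANGE = range(1024, 65536)  # 64,512 usable outside ports per pool address

class Cgnat:
    def __init__(self, pool_cidr, block_size):
        self.pool = [str(ip) for ip in IPv4Network(pool_cidr)]  # all 128 of a /25
        self.block_size = block_size
        self.blocks_per_ip = len(PORT_RANGE) // block_size
        self.assigned = {}             # inside_ip -> (outside_ip, first_port)
        self.used = defaultdict(int)   # inside_ip -> ports consumed in its block
        self.sessions = {}             # (out_ip, out_port, remote) -> inside_ip
        self.next_block = 0            # next free block index across the pool

    def capacity(self):
        return len(self.pool) * self.blocks_per_ip  # subscribers at one block each

    def _block_for(self, inside_ip):
        if inside_ip not in self.assigned:
            if self.next_block >= self.capacity():
                raise RuntimeError("outside pool exhausted")
            out_ip = self.pool[self.next_block // self.blocks_per_ip]
            first = PORT_RANGE.start + (self.next_block % self.blocks_per_ip) * self.block_size
            self.assigned[inside_ip] = (out_ip, first)
            self.next_block += 1
        return self.assigned[inside_ip]

    def outbound(self, inside_ip, remote):
        """Translate a new flow from inside_ip to remote=(ip, port); returns (out_ip, out_port)."""
        out_ip, first = self._block_for(inside_ip)
        if self.used[inside_ip] >= self.block_size:
            raise RuntimeError(f"port block exhausted for {inside_ip}")
        out_port = first + self.used[inside_ip]
        self.used[inside_ip] += 1
        self.sessions[(out_ip, out_port, remote)] = inside_ip
        return out_ip, out_port

    def classify_inbound(self, packets):
        """Per pool address, count inbound packets that match a translation vs. those that don't."""
        stats = defaultdict(lambda: {"solicited": 0, "unsolicited": 0})
        for dst_ip, dst_port, src in packets:
            kind = "solicited" if (dst_ip, dst_port, src) in self.sessions else "unsolicited"
            stats[dst_ip][kind] += 1
        return dict(stats)

def suspect_pool_ips(stats, min_packets=3, max_unsolicited_ratio=0.5):
    """Pool addresses whose inbound traffic is mostly unsolicited: a flood-target signal."""
    return sorted(ip for ip, s in stats.items() if sum(s.values()) >= min_packets
                  and s["unsolicited"] / sum(s.values()) > max_unsolicited_ratio)
```

With 2,048-port blocks a /25 holds 3,968 subscribers, which covers the ~3,500 behind each of Aaron's two boxes; shrinking the block raises subscriber count at the cost of per-subscriber concurrent flows.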