Re: CGNAT

["Compton, Rich A" <Rich.Compton () charter com>]

Hi Aaron, thanks for the info.  I¹m curious what you or others do about
DDoS attacks to CGNAT devices.  It seems that a single attack could affect
the thousands of customers that use those devices.  Also, do you have
issues detecting attacks vs. legitimate traffic when you have so much
traffic destined to a small group of IPs?

Rich Compton  |      Principal Eng     |  314.596.2828
14810 Grasslands  Dr,    Englewood,      CO    80112






On 4/6/17, 2:33 PM, "NANOG on behalf of Aaron Gould"
<nanog-bounces () nanog org on behalf of aaron1 () gvtc com> wrote:

> Last year I evaluated Cisco ASR9006/VSM-500 and Juniper MX104/MS-MIC-16G
> in
> my lab.
>
> I went with MX104/MS-MIC-16G.  I love it.
>
> I deployed (2) MX104's.  Each MX104 has a single MX-MIC-16G card in it.  I
> integrated this CGNAT with MPLS L3VPN's for NAT Inside vrf and NAT outside
> vrf.  Both MX104's learn 0/0 route for outside and send a 0/0 route for
> inside to all the PE's that have DSLAMs connected to them.  So each PE
> with
> DSL connected to it learns default route towards 2 equal cost MX104's.  I
> could easily add a third MX104 to this modular architecture.
>
> I have 7,000 DSL broadband customers behind it.  Peak time throughput is
> hitting up at 4 gbps... I see a little over 100,000 service flows
> (translations) at peak time
>
> I think each MX104 MS-MIC-16G can able about ~7 million translations and
> about 7 gbps of cgnat throughput... so I'm good.
>
> I have a /25 for each MX104 outside public address pool (so /24 total for
> both MX104's)... pretty sweet how I use /24 for ~7,000 customers :)
>
> I'll freeze this probably for DSL and not put anything else behind it.  I
> want to leave well-enough alone.
>
> If I move forward with CGNAT'ing Cable Modem (~6,000 more subsrcibers)
> I'll
> probably roll-out (2) more MX104's with a new vrf for that...
>
> If I move forward with CGNAT'ing FTTH (~20,000 more subsrcibers) I'll
> probably roll-out (2) MX240/480/960 with MS-MPC... I feel I'd want/need
> something beefier for FTTH...
>
> - Aaron

E-MAIL CONFIDENTIALITY NOTICE: 
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain 
confidential and/or legally privileged information. If you are not the intended recipient of this message or if this 
message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this 
message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, 
distribution, copying, or storage of this message or any attachment is strictly prohibited.