I want to deploy CGN on MX240 using MS-DPC and just want to know if there are any performance limits. Is there any max sessions and sessions per second limit on single MS-DPC?
There are 100k users in groups of 8 (each 8 users use the same external IP address), so there are 12.5k unique external addresses. When I tried to use SRX, I got an error when committing the configuration, that only 8192 NAT pools are supported (at least 12.5k is needed + future growth). Please refer to the table at http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/release-notes/11.1/index.html?topic-51166.html#jd0e11897
Is MX240 capable of doing large scale nat as described? Will configuration parser accept such a long config? Where can I find more docs on this topic (I've already read http://www.juniper.net/us/en/local/pdf/implementation-guides/8010076-en.pdf)?
The MSDPC performance and scaling numbers _per_NPU_ are:
1/ 5 million flows (2 flows == 1 session)
2/ flow setup rate 48K fps
3/ 1200 NAT rule terms per service-set
4/ 6000 service-sets per NPU
Flows and NAT translations are _not_ automatically shared between NPUs, you have to direct flows into different NPUs explicitly in the config (based on source IP ranges or IP header fields hash) to share the load.
MSDPC NAT is not limited by number of pools but rather by number of NAT rule terms, and same NAT pool can be referenced multiple times in different NAT rule terms.
Thank you for your answer. It helps me a lot. Nevertheless, I need a clarification.
Let's assume I have a topology similar to the one from www.juniper.net/us/en/local/pdf/implementation-guides/8010076-en.pdf page 5 (figure 2). All the flows are aggregated to one interface. So according to the limits from the previous post, I can handle only 1200*8 (each rule services 8 users) users when using interface service style set (if only one service set can be referenced under an interface configuration).
Should I use next-hop service style to overcome this limitation? Maybe using multiple logical interfaces is a better solution? What's the preferred way to configure MX240 as a NAT gateway when one term must be used for every 8 users (there is 100k number of users in total)?
I also want to confirm that each MSDPC contains two NPUs. How to configure load balancing between them (I mean: is there any documentation or configuration guide?)?
Thank you for your help again,
The numbers provided earlier are somewhat off,
the correct values are below.
I recommend you contact firstname.lastname@example.org
we'd be happy to assist you with your configuration requirements and sizing.
Peak Flow Ramp up Rate
Public Port Pool
Number of Subscribers
Ramp-up time (4M Flows)
@nail2k wrote: Thank you for your answer. It helps me a lot. Nevertheless, I need a clarification. Let's assume I have a topology similar to the one from www.juniper.net/us/en/local/pdf/implementation-guides/8010076-en.pdf page 5 (figure 2). All the flows are aggregated to one interface. So according to the limits from the previous post, I can handle only 1200*8 (each rule services 8 users) users when using interface service style set (if only one service set can be referenced under an interface configuration).
Using interface-style service-sets, more than 1 service-set can be referenced under a logical interface. I have personally seen 12 interface-style service-sets referenced under the same logical interface with different service-filters and it's all working fine.
Each MSDPC has 2 NPUs. Assuming interface-style service-sets, You have to direct traffic into NPUs based on private source IP, and in opposite direction matching on public NAT pool IP - You cannot reuse same service-set containing same public NAT pool on different NPUs anyway.
You have to construct very specific service-filters to properly direct traffic into different service-sets.
Nexthop-style service-sets require VR/VRFs to work with NAT (one VR/VRF per service-set) - I personally prefer interface-style since it's less time-consuming to configure.
However, if you have internet inside VRF, NH-style may be a better choice.
If you need each public NAT pool IP to be used exactly by 8 private users, and you do care which private IP uses which pool (which is a valid requirement, e.g. as a substitute for NAT logging), then indeed you have to configure 12,500 terms and 12,500 pools. However, if you only require a statistically-multiplexed 8:1 private-IP-to-public-IP ratio, then 1 big NAT pool with round-robin address-allocation and 1 service-set with 2 service-filters (1 in each direction) should be fine.
Lastly, the numbers I gave in my previous post are those I personally tested and witnessed in the lab with Spirent and IXIA traffic generators. JUNOS 10.4R2 and 10.4R4.
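The deterministic 8:1 layout discussed in the reply above, as an added planning sketch (not from any poster or from Juniper): it assigns one public IP per private /29, keeps each pool on a single NPU, splits terms into service-sets, and does the reverse lookup that substitutes for NAT logging. Assumptions: users sit in contiguous /29 blocks, the address ranges are constructed, terms are split evenly over two NPUs, and the 1200-terms-per-service-set figure is the one quoted in the thread, taken as a parameter.

```python
import ipaddress
from collections import Counter

TERMS_PER_SERVICE_SET = 1200  # per-service-set term figure quoted in the thread
GROUP = 8                     # private users per public IP -> one /29 per term

def build_plan(private_net, public_net, users, npus=2):
    """Return one entry per NAT term: (npu, service_set, term, private /29, public IP)."""
    priv = ipaddress.IPv4Network(private_net)
    pub = ipaddress.IPv4Network(public_net)
    terms = -(-users // GROUP)                      # ceiling division
    if terms * GROUP > priv.num_addresses or terms > pub.num_addresses:
        raise ValueError("address space too small for the requested users")
    per_npu = -(-terms // npus)
    plan = []
    for i in range(terms):
        npu, slot = divmod(i, per_npu)              # each pool lives on exactly one NPU
        service_set, term = divmod(slot, TERMS_PER_SERVICE_SET)
        block = ipaddress.IPv4Network((int(priv.network_address) + i * GROUP, 29))
        plan.append((npu, service_set, term, block, pub[i]))
    return plan

def service_sets_per_npu(plan):
    """Count the distinct service-sets each NPU needs to hold its terms."""
    return dict(Counter(npu for npu, _ in {(e[0], e[1]) for e in plan}))

def attribute(plan, public_ip):
    """Reverse lookup: the plan entry (and private /29) behind a public IP."""
    wanted = ipaddress.IPv4Address(public_ip)
    for entry in plan:
        if entry[4] == wanted:
            return entry
    raise KeyError(public_ip)

if __name__ == "__main__":
    # Constructed ranges: 100.64.0.0/15 as the private side, 198.18.0.0/18 as public.
    plan = build_plan("100.64.0.0/15", "198.18.0.0/18", users=100_000)
    print(len(plan), "terms,", service_sets_per_npu(plan), "service-sets per NPU")
    print(attribute(plan, "198.18.24.106"))
```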
Hello, the numbers that Guy gave are based on some improvements in scaling/performance brought by JUNOS 11.2. This explains the difference compared to the 10.4 testing.
Are those numbers documented somewhere on juniper.net? Are they still valid with version >= 11.2 or did they change?
Does anyone have any actual numbers for the MS-DPC?
The MS-DPC "numbers" haven't changed since 2011 when they were last enhanced.
Or are You after some other "numbers"? Please say so and I'd be happy to assist.
From an NSN presentation I gathered these numbers. They are a bit different from the ones posted here earlier, the ramp-up rate has increased a bit but I'm not sure if these numbers are "official" since the official datasheet for the MS-DPC doesn't display this information.
Revised url for the cg nat documentation