Limiting the number of NAT connections per user on Cisco IOS

Source: Internet
Author: User

This article describes in detail how to limit the number of NAT connections for a single user on Cisco router IOS.

Cisco IOS software after 12.3(4)T supports per-user NAT limits, that is, you can limit the number of NAT table entries that a single IP address may hold for address translation. A major feature of P2P software such as BT is that it opens a large number of connections at the same time, which occupy a large number of NAT table entries, so this method can effectively limit the use of BT. For example, suppose we set the maximum number of NAT table entries for IP 10.1.1.1 to 200. That is sufficient for normal network access, but if BT is used, the number of NAT table entries for this IP address soon reaches 200. Once that peak is reached, other connections from the IP address cannot be translated, and the host must wait until NAT table entries expire before it can open new ones. This effectively protects network bandwidth and also serves as a warning.

For example, if the maximum number of NAT entries for a host whose IP address is 10.1.1.1 is 200, the configuration is as follows:

ip nat translation max-entries host 10.1.1.1 200

If you want to restrict all hosts and set the maximum number of NAT entries for each host to 200, use the following configuration:

ip nat translation max-entries all-host 200
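
Before enforcing a limit, it helps to know how many entries each host actually holds. The following Python script is an added example, not part of the original article: it counts dynamic NAT entries per inside local address in "show ip nat translations" output and lists hosts at or near a chosen limit. The sample output and the 80% warning ratio are constructed, and preferring a host-specific limit over the all-host value is the script's own assumption.

```python
from collections import Counter

# Constructed sample of "show ip nat translations" output (not from a real router).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1025   10.1.1.1:1025      198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1026   10.1.1.1:6881      198.51.100.9:6881  198.51.100.9:6881
udp 203.0.113.5:1027   10.1.1.1:6881      192.0.2.44:6889    192.0.2.44:6889
tcp 203.0.113.5:1028   10.1.1.2:51514     198.51.100.7:443   198.51.100.7:443
--- 203.0.113.6        10.1.1.3           ---                ---
icmp 203.0.113.5:7     10.1.1.2:7         192.0.2.1:7        192.0.2.1:7
"""


def count_entries_per_host(show_output):
    """Return a Counter of dynamic NAT entries keyed by inside local IPv4 address."""
    counts = Counter()
    for line in show_output.splitlines():
        fields = line.split()
        # Skip blank lines, the header row and static entries (protocol shown as ---).
        # Leaving static entries out of the count is this script's choice.
        if len(fields) != 5 or fields[0] in ("Pro", "---"):
            continue
        inside_local = fields[2].rsplit(":", 1)[0]  # drop the port or ICMP id
        counts[inside_local] += 1
    return counts


def hosts_near_limit(counts, all_host_limit, host_limits=None, ratio=0.8):
    """Return (ip, entries, limit) for hosts at or above ratio * limit."""
    host_limits = host_limits or {}
    flagged = []
    for ip, entries in sorted(counts.items()):
        # Assumption: a host-specific limit is used in preference to the all-host value.
        limit = host_limits.get(ip, all_host_limit)
        if entries >= ratio * limit:
            flagged.append((ip, entries, limit))
    return flagged


if __name__ == "__main__":
    counts = count_entries_per_host(SAMPLE)
    # The limit of 3 for 10.1.1.1 is constructed so that the small sample trips it.
    for ip, entries, limit in hosts_near_limit(counts, 200, {"10.1.1.1": 3}):
        print(f"{ip}: {entries} entries, limit {limit}")
```

Run against output collected at intervals, the counts show whether a value such as 200 leaves enough room for normal use on the busiest legitimate hosts.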

Restrict or prohibit BT downloads within a specific period of time

During the working hours of the campus network, BT downloading is restricted or prohibited. In this way, BT download traffic does not compete with key services during working hours, and the key services of the campus network are fully protected. Outside working hours, campus network users can use the high-speed network resources freely. Taking a Cisco device as an example, the specific commands are:

! The source does not give the time window; replace the placeholders with the working hours.
time-range test
 periodic daily <start hh:mm> to <end hh:mm>
! Match TCP traffic to or from ports 6881-6890 while the time range is active.
access-list 130 permit tcp any any range 6881 6890 time-range test
access-list 130 permit tcp any range 6881 6890 any time-range test

Dedicated dynamic bandwidth for key services

Allocate dedicated dynamic bandwidth to key campus network services. BT downloads use the remaining bandwidth, which avoids competition between the two.

Certain campus networks use BT to download and provide services. On such a network, BT download is very aggressive, so protection mechanisms are needed to ensure the normal operation of other key services. The network administrator can use management software or network hardware configuration to impose fine-grained speed limits on application streams. For example, the priority for BT download users is set to 50 (7 is the lowest) and the bandwidth limit to 64 kbps, which ensures that the use of BT software does not affect other services and fully protects those applications. All remaining network resources can be provided for BT download.
