Monday, August 19, 2019

Cisco NAT Default Timeouts

Cisco default NAT timeouts
Defaults
timeout: 86,400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86,400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86,400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
seconds: 0 (never)

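The right tuning depends on the actual business applications. If there are no special requirements, the values can be changed to:
TCP session aging time: 300 seconds
UDP session aging time: 180 seconds
PPTP session aging time: 300 seconds
ICMP session aging time: 10 seconds
DNS session aging time: 10 seconds
tcp-syn packet aging time: 10 seconds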

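Experience shows that when NAT is the problem, you can limit the number of concurrent NAT translations and how long translations remain valid, for example: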
ip nat translation timeout 180
ip nat translation tcp-timeout 180
ip nat translation udp-timeout 180
ip nat translation syn-timeout 20
ip nat translation icmp-timeout 10
ip nat translation max-entries 10000
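
An added example, not from the original post: a small Python audit that reads `ip nat translation` lines from a configuration, falls back to the defaults listed above for any timer that is not set, and reports timers above the suggested values or a missing max-entries cap. Treating the suggested values as upper bounds is an assumption of this example, and the sample configuration is constructed from the six commands shown above.

```python
import re

# Defaults as listed on this page (seconds).
DEFAULTS = {"timeout": 86400, "udp-timeout": 300, "dns-timeout": 60,
            "tcp-timeout": 86400, "finrst-timeout": 60, "icmp-timeout": 60,
            "pptp-timeout": 86400, "syn-timeout": 60}
# Suggested values from this page (seconds); used here as upper bounds (assumption).
SUGGESTED = {"tcp-timeout": 300, "udp-timeout": 180, "pptp-timeout": 300,
             "icmp-timeout": 10, "dns-timeout": 10, "syn-timeout": 10}

# Matches only the simple "<keyword> <seconds|never>" form of the command.
LINE = re.compile(r"^\s*ip nat translation (\S+) (\d+|never)\s*$")

def parse(config_text):
    """Return {keyword: seconds} for configured lines; 'never' becomes inf."""
    found = {}
    for line in config_text.splitlines():
        m = LINE.match(line)
        if m:
            key, val = m.groups()
            found[key] = float("inf") if val == "never" else int(val)
    return found

def audit(config_text):
    """Return findings as (keyword, effective_value, reason), sorted by keyword."""
    configured = parse(config_text)
    findings = []
    for key, limit in SUGGESTED.items():
        effective = configured.get(key, DEFAULTS[key])  # unset timers keep the default
        if effective > limit:
            source = "configured" if key in configured else "default"
            findings.append((key, effective, f"{source} value exceeds {limit}s"))
    if "max-entries" not in configured:
        findings.append(("max-entries", None, "no cap on translation table size"))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample: the six commands shown in the post.
SAMPLE = """\
ip nat translation timeout 180
ip nat translation tcp-timeout 180
ip nat translation udp-timeout 180
ip nat translation syn-timeout 20
ip nat translation icmp-timeout 10
ip nat translation max-entries 10000
"""

if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE):
        print(f"{key:14} {value!s:>8}  {reason}")
```

Run against the six commands above, the audit shows that dns-timeout and pptp-timeout are still at their defaults and that syn-timeout is set higher than the suggested 10 seconds.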
