Question

Cumulus Linux support for NAT


Userlevel 1
Hi all,

Do you know if Cumulus Linux supports NAT?

Thanks!

13 replies

Userlevel 4
Thanks for asking, @Melvin, but Cumulus Linux does not support NAT, as the hardware typically supports it.
Userlevel 4
@Melvin actually I had this wrong: we don't support NAT because the hardware doesn't support NAT. So if we tried, performance would be awful. Sorry for the confusion.
Userlevel 1
Got it. Thanks @Pete B. So none of the current hardware available for Cumulus Linux supports NAT? I currently have an FS.com switch (N8500-32C with Cumulus Linux), which I assume the hardware itself doesn't support NAT on.
Userlevel 3
That's right. None of the switch ASICs we support have hardware support for NAT, and running all traffic through the CPU to do NAT is a non-starter from a performance perspective, as Pete said.
Userlevel 1
Thanks guys! I agree that running traffic through the CPU to perform NAT would definitely put a strain on it. Thanks for your input as always!

Will you support chipsets with (stateful) NAT capability in the future, and if so, what does the roadmap look like in terms of dates?


By the way, for anyone that wants more information than offered here, have a look at https://mailman.nanog.org/pipermail/nanog/2018-October/097512.html

Userlevel 4

Hi @Roland thanks for asking! This is something we’re working on currently and should be out in a release in the coming months.

Also interested in this. Currently on Arista switches, as it's supported there; looking for alternatives.

Userlevel 4

Hey @charlesrg, @Melvin and @Roland: we just released Cumulus Linux 4.1 yesterday, which includes support for static and dynamic NAT!

Are there any plans to increase the max conntrack session table size for Spectrum 2 switches? Currently Cumulus has an 8k limit. Looking at the Spectrum 2 ASIC product page shows it supports 100k+.

With the limits that low, I'm not sure how realistic it is to be able to use this feature. What's the expected use case? I can't really see much use for this with those kinds of limits.

Userlevel 4

@etfeet do you have a particular number in mind? We are looking to expand this number in an upcoming release.

Something a little more usable. From what I can find, the kernel uses the following formula to determine the default max size:
# 64-bit system
CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (64 / 32)


For the Mellanox ASIC with 8 GB of RAM that would come out to ~262,144.

Ideally I'd like to have a session table that can support 200-300k connections.

From what I can tell, the Mellanox ASIC should be able to do it.

The session table size is calculated using the following formula, I believe:
session table size = conntrack struct size (in bytes) * 2 * num_total_connections

On Ubuntu 18.04 I have a 328-byte struct size. Using that as a baseline, it can support an ~800k session table in ~1 GB of memory (assuming the formulas I found on Google are correct).
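The two sizing formulas quoted in the post above, as an added helper script (not from the thread or from Cumulus): it implements the poster's formulas exactly as written, which are an approximation of the kernel's defaults, not verified kernel source, and lets you check a desired session count against available memory.

```python
"""Conntrack sizing helper based on the two formulas quoted in the thread.

Assumption: both formulas are the poster's approximation of the kernel's
behaviour; they are applied here verbatim, not taken from kernel source.
"""

GIB = 1024 ** 3


def default_conntrack_max(ram_bytes: int, word_bits: int = 64) -> int:
    """CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (word_bits / 32).

    word_bits is 64 for a 64-bit system (the case quoted in the thread)
    or 32 for a 32-bit system, where the final divisor becomes 1.
    """
    if word_bits not in (32, 64):
        raise ValueError("word_bits must be 32 or 64")
    return ram_bytes // 16384 // (word_bits // 32)


def session_table_bytes(struct_size: int, num_connections: int) -> int:
    """session table size = conntrack struct size * 2 * num_total_connections."""
    return struct_size * 2 * num_connections


def max_sessions_for_memory(struct_size: int, memory_bytes: int) -> int:
    """Inverse of session_table_bytes: how many sessions fit in memory_bytes."""
    return memory_bytes // (struct_size * 2)


def fits(struct_size: int, wanted_sessions: int, memory_bytes: int) -> bool:
    """True if the wanted session count fits in the memory budget."""
    return session_table_bytes(struct_size, wanted_sessions) <= memory_bytes


if __name__ == "__main__":
    # Values from the thread: 8 GB of RAM, a 328-byte struct on Ubuntu 18.04,
    # and a desired 200-300k sessions.
    print("kernel default on 8 GiB / 64-bit:", default_conntrack_max(8 * GIB))
    print("bytes for 300k sessions:", session_table_bytes(328, 300_000))
    print("sessions that fit in 1 GiB:", max_sessions_for_memory(328, GIB))
    print("300k fits in 1 GiB:", fits(328, 300_000, GIB))
```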


Userlevel 4

OK, thanks for that. I let engineering know, so we'll see where things go from here.
