Frequent Contributor I
Posts: 95
Registered: ‎04-09-2007
Nat solution

So we need to finally go down the NAT/PAT rabbit hole....

Looking at using a separate external NAT device, but wondering if there's any solution from those that have gone before and have been happy with. We'd like to have something that could do deterministic/algorithmic NAT to reduce logging/facilitate the inevitable DMCA/security lookup.... but then we also have to think about cost....

Toying with a quick solution to use clearpass to classify smartdevices and then only NAT them on the controller.... 
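
The deterministic/algorithmic NAT idea raised in the post above, as an added example that is not part of the thread or any vendor's implementation: each inside address gets a fixed external IP and port block computed by arithmetic, so an external IP:port from a DMCA or abuse report can be reversed without per-session NAT logs. The pool ranges, the `DeterministicNat` class and the sizing (16,384 inside addresses behind a /24) are assumptions chosen for illustration.

```python
import ipaddress
from math import ceil

class DeterministicNat:
    """Algorithmic inside-host -> (external IP, port block) mapping."""

    def __init__(self, internal_net, external_net, port_min=1024, port_max=65535):
        self.inside = ipaddress.ip_network(internal_net)
        self.outside = ipaddress.ip_network(external_net)
        self.port_min = port_min
        # Hosts that must share each external address, and the fixed block each gets.
        self.hosts_per_ext = ceil(self.inside.num_addresses / self.outside.num_addresses)
        self.block_size = (port_max - port_min + 1) // self.hosts_per_ext
        if self.block_size == 0:
            raise ValueError("external pool too small for this internal range")

    def forward(self, internal_ip):
        """Return (external_ip, first_port, last_port) for an inside address."""
        ip = ipaddress.ip_address(internal_ip)
        if ip not in self.inside:
            raise ValueError(f"{ip} is outside {self.inside}")
        idx = int(ip) - int(self.inside.network_address)
        ext_idx, slot = divmod(idx, self.hosts_per_ext)
        first = self.port_min + slot * self.block_size
        return (str(self.outside.network_address + ext_idx), first, first + self.block_size - 1)

    def reverse(self, external_ip, port):
        """Return the inside address that owns external_ip:port, or None."""
        ip = ipaddress.ip_address(external_ip)
        if ip not in self.outside or port < self.port_min:
            return None
        slot = (port - self.port_min) // self.block_size
        if slot >= self.hosts_per_ext:
            return None  # ports above the last block are never assigned
        idx = (int(ip) - int(self.outside.network_address)) * self.hosts_per_ext + slot
        if idx >= self.inside.num_addresses:
            return None
        return str(self.inside.network_address + idx)

# Constructed sizing: a /18 of inside addresses behind a /24 from a documentation range.
nat = DeterministicNat("10.64.0.0/18", "198.51.100.0/24")
```

The reverse lookup only yields the inside address; tying that address to a user at a given time still depends on DHCP or RADIUS records.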

MVP
Posts: 4,238
Registered: ‎07-20-2011
Re: Nat solution

 

How many unique devices are you planning to nat ?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,368
Registered: ‎12-12-2011
Re: Nat solution

Take a look at some load balancers out there.  Brocade's ServerIron has a great NAT feature set and can do a ton of sessions based on the model of course.  But...yes...to Victor's point, how many sessions are we talking about?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor I
Posts: 95
Registered: ‎04-09-2007
Re: Nat solution

We are looking to NAT our entire wireless user base - last year we saw a max concurrent connection count reaching 16K - and we expect more growth in the coming year.

So we are looking for something for a campus wide deployment... first blush looking at Juniper SRX - just since we are familiar with Junos - and could be scaled to provide NAT for more than just wireless - though wireless will be the largest user population by far.

Hadn't really thought of a load-balancer - Brocade's ServerIron is likely not intended for the number of NAT clients... perhaps F5? Hmm, anyone actually use a load balancer vs firewall for NATing at this scale?

MVP
Posts: 4,238
Registered: ‎07-20-2011
Re: Nat solution

 

My experience has been with a firewall, and we used a Cisco ASA 5500.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,335
Registered: ‎09-08-2010
Re: Nat solution

What are you using for border routers?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 95
Registered: ‎04-09-2007
Re: Nat solution

We have juniper routers currently at the border - but no current firewall sized for NATing at this scale... yet

Occasional Contributor II
Posts: 13
Registered: ‎06-09-2011
Re: Nat solution

So, I've been down this road.

We had a home grown NAT solution a few years ago where the users were directly NAT'd as part of DHCP.

Ran into scaling problems as we grew the system, had to rework it.

Now we are NATing at the campus edge through a couple of SRXs, much better and easier to scale.

-Brian

Network Engineering|Texas A&M University
pacecar02@exchange.tamu.edu
Frequent Contributor I
Posts: 98
Registered: ‎08-19-2008
Re: Nat solution

We just migrated to NAT on all our wifi networks (fac and student, guest, and gaming). We too thought of using the controllers for NATing, but TAC engineering suggested we do not use the controllers for that many users (about 7-10K). So we ended up using a two box design, our border router (ASR-1006) for the guest traffic, and our firewall (ASA 5520) for the rest. So far so good, but will really see how both boxes handle NATing after school starts in a couple of weeks.

Regarding logs, we are using a combination of Radius logs, Airwave logs, and some from the Cisco boxes.

Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Occasional Contributor I
Posts: 12
Registered: ‎03-01-2012
Re: Nat solution

We've been doing NAT for a while now. We have two ASR 1002s with ESP10s... one for our guest network and one for our secure network. At peak last semester we were seeing about 18k users connected.
