on 07-23-2013 11:41 AM
So we need to finally go down the NAT/PAT rabbit hole....
Looking at using a separate external NAT device, but wondering if there's any solution from those that have gone before and have been happy with. We'd like to have something that could do deterministic/algorithmic NAT to reduce logging/facilitate the inevitable DMCA/security lookup.... but then we also have to think about cost....
Toying with a quick solution to use clearpass to classify smartdevices and then only NAT them on the controller....
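The deterministic/algorithmic mapping asked about above, as an added example that is not from the thread or any vendor: each inside address gets a fixed public address and port block computed from the pool sizes, so an abuse or DMCA lookup reverses the arithmetic instead of searching per-session NAT logs. Pool sizes, port range and addresses are constructed assumptions.

```python
import ipaddress

# Constructed parameters, not from the thread: a /18 client pool (16384 addresses,
# roughly the 16K concurrent users mentioned) mapped onto 64 public addresses.
INSIDE = ipaddress.ip_network("10.20.0.0/18")
OUTSIDE = ipaddress.ip_network("203.0.113.0/26")
FIRST_PORT, LAST_PORT = 1024, 65535   # well-known ports are left unused


def geometry():
    """Clients per public address and ports per client, derived from the pools."""
    per_external = -(-INSIDE.num_addresses // OUTSIDE.num_addresses)  # ceiling
    block = (LAST_PORT - FIRST_PORT + 1) // per_external
    if block < 1:
        raise ValueError("not enough public ports for this many clients")
    return per_external, block


def forward(inside_ip):
    """Public address and fixed port range for one client (no session log needed)."""
    ip = ipaddress.ip_address(inside_ip)
    if ip not in INSIDE:
        raise ValueError(f"{ip} is not in the NAT pool")
    per_external, block = geometry()
    idx = int(ip) - int(INSIDE.network_address)
    start = FIRST_PORT + (idx % per_external) * block
    return str(OUTSIDE[idx // per_external]), start, start + block - 1


def reverse(outside_ip, port):
    """Abuse/DMCA lookup: which client owned this public IP:port? None if unassigned."""
    ip = ipaddress.ip_address(outside_ip)
    if ip not in OUTSIDE or port < FIRST_PORT or port > LAST_PORT:
        return None
    per_external, block = geometry()
    slot = (port - FIRST_PORT) // block
    if slot >= per_external:
        return None
    idx = (int(ip) - int(OUTSIDE.network_address)) * per_external + slot
    if idx >= INSIDE.num_addresses:
        return None
    return str(INSIDE[idx])


if __name__ == "__main__":
    ext, lo, hi = forward("10.20.1.5")
    print(f"10.20.1.5 -> {ext}:{lo}-{hi}")
    print("203.0.113.1:2300 ->", reverse("203.0.113.1", 2300))
```

The lookup yields an inside address, so DHCP lease or RADIUS records are still needed to tie that address to a user and time window; only the per-session NAT log goes away, and with these pool sizes each client gets just 252 ports, which is the trade-off to size for.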
on 07-23-2013 11:49 AM
Take a look at some load balancers out there. Brocade's ServerIron has a great NAT feature set and can do a ton of sessions based on the model of course. But...yes...to Victor's point, how many sessions are we talking about?
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
on 07-23-2013 03:20 PM
We are looking to NAT our entire wireless user base - last year we saw a max concurrent connection count reaching 16K - and we expect more growth in the coming year.
So we are looking for something for a campus wide deployment... first blush looking at Juniper SRX - just since we are familiar with Junos - and could be scaled to provide NAT for more than just wireless - though wireless will be the largest user population by far.
Hadn't really thought of a load-balancer - Brocade's ServerIron is likely not intended for the number of NAT clients... perhaps F5? hmm anyone actually use a load balancer vs firewall for NATing at this scale?
on 08-05-2013 06:19 AM
So, I've been down this road.
We had a home grown NAT solution a few years ago where the users were directly NAT'd as part of DHCP.
Ran into scaling problems as we grew the system, had to rework it.
Now we are NATing at the campus edge through a couple of SRXs, much better and easier to scale.
Network Engineering|Texas A&M University
on 08-05-2013 06:01 PM
We just migrated to NAT on all our wifi networks (fac and student, guest, and gaming). We too thought of using the controllers for NATing, but TAC engineering suggested we do not use the controllers for that many users (about 7-10K). So we ended up using a two box design, our border router (ASR-1006) for the guest traffic, and our firewall (ASA 5520) for the rest. So far so good, but will really see how both boxes handle NATing after school starts in a couple of weeks.
Regarding logs, we are using a combination of Radius logs, Airwave logs, and some from the Cisco boxes.
Wireless Network Architect-Engineer
University of Denver