Higher Education


Nat solution

  • 1.  Nat solution

    Posted Jul 23, 2013 02:41 PM

    So we need to finally go down the NAT/PAT rabbit hole....

     

    Looking at using a separate external NAT device, but wondering if there's any solution from those that have gone before and have been happy with it.   We'd like to have something that could do deterministic/algorithmic NAT to reduce logging/facilitate the inevitable DMCA/security lookup.... but then we also have to think about cost....

     

    Toying with a quick solution to use clearpass to classify smartdevices and then only NAT them on the controller.... 



  • 2.  RE: Nat solution

    Posted Jul 23, 2013 02:46 PM

     

    How many unique devices are you planning to NAT?



  • 3.  RE: Nat solution

    EMPLOYEE
    Posted Jul 23, 2013 02:50 PM

    Take a look at some load balancers out there.  Brocade's ServerIron has a great NAT feature set and can do a ton of sessions based on the model of course.  But...yes...to Victor's point, how many sessions are we talking about?



  • 4.  RE: Nat solution

    Posted Jul 23, 2013 06:20 PM

    We are looking to NAT our entire wireless user base - last year we saw a max concurrent connection count reaching 16K - and we expect more growth in the coming year.

     

    So we are looking for something for a campus-wide deployment...  first blush looking at Juniper SRX - just since we are familiar with Junos - and could be scaled to provide NAT for more than just wireless - though wireless will be the largest user population by far.

     

     

    Hadn't really thought of a load balancer - Brocade's ServerIron is likely not intended for the number of NAT clients... perhaps F5?  Hmm, anyone actually use a load balancer vs. firewall for NATing at this scale?



  • 5.  RE: Nat solution

    Posted Jul 26, 2013 10:21 AM

     

    My experience has been with a firewall, and we used a Cisco ASA 5500.

     

     



  • 6.  RE: Nat solution

    EMPLOYEE
    Posted Jul 26, 2013 10:23 AM

    What are you using for border routers?



  • 7.  RE: Nat solution

    Posted Aug 01, 2013 04:13 PM

    We have Juniper routers currently at the border - but no current firewall sized for NATing at this scale... yet.



  • 8.  RE: Nat solution

    Posted Aug 05, 2013 09:20 AM

    So, I've been down this road.

     

    We had a home-grown NAT solution a few years ago where the users were directly NAT'd as part of DHCP.

     

    Ran into scaling problems as we grew the system; had to rework it.

     

    Now we are NATing at the campus edge through a couple of SRXs; much better and easier to scale.



  • 9.  RE: Nat solution

    Posted Aug 05, 2013 09:01 PM

    We just migrated to NAT on all our wifi networks (fac and student, guest, and gaming).  We too thought of using the controllers for NATing, but TAC engineering suggested we do not use the controllers for that many users (about 7-10K).  So we ended up using a two-box design: our border router (ASR-1006) for the guest traffic, and our firewall (ASA 5520) for the rest.  So far so good, but we will really see how both boxes handle NATing after school starts in a couple of weeks.

    Regarding logs, we are using a combination of Radius logs, Airwave logs, and some from the Cisco boxes.



  • 10.  RE: Nat solution

    Posted Aug 06, 2013 08:31 AM

    We've been doing NAT for a while now. We have two ASR 1002's with ESP10's... one for our guest network and one for our secure network. At peak last semester we were seeing about 18k users connected.



  • 11.  RE: Nat solution

    Posted Aug 07, 2013 05:03 PM

    Thanks for the replies.     Glad to see that our initial goal to NAT at the border with a large firewall is a common option that has been proven to work..... Unfortunately our border is being redesigned.... and there is pushback to get a new firewall that might just get replaced....

     

    So it looks like I'll be testing the waters of initially NATing smart devices - using NAT pools on our controllers themselves.... so far in a small test that works OK.... 

    Still looking at whether I should just NAT everything, or only src-NAT traffic destined for off-campus.

     

    Also, does anyone know specifics for Aruba's NAT/PAT? I.e., just looking to do some port location math: will Aruba do PAT to all 65536 ports for a given NAT-pool IP?

     

    I.e., for 2K devices being NAT'ed, if I cap users at 512 sessions... I should have more than 15 IPs in the NAT pool to handle the case where all 2K users have 512 active sessions....
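
The two ideas raised in this thread, deterministic/algorithmic NAT so that a DMCA or abuse lookup needs no per-session log (post 1), and sizing a PAT pool for a hard per-user session cap (post 11), fit together in one small model. The example below is added here and is not code from the thread, from Aruba or from any vendor mentioned; the thread never establishes how an Aruba controller actually allocates ports. It models port-block PAT: each internal host is handed a fixed block of ports on a fixed public address computed from its offset in the internal prefix, so the reverse lookup is pure arithmetic. The internal prefix 10.20.0.0/21, the 198.51.100.x pool (documentation range), the 512-port block size and the assumption that ports 0-1023 are never handed out are all constructed for illustration.

```python
"""Deterministic (algorithmic) port-block PAT, illustrative only (not a vendor's implementation)."""
import ipaddress
import math

# Assumption for this example: ports below 1024 are never handed out for PAT,
# so each public address offers 64512 usable source ports, not the full 65536.
RESERVED_PORTS = 1024
USABLE_PORTS_PER_IP = 65536 - RESERVED_PORTS


def pool_size(devices, sessions_per_device, ports_per_ip=USABLE_PORTS_PER_IP):
    """Smallest pool that lets every device hold its full per-user session cap at once."""
    return math.ceil(devices * sessions_per_device / ports_per_ip)


class DeterministicPAT:
    """Every internal host owns a fixed (public IP, port range) derived from its offset
    in the internal prefix, so an abuse complaint quoting public IP + port + time can be
    resolved to an internal host without any per-session translation log."""

    def __init__(self, internal_prefix, public_pool, block_size):
        self.internal = ipaddress.ip_network(internal_prefix)
        self.pool = [ipaddress.ip_address(a) for a in public_pool]
        self.block_size = block_size
        self.blocks_per_ip = USABLE_PORTS_PER_IP // block_size
        capacity = len(self.pool) * self.blocks_per_ip
        if self.internal.num_addresses > capacity:
            raise ValueError(
                f"{self.internal} has {self.internal.num_addresses} hosts but the pool "
                f"only carries {capacity} blocks of {block_size} ports")

    def outside(self, inside_ip):
        """Forward mapping: internal host -> (public IP, first port, last port)."""
        host = ipaddress.ip_address(inside_ip)
        if host not in self.internal:
            raise ValueError(f"{host} is not in {self.internal}")
        index = int(host) - int(self.internal.network_address)
        public_ip = self.pool[index // self.blocks_per_ip]
        block = index % self.blocks_per_ip
        low = RESERVED_PORTS + block * self.block_size
        return public_ip, low, low + self.block_size - 1

    def inside(self, public_ip, port):
        """Reverse mapping (the DMCA/security lookup): public IP + port -> internal host."""
        addr = ipaddress.ip_address(public_ip)
        if addr not in self.pool:
            raise ValueError(f"{addr} is not in the NAT pool")
        if not RESERVED_PORTS <= port <= 65535:
            raise ValueError(f"port {port} is never used for PAT")
        block = (port - RESERVED_PORTS) // self.block_size
        index = self.pool.index(addr) * self.blocks_per_ip + block
        if index >= self.internal.num_addresses:
            raise ValueError(f"{addr}:{port} lies in an unassigned block")
        return self.internal.network_address + index


if __name__ == "__main__":
    # Constructed figures taken from the thread: ~2K devices, 512 sessions per user.
    print("IPs for 2000 x 512 using all 65536 ports:", pool_size(2000, 512, 65536))
    print("IPs for a /21 (2048 hosts) x 512, reserving 0-1023:", pool_size(2048, 512))
    # Assumed addressing: 10.20.0.0/21 inside, 17 documentation-range public addresses.
    nat = DeterministicPAT("10.20.0.0/21", [f"198.51.100.{i}" for i in range(1, 18)], 512)
    ip, lo, hi = nat.outside("10.20.7.255")
    print(f"10.20.7.255 -> {ip} ports {lo}-{hi}")
    print("complaint about", ip, "port 17000 ->", nat.inside(str(ip), 17000))
```

Two things the arithmetic in the thread glosses over show up here. 2000 × 512 / 65536 is 15.6, so 16 addresses is the floor only if the device really hands out all 65536 ports per IP; reserving the well-known ports drops each address to 126 blocks of 512, and a full /21 of 2048 hosts then needs 17 addresses, which is why the constructor refuses a 16-address pool. And the block scheme trades logging for utilisation: a host that never opens 512 sessions still consumes its whole block, so the per-user cap and the block size should be the same number.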