Wireless Access

Frequent Contributor I
Posts: 98
Registered: ‎08-19-2008

IP Capacity/NAT question

We are running out of IPs in our main SSID and are considering NATing.  I have a few questions for others that might have dealt with this situation:

- Can the M3s handle NATing for about 7000 users? Or is it better to use another box to do the NATing?

- Seems Aruba VRDs recommend subnets no larger than /24, but with a VLAN pool limit of 32 this will not be enough for us. So we either need to do a couple of VAPs with the same SSID profile but different VLAN pools with VLAN mobility enabled (if we want roaming) or

- I have seen some other large deployments use /23 or even /22s. However, it seems to me these would be too large a broadcast domain; even with the "drop broadcast" flag enabled, there would still be a lot of DHCP traffic. Moreover, I believe broadcasts get to the controller, where they are in turn dropped, so the AP still hears all the originating client broadcasts, right?

Thanks,


Marcelo

Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: IP Capacity/NAT question

If you go with a /22 or /23 deployment, you can enable drop broadcast at the VAP level (drops multicast/broadcast in the air) and also enable bcmc optimization on the VLAN (drops multicast/broadcast on the VLAN); this way it should not get to the AP. But if you need multicast in your environment, this may not be a good idea.

If you go with NATing for that many users, it's probably better to have an external box do that.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: IP Capacity/NAT question

Optimize VLAN Broadcast and Multicast Traffic
Broadcast and Multicast (BCMC) traffic from APs, remote APs, or distributions terminating on the same VLAN floods all VLAN member ports. This causes critical bandwidth wastage especially when the APs are connected to L3 cloud where the available bandwidth is limited or expensive. Suppressing the VLAN BCMC traffic to prevent flooding can result in loss of client connectivity.
To effectively prevent flooding of BCMC traffic on all VLAN member ports, use the bcmc-optimization parameter under the interface vlan command. This parameter ensures controlled flooding of BCMC traffic without compromising the client connectivity. By default this option is disabled. You must enable this parameter for the controlled flooding of BCMC traffic.
The bcmc-optimization parameter has the following exemptions:
All DHCP traffic will continue to flood VLAN member ports even if the bcmc-optimization parameter is enabled.

The controller will do proxy ARP if the target IP entry exists on the controller. If the target IP does not exist on the controller, ARP requests will be flooded on all VLAN member ports.

You can configure BCMC optimization in CLI and in the WebUI.
In the CLI
(host) (config) #interface vlan 1
(host) (config-subif)#bcmc-optimization
(host) (config-subif)#show interface vlan 1

http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/Network_Parameters.php
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 98
Registered: ‎08-19-2008

Re: IP Capacity/NAT question

Thanks Victor, I did read the UG many times, but still wasn't 100% sure "originating" client broadcast would not be heard by the AP, since the controller is the one blocking the traffic.  How would the controller block the traffic if it does not know about it?

Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: IP Capacity/NAT question

mlew2433,


You can actually make your subnets as large as you want, like Vfabian says.


If a client sends a broadcast and you have "drop broadcast and multicast" on that Virtual AP, it will not be replicated back down to all the wireless clients. DHCP will only be sent out as a broadcast on the wired side. ARP is answered by the controller and sent back to the client via unicast if you have "Broadcast Filter ARP" enabled on the VAP. You would NOT do this if you have any applications that rely on wireless multicast.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 98
Registered: ‎08-19-2008

Re: IP Capacity/NAT question

Got it, thanks for the explanation.

How about suppress-arp at the VLAN level: is this enabled by default on 6.2 code? If not, is it worth also turning on for large subnets?

Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: IP Capacity/NAT question

According to the 6.1.3.2 release notes:


"Suppress-ARP and Broadcast-Filter ARP

Beginning with ArubaOS 6.1.3.2, suppress-arp on the VLAN interface and broadcast-filter arp on the VAP profile are enabled by default. Behaviors associated with these settings are enabled upon upgrade to ArubaOS 6.1.3.2. Note that suppress-arp has been modified such that gratuitous ARP will still be flooded on all AP tunnels."

You should be good.

Colin Joseph
Aruba Customer Engineering

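As an added example that is not from any poster in this thread, the following ArubaOS 6.x CLI session shows how the three settings discussed above fit together for one large client VLAN: bcmc-optimization and suppress-arp on the VLAN interface, and broadcast-filter on the Virtual AP. The command names bcmc-optimization, suppress-arp, broadcast-filter arp and show interface vlan are the ones quoted in the thread; broadcast-filter all (the CLI form of the WebUI "drop broadcast and multicast" checkbox), the wlan virtual-ap prompt text and show wlan virtual-ap are my assumptions about the 6.x syntax and should be checked against the user guide for the release in use. VLAN id 100 and the profile name "students-vap" are placeholders, and lines beginning with "!" are annotations, not CLI input.

```arubaos
! Added example, not from this thread. VLAN 100 and "students-vap" are placeholders.

! 1. VLAN interface: keep wired BCMC flooding off the AP tunnels.
(host) (config) #interface vlan 100
! Controlled flooding of broadcast/multicast on the VLAN. DHCP still floods;
! ARP is proxied by the controller only when it already knows the target IP.
(host) (config-subif) #bcmc-optimization
! Default on since 6.1.3.2 (release notes quoted above); setting it explicitly
! documents the intent. Gratuitous ARP is still flooded to all AP tunnels.
(host) (config-subif) #suppress-arp
(host) (config-subif) #exit

! 2. Virtual AP: do not replicate client broadcasts back over the air.
(host) (config) #wlan virtual-ap "students-vap"
! ASSUMPTION: "broadcast-filter arp" answers ARP from the controller as unicast;
! "broadcast-filter all" drops all broadcast/multicast in the air.
! Use "arp" if any application depends on wireless multicast, "all" otherwise.
(host) (Virtual AP profile "students-vap") #broadcast-filter all
(host) (Virtual AP profile "students-vap") #exit

! 3. Verify the result.
(host) #show interface vlan 100
(host) #show wlan virtual-ap "students-vap"
```

With these in place a client broadcast still reaches the controller (the AP tunnels everything to it), but it is neither replicated back down to the other wireless clients on the VAP nor flooded onto the wired VLAN beyond the DHCP and unknown-target ARP exemptions the user guide lists, which is what makes a /22 or /23 client subnet workable.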
