Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NAT scaling on M3k

  • 1.  NAT scaling on M3k

    Posted Feb 23, 2014 05:24 PM

    We're considering NATing our open (CP) SSID to ensure there's enough IPv4 space for our .1x users. Looking at the last three months the max clients for the open SSID is under 5k devices. Max clients for the .1x SSID is 15k. We have one master and ten local controllers, all M3ks, running 6.2.1.5.


    With this scale can NAT for the 5k users be done on the controllers or do we need to look at external solutions? Looking at past posts I see Juniper SRX, and Cisco ASA as possible choices. Anyone doing this with Palo Alto?


    Also, is NATing everything or only at the border a better way to go?


    Thanks,

    Mike



  • 2.  RE: NAT scaling on M3k

    Posted Feb 24, 2014 01:43 AM
    Broadly speaking, I think you'd be fine in terms of scaling. Your numbers suggest around 2k users per M3 assuming equal spread. Is that accurate? All users I mean.

    The main thing I would recommend you check into is requirements from your user group in terms of non-NAT-friendly services. Some non-NAT-T legacy services still exist in the form of VPNs. These can be a challenge to support.





  • 3.  RE: NAT scaling on M3k

    Posted Feb 24, 2014 11:55 AM

    Thanks. Do you know if doing NAT on the controllers would interfere with offering AirGroup to NAT'd devices?


    Mike



  • 4.  RE: NAT scaling on M3k

    EMPLOYEE
    Posted Feb 24, 2014 12:05 PM

    mldickson,


    I am waiting for others who have gone through this very exercise, especially in education.


    Quite frankly, most users get a separate border device to do NAT, because they might have to do NAT-to-public-IP inspection, just in case they get a copyright notice.  The specialized border device provides better logging and identification.  You also want the controller to do what it does best:  wireless, and not introduce any overhead that is best served by another device that is specialized to the task.  Lastly, AirPlay/Print will not function if it is between NATted devices, so I would push NAT to the border where it will not introduce issues and handcuff your design.
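The "logging and identification" point in the reply above is what decides whether a copyright or abuse notice can be answered at all: a notice names a public IP, a port and a time, and the NAT device must have retained translation records that map that tuple back to an inside client. The following is an added example, not code from the thread or from any HPE Aruba product, showing that correlation over a constructed translation log. The log syntax, IP addresses and timestamps are all invented for the example; real controllers and firewalls use their own formats. It also shows why port and time are both needed: in the sample, public port 40001 is reused by a second client after the first session closes, and a lookup by public IP alone at a given moment returns more than one candidate.

```python
"""
Added example: map a public (ip, port, proto, time) from an abuse notice back to
the internal client using retained NAT translation logs.
The log format below is CONSTRUCTED for this example and is not the syntax of
any real controller or firewall.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional


class Translation(NamedTuple):
    start: datetime
    end: Optional[datetime]      # None while the session is still open
    inside_ip: str
    inside_port: int
    public_ip: str
    public_port: int
    proto: str


# Constructed sample log: one line per NAT session, "end=-" means still open.
# Note that 203.0.113.10:40001 is reused by 10.20.3.16 after 10.20.3.15's
# session ends at 10:05:30Z.
SAMPLE_LOG = """\
2014-02-24T10:00:01Z end=2014-02-24T10:05:30Z proto=tcp inside=10.20.3.15:51234 public=203.0.113.10:40001
2014-02-24T10:02:11Z end=2014-02-24T10:40:00Z proto=tcp inside=10.20.7.88:49200 public=203.0.113.10:40002
2014-02-24T10:06:00Z end=- proto=tcp inside=10.20.3.16:51000 public=203.0.113.10:40001
2014-02-24T10:07:45Z end=2014-02-24T10:09:00Z proto=udp inside=10.20.9.4:5353 public=203.0.113.11:40001
"""


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Translation]:
    """Turn the constructed key=value log lines into Translation records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        start = parse_ts(fields[0])
        kv = dict(f.split("=", 1) for f in fields[1:])
        end = None if kv["end"] == "-" else parse_ts(kv["end"])
        inside_ip, inside_port = kv["inside"].rsplit(":", 1)
        public_ip, public_port = kv["public"].rsplit(":", 1)
        entries.append(Translation(start, end, inside_ip, int(inside_port),
                                   public_ip, int(public_port), kv["proto"]))
    return entries


def lookup(entries: List[Translation], public_ip: str, public_port: Optional[int],
           when: datetime, proto: str = "tcp") -> List[str]:
    """
    Return the inside "ip:port" endpoints that held the given public address
    at time `when`. With public_port=None, every session on that public IP
    is matched, which is what a notice lacking a port number forces you into.
    """
    hits = []
    for t in entries:
        if t.public_ip != public_ip or t.proto != proto:
            continue
        if public_port is not None and t.public_port != public_port:
            continue
        # Session is active at `when` if it started before and has not ended.
        if t.start <= when and (t.end is None or when <= t.end):
            hits.append(f"{t.inside_ip}:{t.inside_port}")
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    # Notice with a port: a single unambiguous client.
    print(lookup(log, "203.0.113.10", 40001, parse_ts("2014-02-24T10:03:00Z")))
    # Same tuple later: the port has been reused by a different client.
    print(lookup(log, "203.0.113.10", 40001, parse_ts("2014-02-24T10:30:00Z")))
    # Notice without a port: two candidates, which is not good enough.
    print(lookup(log, "203.0.113.10", None, parse_ts("2014-02-24T10:03:00Z")))
```

The practical consequence for a design decision like the one in this thread is that whichever device performs the NAT, controller or border firewall, has to emit session start and end records with the full five-tuple and retain them for as long as notices may arrive; a device that logs only the public IP, or nothing at all, cannot identify the responsible client.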