02-23-2014 02:24 PM
We're considering NATing our open (CP) SSID to ensure there's enough IPv4 space for our .1x users. Looking at the last three months, the max clients for the open SSID is under 5k devices. Max clients for the .1x SSID is 15k. We have one master and ten local controllers, all M3ks, running 188.8.131.52.
With this scale can NAT for the 5k users be done on the controllers or do we need to look at external solutions? Looking at past posts I see Juniper SRX, and Cisco ASA as possible choices. Anyone doing this with Palo Alto?
Also, is NATing everything or only at the border a better way to go?
02-23-2014 10:43 PM
The main thing I would recommend you check into is the requirements from your user group in terms of non-NAT-friendly services. Some non-NAT-friendly legacy services still exist in the form of VPNs. These can be a challenge to support.
02-24-2014 09:04 AM
I am waiting for others who have gone through this very exercise, especially in education.
Quite frankly, most users get a separate border device to do NAT, because they might have to do NAT-to-public-IP inspection, just in case they get a copyright notice. The specialized border device provides better logging and identification. You also want the controller to do what it does best, wireless, and to not introduce any overhead that is best served by another device that is specialized to the task. Lastly, AirPlay/Print will not function between NATed devices, so I would push NAT to the border where it will not introduce issues and handcuff your design.
Aruba Customer Engineering
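To make the "NAT-to-public-IP inspection" point concrete, here is an added example (not code from this thread or from any of the vendors mentioned) of what the border device's translation log has to let you do when an abuse or copyright notice arrives: take the public IP, port, protocol and timestamp from the notice and resolve them back to the inside client. The log line format, the IP addresses and the session events are all constructed for this example and are not any vendor's real syslog syntax; the point is that the log must record creation and teardown times and the protocol, because with PAT the same public port is reused by different inside hosts over time and can be held by a TCP and a UDP flow at once.

```python
"""Resolve a (public IP, port, time) from an abuse notice to the inside client
using NAT session-create/delete log records. Example added for illustration;
the log format below is constructed, not a real vendor format."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed (hypothetical) record format, one event per line:
# <ISO-8601 UTC ts> NAT <create|delete> proto=<tcp|udp> inside=<ip>:<port> \
#     outside=<ip>:<port> dest=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<event>create|delete) proto=(?P<proto>tcp|udp) "
    r"inside=(?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"outside=(?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"dest=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


@dataclass
class Translation:
    proto: str
    inside: str            # client "ip:port" behind the NAT
    outside: str           # "ip:port" seen on the Internet
    dest: str              # remote peer "ip:port"
    start: datetime
    end: Optional[datetime] = None   # None while the session is still open


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(lines):
    """Pair create/delete events into Translation records.

    Sessions are keyed by (proto, outside ip:port). After a delete, the same
    key can legitimately be reused by a different inside host, so the lookup
    must be time-bounded, not just a match on the public endpoint.
    """
    open_sessions = {}
    closed = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # unrelated or malformed line: skip, never guess
        key = (m["proto"], f"{m['out_ip']}:{m['out_port']}")
        if m["event"] == "create":
            open_sessions[key] = Translation(
                m["proto"], f"{m['in_ip']}:{m['in_port']}", key[1],
                f"{m['dst_ip']}:{m['dst_port']}", _ts(m["ts"]))
        else:
            t = open_sessions.pop(key, None)
            if t is not None:
                t.end = _ts(m["ts"])
                closed.append(t)
    return closed + list(open_sessions.values())


def attribute(translations, public_ip, public_port, when, proto=None):
    """Translations that held public_ip:public_port at time `when`.

    Without the protocol from the notice this can return more than one host,
    because TCP and UDP port spaces are translated independently.
    """
    outside = f"{public_ip}:{public_port}"
    hits = []
    for t in translations:
        if t.outside != outside or (proto and t.proto != proto):
            continue
        if t.start <= when and (t.end is None or when <= t.end):
            hits.append(t)
    return hits


def lookup(log_lines, public_ip, public_port, when_iso, proto=None):
    """Convenience wrapper: returns [(proto, inside 'ip:port'), ...]."""
    hits = attribute(parse_nat_log(log_lines), public_ip, public_port,
                     _ts(when_iso), proto)
    return [(t.proto, t.inside) for t in hits]


# Constructed sample log: the public port 4001 is shared by a TCP and a UDP
# session, then reused by a different inside host after the TCP session ends.
SAMPLE_LOG = """
2014-02-23T14:00:00Z NAT create proto=tcp inside=10.20.3.7:51234 outside=203.0.113.5:4001 dest=198.51.100.9:443
2014-02-23T14:00:05Z NAT create proto=udp inside=10.20.8.44:6881 outside=203.0.113.5:4001 dest=192.0.2.77:6881
2014-02-23T14:10:00Z NAT delete proto=tcp inside=10.20.3.7:51234 outside=203.0.113.5:4001 dest=198.51.100.9:443
2014-02-23T14:12:00Z NAT create proto=tcp inside=10.20.9.12:40000 outside=203.0.113.5:4001 dest=192.0.2.77:6881
this line is not a NAT event and is skipped
2014-02-23T15:00:00Z NAT delete proto=udp inside=10.20.8.44:6881 outside=203.0.113.5:4001 dest=192.0.2.77:6881
""".strip().splitlines()

if __name__ == "__main__":
    # A notice naming 203.0.113.5:4001 at 14:05 UTC with no protocol is ambiguous.
    print(lookup(SAMPLE_LOG, "203.0.113.5", 4001, "2014-02-23T14:05:00Z"))
    # With the protocol it resolves to one client.
    print(lookup(SAMPLE_LOG, "203.0.113.5", 4001, "2014-02-23T14:05:00Z", "tcp"))
    # Same public endpoint fifteen minutes later belongs to a different host.
    print(lookup(SAMPLE_LOG, "203.0.113.5", 4001, "2014-02-23T14:20:00Z", "tcp"))
```

The practical consequence for the design question in this thread is that whichever device performs the NAT has to export session create and delete records with timestamps and protocol (and ideally the destination), and those records have to be retained for at least as long as the notice window; a device that only logs "first packet" events, or none at all, leaves you unable to identify the client. The same records are what let you tie the translation back to the .1x identity or captive-portal session on the controller.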