Thanks for the replies. Glad to see that our initial goal to NAT at the border with a large firewall is a common option that has been proven to work... unfortunately our border is being redesigned... and there is pushback to get a new firewall that might just get replaced...
So it looks like I'll be testing the waters of initially NATing smart devices - using NAT pools on our controllers themselves... so far in a small test that works OK...
Still looking at whether I should just NAT everything, or only src-nat traffic destined for off-campus.
Also, does anyone know specifics for Aruba's NAT/PAT... i.e. just looking to do some port location math: will Aruba do PAT to all 65536 ports for a given NAT-POOL IP?
I.e. for 2K devices being NAT'ed, if I cap users at 512 sessions... I should have more than 15 IPs in the NAT-pool to handle the case where all 2K users have 512 active sessions...