Wireless Access

Regular Contributor I

NAT scaling on M3k

We're considering NATing our open (CP) SSID to ensure there's enough IPv4 space for our .1x users. Looking at the last three months the max clients for the open SSID is under 5k devices. Max clients for the .1x SSID is 15k. We have one master and ten local controllers, all M3ks, running


With this scale can NAT for the 5k users be done on the controllers or do we need to look at external solutions? Looking at past posts I see Juniper SRX, and Cisco ASA as possible choices. Anyone doing this with Palo Alto?


Also, is NATing everything or only at the border a better way to go?




Valued Contributor I

Re: NAT scaling on M3k

Broadly speaking, I think you'd be fine in terms of scaling. Your numbers suggest around 2k users per M3 assuming equal spread. Is that accurate? All users I mean.

The main thing I would recommend you check into, is requirements from your user group in terms of non-NAT-friendly services. Some non-NATT legacy services still exist in the form of VPNs. These can be a challenge to support.

Kudos appreciated, but I'm not hunting! (ACMX 104)
Regular Contributor I

Re: NAT scaling on M3k

Thanks. Do you know if doing NAT on the controllers would interfere with offering Airgroup to NAT'd device?



Guru Elite

Re: NAT scaling on M3k



I am waiting for others, who have gone through this very exercise.  Especialli in education.


Quite frankly, most users get a separate border device to do NAT, because they might have to do NAT-to-Public IP inspection, just in case they get a copyright notice.  The specilized border device provides better logging and identification.  You also want the controller to do what it does best:  wireless and to not introduce any overhead that is best served by another device that is specialized to the task.  Lastly, Airplay/Print will not function if it is between Natted devices, so I would push NAT to the border where it will not introduce issues and handcuff your design.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Search Airheads
Showing results for 
Search instead for 
Did you mean: