
Wondering if anyone in the groups is using large scale NAT (say 50K private IPs translating to X public IPs) with any sort of appliance kind of thing? I know you can NAT directly from certain routers but curious about other options.

-Lee Badman

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Feb 22, 2012 at 08:18:53PM +0000, Lee H Badman wrote:
> Wondering if anyone in the groups is using large scale NAT (say 50K private IPs
> translating to X public IPs) with any sort of appliance kind of thing? I know
> you can NAT directly from certain routers but curious about other options.

We don't use an appliance, we use commodity hardware with FreeBSD. 17k users, up to four devices each, in the same /16, with two hundred public IPs.

kmw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAk9GiLAACgkQsKMTOtQ3fKFuCQCgibWqgQXbsZlwBpbLgZtiUpsH
owkAoMS8BXXnURfoytxp6zU8OsE+1dez
=gttr
-----END PGP SIGNATURE-----
Thanks, Kevin. Do you do any rate limiting on these IPs, and if so, is it in the same place?
Message from dyoung@mesd.k12.or.us

Lee,

We are looking at this too. I am currently NAT'ing at the firewall. I'd like (actually need) to separate that process for a few reasons. We have looked at several technologies. The best software solution we have thus far found is pfSense (which I believe was recommended via this list). HOWEVER, as far as we can tell, it doesn't log the state table information, which is a huge issue. We have a Cisco (yes everyone, I actually have a Cisco box on my network) ASA that is underutilized. We were going to investigate its logging capabilities. Our Juniper rep suggests we look at their 4350. I haven't got that far.

I'll be monitoring this thread, but if you find anything off-list that can handle that kind of volume and provide verbose logs, please make sure it gets posted here.

Good luck,

Brian

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Feb 23, 2012 at 07:15:18PM +0000, Lee H Badman wrote:
> Thanks, Kevin. Do you do any rate limiting on these IPs, and if so, is it in the same place?

We do, we shape before it hits the firewalls. We considered shaping on the outside IP but weren't comfortable with letting one user impact everyone sharing that IP.

kmw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAk9GpuUACgkQsKMTOtQ3fKGmdwCeO3ICseNE/1AipmjfS6mDMEv6
sqkAnRY1OE9/qVlpbtXMN3o9pEGlhPnt
=hLqF
-----END PGP SIGNATURE-----

We are doing NAT/PATing for our campus (~35K hosts), with a pair of Cisco ASA 5585X-SSP40 and have enabled informational logging. The logs which we get are ~7GB per day as raw text.

--Samuel

--
Samuel Petreski
Information Security Manager
Georgetown University
sp446@georgetown.edu

Brian, if it helps, we're using the pflowd package to log the state table. The state table is available through pfsync and the pflowd package translates the stream into NetFlow which we visualize with NfSen. The flow data we get is enough to tell us who, internally, was connecting to what externally at any given time. I believe others on this list have collected the raw pfsync data in some manner too and that may afford you even more information.

We also load-balance within the NAT and sync the state table (and pfSense configuration changes) to a secondary system using CARP.

If some of the larger institutions on this list do implement a pfSense or FreeBSD solution, I'd be interested to hear about your hardware configuration and how pfSense scales in your environment.

________________________________
Ian Bergeron - M.Ed, ACTC, ACMT, Net+
Administrator of Networked Systems
MCLA Computer Support Services
Office:(413)662-5394 - Cell:(413)663-0957
Ian.Bergeron@mcla.edu

The EDUCAUSE Network Management Constituent Group Listserv writes:
>Lee,
>
>We are looking at this too. I am currently NAT'ing at the firewall. I'd
>like (actually need) to separate that process for a few reasons. We have
>looked at several technologies. The best software solution we have thus
>far found is pfSense (which I believe was recommended via this list).
>HOWEVER, as far as we can tell, it doesn't log the state table
>information, which is a huge issue. We have a Cisco (yes everyone, I
>actually have a Cisco box on my network) ASA that is underutilized. We
>were going to investigate its logging capabilities. Our Juniper rep
>suggest we look at their 4350. I haven't got that far.
>
>I'll be monitoring this thread, but if you find anything off-list that
>can handle that kind of volume and provide verbose logs, please make sure
>it gets posted here.
>
>Good luck,
>
>Brian
Great topic. Thanks.

At the University of New Hampshire for our WiFi network we are using a Cisco FWSM in a 6504 chassis with a SUP720. We top out at 10,000 instantaneous concurrent wireless user-devices. The NAT translation table hits around 90,000 entries and the NAT pool is using roughly 100 public addresses. We limit the number of connections per user to 1000 UDP and 200 TCP. The CPU averages 15% and memory averages 25%.

Doug

Douglas Green - Network Architect
University of New Hampshire - Regional Optical Network Dept.
131 Main Street - 307 Nesmith Hall
Durham NH 03824
(603) 862-4921 desk - (603) 978-1180 mobile
http://NetworkNHnow.org/
"If I had more time, I would have written a shorter letter." - Cicero
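Editor's note: the recurring security requirement in this thread is the one Brian, Samuel and Ian circle around, namely that behind a large NAT the only thing an abuse report or IDS alert gives you is a public IP, a port and a timestamp, and the translation log is what turns that back into an inside host. Doug's per-user connection caps are the other half: the same log tells you which inside hosts are consuming a disproportionate share of the shared translation table. The script below is an added example by the editor, not code from any poster or from Cisco. It pairs translation "Built" and "Teardown" messages into intervals, answers the question "who held public IP:port at time T", and computes per-host peak concurrent translations. The message layout follows the Cisco ASA 305011/305012 dynamic translation syslog messages; the interface names, addresses, hostnames and every log line in it are constructed for the example, not real campus logs.

```python
"""Attribute a public IP:port at a point in time back to the inside host holding the
NAT translation, and measure per-host concurrent translations, from ASA-style
305011 (Built) / 305012 (Teardown) syslog messages.

Added example for this thread; the sample log lines are constructed, not real."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Leading syslog timestamp as the ASA emits it with "logging timestamp" (assumed
# to be in the same time zone as the abuse report you are answering).
_TS = r"(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
_XLATE = (r"dynamic (?P<proto>TCP|UDP|ICMP) translation from "
          r"(?P<iif>\w+):(?P<iip>[\d.]+)/(?P<iport>\d+) to "
          r"(?P<oif>\w+):(?P<oip>[\d.]+)/(?P<oport>\d+)")
BUILT = re.compile(_TS + r".*%ASA-6-305011: Built " + _XLATE)
TEARDOWN = re.compile(_TS + r".*%ASA-6-305012: Teardown " + _XLATE)

@dataclass
class Xlate:
    proto: str
    inside: Tuple[str, int]    # (inside IP, inside port)
    outside: Tuple[str, int]   # (public IP, public port)
    start: datetime
    end: Optional[datetime] = None   # None: still open when the log ends

def _ts(s: str) -> datetime:
    return datetime.strptime(" ".join(s.split()), "%b %d %Y %H:%M:%S")

def parse_xlate_log(lines: Iterable[str]) -> List[Xlate]:
    """Pair Built/Teardown messages into [start, end) translation intervals."""
    open_by_key: Dict[Tuple[str, str, int], Xlate] = {}
    done: List[Xlate] = []
    for line in lines:
        m = BUILT.search(line)
        if m:
            key = (m["proto"], m["oip"], int(m["oport"]))
            x = Xlate(m["proto"], (m["iip"], int(m["iport"])),
                      (m["oip"], int(m["oport"])), _ts(m["ts"]))
            # A second Built for a public port that is still open means the
            # Teardown was lost (dropped syslog, rotation). Close the stale one
            # here rather than let two hosts claim the same port forever.
            stale = open_by_key.pop(key, None)
            if stale is not None:
                stale.end = x.start
                done.append(stale)
            open_by_key[key] = x
            continue
        m = TEARDOWN.search(line)
        if m:
            x = open_by_key.pop((m["proto"], m["oip"], int(m["oport"])), None)
            if x is not None:
                x.end = _ts(m["ts"])
                done.append(x)
    done.extend(open_by_key.values())
    return done

def who_had(xlates: List[Xlate], proto: str, public_ip: str, public_port: int, at):
    """Inside endpoints that held (proto, public_ip:public_port) at time `at`.
    `at` may be a datetime or a timestamp string in the log's own format."""
    if isinstance(at, str):
        at = _ts(at)
    return [x.inside for x in xlates
            if x.proto == proto and x.outside == (public_ip, public_port)
            and x.start <= at and (x.end is None or at < x.end)]

def peak_concurrent(xlates: List[Xlate], proto: str) -> Dict[str, int]:
    """Maximum simultaneous translations per inside IP (sweep over start/end events)."""
    events = defaultdict(list)
    for x in xlates:
        if x.proto != proto:
            continue
        events[x.inside[0]].append((x.start, 1))
        if x.end is not None:
            events[x.inside[0]].append((x.end, -1))
    peak = {}
    for ip, evs in events.items():
        cur = best = 0
        for _, delta in sorted(evs):   # at equal times -1 sorts before +1
            cur += delta
            best = max(best, cur)
        peak[ip] = best
    return peak

def over_limit(xlates: List[Xlate], limits: Dict[str, int]) -> set:
    """Inside IPs whose peak exceeds a per-protocol cap, e.g. {"TCP": 200, "UDP": 1000}."""
    out = set()
    for proto, cap in limits.items():
        out.update(ip for ip, n in peak_concurrent(xlates, proto).items() if n > cap)
    return out

# Constructed sample: note public port 40001 is reused by a second host after teardown.
SAMPLE_LOG = """\
Feb 23 2012 10:15:02 asa1 : %ASA-6-305011: Built dynamic TCP translation from inside:10.1.2.3/51234 to outside:203.0.113.5/40001
Feb 23 2012 10:15:05 asa1 : %ASA-6-305011: Built dynamic TCP translation from inside:10.1.2.3/51235 to outside:203.0.113.5/40002
Feb 23 2012 10:15:09 asa1 : %ASA-6-305011: Built dynamic UDP translation from inside:10.1.7.9/3478 to outside:203.0.113.5/40003
Feb 23 2012 10:16:30 asa1 : %ASA-6-305012: Teardown dynamic TCP translation from inside:10.1.2.3/51234 to outside:203.0.113.5/40001 duration 0:01:28
Feb 23 2012 10:20:00 asa1 : %ASA-6-305011: Built dynamic TCP translation from inside:10.1.7.9/60000 to outside:203.0.113.5/40001
Feb 23 2012 10:22:10 asa1 : %ASA-6-305012: Teardown dynamic TCP translation from inside:10.1.2.3/51235 to outside:203.0.113.5/40002 duration 0:07:05
""".splitlines()

if __name__ == "__main__":
    xl = parse_xlate_log(SAMPLE_LOG)
    print(who_had(xl, "TCP", "203.0.113.5", 40001, "Feb 23 2012 10:15:30"))
    print(who_had(xl, "TCP", "203.0.113.5", 40001, "Feb 23 2012 10:21:00"))
    print(peak_concurrent(xl, "TCP"))
```

Two practical points the sample is built to show. First, a public IP:port is not an identity: port 40001 belongs to 10.1.2.3 at 10:15:30 and to 10.1.7.9 at 10:21:00, so an abuse report without a timestamp (and a clear time zone, which is why the NAT box and the syslog collector should both be on NTP) cannot be attributed at all. Second, at the 7 GB/day Samuel reports, this linear scan is for illustration; in production the Built/Teardown pairs would be loaded into an indexed store keyed on (protocol, public IP, public port, start time) so a single lookup does not read a day of logs.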