Neil- We also view our publicly routed IP space as a finite space, to be managed carefully. Though we use no NAT or private IP space for wireless users, we are seeing tremendous benefit in both security and public IP space preservation by moving large blocks of devices that have no need to see (or to be seen by) the Internet to private space.
For example, all of our APs and controllers are managed in private space. The gain? Around 1,700 IP addresses today, well over 2,000 by year's end. We are starting to move management of our network switches into private space- another 1,000 IPs saved. Also, starting to work with folks responsible for vending machines, door controllers, PCI-compliance devices, etc- all very good candidates for private space. Hundreds more public addresses saved, and lots of security gains.

NAT, on the other hand, has been an unpopular notion for many reasons for us. Probably the most noteworthy is tracking who did what and when (from both the nuisance traffic tracking and troubleshooting angles) when thousands of users all NAT to a single IP address (or a few IP addresses).

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Johnson, Neil M
Sent: Thursday, May 29, 2008 9:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Using Private IP addresses for wireless users.

We will be out of address space for one of our wireless nets (currently a /21) in the fall. We do not have a larger block available, and attempts to obtain additional address space by fall are not looking promising, so there is a distinct possibility that we will have to move our wireless users to private address space.

So I'm looking for information from other institutions who use private address space for their wireless networks.

We are primarily a Meru shop, although we have about 86 Cisco LWAPP APs in production. We use 802.1X (WPA2 Enterprise) for authentication.

Here are the questions I have:

- How do you implement NAT?
- How do you provide DHCP addresses to your clients?
- How do you handle IDS and Flow data collection?
- What tools and processes do you use to tie a public IP address back to an 802.1X authenticated user?
- What kind of application issues have you run into and how do you handle them?
- Are your end-users satisfied with the service?

Thanks.

--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
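Lee's concern about tracking "who did what and when" behind NAT and Neil's question about tying a public IP back to an 802.1X user are the same correlation problem: walk a public IP:port at a timestamp through the NAT translation log to a private IP, through the DHCP lease to a MAC, and through RADIUS accounting to a username. The following is an added example illustrating that chain; it is not code from either poster, and the log layouts, addresses and usernames are constructed for the example.

```python
from datetime import datetime

# Constructed sample records (not real site data). Each list stands in for the
# kind of log a NAT-for-wireless deployment has to retain for attribution.
NAT_LOG = [
    # (start, end, private_ip, private_port, public_ip, public_port)
    ("2008-05-29 09:40:00", "2008-05-29 09:52:10", "10.20.4.17", 51234, "198.51.100.10", 40001),
    ("2008-05-29 09:41:00", "2008-05-29 09:45:00", "10.20.4.18", 51234, "198.51.100.10", 40002),
]
DHCP_LEASES = [
    # (start, end, mac, private_ip)
    ("2008-05-29 08:00:00", "2008-05-29 12:00:00", "00:1a:2b:3c:4d:5e", "10.20.4.17"),
    ("2008-05-29 09:30:00", "2008-05-29 13:30:00", "00:1a:2b:3c:4d:5f", "10.20.4.18"),
]
RADIUS_ACCT = [
    # (start, end, mac, username) from Acct-Start/Acct-Stop with Calling-Station-Id
    ("2008-05-29 07:59:30", "2008-05-29 11:00:00", "00:1a:2b:3c:4d:5e", "jdoe"),
    ("2008-05-29 09:29:50", "2008-05-29 10:30:00", "00:1a:2b:3c:4d:5f", "asmith"),
]


def _within(t, start, end):
    """True if timestamp t falls inside the [start, end] interval of a record."""
    return datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)


def attribute(public_ip, public_port, when):
    """Map public IP:port at time `when` back to an 802.1X username.

    Every hop must resolve to exactly one record; zero matches means the logs
    do not cover that moment, more than one means the translation/lease/session
    data overlaps and the answer would be ambiguous. Both return None rather
    than a guess, which is the failure mode Lee describes with shared NAT IPs.
    """
    t = datetime.fromisoformat(when)
    nat = [r for r in NAT_LOG
           if r[4] == public_ip and r[5] == public_port and _within(t, r[0], r[1])]
    if len(nat) != 1:
        return None
    _, _, priv_ip, priv_port, _, _ = nat[0]
    lease = [r for r in DHCP_LEASES if r[3] == priv_ip and _within(t, r[0], r[1])]
    if len(lease) != 1:
        return None
    mac = lease[0][2]
    sess = [r for r in RADIUS_ACCT if r[2] == mac and _within(t, r[0], r[1])]
    if len(sess) != 1:
        return None
    return {"private_ip": priv_ip, "private_port": priv_port, "mac": mac, "user": sess[0][3]}
```

Without the NAT translation log (with port numbers and timestamps) the first hop is impossible, which is why per-connection NAT logging volume, not DHCP or RADIUS, is usually the cost that decides whether NAT for thousands of users is practical.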