Mike,

We, too, are an Aruba shop, and have been doing NAT on our academic and ResNet 
wireless networks for about a year now.  Two years ago, we ran out of IP 
addresses on our wireless network on Move-In Weekend and had to scramble to add 
additional subnets - a scarce commodity here at Emory.  To prevent that from 
happening last year, we implemented NAT for our wireless clients and now have 
plenty of address space for our growing user base.

We let the Aruba controllers perform the NAT function (very easy to set up - 
just a firewall rule in the user role in the Aruba config). We've not had any 
complaints from users regarding NAT issues; we were concerned that it might 
break some apps, but no problems have been observed or reported.  We've even 
got our homegrown NAC (NetReg/CAT) working over the wireless, too - NetReg DHCP 
traffic is not NAT'ed, but all other traffic is.  This all works great, thanks 
to the Aruba capabilities.

The only issue we've had with NAT has been voiced by Philippe - DMCA notices 
are hard to isolate.  Our wired network has some protection in place to 
identify and reduce peer-to-peer traffic (Tipping Points), so we don't 
generally get a lot of notices.  User tracking and RF location still work well 
as those are functions of the radio and authentication subsystems.  Our 
academic users log on using 802.1x/WPA-Enterprise, so we have usernames and 
locations in our logs.  Connecting those usernames to the NAT pool IP addresses 
is the hard part.

I'd be happy to share some basic configuration tips and tricks regarding NAT 
with you off-list, or on-list if others are interested.

BTW - We've been NAT'ing our guest access users since day one on the Aruba 
equipment.  Guests "log in" through the captive portal and are given limited 
access - bandwidth limited web access and VPN access back to their home 
organizations.

 >>-> Stan Brooks - CWNA/CWSP
      Emory University
      Network Communications Division
      404.727.0226
AIM/Y!/Twitter: WLANstan
           MSN: [EMAIL PROTECTED]
    GoogleTalk: [EMAIL PROTECTED]
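
One way to approach the username-to-NAT-pool correlation described above as the hard part, as an added example that is not part of the original message or of any Aruba tooling. It assumes NAT translations are logged with public port and timestamps and that 802.1X sessions give username and private IP; all records and field layouts below are constructed.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample data; the field layout is an assumption, not a vendor log format.
# NAT translations: (private_ip, private_port, public_ip, public_port, start, end)
NAT_LOG = [
    ("10.20.1.15", 51000, "192.0.2.10", 40001, ts("2008-07-01 09:00:00"), ts("2008-07-01 09:05:00")),
    ("10.20.3.77", 51000, "192.0.2.10", 40002, ts("2008-07-01 09:01:00"), ts("2008-07-01 09:30:00")),
    # Same public port reused later, by a private IP that has since changed hands.
    ("10.20.1.15", 52000, "192.0.2.10", 40002, ts("2008-07-01 10:00:00"), ts("2008-07-01 10:10:00")),
]
# 802.1X sessions: (username, private_ip, start, end)
AUTH_LOG = [
    ("alice", "10.20.1.15", ts("2008-07-01 08:50:00"), ts("2008-07-01 09:45:00")),
    ("bob",   "10.20.3.77", ts("2008-07-01 08:55:00"), ts("2008-07-01 11:00:00")),
    ("carol", "10.20.1.15", ts("2008-07-01 09:50:00"), ts("2008-07-01 12:00:00")),
]

def attribute(public_ip, public_port, when, skew=timedelta(seconds=30)):
    """Return usernames that could have held public_ip:public_port at `when`.

    public_port=None models a notice that reports only the IP address.
    `skew` tolerates clock drift between the reporter and the local logs.
    """
    users = set()
    for priv_ip, _priv_port, pub_ip, pub_port, n_start, n_end in NAT_LOG:
        if pub_ip != public_ip:
            continue
        if public_port is not None and pub_port != public_port:
            continue
        if not (n_start - skew <= when <= n_end + skew):
            continue
        # Map the private IP to whoever was authenticated on it at that time.
        for user, ip, a_start, a_end in AUTH_LOG:
            if ip == priv_ip and a_start - skew <= when <= a_end + skew:
                users.add(user)
    return users

if __name__ == "__main__":
    print(attribute("192.0.2.10", None, ts("2008-07-01 09:02:00")))
    print(attribute("192.0.2.10", 40002, ts("2008-07-01 09:02:00")))
    print(attribute("192.0.2.10", 40002, ts("2008-07-01 10:05:00")))
```

A notice that carries only the pool address and a time matches every user translated through that address at that moment; the source port is what narrows it to one session.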

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Michael Dickson
Sent: Tuesday, July 01, 2008 9:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NAT in large scale wireless networks

Though we currently have enough available routed IP space for our
wireless clients we are looking toward the future and wondering if
NAT-ing the wireless network makes sense.

Does anyone have any experiences, good or bad, using NAT for the
wireless client pool in a large scale environment? What features "go
away" (i.e. RFID or user tracking, etc.) Are there any gotchas?

We're an Aruba shop and expect about 3000+ wireless clients this
semester and have been adding more APs by the week.

Thanks,
  Mike

***************************************************************
Michael Dickson                     Phone: 413-545-9639
Network Analyst                     [EMAIL PROTECTED]
University of Massachusetts
Network Systems and Services
***************************************************************

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
