We deterministically NAT up to four devices for an individual user to a
single public IP. As our typical user has less than four devices, it works
out that most students have a single public IP assigned to them. Should
they authenticate a fifth device, a second IP is assigned to cover devices
five, six, seven, and eight. The effect is that we've quadrupled our IP
utilization.

It's mostly a matter of handing out predetermined IP addresses which
include a series of bits used to identify which "group of four" it should
be NATed to. Our F5 box can examine the private IP, do a little bit
shuffling, and calculate the corresponding public IP. This calculation is
extremely lightweight, allowing the whole system to scale quite well. The
heavy lifting occurs when the device is onboarded the first time, at which
point a "group of four" is allocated for the user.

Norman Elton
College of William & Mary

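A constructed model of the scheme described above (an added example, not the college's actual DHCP or F5 configuration): the private address carries two low bits that select the device within its "group of four", and shifting those bits off yields the public IP, so the translation is a pure calculation and only the per-user group allocation at onboarding keeps state. The private range, public pool and address values are assumptions.

```python
import ipaddress

# Constructed parameters (assumptions, not the college's actual DHCP/F5 settings):
PRIVATE_BASE = ipaddress.IPv4Network("10.0.0.0/8")     # DHCP hands out from here
PUBLIC_POOL = ipaddress.IPv4Network("128.239.0.0/16")  # pool the F5 NATs to
DEVICE_BITS = 2                                        # 2 bits -> 4 devices per group
GROUP_SIZE = 1 << DEVICE_BITS

def private_for(group, slot):
    """DHCP side: the fixed private address of device `slot` (0-3) in `group`."""
    if not 0 <= slot < GROUP_SIZE or (group << DEVICE_BITS) >= PRIVATE_BASE.num_addresses:
        raise ValueError("slot or group out of range")
    return PRIVATE_BASE.network_address + ((group << DEVICE_BITS) | slot)

def public_for(private_ip):
    """NAT side: shift off the device bits; the group index selects the public IP."""
    addr = ipaddress.IPv4Address(private_ip)
    if addr not in PRIVATE_BASE:
        raise ValueError("not a managed private address")
    group = (int(addr) - int(PRIVATE_BASE.network_address)) >> DEVICE_BITS
    if group >= PUBLIC_POOL.num_addresses:
        raise ValueError("group outside the public pool")
    return PUBLIC_POOL.network_address + group

def group_for(public_ip):
    """Attribution side: public IP -> group index; the onboarding record names the user."""
    addr = ipaddress.IPv4Address(public_ip)
    if addr not in PUBLIC_POOL:
        raise ValueError("not in the public pool")
    return int(addr) - int(PUBLIC_POOL.network_address)

class Onboarding:
    # The heavy lifting, done once per device: allocate a group of four per user.
    def __init__(self):
        self.next_group = 1    # group 0 would be the pool's network address; skip it
        self.owner = {}        # group index -> user
        self.devices = {}      # user -> private addresses assigned so far

    def onboard(self, user):
        mine = self.devices.setdefault(user, [])
        slot = len(mine) % GROUP_SIZE
        if slot == 0:          # 1st, 5th, 9th ... device: allocate a fresh group
            group, self.next_group = self.next_group, self.next_group + 1
            self.owner[group] = user
        else:                  # 2nd-4th device: reuse the group of the previous one
            group = group_for(public_for(mine[-1]))
        ip = private_for(group, slot)
        mine.append(ip)
        return ip
    def user_for(self, public_ip):
        return self.owner.get(group_for(public_ip))
```

Five onboarded devices for one user land on two public IPs, and either public IP resolves back to that user; which of the four devices was active still has to come from flow logs, as the thread notes.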

On Monday, February 23, 2015, Chuck Anderson <[email protected]> wrote:

> If you have 1 public IP address reserved for each individual user, why
> do you need to do NAT at all?  This is a serious question--if you
> aren't saving public IPs by doing 1:many NAT, why do NAT at all?
>
> Thanks.
>
> On Mon, Feb 23, 2015 at 11:33:45AM -0500, Norman Elton wrote:
> > We play tricks with our ISC DHCP server and a pair of F5 LTMs (similar
> > to the A10 gear). The DHCP server hands out predetermined private IP
> > addresses to devices as soon as we determine ownership (through our
> > NAC). For outbound traffic, the F5 uses this private IP address to NAT
> > to a public IP address that is reserved for the individual user. The
> > end result is that no matter where the device is on campus, we know
> > that 128.239.x.y is something owned by Joe Smith. If we need to know
> > exactly which device, we consult our flow logs. But at least we're 99%
> > confident we're dealing with the right student.
> >
> > I'm happy to share the gory details if someone wants to wrap their
> > head around it.
> >
> > Norman Elton
> > College of William & Mary
> >
> >
> >
> > On Mon, Feb 23, 2015 at 10:30 AM, Danny Eaton <[email protected]> wrote:
> > > We've got our Juniper SRX 5800 doing our NAT for all wireless, plus all
> > > students and visitors (wired or wireless).
> > >
> > > We send those logs (and the SRX is VERY CHATTY about NAT) to our Splunk
> > > server for the tying together of date/time, public IP and private IP -
> > > in the event we get a notice from some TLA.
> > >
> > > -----Original Message-----
> > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > > [mailto:[email protected]] On Behalf Of Heath Barnhart
> > > Sent: Monday, February 23, 2015 9:12 AM
> > > To: [email protected]
> > > Subject: Re: [WIRELESS-LAN] NAT tracking question
> > >
> > > We use a Sonicwall E8500 for NAT, it will log all NAT translations and
> > > send them as syslog to a server for storage. I have logrotate changing
> > > files every hour to make it easier to search on.
> > > --
> > > Heath Barnhart
> > > ITS Network Administrator
> > > Washburn University
> > > Topeka, KS
> > >
> > >
> > > On Wed, 2015-01-14 at 14:49 -0500, Jerry Bucklaew wrote:
> > >> To ALL:
> > >>
> > >>     We have a large Cisco wireless deployment with public ip address
> > >> space.  Getting more public IPs is getting difficult so we are
> > >> considering going to NAT.  The issue we have with NAT is that we still
> > >> want to be able to map an outside IP back to an individual user.  Once
> > >> you go to NAT that of course becomes more difficult to do.  I know a
> > >> lot of you are probably already doing this and I was wondering how and
> > >> what products do you use?  I assume most have a one to many NAT and
> > >> then use something like a netflow collector to track the inside NAT IP
> > >> to the outside Src-IP/DST-IP/Port/Time. Any good working solutions or
> > >> products would be helpful.
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
>
