Hey Norm,

For those of us with limited IP space, this sounds really interesting. Not sure if it belongs on the listserv or not (feel free to contact me off-line), but I am interested in your setup/config and would like to know more about it. Would you be able to supply some details?

--- Jeff

From: Norman Elton <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
Date: Monday, February 23, 2015 8:11 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
Subject: Re: [WIRELESS-LAN] NAT tracking question

We deterministically NAT up to four devices for an individual user to a single public IP. As our typical user has fewer than four devices, it works out that most students have a single public IP assigned to them. Should they authenticate a fifth device, a second IP is assigned to cover devices five, six, seven, and eight. The effect is that we've quadrupled our IP utilization.

It's mostly a matter of handing out predetermined IP addresses which include a series of bits used to identify which "group of four" it should be NATed to. Our F5 box can examine the private IP, do a little bit shuffling, and calculate the corresponding public IP. This calculation is extremely light-weight, allowing the whole system to scale quite well. The heavy lifting occurs when the device is onboarded the first time, at which point a "group of four" is allocated for the user.

Norman Elton
College of William & Mary

On Monday, February 23, 2015, Chuck Anderson <[email protected]> wrote:

If you have 1 public IP address reserved for each individual user, why do you need to do NAT at all? This is a serious question--if you aren't saving public IPs by doing 1:many NAT, why do NAT at all?

Thanks.

On Mon, Feb 23, 2015 at 11:33:45AM -0500, Norman Elton wrote:
> We play tricks with our ISC DHCP server and a pair of F5 LTMs (similar
> to the A10 gear). The DHCP server hands out predetermined private IP
> addresses to devices as soon as we determine ownership (through our
> NAC). For outbound traffic, the F5 uses this private IP address to NAT
> to a public IP address that is reserved for the individual user. The
> end result is that no matter where the device is on campus, we know
> that 128.239.x.y is something owned by Joe Smith. If we need to know
> exactly which device, we consult our flow logs. But at least we're 99%
> confident we're dealing with the right student.
>
> I'm happy to share the gory details if someone wants to wrap their
> head around it.
>
> Norman Elton
> College of William & Mary
>
> On Mon, Feb 23, 2015 at 10:30 AM, Danny Eaton <[email protected]> wrote:
> > We've got our Juniper SRX 5800 doing our NAT for all wireless, plus all
> > students and visitors (wired or wireless).
> >
> > We send those logs (and the SRX is VERY CHATTY about NAT) to our Splunk
> > server for the tying together of date/time, public IP and private IP - in
> > the event we get a notice from some TLA.
> >
> > -----Original Message-----
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > [mailto:[email protected]] On Behalf Of Heath Barnhart
> > Sent: Monday, February 23, 2015 9:12 AM
> > To: [email protected]
> > Subject: Re: [WIRELESS-LAN] NAT tracking question
> >
> > We use a Sonicwall E8500 for NAT, it will log all NAT translations and send
> > them as syslog to a server for storage. I have logrotate changing files
> > every hour to make it easier to search on.
> > --
> > Heath Barnhart
> > ITS Network Administrator
> > Washburn University
> > Topeka, KS
> >
> > On Wed, 2015-01-14 at 14:49 -0500, Jerry Bucklaew wrote:
> >> To ALL:
> >>
> >> We have a large Cisco wireless deployment with public IP address
> >> space. Getting more public IPs is getting difficult so we are
> >> considering going to NAT. The issue we have with NAT is that we still
> >> want to be able to map an outside IP back to an individual user. Once
> >> you go to NAT that of course becomes more difficult to do. I know a
> >> lot of you are probably already doing this and I was wondering how and
> >> what products do you use? I assume most have a one to many NAT and then
> >> use something like a netflow collector to track the inside NAT IP to
> >> the outside Src-IP/DST-IP/Port/Time. Any good working solutions or
> >> products would be helpful.

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
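The "group of four" scheme Norman describes, modelled as an added example (this is not William & Mary's configuration or the F5's code). The bit layout, the 10.0.0.0/16 private range and the 203.0.113.0/24 public pool are all constructed assumptions; the point is that translation is pure arithmetic on the private address, while allocation of a group to a user happens once, at onboarding.

```python
import ipaddress

# Constructed layout (hypothetical, not the real deployment): the low 2 bits of
# the private address are the device slot (0-3) within a group of four, the bits
# above select the group, and the group index is the host part of the public IP.
PRIVATE_BASE = int(ipaddress.IPv4Address("10.0.0.0"))
PUBLIC_BASE = int(ipaddress.IPv4Address("203.0.113.0"))
SLOT_BITS = 2
GROUP_SIZE = 1 << SLOT_BITS        # four devices per public IP
GROUP_MAX = 255                     # groups 1..254 fit the constructed /24 pool


def private_for(group, slot):
    """DHCP side: the predetermined private address for (group, slot)."""
    return str(ipaddress.IPv4Address(PRIVATE_BASE | (group << SLOT_BITS) | slot))


def public_for(private_ip):
    """NAT side: derive the public IP from the private IP by bit shuffling alone,
    no per-flow state or lookup table needed."""
    host = int(ipaddress.IPv4Address(private_ip)) - PRIVATE_BASE
    return str(ipaddress.IPv4Address(PUBLIC_BASE + (host >> SLOT_BITS)))


class Onboarder:
    """The heavy lifting at NAC time: hand each user a group, and a new group
    for every fifth device; remember which user owns which group."""

    def __init__(self):
        self.next_group = 1
        self.user_groups = {}     # user -> [group, ...]
        self.group_owner = {}     # group -> user (the public IP -> user mapping)
        self.device_count = {}    # user -> devices onboarded so far
        self.leases = {}          # device id (e.g. MAC) -> private IP

    def onboard(self, user, device):
        if device in self.leases:                 # known device keeps its address
            return self.leases[device]
        n = self.device_count.get(user, 0)
        groups = self.user_groups.setdefault(user, [])
        if n % GROUP_SIZE == 0:                   # 1st, 5th, 9th... device: new group
            if self.next_group >= GROUP_MAX:
                raise RuntimeError("public pool exhausted")
            groups.append(self.next_group)
            self.group_owner[self.next_group] = user
            self.next_group += 1
        ip = private_for(groups[n >> SLOT_BITS], n & (GROUP_SIZE - 1))
        self.leases[device] = ip
        self.device_count[user] = n + 1
        return ip

    def owner_of_public(self, public_ip):
        """Abuse-report lookup: public IP -> user, without consulting flow logs."""
        return self.group_owner.get(int(ipaddress.IPv4Address(public_ip)) - PUBLIC_BASE)
```

Identifying the exact device behind a report still requires flow logs, as the thread notes; this mapping only narrows a public IP to one user.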
