[167187] in North American Network Operators' Group
Advice on v4 NAT for farm of file transfer clients
daemon@ATHENA.MIT.EDU (Andy Litzinger)
Tue Dec 3 17:05:54 2013
From: Andy Litzinger <Andy.Litzinger@theplatform.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 3 Dec 2013 22:05:41 +0000
Hi all,
We have a pool of around 100 file transfer clients. They reach out to publicly addressed servers on the net to get and put files. Rather than burn 100 public v4 addresses for the clients, we've traditionally had these guys behind a firewall performing source NAT/PAT overloading about 10 IPs.

Recently we've been seeing increases in the amount of throughput to/from the servers through the FW. Within the next 12 mos I expect we'll want to support 10Gbps. Since buying a firewall that supports 10Gbps is fairly expensive I thought I'd seek out alternative ideas before we blindly purchase a bigger firewall. Also, a stateful firewall seems like a bit of overkill for what is actually required. I'm confident we can limit our FTP support to passive connections which should remove the requirement of using a device that supports active FTP (i.e. application inspection).

Currently we're using a Juniper SRX550 to do this (which replaced an overwhelmed ASA 5520). Avg packet size we see according to the SRX is 1000 bytes.
thanks!
-andy