[167188] in North American Network Operators' Group
Re: Advice on v4 NAT for farm of file transfer clients
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Dec 3 17:15:39 2013
In-Reply-To: <9F4D4FC766780045A8E7ECEA533A1A8D03924A2F@CORPTPMAIL03.corp.theplatform.com>
Date: Tue, 3 Dec 2013 17:15:18 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Andy Litzinger <Andy.Litzinger@theplatform.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
1) why not just use public ips?
2) why not (if not 1) have more than 1 outbound path/nat-device?
On Tue, Dec 3, 2013 at 5:05 PM, Andy Litzinger <Andy.Litzinger@theplatform.com> wrote:
> Hi all,
> We have a pool of around 100 file transfer clients. They reach out to publicly addressed servers on the net to get and put files. Rather than burn 100 public v4 addresses for the clients, we've traditionally had these guys behind a firewall performing source NAT/PAT overloading about 10 IPs.
>
> Recently we've been seeing increases in the amount of throughput to/from the servers through the FW. Within the next 12 mos I expect we'll want to support 10Gbps. Since buying a firewall that supports 10Gbps is fairly expensive I thought I'd seek out alternative ideas before we blindly purchase a bigger firewall. Also, a stateful firewall seems like a bit of overkill for what is actually required. I'm confident we can limit our FTP support to passive connections which should remove the requirement of using a device that supports active FTP (i.e. application inspection).
>
> Currently we're using a Juniper SRX550 to do this (which replaced an overwhelmed ASA 5520). Avg packet size we see according to the SRX is 1000 bytes.
>
> thanks!
> -andy
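The quoted message describes ~100 clients behind source NAT/PAT overloading about 10 public IPs. The following is an added illustration, not code from either poster or from Juniper: a toy model of a PAT translator over a small address pool. It shows how each outbound flow consumes one (public IP, port) slot, what the pool's capacity is, what happens when it is exhausted (which is where Morrow's second question, more NAT devices or outbound paths, becomes relevant), and how the translation table answers the incident-response question "which inside host was behind this public IP and port?". All addresses and port ranges below are constructed placeholders.

```python
"""Toy source-NAT/PAT (port overload) translator.

Added example for illustration only; not the SRX550 or ASA implementation,
and not code posted in the thread. Addresses are RFC 5737 documentation
ranges chosen here as constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """An outbound 4-tuple as seen on the inside (private) side."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    """Many inside hosts share a small pool of public IPs; each distinct
    outbound flow is assigned one (public_ip, public_port) slot, and slots
    are unique regardless of destination (endpoint-independent mapping)."""

    def __init__(self, pool, port_lo=1024, port_hi=65535):
        self.pool = list(pool)                      # public IPs to overload
        self.ports = range(port_lo, port_hi + 1)    # translated port range
        self.capacity = len(self.pool) * len(self.ports)
        self.table = {}     # Flow -> (public_ip, public_port)
        self.reverse = {}   # (public_ip, public_port) -> Flow
        self.log = []       # translation log lines, kept for attribution

    def _free_slot(self):
        # First-fit search; a real device keeps a free list, but the
        # observable behaviour (one slot per flow, hard limit) is the same.
        for pub_ip in self.pool:
            for port in self.ports:
                if (pub_ip, port) not in self.reverse:
                    return pub_ip, port
        raise RuntimeError("NAT pool exhausted: add public IPs or NAT devices")

    def translate(self, flow):
        """Return the public (ip, port) for a flow, allocating on first use."""
        if flow in self.table:
            return self.table[flow]
        pub_ip, port = self._free_slot()
        self.table[flow] = (pub_ip, port)
        self.reverse[(pub_ip, port)] = flow
        self.log.append(
            f"SNAT {flow.src_ip}:{flow.src_port} -> {pub_ip}:{port} "
            f"dst {flow.dst_ip}:{flow.dst_port}")
        return pub_ip, port

    def release(self, flow):
        """Free a slot when the session ends (or its idle timer expires)."""
        slot = self.table.pop(flow, None)
        if slot is not None:
            del self.reverse[slot]

    def attribute(self, pub_ip, pub_port):
        """Map a public (ip, port), e.g. from an abuse report or server log,
        back to the inside host that currently owns it; None if unknown."""
        return self.reverse.get((pub_ip, pub_port))

    def utilization(self):
        """Fraction of the pool's slots currently in use."""
        return len(self.table) / self.capacity


def simulate(translator, n_clients, sessions_per_client, server="198.51.100.7"):
    """Open `sessions_per_client` passive-FTP-style sessions (one control
    connection plus one data connection each) from each inside client and
    return the resulting pool utilization."""
    for c in range(1, n_clients + 1):
        for s in range(sessions_per_client):
            base = 50000 + 2 * s
            translator.translate(Flow(f"10.0.0.{c}", base, server, 21))       # control
            translator.translate(Flow(f"10.0.0.{c}", base + 1, server, 60000))  # data
    return translator.utilization()


if __name__ == "__main__":
    pool = [f"203.0.113.{i}" for i in range(1, 11)]   # 10 public IPs
    nat = PatTranslator(pool)
    print("capacity:", nat.capacity)
    print("utilization:", simulate(nat, 100, 5))
    print(nat.log[0])
    print("owner of 203.0.113.1:1024 ->", nat.attribute("203.0.113.1", 1024))
```

The `log` list stands in for what a defender must actually retain: without per-translation logs with timestamps, an external report naming a shared public IP and port cannot be tied to one of the 100 clients. The `utilization` figure is what to watch when planning capacity, since the pool runs out by slot count, not by throughput.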