[37934] in Resnet-Forum
Re: Anyone using NAT in Resnet?
daemon@ATHENA.MIT.EDU (Andrew Wolf)
Wed Feb 6 20:19:52 2013
Message-ID: <D6AE4526AE192B4592161988CA31B8FC235C9758@maildb.wfo.linfield.edu>
Date: Thu, 7 Feb 2013 01:19:13 +0000
Reply-To: Resnet Forum <RESNET-L@LISTSERV.ND.EDU>
From: Andrew Wolf <awolf@linfield.edu>
To: RESNET-L@LISTSERV.ND.EDU
In-Reply-To: <5112FE3D.5060505@utc.edu>
Pretty much the same here, but using PAT. All the students are in one of 4 subnets which translate to 4 public IP addresses with PAT.
10.120.x.x for wired
10.121.x.x for wireless
10.122.x.x for gamers
10.123.x.x for special stuff
Our NetEqualizer keeps the simultaneous connections down to a minimum, so p2p is very restricted. Student bandwidth is controlled in a maximum pool out of a total bandwidth for the campus; and the wireless additionally have rate caps to keep the wireless network in check.
Feel free to contact me offline for specific questions....
Andrew Wolf
Linfield College
From: Resnet Forum [mailto:RESNET-L@LISTSERV.ND.EDU] On Behalf Of Jeff Kell
Sent: Wednesday, February 06, 2013 5:07 PM
To: RESNET-L@LISTSERV.ND.EDU
Subject: Re: Anyone using NAT in Resnet?
On 2/6/2013 7:05 PM, Todd Chapman wrote:
Hello,
We are running into IP space limitations here and are considering using NAT for the student housing network. We have a Procera PL8820 handling the bandwidth enforcement duties. My question is, has anyone out there done this with a similar setup, and if so are there any 'gotcha' issues to be aware of?
We NAT our entire campus :) Default deny inbound. If you want to run a public-facing service, you apply for a static NAT and specify which ports/protocols are to be exposed. Everything else is thrown into 1-to-1 dynamic NAT pools with somewhat conservative idle timeouts that result in a teardown of the translation and return to the pool. Public-facing services are reduced to a few /24s, everything else is blocked.

You must be prepared with a "healthy" logging facility to track your internal-to-external mappings, but if you have the space to maintain 1-to-1 dynamic mappings, you need only track the setups and teardowns of the translations. If you do overload NAT / PAT then you must log each connection (which gets huge and difficult to track).

Depending on your device... you may be able to compromise. We have a large 1-to-1 NAT pool and a much smaller overload pool in the event we run out of IPs.

You likely want NAT performed as close to your border as possible, so that any intermediate logging/inspection (netflow, IDS/IPS, firewall, etc) will be referencing internal IPs as opposed to the externals you will have to track back down to get the true source.

Really depends on your NAT policy and device capabilities, it is a potential choke point (DoS or DDoS). If you permit P2P traffic, it will tax your NAT resources further (single clients can generate thousands of connections) but that is essentially true of any stateful firewall, NAT or not.

Good luck :) If you have any more specific questions, feel free to contact me offline.
Jeff
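An added example (not from the thread, and not code from any NAT vendor) in Python that models the policy Jeff describes: a 1-to-1 dynamic NAT pool with idle-timeout teardown and a setup/teardown log, an overload (PAT) fallback when the pool runs dry, and a lookup that attributes a public IP seen at a given time back to the internal host using only the setup/teardown events. Pool sizes, addresses, timestamps and the idle timeout are constructed; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class NatPool:
    """Toy 1-to-1 dynamic NAT pool with a shared overload (PAT) address."""
    free: list                 # public IPs available for 1-to-1 mappings (constructed)
    overload_ip: str           # single shared IP used once the pool is exhausted
    idle_timeout: int          # seconds of inactivity before a mapping is torn down
    active: dict = field(default_factory=dict)  # internal -> (public, last_seen)
    log: list = field(default_factory=list)     # (time, event, internal, public[, dst_port])

    def translate(self, internal, now, dst_port=None):
        """Return the public address used for a packet from `internal` at time `now`."""
        self.expire(now)
        if internal in self.active:
            public, _ = self.active[internal]
            self.active[internal] = (public, now)      # refresh idle timer
            return public
        if self.free:
            public = self.free.pop(0)
            self.active[internal] = (public, now)
            self.log.append((now, "setup", internal, public))
            return public
        # Pool exhausted: overload/PAT, which needs a record per connection (port included).
        self.log.append((now, "pat", internal, self.overload_ip, dst_port))
        return self.overload_ip

    def expire(self, now):
        """Tear down mappings idle longer than idle_timeout and return the IPs to the pool."""
        for internal, (public, last) in list(self.active.items()):
            if now - last > self.idle_timeout:
                del self.active[internal]
                self.free.append(public)
                # Log the moment the mapping actually went idle, not when we noticed it.
                self.log.append((last + self.idle_timeout, "teardown", internal, public))


def who_had(log, public, when):
    """Attribute `public` at time `when` to an internal host from setup/teardown events only.

    Returns None if the address was free at that time or is the PAT overload address,
    which can only be attributed with the per-connection (port) records.
    """
    owner = None
    for t, event, internal, pub, *_ in sorted(log, key=lambda e: e[0]):
        if t > when or pub != public:
            continue
        if event == "setup":
            owner = internal
        elif event == "teardown" and owner == internal:
            owner = None
    return owner
```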
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________