Very large client network - NATing woes

I have a bit of a dilemma. I am doing work on a very large client network (50,000 clients).

The backend is all private IP (dhcp), so at some point we have to NAT out.

We've hit two bottlenecks. First, is the dhcp server, the second is the appliance we use to NAT.

I had to fill in someone else's shoes, but let's just say the current appliance was a bad choice (Citrix Netscaler). I do know that they tried to NAT in their 7604 (Sup720), and the load was way too much.

Since some security was needed, my initial thoughts are an ASA 5550 (or multiple 5550's). Just curious as to how well these units could handle a very very large NAT load of traffic.

As for the dhcp server, it's a Sun box. I'm curious, but would using a 3800 series router be any better in performance? The current dhcp server is dealing with 30,000 clients at any time, plus handling existing/expiring leases, i.e. the dhcp lease file is over 100Mb. We're running isc-dhcp.
essenz
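As an added example (not code from the thread or from ISC), the following Python reads an ISC dhcpd.leases journal of the kind essenz describes. The file is append-only: dhcpd writes a new record every time a lease changes state and only rewrites the file periodically, so the record count (and file size) says little about real utilisation; the last record per address is what counts. The sample leases text is constructed.

```python
import re
from collections import Counter

# Constructed sample of an ISC dhcpd.leases journal. 10.1.0.10 appears twice:
# the later record (binding state free) supersedes the earlier active one.
SAMPLE_LEASES = """\
lease 10.1.0.10 {
  starts 3 2024/01/10 08:00:00;
  ends 3 2024/01/10 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.1.0.11 {
  starts 3 2024/01/10 08:05:00;
  ends 3 2024/01/10 20:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:56;
}
lease 10.1.0.10 {
  starts 3 2024/01/10 09:00:00;
  ends 3 2024/01/10 21:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.2.0.7 {
  starts 3 2024/01/10 09:10:00;
  ends 3 2024/01/10 21:10:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:57;
}
"""

# One "lease <ip> { ... }" block per match; lease bodies do not nest braces.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)

def latest_lease_states(text):
    """Return {ip: binding state}, keeping only the last record per address."""
    states = {}
    for ip, body in LEASE_RE.findall(text):
        m = STATE_RE.search(body)
        states[ip] = m.group(1) if m else "unknown"
    return states

def active_per_prefix(text, prefix_octets=3):
    """Count currently active leases per /24 (by default) so scope
    utilisation can be judged per subnet rather than from file size."""
    counts = Counter()
    for ip, state in latest_lease_states(text).items():
        if state == "active":
            counts[".".join(ip.split(".")[:prefix_octets]) + ".0"] += 1
    return dict(counts)

def journal_overhead(text):
    """(records in file, distinct addresses): the gap is the journal growth
    that makes the leases file balloon between dhcpd's periodic rewrites."""
    return len(LEASE_RE.findall(text)), len(latest_lease_states(text))
```

Run it against a copy of the real leases file (not the live one) to see how much of the 100Mb is superseded history versus addresses actually in use.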

With a network this large, you should have: A) A firewall cluster (such as Checkpoint) with 4 or 5 nodes to do your NAT and firewalling. A single router or other device is not going to be able to handle this much load so you need some type of product that is able to use clusters to do this. We use NetScalers as well and they are very good at what they do, primarily load-balancing and content switching. While it will do NAT, it's not designed to do it on this large of scale.

B) Multiple DHCP servers. It seems unbelievable to me that on a network that large you would have only one DHCP server. My network is 1/3 that size and we have 5 DHCP servers, plus another 2 that provide automatic failover in case one or more of the primaries fail. A 3800 is a router, and while it does do DHCP, it also can't do it on this scale. It can probably handle only a hundred or so subnets, and the administrative interface for DHCP is bad for only a few subnets, never mind thousands. My recommendation would be to purchase 3 or 4 additional Sun boxes to run DHCP and split the load amongst them. Better yet, purchase an IP Address Management System or purchase DHCP appliances. Lucent's VitalQIP is one of the better IP Address Management systems. Their DHCP software can handle thousands of DHCP leases per second and is one of the best performers available, plus it does automatic failover without having to define split-scopes. InfoBlox makes DHCP appliances that have excellent performance and are very easy to set up and administer.

Thrill5

Cat 6500 with Sup 720-3B does NAT in hardware (at around 20 Mpps according to Cisco but i never needed that).

To put it in perspective, you then need a 10G or faster Internet pipe...

Most places don't have that kind of bandwidth - so size a set of firewalls to the Internet feed and the number of users.

Also don't forget the practical bottleneck may be a proxy farm.

2nded.

1 common "best practice" is to have 2 servers dedicated to the various lightweight services you need on a campus.

With 50k users you may have several autonomous sections to your network - then they should be treated separately.

DHCP, DNS cache, time server and probably a few others i forgot all benefit from running on this kind of separate server.

For DHCP you can use QIP, (which i like as well) or you just give each server 1/2 the space in each subnet (and make sure the subnet has double the address space it needs for connected devices).

The basic Windows or Unix built in services should handle your network size on a reasonable cost server.

Each device which requests DHCP will normally get offered 2 addresses, and just pick the 1.

Stephen
