Educause Security Discussion mailing list archives

Re: Large edu's doing NAT campus wide?


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Wed, 2 May 2007 13:03:32 -0500

Our firewall guys tell me that inactivity timeouts run 4-6 hours, with some translation timeouts set rather longer to 
keep tcp-based ERP app users from calling all the time.

Now, I should also mention that our syslog load is rather north of 10k messages/second.

We're looking at a way to refactor the logging infrastructure.  No, let me restate - we're always looking at 
refactoring; due to need, we're now trying to look at making some sort of hierarchical log capture/monitoring structure 
that won't be as scale sensitive as the current single-receiver system.

    -jml

Kevin Shalla <kshalla () UIC EDU> 2007-05-02 11:23:33 >>>
How long do people set the time for NAT bindings?  Is that the same 
as the lease time?  I would have figured that it would be closer to a 
day than a minute.

At 04:45 PM 4/30/2007, John Ladwig wrote:
NAT also severely complicates interactions with Law Enforcement at times.

LE: "I have a connection to Yahoo.com from your IP a.b.c.d at this 
time (measured in minutes, not seconds) - can you identify the user?"

IR: "That IP maps to several hundred hosts behind a NAT, with a 
30-second inactivity timeout on the NAT bindings.  Can you be more 
specific about source port information for our IP and timing down to 
sub-second, ideally?"

LE:  "...."

Fortunately, so far we haven't had any life- and safety-related 
queries from LE that went down this path.

    -jml
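The exchange above turns on one practical point: with a shared external address and short binding timeouts, an attribution request stated as "IP a.b.c.d, sometime in this minute" is answerable only from NAT translation logs that record the external source port and the binding lifetime to sub-second precision. The script below is an added example, not code from the thread or from any product named in it; it parses a constructed NAT build/teardown log in an assumed line format and shows how the candidate set shrinks from several hosts to one as the query gains the port and a tight time window, including the case where the firewall reuses an external port a few seconds after the earlier binding timed out.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample NAT translation log (not taken from the thread).  The
# assumed line format is:
#   <ISO timestamp> NAT <build|teardown> <inside_ip>:<inside_port> -> <outside_ip>:<outside_port>
# Outside port 40001 is handed to a second inside host about 20 seconds after
# the first binding is torn down by a short inactivity timeout, which is the
# case a minute-granular query cannot resolve.
SAMPLE_LOG = """\
2007-04-30T16:40:12.104 NAT build 10.1.2.3:51012 -> 203.0.113.10:40001
2007-04-30T16:40:15.377 NAT build 10.1.7.9:43311 -> 203.0.113.10:40002
2007-04-30T16:40:41.220 NAT teardown 10.1.2.3:51012 -> 203.0.113.10:40001
2007-04-30T16:41:02.005 NAT build 10.1.9.44:60122 -> 203.0.113.10:40001
2007-04-30T16:41:30.901 NAT teardown 10.1.7.9:43311 -> 203.0.113.10:40002
2007-04-30T16:41:35.440 NAT teardown 10.1.9.44:60122 -> 203.0.113.10:40001
"""

LINE_RE = re.compile(
    r"^(\S+) NAT (build|teardown) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)


@dataclass
class Binding:
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    start: datetime
    end: Optional[datetime]  # None means the binding was still open at end of log


def parse_ts(text: str) -> datetime:
    """Parse the assumed ISO-style timestamp with fractional seconds."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f")


def parse_bindings(log: str) -> List[Binding]:
    """Pair each 'build' event with its 'teardown' to recover binding lifetimes."""
    open_bindings: Dict[Tuple[str, int, str, int], datetime] = {}
    done: List[Binding] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a translation event; skip
        ts, event, i_ip, i_port, o_ip, o_port = m.groups()
        key = (i_ip, int(i_port), o_ip, int(o_port))
        when = parse_ts(ts)
        if event == "build":
            open_bindings[key] = when
        elif key in open_bindings:
            done.append(Binding(*key, open_bindings.pop(key), when))
    # Bindings with no teardown yet are reported as still open.
    for key, started in open_bindings.items():
        done.append(Binding(*key, started, None))
    return done


def candidates(bindings: List[Binding], outside_ip: str, window_start: datetime,
               window_end: datetime, outside_port: Optional[int] = None) -> Set[str]:
    """Inside hosts whose binding to outside_ip (and port, if given) overlapped the window."""
    hits: Set[str] = set()
    for b in bindings:
        if b.outside_ip != outside_ip:
            continue
        if outside_port is not None and b.outside_port != outside_port:
            continue
        if b.start <= window_end and (b.end is None or b.end >= window_start):
            hits.add(b.inside_ip)
    return hits


if __name__ == "__main__":
    bindings = parse_bindings(SAMPLE_LOG)
    minute = (parse_ts("2007-04-30T16:40:00.000"), parse_ts("2007-04-30T16:42:00.000"))
    tight = (parse_ts("2007-04-30T16:41:09.000"), parse_ts("2007-04-30T16:41:11.000"))
    print("IP + minute window:        ", candidates(bindings, "203.0.113.10", *minute))
    print("IP + port + minute window: ", candidates(bindings, "203.0.113.10", *minute, 40001))
    print("IP + port + 2s window:     ", candidates(bindings, "203.0.113.10", *tight, 40001))
```

Run as-is, the first query returns all three inside hosts, the second still returns two because port 40001 was reused within the same minute, and only the third (port plus a two-second window) narrows to one host. This is why the request for source port and sub-second timing in the exchange above is not pedantry: without both, the log cannot distinguish consecutive users of the same external port, and the binding records themselves must be retained at the same precision.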

"Scott O. Bradner" <sob () HARVARD EDU> 2007-04-28 20:10:31 >>>
Is anyone aware of a study of large edu's who are doing NAT
campus wide?

makes answering DMCA complaints quick :-)

Scott
