[unisog] Chronicle of Higher Ed. article on NetPD
sagenung at ilstu.edu
Thu Nov 8 00:52:28 GMT 2001
At 04:41 PM 11/7/2001 -0600, you wrote:
>On Wed, 7 Nov 2001, Paul L Schmehl wrote:
> > We use NAT in the residence halls. That's even worse. At the present
> > we have no way of verifying who was using a particular IP at a particular
> > time. So, even if we could ID the user, by the time we did that (by
> > grepping logs for MAC addresses associated with an IP - if the user is
> > still online - there's no logging) and associated their IP/MAC with a name
> > and physical location, they could be in class/eating/at the library/you
> > name it.
We had a similar dilemma. We've deployed private addressing everywhere on
the campus network where DHCP is required (i.e., in the residence hall
networks, off-campus ADSL networks, public access networks, and so on).
This model created a huge dependency upon NAT. As expected, the largest
percentage of Internet volume is sourced from private IP address space.

Our NAT solution is based upon multiple Cisco routers optimized for NAT
(i.e., NSE-1 processors with PXF enabled). When we started seeing these
messages from NetPD, there wasn't much that we could do in the beginning
except hope that the translation hadn't expired.

A month or two ago, a newer version of IOS (i.e., 12.2.(3)) supported the
logging of NAT translations and expirations to syslog. Since CiscoWorks
doesn't support the format for these records, we built a separate syslog
server and tied our DHCP logs into the same box. We're not quite done with
it yet but it has already yielded some major benefits. Now we can resolve a
translated address to a MAC address through the served private address.
Since we require our DHCP users to complete a web form to obtain a real
address lease, we know who owns the MAC address. We then pass this
information on to the appropriate people on campus that deal with these issues.

I'm sure others are using a different NAT solution than we are. Tormenting
your vendor about NAT logging is probably the next best step to solving
Manager of Networking Systems
Telecommunications and Network Support Services
Illinois State University
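
The correlation described in the message above (translated address, then served private address, then MAC address, then registered owner), sketched as an added example that is not part of the original post or the poster's system. The record layouts, addresses, and names are constructed for illustration and are not real IOS or DHCP server output; both logs are assumed to be stamped from one synchronized clock.

```python
from datetime import datetime

# Constructed sample records in a simplified, made-up layout (not real IOS or
# DHCP server output). Both logs are assumed to share one time-synced clock.
NAT_LOG = """\
2001-11-07T16:00:05 CREATED tcp 10.20.3.17:1214 198.51.100.9:40001
2001-11-07T16:20:41 DELETED tcp 10.20.3.17:1214 198.51.100.9:40001
2001-11-07T16:25:10 CREATED tcp 10.20.7.88:1214 198.51.100.9:40001
"""
DHCP_LOG = """\
2001-11-07T08:12:00 LEASE 10.20.3.17 00:A0:C9:11:22:33 until 2001-11-07T20:12:00
2001-11-07T15:30:00 LEASE 10.20.7.88 00:50:56:aa:bb:cc until 2001-11-08T03:30:00
"""
# Hypothetical export of the web registration form: MAC -> registered user.
REGISTRATIONS = {"00:a0:c9:11:22:33": "student-a", "00:50:56:aa:bb:cc": "student-b"}

ts = datetime.fromisoformat

def nat_intervals(log):
    """Pair CREATED/DELETED events into (proto, public, private, start, end)."""
    live, done = {}, []
    for line in log.splitlines():
        when, event, proto, private, public = line.split()
        key = (proto, public)
        if event == "CREATED":
            live[key] = (private, ts(when))
        elif event == "DELETED" and key in live:
            private, start = live.pop(key)
            done.append((proto, public, private, start, ts(when)))
    # Translations with no expiry record yet are still active (end=None).
    return done + [(k[0], k[1], v[0], v[1], None) for k, v in live.items()]

def resolve(proto, public, when):
    """Map a reported public ip:port at a given time to private host, MAC, owner."""
    when = ts(when)
    for p, pub, private, start, end in nat_intervals(NAT_LOG):
        if (p, pub) != (proto, public) or when < start or (end and when > end):
            continue
        ip = private.rsplit(":", 1)[0]
        for line in DHCP_LOG.splitlines():
            begin, _, lease_ip, mac, _, until = line.split()
            if lease_ip == ip and ts(begin) <= when <= ts(until):
                mac = mac.lower()
                return {"private": private, "mac": mac, "owner": REGISTRATIONS.get(mac)}
        return {"private": private, "mac": None, "owner": None}  # no lease on record
    return None  # no translation covered that instant

if __name__ == "__main__":
    print(resolve("tcp", "198.51.100.9:40001", "2001-11-07T16:10:00"))
```

The same public address and port resolve to different hosts at 16:10 and 16:30 in the sample data, which is why the translation's create and expire times have to be logged and matched against the time given in the complaint.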