NAT Deployment Topologies

vSZ-D/SZ100-D supports several deployment topologies.

AP Behind NAT and vSZ-D/SZ100-D Behind NAT

When an AP is behind NAT, the AP sits in the private network and communicates with vSZ-D/SZ100-D in the public network through NAT. The AP obtains a private IP address and communicates with vSZ-D/SZ100-D through the NAT router. During this communication, the NAT router intercepts each packet, changes the source IP address (the AP IP address) to a public IP address and assigns a new source port number before forwarding the packet to vSZ-D/SZ100-D. In this case, vSZ-D/SZ100-D is unaware of the NAT router’s operation. When a packet comes back from vSZ-D/SZ100-D to the AP, the NAT router intercepts it and translates the destination IP address and port number back to the original AP IP address and port number.

When vSZ-D/SZ100-D is behind NAT, vSZ-D/SZ100-D sits in the private network and communicates with the AP in the public network through NAT. In this case, the NAT IP (public IP) and port number pair must be configured during the vSZ-D/SZ100-D “setup” process. vSZ picks up this public address and the associated port number and informs the AP that this (public-IP, port) pair is the vSZ-D/SZ100-D address/port to connect to.

The NAT device must also be configured with the port mapping, essentially (public-IP, port) <-> (private-IP, 23233), in its rule table. When the NAT router receives a packet from the AP bound for vSZ-D/SZ100-D (sent to public-IP/port), it translates the destination to (private-IP, 23233) based on the rule table before sending it to vSZ-D/SZ100-D. Conversely, for a packet from vSZ-D/SZ100-D, the NAT router looks at the source IP/port (private-IP, 23233) and converts it to the public IP address and port based on the rule table before sending it to the AP.

Note: Both TCP and UDP on port 23233 need to be forwarded, as both are used (TCP for tunnel establishment and UDP for client data).
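As an added illustration of the two cases above (this is example code, not Ruckus software or configuration), the Python model below simulates both NAT roles: a dynamic source-NAT table for the AP-behind-NAT case and a static (public-IP, port) <-> (private-IP, 23233) rule table for the vSZ-D/SZ100-D-behind-NAT case. It also includes a check for the misconfiguration the note describes, where only one of TCP or UDP on port 23233 is forwarded. All IP addresses and ports other than 23233 are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VSZD_DATA_PORT = 23233  # vSZ-D/SZ100-D data port named on the page (TCP and UDP)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Minimal NAT model: a static port-forwarding table plus a dynamic
    source-NAT table, both keyed by (proto, public_port)."""

    def __init__(self, public_ip: str, first_dynamic_port: int = 40000):
        self.public_ip = public_ip
        self.static: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.dynamic: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = first_dynamic_port

    def add_port_forward(self, proto: str, public_port: int,
                         private_ip: str, private_port: int) -> None:
        # Rule-table entry of the form (public-IP, port) <-> (private-IP, private_port)
        self.static[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public direction: rewrite the source address and port.
        A static rule is applied in reverse so replies from the forwarded
        host leave as (public-IP, port); any other host gets a dynamic
        mapping, which is the AP-behind-NAT case."""
        src = (pkt.src_ip, pkt.src_port)
        for table in (self.static, self.dynamic):
            for (proto, pub_port), private in table.items():
                if proto == pkt.proto and private == src:
                    return Packet(pkt.proto, self.public_ip, pub_port,
                                  pkt.dst_ip, pkt.dst_port)
        pub_port = self._next_port
        self._next_port += 1
        self.dynamic[(pkt.proto, pub_port)] = src
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private direction: rewrite the destination. None means
        the router has no mapping and drops the packet."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        target = self.static.get(key) or self.dynamic.get(key)
        if target is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, target[0], target[1])


def missing_vszd_forwards(router: NatRouter, public_port: int) -> List[str]:
    """Protocols for which the (public-IP, port) -> (private-IP, 23233) rule
    is absent. A non-empty list is the misconfiguration the note warns about."""
    return [p for p in ("tcp", "udp")
            if router.static.get((p, public_port), ("", 0))[1] != VSZD_DATA_PORT]


def demo() -> dict:
    # Constructed sample addresses (documentation ranges), not from the page.
    dc_nat = NatRouter("198.51.100.10")            # NAT in front of vSZ-D/SZ100-D
    dc_nat.add_port_forward("tcp", 23233, "10.0.0.5", VSZD_DATA_PORT)  # TCP only so far
    ap_nat = NatRouter("203.0.113.7")              # NAT in front of the AP

    # AP behind NAT: outbound gets a dynamic public port, the reply is mapped back.
    ap_out = ap_nat.outbound(Packet("udp", "192.168.1.20", 5000, "198.51.100.10", 23233))
    reply = Packet("udp", "198.51.100.10", 23233, ap_out.src_ip, ap_out.src_port)
    ap_reply = ap_nat.inbound(reply)

    # vSZ-D behind NAT: UDP client data is dropped until the UDP forward exists.
    dropped = dc_nat.inbound(ap_out)
    missing_before = missing_vszd_forwards(dc_nat, 23233)
    dc_nat.add_port_forward("udp", 23233, "10.0.0.5", VSZD_DATA_PORT)
    delivered = dc_nat.inbound(ap_out)
    vszd_reply = dc_nat.outbound(Packet("udp", "10.0.0.5", VSZD_DATA_PORT,
                                        ap_out.src_ip, ap_out.src_port))
    return {"ap_out": ap_out, "ap_reply": ap_reply, "dropped": dropped,
            "missing_before": missing_before,
            "missing_after": missing_vszd_forwards(dc_nat, 23233),
            "delivered": delivered, "vszd_reply": vszd_reply}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `missing_vszd_forwards` is the one a practitioner checks first when a tunnel comes up (TCP) but clients get no traffic (UDP): the TCP rule alone makes the data plane look healthy while every UDP client packet is silently dropped at the NAT.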

vSZ and vSZ-D/SZ100-D at Data Center Behind NAT

In this deployment topology, vSZ-D/SZ100-D and vSZ are co-located at the data center behind NAT, while Ruckus APs are on the access network behind NAT.
Figure 1. vSZ and vSZ-D/SZ100-D at data center behind NAT

vSZ-D/SZ100-D at Access Site with NAT

In this deployment topology, vSZ is at the data center and vSZ-D/SZ100-D is co-located with the Ruckus APs on the access network. In this scenario, there are NAT routers between vSZ and vSZ-D/SZ100-D/Ruckus APs.

Figure 2. vSZ-D/SZ100-D at access site with a NAT router


vSZ-D/SZ100-D Behind NAT

In this deployment topology, vSZ is at the data center and vSZ-D/SZ100-D is in a distributed site but not co-located with the Ruckus APs within the access network. There are NAT routers between vSZ and vSZ-D/SZ100-D, and between vSZ-D/SZ100-D and Ruckus APs. The vSZ-D/SZ100-D port to communicate with vSZ control plane is port 22.

Figure 3. vSZ-D/SZ100-D behind a NAT router

DHCP Relay with NAT

Similar to the vSZ-D/SZ100-D Behind NAT topology, in this deployment topology vSZ is at the data center and vSZ-D/SZ100-D is in a distributed site but not co-located with the Ruckus APs within the access network. There are NAT routers between vSZ and vSZ-D/SZ100-D, and between vSZ-D/SZ100-D and Ruckus APs. However, in this topology, the DHCP server assigning client IP addresses is on its own separate subnet. vSZ-D/SZ100-D provides the DHCP relay function to support such a network configuration.

Figure 4. DHCP relay with a NAT router

If you enable DHCP Option 82 in the WLAN configuration in the vSZ controller, the AP inserts DHCP Option 82 into the DHCP packet and sends it to vSZ-D/SZ100-D. The option is in the format IF-Name:VLAN-ID:ESSID:AP-Model:AP-Name:AP-MAC. If you want to give users the option to choose what is included in DHCP Option 82, you need to create a Bridge Service Profile in the vSZ controller web interface. Follow these steps to create a Bridge Service Profile.
  • Go to vSZ controller web interface > Services & Profiles > Core Network Tunnel.
  • Click Create to add a Bridge Forwarding Profile.
  • Verify that DHCP Relay is enabled.
  • Add the DHCP server IP address.
  • Enable DHCP Option 82 and choose the sub-options based on your requirements or the user’s. vSZ-D/SZ100-D handles this during DHCP packet relay to the DHCP server.
    Figure 5. Creating Bridge Profile

  • Go to vSZ controller web interface > Wireless LANs.
  • Click Create to add the following new WLAN configuration:
    • Access Network as Tunnel WLAN traffic through Ruckus GRE
    • Core Network as Bridge
    • Authentication Options > Method as Open
    • Encryption Options > Method as None
    • Forwarding Policy as Factory Default, then choose the forwarding policy as the bridge profile.
  • Click OK to complete and save the configuration.
Figure 6. Creating a WLAN Configuration
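As an added example (not Ruckus code and not from this documentation), the Python below builds and parses the DHCP Option 82 string in the IF-Name:VLAN-ID:ESSID:AP-Model:AP-Name:AP-MAC format described above and wraps it in the on-the-wire option 82 (RFC 3046) TLV encoding. It assumes the string travels in the Agent Circuit ID sub-option, which the page does not state; the interface name, SSIDs, AP name and MAC address are constructed sample values.

```python
import re
from typing import Dict

OPTION_RELAY_AGENT_INFO = 82   # RFC 3046 Relay Agent Information option
SUBOPT_CIRCUIT_ID = 1          # RFC 3046 Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2           # RFC 3046 Agent Remote ID sub-option
FIELDS = ["IF-Name", "VLAN-ID", "ESSID", "AP-Model", "AP-Name", "AP-MAC"]

# The MAC is the only fixed-width field, so it is peeled off the right end.
_TRAILING_MAC = re.compile(r"^(?P<rest>.+):(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$")


def format_option82_string(fields: Dict[str, str]) -> str:
    """Join the six fields in the page's order IF-Name:VLAN-ID:ESSID:AP-Model:AP-Name:AP-MAC."""
    return ":".join(fields[name] for name in FIELDS)


def parse_option82_string(value: str) -> Dict[str, str]:
    """Split the colon-separated string back into its fields.

    A plain value.split(":") is wrong because the AP-MAC contains five colons
    and an ESSID may contain any number. IF-Name and VLAN-ID are taken from
    the left, AP-Model and AP-Name from the right, and what is left in the
    middle is the ESSID."""
    m = _TRAILING_MAC.match(value)
    if not m:
        raise ValueError("value does not end in a colon-separated AP-MAC")
    rest, mac = m.group("rest"), m.group("mac")
    left = rest.split(":", 2)                  # IF-Name, VLAN-ID, remainder
    if len(left) != 3:
        raise ValueError("too few fields before the ESSID")
    if_name, vlan_id, remainder = left
    right = remainder.rsplit(":", 2)           # ESSID, AP-Model, AP-Name
    if len(right) != 3:
        raise ValueError("too few fields after the ESSID")
    essid, model, name = right
    if not vlan_id.isdigit() or not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"bad VLAN-ID {vlan_id!r}")
    return dict(zip(FIELDS, [if_name, vlan_id, essid, model, name, mac]))


def encode_option82(circuit_id: bytes, remote_id: bytes = b"") -> bytes:
    """Build the on-the-wire option: code 82, length, then sub-option TLVs.
    Assumption: the page's string is carried in the Circuit ID sub-option;
    the page does not say which sub-option Ruckus uses."""
    body = b""
    for code, data in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if data:
            if len(data) > 255:
                raise ValueError(f"sub-option {code} longer than 255 bytes")
            body += bytes([code, len(data)]) + data
    if len(body) > 255:
        raise ValueError("option 82 payload longer than 255 bytes")
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def decode_option82(option: bytes) -> Dict[int, bytes]:
    """Parse option 82 into {sub-option code: data}, rejecting truncated TLVs
    instead of silently reading past the declared lengths."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a DHCP option 82")
    body = option[2:2 + option[1]]
    if len(body) != option[1]:
        raise ValueError("option 82 truncated")
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("sub-option header truncated")
        code, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[code] = data
        i += 2 + length
    return subs


if __name__ == "__main__":
    sample = "wlan0:100:Guest:Wifi:R610:AP-Lobby:00:11:22:33:44:55"   # constructed
    fields = parse_option82_string(sample)
    wire = encode_option82(format_option82_string(fields).encode())
    print(fields)
    print(wire.hex())
    print(decode_option82(wire)[SUBOPT_CIRCUIT_ID].decode())
```

The parser is deliberately not a single `split(":")`: the AP-MAC field alone contributes five colons, and an ESSID such as `Guest:Wifi` adds more, so a naive split shifts every field and attributes the wrong VLAN and AP to a client. The decoder checks every declared length against the bytes actually present, which is what a DHCP server or relay should do before trusting any field of a relay agent option.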