Licenses for APs and Switches
-
@scottalanmiller said in Licenses for APs and Switches:
Ubiquiti firewalls do P2P blocking, just turn it on.
Not so much
-
@jaredbusch said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
Ubiquiti firewalls do P2P blocking, just turn it on.
Not so much
It blocks some at least.
-
Is it a business requirement? Seems like that would need to be something that should be determined prior to paying for it again.
-
@scottalanmiller said in Licenses for APs and Switches:
@jaredbusch said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
Ubiquiti firewalls do P2P blocking, just turn it on.
Not so much
It blocks some at least.
Are you talking about these settings? I’ve not had much luck with it. But it has been a couple years since I tried. I will test it again.
-
@coliver said in Licenses for APs and Switches:
Is it a business requirement? Seems like that would need to be something that should be determined prior to paying for it again.
It's for a school. But definitely someone should determine if it is "this one guy wants this for his own personal reasons" or "this is actually something that the school should have."
-
@jaredbusch said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@jaredbusch said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
Ubiquiti firewalls do P2P blocking, just turn it on.
Not so much
It blocks some at least.
Are you talking about these settings? I’ve not had much luck with it. But it has been a couple years since I tried. I will test it again.
That's the settings, yeah. Don't know how good it is, but it's something (and free.)
-
@markferron said in Licenses for APs and Switches:
Along with the cost of licenses I would also like to put in that requiring licences for APs and switches is not an industry standard,
Considering Cisco is 30% of the networking industry them deciding to do something makes it an industry standard...
For enterprise-class, AP's that have 24/7 enterprise support it's common to have to make an opex payment. It's common to need to license features. Aruba, and others charge the same way.
Access class switching it's not common (Cisco will give you lifetime replacement and patches for Catalyst 2/3K switches in response to competitors doing the same thing).
-
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
-
@jaredbusch said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
and keeping the MX400.
Why keep it? Clean house totally.
Migrating firewall platforms can be a pain in the ass when you need up needing to re-write thousands of lines of rules (My old job at a hosting company that was the sum of the rules). We wrote scripts to translate them to the new platform but it was a bit scary to do the changeover. Ended up moving more and more firewalling into NSX and off the edge firewall because it made auto-cleanup of rules simpler, and made edge firewall rules more of an edge case to need (Mostly just OOB management stuff).
-
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
-
@storageninja said in Licenses for APs and Switches:
@jaredbusch said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
and keeping the MX400.
Why keep it? Clean house totally.
Migrating firewall platforms can be a pain in the ass when you need up needing to re-write thousands of lines of rules (My old job at a hosting company that was the sum of the rules). We wrote scripts to translate them to the new platform but it was a bit scary to do the changeover. Ended up moving more and more firewalling into NSX and off the edge firewall because it made auto-cleanup of rules simpler, and made edge firewall rules more of an edge case to need (Mostly just OOB management stuff).
Luckily our firewall setup is really simple. There's really not a lot we have going on.
-
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
-
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
-
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Ahhh. For a private college I'd do a few things....
-
Put Students on private PVLANs Basically they can't reach anything but the internet, services you have facing the internet, and possibly edge gateways for Citrix/View/VDI etc. Don't let those clients talk to each other.
-
Deploy NAC for the wireless to make sure that infected clients get forced to remediation. https://packetfence.org/ is popular in education for low cost. Strong easy NAC support and integration is one reason why "big wireless" (Aruba, Cisco AeroHive etc) dominate in campus education.
-
Do you have dorms you provide internet for? Consider at a minimum getting peering to major sources of traffic (Netflix is AS 2906), and CDNs, or negotiate with CDN providers to put in caching appliances on your network directly. (Do you operate an AS directly?).
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
Considering this is complying with censorship requests I'd assume they don't care. Personally, I'd allow porn, just shape it into the lowest traffic class (whatever is left over). If you block it people will VPN/get around it. If you allow it but make it slow then people will just give up and use their phones etc for it.
-
-
@markferron The other thing is how big of pipes do you have, and how many networks are you mixing. Are you doing your own e-BGP announcements (if so what' is your AS?).
Sometimes it's more cost effective to have a boring router on the edge, and do WCCP redirection, and open flow to edge device based inspection to avoid having to invest in a "big layer 7 on the wire" appliance vs. selectively approving/denying out of band.
-
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
Yeah no kidding. I saw a few items on the list of of things they wanted to know about our college and it made me laugh. Wish I could remember what they were...
-
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
Yeah no kidding. I saw a few items on the list of of things they wanted to know about our college and it made me laugh. Wish I could remember what they were...
Do you offer dual credit classes to high school students? Curious if that trips the need for CIPA?
-
@storageninja said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
Yeah no kidding. I saw a few items on the list of of things they wanted to know about our college and it made me laugh. Wish I could remember what they were...
Do you offer dual credit classes to high school students? Curious if that trips the need for CIPA?
Only likely if they are on campus. My nieces do that but they don't go on campus, so while the classes are for high school students, they aren't on the campus networks (but that is Texas.)
-
@storageninja said in Licenses for APs and Switches:
Ahhh. For a private college I'd do a few things....
-
Put Students on private PVLANs Basically they can't reach anything but the internet, services you have facing the internet, and possibly edge gateways for Citrix/View/VDI etc. Don't let those clients talk to each other.
-
Deploy NAC for the wireless to make sure that infected clients get forced to remediation. https://packetfence.org/ is popular in education for low cost. Strong easy NAC support and integration is one reason why "big wireless" (Aruba, Cisco AeroHive etc) dominate in campus education.
-
Do you have dorms you provide internet for? Consider at a minimum getting peering to major sources of traffic (Netflix is AS 2906), and CDNs, or negotiate with CDN providers to put in caching appliances on your network directly. (Do you operate an AS directly?).
- Yup, that was already setup by my predecessor @dafyre
- That feature is actually on the Meraki, but I've never messed with it. Probably should now. From what I'm reading PaloAlto supports NAC pretty well.
- We do provide internet to dorms. I'm not sure that we would need a caching appliance. So far our network seems to working okay at our 500mb connection, but in the future that might be something to look at.
-
-
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
Yeah no kidding. I saw a few items on the list of of things they wanted to know about our college and it made me laugh. Wish I could remember what they were...
Do you offer dual credit classes to high school students? Curious if that trips the need for CIPA?
Only likely if they are on campus. My nieces do that but they don't go on campus, so while the classes are for high school students, they aren't on the campus networks (but that is Texas.)
Our school is close to a few high schools in the area so professors actually will go to their school and teach in their classrooms.