    2. StorageNinja
    Posts

    • RE: Licenses for APs and Switches

      @markferron The other thing is how big of pipes do you have, and how many networks are you mixing. Are you doing your own e-BGP announcements (if so, what is your AS?).

      Sometimes it's more cost effective to have a boring router on the edge, and do WCCP redirection and OpenFlow to edge-device-based inspection to avoid having to invest in a "big layer 7 on the wire" appliance vs. selectively approving/denying out of band.

      posted in IT Discussion
      StorageNinja
    • RE: Licenses for APs and Switches

      @scottalanmiller said in Licenses for APs and Switches:

      @storageninja said in Licenses for APs and Switches:

      @dafyre said in Licenses for APs and Switches:

      With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.

      I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.

      Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.

      Private college, should be free to avoid CIPA.

      Ahhh. For a private college I'd do a few things....

      1. Put students on private PVLANs. Basically they can't reach anything but the internet, services you have facing the internet, and possibly edge gateways for Citrix/View/VDI etc. Don't let those clients talk to each other.

      2. Deploy NAC for the wireless to make sure that infected clients get forced to remediation. https://packetfence.org/ is popular in education for low cost. Strong, easy NAC support and integration is one reason why "big wireless" (Aruba, Cisco, AeroHive, etc.) dominate in campus education.

      3. Do you have dorms you provide internet for? Consider at a minimum getting peering to major sources of traffic (Netflix is AS 2906), and CDNs, or negotiate with CDN providers to put in caching appliances on your network directly. (Do you operate an AS directly?).

      @scottalanmiller said in Licenses for APs and Switches:

      @markferron said in Licenses for APs and Switches:

      @scottalanmiller said in Licenses for APs and Switches:

      @storageninja said in Licenses for APs and Switches:

      @dafyre said in Licenses for APs and Switches:

      With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.

      I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.

      Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.

      Private college, should be free to avoid CIPA.

      Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.

      To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.

      Considering this is complying with censorship requests I'd assume they don't care. Personally, I'd allow porn, just shape it into the lowest traffic class (whatever is left over). If you block it people will VPN/get around it. If you allow it but make it slow then people will just give up and use their phones etc for it.

      posted in IT Discussion
      StorageNinja
    • RE: When a C-level gets the boot

      Couple things...

      1. At 20K users you should have a dedicated SOC or an outsource SOC doing 24/7 analytics of the logs and logs should be going somewhere IMMUTABLE (LogLogic etc).

      2. If someone who is fired is creating accounts you need to call local law enforcement and refer this to them.

      3. Track the time and labor involved in the cleanup. Bring in an outside security audit firm. If this crossed state lines or other factors on the cost of remediation this may involve the FBI.

      4. If this is a public company the EXTERNAL accounting auditors need to be notified of the lack of internal controls. There may be SEC violations if policies didn't exist that need to, or were not followed that did exist. Going to lunch with external auditors and telling them what was fucked up was a GREAT way as a consultant to make sure a fire got lit for someone to fix something.

      5. If significant fraud or other things are found call the SEC directly and report. Whistleblowers get paid well.

      posted in IT Discussion
      StorageNinja
    • RE: Licenses for APs and Switches

      @jaredbusch said in Licenses for APs and Switches:

      @markferron said in Licenses for APs and Switches:

      and keeping the MX400.

      Why keep it? Clean house totally.

      Migrating firewall platforms can be a pain in the ass when you end up needing to re-write thousands of lines of rules (at my old job at a hosting company that was the sum of the rules). We wrote scripts to translate them to the new platform but it was a bit scary to do the changeover. Ended up moving more and more firewalling into NSX and off the edge firewall because it made auto-cleanup of rules simpler, and made edge firewall rules more of an edge case to need (mostly just OOB management stuff).

      posted in IT Discussion
      StorageNinja
    • RE: Licenses for APs and Switches

      @dafyre said in Licenses for APs and Switches:

      With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.

      I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.

      Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.

      posted in IT Discussion
      StorageNinja
    • RE: Licenses for APs and Switches

      @markferron said in Licenses for APs and Switches:

      Along with the cost of licenses I would also like to put in that requiring licences for APs and switches is not an industry standard,

      Considering Cisco is 30% of the networking industry, them deciding to do something makes it an industry standard...

      For enterprise-class APs that have 24/7 enterprise support, it's common to have to make an opex payment. It's common to need to license features. Aruba and others charge the same way.

      For access-class switching it's not common (Cisco will give you lifetime replacement and patches for Catalyst 2/3K switches in response to competitors doing the same thing).

      posted in IT Discussion
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @scottalanmiller said in If all hypervisors were priced the same...:

      My question here is... what makes Hyper-V or VMware better on those small systems? Hyper-V's main problems, mostly huge management overhead and complexity, are worst at the small scale, where KVM or Xen's ease of use is a really big deal.
      VMware I see in that mid-range... but companies in that range are crippled by cost today. If it was free, I think it would make sense all the way down. Hyper-V really depends on "free" more than KVM and Xen do.

      There are quite a few points, but one low-hanging fruit is the DRS family of features (Compute/network DRS, Affinity rules, Storage DRS, SIOCv2 VAIO filters, Proactive DRS). Its balancing logic is significantly more advanced. Combined with better scheduler overheads and more advanced new workload placement logic, this means you can get by with a lot less hardware.

      For someone with 10 tiny VMs this isn't going to matter, but for someone who's operating with a decent amount of scale, having to throw money at hardware and bodies instead of software becomes a trade-off that makes DRS worth the premium for TCO.

      Now if the hardware is free to you, and labor is $2 an hour then TCO will shift the other way vs paying for software.

      Also, decisions are often more nuanced than simple TCO decisions. If you have compliance requirements this often shifts to commercial solutions that have validated FIPS 140-2 modules/solutions. If you need a DISA STIG at a given level paying some money and being able to deploy a single VIB to harden compliance vs. go through checklists and argue with auditors can be a big deal. How do you quantify the cost of applying with NIST for validation with a do it yourself setup vs. a turnkey solution?

      The cost of management tools is generally looked at as a function of the cost of existing management labor (people), the cost of the solution stack, and the premium for availability.

      If you have Oracle RAC or SQL Always On clusters that cost 40K per host in licensing, it's different math. Paying 2K for some hypervisor management tools that will let you run 1.5x to 2.5x denser on host usage (and drop associated licensing costs), or free up 15% time for a sysadmin who's paid 100K so he can go get other projects finished, isn't a "crippling cost" but a simple, logical conclusion.

      Customers who need VM Fault Tolerance don't care what the cost is because the alternative is generally proprietary solutions that cost 250K per server, or death (US wrongful death is what, 2.5 million each?), or re-writing their application and getting it revalidated by regulators (millions in capex, if even an option).

      If you have Excel/Access Databases and 5 Windows XP VMs, and you have outsourced your sysadmin work to SouthEast Asia for 5K a year, and an outage is going to cost you nothing sure.

      posted in IT Discussion
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @scottalanmiller said in If all hypervisors were priced the same...:

      Once Xen gets the PV driver features backported to core Xen PV, we will see a leap forward too, I think.

      Didn't Amazon shift everything away from PV because of security? (There are a LOT fewer instance types of PV these days).

      Other hypervisors moved away from PV for computing a long time ago as VT-x and newer hardware functionality (PCID etc) simply made the juice not worth the squeeze.

      posted in IT Discussion
      StorageNinja
    • RE: Scale Computing combines forces with Unitrends

      @irj I laughed pretty hard. There are benefits to combining hardware and software together in a purchase, and then there are downsides. Weird trade-in/up games is one of them.

      posted in IT Business
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @scottalanmiller said in If all hypervisors were priced the same...:

      @olivier said in If all hypervisors were priced the same...:

      @scottalanmiller Citrix hasn't cared about the server virt market for a while now.

      Did they ever? They bought Xen for the name so that they could confuse their customers into thinking that XenApp was somehow virtualization.

      They bought it because VMware bundled the hypervisor with their VDI product, so Citrix bought Xen and had its devs focus on VDI-friendly features (APIs for provisioning, and GPU support). They briefly tried to take on ESXi in the enterprise but abandoned that a few years back.

      Citrix also pushed CloudStack for a while to hosting providers (but seems to have given up on that too).

      posted in IT Discussion
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @olivier said in If all hypervisors were priced the same...:

      @tim_g said in If all hypervisors were priced the same...:

      If features and costs (free) were identical across the board, I would choose KVM hands down.

      I love being able to run off Fedora Server, plus all the doors that open up by doing that... which you can't get from Hyper-V or VMWare.

      Sure Xen can be installed on there too, but it's dying and I'm less familiar with it.

      Can you stop with that FUD? Thanks. It's not dying at all. I've heard this since 2006. It's like saying Linux is not secure because Open Source.

      Do you have any 3rd party surveys or tracking showing growth in Xen? Because all the public ones (and private sets like IDC) that I've seen show it losing market share.

      posted in IT Discussion
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @bbigford said in If all hypervisors were priced the same...:

      @dustinb3403 said in If all hypervisors were priced the same...:

      XCP

      What does xcp-ng mean? Couldn't find it on the introduction

      It's a fork of XenServer to try to bring back the APIs and the features that Citrix has locked from the free version (and also back-port security patches to older versions, as Citrix only does this for paid users now if you want beyond 6 months). It's being run by a small community group.

      Citrix only sees XenServer as useful as a means to an end for VDI (and they have been slowly stepping down their investment in it). The Linux Foundation (which technically has Xen) doesn't really care (they are backing KVM). So it's up to a ragtag band of rebels to keep Xen going...

      posted in IT Discussion
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @emad-r said in If all hypervisors were priced the same...:

      Why purchase a RAID controller when you get a good amount of reliability using software RAID? Linux software RAID has been tested a lot and a lot, and many big companies of enterprise NAS systems utilize it. I understand that a hardware RAID controller works most of the time for nearly anything, and software RAID most probably will fail due to end user fault, because it has some learning curve.

      You accelerate the end user fault because of issues with SES not working correctly (getting the right drive light to blink is strangely hard with DAS shelves), or because of lack of end-to-end testing (good luck getting HotAdd to work on hot swap on some HBAs). You cripple performance at scale doing it on AHCI controllers (25 queue depth for all drives vs. 600+ for a proper RAID controller or HBA).

      SATA drives are fine for home backup type stuff (I have Reds at home too) but for production workloads 5400RPM means ~20 IOPS at low latency before they kinda fall over. I have a Ryzen desktop system, and I just boot from NVMe (M.2). Intel's vROC is interesting but I haven't seen any server OEMs adopt it yet.

      posted in IT Discussion
      StorageNinja
    • RE: Just How Hard is University to Overcome

      @mike-davis said in Just How Hard is University to Overcome:

      and think about investments instead of just listening to the mantra that if you go to college you'll earn more money.

      If you want kids to think about investments, some advice....

      1. Against the Gods. https://www.amazon.com/Against-Gods-Remarkable-Story-Risk/dp/0471295639
        Teaches them risk, and why humans are terrible at it.

      2. Freakonomics. Applied statistics. (Also a fun read.)

      3. A Random Walk Down Wall Street. Good overview of what your place in the world is as a retail investor.

      Listen:

      Planet Money (NPR). Good podcast on all things money, finance, stats.
      Freakonomics podcast. Good fun trivia around stats.

      Subscriptions:

      Read the WSJ. https://www.wsj.com/ Well worth the subscription. I started reading USA Today in first grade, but I moved on to the WSJ for biz coverage, and CSM for current events.

      The Economist. Gives them a good neoliberal view of global economics with some realpolitik mixed in.

      posted in IT Careers
      StorageNinja
    • RE: Just How Hard is University to Overcome

      @tim_g Billionaires are outliers. Using them as a straw man for college success or not vs. actual data is.... well, a bad idea.

      I'd also point out that some of the tech ones (Gates, Jobs) still went to college, and built their initial network there. Maybe they didn't need to graduate, but the first 2 years of classes (and more importantly) connections got them where they are now.

      posted in IT Careers
      StorageNinja
    • RE: Just How Hard is University to Overcome

      @mike-davis said in Just How Hard is University to Overcome:

      Rich Dad, Poor Dad

      Not really that great of a book, beyond arguing people should pay attention to cashflow, and invest in things that earn interest. Kiyosaki is a fraud. Idiot was preaching to buy Gold in 2015 and get out of the market. His obsession with slumlord rental properties is just a step above "flip this house" scaminars.

      posted in IT Careers
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @bnrstnr said in If all hypervisors were priced the same...:

      I've never even used VMware, but I'm pretty sure if every single feature was available for free (like all the other hypervisors), then I'm pretty sure that's a no-brainer.

      It's not just features but the ecosystem to consider. xxx hypervisor may work for what you do, but what if you need to run XenDesktop? It's not a supported hypervisor for them to do PVS/MCS automation with. What if you need FIPS 140-2 compliance, or need a DISA STIG?

      What if you need NSX/microsegmentation and service insertion support? NSX-T can cover KVM, but for Hyper-V or Xen you'll need to deploy a gateway.

      Hypervisor requirements tend to not live in a vacuum, and that drives a lot of stuff.

      posted in IT Discussion
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @emad-r said in If all hypervisors were priced the same...:

      KVM, not because of KVM itself but because it runs on and is actively supported and updated on Linux OSes, so eventually we will get all the features (if not more) and benefits of ESXi via external packages like mdraid + cockpit, so you can build a pretty strong system, but the learning curve can scare people away.

      People talk a lot about MDRAID, but given how hit/miss hot-add is on HBAs (glares at HPE), or that it's commonly done with AHCI controllers (garbage performance, QD=25 for ALL drives!), I don't see what the big deal is about buying a proper RAID controller that you can access through out-of-band (iLO/iDRAC), has proper hot-add support, and an NVDIMM cache, or layering a distributed SDS system on top (in which case you don't use MDRAID). Even Red Hat was requiring a local RAID controller for their cluster HCI thing last time I checked.

      posted in IT Discussion
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @tim_g said in If all hypervisors were priced the same...:

      If features and costs (free) were identical across the board, I would choose KVM hands down.
      I love being able to run off Fedora Server, plus all the doors that open up by doing that... which you can't get from Hyper-V or VMWare.
      Sure Xen can be installed on there too, but it's dying and I'm less familiar with it.

      I've always liked a tiny hypervisor and pushing the management off to APIs (that can have a layered UI/CLI) rather than installing the damn kitchen sink on the hypervisor. What value does Fedora Server bring for actually running on the KVM hosts? You need to run containers in ring 0 or something weird?

      posted in IT Discussion
      StorageNinja
    • RE: If all hypervisors were priced the same...

      @dustinb3403 As someone who ran Xen for a while, I never bothered to look at the source code.
      While I have access to one of the commercial hypervisors' code, and early builds, it's really the last code we produce that I'm generally interested in (generally more interested in health check code as I'm working with engineering on some new ones).

      I've reported CVE-worthy bugs in commercial software and the code was really the last thing I needed to find them. It's generally as simple as finding an exception case, or noticing that they are using a protocol that can't be secured (TFTP) improperly (leaving things in the directory).

      posted in IT Discussion
      StorageNinja