Suggestions for new APs and Firewall
-
@jaredbusch said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
@jaredbusch said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
@jaredbusch said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
@dafyre said in Suggestions for new APs and Firewall:
@coliver said in Suggestions for new APs and Firewall:
@dafyre they are certainly cheap enough.
Yeah. If nothing else he could keep them around for places that need Wifi temporarily or something.
My question is what Ubiquiti Router would you get for a campus with ~1200 people and a 500 mbit internet connection?
Disclaimer: I used to work in the position that @Markferron now fills.
ERL
Number of users is really never a factor. Throughput is how you measure router performance, not user count.
You obviously have no grasp of reality. I have posted more than one thread here about real world throughput on these units (because I love them and use the heck out of them).
What are you seeing as a max throughput on the router functionality? VPN doesn't count.
With any type of basic traffic shaping on the ERL your max throughput will be 60mbps.
Yes, but we aren't talking about that.
Yes, we are talking about that. Real world. Who runs a network with no traffic shaping on their edge router device?
A college that has to prevent students from torrenting up all the bandwidth leaving none for important things like Facebook and Netflix.
-
This can happen with a single user at home, or not happen with thousands of users sharing a connection. User and device count just don't matter.
-
@scottalanmiller said in Suggestions for new APs and Firewall:
You need to worry about traffic shaping when your high priority traffic is gaining unacceptable latency caused by low priority traffic saturating the outbound connection. That's it.
Sure, of course... that could be the case with a single user.
So if that's really the situation, then the answer to my question is - one.
-
@dashrender said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
You need to worry about traffic shaping when your high priority traffic is gaining unacceptable latency caused by low priority traffic saturating the outbound connection. That's it.
Sure, of course... that could be the case with a single user.
So if that's really the situation, then the answer to my question is - one.
No, that's certainly not the answer.
-
The answer is... users aren't a factor. That's the only answer to your question.
It's like asking "how many cupcakes does it take to get to the moon?"
There is no answer, the question is just wrong. That you can get to the moon before you need to eat one cupcake isn't relevant as it isn't the cupcake getting you to the moon.
-
This is for a school, not an SMB. Without some form of traffic shaping somewhere, their bandwidth would be overrun with torrents.
@Markferron can correct me if I'm wrong, but right now, I think the Meraki APs are where the bandwidth shaping is being done now.
-
@dafyre said in Suggestions for new APs and Firewall:
This is for a school, not an SMB. Without some form of traffic shaping somewhere, their bandwidth would be overrun with torrents.
@Markferron can correct me if I'm wrong, but right now, I think the Meraki APs are where the bandwidth shaping is being done now.
There is a lot more to it than that. How many schools have their phones via their public WAN, for example? They might, and then they likely need shaping, but the things that make you need shaping often go away when dealing with things like schools.
-
@scottalanmiller said in Suggestions for new APs and Firewall:
@dafyre said in Suggestions for new APs and Firewall:
This is for a school, not an SMB. Without some form of traffic shaping somewhere, their bandwidth would be overrun with torrents.
@Markferron can correct me if I'm wrong, but right now, I think the Meraki APs are where the bandwidth shaping is being done now.
There is a lot more to it than that. How many schools have their phones via their public WAN, for example? They might, and then they likely need shaping, but the things that make you need shaping often go away when dealing with things like schools.
@scottalanmiller, I have worked at this place. They need shaping to prevent 3 computers with bit torrent from overrunning every ounce of bandwidth they have. Been there, done that, turned on traffic shaping, problem solved.
Edit: The Phone system is a different topic.
-
@dafyre said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
@dafyre said in Suggestions for new APs and Firewall:
This is for a school, not an SMB. Without some form of traffic shaping somewhere, their bandwidth would be overrun with torrents.
@Markferron can correct me if I'm wrong, but right now, I think the Meraki APs are where the bandwidth shaping is being done now.
There is a lot more to it than that. How many schools have their phones via their public WAN, for example? They might, and then they likely need shaping, but the things that make you need shaping often go away when dealing with things like schools.
@scottalanmiller, I have worked at this place. They need shaping to prevent 3 computers with bit torrent from overrunning every ounce of bandwidth they have. Been there, done that, turned on traffic shaping, problem solved.
Edit: The Phone system is a different topic.
Why not block those rather than shape?
-
@scottalanmiller said in Suggestions for new APs and Firewall:
@dafyre said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
@dafyre said in Suggestions for new APs and Firewall:
This is for a school, not an SMB. Without some form of traffic shaping somewhere, their bandwidth would be overrun with torrents.
@Markferron can correct me if I'm wrong, but right now, I think the Meraki APs are where the bandwidth shaping is being done now.
There is a lot more to it than that. How many schools have their phones via their public WAN, for example? They might, and then they likely need shaping, but the things that make you need shaping often go away when dealing with things like schools.
@scottalanmiller, I have worked at this place. They need shaping to prevent 3 computers with bit torrent from overrunning every ounce of bandwidth they have. Been there, done that, turned on traffic shaping, problem solved.
Edit: The Phone system is a different topic.
Why not block those rather than shape?
In general, you cannot. Not without some packet inspection going on, and that again kills the CPU in the router.
-
If you want to do all of this at the FW, which is reasonable but not the only choice, then yeah, obviously a bigger model is needed. If you are using the router only for routing, it will handle a lot of bandwidth. Just depends how you are setting it all up.
-
If they wanted to block it all at the edge, I'd assume they would need to look at something such as a Palo Alto or what-not?
ER Pro -> Palo Alto -> Internal Network?
-
@dafyre said in Suggestions for new APs and Firewall:
If they wanted to block it all at the edge, I'd assume they would need to look at something such as a Palo Alto or what-not?
ER Pro -> Palo Alto -> Internal Network?
That's one approach.
-
EdgeRouter have an option for blocking BitTorrent themselves. But they have to spend time looking at the traffic to do so.
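
What "looking at the traffic" involves, as an added example that is not part of the original posts and not EdgeRouter's own implementation: a port-only rule next to a match on the plaintext handshake prefix from the public BitTorrent specification (BEP 3). The addresses, ports, payloads and function names are constructed for illustration.

```python
"""Port rule vs. payload inspection for BitTorrent (constructed sample traffic)."""

# BEP 3: a peer handshake starts with the length byte 19 and this protocol string.
BT_PREFIX = b"\x13BitTorrent protocol"
CLASSIC_BT_PORTS = range(6881, 6890)  # ports clients traditionally defaulted to

def port_rule(dst_port: int) -> bool:
    """Header-only check: cheap, but a client can listen on any port."""
    return dst_port in CLASSIC_BT_PORTS

def payload_rule(payload: bytes) -> bool:
    """Inspection check: the device has to read into the TCP payload."""
    return payload.startswith(BT_PREFIX)

def classify(packets):
    """Return ({flow: (port_verdict, payload_verdict)}, payload_bytes_read).

    Only the first data segment of each flow is inspected, so an inspecting
    device needs per-flow state in addition to the CPU time spent reading.
    """
    verdicts, bytes_read = {}, 0
    for src, sport, dst, dport, payload in packets:
        flow = (src, sport, dst, dport)
        if flow in verdicts or not payload:
            continue  # already decided, or a segment carrying no data
        bytes_read += min(len(payload), len(BT_PREFIX))
        verdicts[flow] = (port_rule(dport), payload_rule(payload))
    return verdicts, bytes_read

CLIENT = "10.0.0.23"  # constructed addresses (RFC 1918 / RFC 5737 ranges)
HANDSHAKE = BT_PREFIX + bytes(8) + b"H" * 20 + b"-XX0001-" + b"0" * 12
SAMPLE = [  # constructed packets: (src, sport, dst, dport, tcp_payload)
    (CLIENT, 40001, "203.0.113.10", 443, b""),
    (CLIENT, 40001, "203.0.113.10", 443, b"\x16\x03\x01\x00\x2e\x01" + bytes(41)),
    (CLIENT, 40002, "198.51.100.7", 51413, HANDSHAKE),
    (CLIENT, 40002, "198.51.100.7", 51413, b"\x00\x00\x00\x01\x02"),
    (CLIENT, 40003, "192.0.2.5", 6881, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    verdicts, n = classify(SAMPLE)
    for flow, (by_port, by_payload) in verdicts.items():
        print(flow, "port rule:", by_port, "payload rule:", by_payload)
    print("payload bytes read:", n)
```

The port rule misses the handshake sent to port 51413 and flags the plain HTTP request on 6881; the payload rule gets both right but has to read data on every new flow. A plaintext-prefix match is a lower bound, since sessions that do not carry the handshake in the clear are not matched by it.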
-
@scottalanmiller said in Suggestions for new APs and Firewall:
EdgeRouter have an option for blocking BitTorrent themselves. But they have to spend time looking at the traffic to do so.
That's better done on a separate device, isn't it?
-
@dafyre said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
EdgeRouter have an option for blocking BitTorrent themselves. But they have to spend time looking at the traffic to do so.
That's better done on a separate device, isn't it?
If that's the only thing you're doing - is it worth splitting?
-
@dashrender said in Suggestions for new APs and Firewall:
@dafyre said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
EdgeRouter have an option for blocking BitTorrent themselves. But they have to spend time looking at the traffic to do so.
That's better done on a separate device, isn't it?
If that's the only thing you're doing - is it worth splitting?
They would likely benefit from the Web filtering and such on the Palo Alto (currently handled by the Meraki FW).
-
@dafyre said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
EdgeRouter have an option for blocking BitTorrent themselves. But they have to spend time looking at the traffic to do so.
That's better done on a separate device, isn't it?
Depends. Blocking one service is a very minor thing and easily handled by the entry level enterprise non-UTM device. So likely, no, you'd not split for one little thing.
-
@dafyre said in Suggestions for new APs and Firewall:
@dashrender said in Suggestions for new APs and Firewall:
@dafyre said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
EdgeRouter have an option for blocking BitTorrent themselves. But they have to spend time looking at the traffic to do so.
That's better done on a separate device, isn't it?
If that's the only thing you're doing - is it worth splitting?
They would likely benefit from the Web filtering and such on the Palo Alto (currently handled by the Meraki FW).
Then you aren't doing just one thing of filtering out Torrents.
-
@dafyre said in Suggestions for new APs and Firewall:
@dashrender said in Suggestions for new APs and Firewall:
@dafyre said in Suggestions for new APs and Firewall:
@scottalanmiller said in Suggestions for new APs and Firewall:
EdgeRouter have an option for blocking BitTorrent themselves. But they have to spend time looking at the traffic to do so.
That's better done on a separate device, isn't it?
If that's the only thing you're doing - is it worth splitting?
They would likely benefit from the Web filtering and such on the Palo Alto (currently handled by the Meraki FW).
They likely would, but that would be a different discussion.