Licenses for APs and Switches
-
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@jaredbusch He likes the Layer 7 application blocking on the MX. I wanted to bring this up on a separate thread, but since you brought it up :D, I feel like that shouldn't really be an issue right?
Why does he like that? Make him put that feature into a dollar value.
I would love to. I'm going to include the price of keeping the MX in my proposal.
He says that he likes the ability of the layer 7 application blocking on the MX. But I feel like with appropriate firewall rules I could block those kinds of things, right? Even then the only thing I have under the Layer 7 rules blocks torrenting.
Depends, what exactly is he blocking? And why?
We're looking to block things like P2P, adult content, basically anything a school should block.
Realistically, wouldn't a pfSense router with a plugin like pfBlocker or SquidGuard block stuff like that? I have a pfSense box at home, but I haven't been messing with plugins like I should.
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
-
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@jaredbusch He likes the Layer 7 application blocking on the MX. I wanted to bring this up on a separate thread, but since you brought it up :D, I feel like that shouldn't really be an issue right?
Why does he like that? Make him put that feature into a dollar value.
I would love to. I'm going to include the price of keeping the MX in my proposal.
He says that he likes the ability of the layer 7 application blocking on the MX. But I feel like with appropriate firewall rules I could block those kinds of things, right? Even then the only thing I have under the Layer 7 rules blocks torrenting.
Depends, what exactly is he blocking? And why?
We're looking to block things like P2P, adult content, basically anything a school should block.
Realistically, wouldn't a pfSense router with a plugin like pfBlocker or SquidGuard block stuff like that? I have a pfSense box at home, but I haven't been messing with plugins like I should.
Those are two different kinds of things. One is blocking an app. The other is blocking sites. I'd handle those separately.
-
Consider something like Strongarm.io for blocking content.
-
Ubiquiti firewalls do P2P blocking, just turn it on.
-
@scottalanmiller said in Licenses for APs and Switches:
Ubiquiti firewalls do P2P blocking, just turn it on.
Not so much
-
@jaredbusch said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
Ubiquiti firewalls do P2P blocking, just turn it on.
Not so much
It blocks some at least.
-
Is it a business requirement? Seems like that would need to be something that should be determined prior to paying for it again.
-
@scottalanmiller said in Licenses for APs and Switches:
@jaredbusch said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
Ubiquiti firewalls do P2P blocking, just turn it on.
Not so much
It blocks some at least.
Are you talking about these settings? I’ve not had much luck with it. But it has been a couple years since I tried. I will test it again.
-
@coliver said in Licenses for APs and Switches:
Is it a business requirement? Seems like that would need to be something that should be determined prior to paying for it again.
It's for a school. But definitely someone should determine if it is "this one guy wants this for his own personal reasons" or "this is actually something that the school should have."
-
@jaredbusch said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@jaredbusch said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
Ubiquiti firewalls do P2P blocking, just turn it on.
Not so much
It blocks some at least.
Are you talking about these settings? I’ve not had much luck with it. But it has been a couple years since I tried. I will test it again.
That's the settings, yeah. Don't know how good it is, but it's something (and free.)
-
@markferron said in Licenses for APs and Switches:
Along with the cost of licenses I would also like to put in that requiring licences for APs and switches is not an industry standard,
Considering Cisco is 30% of the networking industry them deciding to do something makes it an industry standard...
For enterprise-class APs that have 24/7 enterprise support, it's common to have to make an opex payment. It's common to need to license features. Aruba and others charge the same way.
For access-class switching it's not common (Cisco will give you lifetime replacement and patches for Catalyst 2/3K switches in response to competitors doing the same thing).
-
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
-
@jaredbusch said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
and keeping the MX400.
Why keep it? Clean house totally.
Migrating firewall platforms can be a pain in the ass when you end up needing to re-write thousands of lines of rules (my old job at a hosting company, that was the sum of the rules). We wrote scripts to translate them to the new platform but it was a bit scary to do the changeover. Ended up moving more and more firewalling into NSX and off the edge firewall because it made auto-cleanup of rules simpler, and made edge firewall rules more of an edge case to need (mostly just OOB management stuff).
-
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
-
@storageninja said in Licenses for APs and Switches:
@jaredbusch said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
and keeping the MX400.
Why keep it? Clean house totally.
Migrating firewall platforms can be a pain in the ass when you end up needing to re-write thousands of lines of rules (my old job at a hosting company, that was the sum of the rules). We wrote scripts to translate them to the new platform but it was a bit scary to do the changeover. Ended up moving more and more firewalling into NSX and off the edge firewall because it made auto-cleanup of rules simpler, and made edge firewall rules more of an edge case to need (mostly just OOB management stuff).
Luckily our firewall setup is really simple. There's really not a lot we have going on.
-
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
-
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
-
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Ahhh. For a private college I'd do a few things....
- Put students on private PVLANs. Basically they can't reach anything but the internet, services you have facing the internet, and possibly edge gateways for Citrix/View/VDI etc. Don't let those clients talk to each other.
- Deploy NAC for the wireless to make sure that infected clients get forced to remediation. https://packetfence.org/ is popular in education for low cost. Strong, easy NAC support and integration is one reason why "big wireless" (Aruba, Cisco, AeroHive, etc.) dominates in campus education.
- Do you have dorms you provide internet for? Consider at a minimum getting peering to major sources of traffic (Netflix is AS 2906) and CDNs, or negotiate with CDN providers to put in caching appliances on your network directly. (Do you operate an AS directly?)
-
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
Considering this is complying with censorship requests I'd assume they don't care. Personally, I'd allow porn, just shape it into the lowest traffic class (whatever is left over). If you block it people will VPN/get around it. If you allow it but make it slow then people will just give up and use their phones etc for it.
-
@markferron The other thing is how big of pipes do you have, and how many networks are you mixing. Are you doing your own eBGP announcements (if so, what is your AS?).
Sometimes it's more cost effective to have a boring router on the edge, and do WCCP redirection and OpenFlow to edge-device-based inspection to avoid having to invest in a "big layer 7 on the wire" appliance, vs. selectively approving/denying out of band.