Posts made by Markferron
-
UniFi Home Lab vs Campus
I'm looking to install around 140 total UniFi APs around our campus (or rather, make the argument for them). Probably around 45 SHDs, and the rest of them would be AC PROs, and a few AC LITEs. I still have around 8 months before the decision is made, and I want to make sure that I know how to administrate/manage them. I was thinking about just ordering myself one AC LITE for my home and installing a self-hosted UniFi controller. Other than scale, would this be a comparable setup? I'm worried that the AC LITE and other APs would be somehow managed differently.
-
RE: Licenses for APs and Switches
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
Yeah no kidding. I saw a few items on the list of things they wanted to know about our college and it made me laugh. Wish I could remember what they were...
Do you offer dual credit classes to high school students? Curious if that trips the need for CIPA?
Only likely if they are on campus. My nieces do that but they don't go on campus, so while the classes are for high school students, they aren't on the campus networks (but that is Texas.)
Our school is close to a few high schools in the area so professors actually will go to their school and teach in their classrooms.
-
RE: Licenses for APs and Switches
@storageninja said in Licenses for APs and Switches:
Ahhh. For a private college I'd do a few things....
- Put students on private PVLANs. Basically they can't reach anything but the internet, services you have facing the internet, and possibly edge gateways for Citrix/View/VDI etc. Don't let those clients talk to each other.
- Deploy NAC for the wireless to make sure that infected clients get forced to remediation. https://packetfence.org/ is popular in education for low cost. Strong easy NAC support and integration is one reason why "big wireless" (Aruba, Cisco, Aerohive, etc.) dominate in campus education.
- Do you have dorms you provide internet for? Consider at a minimum getting peering to major sources of traffic (Netflix is AS 2906), and CDNs, or negotiate with CDN providers to put in caching appliances on your network directly. (Do you operate an AS directly?).
- Yup, that was already set up by my predecessor @dafyre
- That feature is actually on the Meraki, but I've never messed with it. Probably should now. From what I'm reading Palo Alto supports NAC pretty well.
- We do provide internet to dorms. I'm not sure that we would need a caching appliance. So far our network seems to be working okay at our 500mb connection, but in the future that might be something to look at.
-
-
RE: Licenses for APs and Switches
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.
Yeah no kidding. I saw a few items on the list of things they wanted to know about our college and it made me laugh. Wish I could remember what they were...
-
RE: Licenses for APs and Switches
@scottalanmiller said in Licenses for APs and Switches:
@storageninja said in Licenses for APs and Switches:
@dafyre said in Licenses for APs and Switches:
With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.
I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.
Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.
Private college, should be free to avoid CIPA.
Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.
-
RE: Licenses for APs and Switches
@storageninja said in Licenses for APs and Switches:
@jaredbusch said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
and keeping the MX400.
Why keep it? Clean house totally.
Migrating firewall platforms can be a pain in the ass when you end up needing to re-write thousands of lines of rules (My old job at a hosting company that was the sum of the rules). We wrote scripts to translate them to the new platform but it was a bit scary to do the changeover. Ended up moving more and more firewalling into NSX and off the edge firewall because it made auto-cleanup of rules simpler, and made edge firewall rules more of an edge case to need (Mostly just OOB management stuff).
Luckily our firewall setup is really simple. There's really not a lot we have going on.
-
RE: Licenses for APs and Switches
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@jaredbusch He likes the Layer 7 application blocking on the MX. I wanted to bring this up on a separate thread, but since you brought it up :D, I feel like that shouldn't really be an issue right?
Why does he like that? Make him put that feature into a dollar value.
I would love to. I'm going to include the price of keeping the MX in my proposal.
He says that he likes the ability of the layer 7 application blocking on the MX. But I feel like with appropriate firewall rules I could block those kinds of things, right? Even then the only thing I have under the Layer 7 rules blocks torrenting.
Depends, what exactly is he blocking? And why?
We're looking to block things like P2P, adult content, basically anything a school should block.
Realistically, wouldn't a pfSense router with a plugin like pfBlocker or SquidGuard block stuff like that? I have a pfSense box at home, but I haven't been messing with plugins like I should.
-
RE: Licenses for APs and Switches
@scottalanmiller said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@jaredbusch He likes the Layer 7 application blocking on the MX. I wanted to bring this up on a separate thread, but since you brought it up :D, I feel like that shouldn't really be an issue right?
Why does he like that? Make him put that feature into a dollar value.
I would love to. I'm going to include the price of keeping the MX in my proposal.
He says that he likes the ability of the layer 7 application blocking on the MX. But I feel like with appropriate firewall rules I could block those kinds of things, right? Even then the only thing I have under the Layer 7 rules blocks torrenting.
-
RE: Licenses for APs and Switches
@thwr said in Licenses for APs and Switches:
@markferron said in Licenses for APs and Switches:
@thwr said in Licenses for APs and Switches:
@coliver said in Licenses for APs and Switches:
@thwr said in Licenses for APs and Switches:
@coliver said in Licenses for APs and Switches:
Make sure you include the labor in the comparison as well. Hanging new APs can get very costly.
I guess all the wires are already in place. Shouldn't be too hard to replace them
Still would be to get someone in a ladder or lift to do the replacement. I've done a 150 AP organization before that was a good week for two people.
The question is: Who should climb the ladder? Probably not someone who bills $150+ per hour.
That'll be me. They're cheap, but I know what I'm worth haha.
One day I'll be worth that...one day...
-
RE: Licenses for APs and Switches
@thwr said in Licenses for APs and Switches:
@coliver said in Licenses for APs and Switches:
@thwr said in Licenses for APs and Switches:
@coliver said in Licenses for APs and Switches:
Make sure you include the labor in the comparison as well. Hanging new APs can get very costly.
I guess all the wires are already in place. Shouldn't be too hard to replace them
Still would be to get someone in a ladder or lift to do the replacement. I've done a 150 AP organization before that was a good week for two people.
The question is: Who should climb the ladder? Probably not someone who bills $150+ per hour.
That'll be me. They're cheap, but I know what I'm worth haha.
-
RE: Licenses for APs and Switches
@coliver Definitely something they would like to see. But if I get approved to get something else, I'm working all day and night to get those in and they don't have to pay extra, haha.
-
RE: Licenses for APs and Switches
@thwr Yeah it's safe to assume we got some sort of discount. But still..yeahhhh
-
RE: Licenses for APs and Switches
@thwr That's actually another issue. I don't really know how the budget works here, and we don't really interact with our vendors. Just guesstimation... Amazon has 3 year licences for the MR32 @ $208 each and $120 for the switch. So that's about $29,240 for a set of 3 year licenses.
-
RE: Licenses for APs and Switches
@jaredbusch He likes the Layer 7 application blocking on the MX. I wanted to bring this up on a separate thread, but since you brought it up :D, I feel like that shouldn't really be an issue right?
-
Licenses for APs and Switches
I'm making a proposal for my boss to get us off of our Meraki equipment this November when our licenses expire. Currently, we have an MX400, 140 MR32 APs, and 1 MS220-8P (switch). The huge cost for renewing licenses, to me, justifies just buying Ubiquiti APs and keeping the MX400. Along with the cost of licenses I would also like to put in that requiring licences for APs and switches is not an industry standard, but I wasn't actually sure if that's the case. I don't have enough experience with equipment to make that claim. Am I right? Would you use that in a point? What else would you add to a proposal?
-
RE: Robocopy source folder and all subfolders
One more question. I'm going to add multi-threading to make it run fast (/MT) and the machine I'm running this command on (which is the destination machine) is a virtual machine. Is there a correlation with number of threads to CPU core count or RAM?
-
RE: Robocopy source folder and all subfolders
@tim_g Oh wow I didn't realize that it would create the file for you.
Works well. I just have to manually share the file and give AD groups the correct Permissions (Sharing tab) under Advanced Sharing. It also still retains the correct permissions under Security as well.
I'm going to leave out /V and /TEE and add in /NP /NDL since there is a log at the end. Seems like a waste of energy (also seemed to run faster in my tests).
-
RE: Robocopy source folder and all subfolders
Robocopy "\titus\TestIT" "E:\File Shares" /MIR /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:Robocopy.log
Oh that's weird. It's leaving out my second "\"
This is what I actually run:
Robocopy "\\titus\TestIT" "E:\File Shares" /MIR /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:Robocopy.log
-
Robocopy source folder and all subfolders
I'm looking to use robocopy to copy over a network share drive. For some reason I can't find a way to copy over the source file and all of its subfolders. This is the command I am running from the destination server:
Robocopy "\titus\TestIT" "E:\File Shares" /MIR /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:Robocopy.log
This will only copy the subfolders and everything in them and not the actual "TestIT" folder. I can create a TestIT folder on the destination and then manually share it through appropriate groups in AD, but I know I'm missing something simple.
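An added example, not part of the original posts: robocopy copies the contents of the source into the destination, so keeping the top-level folder means appending its name to the destination path. The script uses the paths from the post, adds a list-only dry run because /MIR deletes destination files that are absent from the source, and decodes robocopy's bit-flag exit code; the group name in the commented New-SmbShare line is a placeholder.

```powershell
# Added example. Paths are the ones from the post; run from an elevated prompt
# on the destination server, since /ZB and /COPYALL need backup and audit rights.
$Source   = '\\titus\TestIT'
$DestRoot = 'E:\File Shares'
$DryRun   = $true    # keep $true until the listing in the log looks right

# Robocopy copies the CONTENTS of the source into the destination, so the
# top-level folder name has to be appended; robocopy creates it if missing.
$Leaf = $Source.TrimEnd('\').Split('\')[-1]
$Dest = Join-Path $DestRoot $Leaf

$RoboArgs = @($Source, $Dest, '/MIR', '/ZB', '/DCOPY:T', '/COPYALL',
              '/R:1', '/W:1', '/NP', '/NDL', '/LOG:Robocopy.log')
# /MIR also deletes destination files that are absent from the source.
# /L lists what would be copied or deleted without changing anything.
if ($DryRun) { $RoboArgs += '/L' }

& robocopy.exe @RoboArgs
$Code = $LASTEXITCODE

# The exit code is a set of bit flags, so 0 is not the only "success" value.
$Flags = @{
    1  = 'files were copied'
    2  = 'extra files or directories exist in the destination'
    4  = 'mismatched files or directories were found'
    8  = 'some files or directories could not be copied'
    16 = 'fatal error, nothing was copied'
}
$Meaning = foreach ($Bit in 1, 2, 4, 8, 16) {
    if ($Code -band $Bit) { $Flags[$Bit] }
}
if (-not $Meaning) { $Meaning = 'source and destination already match' }

if ($Code -ge 8) {
    throw "Robocopy failed (exit $Code): $($Meaning -join '; ')"
}
Write-Output "Robocopy finished (exit $Code): $($Meaning -join '; ')"

# /COPYALL carries NTFS ACLs, owner and auditing entries, but the share and
# its share-level permissions are not copied. 'EXAMPLE\FileShareUsers' is a
# placeholder group name:
# New-SmbShare -Name $Leaf -Path $Dest -ChangeAccess 'EXAMPLE\FileShareUsers'
```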
-
RE: How do ISPs get business?
@dashrender said in How do ISPs get business?:
I was reading JB's and others talking about getting 100 Mb/s + for around $30-40/month. Others are talking about getting 1 Gb/s for $70/m.
Here in Nebraska in Cox land, 150/20 Mb/s cost $80/m for residential.
100/20 for business costs $350/m
Here in the town I'm in there is only Windstream. 15 Mb/s for $60 a month, ridiculous. Basically government blessed robbery.
The town over I had TruVista and they charged $10/month for the Wi-Fi feature on their modem/router/AP combos. We obviously opted out, but they still charged us $5/month for the modem rental along with $90/month with the fees for 50 Mb/s. These companies make their money back on the hardware "rental" fees alone.