nanog mailing list archives
Re: automated site to site vpn recommendations
From: Spencer Ryan <sryan () arbor net>
Date: Wed, 29 Jun 2016 18:49:27 -0400
I treat Meraki like SmartNET. The subscription comes with lifetime support (TAC + Warranty), you do have support on your production network gear don't you? It's not like they trick you going into it either. I for one am a huge fan of the simplicity, it just works.

Disclaimer: We use them. ~35 access points all around the world.

*Spencer Ryan* | Senior Systems Administrator | sryan () arbor net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Wed, Jun 29, 2016 at 6:33 PM, Eric Kuhnke <eric.kuhnke () gmail com> wrote:

> My biggest issue with Meraki is the fundamentally flawed business model, biased in favor of vendor lock in and endlessly recurring payments to the equipment vendor rather than the ISP or enterprise end user.
>
> You should not have to pay a yearly subscription fee to keep your in-house 802.11(abgn/ac) wifi access points operating. The very idea that the equipment you purchased which worked flawlessly on day one will stop working not because it's broken, or obsolete, but because your *subscription* expired...
>
> If you want wifi with a centralized controller there's lots of ways to do it at either L2 (Unifi APs and Unifi controller reachable on the same LAN segment as the Unifis, or with its own management vlan), or with Unifi APs programmed to find a controller by hostname/IP address (L3).
>
> On Wed, Jun 29, 2016 at 5:55 AM, Paul Nash <paul () nashnetworks ca> wrote:
>
> > My biggest issue with Meraki is that their tech staff can run tcpdump on the wired or wireless interface of your Meraki box without having to leave their desk.
> >
> > I have no reason to believe that they are malicious, or in the pay of the NSA, but I am too paranoid to allow their equipment anywhere near me.
> >
> > Yes, they work well and the cloud control panel makes remote support a breeze; you have to decide how you feel about the insecurity.
> >
> > paul
> >
> > On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin () gmail com> wrote:
> >
> > > I would second Meraki for the situation you describe. I don't feel that they are the most capable platform, they're expensive, and don't always present you with all the information you'd need for troubleshooting.
> > >
> > > However, the VPN offers great dynamic tunneling, instant-on performance, and are by far the simplest platform to offer a field person. They're also tenacious - I've had them connect to the cloud management platform and build a VPN under some trying circumstances.
> > >
> > > From a security standpoint, they will offer features that will impress for the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN tunnel control), and we've found they punch above their weight and their APs perform fantastically.
> > >
> > > We deploy them worldwide many times per year in similar use cases, sometimes with 150 users on the LAN. If your routing is simple, you can define your security policies, and don't need crazy throughput on your VPN, Meraki is the way to go. Be careful though: they have to be continually licensed to work and can get pretty expensive if you go for the higher end gear. Thus far, we've been able to stick to the cheaper stuff and accomplish our goals.
> > >
> > > Dan
> > >
> > > (end)
> > >
> > > On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer () biplane com au> wrote:
> > >
> > > > On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > > > > In some cases...
> > > >
> > > > The words "in some cases" are a problem with any supposedly plug and play solution.
> > > >
> > > > > We really could use a simple solution that you just flip on, it calls home, and works...
> > > >
> > > > ...but still requiring someone to enter credentials of some sort, right? Otherwise you have a device wandering about that provides look-mum-no-hands access to your corporate network.
> > > >
> > > > MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB for a wireless dongle or storage, and has a highly-scriptable operating system. Not a bad platform.
> > > >
> > > > Regards, K.
> > > >
> > > > --
> > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > Karl Auer (kauer () biplane com au)
> > > > http://www.biplane.com.au/kauer
> > > > http://twitter.com/kauer389
> > > >
> > > > GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > > > Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4