nanog mailing list archives

Re: automated site to site vpn recommendations


From: Geoff Wolf AB3LS <liltechdude13 () gmail com>
Date: Wed, 29 Jun 2016 22:50:39 -0400

I have a feeling that most if not all of the requirements you have could be
achieved with a Cisco ISR router running some kind of FlexVPN/DMVPN setup
back to a network VPN hub. The ISR G3 series has the option of enabling a
built-in firewall/IPS. You'd need a RADIUS solution to authenticate the VPN
from the spoke router in the field to the hub and also for 802.1X port
authentication. Depending upon the number of ports you'd need, a
downstream switch may be needed (ISR4331 has optional 4-port PoE switch
module).
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/200031-Zero-Touch-Deployment-ZTD-of-VPN-Remot.html

That said, I think this would be a huge headache compared to what can be
done with Meraki. It would also involve a TON of R&D time (believe me).

On Wed, Jun 29, 2016 at 7:38 PM, Tim Raphael <raphael.timothy () gmail com>
wrote:

There is a downside to subscription pricing for the vendor: they don't get
the instant cashflow they're used to. I know Cisco seems to be taking a
tactic where only some product lines use subscriptions and the others are
on a typical enterprise 3-5 year replacement cycle to provide Cisco with
the large cash injections upon upgrade.

Tim

On 30 Jun 2016, at 7:00 AM, Seth Mattinen <sethm () rollernet us> wrote:

On 6/29/16 15:33, Eric Kuhnke wrote:
My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.

You should not have to pay a yearly subscription fee to keep your in-house
802.11(abgn/ac) wifi access points operating. The very idea that the
equipment you purchased which worked flawlessly on day one will stop
working not because it's broken, or obsolete, but because your
*subscription* expired...


I'm sure most hardware makers would love to lock in a revenue stream of
"keep me working" subscriptions if they could get away with it. From the
company's perspective what's not to love about that kind of guaranteed
revenue?

I often wonder if Microsoft will someday make Office365 the only way to
get Office, which if you don't maintain a subscription your locally
installed copy of Word will cease to function.

~Seth




-- 
Geoffrey Wolf

