Networking-Forums.com

Professional Discussions => Wireless => Topic started by: heath on August 13, 2019, 11:15:05 PM

Title: Cisco vs Aruba vs Ruckus vs MIST
Post by: heath on August 13, 2019, 11:15:05 PM
Our Cisco WiSM2s are reaching EOL and we are evaluating the path forward.  We've been happy with Cisco as a product, but not happy about new licensing schemes, forced obsolescence, the increasing cost of annual maintenance, etc.  So we're looking at other solutions.  With our use case, we want to stick to controller based.  I've got some Aruba gear in for evaluation right now, and got a controller and AirWave set up last week and ClearPass set up today.  Ruckus has agreed to send us some demo gear as well.

While I like the SDA stuff from Cisco, we don't like the price.  (We don't have ISE, just ACS which is also reaching its end.  And we have Prime which is also being phased out.  So this seems like a good time for a complete refresh.)  I've mostly liked the Aruba stuff so far, but a few small things give me pause.

Has anyone gone through this process?  Which route did you go?  Any thoughts or things you've encountered that you mind sharing?
Title: Re: Cisco vs Aruba vs Ruckus
Post by: deanwebb on August 14, 2019, 09:21:31 AM
I deal with lots of large customer environments. I've seen Aruba in them, have not seen any Ruckus. I do also see Meraki making inroads and one customer testing out the Arista small office solution for some branches.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: heath on August 14, 2019, 12:24:08 PM
I guess Cisco is getting the message and they have come back with some very aggressive "promo deal" pricing.  And the relationship we have with our Cisco SE is something I don't think any vendor can match.  We've looked at the Meraki stuff and have decided it's just not a fit for us.  Maybe in some isolated locations, but not as our main wireless solution.  All but one of our dorms (we're a university) are completely outsourced, including internet connectivity (which I hate, because it's terrible service and there's nothing we can do about it, yet we take a lot of the heat from students).  They use Ruckus wireless, but I don't think it's really Ruckus's fault it's so bad.  We talked with another university that went with Ruckus and they are pretty happy but they have a very different environment than we do and are not even trying to do some of the things I want to accomplish.

Right now, I'm leaning toward Aruba with ClearPass. But I'm early in the evaluation and it's hard to break away from Cisco.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: deanwebb on August 14, 2019, 01:41:00 PM
Outsourcing... have I ever heard of a customer that was satisfied enough with an outsourcer to happily renew the contract? No, I have not.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: heath on August 14, 2019, 02:28:05 PM
Well, administration is happy.  Those of us "in the field" not so much.  Our previous President didn't like it and was on the path of doing away with it, but wasn't able to get it done before he moved on.  Current administration is unlikely to change anything.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: deanwebb on August 15, 2019, 09:19:39 AM
Back to the technical question... what is it about Cisco that makes you want to look at other products? And what is it about Aruba and Ruckus that make you hesitate to commit to them?
Title: Re: Cisco vs Aruba vs Ruckus
Post by: heath on August 15, 2019, 10:54:24 AM
The only problem I have with Cisco is the licensing schemes they're trying to move to.  We typically have annual support only on core equipment, not every switch and AP in our environment.  It seems like they're trying to force customers into buying support on every piece of equipment and that's something we just can't afford.  And they're really pushing  SDA, and while I like it, that's an insurmountable cost at this point.  If we want SDA compatible switches, the hundreds of 2960X switches at the access layer would have to be replaced with more expensive switches.  We would have to buy ISE which is expensive, replacing the controllers (which is expensive) means also replacing the ~250 APs we still have that are not compatible with the new controller and that's expensive (and how long will the other ~400 APs remain compatible?), and then the maintenance and support...  Yes, much of this (particularly switches) can be phased, but it's still a lot.  And I'm a 1.5-man team.  (I'm the only dedicated network person, but the phone/L1 guy has been working with me and learning a bit and I trust him with some basic switch config stuff.)   And so it's just a good time to look at other options.

The more I play with Aruba, the more I like it.  Airwave feels too simplified sometimes and nowhere near the capabilities of Prime, but I don't really use Prime for all it can do anyway.  Almost everything I'm used to doing with Prime, I've found I can do with Airwave.  There are some exceptions, but they're not deal-breakers.  For instance, the guy that manages the IP camera system can go into Prime and cycle a switch port to reboot a camera without having to involve me.  And maybe that can be done with Airwave.  I have been focusing on wireless and haven't really gotten that far with it yet.

I've also only scratched the surface of ClearPass.  I've never used ISE to compare it with, but it is a step above ACS.  We have multiple SSIDs for different use cases and condensing that down to a single SSID with access granted and controlled based on credentials is a direction I definitely want to go.  That was amazingly easy to set up with ClearPass.  Today I'm going to look at better ways we can handle guests and devices onboarding with ClearPass then start looking at how well it integrates with our existing Cisco environment.

Cisco and Aruba can both get us where we want to be, but it looks like Aruba can do it at a better price point and licensing that's easier to stomach.  Honestly, my main reservation about Aruba is that they are not Cisco.  I *know* Cisco.  I know their sales people, their engineers, I've experienced TAC.  Our Cisco SE is available at a moment's notice.  He is on site frequently, put in 14-hour days right beside me replacing firewalls and core switches, etc.  There's a very good relationship there and that means something.

As far as Ruckus, I can't really say anything about them right now.  I've only had one meeting with them and they talked a good talk, and I'll give them a fair evaluation, but I don't know enough about them or their product to have a fair opinion yet.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: icecream-guy on August 15, 2019, 11:42:50 AM
Comparing ACS vs ISE is like comparing a redwood seed to a tall redwood tree. Been working with ISE about a month now, mostly on posture compliance: building policy elements, combining elements in policies, building policies into rules. It's all hierarchy driven. Pretty easy, but knowing what knobs to turn and things to tweak, that's a whole other ball game and comes with experience.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: deanwebb on August 15, 2019, 12:58:11 PM
If you're doing wireless only with ISE/ClearPass/Forescout/Microsoft, it's all going to be 802.1X and pretty easy to set up, as that's baked into WLCs.

I would say the call to be made is on managing your environment. If Aruba is already easy to use for you at this time, imagine how it will be when you get more skilled with it.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: heath on August 16, 2019, 10:33:47 PM
A new item in the "con" column for Aruba: the lack of information such as guides and how-to articles for accomplishing certain tasks.  In the Cisco world, there is a plethora of documentation from users.  Anything you want to know how to do, someone has written a how-to guide or made a video showing how to do it regardless of how unusual it is.

But I've been trying to get guest access set up using ClearPass for captive portal and just can't get it working.  Guest WiFi using just the controller is no problem.  Guest user accounts would have to be created manually by someone authorized to do that.  That's what we do now.  But I'd really like to set up ClearPass to let guests register themselves and their devices, have their sponsor authorize their access, etc.

The guides I've found to do this are all either very outdated, incomplete, using equipment I don't have, not in English, or it's just not working.  I'll do some more reading over the weekend, give it another shot Monday, and then maybe see how their support is.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: SimonV on August 18, 2019, 05:40:05 AM
I'm on CPPM training next week, I'll have a look in the official training course, sure it's covered there.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: deanwebb on August 20, 2019, 09:45:20 AM
DISCLAIMER: I work for Forescout, which does compete with ClearPass in setting up guest wireless.

I know that guest wireless self-provisioning and employee sponsorship are two features with Forescout's guest wireless offering.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: heath on August 26, 2019, 05:56:49 PM
I've made a lot of progress with the Aruba stuff, management of it has "clicked" for me now, and I really like it.  If price and features were the same, I'd likely stick with Cisco because of the wealth of information and the relationship with our SE.  Even if we stick with Cisco controllers and APs, I'm going to lobby for ClearPass to replace ACS/ISE and maybe even AirWave to replace Prime.  Both will work with Cisco equipment and give me all of the functionality I've been wanting and at a fraction of the cost of ISE and DNA Center.

Title: Re: Cisco vs Aruba vs Ruckus
Post by: deanwebb on August 27, 2019, 09:29:11 AM
Cool deal. Hopefully, you were able to work this into one of the vendor demos:

:showme:
Title: Re: Cisco vs Aruba vs Ruckus vs MIST
Post by: heath on October 24, 2019, 11:37:26 AM
My Ruckus eval got off to a rough start.  They sent a team on site to get the eval up and going and left without it up and going.  I just today received a hardware controller appliance from them to use instead of the VM we were trying to set up previously.  I expect that will fit in our environment for demo purposes a lot better.

But we also have another contender.  MIST.  https://www.mist.com/  We ran into them at a conference recently and, even though I don't have warm and fuzzies about cloud based management, they looked interesting enough to at least sit through one of their Wednesday Webinar sessions.  That was a train wreck.  Technical problems at the start, and the presenter didn't really seem to be familiar with the product at all.  I bailed about half way through.  But, we reached out and set up a meeting with them and they completely redeemed themselves.  What I saw in their presentation was pretty impressive.  So we're starting the process of getting some demo gear from them as well.
Title: Re: Cisco vs Aruba vs Ruckus vs MIST
Post by: deanwebb on October 24, 2019, 03:06:56 PM
The big question with the cloud wireless providers is scalability. If you are big enough to where you hit a limit somewhere in the product to where you need to consider multiple top-level groupings (organizations in Meraki, don't know the Mist equivalent), then you might hit a hard barrier down the line, especially if you need it to integrate with other products. I know the Mist API limit is very low, so you get something like 2/second with it.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: config t on October 28, 2019, 04:46:22 AM
Quote from: heath on August 15, 2019, 10:54:24 AM
And I'm a 1.5-man team.  (I'm the only dedicated network person, but the phone/L1 guy has been working with me and learning a bit and I trust him with some basic switch config stuff.)


This is a bit off topic, but I'm curious how you are managing a network of this size with what appears to be fairly limited manpower  :eek:. Is there a substantial automation component? Is there a dedicated support team in the background that isn't mentioned?
Title: Re: Cisco vs Aruba vs Ruckus
Post by: heath on October 30, 2019, 02:17:52 PM
Quote from: config t on October 28, 2019, 04:46:22 AM
Quote from: heath on August 15, 2019, 10:54:24 AM
And I'm a 1.5-man team.  (I'm the only dedicated network person, but the phone/L1 guy has been working with me and learning a bit and I trust him with some basic switch config stuff.)


This is a bit off topic, but I'm curious how you are managing a network of this size with what appears to be fairly limited manpower  :eek:. Is there a substantial automation component? Is there a dedicated support team in the background that isn't mentioned?

It's just the way it is.  There's just me and I manage all the route/switch/wireless/security.  Everything between the ISP and the jack in the wall.  We have an enrollment of about 12k students that includes online only, main campus, four small to medium branch campuses, and dedicated classrooms at other locations around the state like a military base, a Native American tribal office.  I've got 38 buildings on the main campus.  Most have 1 network closet, several have 2 or 3, but the largest has 7 network closets.

I have the phone guy who is transitioning to more network support as we SLOWLY replace our ancient Nortel PBX with VoIP, but he spends most of his time on phone tickets and trying to keep the PBX limping along.  He also handles all of the UPSs for all the network closets.  I've been begging for an additional person for a while.  I'm told I can grab a part-time student worker from help desk.  Which doesn't help me.  I'd still have to hold their hand through everything until they're trained and then the semester is over and they're gone.  So I don't bother.

We have a Systems team that handles all the datacenter stuff - storage, servers real and virtual, and a few basic network services like DHCP and DNS.  They have a team of 4 people and have a current opening for a 5th.  Which I try to not let bother me.  Well, 2 of them split time with help desk/user support.  The lead Systems guy manages the F5 appliances we have for SSL offloading, load balancing, and he uses it as his DMZ firewall.  That in itself is a bit of a load off of me.  But I control the main firewall.  Help desk/user support has an additional 2 full time people and a few student workers that handle faculty/staff computers and try to say everything is a network problem.  It's not a network problem.  It's a "you unplugged the network cable from the correct wall jack, plugged it back in to the wrong jack, and complained to me before even trying to find the right jack" problem.  But I digress.  There's also another team of 2 people and an army of student workers that handle all student tech support, classroom equipment, and computer labs.  We do a lot of distance education, so we have a ton of classrooms equipped for that. 

We outsource cabling to contractors.  If we need new ports put in somewhere or existing ports relocated or repaired, we have a contractor come in and do that.  So that's a big load off of me.  I keep some tools and supplies on hand for cabling, but seldom have to use them.

As I mentioned, we don't do anything with student housing except for one small building.  In that one dorm building I've got a compact, wall-mount AP with 4 usable hardwire ports in all 100 rooms.  If I had to manage the rest of student housing, that would have to come with an additional network person.

I don't do much automation.  I've been opposed to that in the past, but I'm coming around.  There's more need for it now from a security perspective.  I try to make the best use I can of free tools.  I could stand to do a lot better with monitoring what is happening with the network, but I don't have the time for the cheap ways or the money for the easy ways.  I do keep things very well documented with Visio and OneNote and well organized, both logically and physically.  My predecessor left me very outdated and incomplete documentation, messy network racks with tangled waterfalls of patch cables, supplies stored in cardboard boxes scattered around random network closets.  And he had an assistant under him.  That person got mad and quit when they didn't get his job and that whole assistant position was eliminated all before my start date.  It took a couple years, but I have cleaned all of that up and keep everything tidy and organized.  I try to find little ways to be more efficient where I can without sacrificing that organization.  For instance, I designed and 3D printed a clip to hold network cables in position when replacing a switch.  Between that, and the rack being tidy, it takes more time for the new switch to boot up than it did to physically swap it out including reconnecting the patch cables.  I used to have a ton of DMCA notices to deal with and that took a lot of my time.  But I've mostly blocked bittorrent and with that along with legitimate affordable streaming services, those notices are very few and far between now. 

Good documentation, organization, and finding ways to be efficient are the biggest tools to help to keep the workload manageable.  The main thing I wish I had more time for was R&D, product evaluations, and keeping an eye on the future.  But there are some weeks and months when it can be quite stressful, particularly summer when most of the students are gone.  That's when most big projects get done.  I don't take a summer vacation.  I take a fall vacation instead.  And that works out great because I'd rather be in the mountains in the fall than the beach in the summer (or any other time). 

I didn't realize this reply was going to go on so long. 

TL;DR - No, there's no substantial automation component or unmentioned support team.  Just me and half of another guy, doing what we can.  I don't even use "professional services" from our vendors when implementing big projects.
Title: Re: Cisco vs Aruba vs Ruckus
Post by: config t on October 31, 2019, 05:17:41 AM
Quote from: heath on October 30, 2019, 02:17:52 PM
I have the phone guy who is transitioning to more network support as we SLOWLY replace our ancient Nortel PBX with VoIP, but he spends most of his time on phone tickets and trying to keep the PBX limping along.  He also handles all of the UPSs for all the network closets.

Help desk/user support has an additional 2 full time people and a few student workers that handle faculty/staff computers and try to say everything is a network problem.  It's not a network problem.  It's a "you unplugged the network cable from the correct wall jack, plugged it back in to the wrong jack, and complained to me before even trying to find the right jack" problem.  But I digress.

My predecessor left me very outdated and incomplete documentation, messy network racks with tangled waterfalls of patch cables, supplies stored in cardboard boxes scattered around random network closets.

These parts hit me right in the feels.
Title: Re: Cisco vs Aruba vs Ruckus vs MIST
Post by: NetworkGroover on April 27, 2020, 06:56:59 PM
Sorry for the necro here... but just wanted to ask something for my education

Question: You mentioned specifically wanting a controller-based solution.  Why is that?

Point:  Arista's Wireless solution is *not* small office.  It scales to thousands of APs, and is one of the few if not only to achieve FedRAMP and used in the highest levels of the fed govt.  Its WIPS is probably second to none, and offers WiFi 6 with the latest chipset to provide full functionality versus others who rushed it to market with the first gen chipsets, resulting in an incomplete WiFi 6 feature set.
Title: Re: Cisco vs Aruba vs Ruckus vs MIST
Post by: deanwebb on April 29, 2020, 10:06:41 AM
Part of wanting a controller-based solution is, I think, familiarity with the technology. Being able to run CLI stuff to get info that isn't in the GUI is another thing.

There's also the matter of the controller still working after the licenses/support contracts expire... :whistle:
Title: Re: Cisco vs Aruba vs Ruckus vs MIST
Post by: NetworkGroover on May 04, 2020, 11:08:22 AM
Quote from: deanwebb on April 29, 2020, 10:06:41 AM
There's also the matter of the controller still working after the licenses/support contracts expire... :whistle:

:XD: :XD:
Title: Re: Cisco vs Aruba vs Ruckus vs MIST
Post by: heath on August 25, 2020, 02:15:35 PM
Quote from: NetworkGroover on April 27, 2020, 06:56:59 PM
Sorry for the necro here... but just wanted to ask something for my education

Question: You mentioned specifically wanting a controller-based solution.  Why is that?

Point:  Arista's Wireless solution is *not* small office.  It scales to thousands of APs, and is one of the few if not only to achieve FedRAMP and used in the highest levels of the fed govt.  Its WIPS is probably second to none, and offers WiFi 6 with the latest chipset to provide full functionality versus others who rushed it to market with the first gen chipsets, resulting in an incomplete WiFi 6 feature set.

I'll necro your necro!  LOL

My reasoning for a controller-based solution was, as Dean said, familiarity with technology.  That's the implementation - only local management VLANs for APs, CAPWAP tunnels, etc - our network is built around and I just don't have the time to re-architect things.  I know there are ways to keep that architecture, but they seem like temporary workarounds and extra overhead to me and I would just be kicking the can down the road.  Secondly, I was not a fan of cloud based network management.  I don't like so much control of my network being in someone else's hands. I say "was not a fan" because I'm starting to come around.

As an update, we STILL have not made a move to a new WiFi system.  Things had to be put off for one reason or another until Covid put it off for a while.  I was actually in the middle of a Mist evaluation back in March when we shut down and started working from home.  That experience, along with the Mist product, was what finally made me look at "cloud managed" a little differently.  I have never liked Meraki, but I was very impressed with the Mist product. 

Although we had decided to stick with Cisco after coming back, budget issues are pushing any purchasing out further and further.  By the time we can make a move on something, I don't know that the same decision will be made.  The decision to stick with Cisco was based on budget and being able to upgrade in phases and spread it out over a couple years instead of all at once.  If we are eventually able to go ahead with a forklift upgrade, I would take a serious look at Mist. 
Title: Re: Cisco vs Aruba vs Ruckus vs MIST
Post by: deanwebb on August 26, 2020, 08:48:49 AM
^ I'm thinking cloud is going to look better and better for most firms.