Category Archives: Cloud Networking

Contemplations on Large-Scale Cloud Wi-Fi in Higher Education

For so many years, the Wi-Fi story at most campuses has been pretty similar: hundreds or thousands of access points connect to some number of controllers, and it’s all managed by a network management system. Sounds simple enough, but this basic formula of WLAN building blocks has a number of implications that many of us who keep these networks up frequently get weary of. I recently took part in a panel discussion webinar where some notable wireless network managers and architects from the higher ed space discussed these implications. Let me share what we talked about, and we’ll see if any of it resonates with you- and I’m sure that you’d agree that the topics covered here certainly apply well beyond higher ed.

Mist Systems Hosts the Panel Discussion
Mist Systems isn’t the first company to bring cloud-managed wireless to market, but they do offer some fairly comprehensive strategies for those interested in different options. During the panel session, we talked with Bryan Ward from Dartmouth College and Brian Stephens from MIT. Both of these gents are now using Mist for their respective campus WLAN environments, albeit in different topologies. Rounding out the panel was Rowell Dionicio of Packet6.com, Wes Purvis and Jussi Kiviniemi (Mist Product Management team), and myself. Though Rowell and I both have deep backgrounds in higher ed wireless, we joined this session as independent consultants.

The Layer 2 Elephant in the Room
Back in the day when controllers first hit the market, they gave the WLAN world a major gift at Layer 2. With “fat APs”, every VLAN the access point serves has to be carried as a tagged VLAN on a trunk on its Ethernet uplink. When the AP is controller based, it needs only a single management VLAN: client traffic for any number of VLANs is encapsulated in CAPWAP tunnels back to the controller and broken out there. That makes the L2 paradigm far simpler from the perspective of AP-uplink switch and switchport configurations, by an order of magnitude in large environments. To me, this is perhaps the single most significant benefit of controller-based WLAN, and it is one potential obstacle when going to a cloud-managed model. The old L2 concerns come back to haunt us when the controller gives way to a cloud-managed management plane, and not all vendors have an answer to the dilemma.

During our discussion, we learned that Dartmouth re-engineered their LAN network and embraced configuration automation to reduce the L2 admin burden when they migrated away from their old Cisco controllers to Mist’s cloud-managed WLAN. By contrast, MIT’s timeline for WLAN upgrades required that they NOT re-engineer their L2 environment, meaning they needed a solution to the L2 dilemma.

How do you take advantage of the CAPWAP (or similar) tunnel terminations afforded by controllers when you are abandoning controllers? Mist provides an appliance called the Mist Edge that terminates the AP tunnels and aggregates VLANs on premises, while the rest of the management plane stays in the cloud. This option allowed MIT to quickly get their Wi-Fi moved to the cloud paradigm while preserving their legacy LAN topology.

There was a lot of good discussion about what exactly a controller is versus solutions like Mist Edge and similar building blocks from other vendors. Wes presented this graphic to guide discussion:

Why Else is the Controller Construct so Important When Considering Cloud Wi-Fi?
Aside from Layer 2 concerns, we heard from both MIT and Dartmouth the various ways their admin time has gotten more productive since they jettisoned controllers. We all spoke of reliability and such, and there is no doubt that a move to the cloud simplifies major administrative tasks. I’ve used cloud-managed networking in almost twenty branch locations of varying sizes for at least a decade, and I can say that not having to upkeep both controller code and quirky, feature-bloated management servers is nothing short of liberating.

The panel as a group seemed to agree that many WLAN professionals get hung up on the loss of nerd-knobs and command-line deep debug capabilities when they consider a move away from controllers to cloud. I wasn’t the only one to vocalize that often the deeper debugs we do on controllers are when we are troubleshooting controller code for TAC rather than actually trying to figure out Wi-Fi or client issues (this gets extremely old). Dartmouth’s Bryan Ward spoke highly of the ease of use and effectiveness of Mist’s API capabilities from first-hand experience when deeper-than-GUI information is needed, while MIT’s Brian Stephens reflected on the Mist interface being comprehensive enough for daily use. Both perspectives are good news for the controller-weary. Competing cloud systems have similar API functionality, and one point of analysis at evaluation time is always “is there the right balance between GUI and API?” from the usability perspective.

A Lot to Consider, Digest
For me, this discussion does scrape off a significant portion of apprehension about potentially moving a large WLAN of many thousands of access points to the cloud-managed paradigm. (In my perfect world, I’d be able to keep my existing very expensive controller-based APs and use them with another vendor’s cloud solution- but the world doesn’t work that way, and likely never really will at enterprise scale.) We covered a lot of ground, with these among some of the other details to ponder:

• Rowell asked a great question- can we make a Mist Edge in VM? Wes replied that it could be done, but most customers don’t.
• Bryan Ward pointed out that SNMP completely goes away with the Mist deployment.
• Brian Stephens made the case that so many other enterprise systems are moving to a cloud-managed model that taking Wi-Fi there really isn’t that much of a leap.
• We all talked about the “what if your Internet connection goes down?” scenario. I’ll say that your Mist Wi-Fi will be fine during the downtime, but I’ll let you hear the rest of the conversation for yourself when you watch the session.
• We also hit on how funding changes from Capex to Opex with cloud management, and the value of scripting skills for network admins.

There’s a lot more to hear, and it’s better firsthand so I hope you spend an hour or so and watch it. I will close by saying this: regardless of what system you are contemplating, you really have to do an honest eval with it the way you would actually use it daily, and you also have to talk to real-world customers that have been empowered to speak freely about the good and less-than-great of the solution you’re interested in.

This panel discussion was especially useful to me because Bryan and Brian have already gone down a road I think about often, and Rowell’s insights are always right on. I’m now better equipped to think about the WLAN future of environments that I manage.

If you missed one of the embedded links above, find the webinar here.

Linksys Leverages Tanaza for Cost-Conscious Cloud-Managed Wi-Fi

You’ve heard of Linksys, everybody has. But Tanaza? Is that an energy drink? No, but it is what fuels Linksys’ latest go at cloud-managed Wi-Fi. Let’s get the Tanaza thing out of the way first, then we’ll talk about what Linksys is up to (if you’ve had it with expensive vendor license paradigms, you’ll want to read on).

Tanaza Explained


Tanaza is a cloud-managed networking platform based in Italy. I’ve been tire-kicking and following the evolution of the Tanaza system for a while now; here’s a blog I wrote on Tanaza, to get you started. I like the company, their people, and the UI. As an enterprise WLAN guy myself, I sometimes have to stretch my mind to get the appeal of a company that (so far) only manages Wi-Fi and not “the full network stack”, but once you get that, it’s easy to appreciate Tanaza’s effectiveness. Recognizing that a company’s Wi-Fi is the thing many SMB customers interact with the most, Tanaza makes providing well-managed and feature-rich WLAN environments easy for single sites or distributed locations, likely served by MSP types or savvy in-house staff who need the most for their precious network budget dollars.

Linksys Cloud-Managed Wi-Fi 2.0

As a reminder, Linksys is part of Belkin, which is part of Foxconn. Those of a certain age may be predisposed to think of Linksys as a home router vendor, but the company has long since evolved to having business-grade products in several spaces. With its latest strategy for cloud-managed WLAN, Linksys replaces its old in-house magic with Tanaza’s very polished dashboard and management framework and pairs it with a so-far modest handful of decent indoor 802.11ac wireless access points.

So what is the actual news here?

Tanaza has the cloud-management thing down pretty well. The case can be made that Foxconn/Belkin/Linksys using Tanaza’s framework validates Tanaza’s suitability for the SMB/MSP masses. The Linksys empire includes manufacturing, support, various channel relationships, and the ability to capitalize on Tanaza’s native cloud goodness to offer a decent SMB solution at compelling prices. And what makes those prices compelling? Probably the biggest selling point is that no licenses are required when you compare to other cloud-managed solutions. In my opinion, many of the bigger guys have gotten so license-happy they have priced themselves out of the SMB market.

Good Stuff, But Is It Enough?

Linksys Cloud Management 2.0 promises unlimited scaling (again, think MSP), easy pre-configurations and new access point adds (think Meraki-style), and has a good road map for options that will help customers to either directly or indirectly monetize their guest WLAN environments. All that sounds good when you can get it for cheap with no licenses, and I will say that the Tanaza access point I’ve been running works well. But I also can’t help but think that sooner or later “cloud managed Wi-Fi only” is going to be an issue for some potential customers. Even Open Mesh, before they were acquired by Datto, had a pretty effective cloud managed switch and edge router offering to go with their wireless APs, as does Ubiquiti- who is always the elephant in the room in this space. An outdoor AP option with external antenna capabilities would also be nice.

Linksys Cloud Manager 2.0 web page

Celona Tees Up Bigtime on CBRS

Private 5G networking has been discussed a lot over the last year. Engineers and installers are getting trained on design, installation, and support. Though it’s not exactly a new topic, it is still fairly exotic. It’s like we’re all kind of waiting for CBRS to take some big, meaningful step forward that signals “OK, it’s really finally here. Really, like for real.” With Celona’s latest news, that big step has arguably just been taken.

Back in February of this year, I pondered on the past and short future of CBRS in this blog. I’ve gotten to know Celona (the private mobile network company) up close and personal at Mobility Field Day events last year and in 2020 and through a number of private briefings. From where I sit, the entire CBRS and Celona thing has been kind of a slow simmer- waiting for things to break open and get real.

We’re there now.

Platform, Products

Celona is ready to rock and roll the CBRS-hungry enterprise crowd with all the makings of a build-it-yourself 5G networking solution. The details are here, but the short version goes like this- product components of Celona’s integrated solution architecture include:

Celona RAN: Indoor and outdoor CBRS LTE access points built for enterprise environments. They provide up to 25K sq ft of indoor and 1M sq ft of outdoor coverage. Radio functions are fully automated by Celona software, including power level and frequency channel assignments in the CBRS spectrum; no manual configuration is required.

Celona Edge: Private LTE/5G core Enterprise appliance that’s designed to integrate with any existing network environment. Deployable on-premises for strict SLA enforcement for local applications, within private / public / edge clouds for service scalability, or both.

Celona Orchestrator: The AIOps platform that enables remote installation of Celona’s access points and Edge software, across multiple enterprise sites. Orchestrator provisions Celona SIM cards against required device level access control policies within the enterprise network. Providing more than monitoring of infrastructure components, Orchestrator also keeps track of application and device KPIs for Celona MicroSlicing™ (think QoS on steroids, but there’s more to it than just that).

Everything you need to build your own private 5G environment.

Aruba Networks Partnership

Celona has also formed a partnership with Aruba Networks, which will sell Celona gear where a given customer is looking for not just Wi-Fi but also private mobile networking. Given Aruba’s lofty position in the WLAN space, this is a good thing for Celona as they set out to conquer this new market.

A Fat Wad of Series B Funding Never Hurts

Not that further validation that Celona is doing things right is needed, but one could argue that the cash the company has just secured is another indicator that industry is taking both Celona and their new tech solution seriously.

There are some decent folks at Celona that I’ve known in different roles at other companies, and it’s exciting to see them move their collective vision forward. I’m looking forward to seeing how this unfolds for Celona, the fledgling CBRS industry, and for the customers about to go down this road.

See the new Celona Platform.

NetAlly Unleashes the Right Tester, at the Right Time: EtherScope nXG

Change is both inevitable and fickle. Vendors come, go, and buy each other. Some product lines that we love die on the vine; others thankfully go on to only get better with time. I sat in a room with the NetAlly folks at Mobility Field Day 4 and got an eyeful/earful of teaser information on a slick new tester that would be released later in the year and would bear these notions out in spades.

I’m here to tell you: “later” is now, and the product line that we have grown to appreciate from its start at Fluke Networks, through its run as part of NETSCOUT, and now as the baby of spin-off NetAlly, continues its tradition of excellence with the new EtherScope nXG.

Does this look vaguely familiar?

If you own (or have jonesed for) either the AirCheck G2 or the LinkRunner G2, that color scheme will look familiar. But the EtherScope nXG’s overall feature set makes the very capable G2 units suddenly feel a little less-than, despite each being a testing powerhouse in its own right. (And if you’ve been around a while, you might remember the old yellow EtherScope from the Fluke Networks

NetAlly brings the EtherScope to market right when it is needed. What do I mean by that?

  • With the 802.11ax tide starting to rise, troubleshooting tools need to keep up
  • On the wired side, NBASE-T and 10G are becoming facts of life
  • Bluetooth is penetrating the enterprise in interesting new ways
  • “Convergence” is one of those overplayed words in networking, but the reality is that both operations and the support of those operations have very much converged, and fewer of us do only one or the other (not to mention work in data centers and server rooms)
  • Senior engineers can’t be everywhere, and it’s not uncommon to rely on others to gather data that we then analyze from some other location
  • Performance testing and detailed path analysis of different network segments can be daunting as topologies get more sophisticated.
  • Uploading of results to a cloud repository brings huge advantages in baselining, team-wide scrutiny, and reporting.

Networks are getting more complicated. Tolerance for time-to-problem-resolution is decreasing. The EtherScope nXG is marketed as a “Portable Network Expert”, and despite my frequent disdain for grandiose marketing platitudes, I find this to be an apt description.

Rather than regurgitate the tester’s specs, let me point you to them here (scroll down).  The full data sheet from the product docs is here and shows the product’s impressive range nicely. And to get a feel for just what the EtherScope nXG can do, have a look at these videos that show several different testing scenarios.

I’m going to cap this one here. There is just sooooo much to talk about with this new tester. Yes, I know I sound borderline giddy and buzzed on the Kool-Aid, and I’m OK with that. I can tell you that the new tester feels good in the hand, and casual kicking of the tires is in itself impressive. I have an eval unit, and will be putting it through its paces for real in the near future. Watch for the next blog on the EtherScope nXG.


Don’t Forget About Those OTHER Meraki MX Firewall Rules

I’m a long-time user of the Meraki MX security appliance product line. Going way back to the MX-70, I have found tremendous value in what the MX products can do for my far-off sites. (Here’s an old- and I mean old- case study that gets into the early appreciation of the MX line.) I’ve probably set up maybe 65ish total MX devices through the years in multiple states and countries, doing site-to-site VPN, stand-alone, and also some pretty creative configurations. Despite my experience, I was recently reminded that I don’t know it all about a product that I feel extremely comfortable calling myself an expert on.

In one remote site that connects to the main network with site-to-site VPN, an NTP vulnerability was flagged on a couple of audiovisual devices. The device vendor was of absolutely no help (go figure), and our security team asked if we could help from the Meraki side. “Oh sure…” says I. “We got a firewall to leverage.”

We needed to put the kibosh on NTP between the remote site and the main network. I pulled up the Firewall page on the MX and set to work. This is an area in the MX I’ve probably manipulated maybe a couple of dozen times, for everything from stopping phantom ringing on 3rd-party hosted IP phones to simple outbound protocol blocks.

L3 Firewall

That image represents something like three stages of desperation in getting rules right, as nothing I did worked. I simply could not tame the NTP beast to/from the two hosts, and it was making me feel silly. My first inclination was to blame Meraki: surely this stupid box must have issues! Except it didn’t… about the only thing Meraki could have done is perhaps mention on the L3 Firewall page that there is a separate firewall rule set, on the site-to-site VPN configuration page, for traffic that crosses the tunnel. That looks like this:

Site-to-Site FW

I had just never done firewall rules for the site-to-site tunnel. I didn’t know, after many years! But I did leverage the Meraki “search our documentation” repository to get educated, with this document that explains it. There’s nothing complicated about it: the rules on the L3 Firewall page govern traffic headed out the Internet edge, while traffic riding the site-to-site tunnel is evaluated against the site-to-site rule set, so a block in one does nothing for the other. You just have to know where to find it the first time you need to configure rules for the tunnel versus the Internet edge.
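To make the “two rule sets” lesson concrete, here is an added example (my own illustration, not Meraki code and not from the original post) that models which rule set a flow is subject to and then evaluates it. The rule dicts mimic the field names the Meraki Dashboard API uses for L3 rules (policy, protocol, srcCidr, destCidr, destPort); the subnets, hosts and rules are constructed for the story above, and the evaluation model is a simplification I am assuming: VPN-bound traffic sees only the site-to-site rules, Internet-bound traffic sees only the outbound L3 rules, first match wins, and no match means allow. It shows why the NTP deny on the L3 Firewall page catches NTP to the Internet but not NTP to the main campus over the tunnel, and what the fix in the site-to-site rule set looks like.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: the remote site is 192.168.50.0/24, the main
# campus (reached only through the site-to-site VPN) is 10.10.0.0/16.
REMOTE_VPN_SUBNETS = ["10.10.0.0/16"]

# Rule dicts mirror the field names of Meraki Dashboard API L3 rules.
L3_OUTBOUND_RULES = [
    {"comment": "Block NTP from AV gear", "policy": "deny", "protocol": "udp",
     "srcCidr": "192.168.50.20/32,192.168.50.21/32", "srcPort": "Any",
     "destCidr": "Any", "destPort": "123"},
]
SITE_TO_SITE_RULES_BEFORE: list = []   # the tunnel rule set nobody had touched
SITE_TO_SITE_RULES_AFTER = [           # the rule that actually fixed it
    {"comment": "Block NTP from AV gear into campus", "policy": "deny",
     "protocol": "udp", "srcCidr": "192.168.50.20/32,192.168.50.21/32",
     "srcPort": "Any", "destCidr": "10.10.0.0/16", "destPort": "123"},
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dport: int
    sport: int = 0


def _cidr_match(field: str, addr: str) -> bool:
    """'Any' or a comma-separated list of CIDRs, as the dashboard accepts."""
    if field.lower() == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c.strip(), strict=False)
               for c in field.split(","))


def _port_match(field: str, port: int) -> bool:
    """'Any', single ports and lo-hi ranges, comma separated."""
    if field.lower() == "any":
        return True
    for part in field.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule: dict, flow: Flow) -> bool:
    return (rule["protocol"].lower() in ("any", flow.protocol.lower())
            and _cidr_match(rule["srcCidr"], flow.src)
            and _cidr_match(rule["destCidr"], flow.dst)
            and _port_match(rule.get("srcPort", "Any"), flow.sport)
            and _port_match(rule["destPort"], flow.dport))


def evaluate(rules: list, flow: Flow) -> tuple:
    """First match wins; no match falls through to the implicit allow."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["policy"], rule.get("comment", "")
    return "allow", "implicit allow (no rule matched)"


def crosses_vpn(dst: str) -> bool:
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(n) for n in REMOTE_VPN_SUBNETS)


def decide(flow: Flow, l3_rules: list, vpn_rules: list) -> tuple:
    """Pick the rule set the flow is subject to, then evaluate it.
    Assumed simplification: VPN-bound traffic sees only the site-to-site
    rules; everything else sees only the L3 outbound rules."""
    if crosses_vpn(flow.dst):
        return ("site-to-site VPN",) + evaluate(vpn_rules, flow)
    return ("L3 outbound",) + evaluate(l3_rules, flow)


if __name__ == "__main__":
    ntp_to_campus = Flow("192.168.50.20", "10.10.1.5", "udp", 123, 123)
    ntp_to_internet = Flow("192.168.50.20", "203.0.113.10", "udp", 123, 123)
    print(decide(ntp_to_campus, L3_OUTBOUND_RULES, SITE_TO_SITE_RULES_BEFORE))
    print(decide(ntp_to_campus, L3_OUTBOUND_RULES, SITE_TO_SITE_RULES_AFTER))
    print(decide(ntp_to_internet, L3_OUTBOUND_RULES, SITE_TO_SITE_RULES_BEFORE))
```

Run it and the first line shows the flow to campus landing in the site-to-site set and sailing through on the implicit allow, which is exactly the three stages of desperation above. If you pull both rule sets from the dashboard API instead of the constructed lists, the same functions let you audit whether a block you think you have actually covers the path the traffic takes.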

And now you know, too.


Mojo (Arista) Answers The Layer 2 Situation for WLAN Migration To Cloud

I recently wrote about the challenges, as I see them, with the Layer 2 aspects of moving from an established controller-based WLAN solution to one like Aerohive, Meraki, Mist, or Ubiquiti that is managed in the cloud. That article is here, at IT Toolbox.

Want the short version of The Layer 2 Situation? Being all about value, I can help you out… Let’s start with the simple view of VLANs that underpin a controller-based WLAN environment:


Betwixt the switch and the AP you have a single VLAN. It’s simple, it’s clean. It’s not a spanning tree asspain. But cut into that single VLAN with your magic network knife, and you’ll find a CAPWAP tunnel with as many VLANs as you need. In large environments, that may be dozens o’ VLANs for various SSIDs scattered across thousands of APs.

Contrast that with the typical fat AP/cloud AP VLAN underlay:

Ugh- see the difference? In those large WLAN environments- where thousands of APs equals hundreds of switches- you might have to configure thousands and thousands of switch interfaces to convert the simple CAPWAP-oriented LAN to the VLAN-heavy LAN needed by fatty-fat APs- AND most cloud APs.

Ugh.
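Here is what “thousands and thousands of switch interfaces” looks like in code, as an added example of the kind of configuration automation that takes the sting out of The Layer 2 Situation (both here and in the Mist/Dartmouth discussion above). This is my illustration, not anyone’s production tooling: it assumes Cisco IOS-style switchport syntax, a constructed AP inventory, and made-up VLAN numbers. It renders the same AP ports two ways, as access ports in the management VLAN for the controller model and as trunks for the cloud/fat-AP model, and it prunes each trunk to the SSID VLANs that AP actually serves rather than trunking every VLAN on the switch to every AP-facing port, which is the least-privilege habit worth keeping if you do go down the trunk road.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory values; replace with your own NMS/DDI export.
MGMT_VLAN = 100  # the one VLAN an AP port needs in the controller model


@dataclass(frozen=True)
class ApPort:
    switch: str
    interface: str
    ap_name: str
    ssid_vlans: tuple[int, ...]  # VLANs for the SSIDs this AP actually serves


def controller_port_config(port: ApPort) -> list[str]:
    """Controller model: client VLANs ride CAPWAP to the controller, so the
    switchport is a plain access port in the AP management VLAN."""
    return [
        f"interface {port.interface}",
        f" description AP {port.ap_name} (CAPWAP to controller)",
        " switchport mode access",
        f" switchport access vlan {MGMT_VLAN}",
        " spanning-tree portfast",
    ]


def cloud_port_config(port: ApPort) -> list[str]:
    """Cloud/fat-AP model: the AP breaks out client VLANs locally, so the
    switchport must be a trunk carrying every SSID VLAN plus management.
    The allowed list is pruned to what this AP serves, not 'all'."""
    allowed = sorted(set(port.ssid_vlans) | {MGMT_VLAN})
    return [
        f"interface {port.interface}",
        f" description AP {port.ap_name} (cloud-managed, local VLAN breakout)",
        " switchport mode trunk",
        f" switchport trunk native vlan {MGMT_VLAN}",
        " switchport trunk allowed vlan " + ",".join(str(v) for v in allowed),
        " spanning-tree portfast trunk",
    ]


def render(inventory: list[ApPort], model: str) -> dict[str, str]:
    """Return one config snippet per switch for the chosen model."""
    builders = {"controller": controller_port_config, "cloud": cloud_port_config}
    per_switch: dict[str, list[str]] = defaultdict(list)
    for port in inventory:
        per_switch[port.switch].extend(builders[model](port) + ["!"])
    return {sw: "\n".join(lines) for sw, lines in per_switch.items()}


def allowed_vlans(snippet: str, interface: str) -> set[int]:
    """Parse the VLANs a given interface would carry; handy for checking
    that no AP port was left trunking more than it needs."""
    lines = snippet.splitlines()
    start = lines.index(f"interface {interface}")
    for line in lines[start + 1:]:
        if line.startswith("interface "):
            break
        if "trunk allowed vlan" in line:
            return {int(v) for v in line.split()[-1].split(",")}
        if "access vlan" in line:
            return {int(line.split()[-1])}
    return set()


# Constructed sample: two switches, three APs, SSID VLANs 200 (staff) and 210 (guest).
INVENTORY = [
    ApPort("sw-bldg1-1", "GigabitEthernet1/0/1", "ap-101", (200, 210)),
    ApPort("sw-bldg1-1", "GigabitEthernet1/0/2", "ap-102", (200,)),
    ApPort("sw-bldg2-1", "GigabitEthernet1/0/1", "ap-201", (210,)),
]

if __name__ == "__main__":
    for sw, cfg in render(INVENTORY, "cloud").items():
        print(f"! {sw}\n{cfg}\n")
```

Swap the constructed INVENTORY for a real export and the cloud rendering is the change set you would push to hundreds of switches; the controller rendering is what those same ports look like today. The allowed_vlans helper is the check I would run over the output before deployment, because a trunk that carries every VLAN is how one popped AP or one unplugged AP cable turns into a foothold on VLANs that had nothing to do with Wi-Fi.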

Mojo evidently agrees with that ugh and offers an option that preserves the goodness of the cloud approach (No NMS to keep up, easier code upgrades, no buggy controllers to babysit, etc) while providing an easy way to NOT go down VLAN rabbit holes when converting from controller to cloud. This magical hybrid approach features the Multiservice Platform:


Tres sexy, no? I had heard about Mojo’s Multiservice Platform last year at Mobility Field Day 2, but will admit I lost some of the messaging in the din of all the “Cognitive blah blah blah”. But when I recently wrote about The Layer 2 Situation, two good citizens from WLAN land came forward and reminded me that this nut has indeed been cracked, and by Mojo.

Recall if you will- Mojo has been acquired by Arista Networks since Mobility Field Day 2. I also happened to be present at the Mojorista MFD3 presentation, which I wrote about here.

So… will Arista continue with the Multiservice Platform? I have to say that I really hope so. I hope they promote the heck out of it, and that other cloud Wi-Fi vendors follow suit. I don’t know whether I’ll ever run a massive cloud AP WLAN (I do currently run a massive controller-based Wi-Fi network and a lot of cloud-based branches), but if I do it’s nice to know that there is at least hope for The Layer 2 Situation.

Open Mesh Brings Major Disruption to SMB Space, Goes Full-Stack

Another router coming to the SMB market generally isn’t that exciting, but this one is different for a number of reasons.


For one thing, it comes from Open Mesh. Those ports are part of the G200, which is the first router ever released by Open Mesh. It has a list price of $249, and it also brings the Open Mesh product line into the proverbial “full stack” domain.


Now customers can use access points, switches, and the G200 all from Open Mesh, and all cloud-managed in the excellent CloudTrax dashboard with no license costs.

Yes, you heard me right… I said “with no license costs”. If you are not familiar with Open Mesh, the operational paradigm is easy- you buy your components (routers, switches, and access points), you register them in the CloudTrax dashboard, and off you go with configuration and operation. CloudTrax is a pretty decent network management system in and of itself, and it is the only way you manage Open Mesh components. It’s simple, it’s feature rich, and given what Open Mesh hardware costs, the entire paradigm is an absolute steal compared to pricing and complexity of enterprise solutions that masquerade as SMB-friendly.

The G200 is a significant milestone not only for the Open Mesh product line, but also for the SMB market, in that it seriously drops upfront costs and TCO while providing what may be the easiest-to-use interface among any of its competitors.

But what do you get for under $250 in features with the G200? A lot, actually. From a resource perspective, Open Mesh promises gigabit throughput courtesy of a quad-core processor and a dedicated crypto engine. The G200 has two passive PoE ports so Open Mesh APs can connect directly, and also an SFP port for fiber uplink to an Open Mesh switch or a third-party switch. All the typical “router stuff” is onboard, from VLAN support, DHCP server, and firewall to decent traffic classification, QoS, NAT, user VPN, and even usage statistics. Not bad for an initial edge router at this price point that won’t hit you up in 12 months for a fat license fee to keep using it. Mine has been as reliable as I could ask for in the couple of weeks I’ve been testing it. One gripe: no site-to-site VPN, although that is coming.


I can’t stress how important price is for the SMB space, and I know some of my own customers are dealing with sticker shock that comes from other cloud-managed solutions that charge big and small environments the same way when it comes to licensing (or worse, they penalize the small networks for not having volume purchasing leading to better pricing). If Open Mesh continues to evolve their edge functionality and hardware offerings, this vendor could deliver a sales smack-down to the bigger players who have become license-happy to the point of ridiculousness over the last few years.

A New Access Point and Switch, Too!

I’m a huge fan of the Open Mesh A60 dual-band indoor/outdoor 802.11ac access point. It has been the top dog of the Open Mesh access point line for several months, with a list price of $225 (again, no licensing and free CloudTrax support). Now, as part of the same product announcement that features the G200 router, Open Mesh is also bringing out its new A62 access point. It’s still dual-band and indoor/outdoor, but this Wave 2 AP also sports two 5 GHz radios, support for up to an estimated 150 streaming clients, and the same $225 price tag as the A60.

The latest S24 switch also breaks new ground for Open Mesh with 10 Gbps SFP+ uplink ports and a higher PoE power budget than its predecessor.

Let’s Do Some Math

Open Mesh has over 100,000 network customers around the world. When I think of one of my own small sites that’s up for renewal with another cloud vendor, I’m looking at trying to explain to my customer why a 3-year renewal license on old AP costs almost as much as purchasing the latest license-free AP from Open Mesh, and why a 3-year renewal license on an older security appliance costs almost twice the price of a new Open Mesh G200 router that would never need another license. These are real dollars for small businesses, and you pay the big price for the other guys whether you ever use actual support or not.

It’s time for a shake-up at this end of the market, and I think Open Mesh is the vendor to do it.
