Campus Challenges

Started by NetworkGroover, April 09, 2020, 11:55:38 AM


NetworkGroover

Quote from: deanwebb on May 11, 2020, 11:29:09 AM
Don't it, though? And while I've seen advocates for wall-to-wall Cisco, that message gets muddled when talking about Cisco acquisitions that compete directly with other Cisco lines. Aironet and Meraki are the number one example of "wall-to-wall Cisco" still resulting in a bake-off and a knife fight.

Yeah... the whole business unit in-fighting situation is kinda crazy.  I think the idea was good initially to spur competition... but what that methodology has devolved into compared to entire companies being one big team... dunno if it was worth it.
Engineer by day, DJ by night, family first always

wintermute000

#16
Despite all of us 'real' engineers sh1tting on Meraki, guess which line I'm going with 9.9 times out of 10 in this crazy DNA licensing era....

They're kind of a victim of progress just like smartphone manufacturers: we reached 'good enough' a long time ago with campus. In fact most users would be fine with 100M endpoints (guess what, they all work fine on wireless N...) so all that's left is to upsell on complexity. Esp. in my market there just isn't the need for the super complex 'campus' solutions except in a handful of scenarios - I mean a Cat 3750 core stack with 2960 floor stacks was good enough for 500+ users half a decade ago and would still be 100% fine aside from support. They even did 802.1X hahaha
If I was running my own environment and in charge of the budget I would be going with stupid simple or good-enough vendors. The 'full-fat' solution (*cough cooking-oil vendor cough*) just seems pointlessly complicated and expensive.

re: vendors, it's all the same, the small pure-play vendors are friendly with everyone, and as their footprint grows they get more and more hostile as they start actually butting heads. It will happen to Forescout too :) (or you could be acquired... but seriously, a campus vendor without an identity solution is missing a key part of the lock-in. I'm surprised private equity got in before say JNPR or ANET but at first glance the valuation seems rich for a pure-play vendor, but what do I know)

Then again I'm an opinionated bigot so take it with a grain of salt!
Idle eng chatter: why is RADIUS the magic formula for endpoint micro-seg? Why can't we say run SAML to Azure AD or any other cloud identity solution? I'm aware things work totally differently to RADIUS but why can't the platform just translate/handle it properly assuming you don't want pre-logon and are happy for a quarantine VLAN for the SAML web-UI? Or is everyone just moving RADIUS into the cloud and being done with it, copy-paste the same 802.1X code?

Also, why isn't ISE/Clearpass/Forescout-aaS a thing yet?

Otanx

I am naive, but I hope as Cisco turns into a services company that maybe they won't EOL their gear as fast. I would be OK with paying a little more extra per year in "support" costs if I can keep the same hardware for 10, 15, or 20 years. There are only two reasons to replace gear. It can no longer support your needs, or the vendor stops supporting it. With the access layer my needs were met with the 3750G, the argument could be made even the 3750 is fine. I didn't need the 3750X, or 3850. I just needed something that had support so if it failed I could replace it, and I could patch it for bugs/security issues.

Of course this is the real world, and Cisco will just charge more for support, and still EOL their gear as fast as they can without pissing off customers too much.

Idle eng chatter: You could I guess. I would be against moving my network access into the cloud. My internet connection goes down, and all my endpoints start falling off the network as the re-auth timers hit. We did consider treating our access layer as a "public" network, and having all our endpoints VPN in. This way I auth and encrypt everything. I don't really care who plugs in as they can't do anything. Central control and the bonus of users automatically being able to just work from anywhere.

-Otanx

deanwebb

Always good to listen to the whisper in the ear that says, "You are mortal. You are mortal." :)

I can't comment on the reasons behind the purchase by the holding company instead of another firm. One is that I really wasn't in those discussions and two is I think I'm in a mandatory quiet period while they complete the transaction.

As for vendors in general... it does seem like the future is either getting big like MSFT or CSCO, getting bought by MSFT or CSCO, getting crushed by MSFT or CSCO, or living in a niche that MSFT or CSCO don't care to enter. I see firms getting big where it's fun times now on the way up, but when you hit that altitude and size, the magic starts to fade. I was at MSFT when it hit that plateau where their biggest competitor was themselves - people don't want to upgrade when what they have is already doing the job, and quite well.

Forescout aaS is, um, am I still in a quiet period? Well, if so, just check our marketing for our newest offerings... they're cloud based and available aaS. And one of those is our eyeSegment product that does the segmentation. No need to do dot1x for it, either.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

#19
Quote from: Otanx on May 12, 2020, 09:53:38 AM
I am naive, but I hope as Cisco turns into a services company that maybe they won't EOL their gear as fast. I would be OK with paying a little more extra per year in "support" costs if I can keep the same hardware for 10, 15, or 20 years. There are only two reasons to replace gear. It can no longer support your needs, or the vendor stops supporting it. With the access layer my needs were met with the 3750G, the argument could be made even the 3750 is fine. I didn't need the 3750X, or 3850. I just needed something that had support so if it failed I could replace it, and I could patch it for bugs/security issues.

Of course this is the real world, and Cisco will just charge more for support, and still EOL their gear as fast as they can without pissing off customers too much.

Idle eng chatter: You could I guess. I would be against moving my network access into the cloud. My internet connection goes down, and all my endpoints start falling off the network as the re-auth timers hit. We did consider treating our access layer as a "public" network, and having all our endpoints VPN in. This way I auth and encrypt everything. I don't really care who plugs in as they can't do anything. Central control and the bonus of users automatically being able to just work from anywhere.

-Otanx

I mean I've been saying this for years, but have never been taken seriously since I work for a competitor.  As a former Cisco fanboy, I don't know what they are doing/thinking between forcing DNA licensing, and prepare for more rip/replace as they push hard on Silicon One.  It's like they want to push people to competitors.  I'm pretty thick-skulled and see these initiatives as just plain stupid - I can imagine more than a few smart people over at Cisco at least thought to themselves, "maybe we shouldn't do this."  I honestly don't get it.  Are these practices something they're forced to do by investors indirectly?

deanwebb

Investor pressure, that's what we were told about our licensing changes back in the day. In 2018. It's better to have constant revenue than periodic landing of big whales to make quarter. Microsoft actually got started down that path in the late 90s with Enterprise Licensing. Since then, they expanded it to the consumer space with Office suite access now a subscription as opposed to ownership. With a subscription model, upgrades are no longer a sales question, but a matter of whether or not the customer wants to move forward now or later: no pressure to make quarter by selling an upgrade to version N+1.

The process involves some stock market pain - FSCT missed some earnings estimates because of our switch in sales models. That's one reason it made sense to go private - no pressure to make earnings until after we've changed our sales model. With the general tanking of the market in recent days, other companies have a great window to change all kinds of things, miss earnings as expected in the general recession going on, then when the economy starts up again, they're able to issue new earnings estimates in line with their new sales models.

And remember that sales operates on a technical level until the bake-off is over. After that, the losing vendor moves the pressure up to the director/VP/CIO level. That's when the engineers that did the bake-off are at risk of having vendors do some second-guessing of their expertise. The bigger the vendor and the bigger the deal, the more the second-guessing that goes on.

wintermute000

#21
Otanx, take a look at Zscaler Private Access... Exactly what you're talking about, cloud-brokered zero trust access. It works and it will kill traditional client VPN. I've got it running in a lab and my company has done a couple of live deployments; it works.

Aspiring, if I have to have another Cisco DNA licensing conversation I will blow my brains out. NOT A SINGLE customer I've dealt with has anything nice to say about it, especially those standing up licensing servers lol

Otanx

Huh, they even are FedRAMP. Added to the list of things to dig into.

-Otanx

deanwebb

Maybe we need to start some new threads for the many directions this convo is going in...

NetworkGroover

Quote from: deanwebb on May 13, 2020, 08:48:11 AM
Maybe we need to start some new threads for the many directions this convo is going in...

Lol sorry  :XD:

NetworkGroover

Quote from: wintermute000 on May 12, 2020, 11:24:00 PM
Otanx, take a look at Zscaler Private Access... Exactly what you're talking about, cloud-brokered zero trust access. It works and it will kill traditional client VPN. I've got it running in a lab and my company has done a couple of live deployments; it works.

Ah yes!  Second this!

Quote from: wintermute000 on May 12, 2020, 11:24:00 PM
Aspiring, if I have to have another Cisco DNA licensing conversation I will blow my brains out. NOT A SINGLE customer I've dealt with has anything nice to say about it, especially those standing up licensing servers lol

Yeah man all vendor bias aside, it's absolutely nuts.  People have enough problems.

wintermute000

Quote from: NetworkGroover on May 13, 2020, 06:34:59 PM
Quote from: deanwebb on May 13, 2020, 08:48:11 AM
Maybe we need to start some new threads for the many directions this convo is going in...

Lol sorry  :XD:

Just change the topic to random shit talk thread lol

deanwebb

Quote from: wintermute000 on May 14, 2020, 04:09:03 AM
Quote from: NetworkGroover on May 13, 2020, 06:34:59 PM
Quote from: deanwebb on May 13, 2020, 08:48:11 AM
Maybe we need to start some new threads for the many directions this convo is going in...

Lol sorry  :XD:

Just change the topic to random shit talk thread lol

I do that, we gotta move it private.

(re-reads thread)

Given some of what we said here, maybe we should do that, anyway...  :twitch:

NetworkGroover

I'm totally that dog from the movie, "Up"....

SQUIRREL!

deanwebb

Soooooooo...

Back to the campuses...

Let's talk about how some places go insane with AP density... and then others where it literally takes a local city council approval to mount a new AP - where it has to also get approval of the architect firm that designed the building!