Guys, thanks for all the responses. Thanks to everyone's feedback, we have a number of options that were not on the original list and that is what I was hoping for. Now it's a matter of comparing cost/learning-curve/support-challenge/compatibility with tools/monitoring, etc... Thanks again.
> From: r...@tehorange.com > Date: Wed, 29 Jun 2016 09:03:06 -0400 > Subject: Re: automated site to site vpn recommendations > To: p...@nashnetworks.ca > CC: nanog@nanog.org > > For several of our clients, we use Sophos UTMs coupled with their RED > units. Once registered with the UTM, the RED unit auto creates an SSL > based VPN back to the UTM. The RED unit is managed from the UTM and pulls > it's config when it boots. It's similar to the function of Meraki without > the direct cloud management portion, though the config profile does get > pushed to a section of Sophos' cloud. > > -Rich > > On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash <p...@nashnetworks.ca> wrote: > > > My biggest issue with Meraki is that their tech staff can run tcpdump on > > the wired or wireless interface of your Meraki box without having to leave > > their desk. I have no reason to believe that they are malicious, or in the > > pay of the NSA, but I am too paranoid to allow their equipment anywhere > > near me. > > > > Yes, they work well and the cloud control panel makes remote support a > > breeze; you have to decide how you feel about the insecurity. > > > > paul > > > > > On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyelt...@gmail.com> wrote: > > > > > > I would second Meraki for the situation you describe. I don't feel that > > > they are the most capable platform, they're expensive, and don't always > > > present you with all the information you'd need for troubleshooting. > > > However, the VPN offers great dynamic tunneling, instant-on performance, > > > and are by far the simplest platform to offer a field person. They're > > also > > > tenacious - I've had them connect to the cloud management platform and > > > build a VPN under some trying circumstances. > > > > > > From a security standpoint, they will offer features that will impress > > for > > > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN > > > tunnel control), and we've found they punch above their weight and their > > > APs perform fantastically. > > > > > > We deploy them worldwide many times per year in similar use cases, > > > sometimes with 150 users on the LAN. If your routing is simple, you can > > > define your security policies, and don't need crazy throughput on your > > VPN, > > > Meraki is the way to go. Be careful though: they have to be continually > > > licensed to work and can get pretty expensive if you go for the higher > > end > > > gear. Thus far, we've been able to stick to the cheaper stuff and > > > accomplish our goals. > > > > > > Dan > > > > > > (end) > > > On Jun 27, 2016 6:01 PM, "Karl Auer" <ka...@biplane.com.au> wrote: > > > > > >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote: > > >>> In some cases... > > >> > > >> The words "in some cases" are a problem with any supposedly plug and > > >> play solution. > > >> > > >>> We really could use a simple solution that you > > >>> just flip on, it calls home, and works... > > >> > > >> ...but still requiring someone to enter credentials of some sort, > > >> right? Otherwise you have a device wandering about that provides look > > >> -mum-no-hands access to your corporate network. > > >> > > >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB > > >> for a wireless dongle or storage, and has a highly-scriptable operating > > >> system. Not a bad platform. > > >> > > >> Regards, K. > > >> > > >> -- > > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > >> Karl Auer (ka...@biplane.com.au) > > >> http://www.biplane.com.au/kauer > > >> http://twitter.com/kauer389 > > >> > > >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B > > >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4 > > >> > > >> > > >> > > >> > > > >
