Cisco, Ruckus, Meraki, Unifi, Aerohive...?

joblo37pam

This thread got me thinking about wireless solutions. In particular, we have a decent sized client that is due for an upgrade (hopefully later this year) and I'm not 100% sure what to recommend. We deal mostly with Unifi for our other clients, but they are mostly smaller and don't heavily rely on wireless for productivity. It works great, but I have read enough threads about its quirks in an enterprise environment to shy away for a bigger project like this. If we're going to make a recommendation, I'd like to hear some real world opinions as well as get my hands on some of the equipment with plenty of time to test.

The client in question is a small school district (Maximum of 150 wireless connections simultaneously). They started a 1 to 1 initiative about 9 years ago. At that point, we installed a Cisco 4400 controller and 25 1131 APs as options were much more limited for that type of a deployment then and it's hard to go wrong with Cisco. There are tons of 'good' options out there now that all sound good on paper and could be cheaper than more Cisco equipment, but I'm more interested in input from people that have actually used multiple solutions and can give some opinions of what they liked and didn't.

I would prefer to stick to local controller/management with no recurring subscription fees, but I am open to other options if there is enough justification for it. We just contract for this school, so we need something that 'just works' without us needing to babysit.

What says the [H]?
 
All of the above listed products, if you go with their enterprise systems, are fairly solid. Now others have had varying mileage with some brands over others. Personally I say go with the UniFi as UBNT has a good track record with number of clients associated with each access point and not choking.

Two other brands that were not mentioned in your OP are Xirrus and Aruba. Xirrus I find somewhat enjoyable due to the distributed nature of the controller across all of the APs on your network, and upgrade ability of the individual nodes by swapping out the radio (if you purchase the appropriate units)

Also depending on the district, this year the federal ERate program has been vastly expanded to the tune of about $6.5 billion for wireless deployments if I recall correctly from my ERate webinar.
 
Check the UniFi Stories page, http://community.ubnt.com/t5/UniFi-Stories/con-p/UniFi_Stories, I was reading about a school district upgrading their systems today. Now I can't find the story to link it directly, but he was dealing with multiple buildings across a town and all controlled by a single cloud controller. It was a nice write up.

You could contact some people about their stories and get more info from IT/IS people in Education markets.
 
I handle a large Aerohive deployment in the education sector. You can PM me if you have specific product questions.
 
I stick to Cisco 2702i and 5508 WLC, we have some clients that use Meraki but I don't really care for it as much. I use Unifi at my house and like it, but the fact it doesn't use standard power keeps me from trying it on my networks.
 
I stick to Cisco 2702i and 5508 WLC, we have some clients that use Meraki but I don't really care for it as much. I use Unifi at my house and like it, but the fact it doesn't use standard power keeps me from trying it on my networks.

Ubiquiti's higher end APs are standards compatible. The Pro is 802.3af, and the Unifi AC is 802.3at compliant. The normal AP and LR AP run a proprietary PoE implementation and need special injectors/a special Ubiquiti PoE switch. In a large installation this could possibly be a concern, however if this business is really WiFi dependent and they are overhauling now, I'd imagine they'd want the 5 GHz spectrum which limits you to the higher end UniFi APs anyways, making it a moot point. If you were considering the lower end options then I'd be concerned about installation size.
 
I'm actually a little surprised to see the Ubiquiti love here. I think the basic and lr aps are great for small installations, but all I've heard about the higher end stuff is that it is buggy and not 'up to par' for enterprise installations. I'm glad to hear that's not entirely true, especially since I could set them up for half the price of the Cisco equipment I had been leaning toward. I wish they had a better system for mounting to a suspended ceiling grid, though.

So instead of narrowing down the choices, we've added to them. It's good that there are so many options, but it's not making the decision any easier....keep the recommendations coming, I think this is a good discussion that we can all benefit from.

Edit: In response to the POE questions above - this particular client has a couple Cisco POE switches (not sure of the model off the top of my head) in different closets powering the majority of the access points. There are 2 or 3 running from another closet that are using injectors. If we can keep using those switches I'm sure are only 802.3af that would be great, but in the case of the UBNT gear, we could replace the switches and still save money over the Cisco gear. Money isn't everything though, we need a solid solution.
 
Higher ED (comm college) here. Did a "cookoff" about a year ago between Aruba, Cisco, and Xirrus to replace a Meru system.

Xirrus was written off immediately for sending an incompetent sales team to POC their product to us. Beyond that, they had no customers in the area for us to speak to. The few higher ED references they did give were very "meh" about the performance of the product in high density environments.

Cisco came in with both Cisco and Meraki products. There was nothing particularly wow'ing about the products, but they appeared to be extremely stable and none of the K12s or EDUs in the area using their products really had anything bad to say about them. Where Cisco really shot themselves in the foot was ISE...

Aruba was the only company that had AC capable devices ready to sell at the time. Beyond that, ClearPass is the greatest thing ever. I started off using it to do the standard stuff like wireless 802.1X dropping people into specific VLANs based on credentials, guest self-reg for all of the silly events we host, and a basic web-auth w/ mac-caching for our students with older devices. Now it's grown into handling TACACS to all of our switching infrastructure (Cisco, Enterasys, and various other appliances that support it), wired 802.1X, and SSO auths that are devs tied into student forms. Super robust product, and a definite selling point. AppRF (DPI) is also great - I can curb torrents and throttle Facebook at the WLAN controller before they traverse our entire wired network to the McAfee box (that may or may not feel like doing its job that particular day).

We have 5 7220s with around 1200 AP220 series devices deployed. They work, and they work well. I pop into AirWave everyday to gather metrics, but aside from that, the system handles itself.

That was probably more rant than you really needed. If you've got any questions, feel free to toss me a PM.
 
i have a deployment of ~40 APs in 18 locations, unifi, managed by a central linux server

can't say i have any problems with them...

maybe i'll go out for priority 2 erate next year and upgrade everything to AC/pros in the whole company... we're 90% eligible... nothing like paying $27 for a $270 AP

the question is, is it worth the trouble... i had $43k in switches i needed to purchase, but ended up finding off lease gig poe nortel switches for a song, and $2000 later i had all the switches i needed....
 
I can curb torrents and throttle Facebook at the WLAN controller before they traverse our entire wired network to the McAfee box (that may or may not feel like doing its job that particular day).

This brings up another point - Are there any products that can do filtering/QOS by OU? This school has a state-issued and managed Fortinet firewall. It works ok at filtering, but doesn't offer prioritization. If we could offer prioritization based on 802.1x authentication, it could help them use their limited bandwidth more efficiently. I've never heard of this feature from a product, but I've never gone looking for it, either.
 
I'm actually a little surprised to see the Ubiquiti love here. I think the basic and lr aps are great for small installations, but all I've heard about the higher end stuff is that it is buggy and not 'up to par' for enterprise installations. I'm glad to hear that's not entirely true, especially since I could set them up for half the price of the Cisco equipment I had been leaning toward. I wish they had a better system for mounting to a suspended ceiling grid, though.

So instead of narrowing down the choices, we've added to them. It's good that there are so many options, but it's not making the decision any easier....keep the recommendations coming, I think this is a good discussion that we can all benefit from.

Edit: In response to the POE questions above - this particular client has a couple Cisco POE switches (not sure of the model off the top of my head) in different closets powering the majority of the access points. There are 2 or 3 running from another closet that are using injectors. If we can keep using those switches I'm sure are only 802.3af that would be great, but in the case of the UBNT gear, we could replace the switches and still save money over the Cisco gear. Money isn't everything though, we need a solid solution.


As of Firmware 3.2.10 the pro model is basically bug free. The AC model has 2 known bugs and 3 possible bugs left.

Issues do still exist on the controller or across the entire line, but your point was specific to the higher end Unifi's so that was what I was comparing against.
 
This brings up another point - Are there any products that can do filtering/QOS by OU? This school has a state-issued and managed Fortinet firewall. It works ok at filtering, but doesn't offer prioritization. If we could offer prioritization based on 802.1x authentication, it could help them use their limited bandwidth more efficiently. I've never heard of this feature from a product, but I've never gone looking for it, either.

I can tell you that the UniFi Controller software allows you to limit based on classification directly at the WiFi access point. Here's a screenshot of our two profiles. We have authorized devices marked as privileged, with everything (guests, employee devices) else Defaulted and limited.

[Screenshot: 9XhpvWr.png]
 
This brings up another point - Are there any products that can do filtering/QOS by OU? This school has a state-issued and managed Fortinet firewall. It works ok at filtering, but doesn't offer prioritization. If we could offer prioritization based on 802.1x authentication, it could help them use their limited bandwidth more efficiently. I've never heard of this feature from a product, but I've never gone looking for it, either.

I've seen this done using different SSIDs. Basically, the faculty get the password to a "Staff" SSID, and the students just use the open guest network.
 
I've seen the bandwidth limits in the Unifi software and the current Cisco controller has something similar, but setting limits isn't exactly what I was hoping for. For instance, if a teacher wants to show a youtube/etc clip during a lesson to a whole class full of students, I want that traffic to have priority over a single student in study hall, even if that student is watching the same clip from the same source. Of course, ideally, there would be enough bandwidth for everyone to do what they need at any time, but that's not realistic in this case. The prioritization by SSID idea could work, but I would prefer it to be a little smarter than just setting a cap that would affect the students at all times, not just when the pipe is full.
 
I've seen the bandwidth limits in the Unifi software and the current Cisco controller has something similar, but setting limits isn't exactly what I was hoping for. For instance, if a teacher wants to show a youtube/etc clip during a lesson to a whole class full of students, I want that traffic to have priority over a single student in study hall, even if that student is watching the same clip from the same source. Of course, ideally, there would be enough bandwidth for everyone to do what they need at any time, but that's not realistic in this case. The prioritization by SSID idea could work, but I would prefer it to be a little smarter than just setting a cap that would affect the students at all times, not just when the pipe is full.

i would think you would have to do that at the router end, because how does your AP know when your pipe is full
 
i would think you would have to do that at the router end, because how does your AP know when your pipe is full

It wouldn't, but I'm not really expecting it to, either. I did say the 'pipe', but I was really just referring to wireless throughput. The state controls the router/firewall, so options are fairly limited there. I suppose a transparent bridge of some sort would be possible to do the prioritization, though...
 
I've seen the bandwidth limits in the Unifi software and the current Cisco controller has something similar, but setting limits isn't exactly what I was hoping for. For instance, if a teacher wants to show a youtube/etc clip during a lesson to a whole class full of students, I want that traffic to have priority over a single student in study hall, even if that student is watching the same clip from the same source. Of course, ideally, there would be enough bandwidth for everyone to do what they need at any time, but that's not realistic in this case. The prioritization by SSID idea could work, but I would prefer it to be a little smarter than just setting a cap that would affect the students at all times, not just when the pipe is full.

Look into Aruba's ClearPass. You can use it with other vendors' hardware but with some limitations. From what you describe as your needs, that even Cisco's software management you can tie into their network may not be what you need.
 
Aruba is another one that I have only heard grumblings about. For instance, the thread that I linked in the OP has a couple people saying they have only had problems with Aruba. The features look great on paper (I can't find much info on clearpass), but if they don't perform in real life... I take it your experience has been better?
 
This brings up another point - Are there any products that can do filtering/QOS by OU? This school has a state-issued and managed Fortinet firewall. It works ok at filtering, but doesn't offer prioritization. If we could offer prioritization based on 802.1x authentication, it could help them use their limited bandwidth more efficiently. I've never heard of this feature from a product, but I've never gone looking for it, either.

The fortigates can actually do it no problem, using FSSO and any of the 5.0 firmware.
 
I can tell you that the UniFi Controller software allows you to limit based on classification directly at the WiFi access point. Here's a screenshot of our two profiles. We have authorized devices marked as privileged, with everything (guests, employee devices) else Defaulted and limited.

[Screenshot: 9XhpvWr.png]

Aerohive does full L7 inspection and prioritization per application and can also do other prioritization based on radius attributes if need be.
 
The Unifi Pro works flawlessly. Have 4 of them here at work (with another 7 "normal" AP's and two outdoor units).

The Pro's (IMO) are the best of the units. They reboot the fastest, and can handle a TON of clients without any noticeable decrease in performance. We have 40+ clients connected at times (to a single Pro AP) and have NEVER had a complaint on speed issues.
 
I have managed large Cisco and Aruba deployments. In terms of radio quality, and overall stability, Aruba was a nightmare.

The Cisco stuff is a PITA to manage compared to competitors and is expensive. I've deployed hundreds of 2600 and 3600 series AP's and while I love the hardware, it gets tiresome.

We are now looking pretty hard at Meraki. I have a UBNT Enterprise at home for testing - it's not bad, but I'm not completely sold either.
 
The fortigates can actually do it no problem, using FSSO and any of the 5.0 firmware.

All that we have access to is filtering rules and SSL VPN. I can talk to the state to see if they can accommodate, though. Worst they can do is say no.
 
Aerohive does full L7 inspection and prioritization per application and can also do other prioritization based on radius attributes if need be.

That's good to know. I'll have to look at them a little harder. Of course, if we can get the state to do the prioritization at the edge, it wouldn't be needed at the wireless controller level.
 
Meh, to each their own I suppose.

I manage thousands of Cisco APs (~30 controllers), Cisco Prime Infrastructure and Cisco ISE. The issues are slim to none. I completely disagree with it being difficult to manage.

I cringe at the thought of using ubiquiti in a complex environment.
 
That's good to know. I'll have to look at them a little harder. Of course, if we can get the state to do the prioritization at the edge, it wouldn't be needed at the wireless controller level.

Fortunately Aerohive doesn't use a controller, so the clients hit the network directly at the edge instead of being tunneled back to a controller.
 
You mentioned Ruckus, but no one else did.

Ruckus has all the same management features as the larger companies out there, but they started a little smaller, so their controller is really easy to use. You can easily set up a network in as much time as it takes you to unbox all the parts.

Ruckus also realized early on that RF was the key factor and they have a bunch of patents on antennas and such. If you compare actual performance between APs you'll find that Ruckus beats them all, in some cases their 2x2 AP is as fast as other 3x3 APs.
 
Ruckus also realized early on that RF was the key factor and they have a bunch of patents on antennas and such. If you compare actual performance between APs you'll find that Ruckus beats them all, in some cases their 2x2 AP is as fast as other 3x3 APs.

I agree with you on the first bit, but this last bit sounds like marketing BS. Better antennas and firmware can reduce latency and increase range (somewhat, 99% of the time range, latency, and speed are going to be limited by the horrid radio in the client), but it's not going to give you a performance jump anywhere close to adding another chain.
 
I can't seem to find solid info on Meraki's subscription pricing. Can anyone list what those typically are, with discounts?
 
$50-$70 per year per AP. Of course you get large discounts if you buy in bulk or get a sweet deal from Cisco when you bundle with switches. I did a price comparison one time, and figured out in 90% of my sites Meraki is more expensive than buying a controller with some 2702i's if the site has more than 50 APs. That was without any special discounts on the Meraki end of course.
 