  1. #1
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,943

    Licensing Question

    I saw this recently:
    License Management

    There is now an alert shown if you are currently exceeding your license. Also, devices beyond your seat limit still have their traffic processed as normal, however the hostname and username in the Host Table will both be "unlicensed" for devices beyond the limit.
    I'm concerned because of the way our network topology is set up. Our campus has various wifi zones. Each zone encompasses small groups of nearby buildings: anywhere from 1 to 5. Each zone has its own vlan and IP address range. A device like a smartphone, tablet, or laptop that roams around campus could end up with as many as 8 different IP addresses (rare, but 3 for the same device is common). My understanding is that, since it's the same device, this should only count against our license agreement once, but since it could have 8 IP addresses, depending on how Untangle counts things, it might count against our seat limit 8 times.

    I'm also curious how rapidly devices will be removed from the seat count after going offline. We have long lease times (8 days), so that devices will tend to keep the same set of addresses over the course of term. However, we are not using untangle for DHCP, so untangle won't see the DHCP requests when addresses change or expire anyway.

    I don't currently have a good way on campus of getting an accurate device count, as we don't require students or guests to register anywhere. Based on student counts and device-per-student estimates, I do suspect we've been running in the top 1/4 of our license tier, and I'm worried the multiple-IP address issue will push us well over that mark. For what it's worth, that will cause problem when I talk to my VP about renewal next summer... he will ask me to look at alternatives before approving an increase.
    Last edited by jcoehoorn; 10-23-2014 at 07:04 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty
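The worry in the post above is that a seat count taken per IP address inflates as a device roams between zones, and that leases outlive the devices holding them. The script below is an added example, not code from the thread or from Untangle: it takes a constructed snapshot of DHCP leases from three /21 zones (the record layout, zone names, MACs and lease times are all assumptions) and compares the per-IP count, which is what a gateway that only sees addresses can report, against a per-MAC count that treats a device as one seat, while ignoring leases that have already expired and flagging the devices that currently hold addresses in more than one zone.

```python
"""Estimate licensed seats from a multi-zone DHCP lease snapshot.

Added example; not part of the forum thread and not Untangle's own code.
Assumptions: leases are (ip, mac, expiry) tuples exported from the campus
DHCP server, each wifi zone is a /21 as described in the thread, and the
gateway counts seats by distinct IP address.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed zone layout: one /21 per wifi zone.
ZONES = {
    "zone-north": ip_network("10.10.0.0/21"),
    "zone-south": ip_network("10.10.8.0/21"),
    "zone-library": ip_network("10.10.16.0/21"),
}

# Reference time for the snapshot (constructed).
NOW = datetime(2014, 10, 23, 7, 0)

# Constructed leases, 8-day lease time as in the thread. Device ...:01 is a
# phone that roamed through all three zones and holds an address in each.
SAMPLE_LEASES = [
    ("10.10.0.15",   "aa:bb:cc:00:00:01", NOW + timedelta(days=7)),
    ("10.10.8.22",   "aa:bb:cc:00:00:01", NOW + timedelta(days=5)),
    ("10.10.16.9",   "aa:bb:cc:00:00:01", NOW + timedelta(days=2)),
    ("10.10.0.40",   "aa:bb:cc:00:00:02", NOW + timedelta(days=8)),
    ("10.10.8.41",   "aa:bb:cc:00:00:03", NOW + timedelta(days=1)),
    ("10.10.8.42",   "aa:bb:cc:00:00:03", NOW - timedelta(hours=3)),  # expired
    ("10.10.16.77",  "aa:bb:cc:00:00:04", NOW + timedelta(days=6)),
    ("10.10.0.250",  "aa:bb:cc:00:00:05", NOW - timedelta(days=1)),   # expired
]


def zone_of(ip):
    """Return the zone name whose /21 contains ip, or None if unzoned."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def seat_estimate(leases, now=NOW):
    """Compare an IP-based seat count with a device (MAC) based one.

    Only leases still valid at `now` are counted: a gateway that is not the
    DHCP server keeps seeing an address until its own host-table entry ages
    out, so expired leases are the first place the two counts drift apart.
    """
    active = [(ip, mac) for ip, mac, expiry in leases if expiry > now]

    zones_by_mac = defaultdict(set)
    for ip, mac in active:
        zones_by_mac[mac].add(zone_of(ip))

    # Devices currently holding an address in more than one zone: each of
    # these is one device but several seats when counted per IP.
    multi_zone = {mac: sorted(z) for mac, z in zones_by_mac.items() if len(z) > 1}

    return {
        "by_ip": len({ip for ip, _ in active}),
        "by_mac": len(zones_by_mac),
        "multi_zone": multi_zone,
    }


def seat_inflation(leases, now=NOW):
    """Ratio of IP-counted seats to device-counted seats (1.0 = no inflation)."""
    est = seat_estimate(leases, now)
    return est["by_ip"] / est["by_mac"] if est["by_mac"] else 0.0


if __name__ == "__main__":
    est = seat_estimate(SAMPLE_LEASES)
    print(f"seats by IP:  {est['by_ip']}")
    print(f"seats by MAC: {est['by_mac']}")
    for mac, zones in est["multi_zone"].items():
        print(f"  {mac} holds leases in {', '.join(zones)}")
    print(f"inflation factor: {seat_inflation(SAMPLE_LEASES):.2f}")
```

On the constructed sample the per-IP count is 6 while only 4 devices are actually online, because one roaming phone holds a valid lease in all three zones. Run against a real lease export, the ratio gives a defensible number to bring to a renewal conversation; the per-MAC figure is still an estimate, since a device that changes MAC (or a VM sharing a host's NIC) will be over- or under-counted.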

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498


    The sites I support that are doing what you're doing are facing one of two realities.

    1.) Buying an unlimited Untangle sub.
    2.) Swapping publicly accessible wifi zones to OpenDNS

    Because the last time I checked, the licensing was based on the IP addresses consumed. Which drives me up a wall because... well that's Sonicwall. The very reason why I started using Untangle was to get away from this crap. Fortunately there isn't any automatic enforcement, so having this conversation is possible. My actions in this regard might just be overly paranoid! It'd be nice if they were.

    Also, why the long lease times on public segments? Don't you run out of addresses?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498


    http://wiki.untangle.com/index.php/P...ensing_work.3F

    For licensing purposes, a user is defined as a pc or laptop on the network.
    Given that sentence I would assume a device is a device, not an address. But Untangle can only see addresses. So logically you're OK, but according to enforcement you aren't?

  4. #4
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,943


    Quote Originally Posted by sky-knight View Post
    Given that sentence I would assume a device is a device, not an address. But Untangle can only see addresses. So logically you're OK, but according to enforcement you aren't?
    That's what concerns me.

    Quote Originally Posted by sky-knight
    ... Also, why the long lease times on public segments? Don't you run out of addresses?
    We use long leases for two reasons.

    The first is so that I can use IP addresses for rules in untangle for policy manager, captive portal, etc, and have high confidence that the address will stick through the term. Eight days is long enough that this still holds across thanksgiving and spring break. (Also, 8 days is, or was, the default in Windows Server. We had it shorter for a while, but eventually determined that it wasn't needed.)

    The second purpose is to keep things consistent in reporting to track violations throughout the academic term based on IP address instead of username. This also makes sure enforcement is fair when investigating violations. Sketchy ads and occasionally legitimate bittorrent uses mean that even well-meaning students can accidentally show up in my logs in a big way. Only the heaviest violators are ever referred to Student Affairs (and thankfully even that is quite rare -- I have yet to make a referral this term). When a referral does happen, the first step they take is making a subjective determination on how to proceed: as a disciplinary intervention, or a more-polite "please be more careful in the future" intervention. Those two conversations go very different ways, and so we don't turn the address into a username until after the enforcement decision is made. This way justice is blind, and our student affairs office can't be accused of favoring some students over others. The decision is made solely on the merits of the activity.

    Now let's talk about wifi addressing. This is gonna be technical, but fun.

    We don't run out of addresses because the subnets in each zone are large enough to accommodate the entire student population (I'm using /21's right now). This works because even though the address space provided by the subnet is relatively large, the use of multiple zones ensures that the number of active devices currently online in a given subnet is small enough to not create problems with excessive broadcast traffic and the like.

    If you get a fancy wifi system from Cisco, Aruba, etc, they'll help you support roaming across campus on a single SSID, even on networks with 10s of thousands of devices online. In a network like this, collisions and noise from broadcast traffic are a real concern. They do this without the need for a zoned setup like I have; I'm using zones because I can't afford the big guys (I don't even have a controller).

    The way they accomplish this is by allowing you to map an entire pool of vlans to a single SSID. The pool as a whole has enough addresses to support the entire population, but each vlan within the pool is typically only a /24. When a device connects to the SSID, a central controller system handles the connection, instead of the AP. The controller assigns the connecting device to a specific vlan in the pool and tracks what APs the devices in each vlan are using. APs in turn tunnel all traffic back to and from the controller. Broadcast and multicast traffic within a vlan now only needs to be sent through APs that actually have clients in that vlan. This keeps the normal broadcast traffic from overwhelming a large wifi network. The really big players also support having multiple controllers in a cluster, so that your controller system is able to keep up with network demands.

    The architecture described above works best when individual vlans within the pool only have a small number of active devices (hence the /24's). Additionally, short lease times are used in order to expire devices as quickly as possible and keep down the number of APs that need to be included in a broadcast. That is the entire rationale for short lease times: it's all about limiting the scope of broadcast traffic in a large wifi network.

    Sometimes in small networks, where the entire network may be served by a single /24, short lease times are also used to keep relatively large numbers of guests in a short time from running you out of addresses, and to recover quickly if that does happen. For this situation, if your equipment supports it, I'd argue that longer leases and larger subnets are nearly as effective, with the benefit of keeping consistent addresses over time for your regular guests and the ability to support larger numbers of guests at once.

    Because I'm using zones instead of vlan pools, the short lease times don't help. Broadcast traffic still goes to all APs in a zone regardless. This means I can safely have longer leases. In order to support longer leases, I do need bigger subnets. The goal is still to keep the number of devices in a zone down to less than about 250, but just because I've assigned more addresses than that, it doesn't mean that many devices are ever actually online all at the same time. I do give up the ability to roam across campus on a single SSID, but the way our zones are laid out, it's really not that disruptive to us.

    Something that intrigues me is the possibility of a hybrid approach. Imagine a vlan pool scenario where instead of random vlan assignment, devices are assigned based on the initial AP, where groups of APs have "affinities" for a smaller set of vlans; each group would effectively be a "zone". As a device roams, the vlan would still roam with it: any AP could support any vlan in the larger pool. But the short lease times would limit the exposure of those vlans outside of the original zone. The advantage here is that I think this would be more effective at limiting broadcast scope, and in an education scenario would make it easier to support things like wireless printing, AppleTVs, etc., where you have consumer devices that assume everything is on the same subnet.
    Last edited by jcoehoorn; 10-23-2014 at 09:56 AM.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498


    Have you looked at unifi access points? Because they can do the central management, corporate thing but don't have the price tag attached. I've had 600 people spread over 5 access points at my largest deployment, I'm not sure how it would handle thousands.

  6. #6
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,943


    Six hundred can still fit in a single broadcast domain and be okay. I know this from experience, because a few years ago that's all we had for a campus of about 550 people, and that many people means well over that number of devices. However, the "experts" at cisco, Juniper, Aruba, etc, tend to recommend 250 or fewer. So we're right at the border: we'll be just fine most of the time. However, on a special weekend like Homecoming or our spring recruitment visit weekend, I'm happier with our broadcast domains carved up a bit.

    I have looked at ubiquiti, and I know that if push comes to shove I could just have two-four separate ubiquiti systems, but at that point I'm doing much the same thing I am now with zones. Also, at the moment I'm using APs with dual-2.4/5Ghz radios, and paying less per AP than the equivalent unifi APs. When I start doing 802.11ac APs next year, the cost parity will make unifi a real contender. At that point, I'm real tempted to try them out to do one of my existing zones.
    Last edited by jcoehoorn; 10-23-2014 at 09:57 AM.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498


    Quote Originally Posted by jcoehoorn View Post
    Six hundred can still fit in a single broadcast domain and be okay. I know this from experience, because a few years ago that's all we had for a campus of about 550 people, and that many people means well over that number of devices. However, the "experts" at cisco, Juniper, Aruba, etc, tend to recommend 250 or fewer. So we're right at the border: we'll be just fine most of the time. However, on a special weekend like Homecoming or our spring recruitment visit weekend, I'm happier with our broadcast domains carved up a bit.

    I have looked at ubiquiti, and I know that if push comes to shove I could just have two-four separate ubiquiti systems, but at that point I'm doing much the same thing I am now.
    The current release of the unifi software allows for multi-site use, which can just as easily be separate managed networks. There is also the ability to push different SSIDs across the entire network. So instead of carving things up by building, you'd simply divide the student body / faculty / grades / people into different groups and assign them a SSID that's campus wide. Basically carve your people into groups, instead of your devices into buildings.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498


    Quote Originally Posted by fasttech View Post
    According to the discussion in my post a couple of months ago and my little talk with sales, that simply is no longer the case, common sense license application is no longer the case, if they so much as see a smart switch, you pay.
    If said smart switch is going to the Internet for something, then yes you should be paying for it. It's benefiting from Untangle's filters. If you don't want it filtered, bypass it. It's not like printers / cameras / switches aren't easy to bypass.

  9. #9
    Untangle Ninja
    Join Date
    Jan 2009
    Posts
    1,186


    Too slow, I was going to adjust my statement.

    Printers, cameras, switches, they do not benefit from 'filtering', that's fluff.
    Out of something like 80 printers not one of them I have on any of the networks 'go to the internet' for anything but they certainly have an ip, so they would count against licensing.

    My clients are not relevant to Untangle, they're simply too small. Now if jcoehoorn's VP decided he didn't like the licensing and cancelled their sub for another provider, then maybe that would get their attention and they'd rethink their licensing, but frankly, I don't think that's the case.

    Like I said before, business is business, I can manage these clients with free solutions, I was just trying to do something to give back, but I won't be made to look like a fool to do so, it doesn't matter so I don't really bother to concern myself with it.

    But, saying pc and laptop strikes me as a bit disingenuous.

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,498


    If a printer has a default gateway configured, it's going online. Moreover, a great many printers these days are using Internet printing protocols and cloud integration features. These things are controlled, and protected by Web Filter and many other features of Untangle. The fact of reality is, printers are protected. Cameras are no different. And if you've got a list of devices that shouldn't ever see the Internet, just make a filter rule for them preventing access. Basic security guidelines direct you to do this, and this will prevent them from being counted in the host table too. And for small environments, like the stuff we're both used to working with, this type of thing is trivially easy. Annoying? Yes. Patronizing? Yes. But easy.

    But I do agree, there are issues here. Untangle is enforcing a per device licensing model, when everything else is going per user. BYOD is burying networks, and Untangle's response is buy a site license? Not a single 1500+ user license has ever been sold to my knowledge. Note, I'm not talking about the education version, I'm talking about the full commercial version. And why would it sell? Who's going to pay $20,000 on Untangle just because some smart phones attach to a wifi? And smart phones actually benefit visibly!

    That's why all my public wifi segments are slowly being bypassed, and the DHCP servers modified to pass out OpenDNS. Which Untangle better stand up and take notice of, because OpenDNS Umbrella is freaking awesome. And it works regardless of client location and what network it's attached to. Granted, it's an apples to orange comparison, but given the cost of it per device Untangle is in a price noncompetitive place in several key market segments. But, that's life. No product is perfect, deploy what makes sense to deploy. That's our job is it not?
