UDM - only for AP management?

The time has come around again and Mr Cisco wants his money for Meraki licenses. I’ve been looking into options to replace our Meraki APs with Unifi U6 Plus and U6 Pros, but as we have 55 APs across 22 sites, the adoption and management has raised a few questions.

These sites all connect back to a DC and due to the CloudKey Gen2 being limited to 30ish devices, I’m considering deploying a UDM Pro Max to provide us headroom to grow. All the sites have VPN tunnels back to the DC to make use of the centralised Firewall.

It seems that with DHCP Option 43 or SSH with set-inform being set, the UDM should be able to adopt the APs.

We already have firewalls and routing is taken care of via other means. DHCP is also taken care of, although in time this could migrate to the UDM.

…is there any issue with me only using it for this limited purpose? I don’t need the gateway, DHCP, firewall or Protect functions of the UDM. I just want to centrally manage the APs. Oh…and not pay Mr Cisco…

Thanks for any feedback.

If it were me I would stand up a Ubuntu server and install the UniFi controller on it, since you already have the infrastructure in place for all the sites to talk back to the central location. Then you can deploy all the APs you want.


Agree, and specifically use the Easy Install Script which is managed by a Ubiquiti employee (AmazedMender16/glennr and UI-Glenn are the same): https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776

Thank you both for your replies.

Unfortunately we are looking to remove our servers from the DC and move everything to the cloud. With the exception of one small application that is sat on a pair of DL380s…we are almost there. However, I want to retain the centralised management of our network estate, hence retaining the connections back to the DC and the centralised firewall. If Unifi had a single management interface for multiple, distributed firewalls…then I may change the design, but our key cost driver is simplicity and operational efficiency.

In this case, the logic being that the UDM is nothing more than an appliance with comparatively little overhead.

I assume that if a self hosted Unifi controller would work, then the UDM shouldn’t have an issue.

Once again, thanks for the input.

Stand up a Linux server in the same cloud where your other stuff is going? Even a Hyper-V off of one of the domain controllers would probably be OK.

It’s AzureAD, so no domain controllers…but it’s a thought.

Not even RODC on prem? Yikes, what happens when you lose internet? Asking because we had this happen and were without internet services for 2 days while it was getting fixed. They immediately brought some of the services back onprem. Cloud only gives me a headache, but I understand some of the ways it can give you better flexibility.

We’re still served by a single provider, but they think bringing in a fiber on each end of campus is enough. I’m sure a few miles down the road everything merges so we are still just one drunk hitting a pole away from no service again. Our network guy isn’t enthused by this decision. We both think even a business class cable account would make a good backup to at least keep the phones working.

To answer your starting question, no, there’s no issue with using one of those in that way, but it is going to have a certain amount of jank/workarounds inherent in using a device intended for managing its local LAN only for devices all over the place.

Regarding your other point about potentially moving DHCP to the UDM - no, never. Unifi gateways have no function for DHCP that isn’t directly connected to their LANs - you can’t use it as the target for DHCP relay, and they have no tunnel-to-controller option.

Hi Greg,

The login credentials are cached locally on the machines if there isn’t any internet access, but that’s rare, so users can still log in to their devices. Most sites that have a retail point of presence also have a 5G (LTE) backup. These typically offer about 180Mbps, which is often faster than the main link, but far less predictable. You only need a small traffic jam in the local area and that will plummet to almost nothing while folks are calling home with excuses for being late.

Failover to this is managed by the Firebricks: if they can’t see the DC, they fail over and DHCP is then provided by the 5G (LTE) router with limited firewall capabilities. Not ideal, but it works.

Smaller sites (free-to-enter museums) wouldn’t have the backup but as it’s free to enter, it’s not like we are losing much.

You’re correct about the fibre and single points of failure. In a previous life, we would make sure fibre and power to the DCs came from different physical routes and providers.

Thanks for confirming.

I should have mentioned earlier that the VPN tunnels are L2, hence why Option 43 can work across the sites without any relays. All DHCP requests are sent over to the DC and one of the DL380s responds. In time I would like to decommission the two servers and was hoping the UDM could also cover that function. It wouldn’t be cost effective to have a UDM in each site.
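The two adoption paths mentioned in the thread (DHCP Option 43 and SSH `set-inform`) both come down to telling the AP the controller's address. As an added example, not code from the thread or from Ubiquiti, here is a small encoder/decoder for the UniFi Option 43 vendor sub-option (type 1, length 4, controller IPv4) and the matching inform URL; the controller address 192.168.1.2 is a constructed placeholder, and the decoder rejects truncated or mis-sized data rather than returning a bogus controller address.

```python
import ipaddress

# UniFi devices read vendor sub-option 1 of DHCP Option 43: a 4-byte IPv4 address of the controller.
UNIFI_SUBOPTION = 0x01


def encode_option43(controller_ip: str) -> bytes:
    """Build the raw Option 43 value: type(1) + length(4) + controller IPv4 in network order."""
    packed = ipaddress.IPv4Address(controller_ip).packed  # raises ValueError on a malformed address
    return bytes([UNIFI_SUBOPTION, len(packed)]) + packed


def option43_hex(controller_ip: str) -> str:
    """Colon-separated hex, the form many DHCP server UIs ask for (e.g. 01:04:c0:a8:01:02)."""
    return ":".join(f"{b:02x}" for b in encode_option43(controller_ip))


def decode_option43(raw: bytes) -> str:
    """Walk the TLV list an AP receives and return the controller IP from sub-option 1.

    Other vendor sub-options are skipped; truncated data or a wrong length is rejected
    instead of silently yielding a wrong controller address.
    """
    i = 0
    while i + 2 <= len(raw):
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated Option 43 sub-option")
        if code == UNIFI_SUBOPTION:
            if length != 4:
                raise ValueError("UniFi sub-option must carry a 4-byte IPv4 address")
            return str(ipaddress.IPv4Address(value))
        i += 2 + length
    raise ValueError("no UniFi sub-option 1 in Option 43")


def set_inform_url(controller_ip: str) -> str:
    """Equivalent manual adoption target for `set-inform` over SSH (controller inform port 8080)."""
    return f"http://{ipaddress.IPv4Address(controller_ip)}:8080/inform"


if __name__ == "__main__":
    # Constructed example: a controller at 192.168.1.2 in the DC (not an address from the thread).
    ctl = "192.168.1.2"
    raw = encode_option43(ctl)
    print(option43_hex(ctl))                      # 01:04:c0:a8:01:02
    print(decode_option43(b"\x02\x03abc" + raw))  # another sub-option first; still 192.168.1.2
    print(set_inform_url(ctl))                    # http://192.168.1.2:8080/inform
```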

If you are moving your infrastructure to the cloud there is a cloud option to run your UniFi controller.