Hello All,
This is really a discussion on the usefulness of the XA1480 as a way to securely access the fabric from the Internet. The idea is great. We sometimes need to set up a temporary site with a few network devices/users, and the XA is great for connecting to our fabric using Internet/IPSEC without needing to set up a firewall site-to-site VPN or get a WAN link from our ISP. It can also be a good way to set up a remote LAB for someone working from home in a pandemic situation, for example... However, there are a few holes in the setup.
1- The XA struggles with DHCP. Its DHCP setup is very limited, and even with the new DHCP feature added, it can really only get the IP once and then expects that the IP stays static going forward. Although it is possible, when getting an Internet link from an ISP, to ask for a static one, it's limiting. Once you ship those to a site, you wouldn't want to console/touch those devices, and you expect them to just work plug and play for the remote user.
2- The XA has a few ports to use at a remote site, but since it is a remote site, we think security is very important, because remote sites have less physical security and are harder to monitor. But sadly, the XA doesn't support NAC (802.1x) to make sure whoever plugs into those is legit (or an approved IT device). Yes, I can add a small EXOS switch to do the NAC, but the uplink port still becomes an issue where someone can unplug it and just connect a PC to gain access to the network, and of course there is also the added setup/cost and complexity for the new EXOS switch.
3- The Receivers - currently this can be another XA, a VSP 7400 or I think a VSP 4900. For something like this, where it's receiving IPSEC tunnels from the Internet, you wouldn't want to keep this on your core, where I usually have my VSP 7400s... likely you would put this in a DMZ zone. However, why would I buy a VSP 7400 power horse just to run a VM to receive IPSEC? A VSP 4900 might be a better choice, or another XA, but honestly, I really think Extreme should consider a virtual machine that is easily added into an existing DMZ VM farm. You can charge a license for it. It just makes more sense.
Just thought I would put in my comments here to make this a lot more usable.
Thanks,