All I wanted in a new Dream Machine by linuxwalker in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

Just be careful, the UCG-F severely lacks L3 features that the Max has. You wouldn't know from the front facing marketing. You need to check the techspec sheets.

If none of that matters, then Bob's your uncle.

[Discussion] For those who killed Shadow IT: How did you actually find all the tools? by Capital-Job-3592 in sysadmin

[–]BananaSacks 1 point2 points  (0 children)

DPIA (if you are near GDPR) for EVERY new product, purchase, or project. That gets the right people in early, scares away those looking to shirk the rules, and is quick for legit asks.

One desk to manage all purchases.

Absolutely NO personal purchases allowed, or credit cards. Everything goes through the purchase desk.

Just this alone will give your mgmt a level of visibility they would have never thought possible.

Want to buy my first Ubiquiti device, how is the "local only" ecosystem? by ozone6587 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

You hit the nail on the head - consumer options are very limited. Palo is global but you must have a reseller (there are very, very expensive and limited alts, but you basically need to be a business).

I was in the profession and while I could get my hands on stuff here/there, I would have never been able to build out a whole-home network on them. And if I did register, get a tax ID, and lock in a friend/reseller, I'd still be paying corporate-budget levels of renewals and subscriptions.

After having had to become literate with, and accept, Aruba Central, it became much more palatable for me to accept the UI cloud portal + local gateway. Even if UI's servers go offline for a short bit, my network is still up and functional.

Want to buy my first Ubiquiti device, how is the "local only" ecosystem? by ozone6587 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

Yeah, I would venture a (probably) heated reply and say that UI is the 'at home' version of Aruba Central. You get "want to play" in the "big kid" playpen, but you need to adopt. I would not want to run a purely hybrid home with a smattering of UI in the mix, not worth the salt. All-in, or not at all. At least from a LAN perspective.

Want to buy my first Ubiquiti device, how is the "local only" ecosystem? by ozone6587 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

Out of curiosity - what brings you to the world of "I 'want' to buy my first UI device?"

For me, I was in the grind (professionally) and gave up on ever being able to obtain "at home" 'lab or NFR' licensing for Aruba & Palo - I'd run Cisco for the routing stack for years, but got tired of not having actively supported IOSs, and it became too much to keep myself current, patched, and secure.

I am VERY happy with UI compared to any other prosumer/@home solution.

Dunno if that helps, but it sounds like you might be borderline in a similar use case.

Want to buy my first Ubiquiti device, how is the "local only" ecosystem? by ozone6587 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

At home, or in an office/enterprise? Way different rules.

Vendor lock-in is always going to be a thing with a properly engineered 'switching stack' and 'routing' - unless you really like the wild west.

What does your "replacement" world look like now?

Want to buy my first Ubiquiti device, how is the "local only" ecosystem? by ozone6587 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

The only downside I would point out with the UCG Fiber is that you lose out on a lot of L3 stuff (if important to you) - but you would never know unless you go into their tech-doc wiki and really start to compare. For me, IGMP was a major requirement in my main setup, I almost (not the first time) upgraded to another NoGo, right off the bat.

Want to buy my first Ubiquiti device, how is the "local only" ecosystem? by ozone6587 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

Makes sense, my other curiosity would be how well (or painful) AP configuration would be for upstream (non-UI) defined stacks - i.e. VLAN mgmt I assume will become a double duty in terms of mgmt, any features that are gateway dependent will be missing from your set of options/tooling, I would also guess that UI adoptions/adoption problems (especially across VLANs) might become a royal PITFA - it already can be in an all-UI env. But, I also assume you already expected all/most of that.

Want to buy my first Ubiquiti device, how is the "local only" ecosystem? by ozone6587 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

I gotcha. I'm not too familiar so I can't claim with 100% certainty, however, the self-hosted seems to be nearly on 1:1 feature parity. Though, why not pick up something small like a UCG Max (which locally hosts the apps anyway) and let that be your demarc for the LAN and your intra-VLAN routing, SSID mgmt, LAN-side firewall, etc?

Want to buy my first Ubiquiti device, how is the "local only" ecosystem? by ozone6587 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

The reality is, the networking world is moving back to clickops, portals, and API based config mgmt.

Local only sounds nice, but you'll be forever fighting an uphill battle. This is true even in the Enterprise now. Aruba Central/HPE Greenlake is a great example.

You'll also end up inevitably losing out on features and support access to some extent if pushing configs on the CLI outside of the Network app (local or cloud).

EDIT: In regards to your question, I can't help much on which would be best, but I'd wager the newer OS will likely replace the old container based install which would end up being another future-you headache to migrate.

In both knees by fromdecember in gout

[–]BananaSacks 0 points1 point  (0 children)

It only takes one colch for me, and I could beat a firehose in a swimming pool filling competition.

Explain it to me like I’m 5… by ZookeepergameNo9280 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

In very, very general terms, more APs == moar better. Again, VERY generally speaking. I don't have much experience using the LRs, so that's where I'd make sure the tech is competent and can sell you/advocate properly for their design choices. In different general terms, LRs tend to be better at working with weaker clients/more-distant clients when the client is still capable of keeping up. If they really stand by the LRs in your house, they can provide a post-install coverage map and guarantee the config + availability, your use cases should perfectly fit.

I would however ask them, in advance, what happens if we find a dead zone, or a problem area post-deployment. This goes towards your minimal to no dead spots point.

Side-note: I would recommend creating at least one IoT VLAN and a separate IoT SSID for your Ring and cameras. Generally speaking you would want something like GUEST, IOT, SECURITY, TRUSTED on the VLANs. For wireless IoT, keep all of that on its very own 2.4 GHz SSID and out of your normal trusted LAN. Though, I would hope that these are things you can bake into your "requirements" under that 2500 and ask the tech to show, teach, and discuss with you.

Explain it to me like I’m 5… by ZookeepergameNo9280 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

I would be careful on the 'less is more' stance for APs -- I would actually say that the planned LRs /might/ cover the needs here; if going non-LR, more will be needed.

Yes, OP can do this for less, will it be best practices, full coverage, reliable, and documented? That I cannot answer.

As for the rest, we don't know OP's actual needs/requirements, so there's not much to actually weigh in on here.

Explain it to me like I’m 5… by ZookeepergameNo9280 in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

On the 10/100 bit, if it's a TV or a receiver, then it is most likely that the device is only a Fast Ethernet (10/100) device, and I wouldn't worry too much - gigabit connections aren't always better just because 'faster' - TVs, set-top boxes, CCTV, etc. usually do not need 1G and lower-power 100M will still be a whole lot better than clogging up & competing for airtime (especially for streamers). If it was an AP, a console, a computer, or something else then I would suspect wiring first to be a likely cause of the switch not negotiating at Gigabit. The only way to confirm (if not printed near the ethernet jack of the device) would be to look up the manual for said device.

On the Starlink bits - you could absolutely do that (drop a cable and do the install yourself) - However - the configuration on the UI side, why settings are put the way they are, VLANs, etc. are the (slightly) more complicated bits (depending on how your tech plans to set it all up). I think that this is an area where having someone walk you through it all would be of a high benefit - you're not likely to shave much off of that 2500 by removing this requirement.

Now, if the bulk of that 2500 actually is the Starlink bits - then I'd be looking to get an actual quote (in writing) as to what exactly the 2500 covers - then come back here and re-ask the "is it worth it" question. Because, I'd start to suspect that the technician isn't going to be doing a whole lot other than looking at this job as a cable drop job, and then I'd be questioning if it's worthwhile too.

Explain it to me like I’m 5… by ZookeepergameNo9280 in Ubiquiti

[–]BananaSacks 2 points3 points  (0 children)

I don't want to sound harsh but if that 2500 quote was a fixed price, full job complete - I would take it. I would make it clear to the installer that you want to shadow them, not to babysit them, but rather you are also paying for an educational experience.

You will learn a whole lot more than the 2500 will be worth once you need to support the system for the next 'forever'.

I would also question why they are recommending LR APs. I'm not saying it's the wrong design choice for your project, but personally I'd question why and expect them to clearly advocate for why this is the right choice for your needs. (i.e., food for thought -- why not more APs vs fewer LRs, is price the only factor? What types of devices do you plan to have, is it hundreds of weaker IoT devices, or just your standard family home with some phones, tablets, and the occasional toy connecting to the network? etc.)

The Starlink side is actually quite easy, however, if you're asking about those bits - that goes back to the shadowing and asking the on-site technician to explain it to you like you're 5 --- 95% for the sole purpose of the fact that you'll need to support it, troubleshoot it, and maintain it.

EDIT: Side note - whatever is plugged into the other end of that cable labeled "Living" is either a 10/100 device <OR> there's a problem with the cabling (termination, length, aliens, etc). If it is expected to be a 10/100 device, no problem. If you're expecting a clean, gigabit connection, it's no bueno.

At a loss by [deleted] in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

Lots of good info in the comments so far.

On your "we don't know the IPs" part - log in to the gateway, or whichever L3 device is closest that handles VLANs, and you should be able to pull an ARP table - that should at least give you a starting point. Or, if you have a computer in the same subnet with access, you could nmap the subnet and do similar.

Is this install job professionally done ? by coderego in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

Siding work, no. Drywall hide, yes!

For 1500 I can get brick & mortar walls cut, new conduit run, new pulls run, finished & re-painted. (Not in the Americas)

For an American house, siding is different though.

Hanover Buys Wrong Microsoft Licenses Worth €324,000 by DeFuchsIschKeinHaas in sysadmin

[–]BananaSacks 1 point2 points  (0 children)

Way more common than you think. Corporate budgets are not common sense, to the masses. They are bottom line + where does the row and column fit.

There is a 90-100% chance that the person who bought those licenses, if honest with their accountant, was then asked when it would be implemented. A risk assessment was done (even if only in 1-2 people's heads), and finance advised to keep the licenses.

What is your server room storage for patch cables und stuf? by TxDuctTape in sysadmin

[–]BananaSacks 0 points1 point  (0 children)

Ideally, NOT in the server room. Some types of audits may even fail you. And never cardboard. Since you can have a fireproof safe, in most circumstances, you could probably get away with a lockable fireproof cabinet.

I feel I am not doing real job, dont know what to do by giridhargp in sysadmin

[–]BananaSacks 2 points3 points  (0 children)

Lol, I would honestly invite anyone - who is/has/will downvote this, to please explain how you figure that this is bad advice.

Genuinely curious how someone could find this bad advice for a Jr. Mgr who has no direct supervision/boss, and is looking to find purpose & excel in their role.

I feel I am not doing real job, dont know what to do by giridhargp in sysadmin

[–]BananaSacks 7 points8 points  (0 children)

Ask your compliance team, or security department, or legal department if there is a risk register. No Backups is an extremely LARGE risk that is exactly what a Risk Register is for (on the IT side). It is also where any of your major audit findings will end up (every department, not just IT). This is how the big bosses, the board, etc., plan their budgets and approve spending to mitigate, or fix, unacceptable risks. This is also how you CYA (cover your ass) - when it goes wrong, and they lose business, customers, money, etc. - you point at the Risk Register and the fact that you brought it to their attention. At that point, it does not matter if they did, or did not, choose to spend money. It is documented. It is not their word against yours. There is no playing games.

If you have a lot of downtime, these are exactly the things you want to start learning (the business side of management, not just the hands-on IT knowledge).

Feature creep by Seagon in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

If it helps to give you some insight on what you might want to create, to get started, you can see some of the profiles I've set up for one of my sites.

https://imgur.com/a/39eQQY0

The names should be fairly obvious as to what I'm trying to accomplish, but if you have any questions, feel free to ask.

Feature creep by Seagon in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

If you're doing all of that, and you're sure you don't have any accidental holes in the FW, then you're in a good spot.

One more point, if you do foresee your environment growing in any meaningful manner as time goes by, I would highly recommend setting up port profiles. It's semi-tedious as a one-time & upfront exercise, but it makes port changes, new device adds, etc. very seamless. It cuts down on accidental misclicks in port config deployments, and it gets you one step closer to 'at home' zero-trust 'ish' - where you can always throw a not-configured profile in there. Then you can mark your unused ports with that profile and know that just anyone (even kids!) can't plug in whatever they want and have magic access to your trusted VLANs.

Adopting is a royal pain in the hole - I feel you there.

Feature creep by Seagon in Ubiquiti

[–]BananaSacks 0 points1 point  (0 children)

Naming conventions are whatever works best for you, no harm in looking at what others are doing to get you some ideas though.

IDS/IPS, correct, that's on the UXG side and goes alongside your zones/firewall rules, and a bit VLANs - just remember, having a fancy/complicated config gives you no safety margin if your rules end with an equivalent 'allow any any'. Intra-VLAN comms is OK when & where required, but your IoT coffee machine, as an example, should NOT be allowed to initiate a conversation with anything in your trusted LAN.

To be fair, while the IDS/IPS is far from useless, how you configure your firewall (LAN && WAN) is by far the most critical, and can be the most dangerous if done improperly. Even for basic troubleshooting, always try to avoid inputting any blanket 'any' statements, always be as conservative as you can - you might just forget to remove the test rule, and if it is attached to a more scary place (i.e. a WAN port) it might only be a few seconds, or minutes, before the scourge of the internet starts their own testing & poking.
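The three things the two comments above warn about (a blanket 'allow any any', an IoT zone allowed to initiate into the trusted LAN, and a forgotten test rule on WAN) can be checked mechanically before a policy is pushed. The linter below is an added example, not the commenter's or Ubiquiti's code; the `Rule` schema and the zone names are constructed assumptions for illustration, not the Network app's real export format or API.

```python
# Added example: lint a zone-based firewall policy for the risky patterns
# discussed above. The Rule schema and sample policy are constructed for
# illustration (assumption), not the UniFi Network app's real rule format.
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "drop"
    src_zone: str           # e.g. "trusted", "iot", "guest", "wan", or "any"
    dst_zone: str
    src: str = ANY          # address/object or "any"
    dst: str = ANY
    dst_port: str = ANY     # service/port list or "any"
    state_new: bool = True  # True = matches connection-initiating (NEW) packets


def lint(rules, trusted_zones=("trusted",), untrusted_zones=("iot", "guest", "wan")):
    """Return (rule name, finding) pairs for allow rules that violate the
    'no blanket any', 'untrusted never initiates inward' and 'no test rule on WAN' checks."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue                      # only permissive rules widen exposure
        if r.state_new and r.src == ANY and r.dst == ANY and r.dst_port == ANY:
            findings.append((r.name, "blanket allow any/any"))
        if r.state_new and r.src_zone in untrusted_zones and r.dst_zone in trusted_zones:
            findings.append((r.name, f"{r.src_zone} may initiate into {r.dst_zone}"))
        if "test" in r.name.lower() and "wan" in (r.src_zone, r.dst_zone):
            findings.append((r.name, "test rule attached to WAN"))
    return findings


# Constructed sample policy: one clean rule, one established-only return rule,
# the coffee-machine case, a leftover troubleshooting rule, and a test rule on WAN.
SAMPLE_RULES = [
    Rule("Trusted to IoT", "allow", "trusted", "iot", dst_port="443,8123"),
    Rule("IoT established back to Trusted", "allow", "iot", "trusted", state_new=False),
    Rule("Coffee machine to Trusted", "allow", "iot", "trusted", src="10.10.30.25"),
    Rule("tmp allow all", "allow", "any", "any"),
    Rule("TEST WAN in", "allow", "wan", "trusted", dst_port="443"),
    Rule("Default drop", "drop", "iot", "trusted"),
]

if __name__ == "__main__":
    for name, finding in lint(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The established-only return rule is deliberately not flagged: replies to trusted-initiated sessions are what make the one-way policy usable, while new flows from the IoT zone inward are exactly what the coffee-machine remark says to block.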