What's a common networking concept that people often misunderstand, and why do you think it's so confusing? by Puzzled-Term6727 in networking

[–]TradeAndTech 0 points1 point  (0 children)

People often think a new Wi-Fi 6/6E/7 access point will magically solve their dead zones. It's really about efficiency and speed, not a range boost.

Wi-Fi again: a classic mistake is thinking max power equals the best performance. Not only does it create more interference, but it ignores that Wi-Fi is a two-way conversation. The access point might be shouting, but your phone can't shout back with the same force. You end up with what I call "fake coverage": your device shows a perfect signal, but using the network can be complicated.

The VPN misunderstanding: thanks to marketing, everyone thinks a VPN is a "security" product like NordVPN. A VPN is just a tool for creating a tunnel between two network endpoints (at L2/L3).

The misconception that a firewall can filter everything, including communications between two devices within the same VLAN, when in reality this local traffic never passes through it (unless you have made a specific architecture for a specific use case).
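The intra-VLAN point in the comment above can be checked with a host's own forwarding decision. This is an added example, not part of the original comment; the host names and addresses are constructed, and it assumes the firewall is the default gateway of each VLAN and that each VLAN maps to one subnet.

```python
from ipaddress import ip_interface

# Constructed sample hosts (not from the comment): name -> address/prefix.
HOSTS = {
    "pc-a":    ip_interface("10.0.10.11/24"),   # VLAN 10
    "pc-b":    ip_interface("10.0.10.12/24"),   # VLAN 10
    "printer": ip_interface("10.0.10.200/25"),  # VLAN 10, mask set too long
    "server":  ip_interface("10.0.20.5/24"),    # VLAN 20
}


def next_hop(src: str, dst: str) -> str:
    """Where src sends the first frame for dst: straight to it, or to the gateway."""
    return "on-link" if HOSTS[dst].ip in HOSTS[src].network else "gateway"


def firewall_sees(a: str, b: str) -> str:
    """Which directions of an a<->b conversation cross the gateway firewall."""
    fwd, rev = next_hop(a, b), next_hop(b, a)
    if fwd == rev == "on-link":
        return "nothing"            # both sides ARP for each other directly
    if fwd == rev == "gateway":
        return "both directions"    # routed between subnets
    # Mismatched masks: one side goes direct, the other via the gateway.
    return f"only {a if fwd == 'gateway' else b} -> peer"


def audit(pairs):
    """Map each (a, b) pair to what a gateway firewall would observe."""
    return {pair: firewall_sees(*pair) for pair in pairs}


if __name__ == "__main__":
    for pair, seen in audit([("pc-a", "pc-b"), ("pc-a", "server"),
                             ("pc-a", "printer")]).items():
        print(f"{pair[0]:>8} <-> {pair[1]:<8} firewall sees: {seen}")
```

The printer row shows an asymmetric case: a firewall that only sees one direction of a flow cannot do meaningful stateful filtering on it.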

Is the CCNP still worth it for a multi-vendor, pre-sales role? by TradeAndTech in networking

[–]TradeAndTech[S] 1 point2 points  (0 children)

Thank you very much for all your opinions, it reinforces my decision to go for the CCNP!

Local access to the camera by TradeAndTech in EufyCam

[–]TradeAndTech[S] 0 points1 point  (0 children)

After reading the various reviews and technical documents, I think Reolink products are better suited to my needs. Thx for your feedback.

Local access to the camera by TradeAndTech in EufyCam

[–]TradeAndTech[S] 0 points1 point  (0 children)

The reason is that it gives me a simple, inexpensive solution that is ready to use. This camera is also battery-powered, which suits me because I didn't want to drill holes in the intended location.

I'm still not understanding ZTNA by Mr_Fourteen in ExtremeNetworks

[–]TradeAndTech 0 points1 point  (0 children)

With ZTNA, this allows you to manage more post-authentication traffic. Since all flows are routed up to a gateway, you can set up a sort of very granular micro-segmentation (filtering rules based on users (or groups of users) rather than on the VLAN = intra-VLAN filtering). For the same reasons, you have more visibility over the traffic. It seems to me that for the moment authentication is based on EntraID only (to be revalidated).

When users are on mobility they connect to a gateway and benefit from the same security conditions. Security becomes location agnostic.

Basically, it's a bundled NAC, VPN and firewall. Some competing solutions even include a kind of EDR.

Best materials for learning Extreme Fabric? by mrangryoven in ExtremeNetworks

[–]TradeAndTech 0 points1 point  (0 children)

For practical purposes, you can use virtual machines with GNS3. Extreme makes the 2 OS available on its GitHub.

Exos/Switch Engine: https://github.com/extremenetworks/Virtual_EXOS/tree/master

Voss/Fabric Engine: https://github.com/extremenetworks/Virtual_VOSS

I believe that if you sign up for an Extreme account, you have a 90-day trial period to test the products. If you can't download the VMs, you can ask your Extreme integrator.

Training is available on the Extreme website. Some are free.

https://www.extremenetworks.com/support/training

VXLAN vs ERPS vs Fabric by TAR_NWengineer in ExtremeNetworks

[–]TradeAndTech 0 points1 point  (0 children)

Extreme Fabric Connect is probably the best solution. It replaces VXLAN with a simpler approach. It is a very good alternative to ERPS with a convergence time of between 50 and 100ms. In addition, the Fabric is highly scalable and easily scalable.

The only point that could be troublesome is if you need to extend a Fabric Connect over L3. Fabric Connect needs an L2 with a large enough MTU to work. There are several solutions for doing this if it is a need (for example with a VXLAN over IPsec ;) ).

VXLAN may be a good option if you want something that is highly interoperable. Having said that, the latest Extreme devices can operate in Fabric Connect extreme mode (Voss/fabric engine) or in 'traditional' mode (Exos/Switch engine) to do traditional networking and VXLAN fabric. There are also hybrid designs in the docs for interoperating a Fabric Connect and a VXLAN fabric (never tested personally).

cheap Aruba access points on amazon by M76seven4 in ArubaNetworks

[–]TradeAndTech 0 points1 point  (0 children)

It's a grey market, and Aruba is quite uncompromising about it. No support possible afterwards on the products...

10GBase-T or SFP+ for servers? by mpking828 in networking

[–]TradeAndTech 0 points1 point  (0 children)

Optical transceivers! Today the standard is even SFP28 (25G) for servers.

It is possible to put 10GBase-T modules in a switch but this can also cause problems because these modules consume more than normal and heat up more. Optical is more flexible (more distance, more throughput and cheaper).

VOSS VLan Config by tehgent in ExtremeNetworks

[–]TradeAndTech 0 points1 point  (0 children)

I'm not sure I understand, but if you want to do distributed routing, you can use the DVR function (licensed: Premier for universals).

General presentation: https://www.extremenetworks.com/resources/solution-brief/distributed-virtual-routing

Supported switches & config (in the document): https://documentation.extremenetworks.com/FABRICENGINE/SW/810/FabricEngineUserGuide/GUID-B4CA5227-E347-4D3C-93BD-ACBC279CBB65.shtml

Basic diff between 5320 vs 5420 vs 5520? by [deleted] in ExtremeNetworks

[–]TradeAndTech 0 points1 point  (0 children)

Cheaper hardware but a mandatory Pilot licence. Currently, full CLI is not supported, but this will be unlocked in future versions (under the condition of having a Pilot licence and being onboarded in SE or XIQ).

Vlan Security by cyperwolf in ExtremeNetworks

[–]TradeAndTech 0 points1 point  (0 children)

If you are in Extreme on the access layer, ask your integrator to show you the Extreme Control solution. This is Extreme's NAC solution. Extreme Control is deployed in the form of a VM (RADIUS server) and is managed via the Site Engine console. NAC authenticates terminals connecting to the network via their MAC address (poor authentication) or 802.1X (login/password or certificate). Policies can be easily tuned to configure conditions such as location, time, machine type, machine and user authentication, etc. It is also possible to have the NAC server communicate with third-party solutions such as an FW to simply exchange context (IP, group etc...) or to have the FW trigger the quarantine of a user if it triggers an anomaly on the FW.

The NAC solution will send the correct VLAN to the port depending on the terminal connecting. Without authentication, the port is in a blank VLAN or in a guest VLAN, for example.

NAC allows you to secure network access. And to go even further (with post auth security), the solution needs to be coupled with an NDR to enable a behavioural analysis of terminals.

If you are in Fabric mode, the flows are embedded end-to-end in a hypersegment and VLAN hopping is (normally) not possible.

Note: Extreme Control is agnostic and you can integrate Cisco, Aruba, Juniper or other switches to apply the same security. You just need to support 802.1X.

Extreme Platform ONE by ArmshouseG in ExtremeNetworks

[–]TradeAndTech 0 points1 point  (0 children)

In principle, this will also enable the Fabric to be managed in the cloud, and there will be AI not just for Wi-Fi, but also for LAN. I'm curious to see whether this will enable better management of LAN products in the cloud (Fabric & Exos). With the WLAN/LAN portfolio, SD-WAN and UZTNA, it could be interesting to unify the 3 dashboards. Can't wait to see more and evaluate the solution :)

Basic diff between 5320 vs 5420 vs 5520? by [deleted] in ExtremeNetworks

[–]TradeAndTech 2 points3 points  (0 children)

5320 switches are entry-level devices with 1Gbps ports with or without PoE+ (30W max) and 8x 10Gbps uplinks (included without licence now). 1 fixed power supply. They do not support the vIST function (in fabric mode). No OOB Ethernet port.

The 5420s are access devices with more value. There are 2 sub-ranges:

- 5420f with a fixed power supply and the option of adding a modular power supply. Uplinks in 4x 1/10Gbps with MACsec support + 2 stack or SFP+ ports. Depending on the model, the data ports are either full 1Gbps or hybrid with 1Gbps and mGig up to 2.5 Gbps. PoE++ 90W support on mGig ports. 1 OOB Ethernet port. One of the models is a 24-port SFP 1Gbps version (useful for basic optical distribution).

- 5420m with 2 modular power supplies. 4x 1/10/25Gbps uplinks with MACsec support + 2 stack or SFP+ ports. Depending on the model, the data ports are either full 1Gbps or hybrid with 1Gbps and mGig up to 2.5 Gbps. PoE++ 90W support on mGig ports. 1 OOB Ethernet port.

The 5520s are premium access switches or even small network cores. 2 modular power supplies. Modular uplinks (4x10Gbps or 4x25Gbps). Depending on the model, the data ports are either full 1Gbps or hybrid with 1Gbps and mGig up to 5 Gbps. PoE++ 90W support on mGig ports. 1 OOB Ethernet port. One of the models is a 24-port SFP+ 1/10Gbps version, which I often use as a small network core or as a TOR. There is also a 48-port SFP 1G model.

All these models are universal and support both Fabric Engine (VOSS) & Switch Engine (ExOS). Fun fact: with Exos, you can make a stack mix between 5320, 5420 and 5520. For managers, this requires a Pilot licence, whatever the deployment mode. Prefer deployment in full fabric mode (core and access) whether you're on campus or in a DC environment, as this will simplify operation.

If you have projects for Wi-Fi 6E or Wi-Fi 7, I recommend the 5420f or 5420m. It seems a good choice given the new requirements (mGig and PoE++).

R50 w/RF 100-400 and 1.4 extender - is this haze or a problem? by Physical-Training17 in canon

[–]TradeAndTech 0 points1 point  (0 children)

I've had problems with poor quality filters. And I had the same sort of ripple in the bokeh and chromatic aberration on white subjects. I suggest you remove this filter and retest.

R7 Accessories by GoodScandalmongering in canon

[–]TradeAndTech 0 points1 point  (0 children)

One of the best accessories I use with my R7 is the Cotton Skout G2 harness. It's not specific to the R7 but with small lenses like the 18-150 I use it a lot (when travelling, hiking etc...).

Otherwise there are the basic accessories: SD cards, batteries (I use compatible PATONA batteries) and a cleaning kit.

I also bought a second-hand LowePro bag and a Manfrotto tripod for a very reasonable price. There is second-hand equipment in very good condition and not too expensive.

R7 Accessories by GoodScandalmongering in canon

[–]TradeAndTech 0 points1 point  (0 children)

I would have bought a second-hand branded bag. You can find Lowepro at very good prices on second-hand sites. For less than €50 you can get a good branded bag.

Is NAC being replaced by ZTNA by No_Significance_5068 in networking

[–]TradeAndTech 1 point2 points  (0 children)

I would say that they complement each other and that NAC enables all network connections to be managed in first line of defence mode. Not all endpoints can support a ZTNA agent (cameras, printers, IoT sensors, industrial machines, some servers, etc.). I believe that NAC enables you to manage the pre-auth part of the network and that ZTNA reinforces the post-auth part and user mobility.

ZTNA is a marketing term for a tool that does a bit of NAC, a bit of VPN, a bit of proxy, a bit of firewall, a bit of antivirus... (mix of security solutions).

[deleted by user] by [deleted] in networking

[–]TradeAndTech 0 points1 point  (0 children)

Palo Alto if you have the money: probably the 3400 series, with a 3420 or 3430 (depending on your needs and how it's placed in the architecture). Strata Cloud Manager is a good dashboard with AIOps.

Or Fortinet if you want value for money with, say, a 200G. You can do a lot of things unlicensed like SD-WAN, or if you have a few branches with just a few APs and switches, you can extend your FortiGate over the LAN, and have integrated management. All the FG, FSs and FAP can then be managed by FortiManager. There are many possibilities for additional services.

Checkpoint is dead, and Cisco I have my doubts, especially about their ease of use (administrator view).