Saturday, November 10, 2018

Career questions for network admins/engineers! (college assignment)

Let me know if you would be willing to answer 15 questions about your career.



Feedback on our Ubiquiti Set-up and Advice [Crosspost]

Original: https://www.reddit.com/r/ubiquity/comments/9vzw52/feedback_on_our_ubiquity_setup_and_advice/?

We're a wireless only office.

The Wi-Fi went down at a major event at work. Apparently it dropped to a crawl earlier in the day before it went down.

I wasn't there that day, so I didn't know what was going on and felt terrible. Why? I had just made changes to our wireless network to improve things.

Last month people were complaining about wireless performance in a customer service area. All the APs had high utilization.

3/4 of the APs were AC-Pros. I upgraded them to HDs.

People were happy for a while, but then started complaining again.

I saw all of them had high utilization. So I turned off 2.4 GHz, but turned it back on again as people were on 5 GHz anyway, and the Raspberry Pis needed 2.4 GHz.

So for all 4 APs in the area, I moved each to its own 5 GHz channel, far away from each other. I then dropped the transmit power to -14 dB as a quick site survey (software on my laptop) showed the radios were interfering with each other.

I then enabled RSSI, and dropped the limit to anywhere between -65 to -50. Some APs were only 8-10 feet away from each other. For these I dropped them to -50.

My reasoning for this is people were connecting to one AP, and no matter how busy it got, or how poor the connection quality got, they weren't always flipping over to the nearest AP. Once I enabled the RSSI setting and tweaked it, people's laptops were doing this.

On Thursday, the CEO told me he had bad Wi-Fi. I pinged his laptop, and packets had high latency and were constantly dropping out. No matter what I did, his laptop wouldn't connect to the AP right outside his door. He would only connect to an AP 25ft away at 64% signal quality at -68 dB.

To make him happy, I cranked the transmit power of that AP to 22 and raised the RSSI limit to -75. After monitoring his laptop throughout the day, he was able to connect OK.

No-one else in the area was complaining of wireless issues, and all the APs were on their own channels, with low transmit power (14, can't go below) with a very strict RSSI policy (-50 to -65) to force people to load balance between APs.

Everything looked fantastic when I went home on Thursday. Did I goof up? My co-worker said there was saturation and one of the APs went down. I felt terrible because I was making wireless changes to improve things! The auto settings on the APs weren't really working, so I felt compelled to manually change them. Things seemed to work, but now I'm not so sure.

Did I go wrong anywhere?

tl;dr -- Sorry for the wall of text.



Cisco Firepower Rant II

Three months ago I wrote a Cisco Firepower rant (https://www.reddit.com/r/networking/comments/9363af/cisco_firepower_rant/). It received more attention than I imagined, not only from the /r/networking community but apparently also from the vendor side. I had a nice chat with a TAC engineer, got a PM from the supposedly new NGFW product owner, who decided not to return my PM after I told him I would be willing to write up some feedback, but not through a Cisco customer program as he suggested, but only anonymously via reddit. And last but not least it looks like Mark Garrett (BoA @Cisco) also got the memo and even left a comment.

Before writing up my post I thought there might be different opinions on the product, but it was overwhelmingly one sided, with 96% upvotes out of ~ 27.5k views and comments that mostly reflected my own personal experiences. On one side it was quite satisfying to get so much matching feedback, but on the other hand it was quite frustrating to see everybody still struggling with a product that should be rock solid after so many years of development.

I would like to use this post to talk about some lessons I have learned in the last few years, but before that let's stick to Firepower for a few more paragraphs. As of today the newest stable release is 6.2.3.6 - basically the 6th patch release for the newest minor release 6.2.3 and let me just tell you one important thing. Nothing. has. changed. It's still the same mess that I described in my first rant and in the meantime I found even more issues that cost me quite some time.

As you might know Cisco introduced IPsec VPN in 6.1.0 (2016-09-29) and AnyConnect VPN in 6.2.1 (2017-05-15). Up until a few months ago I was able to avoid VPN features, because I was still fighting against basic features like HA (which by the way also breaks in 6.2.3.6, and also broke when upgrading from 6.2.3.5 to 6.2.3.6), but I finally had the honor of migrating several VPN services from ASA to an FPR4100 cluster and let me tell you it is a real mess. If you configure a VPN tunnel, make too many changes to the tunnel and re-deploy, the CSM code that is used to generate the required configuration (e.g. remove old configuration and replace with new configuration) gets totally confused, resulting in out-of-order configuration commands (CSM tries to delete config elements that are still referenced) and you will run into the typical rollback procedure where the configuration is wiped and basically reloaded - not very cool if you have a lot of VPN tunnels that die and must be re-established in the process. I have seen this phenomenon with both classic IPsec site-to-site tunnels and AnyConnect client-to-site configurations... So by all means if you are in the situation of migrating VPNs think twice about migrating VPN configuration from ASA to FTD, since apart from the buggy management plane implementation there is neither an API nor a migration tool that will help you port the configuration... and now imagine what it is like to migrate a large installation with 100 tunnels and many AnyConnect profiles, clicking through a painfully slow web UI, hoping that the changes you have made can be deployed and you won't need to delete your configuration and start from scratch again...

As mentioned earlier, let me use this post to talk about a few things I learned during the last few years: lessons learned over about 2000 hours of doing Firepower deployment, upgrades and day-to-day operations.

1 Don't put your eggs in one basket

Just because you are already using product xy from vendor z, don't artificially limit your choices and prefer a product from your existing vendor. When I started in IT my mindset was to aggregate as much as possible (vendor wise). It's the pipe dream of having one-throat-to-choke, the belief that it will be easier to resolve issues because there is only one number to call, but from my experience it doesn't matter if it is different vendors or different TAC departments, you will always have to go through the blame game. Apart from the support situation you create an over-reliance on a single external entity that will push their own agenda to upsell you on stuff you don't need... or you really need the 2nd product that will fix operational challenges from their other product (I am looking at you Cisco Assurance Center).

2 Don't mistake your VAR with a consultancy

Even though many VARs also do consulting you should keep their intentions in mind. They will try to upsell you on stuff that they are knowledgeable with. They are mostly bound to the vendors they partner with and will act in their own interest to achieve their economic goals (e.g. sell new product from vendor X to receive additional incentives). If your org is large enough and you lack the technical expertise to make the right decision, get somebody on board who gets paid to tell you the truth. I am not saying your VAR can't take the consultant's role but keep in mind who you are dealing with and what their primary interest is.

3 Test before you buy

If you are spending a lot of money on infrastructure you must know what you want. Make a criteria catalog of features that you want to use and create a test suite that bidders must abide by. I know that this is more relevant to larger organizations that have the resources to articulate what they want and have the manpower to accompany POCs, but if we are talking about a new product or a major architectural change this is something you should consider. See what the proposed solution feels like and rate them based on the criteria list you created. Even if your organization ends up making the wrong decision (maybe due to price or politics) you will end up with leverage against whoever screwed up and decided to buy the inferior solution. At the end of the day it is your organization that is spending money, you will own the faulty product and it is partly your fault for getting screwed over, if you don't do your homework and blindly trust another company.

4 Don't be a fanboy

To some degree we are all biased. If you have had good experiences with Palo Alto you will tend to trust them and might consider their Traps product over Cisco's AMP for Endpoints because you got totally screwed by Firepower. Try to fight the urge of attaching yourself to some brand. While it is totally reasonable to be aware of a vendor's strong and weak points (e.g. vendor X support has always been top notch, while vendor Y support always ends up with you talking to an Indian TAC engineer who you cannot understand and who contacts you right before his shift ends) you should try to focus on technical details and blend out the shiny PowerPoint presentations, promises and marketing (I am looking at you Gartner for placing Firepower into the leader quadrant - seriously, do you have any credibility left?)

Don't be a vendor marionette and concentrate on the underlying technology. IMO if you want to have credibility as an engineer you should shy away from programs like Cisco Champion or VMware vExpert that basically reward you for having the "right" opinions. Having strong opinions on products is one thing, but what technical reason do you have to prostitute yourself for a vendor? If you value your integrity as a technical expert you should think about how you want to be perceived by the people around you. Do you want to be valued for your honest and objective view on things or as a fanboy?

5 Realize when it is time to move on

I would consider myself to be very resistant to learning from mistakes and it took me quite some time to realize that investing so much time in a product / technology that has no future was a mistake. I think I was over attached to Cisco, or rather vendors in general and a bit naive. Hopefully I will be able to move out of network security soon and focus more on technologies that are more rewarding. Realizing what it is you don't want to do is important, if you end up in the wrong field you shouldn't waste your time on something that only drags you down.

Thanks for making it through my post, let's hope this is the last time I have to write about Firepower.



Power and Cooling Resources for IT Engineers

I wrote some articles on PacketPushers a few years back for engineers looking to understand the basics around power and cooling. They are by no means exhaustive, but can get you started on your journey to understand how it all works.

Back to Basics: Power and Cooling Cheat Sheet

Back to Basics: Power

Back to Basics: Cooling - Part 1

Back to Basics: Cooling - Part 2



How often do you test your redundancies?

Hey all. So, we all have redundancies on our network (if we don't, we really should get them). Whether it's a redundant router, redundant sup module, redundant cables in a LAG, or redundant ISPs, we have plenty of redundancies.

But, just like backups, if you don't test those redundancies, you might as well not have them, because you don't know if you can count on it.

Testing could be as simple as unplugging one strand of fiber to simulate a unidirectional link failure, or yanking the power cables on your core router to simulate a power failure. Or, you could simulate a failure scenario of a specific feature, like what happens if an access switch sends a superior BPDU?

We can all say with reasonable certainty what SHOULD happen in a specific scenario, but how often do you test to see what DOES happen? What testing methodology do you use?



What's up with ipv6, and why can't I resolve some information about an ipv6 address that my phone is connecting to?

fd00:976a:c006:cf10::1
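The address quoted above sits in fd00::/8, the locally assigned half of the RFC 4193 unique local range (fc00::/7): it is only meaningful inside the network that picked it, is not routed on the public Internet, and is not delegated in the global reverse DNS, which is why public lookups return nothing useful. An added example (not from the post) that classifies an IPv6 address by scope and decodes the ULA fields of the one in the post:

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")            # RFC 4193 unique local addresses
ULA_LOCAL_BIT = ipaddress.ip_network("fd00::/8")  # L=1: locally assigned (fc00::/8 is undefined)


def classify_ipv6(text: str) -> dict:
    """Return the scope of an IPv6 address and, for ULAs, its RFC 4193 fields."""
    addr = ipaddress.IPv6Address(text)
    if addr.is_loopback:
        scope = "loopback"
    elif addr.is_link_local:
        scope = "link-local (fe80::/10)"
    elif addr in ULA:
        scope = "unique local (fc00::/7)"
    elif addr.is_global:
        scope = "global unicast"
    else:
        scope = "other/reserved"
    info = {
        "address": addr.compressed,
        "scope": scope,
        "publicly_routable": addr.is_global,
        "reverse_name": addr.reverse_pointer,   # the ip6.arpa name a PTR lookup would use
    }
    if addr in ULA:
        bits = int(addr)
        # Layout: 7-bit prefix | L bit | 40-bit global ID | 16-bit subnet ID | 64-bit interface ID
        info["locally_assigned"] = addr in ULA_LOCAL_BIT
        info["global_id"] = "%010x" % ((bits >> 80) & ((1 << 40) - 1))
        info["subnet_id"] = "%04x" % ((bits >> 64) & 0xFFFF)
        info["interface_id"] = "%016x" % (bits & ((1 << 64) - 1))
    return info


if __name__ == "__main__":
    for field, value in classify_ipv6("fd00:976a:c006:cf10::1").items():
        print("%-18s %s" % (field, value))
```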



Any information to learn about power?

Do any resources exist from a network perspective on power in our industry? Or if not any good videos/articles you recommend that teach an intro to understanding power + more?

AC/DC, relationship between amps/watts/volts, common outlets/circuits in DataCenter environment... etc.

I found a decent set of videos and reading material but if someone has something that truly helped them understand these topics i would love to know about it.

Thanks!



Huawei Security article

https://www.thestar.com/vancouver/2018/11/05/canada-should-oust-chinese-telecom-huawei-say-security-experts.html

Saw this on r/worldnews and thought you all may be interested.

Pretty much says that Canada has been advised not to use Huawei because they will collect any useful information and send it back to China.

Frankly, not much of a surprise for me, but interesting nonetheless.



Ethernet Frame and IPv4 Confusion

I've been writing a program with raw sockets and finally got around to writing all the Ethernet Frame. IPv4 allows for just over 65000 bytes of payload yet Ethernet Frames only allow for about 1500. I've looked into jumbo frames, but they only allow 9000 bytes and aren't even supported by all machines. How do I get around this issue?
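The two numbers in the question come from different layers: the 16-bit IPv4 Total Length field caps a datagram at 65535 bytes, while the Ethernet MTU caps one frame's payload at 1500 bytes (about 9000 with jumbo frames), and IPv4 bridges the gap by fragmenting a datagram into MTU-sized pieces that the receiver reassembles by identification and offset. An added example, not from the post, that builds fragments with correct 8-byte-unit offsets, MF/DF flags and header checksums, and reassembles them while rejecting gaps, overlaps and bad checksums (addresses are RFC 5737 test addresses; the payload is constructed):

```python
import struct

IPV4_HEADER_LEN = 20        # minimal header, no options
IPV4_MAX_TOTAL_LEN = 65535  # 16-bit Total Length field
FLAG_DF = 0x2               # Don't Fragment
FLAG_MF = 0x1               # More Fragments


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, total_len: int, ident: int,
                flags: int, frag_offset: int, proto: int = 17, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header; frag_offset is in 8-byte units."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident,
                      (flags << 13) | frag_offset, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def fragment(src: bytes, dst: bytes, payload: bytes, mtu: int,
             ident: int, df: bool = False) -> list:
    """Split one IPv4 datagram into link-sized fragments (RFC 791 rules)."""
    if IPV4_HEADER_LEN + len(payload) > IPV4_MAX_TOTAL_LEN:
        raise ValueError("payload exceeds the 65535-byte IPv4 total length")
    if IPV4_HEADER_LEN + len(payload) <= mtu:
        flags = FLAG_DF if df else 0
        return [ipv4_header(src, dst, IPV4_HEADER_LEN + len(payload), ident, flags, 0) + payload]
    if df:
        # A router would drop this and send ICMP "fragmentation needed" instead.
        raise ValueError("datagram needs fragmentation but DF is set")
    max_data = (mtu - IPV4_HEADER_LEN) // 8 * 8  # all but the last fragment carry a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        hdr = ipv4_header(src, dst, IPV4_HEADER_LEN + len(chunk), ident,
                          FLAG_MF if more else 0, off // 8)
        frags.append(hdr + chunk)
    return frags


def parse(frag: bytes) -> dict:
    """Decode the fields reassembly needs and verify the header checksum."""
    ver_ihl, _, total_len, ident, flags_frag, _, _, _, _, _ = struct.unpack("!BBHHHBBH4s4s", frag[:20])
    ihl = (ver_ihl & 0xF) * 4
    return {"ident": ident, "flags": flags_frag >> 13, "offset": flags_frag & 0x1FFF,
            "data": frag[ihl:total_len], "valid": checksum(frag[:ihl]) == 0}


def reassemble(frags: list) -> bytes:
    """Rebuild the payload; refuses bad checksums, mixed datagrams, gaps, overlaps and a missing tail."""
    parsed = sorted((parse(f) for f in frags), key=lambda p: p["offset"])
    buf = bytearray()
    for p in parsed:
        if not p["valid"]:
            raise ValueError("bad header checksum")
        if p["ident"] != parsed[0]["ident"]:
            raise ValueError("fragments belong to different datagrams")
        if p["offset"] * 8 != len(buf):
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        buf += p["data"]
    if parsed[-1]["flags"] & FLAG_MF:
        raise ValueError("last fragment missing")
    return bytes(buf)


def demo(mtu: int = 1500) -> int:
    """Constructed example: a 4096-byte payload over the given MTU; returns the fragment count."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    payload = bytes(range(256)) * 16
    frags = fragment(src, dst, payload, mtu, ident=0x1234)
    assert reassemble(frags) == payload
    return len(frags)


if __name__ == "__main__":
    print("1500-byte MTU:", demo(1500), "fragments; 9000-byte MTU:", demo(9000), "fragment")
```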



Anybody seeing Withdrawal of prefix?

Hey guys,

Throughout the day I'm seeing my prefixes being withdrawn from peers worldwide. I use bgpmon and I'm getting alerts every few hours.

Contacted upstream and they say everything is fine.

Is anybody else using similar services getting the same alerts?

I'm just paranoid and suspecting something big and bad is coming and just wondering if I should sign up with Cloudflare for "protection".



Ip camera question

Hope this is the correct forum; please help me explain and offer a fix for my IP camera access issue.

I can access my camera's iPhone app from outside but not from the home Wi-Fi where the camera is connected, because I use the WAN IP.

70.80.80.80:90000 (example of my public ip) and I used UPnp for port forward 192.168.x.x:8080(Lan) camera ip

When I am on the same subnet I need to use 192.168.x.x to access my camera. Then when I am outside I use the public IP. How do I set up my network so I only use the WAN IP to access my camera regardless of where I am?

Thanks.



Anyone peering with Vultr in AMS?

Hi,

I've got a router at Vultr in Amsterdam and I was wondering if any of you want to peer with me (AS204585) through a GRE tunnel.



Friday, November 9, 2018

Issue using Ubiquiti DHCP with Windows 2016 DNS and Domain

I hope this is not too amateurish of a question, but I am out of my depth in a big way... I have the unfortunate luck of being the "computer guy" at my church who they call for fixing stuff. I have a technical background so usually I can muddle my way through new issues, but this week their server took a massive dump and basically stopped working entirely. It still boots but it has major problems (NICs won't connect, power supply failure, hangs on boot or most services won't start) and it's Server 2003.

Someone donated a new server and licenses for Microsoft Server 2016. I made the server a Hyper-V host with a VM for DNS/domain, one for file sharing, and one for networked programs. I created a new domain and dns server.

I recently replaced all the network hardware with Ubiquiti devices (USG Pro 4, Cloud Key, AP AC Pros, 48 Port POE and one 48 Port non-POE in the mdf room with the server).

My issue is that the DHCP is being handled by the Ubiquiti stuff, but it does not see the domain (e.g. devices handled by DHCP cannot ping it). The previous server handled this by the old "IT guy" statically assigning the DNS for every device on the domain. I know that this is probably not best practice.

Is there a way to get my DHCP assignments by Ubiquiti to use the domain DNS? Would it be substantially better to use the DNS server to handle DHCP instead of the Ubiquiti device?

My reluctance to move DHCP to the server is that I really like the statistics and ease of using the Ubiquiti gui. The deep packet inspection, etc. Windows I am not as familiar with...

I hope this made sense. Thanks for the help!



CAN IPFS SUBVERT THE HTTP PROTOCOL?

IPFS (InterPlanetary File System) network. This comical name is, on the one hand, a tribute to computer scientist Joseph Licklider. When Joseph Licklider served as director of the US Defense Advanced Research Projects Agency at Licklider, he proposed the Intergalactic Computer Network. It eventually became the world's first packet-switched network to operate, the global Internet ancestor ARPANET (developed by the US Department of Defense, officially put into operation in 1969).

On the other hand, the name IPFS (InterPlanetary File System) also shows the ambition of IPFS: to provide people with reliable and efficient data transmission methods, even if humans emigrate to Mars, they can still transmit data between the stars.

The Internet protocol, which was launched in May 2015, is little known because it lacks an incentive layer. Therefore, the clever Protocol Labs has developed an incentive layer Filecoin based on IPFS.

Everyone said that EOS is the 3.0 era of the blockchain, but I think IPFS and Filecoin are the biggest Uranus projects in the blockchain 3.0 era. Interestingly, there are nearly a hundred blockchain projects based on IPFS, but IPFS itself is not a blockchain project. Filecoin is the blockchain project.

Although the popularity of Bitcoin, Ethereum, EOS, IPFS, and Filecoin is simply not worth mentioning, Filecoin's online time is unknown and may even fail. IPFS is still rare in the world, with fewer nodes in the country. Therefore, compared with the well-known head coin and head items, it is not too much to say. But why is it so embarrassing, I still choose Stud, and unswervingly recharge the faith, a steady stream of endless. Come to see the magic of it.

IPFS Can Bypass the Blockade

In May 2017, the Wikipedia ordered the blockade of Wikipedia as Wikipedia refused to remove the paragraph on the Turkish government and Syrian jihadists.

The Turkish people stored the Turkish Wikipedia in a distributed network and were able to circumvent the blockade.

In October 2017, the Catalonia region of Spain decided to hold a referendum on independence. The Spanish government blocked all Catalan domain names and blocked the referendum.

However, the Catalan government and the public have established voting sites in a distributed network, and finally, more than 40% of citizens have successfully participated in the voting.

The ambition of IPFS goes far beyond breaking the blockade, and its ultimate vision is to turn distributed storage into a part of the computer's file system. What this project wants to solve is the fundamental problem of current Internet data transmission. Data is over-reliant on a single node, and transmission efficiency is low; data is not effectively encrypted, and user privacy cannot be guaranteed. Web pages and links often fail in a few days, content can no longer be extracted, and human history dies.

Subversion HTTP Protocol



Connecting POE VoIP Phone to Google Talk or Traditional Analog Phone Line

Hello, I have a Mitel 5320e IP phone, which receives its power via an ethernet connection. I'm wondering if there is any way to connect this VoIP POE phone to either Google Talk through the use of a converter or somehow connect it to a traditional analog phone line? I know there are several converter boxes out there, but I'm not sure if they provide power via the ethernet connection.



SD-wan deployment done (Silverpeak)

Hello,

just want to follow up, from this thread https://www.reddit.com/r/networking/comments/8bes0e/sdwan_deployment_3_months_in_discussion_ideas_and/

We have completed our deployment in early October, and honestly the ISP held us up the most; we did find that 2x LTE from different carriers is a great stop gap though :) (one day we hooked up 8x LTE in the lab and it worked great lol)

We are still waiting on some buildouts from ISPs; others we gave up on and ordered some DIA fiber (was in the building already).

Currently very happy with the deployment: 100+ sites, 7 months, with 3 people (we use some pro services to help on remote sites); we did have a 4-6 week period in the middle where we were not doing much but waiting on circuits.

I'll be happy to answer any questions the best I can. I know this is new to the WAN world.

Some questions I may need a couple days for if I need to test something for yah.

Obviously solutions are different, while we tested a few, only Silverpeak was deployed. That is where my answer would be based from.



DR starts in 90 mins, wish me luck guys.

Tonight could be very interesting. We are less than 90 days from an actual disaster recovery scenario due to a natural disaster, after which we physically moved data centers. In the aftermath we identified a number of issues that need to be rectified but didn't get time to resolve all of them before tonight. Exec level is adamant however that we do a DR this weekend. Also the DC will be moving to new infrastructure in the summer and one of the DCs which we use as our BDC is being eliminated at that time. :( Edit: Tonight is a DR exercise



Cisco to Palo Policy based VPN issues

I have set up a number of policy-based VPNs today and all are having issues with one particular subnet behind the Palo Altos. The Cisco routers are pretty old 800 series running 12.x, and I've been asked to keep them policy-based (not even sure if this version of IOS will support tunnel interfaces tbh).

There are 3 subnets behind the Palo Alto FW, 2 of which successfully come up, but one that does not.

Cisco Config:

crypto isakmp key KEY123 address 1.1.1.1

crypto ipsec transform-set OFFICE esp-3des esp-sha-hmac

crypto map MAP 8 ipsec-isakmp
set peer 1.1.1.1
set transform-set OFFICE
match address 120

access-list 120 remark OFFICE
access-list 120 permit ip 10.8.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 120 permit ip 10.8.0.0 0.0.0.255 10.4.60.0 0.0.0.255
access-list 120 permit ip 10.8.0.0 0.0.0.255 10.2.60.0 0.0.0.255

ip access-list extended 102
153 deny ip 10.8.0.0 0.0.0.255 172.16.0.0 0.15.255.255
154 deny ip 10.8.0.0 0.0.0.255 10.4.0.0 0.0.0.255
155 deny ip 10.8.0.0 0.0.0.255 10.2.0.0 0.0.0.255

ACL 102 is just being used as part of a route-map to include/exclude NAT. The entries for 10.2.0.0 do not establish; I get the following on the Palo:

IKE phase-2 negotiation failed when processing SA payload. no suitable proposal found in peer's SA payload

On the Palo side of things the IKE and IPsec cryptos include every option available, just as a test, but I still get this issue with the one subnet.
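A check a practitioner would run on a post like this: convert the Cisco wildcard ACLs to CIDR and, for each interesting-traffic entry in the crypto ACL, report whether the NAT-exemption ACL and the peer's proxy-IDs agree with it exactly, since phase 2 selectors that differ on either side are a common cause of the "no suitable proposal" family of errors. This is an added example, not the poster's tooling; the Cisco lines are quoted from the post, while the Palo Alto proxy-ID list is constructed (the post does not show it) and its third entry is deliberately different so the report shows what a mismatch looks like.

```python
import ipaddress
import re

# Cisco lines quoted from the post above.
CISCO_CONFIG = """
access-list 120 remark OFFICE
access-list 120 permit ip 10.8.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 120 permit ip 10.8.0.0 0.0.0.255 10.4.60.0 0.0.0.255
access-list 120 permit ip 10.8.0.0 0.0.0.255 10.2.60.0 0.0.0.255

ip access-list extended 102
 153 deny ip 10.8.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 154 deny ip 10.8.0.0 0.0.0.255 10.4.0.0 0.0.0.255
 155 deny ip 10.8.0.0 0.0.0.255 10.2.0.0 0.0.0.255
"""

# CONSTRUCTED Palo Alto proxy-IDs as (palo_local, palo_remote); not from the post.
# The third entry is intentionally narrower/different from the Cisco crypto ACL.
PALO_PROXY_IDS = [
    ("172.16.0.0/12", "10.8.0.0/24"),
    ("10.4.60.0/24", "10.8.0.0/24"),
    ("10.2.0.0/24", "10.8.0.0/24"),
]

ACL_HEADER = re.compile(r"ip access-list extended (\S+)")
ACE_NUMBERED = re.compile(r"access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")
ACE_NAMED = re.compile(r"(?:\d+ )?(permit|deny) ip (\S+) (\S+) (\S+) (\S+)")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair into a CIDR network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # wildcard bits not contiguous from the right: not a plain subnet
        raise ValueError("non-contiguous wildcard mask %s" % wildcard)
    return ipaddress.ip_network("%s/%d" % (addr, 32 - w.bit_length()), strict=False)


def parse_acls(text: str) -> dict:
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'ip' ACEs of both ACL styles."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_HEADER.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if m := ACE_NUMBERED.match(line):
            name, action, s, sw, d, dw = m.groups()
        elif (m := ACE_NAMED.match(line)) and current:
            name, (action, s, sw, d, dw) = current, m.groups()
        else:
            continue  # remarks, crypto map lines, blanks
        acls.setdefault(name, []).append(
            (action, wildcard_to_network(s, sw), wildcard_to_network(d, dw)))
    return acls


def check_tunnel(crypto_acl: list, nat_exempt_acl: list, peer_proxy_ids: list) -> list:
    """For each permitted crypto ACL pair, flag whether the NAT exemption and the peer's
    proxy-ID match it exactly (exact agreement is the safe assumption for phase 2)."""
    nat = {(s, d) for a, s, d in nat_exempt_acl if a == "deny"}
    # Flip the peer's (local, remote) into this router's (local, remote) orientation.
    peer = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in peer_proxy_ids}
    report = []
    for action, local, remote in crypto_acl:
        if action != "permit":
            continue
        report.append({"local": str(local), "remote": str(remote),
                       "nat_exempt": (local, remote) in nat,
                       "proxy_id_match": (local, remote) in peer})
    return report


def run() -> list:
    acls = parse_acls(CISCO_CONFIG)
    return check_tunnel(acls["120"], acls["102"], PALO_PROXY_IDS)


if __name__ == "__main__":
    for row in run():
        print(row)
```

With the quoted config the 10.4.60.0/24 and 10.2.60.0/24 entries already come back with nat_exempt False, because ACL 102 denies 10.4.0.0/24 and 10.2.0.0/24 rather than the /24s the crypto ACL names.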



Two modular switches instead of spine/leaf?

Couple companies have recommended that we should build spine/leaf architecture with 1U switches. Spines with 32x 40G or 100G, leaves with 48x 10G or 25G. However we currently don't need many server facing ports as we're mainly using HCI stuff in the DC. Something like 4x48 per DC would be fine for now, though I'm not sure how much we're going to expand.

Wouldn't it be better to just get something like 2x 2U modular switch with enough ports? We're considering a 2U switch that has 4 slots, and 16x40 or 24x10/25 cards for that. As for uplinks, our campus core is with 10Gbps ports.

If we just plug in 4*24x10Gbps cards, we get 96 10Gbps ports. So with two switches we could attach 96 servers minus the firewalls and uplinks etc. We could expand it by getting 2 more and do full mesh. Then we could connect 192 hosts with 2x10 LACP.

Due to mergers etc. we have a lot of smaller data centers...

Any ideas? Thanks!

Edit: forgot to add that we'd need a way to migrate stuff from DC to DC, I guess for now it's going to be VXLAN until we figure out how the applications work. And get everything redundant on the app level



How do I wire my house with CAT5? Please help

I'm 17 but my parents are expecting me to do everything because my brother does networking stuff in the Air Force and I think I know more than the average teenager. The cables are all connected to ports around the house and lead back to a little room in my parent's closet. The CAT5 cables are exposed so I've had to put on the ends and do all the crimping and what not. From what I've learned, I need to either do a straight-through or crossover. I've done both but neither worked (maybe I wasn't doing it right). I also noticed that there are more wires than ports in the house. Also, to connect the router to everything, I plugged it into the CAT5 port in the wall. Is that right? I have a network switch in the room with all the wires but it never detected a signal. Sorry for all the information and questions. My next step is to FaceTime my brother and try to figure it out. I'm thinking we need to hire a professional but my parents don't want to because the Wi-Fi is fast enough. I want it because my gaming PC doesn't have Wi-Fi capability and I don't want to buy an adapter. Thanks in advance.



what is a good TxRetry % for wireless?

Wireless question for reddit. For 2.4 Ghz, what do you feel that a proper TxRetry percentage should be? I'm getting about 27 - 30% on 2.4.



What LAN cable to use for WiFi extender

I'm helping fix internet issues for a local organization. Their router is pretty far away from where they use the WiFi so they set up a WiFi extender. The problem is they didn't hardwire the extender to the router and it cuts out the internet a lot. This could be due to it trying to reach the router 50' away through 2 concrete walls.

I recommended to them to hardwire the extender to the router to see if that helps. If the cable doesn't help I suggested they change the WiFi extender to Google WiFi.

However there are a lot of different LAN cables. CAT5, CAT6, CAT7? What would be the ideal cable for running a 70' cable from a router to an extender?

If it matters the router is a Cisco DPC3939B and they have Comcast business internet.

Thanks.



Does anybody have a video of the machine that prints the temperature and cable specs on the cable? I'm sure it's a dot matrix of some sort.


Trying to integrate qemu IOS emulation or possibly GNS3 on Unity

This might seem like a weird idea at first and maybe not even suited for this sub but please hear me out first.

As a vive owner I thought about starting a side project on unity for an educational purpose in which the user/player would be able to learn the basics of networking fully in VR.

The user would be able to interact with a different set of cables, routers and switches and possibly even racks with servers and storage units.

Though in order to do this, I was faced with two solutions: Solution 1: simulate the whole thing just like in Packet Tracer, though this would take me a lot of considerable time in order to flesh it out.

Or solution 2: which is the best solution imo, using Qemu or GNS3 and integrating it into the Unity engine via API calls maybe, but is that even possible?



RDP on VPN Network Issue. Please Help. Cisco ASA

Hey Guys,

So I am coming to you because I am a bit stuck as to what to look for. I am having a problem with a few users. I don't know if this is just going to be an environment issue or maybe I am missing a config somewhere but just to give you the rundown of what is going on here it is:

I have a group of about 10 remote users who work out of a WeWork office in Los Angeles. These users have desktops that are connected to our network via their AnyConnect clients. The desktops can reach all network resources just fine this is not an issue. The problem is sometimes these users will work from home and they are trying to RDP into these systems. So from home they VPN into the network and then they are trying to RDP into another machine that is connected to the network via VPN as well.

The issue is that it won't RDP, and I can't even ping any machine on the VPN subnet. So I am not sure as to what to check here. We are running a Cisco ASA5520 which is connected to our Core Stack of 3850xs. Like I said from a machine connected on the VPN I can access ALL network servers/printers/AWS and all other subnets but I can't reach anything on the VPN subnet that I am on. This is kind of baffling me... because shouldn't I be able to talk to anything on the same VLAN without any issues?

If you have any ideas where I can start troubleshooting or what I should be looking at please let me know. Any help would be greatly appreciated.

Thank you!



Recommendations on what modem to pair with the Netgear XR500 nighthawk

This might be a slightly lengthy post but I would really appreciate the help and hope you guys can bear with me. Let’s start from the beginning. Ever since I could remember I loved gaming and ever since I could remember I’ve had terribly unreliable internet. So a couple months ago I bought the Netgear AC1600 and it's a modem router combo and I’m aware how it’s recommended not to go with combos but I figured it’d be better than the Xfinity combo they gave us. So I set it up and it worked okay for the first month or so then my connection got extremely unreliable again. I want to state the speed I’m getting from the router isn’t really the problem, it’s the connection and reliability. I’m constantly getting kicked off and my router/modem seems to just have inconsistent hiccups with constantly kicking me off while I’m in games. (I also want to note I’m currently living in an apartment building. A small one at that so I don’t know how much it’ll affect my internet) So I’m just gonna pull the trigger on what looks to be one of the more reliable routers. I have a 150mbps package from Xfinity which is pretty basic. And I’d like recommendations on what modem I should get to pair with the Nighthawk; any insight on my problem or recommendation would be greatly appreciated. Thanks.



Guest WLAN access management - Cisco friendly

Hiya team.

I'm looking into replacing our old, fixed-PSK-based guest WLAN access solution (aka "PostIt-Shared-Key") with a dynamic solution that would allow, ideally, one-time/single-user access management approach.

Example : When vendor comes to a plant, we can generate a limited life (say, 24h), limited number of users (enough for his team) PSK or in some other way provide access without opening doors for everyone.

Our wireless platform is either 5500 series or 3500 series WLC-driven Cisco, with on-prem HA WLCs and 2700 and 2800 series WAPs at most locations.

Does anyone know of good available solutions for what we're trying to do?



Palo Alto vs Checkpoint Firewalls

What are some of the benefits/drawbacks of each platform when compared? I have some experience with both platforms and have my own opinions, however, I am curious what everyone else thinks...



3850 IOS XE from v3 to v16 - upgrading switch stacks

Hello there and happy Friday!

So over a weekend I will be upgrading 5 stacks of switches and just wanted to double confirm I don't need to enable auto update on them if during the OS upgrade I will use "software install flash:<OS.bin> new force switch 1-3", correct?

None of our stacks have auto update turned on, is it a good idea to do this before the upgrade just in case? Everything will be done remotely.

Sincerely.



WIFI Heat map software

Been tasked to do a site survey for a 1:1 at one of our schools. People who do this, what software/hardware tools do you use/like? It looks like a lot recommend Ekahau. Not sure if I can get them to splurge for the paid version and hardware although I may try. What are you all using?



IPSec Tunnel; ASA5510 to Meraki MX64. Tunnel up, but can't access networks in either direction.

First off, not a network engineer. This was built using guides from Meraki.

For the purpose of this, ASA is local, Meraki is remote. Also, I'm doing this via ASDM on the ASA.

Tunnel is up, at least according to Meraki dashboard. I get the little green light in the non-meraki peers section of VPN Status page.

Back at my ASA:

  • I built the network objects for each remote network (4 in total) and put them into a network object group (Business-Office).
  • I built an ACL listing all applicable Local Networks and the Remote Business-Office grp obj are permitted to talk.
  • Created the Tunnel Group, CryptoMap (set to bi-directional), and applied everything to our External interface.

As I said, Meraki side says tunnel is up.

On Meraki Dash:

  • Created a non-Meraki peer pointing to public ip of ASA
  • Defined the private subnets that the ASA would be allowing over
  • IPSec Policies are Default
  • PSK same as set in ASA
  • Availability set to entire Business Office tag (made sure to tag the network in the dashboard).
  • Inbound/Outbound rules for tunnel set to Any across the board.

I can't for the life of me figure out why I can't access networks in either direction.

Any input would be greatly appreciated.



Cisco/other router recommendation

Hello everyone.

I am searching for a router that has some specific features and I really can't find exactly what I want; maybe some of you can help me with this. Basically, I need a router that will be installed in a location without internet access (so it needs to support SIM cards) and that will be permanently connected via VPN (site-to-site) to a Cisco router in another location, so it must support this type of VPN connection. So far, I found the Cisco 819G-4G that has SIM card support and, being a Cisco router, I assume it can connect via Cisco VPN with the other router. Am I right? Or can you guys recommend something else that meets these requirements?

Thank you!



OpenGear production/hardware issues of late?

A week or so ago someone posted about their recent OpenGear woes. Not sure if it was this sub or /r/cisco, but I can't find it at all. Anyone happen to have saved it for reference?

We've used OpenGears for years and recently have started having lots of problems with them. A brand new unit kept flaking out, and would need multiple power-cycles to come back up. Another unit that is also new crapped out after a firmware upgrade - network recovery brought it back up only to fail again moments later.

Many of our OG units have flaky connectivity - excessive PING drops. OG has suggested setting NICs to promiscuous mode which sometimes helps, sometimes doesn't.

Updating iptables firewalls rules using the config commands will result in the firewall rules being all jacked up a week later.

They used to be pretty good, and were only a tad flaky - PING drops and trying to make use of the redundant NICs was not stable. Our use of them is pretty light-weight - typically single-homed via RJ45 and just running as SSH console server. Can't really use them any less than that.



Advantages of VRRP over clone router with disabled port and monitoring.

I am looking into HA for a gateway/firewall and looking at VRRP and non protocol alternatives.

In a lab scenario I have tested a clone router, called backup, for the master router. It has the same internal and external IPs, but the ports that link those interfaces with the switches (NAT side and WAN side) are disabled on the backup router.

The backup router on a separate interface is monitoring connectivity to the master router and if it sees that master is down it enables interfaces picking up traffic.

The mechanism has been tested and it fails over in less than 10 sec (with some purging of the firewall connection table).

What are some disadvantages of this method over VRRP?



Unifi vs Ruckus - why is Ruckus perceived to be better?

Unifi is known for being reasonably affordable however it's perceived to be worse in certain scenarios than Ruckus.

What exactly does Ruckus do that makes it better than Unifi? Can anyone explain the technical differences in how they operate?



How to convert FTD to ASA?

I'm trying to take the Firepower shit off a firewall I ordered and put some proper code on there. I can't see how to get my ASA code on and make it boot. The options I have are below.

rommon 4 > ?
?        Display this help menu or verbose command help
address  Set the local IP address
boot     Boot an application program
dev      Display a list of available file system devices
dir      File directory display command
file     Set the application image file path/name to be TFTPed
gateway  Set the default gateway IP address
help     Display this help menu or verbose command help
history  Show the command line history
netmask  Set the IP subnet mask value
ping     Test network connectivity with ping command
reboot   Reboot the system
reload   Reboot the system
reset    Reboot the system
set      Display or modify configured environment variable(s)
server   Set the TFTP server IP address
show     Display system device and status information
sleep    Stalls the processor for the specified number of milliseconds
sync     Save the environment variables to persistent storage
unset    Clear a configured environment variable

According to the documentation: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#id_57458 it should have an erase option on there and a tftpdnld option. As you can see above, I have neither.



Transmit Discards across network and printers and MAC loses network connection

We have been experiencing a very frustrating issue where huge Tx Discards are seen on various ports on various switches across the network. Not always the same ports, not the same time of the day, and not every day. Recently though it has been every day. This is coupled with high utilization on those same interfaces 50% up to 80% and even over 100% utilization. When this happens, all the printers across the network lose network connection as well as the single Apple Mac we have in the organisation. The Windows workstations and servers don't seem to be affected.

I am desperate for an answer here as this is baffling even some senior network engineers I have spoken to.

Our current plan of action is as follows:

  1. Buy a new switch and swap it out with the existing edge switches one by one to see if it is maybe a switch causing this.
  2. Update all firmware on all switches
  3. Use Wireshark to capture traffic before and during spikes
  4. Create separate VLANs for printers
  5. Switch off IPV6 for all devices on LAN (saw a reference to MLD packets causing a similar thing)
  6. Last resort - update all network card drivers across the network (300 workstations!!!) - very labor intensive....

Any advice is highly appreciated.



Thursday, November 8, 2018

New Networking Consultant Job

I am a CLI guy by trade and have been doing that stuff for 10 years. I was recently put in a role in a Govt IT job where I am doing mostly system engineering and paperwork engineering.

Any ideas of what I should do to prepare for my new gig? Any books to read to help me in my new role.



Fiber Optic to Ethernet? SC cord in fiber router but need to go to a router with Ethernet port? Not sure what I need, whether this works or not?

https://www.amazon.com/gp/product/B01M7TFP02/ref=crt_ewc_title_dp_1?ie=UTF8&psc=1&smid=AE2OZG2NN3099

https://imgur.com/9bWigCG this is the cord; I think it's an SC cord, after I found a picture that shows all these different types of fiber optics. Then I found media converters, which I'm not sure if this/these are what I need to plug into a regular Ethernet port router. Media converters usually come with a spot that has two plug-in ports, not a single port like the SC type. This is the only one I've found.



Is it necessary to explicitly block bogon networks if you already allow established/related, block invalid/drop everything else.

As the title says. Maybe I'm not understanding something but wouldn't bogon networks already be blocked if you only allow established/related?



Telecom engineers of networking, what are your opinions of Mitel's IP-PBX offerings?

I'm interviewing for a position that would include a certain amount of work with Mitel phone systems - though it's not my main job function, and I'm curious how similar/dissimilar it would be to CUCM, and I'd also like to know what people's general opinions on it are.



Amazon now owns 3/8

Looks like it was purchased from GE as the pair of /9s that make it up.

https://news.ycombinator.com/item?id=18407173



Freeradius vs ...

I work for a small telecom, and we are trying to move away from an AD setup on Windows to Ubuntu. We mainly use Mikrotik switches and firewalls, mixed with Juniper SRX5400 and EX4600. I did some looking around and found FreeRADIUS but was not sure if there were better alternatives for the equipment I'm using.



Purchasing TACACS+ Servers.

If it were up to me I would go with Cisco ACS because it just works. But ACS is getting old and cannot be purchased anymore.

Does anyone know of any good TACACS server which supports AD authentication?

Prerequisites:

-AD authentication.

-Support backup server.

-Fairly easy web-GUI.



Network Core Switch Recommendation

I'm looking for recommendations regarding core switches. Our campus is due for a network upgrade; we currently have 1gb links throughout each node. We're looking into upgrading our links to 20GB on each node, and we'll be using Ubiquiti switches for our nodes. We're also looking into doing VLANs.

I've been asking around and people say not to get Ubiquiti for the core switch, so if anyone has any good recommendation for a 10GBase core switch.

What we currently have:

https://snag.gy/7RW2KJ.jpg

  • ProCurve 5412zl (Core Switch)
  • 4 x J9022A
  • 11 x J9148A

Budget:

  • $70,000.00 which will include getting


Blogpost Friday!

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.

Feel free to submit your blog post, as well as a nice description, to this thread.



Which protocol is used for streaming media?

I found some information about RTP and RTSP but I'm not sure which of these two protocols is used for streaming. Can anyone clear this up for me?



Sonicwall Sorrow

I have a customer that is subletting in another customer's building. We are changing their internet connection to use a new isp (my employer's).

The building owner has a private fiber network that I am using as transport to their customer.

The topology is: current_isp --- accessport vlan 399-- me3800 ----trunk ------ 2960 ------- access port vlan 399 ---- sonicwall

The sonicwall has a public ip and works perfectly with current_isp.

I went and swapped out the ISP patch cable to new_isp. I gave them a new public IP, mask and gateway. I verified that it worked at the fiber ONT. I then called and said it was ready; they changed their static information on the SonicWall and they could not reach the gateway.

I added another access port to the backbone switch to access that vlan with my laptop and I gave myself a static ip in their new public subnet. I could ping the gateway and their firewall and the firewall could ping me.

I asked them to test with a laptop. They entered the static ip and subnet/gateway and could reach the gateway and internet just fine.

I suspected a bad subnet mask but they insisted it was correct. I loaded up Wireshark and I could see the SonicWall sending out packets to the gateway but no replies. I did not try a SPAN port, so it's possible I just didn't see the replies, but I doubt it.

I think it rules out all of my configuration and hardware but I have no idea what could be wrong on the sonicwall before I start blaming them.

They also claim that there are no acls or anything that would block the traffic. That is borne out by the fact that they can ping my laptop's public ip (inside the backbone switch so layer2 only) from the inside of the firewall.

I have allocated a /26 for static allocations for this area and I am using their ont to restrict them to their assigned ips.

The subnet is X.X.X.192/26

The gateway is X.X.X.193 and I have them X.X.X.196.



ipsec speeds are trash or im doing something wrong fortigate

Hey, I have 1 D3000 in LA and 1 D3700 in NYC set up with a site-to-site IPsec tunnel, then BGP advertises all my routes for each site. I can traverse the tunnel, but the speeds are crazy slow. Both sites have a 10g line. If I place 2 iperf boxes straight on our public IP I can get at least 600MB across; once the iperf boxes get behind the FG my speeds max out at like 28MB.

I have 2 computers connected straight to my firewalls with 10g Ethernet.

 .\iperf3.exe -c 192.168.205.2
 Connecting to host 192.168.205.2, port 5201
 [  4] local 192.168.220.2 port 50293 connected to 192.168.205.2 port 5201
 [ ID] Interval           Transfer     Bandwidth
 [  4]   0.00-1.00   sec  2.12 MBytes  17.8 Mbits/sec
 [  4]   1.00-2.00   sec  3.62 MBytes  30.4 Mbits/sec
 [  4]   2.00-3.00   sec  3.50 MBytes  29.4 Mbits/sec
 [  4]   3.00-4.00   sec  3.50 MBytes  29.4 Mbits/sec
 [  4]   4.00-5.00   sec  3.75 MBytes  31.3 Mbits/sec
 [  4]   5.00-6.01   sec  3.38 MBytes  28.3 Mbits/sec
 [  4]   6.01-7.01   sec  3.50 MBytes  29.2 Mbits/sec
 [  4]   7.01-8.01   sec  3.62 MBytes  30.5 Mbits/sec
 [  4]   8.01-9.01   sec  3.62 MBytes  30.4 Mbits/sec
 [  4]   9.01-10.01  sec  3.50 MBytes  29.4 Mbits/sec
 - - - - - - - - - - - - - - - - - - - - - - - - -
 [ ID] Interval           Transfer     Bandwidth
 [  4]   0.00-10.01  sec  34.1 MBytes  28.6 Mbits/sec                  sender
 [  4]   0.00-10.01  sec  34.1 MBytes  28.6 Mbits/sec                  receiver

 tracert 192.168.205.2
 Tracing route to MACMINI-15A2CC [192.168.205.2]
 over a maximum of 30 hops:
   1    <1 ms    <1 ms    <1 ms  192.168.220.1                   <<<< gateway on the fg
   2    69 ms    69 ms    69 ms  172.30.1.1                      <<<< bgp ip of NY side
   3    69 ms    69 ms    69 ms  MACMINI-15A2CC [192.168.205.2]  <<<<< Iperfserver in NY.

The 192.168.2xx.2 IPs are in my LAN zone talking to the VPN zone; the rules follow:

 edit 200
     set uuid 10f7ecc4-c2cb-51e8-f87e-ebf24a5238f5
     set srcintf "VPN"
     set dstintf "LAN"
     set srcaddr "all"
     set dstaddr "all"
     set action accept
     set schedule "always"
     set service "ALL"
 next
 edit 201
     set uuid 11234fb8-c2cb-51e8-5ace-4ba96a214c95
     set srcintf "LAN"
     set dstintf "VPN"
     set srcaddr "all"
     set dstaddr "all"
     set action accept
     set schedule "always"
     set service "ALL"
 next
 end

Any info or things I should poke around in? I also have had users try and move a few files back and forth and they see about the same max speeds. I know this should be way faster; what's going on?



WPA2-Enterprise Wireless set up (X post) r/sysadmin

I have set up a domain controller to provide WPA2-Enterprise authentication (GPO) to my wireless.

Most of the laptops connect and work fine, but I have a few that will not connect. Most seem to be Windows 7.

I have checked the event log on the server and didn't find any related error messages nor any on the laptops.

Any suggestions on what I should look for?

Thanks!



PAN Pricing

Anyone willing to compare what kind of pricing they're getting from their VAR for a PA-820? Got a quote back from a new vendor this morning that I have a feeling is quite high.



Possible to count number and types of end devices connected to switches across a large network?

Hello Networkers!

I'm trying to build a spreadsheet that counts and displays the types of end devices we have distributed across a very large network.

Here is an example, assuming 2 buildings, with 1 switch in each building:

Building A has Switch A. Switch A has 15 Windows Computers, 13 Cisco VOIPS, and 3 Dell Printers.

Building B has Switch B. Switch B has 11 Windows Computers, 1 Unix Server, 4 Cisco VOIPS, and 1 Dell Printer.

Is there some toolkit or method that can help accomplish this?

I've found in the UDT (SolarWinds tool) the overall Vendor types distributed across the network, indicating some number of Windows devices across the entirety of the network, but it does not break it down to "under a given switch".

Thanks in advance!
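One way to build that per-switch breakdown yourself, as an added example that is not part of the post and not a SolarWinds/UDT feature: parse each switch's MAC address table (Cisco IOS "show mac address-table" layout assumed, sample output constructed here), map each MAC's OUI to a device class through a constructed placeholder OUI table, and skip uplink ports, which would otherwise count every device behind them.

```python
"""Count end devices per switch by vendor class, from MAC address tables.

Added example for the question above (not SolarWinds UDT). The OUI table and
the switch output below are constructed placeholders; real OUIs come from
the IEEE registry.
"""
import re
from collections import Counter, defaultdict

# Constructed OUI (first three octets) -> device class. Hypothetical prefixes.
OUI_CLASSES = {
    "00:11:22": "Windows PC",
    "AA:BB:CC": "Cisco VoIP phone",
    "DD:EE:FF": "Dell printer",
    "12:34:56": "Unix server",
}

# Constructed 'show mac address-table' output in Cisco IOS layout.
SAMPLE_TABLES = {
    "Switch A": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2200.0001    DYNAMIC     Gi1/0/1
  10    0011.2200.0002    DYNAMIC     Gi1/0/2
  20    aabb.cc00.0010    DYNAMIC     Gi1/0/2
  10    ddee.ff00.0020    DYNAMIC     Gi1/0/5
  10    0011.2200.0099    DYNAMIC     Gi1/0/24
  20    aabb.cc00.0098    DYNAMIC     Gi1/0/24
""",
    "Switch B": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2200.0003    DYNAMIC     Gi1/0/1
  10    1234.5600.0030    DYNAMIC     Gi1/0/3
  20    aabb.cc00.0011    DYNAMIC     Gi1/0/4
  10    9999.9900.0001    DYNAMIC     Gi1/0/6
""",
}

# One IOS table row: vlan, dotted MAC, entry type, port. Header/CPU rows do not match.
MAC_TABLE_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)",
    re.IGNORECASE,
)


def normalise_mac(cisco_mac):
    """aabb.ccdd.eeff -> AA:BB:CC:DD:EE:FF"""
    digits = cisco_mac.replace(".", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(mac):
    """Map a normalised MAC to a device class by its OUI."""
    return OUI_CLASSES.get(mac[:8], "Unknown")


def parse_mac_table(text, uplinks=frozenset()):
    """Return {port: [mac, ...]} for dynamically learned entries on non-uplink ports."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        m = MAC_TABLE_RE.match(line)
        if not m or m.group("port") in uplinks:
            continue
        if m.group("type").upper() != "DYNAMIC":
            continue  # skip the switch's own static/CPU entries
        by_port[m.group("port")].append(normalise_mac(m.group("mac")))
    return dict(by_port)


def count_devices(tables, uplinks=frozenset()):
    """tables: {switch_name: mac_table_text}. Returns {switch: Counter(class -> count)}.

    A port carrying a phone and a PC behind it yields two entries, so both count.
    """
    result = {}
    for switch, text in tables.items():
        counts = Counter()
        for macs in parse_mac_table(text, uplinks).values():
            for mac in macs:
                counts[classify(mac)] += 1
        result[switch] = counts
    return result


def to_rows(inventory):
    """Flatten to sorted (switch, class, count) rows for a spreadsheet/CSV."""
    return sorted((sw, cls, n) for sw, c in inventory.items() for cls, n in c.items())


if __name__ == "__main__":
    for row in to_rows(count_devices(SAMPLE_TABLES, uplinks={"Gi1/0/24"})):
        print(*row, sep="\t")
```

Feed it real output collected over SSH and replace the placeholder OUI table with the IEEE registry; "Unknown" rows are the devices worth a closer look.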



Cisco 819 RSSI solid green, but signal is -100?

I'm trying to figure out why my Cisco 819 isn't connecting to the LTE network (Verizon), and I noticed the RSSI LED light is solid green. According to Cisco's website it means that the signal is "very good >-60" but when I do a "show cell0 radio" it says the signal is -100. I have another test router that's doing the exact same thing. It shows only a hexadecimal number in the cell0 hardware. I wonder if Verizon changed the 4G LTE coverage for my area.



Open Traffic Shaper

Have any of you used this in production? Did it meet your needs/work well?



DNS issue on Ruckus R500

I just got a new Ruckus router and I am using PPPoE auth with the Ruckus in gateway mode. I cannot set the DNS to 1.1.1.1; the default DNS it's receiving is the DNS that my ISP is sending. How can I change it? My ISP allows setting up 3rd party DNS.

These are the DNS servers it's giving out:

120.138.96.18
120.138.98.18



Ways to limit access to subsections of websites that I didn't create?

I'm not sure if this is the right place but it seemed the most reasonable place to start.

I want to give a third party access to a website where I am a user (not the creator). However, that 3rd party should only have access to one section. Imagine that I'm giving them my reddit login. I would want them to shitpost onto https://www.reddit.com/r/pics/, but wouldn't want them to access my preferences & change the password https://www.reddit.com/prefs. Hypothetically.

My ideas are

(a) I can somehow route traffic through a proxy & the proxy can fail to deliver the subsections that I don't want. It's a little difficult to set up & it also requires that I set up a desktop where they remotely connect to but don't have permissions to change proxy settings or see the stored password. Plausible, but not optimal.

(b) I did find a Chrome extension that does this however, I can't figure out how to stop the user from just removing the blocks.

Is there another option? Is there a common solution for this? Thanks!



Ruckus Switches for Enterprise

I’m having a hard time finding a way to search this subreddit using my phone app.

Is anyone using Ruckus switches in an enterprise environment? If so, what are your thoughts in general?



[Question] Client VPN on Cisco C892FSP

Is it possible to create some sort of client VPN (not site2site) on a Cisco C892FSP without having a public CA (perhaps using a self-signed or Let's Encrypt certificate)? Our sysadmin tells me that it is not possible, and I think it might be possible, but I am not that experienced with Cisco.



Oldest tech you've seen still alive?

We got a customer which is now, in 2018, finally signing up to transfer their MAINFRAME services, which have been live for 30-some years, into 21st-century services. I'm amazed that stuff like that is still around. Does anyone see Frame Relay and ATM anywhere? I suppose "if it isn't broken, don't fix it" is a recurring thing in many places.



TL1 to automate xWDM tasks

Hi there

I've spent some time with TL1 scripts with the goal of lowering the amount of alarms in our xWDM network.

So far I've managed to write a script that scans our nodes for client port LOS and puts the ports into auto in-service (auto monitored) if the alarm has been active for more than 12h (the port goes back into service if it detects a signal for more than 5 minutes).

My other one finds OPR high/low (optical power received) on client ports and automatically logs in, gets the low/high threshold and compiles a simple text file with the node, port, received power and a suggestion on what attenuator to add (or just clean/replace the patch if the signal is too low) that I can forward to our delivery team.

Now that this is done I'm looking for other things to automate using TL1 and was hoping that you would have some suggestions?

Vendors: Infinera, Adva, Coriant 7300/7500/mTera (now Infinera), Ciena 5400 and BP, Huawei 1800/9800 and Nokia 1830.



Network Speeds?

Hi all, I'm a noob here... Excuse my ignorance... Got a question about read / write speeds across networks.

I have 3 systems connected via Gigabit ethernet switch. Testing Read / Write via Blackmagic Disk Speed Test.

When I test from machine 1 (Mac Pro) to Machine 2 (iMac with LaCie Thunderbolt Drive) I am getting:

Write = 81mb

Read = 68mb

When I test from machine 1 to Machine 3 (Old Mac Pro Cheesegrater - Internal WD Red) I am getting:

Write = 109mb

Read = 109mb

Any one know why there would be such a difference?

The reason I ask is I'm looking at installing a shared NAS between these three systems. What's the best way to test required network speeds on a Mac, beyond what I'm doing with the Blackmagic app? I've concurrently streamed sessions around 20-40gb from one side to another at the same time fairly well, but am trying to educate myself more before I take the leap. Post-production sound, if that's relevant.



IOS-XR - BGP conditional advertisement. How to?

I am familiar with this feature in the traditional IOS (https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/16137-cond-adv.html). However, I don't seem to be able to find how to configure this in IOS-XR. Specifically, how to advertise a set of prefixes to a given BGP neighbor if for instance, I stop receiving the default route from a given source.



How to setup a small-to-medium office network

Hi

Our company has ~11 Windows computers in the office and we're using the traditional Windows Home network with file and printer sharing. It's a mess. Some PCs have Windows 10, others Windows 7. Half the time User A can't access User C's hard drive or folder. Next day User D can't access User E's location. Next day Users A and G can't access Printer B.

I'm the designated "IT guy" and they always call me to fix these issues. No matter what I try - using correct IP addresses, the same workgroup, sharing settings - something always doesn't work right. Everyone else in the company is a total IT layman and probably doesn't even know what kind of a mess they are in.

I'm wondering what would be a proper way to set up a network like this from the ground-up? Should we get a server, to host all the files and manage permissions? If yes, how would that work, how to connect everything properly?

I have plenty of experience with computers, but I'm no system engineer. Could I handle this, or should we call in a professional company?

I'm also thinking we should get some kind of a CMS, because right now all company data and files are fragmented between different employee computers and their hard drives. There is no central access place, no backups, no organization except on user-level. If you have any suggestions it would be greatly appreciated.



RHEL6 - Duplicate hostnames on a network

As part of a technology refresh project (already gone through CAB and being railroaded by management) we've had a developer mandate to clone some existing RHEL6 VMs on the network. No big deal.

One of their non-negotiable requirements though is that these clones have identical hostnames to the originals (i.e. Server 1 and ServerClone 1 will have identical hostnames but different IPs; each server will only have one clone).

These cloned VMs will live in on a different VLAN than the originals and communication between the originals and clones will be forbidden at a firewall level. The originals and clones will both otherwise be able to communicate with the rest of the network (unless feedback from this thread forces me to change that too)

Is this going to cause any real issues besides just being generally messy? I know some versions of Windows Server like to broadcast their hostnames across the network, not sure about RHEL though. So long as the originals and their clones never "see" each other I'm hoping this will be fine? This will only last for one month.

These clones will not be added to DNS (/etc/hosts will be used on each clone to establish names of the other clones in order to simulate a production environment) and all network details on linux servers are defined via ifcfg (no automatic network addressing)



Replacing ASA 5555X to something better

Hey everyone. 

We have several ASA units, ranging from 5505 to 5555X. Our 5555X is reaching about 55% to 60% CPU during peak hours and we are looking to replace it.

Can anyone help me with some tips on what to look at, are HW boxes still the way to go, or is SDN something to look at ?

Also, we should probably look at 10Gbe.

Thanks for any suggestions.

J

Please rate as helpful, if that would be the case. Thanks



Enterprise network forward proxy design

Hi all,

A bit of background. I work in Healthcare in the UK as a network engineer. This is my first senior networking position.

We have a mid to large, enterprise, Cisco based network with a connection to a private Healthcare network, another to the internet and around 20 remote sites connected over the private network with IP VPNs. I'm in the midst of an edge firewall redesign and deploy and got to thinking about our forward proxy. Currently we are using a Trend appliance which is on the internal LAN.

My thoughts are this device really ought to be on our DMZ that faces the internet but I can't find any good resources or network diagrams/designs with this level of detail.

Are there any good resources, blogs to give me ideas? How are you guys doing your forward proxying?

Thanks in advance for any replies.



IGMP subscription randomly dropping

https://i.imgur.com/syUwpFP.png

One large network. No routers.

S1 and S2 each have two streams: Stream 1 and 2 from S1, and Stream 1 and 2 from s2.

They use the same multicast groups, but different port numbers to distinguish streams.

-IGMP snooping activated on all switches. querier timeout 120 sec.

-2x static multicast address configured in all switches

Initially, all PCs can subscribe to all streams.

After a while, we start to see the IGMP subscription getting dropped randomly. Sometimes from 1 PC, sometimes from several, and occasionally from all. After 120 seconds they resubscribe and the feed returns.

Switches are moxa industrial eds 5 series running firmware 4.022. I know there is a newer, but the changelog does not state any changes regarding IGMP.

I don't see any IGMP unsubscribe packet get sent from the PC, before this happens.

any ideas to why this can be happening?



Wednesday, November 7, 2018

Modem and routers

Hi guys, have been going through some basics of networking.

Since I cannot upload any images, this is how I am going to explain.

In the first course it does not mention anything about a modem; it says that the router is the one that connects to the internet, but in the other course the modem is the one that connects to the internet?

My conclusion is below:

The modem connects to the internet and then connects to the router, which routes or passes the internet connection to all of your devices.

A switch is only needed if there are not enough LAN ports on the router to connect multiple devices.

Is my conclusion correct ?

In the first course that does not mention anything about a modem, is it because the router it describes is also combined with a modem, all in one device (modem and router)?



Ruckus R500/R600 Unleashed Dev

So,

I'm new to Ruckus; my main aim is to replace my current TP-Link WR840N with R500/R600 APs. My ISP uses PPPoE to provide internet. I'm confused whether to configure the Ruckus router directly to the WAN or have the current TP-Link router as the intermediate with radios disabled and use Ruckus as the main radio? Thank you. All help will be appreciated.



OpenVSwitch Help -- integrating with Cisco CSR

Trying to get OVS working with Cisco CSR subinterfaces. Have a KVM CentOS host running several VMs, one of them being a CSR (which we want as a trunk to the OVS bridge). Have another two VM hosts that are just set up as access ports tagged to the OVS bridge. Setup is as follows:

(VM --> Port/Interface --> virtual bridge)

CSR --> csr0 --> br0 (trunk)

host --> host0 --> br0 (tag 1541)

host --> host0 --> br0 (tag 501)

CSR has just the one interface with two subinterfaces (encapsulated appropriately). This all works if I create several different interfaces for the CSR and map them to an access interface to the bridge, however I have a requirement to only have 1 interface on the CSR using subinterfaces only and a trunk to the bridge.

This isn't working for some reason on the router side. I can confirm my arp requests coming from the CSR have an ethernet header tagged with the correct vlan number, however it is not able to contact anything in the same segment. Any tips? CSR subinterfaces are set up with encapsulation dot1q vlan and the appropriate IP address (gateway for the host).

Some output:

Bridge "br0"
    Port "vlan1541"
        tag: 1541
        Interface "vlan1541"
            type: internal
    Port "vlan501"
        tag: 501
        Interface "vlan1541"
            type: internal
    Port "csr0"
        Interface "csr0"
            type: internal
ovs_version: "2.10.1"

vlan_mode for csr0 is trunk and for vlans is access.



Fortinet Accelerate Conference

Has anyone been to Fortinet's Accelerate conference? We're a recent new customer and my boss asked me if I am interested in going in April. I've never even heard of it until he mentioned it. I see the format is almost identical to Cisco Live, just 2 days shorter. Worth going? Thanks! https://accelerate18.com



Anyone work(ed) for Booz Allen?

Just curious how the day-to-day is for a Network Engineer there. Not sure if it's one of those places where you rot away essentially doing nothing, a super stressful fast-paced workload, or somewhere in between. Anything else you may feel worth mentioning. Sorry if this isn't the right sub.



migrating VM's with VCenter

I have vCenter 6.0, an ESXi 4.1 host, and an ESXi 6.5 host. Is it possible to migrate a VM from the 4.x host to the 6.x with vCenter? There is no SAN; all hosts use DAS.



Cisco IOS - How do I see cost for non-winning OSPF E1 route?

If I have an E1 route in my OSPF database that is not winning, how can I determine the cost of that route? I know how to calculate this by hand, by checking the bandwidth of each port along the way, but is there a way to see this or calculate this from the output of show commands on IOS? I have found some pieces of the puzzle, but cannot find the whole picture:

  • show ip ospf database external 10.1.1.0 - This will show me:
    • The original metric when it was redistributed (Default 20).
    • The advertising router
    • The forward address
  • show ip ospf database router [adv-router-from-above]
    • This will show me the links on this router, finding one matching the forward address listed above will tell me the cost of the stub interface "TOS 0 Metric".

Now I'm getting somewhere, but I am still missing the cost of all of the links between the stub network and my router for the shortest path.
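The arithmetic the two show commands above feed into, as an added example that is not part of the post: an E1 route's total cost is the LSA's external metric plus the intra-area SPF cost to the advertising router, or to the forward-address network (cost to the router that owns that stub link plus its TOS 0 metric) when a forward address is set. The topology, router names and LSAs below are constructed, single-area, and ignore the E1/E2 and intra-area preference rules a real router applies on top.

```python
"""Recompute E1 external route costs from router-LSA link costs.

Added example (not Cisco output or code). Topology and LSAs are constructed.
"""
import heapq

# Directed link costs as the router LSAs would carry them (outbound interface cost).
LINKS = {
    "R1": {"R2": 10, "R3": 100},
    "R2": {"R1": 10, "R3": 10, "R4": 10},
    "R3": {"R1": 100, "R2": 10},
    "R4": {"R2": 10},
}

# Stub links: forward address -> (router owning the stub link, its TOS 0 metric),
# i.e. what 'show ip ospf database router <adv-router>' shows for that link.
STUBS = {"172.16.0.5": ("R4", 1)}

# Two type-5 LSAs for the same prefix, as 'show ip ospf database external' lists them.
EXTERNAL_LSAS = [
    {"prefix": "10.1.1.0/24", "adv_router": "R3", "metric": 20, "fwd": None},
    {"prefix": "10.1.1.0/24", "adv_router": "R4", "metric": 20, "fwd": "172.16.0.5"},
]


def dijkstra(graph, src):
    """SPF from src; returns (cost-to-node, predecessor) maps."""
    dist, prev = {src: 0}, {src: None}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    return dist, prev


def shortest_path(graph, src, dst):
    """Hop list src..dst along the SPF tree, or None if dst is unreachable."""
    _, prev = dijkstra(graph, src)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def e1_cost(graph, stubs, me, lsa):
    """E1 cost = external metric + intra-area cost to the ASBR, or to the
    forward-address network (cost to its router + stub link metric) if set."""
    dist, _ = dijkstra(graph, me)
    if lsa["fwd"] is None:
        internal = dist[lsa["adv_router"]]
    else:
        owner, stub_metric = stubs[lsa["fwd"]]
        internal = dist[owner] + stub_metric
    return internal + lsa["metric"]


def rank_e1_routes(graph, stubs, me, lsas):
    """All candidate E1 routes with total cost, best first; entries after the
    first are the non-winning routes whose cost the RIB never displays."""
    return sorted((e1_cost(graph, stubs, me, lsa), lsa["adv_router"]) for lsa in lsas)


if __name__ == "__main__":
    for cost, asbr in rank_e1_routes(LINKS, STUBS, "R1", EXTERNAL_LSAS):
        print(f"via {asbr}: cost {cost}, path {' -> '.join(shortest_path(LINKS, 'R1', asbr))}")
```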



Aruba switches (3810) and trunking?

I'm trying to grasp the terminology differences between Cisco trunks and the Aruba/HP definition of a trunk.

We just got new Aruba switches and from what I'm reading their definition of a trunk is different from what I'm used to with Cisco.

If I have 4 uplink ports (single Ethernet) going to 4 separate switches, I should not trunk them but just tag the required VLANs to the port? I should not trunk them and add them to a "Trk1" group even though they are passing the same VLANs? I'm pretty sure this is correct but just wanted to be sure.



Cisco RV325K9NA and VPN and home network and lab (sorry long post, advice requested)

Hello.

I've never actually set up a VPN from scratch, and I'm wanting to cut my teeth doing it on my home network.

What I'm wanting to do is have a permanent mobile VPN so that no matter where I am, I'm "at home" and the same for my wife and kids. I want to be able to log into my Cisco Lab from anywhere with no effort as well.

A secondary motive is that if I'm forcing the kids' cellphones to VPN through the Cisco, I can shut off their internet connection and force them to <<the horror>> join the 19th century for some good ol' socialization.

Naturally, I'm going to sell it to them as "it's secure" (which it would be, of course) and "it's easy to find your phone if you lose it" (which is probably possible, but whatever).

On the other hand, it <thinking maybe> would allow me to control the 'smart home' I just purchased from a distance locally without using the cloud. Conjecture.

Anyway.

I bought a Cisco RV325.

My network is going to consist of:

Wireless

3x Google Wifi Pucks

LAB - On its own

There's going to be a management VLAN here for the switches, but no outbound traffic allowed

5x Cisco 2950 Catalyst Switches

3x Cisco Routers

1x Fortinet Firewall

1x Ubiquiti AP

Wired Network

2 Unmanaged Gigabit Switches

Whatever happens to be right next to the router (4 ports for that)

2 Ports for a NAS

1 Unused LAN Port

WAN to Modem

WAN to backup Cellular connection

So this is the global.

Most of this is easy.

The VPN is where things get extremely hazy for me.

I'm assuming that the VPN is going to be its own network which will have to be bridged or routed over to the local.

I am also assuming that the VPN client will allow me to set user privileges for where they're allowed to go, as well.

The VPN traffic is of course, in bound from the cloud one way, and right back out another gate. So that means it'll have to be routed, which means I am going to need a catch all that does not include any of MY networks that I want to get to.

So if my networks are [examples] 10.1.1.0/24 (wireless), 10.1.2.0/24 (home network), 10.1.3.0/30 (cisco lab), 10.1.4.0/28 or /29 (VPN network), and 10.1.5.0/24 then I just need to route everything that is coming from 10.1.4.0 to 10.1.1.0/22 and call it good, and then do a catch all of 0.0.0.0 0.0.0.0 <gateway>.

Then there's the lab itself, which is going to have an L3 route from the RV325 to the old-ass Cisco router ring (I have 3 in the lab). So I'm thinking of bouncing 10.1.3.1 to 10.1.3.2 on the first router and using a VLAN with 172.20.1.0/28 for the management on my lab.

But there's another piece to this, too. I don't have a static IP, which means I have to do this using DDNS, probably through no-ip.com or namecheap dyndns changeip or whomever. According to the patch notes, the RV325 will do at least no-ip and dyndns.

So any traffic that I am passing while I'm not at home is [I think] going to go:

[[[VPN][Cellphone-->Cloud-->DDNS (A name(?) to IP)-->Modem-->RV325]]]-->(Either Local Traffic or Modem)-->Cloud

Dunno! I have a feeling that I'm overthinking this.

Someone tell me if I'm barking up a crazy tree or if I'm close?



Recommendations on how to troubleshoot DHCP issues with adtran wireless and VLANS

I am having issues with Adtran APs and wireless DHCP.

I have two SSIDs, a native VLAN and a guest wireless network. The APs are plugged into an HP switch with appropriate VLAN tagging.

The issue I have is that when a client who was connected to the main network connects to the guest network, they retain their DHCP lease from the Windows server where DHCP is being handled by a fortigate firewall.

If I have them drop the connection on the phone for example and then drop the connection on the controller, they get the proper DHCP lease.



Remote print jobs taking 20 min to print and gets cut off

We are trying to print documents to a remote site. Sometimes the print job works just fine: we hit print and the remote site receives it within a few minutes. Lately it's taking 15-20 min to print when a lot of users are trying to print at the same time. We hit print, the job gets sent to our print server, goes to our firewall, and across the VPN to the remote site's printer.

We've made sure the drivers are up to date on all the PCs.

What may be causing the issue?



Anyone seen this on a 2960X before?

I ordered a batch of eleven 48-port PoE 2960Xs to upgrade our back-end network.

They have been running great however the switch on the 6th floor randomly stopped allowing any traffic to go through the main trunk port.

I was able to ping to other switches from the switches command line but nothing connected to the switch would get to the network.

I swapped it out with another identical switch that I had set up as my hot spare and attempted to do a factory reset on the switch in question.

After running through the baseline setup, this is the error I receive through the console port.

https://imgur.com/a/HKx3So2

I've already opened a ticket with Cisco, and this is the only switch out of the 11 that I have seen this message on. Is it possible that it's bad firmware? Also, since doing a factory reset the switch is still having the identical issue as before: I can ping all other switches from the command line, but I cannot get any devices connected to the switch to get past it.

Thanks again for everyone's help on these issues.



WiFi AP/Router Suggestion?

Have a client with multiple WiFi users, 80% are for phones. The rest are PC & security cams.

It's a small shop with bad cellular signal (old factory with thick walls), thus allowing the phones to connect. But they do often stream music via the phones.

I would like to control the bandwidth usage of the phones.

I looked at Google WiFi but it seems I can only setup a maximum of 4 hours priority for devices. Though I do like how I could turn off the internet via "Family Time" for them too.

Basically I want the laptops/tablets to have full bandwidth. The cameras are mostly turned off during the day.

Suggestions for an AP or router for easy maintenance of added devices? I don't want to have to enter new MAC addresses every day. Optimally mesh units, as I don't have Ethernet ports everywhere.



Prefix Delegation with ISC DHCPv6

I'm trying to lab up an environment where my ISC DHCP server is handing out a /64 prefix to each router that connects to it. What I'm experiencing is really odd though. My Vlan100 works as I would expect. The end router grabs an address for its WAN port, and I see a /64 assigned to the LAN side. The static route is created on my cisco gear in this process, and traffic flows as I would expect.

However, on my other two - Vlan 101 and 102 - I can't get the same model of router with the same config to grab a prefix or WAN IP. I see the reply from the DHCP server, I see the static route entry created on the cisco equipment (relay), but the end device never accepts the IP or prefix.

I can take the same working router, move it to one of my problematic Vlans, and it will experience the same problem. I've tried multiple routers on my working Vlan with no issues except for Vlan 101 and 102.

Also to note, if I issue show ipv6 interface, Vlan 101 will show something like this:

Global unicast address(es): fc00:aaaa:500::, subnet is fc00:aaaa:500::/64 [DUP] 

The odd thing is I can remove that prefix and assign it to a different interface, and it will not show [DUP]. If I assign a different prefix to that interface [DUP] will go away for a while, but eventually return on the new prefix. I can remove those prefixes completely, and have no route in the routing table for that prefix.

I've been trying to figure out what is causing my grief for the past two days, and I can't seem to come to a resolution. IPv4 DHCP works just fine on those Vlans. Any guidance is greatly appreciated.

Here is my ISC config. -- Changed addresses for obvious reasons.

default-lease-time 2592000;
preferred-lifetime 604800;
option dhcp-renewal-time 3600;
option dhcp-rebinding-time 7200;
allow leasequery;
option dhcp6.name-servers 2001:4860:4860::8888, 2001:4860:4860::8844;
option dhcp6.domain-search "my.lab";
option dhcp6.preference 255;
option dhcp6.rapid-commit;
option dhcp6.info-refresh-time 21600;
dhcpv6-lease-file-name "/var/lib/dhcpd/dhcpd6.leases";

# link that contains the relay destination fc00:aaaa:0:1::2
subnet6 fc00:aaaa:0:1::/126 {
}

subnet6 fc00:aaaa:100:1000::/64 {
  range6 fc00:aaaa:100:1000::1 fc00:aaaa:100:1000:ffff:ffff:ffff:ffff;
}

shared-network vlan100 {
  subnet6 fc00:aaaa:100:1001::/64 {
    range6 fc00:aaaa:100:1001::1 fc00:aaaa:100:1001:ffff:ffff:ffff:ffff;
    # prefix6 <first> <last> /<len>: /64s from fc00:aaaa:101:: through fc00:aaaa:101:7f::
    prefix6 fc00:aaaa:101:: fc00:aaaa:101:7f:: /64;
    default-lease-time 1209600;
    max-lease-time 1209600;
    min-lease-time 172800;
  }
}

shared-network vlan101 {
  subnet6 fc00:aaaa:100::/64 {
    range6 fc00:aaaa:100::1 fc00:aaaa:100::ffff:ffff:ffff:ffff;
    # as posted: the pool end (fc00:aaaa:100:1f::) lies below the pool start (fc00:aaaa:101:10::)
    prefix6 fc00:aaaa:101:10:: fc00:aaaa:100:1f:: /64;
    default-lease-time 129600;
    max-lease-time 129600;
    min-lease-time 86400;
  }
}

shared-network vlan102 {
  subnet6 fc00:aaaa:500::/64 {
    range6 fc00:aaaa:500::1 fc00:aaaa:500::ffff:ffff:ffff:ffff;
    # as posted: start and end are the same address, so this pool holds exactly one /64
    prefix6 fc00:aaaa:501:: fc00:aaaa:501:: /64;
    default-lease-time 129600;
    max-lease-time 129600;
    min-lease-time 86400;
  }
}

And here is my interface configuration.

! each interface address below has an all-zero interface ID, i.e. the
! subnet-router anycast address of its /64 (RFC 4291, section 2.6.1)
interface Vlan100
 ipv6 address fc00:aaaa:100:1001::/64
 ipv6 enable
 ipv6 nd prefix fc00:aaaa:100:1001::/64
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination fc00:aaaa:0:1::2
 ipv6 eigrp 1
!
interface Vlan101
 ipv6 address fc00:aaaa:100::/64
 ipv6 enable
 ipv6 nd prefix fc00:aaaa:100::/64
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination fc00:aaaa:0:1::2
 ipv6 eigrp 1
!
! as posted: no "ipv6 enable" on this interface (not required once an address is configured)
interface Vlan102
 ipv6 address fc00:aaaa:500::/64
 ipv6 nd prefix fc00:aaaa:500::/64
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination fc00:aaaa:0:1::2
 ipv6 eigrp 1
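An added check, not part of the post, that reads the prefix6 pools from the dhcpd6 config exactly as posted and reports what each pool can actually delegate: how many prefixes it holds, whether its end precedes its start, whether it collides with the link subnet, and whether two VLANs could hand out the same /64. It is a config-side check only; it says nothing about the relay, DAD or the [DUP] flag. The config string is a copy of the three shared-network blocks above; the "fixed typo" variant in the usage note is an assumption for demonstration, not something the post states.

```python
import ipaddress
import re

# Constructed copy of the three shared-network blocks from the posted dhcpd6
# config, addresses exactly as posted (global options are not needed here).
ISC_CONFIG = """
shared-network vlan100 {
  subnet6 fc00:aaaa:100:1001::/64 {
    range6 fc00:aaaa:100:1001::1 fc00:aaaa:100:1001:ffff:ffff:ffff:ffff;
    prefix6 fc00:aaaa:101:: fc00:aaaa:101:7f:: /64;
  }
}
shared-network vlan101 {
  subnet6 fc00:aaaa:100::/64 {
    range6 fc00:aaaa:100::1 fc00:aaaa:100::ffff:ffff:ffff:ffff;
    prefix6 fc00:aaaa:101:10:: fc00:aaaa:100:1f:: /64;
  }
}
shared-network vlan102 {
  subnet6 fc00:aaaa:500::/64 {
    range6 fc00:aaaa:500::1 fc00:aaaa:500::ffff:ffff:ffff:ffff;
    prefix6 fc00:aaaa:501:: fc00:aaaa:501:: /64;
  }
}
"""

SHARED_RE = re.compile(r"shared-network\s+(\S+)\s*\{(.*?)\n\}", re.S)
SUBNET_RE = re.compile(r"subnet6\s+(\S+)\s*\{")
PREFIX_RE = re.compile(r"prefix6\s+(\S+)\s+(\S+)\s*/\s*(\d+)\s*;")


def parse_pools(text):
    """[(vlan, link_subnet, first_prefix, last_prefix)] for every prefix6 line.

    ISC's syntax is 'prefix6 <low> <high> /<bits>;' where <high> is the start
    of the *last* delegable prefix, so a pool of one /64 has <low> == <high>."""
    pools = []
    for vlan, body in SHARED_RE.findall(text):
        link = ipaddress.IPv6Network(SUBNET_RE.search(body).group(1))
        for lo, hi, bits in PREFIX_RE.findall(body):
            first = ipaddress.IPv6Network((lo, int(bits)), strict=False)
            last = ipaddress.IPv6Network((hi, int(bits)), strict=False)
            pools.append((vlan, link, first, last))
    return pools


def pool_size(first, last):
    """How many prefixes the pool can delegate (0 when the end lies below the start)."""
    lo, hi = int(first.network_address), int(last.network_address)
    if hi < lo:
        return 0
    return (hi - lo) // (1 << (128 - first.prefixlen)) + 1


def span(first, last):
    """Inclusive integer interval covered by a pool (or a single network when first == last)."""
    return int(first.network_address), int(last.broadcast_address)


def overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_pools(text):
    """vlan -> list of findings a practitioner would want to see before debugging the relay."""
    pools = parse_pools(text)
    findings = {vlan: [] for vlan, _, _, _ in pools}
    for vlan, link, first, last in pools:
        n = pool_size(first, last)
        if n == 0:
            findings[vlan].append("empty pool: end %s precedes start %s" % (last, first))
        elif n == 1:
            findings[vlan].append("pool holds a single prefix (%s); only one router can be served" % first)
        if n and overlap(span(first, last), span(link, link)):
            findings[vlan].append("pool overlaps the link subnet %s" % link)
    # the same /64 must not be delegable on two links
    for i, (v1, _, f1, l1) in enumerate(pools):
        for v2, _, f2, l2 in pools[i + 1:]:
            if not (pool_size(f1, l1) and pool_size(f2, l2)):
                continue
            if overlap(span(f1, l1), span(f2, l2)):
                findings[v1].append("pool overlaps %s's pool %s - %s" % (v2, f2, l2))
                findings[v2].append("pool overlaps %s's pool %s - %s" % (v1, f1, l1))
    return findings


if __name__ == "__main__":
    for vlan, issues in check_pools(ISC_CONFIG).items():
        print(vlan, issues or ["ok"])
```

Run as posted it reports vlan100 clean (128 prefixes), vlan101 empty (its end address sorts below its start) and vlan102 limited to a single /64. If the vlan101 end were fc00:aaaa:101:1f:: instead (an assumed typo fix, not something the post says), the check would instead flag that vlan100 and vlan101 can both delegate fc00:aaaa:101:10::/64 through fc00:aaaa:101:1f::/64, which is the other thing to rule out before looking at the relay.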



rj11 to rj45 back to rj11

Hey Reddit,

Background:

I hope this is the right place for this, but I recently started a new job where the previous IT guy quit and is no longer in contact with the company. They have a fax machine that isn't working (for who knows how long) and I have been tasked to fix it. I used a toner to find where it goes and found the block/modem.

The problem:

From what I see this is how the cable goes: modem, Cat6 stripped down to blue/blue-white to a block; from the block it splits into 3 cables, 2 plugged into nothing and 1 spliced to a splitter (https://imgur.com/a/M0vj8ZH). From this device it goes to an RJ11 into the ceiling. From the ceiling I don't know where it goes, but the tone at the final destination is an RJ45 jack (https://imgur.com/a/K5J4xlL). I can hear the tone through the phone line but I do not get a dial tone. I have tried a few different wirings on the destination with no luck.

Other info:

I get a dial tone plugged into the modem, I get a dial tone plugged into the splitter device, I do not get a dial tone from the wall jack but I can tone the whole way through.



Cisco switch - routed interface with vlan subinterfaces?

In the Juniper world you can run flexible-ethernet-services on a router interface and then have subinterfaces which have an IP address, or subinterfaces which can be part of a VPLS (so logically acting as a layer 2 port).

Is there a Cisco equivalent? In this use case, we have an MX router which is connecting to a Cisco 9300 switch via tengig fibre.

We are passing a number of vlans through from a carrier, passing through an MX (vpls) and going into the switch.

We also have a requirement for this switch to be layer 3, so it will have a number of point-to-point routed interfaces connected to our MX routers.

Basically I'm looking for a solution which saves us running extra fibre from our MX as Ports are getting scarce. Ideally I would like to be able to have a switch port acting as a routed port with subinterfaces and also have one of those subinterfaces acting as a bog standard switch port

Impossible or not?



RSA Radius

Hoping someone here has some experience with this.

Has anyone used RSA as their RADIUS server? We use it as RADIUS (and SecurID) for our network gear, and are planning to do a RADIUS key change. This is an impossible task to do point and click, so does anyone know of a way to do it en masse?



I can't access to specific one website, it looks to be blocked by my router!


Cat 6 jack wire layout is different in instructions.

The instructions of my cat 6 jacks are showing to place the wires in different spots than the actual jacks show. Which do I listen to to make sure I get working internet?! I don’t want to do my whole house and be wrong.

https://i.imgur.com/WEsGZ0O.jpg

Thank you for your time. This is my first time wiring a house for Ethernet and using a patch panel/etc.

Edit: After looking at it, it seems if I flip it around the A/B are upside down compared to the instructions but the colors match.

The instructions even show solid colors being place where the picture shows blue/white should be.

I’m so confused.



How important is AP support for 4x4:4 MIMO vs. 3x3:3?

Comparing Aruba's AP-305 to AP-325, the major difference I'm not sure about is the MIMO chains.

Even though the vast majority of clients support only 2x2, there are (marginal) aggregate performance gains from more chains on the AP thanks to downlink MU-MIMO, beamforming, and lower rx error rates due to MRC.

But is the fourth tx/rx chain in the 325 really worth twice the price of the 305? My feeling is I'd rather have double the APs for better density/capacity with 3x3 APs, vs. half the APs with 4x4. Interested in input.

Edit This is an honest question without an obvious answer that I can see. Please explain instead of just downvoting, thanks.



SDWAN (Century Link with Versa appliance) and IPsec tunnel only communicating one way

So I'm brand new to the SDWAN environment and we have great communication between our other SDWAN sites. The problem is coming with creating an IPsec tunnel to a non-SDWAN site. I was able to create a tunnel and it becomes active. I can even start communication from my side and hit the remote site. The problem is that they cannot initiate communication with anything on our end. The web interface for this stuff is confusing to me and Century Link is looking into this but they don't seem to know much about creating tunnels on it either (going on day 3 of troubleshooting). Is there anyone here familiar with Versa appliances and Century Link SDWAN?

Also the other end of the tunnel is set up correctly, though I don't have access to it. We had this tunnel up and running before I switched my device to the Versa. I have a feeling there is some sort of access list that may be blocking the incoming connections. Whatever other information is needed just ask. I'm new to it so I'm not entirely sure what info is important.



Important Question About Configuring Users’ Working Environments

You have been told that all users in the Marketing Department must have a computer working environment that meets certain criteria. Marketing Department users don't always sign in to the same computer every day, so these requirements should apply wherever they sign in. You have a Windows Server 2016 domain, and all computers are domain members. All Marketing Department user and computer accounts are in the Marketing OU. All desktops run Windows 10. The criteria follow:

  • Marketing users must be able to access documents they save in the Documents folder in their profiles from any computer they sign in to.
  • A company marketing application must be installed automatically when users sign in if it's not already installed.
  • The marketing application they run leaves behind temporary files named mktapp.tmpX in the C:\MktApp folder (with the X representing a number). These files contain sensitive information and must be deleted when the user signs out.

How can you make sure all these criteria are met? What should you configure to meet each criterion? Be specific about any options that should be enabled or disabled and how the configuration should be applied.



Dark Fiber Service Providers

To anyone working as a Dark Fiber service providers/vendor:

- When lending/selling fiber to telecoms or data centers, do you have fixed fiber SLAs? As in if the fiber is cut/broken are you the one who is supposed to fix it, or is it the telecom?

- Do you use any fiber monitoring systems/tools? If yes - what?

Thanks!



Huawei Knowledge Base

Hello guys.

Some here might know me, some might not.
I'm a Huawei Enterprise employee from the marketing department.
I joined this company like 4 months ago and I spend 3 of them trying to convince the HQ to improve the Community self-service and Knowledge Base platforms.

I'm based in Romania at the Huawei Enterprise GSC and if you ever drop me a PM with a Huawei Enterprise related issue I'll make sure to connect you with an engineer.

Now, going to the main point, we will soon move the Knowledge Base and Community production, maintenance and administration in Europe (this is totally not related to the fact that the HQ China guys have no idea how to run a forum/knowledge base :D ).

My question is, for the people that use Huawei equipment, what would you want from a Community platform or a Knowledge Base and how was your experience with it until now, if any?



Requiring some help with routed summarised (aggregated) address and subnet mask

Hi, so I am fairly new to networks and was wondering if someone could help me

I have the following networks

176.50.74.0/24
176.50.75.0/24
176.50.76.0/24
176.50.77.0/24
176.50.78.0/24

I understand that the subnet mask will start off as

255.255.x.x

And it will also be

176.50.x.x

Thanks in advance for any responses
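An added example, not from this post or from the RV325 VPN post above, that serves both: it computes the single route that covers a list of networks, the exact collapsed set that covers them and nothing else, and, for a proposed summary such as the 10.1.1.0/22 in the VPN post's plan, which networks it misses and which address space it pulls in. The inputs are copied from the two posts; nothing else is assumed. Note that 10.1.1.0/22 has host bits set, so the check normalises it to 10.1.0.0/22 (strict=False), which is what a router would install.

```python
import ipaddress

# Inputs copied from the two posts (constructed lists, nothing added).
FIVE_NETS = ["176.50.74.0/24", "176.50.75.0/24", "176.50.76.0/24",
             "176.50.77.0/24", "176.50.78.0/24"]
HOME_NETS = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/30", "10.1.4.0/28", "10.1.5.0/24"]
PROPOSED_SUMMARY = "10.1.1.0/22"   # as written in the VPN post


def summary_route(prefixes):
    """Smallest single prefix that contains every network in prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    width = nets[0].max_prefixlen
    plen = width
    # shorten the mask until the lowest and highest address share their network bits
    while plen > 0 and (lo >> (width - plen)) != (hi >> (width - plen)):
        plen -= 1
    shift = width - plen
    return nets[0].__class__(((lo >> shift) << shift, plen))


def exact_summary(prefixes):
    """Fewest prefixes that cover exactly the given networks and nothing else."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))


def uncovered(summary, prefixes):
    """Networks the summary does not contain (host bits in summary are masked off)."""
    s = ipaddress.ip_network(summary, strict=False)
    return [n for n in map(ipaddress.ip_network, prefixes) if not n.subnet_of(s)]


def extras(summary, prefixes):
    """Address space inside the summary that belongs to none of the networks."""
    remaining = [ipaddress.ip_network(summary, strict=False)]
    for p in map(ipaddress.ip_network, prefixes):
        nxt = []
        for r in remaining:
            if p.subnet_of(r):
                nxt.extend(r.address_exclude(p))   # yields nothing when p == r
            elif not r.subnet_of(p):
                nxt.append(r)                       # untouched by this network
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    s = summary_route(FIVE_NETS)
    print("covering summary:", s)
    print("exact set:", [str(n) for n in exact_summary(FIVE_NETS)])
    print("space the summary adds:", [str(n) for n in extras(s, FIVE_NETS)])
    print("home summary:", summary_route(HOME_NETS))
    print("not covered by %s:" % PROPOSED_SUMMARY,
          [str(n) for n in uncovered(PROPOSED_SUMMARY, HOME_NETS)])
```

The difference between `summary_route` and `exact_summary` is the trade-off behind every summarised route: one prefix is cheaper to carry but also claims addresses you do not own (here 176.50.72.0/23 and 176.50.79.0/24), so on a border it should be paired with a discard route for the summary, or the exact set should be advertised instead.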



TAC Engineer of Reddit. How did you survive? (Please share tips, strategies and ways you make it through)

This is open to anyone who works in a TAC (Cisco, Juniper, Dell, Cumulus) I started working in TAC a few weeks ago and I've noticed the job is insanely time consuming. Literally you've got 80 hrs a week of work with less than 40 to complete it, otherwise you're taking it home. Looking for some tips and strategies to work smarter.

Edit title: TAC Engineers*



Do Network Engineers Need to Be Developers?

The short answer to this question is “not really,” but they do need to be aware of the developer tools that are available and adopt a developer mindset.



For those who if they keep hearing "DevOps", "Python ", "Automation" are gonna kill somebody... read on.

Career-centric posts seem to be liked here judging by the average level of comments/upvotes VS other types of posts, probably due to the fact that career = $$$.

Anyway, I've recently changed jobs and I wanted to give my two cents when it comes to "up-skilling" oneself and what one should focus on, especially in today's environment.

Some of you seem to believe that a network engineer + automation (whatever that translates to for you) is not yet "worth the time" or that it's "just a fad", at least from the perspective of "what's the salary difference?". It's true, you're probably not gonna earn double your current rate just by knowing some Python. What is also true is that the ground is shifting, and while knowing some "automation" is not a kill-or-be-unemployed kind of situation (yet), it will get there with time.

Where I come from

A few months ago I passed my CCIE (R&S). I was working for Amazon for about 2 years as an NDE. As anyone that has worked in Amazon can tell you, a CCIE is pretty worthless in the sense that you're hardly ever gonna use any cisco-specific stuff. I did it because I had it among my goals ever since I got into networking.

Amazon is doing tons of recruiting for network engineers; they never seem to have enough. As an NE yourself, after about 6 months you are placed on the interview rotation as an interviewer, be it phone screens or on-sites. As you can imagine, generally people "throw themselves" to get into Amazon, yet the % of people that pass all interviews is minuscule. Rejections are the norm even after ~3 phone screens and a 6-hour on-site. A few months before I left we got a directive where scripting / coding or an automation-oriented mindset is now a mandatory requirement; before it was just a "nice to have", and while it was tested, you couldn't really be disqualified just because you don't know some Python.

This change happened even though our rejection rate was already through the roof... and you can imagine what that number might look like now.

I wanted to move on from Amazon and explore something else, so I did some job searching. One thing I realized recently: NETWORKING IS IMPORTANT., and I don't mean the tech kind but the people kind. While before I couldn't give two shits about what other people do, never participated in any networking event, etc, I realized that that was a terrible mistake. Yes, I am still not as chatty as I'd like, nor can I really care about others, but forming relationships is important, especially when you are looking for a new job.

As an anecdote, I was talking with an ex-colleague about the fact that I was looking for a new gig, and he immediately let me know that they were "kinda looking" for somebody for a position for which he's the hiring manager. This job was an 18-month contract with double the salary I used to have at Amazon, and since I had worked with both him and the project's tech lead, they were happy to skip formalities and start immediately. No interview, no anything. Mind that there was no way I was getting this offer from some website like Indeed. This role was never publicly published (which is reserved for a last-resort kind of thing in many companies). (I later decided not to accept, as the gig was very Cisco ACI-heavy and that's not something I want to focus on at this point in my career.)

After some other calls, I had two offers in my hand, one from a Fortune 500 company, and one from a smaller, leaner company. The F500 company's offer was 30% higher than what they had in mind to pay as "the top" (I got wind of this from a person I know who works at the same company). They chalked this up to "it's extremely rare finding someone with both network and 'automation' skills".

In the end I accepted the offer from the smaller company, mainly because:

  • I've been in big companies my whole career and wanted to see the other side
  • Money is not a big part of my life at the moment, as in, it's not my absolute number 1 focus when job-hunting (as long as it's above my minimum acceptable)
  • Connecting to the point above, learning is my number 1 priority job-wise, and in my current role I can deal with Docker / Ansible / Jinja2 / YAML / Python / Jenkins / AWS / Azure / GC and more and I spend most of my day writing in python or fixing Ansible playbooks / jinja templates etc.

When you come from a company like Amazon, the use of free/open-source tools which form knowledge that you can then bring anywhere else is really refreshing. I am also relatively young, so knowledge/experience acquisition is my main focus at the moment.

After the first month on the job at my new company, I got into recruiting other network engineers, since we need more and quickly. We had the same requirements as Amazon (notice a trend?), the only difference is that, after 10s of rejections (and we rejected 100s without even an interview just because the CV didn't fit), we relaxed our search to somebody that has rock-solid networking experience and an automation mindset.

I've mentioned this before in the text, so what does having an automation mindset mean? It doesn't mean you know Docker or how to program in Python, nor that you know what an Ansible playbook is. What it means is "can this person in front of me think programmatically, and would he/she be able and motivated to learn tools / languages?". Basically, if I ask you "how would you configure a description on the same interface on 10,000 devices?" your answer better not be "I open 10,000 SSH connections and multi-input the config on all at the same time". Having the ability to at least write some pseudo-code or describe how you would approach and resolve a problem programmatically is crucial.

Is there a premium paid because you know Python / Ansible / Jinja / TextFSM / whatever ? The answer is YES. This generally comes in various forms:

  • It's your foot in the door for positions for which you would have been otherwise not even considered

  • You generally get a 10-30% premium in total comp

  • You generally spend more time in "high level stuff" than "low level stuff", or it's at least a combination of the two. This makes sense if you think about it - these companies want you to automate away boring stuff or build tools that remove the human from the equation (auto-remediation tools, config-generation / validation / deployment tools, etc).

Is there a learning curve? Absolutely. Are certifications dead? Far from it, but you better supplement with something else. Once I finally passed my CCIE I didn't just rest and stopped. I always like to remind myself that if you're not improving today in some way, then that means you've just gotten worse. What brought you till here won't bring you any further (God I sound like a motivational speaker...). (Sidenote, I still have plenty of INE tokens from my CCIE lab days, feel free to PM me if you're interested).

Look, you're not gonna be out of a job just yet, we all know it. 10 years from now you will probably still find job postings for "normal" network engineers. Many of you came into networking because "not much changes" over years. BGP is BGP, TCP is still the same TCP from 30 years ago (minus some improvements).

I doubt TCP will radically change in 10 years (for that, I doubt that IPv6 will globally catch on in 10 years too), but our interaction with network devices, how protocols are configured, how devices are monitored, etc is gonna change (it has already in many networks).

On learning new skills

Here's the deal: you don't have to learn 100 technologies / tools / languages top to bottom all in 1 week. It's extremely easy to get overwhelmed when you look at what should I learn now?. This is especially true if you, like me, just finished with a major "learning block" recently (e.g CCIE). The beauty of a certification program is that the requirements and sub-requirements are all listed there, you go through this list and poof, you can go and give the exam and you have a piece of paper that proves you "worked on this". It's much more difficult when everything is self-directed. You could choose to learn anything, but how do you know what's important and what's a fad? How do you know what skills will you need 5, 10 years from now VS skills which will become obsolete the next round of the hype-cycle?

If I've learned anything about learning any subject is the following:

1) Learn very well the basics, because anything you're gonna build on top of those foundations will make or break you (and your career). If you don't know how ARP works, forget about Python or Ansible or whatever. Go read some RFCs or some books. If you're 10 years in your career and still don't know all the TCP flags, I have bad news for you.

2) Don't follow hype / (pre)sales speak / vendor speak. You know what I can be reasonably sure of in 5 or 10 years? That BASH will still be here. It's also extremely probable that Python will still be here. Will Jinja2 be the templating standard 10 years from now? Probably not. When deciding where to move next, you probably will want to move to technologies or skills that will come in handy in the long run. Ansible is built on top of Python. If you knew Python, don't you think you'd be able to pick up Ansible very quickly? I'm not even suggesting you need to learn Python, but you should develop a programming mindset and exercise it in whatever language you want.

3) Don't forget. Impossible? Yes, remembering 100% of everything may not be possible nor desirable (do you really need to remember that last episode of GOT?) but you can achieve 90-95% for your most important information (you know, information that actually makes you money...) and that's what you want. What I'm talking about is spaced repetition, which comes in the incarnation of a software called Anki (there are others, but that's what I use). This method of remembering works wonders especially for our field, where information is generally "certain", as in, there's a document specifying what the intended behavior is. You can apply this to both network engineering info and programming (generally you want to memorize some of the most used and useful base libraries of your language of choice). Have a read here for how one guy applied Anki to programming (but it can be generalized to almost anything).

4) Take it one step at a time and be reasonable. You can't learn everything at once - prioritize and chip away at it over a period of time. Knowledge compounds like compound interest. The more you know about something, the easier it is to learn something different but somewhat related because you already have references in your knowledge base to the underlying subject. If you know how a python dictionary works, then you can learn how to read a YAML file and make use of that data. If you know YAML or Python, then you can already correlate that to why Jinja2 allows you to access variables with the $PARENT_KEY.CHILD_KEY.SUB_CHILD_KEY construct or with $PARENT_KEY["CHILD_KEY"]["SUB_CHILD_KEY"] (which is the same thing).

Look, I'm not here to tell you that I have all the right answers or hell, even a majority. Like I said, I'm pretty young and my opinion might radically change in 10 years. What I am saying is that you should probably stop making excuses on why today you've not learned 1 more thing. I've seen plenty of network engineers that like to kind of "coast" and live off only of their current knowledge. These are the people that write in the resume "10 years of experience" when in reality it's 1 year of experience repeated 10 times.

Don't be one of them.

Cheers.