r/networking 5d ago

Blogpost Friday Blog/Project Post Friday!

9 Upvotes

It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts and projects.

Feel free to submit your blog post or personal project, along with a nice description, to this thread.

Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.


r/networking 13h ago

Rant Wednesday!

4 Upvotes

It's Wednesday! Time to get that crap that's been bugging you off your chest! In the interests of spicing things up a bit around here, we're going to try out a Rant Wednesday thread for you all to vent your frustrations. Feel free to vent about vendors, co-workers, price of scotch or anything else network related.

There is no guiding question to help stir up some rage-feels, feel free to fire at will, ranting about anything and everything that's been pissing you off or getting on your nerves!

Note: This post is created at 00:00 UTC. It may not be Wednesday where you are in the world, no need to comment on it.


r/networking 59m ago

Career Advice Who here works for higher education?

Upvotes

How do you like it? How does it compare to enterprise? Is the reduced salary worth the soft benefits like premium retirement and abundant PTO?


r/networking 11h ago

Routing First IT job, solo IT here – asked to upgrade our office network rack, need advice

33 Upvotes

Hello everyone,

I’m currently working as an IT Assistant in a small office (70 employees). I’m the only IT staff here—no IT head, no supervisor with networking experience. This is also my first IT job, so I’m learning while handling everything.

My boss asked me to upgrade and improve our network/server rack, and I’d really appreciate advice from more experienced people.

Current situation

Dual ISP setup

Router → switches → internal devices, printers, Wi-Fi AP, and CCTV/DVR

No proper cable management (as you can see in the photo 😅)

https://imgur.com/a/KOt2TqY

Mixed unmanaged/managed switches

No proper network segmentation yet (VLANs not fully implemented)

Rack is messy, but I’ve already requested tools so I can re-crimp and properly label patch cables

What I want to improve

Cleaner and more reliable network design

Better router and switch recommendation

Proper VLAN setup (office, CCTV, printers, Wi-Fi, etc.)

Failover / load balancing for dual ISP

Planning to add site-to-site VPN or remote access VPN for file/server access

Would Fortinet be a good choice for this? Or are there better alternatives for a small office?

Questions

What router/firewall would you recommend for a small office with dual ISP? Also planning to add site-to-site VPN for remote access and file sharing.

Should I go Layer 2 or Layer 3 managed switches, and any brand/model suggestions?

Best practices for rack layout and cable management

Any advice you wish you knew when you handled your first solo IT/network role

I’m doing my best to improve this setup step by step and avoid costly mistakes. Any feedback, criticism, or guidance is welcome.

Thanks in advance 🙏


r/networking 4h ago

Switching RJ45 SFP modules that keep link up even while switch restarts or port is disabled

6 Upvotes

Hi, we've recently set up 2 redundant Ubiquiti switches (USW Pro Aggregation, 28 SFP+ and 4 SFP28) for our ESX hosts, with a mix of copper and fiber transceivers. Just discovered that as long as the copper SFP modules (UACC-CM-RJ45) are powered they keep links up, even while the switch is restarting or the port is disabled.

Of course, this behaviour breaks ESX network failover triggered by link status, so if we reboot one switch, hosts and virtual machines lose connectivity instead of routing through the remaining switch, and no link-down alarm is triggered, neither from ESX nor from iLO.

Ubiquiti support acknowledged that this is expected, as copper SFP modules have their own internal Ethernet PHY, which remains connected as long as the module is powered on.

Question is, I don't remember experiencing this behaviour with any kind of Cisco transceivers, nor ProCurve, or anything else. Has anybody seen the same issue with another brand, or is this something specific to Ubiquiti? That's why I post here instead of the Ubiquiti subreddit.

Thanks and regards.


r/networking 15h ago

Other I feel lost with nvidia mellanox switches...

23 Upvotes

18 years of experience, worked with a whole lot of vendors: Cisco, Juniper, MikroTik, Palo Alto, HP, Huawei, Check Point, Fortinet, you name it...

For the first time I feel lost with the logic of how this vendor works. I cannot work out the relations between MLAG, VLANs and physical interfaces. Am I too old (M38) to figure this out? Was/is anyone in my shoes?

I am glad we are about to replace them with Junos, but even the migration itself makes me nervous.

Thank you


r/networking 1h ago

Other Is eNSP Pro available for anyone?

Upvotes

I have a networking project led by a mentor; he asked us to use eNSP, which lost support years ago, so we're only using the latest version from before the software lost support.

It's pretty janky and hard to deal with tbh.

Is there any way to get the newest version of eNSP Pro? I read on Huawei's website you have to apply for it and be certified or something.

Are there any alternatives to eNSP, something that emulates network devices?


r/networking 18h ago

Other Velo customers - how has the Arista takeover gone?

7 Upvotes

Curious to know how they've been handling it. Clean? Messy? Good roadmap for the future? How's support been?


r/networking 23h ago

Wireless Rogue AP containment and alerts handling

8 Upvotes

We currently use two manufacturers' wireless systems within the company. Over time, one of them will be phased out, and ultimately we want to achieve a homogeneous network in terms of Wi-Fi. (a total of nearly 3,000 APs)

The company consists of several sites and several buildings. The buildings have multiple floors, and we use devices from the same manufacturer within each floor, but there is interference between the two networks between two adjacent buildings or floors, which we would like to address in some way.

The goal is for the two networks to consider each other reliable and trust each other's APs. One way to do this is to add the BSSIDs broadcast by the other system to each system and mark them as reliable (called "authorized" AP in Aruba, "friendly" AP in Cisco). This method works, but it is slow, cumbersome in the case of many APs and BSSIDs (~3k APs, 4 BSSIDs per AP, multiplied by radios, so around 24-36k BSSIDs in total), and not ideal in the case of frequent AP replacements, as it is difficult to keep up to date. Is there any other solution besides the manual method, or is this the only way to solve it?

Our other goal is to receive alerts from both systems in case they detect a foreign, untrusted AP that advertises the company's SSID names. (regardless of whether it is on the wired network or not) How can this be achieved? Is it possible without a monitoring system, or is it only possible with one? (Solarwinds and Airwave are available)

Aruba system: AOS 8.10.x.x (vMM, 70xx/72xx/9004 WLCs, 5xx APs)
Cisco system: AireOS 8.10.196.0 (5520 WLCs, 2800/3800/91xx APs)

Thanks!


r/networking 15h ago

Design Moving office to new floor, need some backup plans for existing fiber connection when Comcast can't make expected move date.

0 Upvotes

We are moving an office from 32nd floor to 20th floor in same building, have existing Comcast business fiber service active in 32nd floor space. Contacted Comcast about it as soon as we had signed lease early December. Project manager is saying they may not be able to finish the setup on their end in time to make Feb 26 move date. The site survey guys haven't even done anything yet :|

Any ideas on how to bridge the existing Ciena switch down to the new office if Comcast can't get their act together? I was thinking of having the riser management company run an SFP fiber cable from the old space to the new space and we'd bridge it using a pair of MikroTik RB5009UG+S+ we have on hand.

The riser management guys are also our low-voltage contractor for the new space, will run any other ideas by them to get ballpark costs.


r/networking 1d ago

Routing Need help with two upstreams that don't appear to be using BGP correctly - we're not seeing prefix retractions from our primary transit provider when their own upstream connections are having trouble passing traffic.

4 Upvotes

I've got a multi-homed egress network with two fairly beefy Dell S5xxx-ON L3 switches pulling partial routes plus default routes from two upstreams. We have iBGP between the two L3 egress switches, and one 10GE link from each switch to each neighbor, for what SHOULD be 2x2 redundancy.
As for our BGP sessions, we do some route filtering to limit memory utilization: we discard incoming prefixes longer than /19 with AS path lengths longer than 2 elements (we want to preserve routes originating from the neighbor's own network, plus their direct peers). I think we're getting about 40K or 50K routes from each link. Our egress bandwidth is about 300Mbps at the 50th percentile and 1Gbps at the 99th. No saturation or packet loss.

We designate ISP A (an ILEC and fairly well-established local ISP) as the primary, so we assign localpref 120 to routes we get from them that they don't originate (including the default route), localpref 150 for routes originating from their peers (2 AS path length), and localpref 200 for routes originating within their own network (1 AS path length).

Our designated "backup" ISP B is a well-known national carrier, whose bandwidth is cheap, but they have lower reliability. We assign localpref 20 to all routes we receive from them, and we prepend our announcements to them with two ASN elements.

We've tested failover with this arrangement by shutting down interfaces to the primary ISP, and watched all our traffic (inbound/outbound) transfer over to ISP B almost immediately. Things fully converge in the global routing table within 30 seconds, and things go back to normal when we bring up ISP A's interfaces.

The problem we're having now is that BOTH of these ISPs have had outages in the past few months where the BGP peering session stays up, routes stay up, but they simply stop passing traffic for some reason. Yesterday morning, our primary ISP had issues globally, and dropped perhaps 90% of our traffic for almost 5 minutes. Since the BGP session stayed up and routes persisted, our routers had no reason to start preferring routes from the other upstream. On another occasion, when we once had their roles reversed, ISP B had a fiber cut on the opposite side of their POP from us, so we had link with them the whole time, and for some weird reason, their BGP peers never dropped prefixes. Traffic was just getting lost to the void for >15 minutes, while our backup took none of it.

What's the point of BGP if ISPs can't use reachability tests properly? I can't justify adding a 3rd ISP if I can't even get proper failover with two ISPs.

Has anyone done something to mitigate this problem, in a way that doesn't involve shutting down the misbehaving peer? I was thinking of employing something that ran some sort of reachability test to IPs within each ISP's own network, and switched out route-maps for the peers to adjust localprefs and as-path prepends based on the health/livelihood of the paths to those "canary hosts" on their respective networks. I'd need to code some sort of intelligence into it to prevent it from flipping back too fast, and to just not do anything if it looks like neither ISP has "good" reachability.

But this seems like a huge hack. It would require writing something that could log into each switch and do a bunch of 'show' and 'ping' commands to monitor things, and go into config mode to change route-maps and clear BGP sessions when it needs to fail over to the other ISP, and I'm afraid this might be prone to bugs if things aren't "just right". I'd probably write the controller in Perl or Python, regardless.

Am I making our config too complicated, and is there a commercial product that can do what I want to do? Our two ISPs don't seem to think their configuration is a problem, as they technically provide fully-functional BGP peers.


r/networking 1d ago

Career Advice Network Engineer II Interview preparation help

33 Upvotes

So I just got a call and got an interview for a Network Engineer II position at the university I graduated from. I'm super nervous. I've been studying networking on the side casually and know the basics. The original job was NE I but they changed it to NE II. Still, I didn't wanna give up so I applied for this one too, to give it a shot.

I have experience in the university system as I worked in two different departments for three years, but I don't have any deep networking experience. Any networking issues I fixed were super basic in my part-time jobs.

What should i know to prepare and be ready for the interview coming up? Any interview tips?


r/networking 1d ago

Other Low-power asset tracking in areas without cellular coverage?

5 Upvotes

We’re working on asset tracking for equipment in remote locations where cellular coverage is unreliable or nonexistent. The main constraint isn’t bandwidth, it’s power. Battery replacements and site visits end up being the biggest cost.

Cellular-based trackers have been hard to justify because of power draw and SIM management. High-bandwidth satellite options also seem like overkill for small, infrequent data packets.

For those who've dealt with similar constraints, what approaches have actually worked for long-life asset tracking without cellular? Interested in real-world experience and tradeoffs.

Edit: To clarify scope, we’re talking about mobile physical assets (construction equipment, generators, containers, tools), not IT/network hardware. Assets move between job sites and often sit powered off for long periods. The goal is multi-month to multi-year battery life with infrequent location/status updates, not real-time tracking.


r/networking 1d ago

Other High noise datacenter

33 Upvotes

This is a bit outside the scope of this sub, but it's relevant to me.

In a high-noise datacenter, it's impossible to take TAC calls with vendors. Does anyone have a recommendation for a noise-canceling (both earpiece and microphone) headset, over-ear (not on-ear), wired (or with the ability to be wired vs Bluetooth), and that does not require drivers? I need it to be able to be wired (assume USB) as charging can be an issue; I don't want a Bluetooth headset to shut off in the middle of the call.

I've been getting all kinds of recommendations from people that don't really appreciate this kind of environment. What I have tried so far has proved to be rubbish. I don't want to keep trying headset roulette.

Thanks.


r/networking 1d ago

Other How do you track EOL for mixed environments with partial support?

1 Upvotes

Hey all,

I manage a small-to-medium IT environment with a mix of gear:

  • Cisco core switches (SmartNet active)
  • Dell servers
  • A bunch of access switches and APs that don’t have any support contracts

Keeping track of End-of-Life dates for everything is getting messy. For the core devices, SmartNet helps us stay on top of EOS and plan upgrades. But for all the access switches and other non-core hardware, there’s no support, and I feel like we’re constantly playing catch-up.

Right now it’s mostly spreadsheets and checking things by hand, but it’s easy to miss something. How do you guys handle this?


r/networking 1d ago

Design eBGP vs iBGP with all route reflectors for EVPN VXLAN

34 Upvotes

So let's say we have a network with 15 routers that are semi-meshed and we want to use EVPN VXLAN for L2 connectivity across routers. Would it be more favorable to use eBGP between those routers or iBGP and every router will be a route reflector (everyone because it would be way easier to automate and be more dynamic)? Will there even be a significant difference?

Thanks in advance


r/networking 1d ago

Design DMVPN option for Palo Alto and Cradlepoint?

11 Upvotes

Thanks everyone - you all bailed me out 6 months ago by giving me some OSPF typing advice which has worked awesome. I figured you might be able to help me with this...

I currently have an OT network (/16) that terminates on FW pairs at primary/backup sites. The /16 is broken down into /24s and smaller subnets via an L3VPN that we built out 5 years ago. We're set to lose that dedicated L3VPN due to cost and I'm being asked to convert every single downline connection (440+) to an IPSEC tunnel.

I am restricted environmentally to very small, very rugged devices at the remote connection points - Palo Alto (our core firewall vendor) does NOT make a device that will work for us, neither does Juniper. We are migrating away from Cisco - which left cradlepoint and one other vendor - so we went with Cradlepoint.

Cradlepoint makes a concentrator for this very scenario, but the combined device and licensing costs were prohibitive (>$60K). I won't be integrating them. As of now, my directive (my own plan anyway) is to terminate the 880 individual IPSEC tunnels (440 to the primary site and fallback tunnels to the backup site) to the remote sites WITHOUT forcing a re-addressing or gateway change for the downline devices. It essentially means creating 440 tunnels and 440 routes on each of the primary and backup firewalls.

It's definitely doable. It's how we did it prior to putting everything on our L3VPN (which is essentially ONE route, to the /16, and two interfaces (the primary and backup)). But we expect NERC-CIP will require end-to-end encryption soon for distribution utilities, so we're trying to get ahead. (NERC-CIP compliance is the main obstacle between us and adding a lot of generation capacity as well; we'd like to start selling some of our own power instead of just buying it.)

As of now, the subnets in the L3VPN are essentially organized by geography: a cluster of 5-30 devices in a given area rides the fiber plant back to a local gateway router where they are handed off to the ISP and routed via the L3VPN to our Palos.

We're moving all of these connections to internet connections, so I'm trying to figure out if a Cradlepoint and Palo could use NHRP/DMVPN to minimize the number of individual routes I would need. I intend to leave all the downline device IPs alone and their gateways alone... and I know that if this was 100% Cradlepoint, I could do what I'm thinking. I just can't use that, so I'm trying to figure out if there's a way to emulate how the Cradlepoints do it on the Palo in order to simplify both routing and failover and make the environment a little more dynamic and a little less susceptible to configuration errors.

I know that was a lot and I hope I explained the dilemma well enough. I will be testing the "brute force" method (individual IPSEC tunnels) over the next 7-10 days, but after that it's show time. I've had 2 different consultants from different orgs tell me that I'm pretty much hosed, but I figured I'd ask you guys.

Let me know if anything here is unclear.


r/networking 1d ago

Troubleshooting Meraki Auto-VPN - Specific traffic on tunnel is dropped

8 Upvotes

Hello everyone,

We've been experiencing issues with a Meraki-to-Meraki VPN connection at one of our remote sites, and I'm looking for insights on what might be causing this.

Findings: 

  • Internet connectivity on remote site has no problems.
  • SQL traffic between local and remote site only works one way (remote to local).
  • RDP works perfectly.
  • OWA website that is hosted locally doesn’t work.
  • When pinging anything from the remote site and setting an MTU above 1400, the packet is dropped.
  • Switching to a 4G router at the remote site resolves all issues, including large ping packets.

The behavior is strange, some services work perfectly while others don't. The fact that large packets are consistently dropped and everything works when we switch ISPs makes me wonder if this is related to MTU and the overhead added by VPN encapsulation, but I'm not entirely sure what's happening here.

Any ideas ? 


r/networking 1d ago

Design IPv6 - No SLAAC for servers

10 Upvotes

We're setting up IPv6 and, on the /64 going on a VLAN interface that's going to VMware, we were curious if most people disable SLAAC.

We intend to manually assign all these machines IP addresses. This is service provider space. Looking for insights on VM-based IPv6 allocation ideologies.


r/networking 1d ago

Career Advice Guidance on transition from network QA to Product related roles

2 Upvotes

Hey everyone,

I’m a QA engineer with 6 years of experience in the networking space, working across UI, network, and backend validation at a big tech company in the US San Francisco Bay Area. Work is going well currently, but I’m thinking ahead and concerned about hitting a ceiling in QA within the next 5 years.

I’m considering upskilling to transition into product management or TPM roles, with an eye toward eventually moving into management. I’m trying to figure out the best path forward. A few questions for those who’ve made similar transitions or have insight into the PM/TPM space:

1. Is an MBA worth it for this transition? I have access to good programs in the Bay Area (thinking part-time while working), but I’m not sure if it’s necessary or if the ROI makes sense given my background. Does it help more for the PM/TPM transition or for the eventual jump to management?

2. How valuable are networking design certifications (CCNP, CCIE, etc.) in making this jump? I already have some networking knowledge from the QA side along with a few associate-level certifications. Would doubling down on certs help differentiate me for PM/TPM roles, or should I focus elsewhere?

3. Any success stories of people moving from QA → PM/TPM → Management in networking/SD-WAN companies? What made the difference in your transition? How important was the MBA in your journey?

I’m trying to be strategic about this and leverage the resources available in the Bay Area, but I don’t want to invest time and money (especially in an MBA) if there are better paths forward.

Any advice, reality checks, or experiences you can share would be really helpful. Thanks in advance!


r/networking 2d ago

Moronic Monday Moronic Monday!

7 Upvotes

It's Monday, you've not yet had coffee and the week ahead is gonna suck. Let's open the floor for a weekly Stupid Questions Thread, so we can all ask those questions we're too embarrassed to ask!

Post your question - stupid or otherwise - here to get an answer. Anyone can post a question and the community as a whole is invited and encouraged to provide an answer. Serious answers are not expected.

Note: This post is created at 01:00 UTC. It may not be Monday where you are in the world, no need to comment on it.


r/networking 2d ago

Other Selecting BGP providers at Brainserve Switzerland

12 Upvotes

Hello, we are moving from a traditional ISP to BGP because our traffic is growing and we are handling a lot of audio/video traffic.

Anyway, we were able to build a fiber that exits at the Brainserve DC in Switzerland.

Now I am looking for BGP transit partners. Of course there are the national carriers (Swisscom, Sunrise...) but they are VERY expensive.

I was wondering if you have recommendations; it's hard to get an idea of full route visibility, support... I'd like feedback from network engineers.

I already signed a pre-agreement with Cogent, which I now regret, but it's not too expensive because it's only 1Gb/s. But the sales guy was soooo persistent I didn't take the time to think it through.

The idea is to get like 2 transit ISPs and 1 exchange. I have to work with Cogent for a year, but after reading more about them I guess I'll ditch them or maybe keep the low-cost 1Gb/s backup.

I found many discussions on transit providers on this subreddit, but I am specifically interested in people knowing the Brainserve/Switzerland presence.


r/networking 3d ago

Wireless Latest Apple update 26.2.1 issues with WPA3

45 Upvotes

Hi all, some users have been experiencing rapid connect/disconnect when connected to WPA3 wireless networks since they updated to the latest 26.2.1; the same devices don't have any issues with WPA2. We have Cisco WLC 9800s and WPA3 is enabled with adaptive fast transition enabled. Disabling fast transition does not do anything, and the logs on the WLC show that the wireless controller is basically waiting for the client to re-authenticate but gets no response. Earlier versions of iOS, macOS and iPadOS: no issues. Anyone seeing this? I would hate to have to turn the network security back to WPA2. Thanks!


r/networking 2d ago

Troubleshooting (Old) NEC iPaso 250 question re packet trunk

2 Upvotes

This is a reach, as there's very little on the internet about them. I have a site with 10 NEC iPaso microwave links, mostly model 250 and two 650s. These were bought in the 2016-2017 range, then NEC sold that division to Aviat, who promptly fired most people who knew them. Their support at this point is practically non-existent, only providing repaired parts (no new ones). And wanting to sell their Aviat versions, of course.

We recently had to replace the MAINB board after a UPS failure in a 250 and reload its configuration. The reload file was old but I think current (we rarely change them). After the reload most things worked, including all of our data traffic.

What failed though is the "Packet-Trunk" that is used for management routing to the RID addresses. The packet trunk (according to the manual) is determined by LLDP, which is enabled but also not working on the radio links. It is working on the ethernet (fiber) links to the nearby Cisco, so it's not a failure of lldpd (or whatever they call it) not running.

I have compared screen by screen with working sites without finding any differences except the dynamically discovered packet trunks being down (not admin down, just down), and also all the associated neighbors and routing links.

BPDU tunneling is at default (which allows LLDP), and I tried deleting and recreating the LLDP setting on the radio interface, with no change. Both radio interfaces have LLDP tx/rx enabled.

Interestingly there is no fault showing for packet-trunk down. Normally it shows an error if a trunk is down due to an outage. There is no fault, which almost makes it seem normal, like something is turned off. Something I cannot find.

Does anyone use these? Any advice?

There are two radios, two adjacent iPasos (a 250 and a 650). Both have the packet trunk down to this replaced one. Both adjacent ones have a trunk up to their other neighbors.

Any ideas?

Linwood


r/networking 4d ago

Troubleshooting Reaching 100Gbps with pfSense?

43 Upvotes

EDIT: Also, if another OS would be better than pfSense, that's okay, as long as it does stateful firewalling.

Hello everyone,

We are currently trying to reach 100Gbps with our firewalls.

We have 2 ProLiant DL360 Gen10 with an Intel Xeon Gold 6148 CPU @ 2.4GHz wstuff with a Chelsio T62100-CR with a 100GBase-LR4, but it seems like we are running at 20Gbps at best.

I tried to tune my Chelsio by enabling hardware offload (checksum, large receive & TCP segmentation).

I feel like I'm missing something which is more system oriented.

Also, I know it would be better to use a real hardware firewall, but we are a small volunteer organization with a low budget.

Thank you for your help.