/r/networking
Enterprise Networking Design, Support, and Discussion.
Came in to check on something and heard the droning alarm of an Areca card. Fan failure, but the fan is spinning just fine. Logs show it's done this every hour or so all weekend.
I'll replace the fan, but why is it alarming when the fan spins?
Hi everyone,
I’ve been in the training field for three years, focusing on networking courses, primarily Cisco’s Enterprise track and Meraki. Teaching has been a rewarding experience, but I’m feeling a bit lost and unsure about what my next step should be.
Here are the paths I’m considering:
1. Explore a new track like cybersecurity, virtualization, or cloud technologies, and continue teaching.
2. Pursue the CCIE certification to deepen my expertise.
3. Transition into a more hands-on, expert-level technical role, though some have warned this might feel like taking a step back, and if so, which positions should I apply for to use my knowledge?
I’d love your insights on which direction might be the best fit, especially if you’ve faced a similar crossroads. Any advice or guidance on roles or certifications to aim for would be much appreciated!
Thanks in advance for your help!
I am working on designing a new test automation structure. My goal is to create a flexible test network using a managed switch capable of dynamically reconfiguring and combining various network topologies, including HSR, PRP, and other protocols. The switch should isolate and encapsulate traffic using VLANs, enabling seamless testing of redundancy protocols and specific configurations without the need for rewiring. This environment will validate redundancy, traffic behavior, and encapsulation under different fault and reconfiguration scenarios.
I understand that HSR cannot be directly tunneled using VLANs, but I considered achieving this with QinQ. However, I suspect that QinQ might not be suitable for this structure because when QinQ is selected, the PVID format is automatically set to tagged, which I believe is incompatible with the structure I am using.
I have implemented the topology shown in this link: https://imgur.com/a/8EkTuQP
Unfortunately, I cannot ping any device in this setup. I have tested configurations with VLAN type set to Edge and PVID format as untagged, as well as VLAN type set to QinQ and PVID format as tagged. I am unsure whether the issue lies with the configurations I have implemented or if such a design is fundamentally unachievable.
I would greatly appreciate your insights on this matter. Thank you in advance!
I'm looking at Fortinet EMS for ZTNA. This secures remote workers and on-network users, so it is making me question the need for Cisco ISE NAC. Is it overkill using both? The network will be predominantly wireless users accessing via Meraki APs with a FortiGate firewall.
I have an SDWAN fortigate deployment in my company. The initial config was done by an integrator but we have taken over it. We have the usual hub and spoke setup, where hub and spokes have two different ISPs connected.
We are doing IPsec VPNs over the two ISPs and running BGP over IPsec to advertise routes from one site to the other. I have a few configuration questions that I am not able to answer myself:
- Do I need to "set network-overlay enable" in the IPsec phase 1? I don't really understand what this command does. It seems to work fine without it (as it is now). We don't use ADVPN, where I understand you need to use the command.
- Should I use active checks or prefer-passive checks for the SD-WAN overlay IPsec tunnels? I understand that passive checks need to process traffic with the CPU (no offloading), which means that this traffic should be minimal.
- What average failover times can be achieved? I need realistic values. I did an iperf test between the hub and a spoke with multiple streams and it took something over 30 sec to stabilize.
- Any specific recommendations for an SLA configuration for Teams traffic? This should be able to fail over within a few secs and not more...
Thanks,
St
Sim using GNS3
I have an MPLS core connecting 8 or so branches. At the moment, OSPF is enabled on every router (P, PE & CE) so every device can ping everything else.
I need to segregate that a little using VRF, BGP, and MPLS VPN.
After configuring VRF, BGP & MPLS VPN on each of the PE routers I was originally just getting U's in my pings, but fixed that by adding `router ospf 2 vrf vrf-name`. But then I couldn't reach the non-directly-connected interface of the PE router from the CE.
Not really sure how to fix this, as I have spent the best part of today trying to debug and haven't gotten anywhere, so I was just looking for some advice, i.e. should I even bother with global OSPF on the CEs and PEs if they're just going to be using VRFs later on anyway, etc., or anything I should be checking for to try and debug why the connections won't work.
For reference, everything else still works - anything not using VRF can ping everything else, MPLS core works, and BGP works.
It is only the VPN clients that have been locked out of communicating with everything.
Yeah you heard me, and BEFORE you go telling me with tears in your eyes about how the termination should be properly weather-proofed etc, that is not something under my control and there are frequent activities by gardeners etc that can leave the connector exposed to the elements.
I would like to go into a factual discussion about how a Meraki/Cisco switch that provides PoE (af/at) to its endpoints reacts when an RJ45 on the other end of the wire gets moisture.
Are there built-in mechanisms to mitigate this, or is it more a case of say a prayer and cross your fingers? Impact on the overall switch power budget? Damage to the switch?
A story or 2 about how you got some battle scars because of this is also welcome.
Hey all,
I've recently taken over our small networking team of 5 people and every day I'm learning more about what we don't know.
I've been lurking this sub since I took over a few months back but I have to say my network knowledge is... rudimentary still. I'd like to hear from you guys how you'd approach addressing the issues we currently face.
We have 3 campus networks with 100+ buildings at each site. This is managed by a provider, but they only came in last year so it's not like they know everything already.
Due to reasons in the past, our whole documentation is spotty. We don't have reliable monitoring in place, we don't know the architecture in all places. The architecture diagrams are incomplete and often outdated. There are redundancy concepts in some places, but we often don't know about them and don't immediately understand how they work. Also they are sometimes stupid, see below.
Last week we had an outage in one location where we later found out there were 2 lines going through. But they weren't set up as active/standby lines; rather, some traffic was going over both lines. After line A went down, we noticed that line B had been throttled for the past X months. Needless to say, our outage could have been fully prevented if we better understood our redundancy setups.
My current idea is to put together a reliable monitoring system that includes ALL 4000+ components (we only have some of them in our provider's monitoring).
How would I go about figuring out our wonky network architecture? Currently, we are looking at how line A and line B from above example were setup. Our hope is that we might identify other lines in our network that have a similar setup.
TLDR: I hate only learning about the crazy stuff in our network due to incidents. How can I proactively understand what the hell is going on and move closer to an ideal setup?
Any ideas or caveats are highly welcome. If my plan is unsound, let's hear why. I'm here to learn.
Hi there,
I finished my "official" engineering career when Cisco ASA ruled the world. I do support some small companies here and there and deploy things but I have read a lot of bad reviews here about Firepower. My friend got a brand new 1010 for a client and gave it to me for a few days to play with it.
I cannot see an obvious reason why there is so much hate. I am sure this is due to the fact I have it in a lab environment with 3 PCs only but I am curious if anyone could be more specific what's wrong with it so I could test it? Sure, there are some weird and annoying things (typical for Cisco ;)). However, I would not call them a deal-breaker. There is a decent local https management option, which helps and works (not close to ASDM but still). Issues I've seen:
- very slow to apply changes (2-3 minutes for 1 line of code)
- logging - syslog is required - annoying
- monitoring very limited - a threat-focused device should provide detailed reports
Apart from that I have tested: ACL, port forwarding, SSL inspection, IPS (xss, sqli, Dos).
I have not deployed that thing in a production environment, so I am missing something. So. What's wrong with it, then? ;-)
I have some devices with the Cortex XDR agent installed and I would like to add some policies in Prisma using the device identification information from the agent. Is this possible? If so, how?
Hello, everyone! I am seeking advice on my cloud journey and/or IT career. I've been in desktop/network support for over 10 years. I finally decided to pursue my CCNA in 2021 and passed. From 2021 to 2023 I worked as a Network Administrator. Later in 2023, I was promoted to Network Engineer. Great accomplishment, no doubt!
Since then I have gained interest in becoming a Cloud Network Engineer. I have put myself through a Cloud bootcamp from UT Austin. Then I immediately took my AWS Solutions Architect, Azure Administrator and Google Cloud exams, which are the topics that were covered in the bootcamp. I passed all three certs, then 3 months later passed my CCNP. Yes, it's been a busy 2024 for me. With that said, I have continuously been applying for Cloud positions, but no cigar. I am wondering if it's lack of patience or lack of experience in Cloud and networking, since I have only been a network engineer for almost a year at the time of writing this post. So, to make a long story short, what advice can you provide that would help me regain my confidence in my pursuit of greatness in the IT Cloud space?
Oh, just recently (2 days ago.. lol) passed the Multicloud Network Associate certification from Aviatrix!
Thank you for your time and Happy Holidays!
Kelvin
Hi all,
I'm looking to refresh our network. Single site, about 110 users but most work hybrid.
I'm coming down to either a full Fortinet stack, i.e. firewall, switches and APs, or a Palo Alto with Juniper (or HPE Aruba) switches/APs. HA active/passive firewalls.
Few things I'm debating. We've a small team and use a Network MSP. There's more Forti ones here than PA.
Forti gives full visibility which even though we use a Network MSP, I think that full visibility into the network is useful. In comparison, finding a Palo Alto provider is a bit more constrained (just in our location)
I much prefer Juniper or Aruba switches. We're looking at ones that can be stacked (or VSF/VC). The Fortiswitches aren't great design wise and I'd be paying more for more extra SFP+ ports just to mimic some stacking.
Anyway I welcome any thoughts. Forti just seems easier but that's not everything. Cheers
Hello, this is a new sensation for me. For the last ten years I've been steadily moving up in my career. I have about 6 years of dedicated network engineering experience, and now work for a software company that automates firewall policy management.
I've got 4ish years of Python as well, and have been sharing my projects on my resume. I've been writing custom cover letters from scratch for each role I apply for.
In the past, this has always worked for me. Within maybe 10-20 applications I'd have a few companies lining up interviews and I would get hired.
Now in late 2024, I've applied to at least 25 roles and I have not had even a phone screening. I honestly don't know what to do. The roles I've been applying for are a bit of a reach - I don't meet all requirements. But that's how I've always done it. Is that no longer viable?
Also, my pay is around 110k so I feel like that is hurting me as well. I am not even trying to get a raise, I'm just trying to find a role I enjoy doing and a mission I care about at 100kish.
I am applying for hybrid/remote roles, mostly centered around network automation or early dev roles asking for 1-3 years experience. I think my Python skills are pretty decent now, but maybe I'm lying to myself?
My biggest weakness is that I don't have much experience in huge enterprise networks. I've mostly worked in city gov and small business where the largest networks had a few hundred network devices. I'm not sure how to fix this now if this is the problem, though.
I can share my resume, cover letters, or code projects if anyone wants to see, but just in general, does anyone have advice for mid-career people trying to move into automation or devops roles? At 39 I'm now wondering about shit like being too old to hire lol.
Thank you for any thoughts. If you need more info and are willing to chat with me I can share whatever you'd like.
Edit: I had a CCNA from 2016-2019 but haven't had a certification since. Are certs still as important when you're mid-career?
Edit 2: Wow, the responses here have been far more helpful and people have given me a lot more feedback and time than I anticipated. I am humbled.
We are an entertainment agriculture farm, so we have a lot of events like a light show, fall fest, so on and so forth. On our event nights our iPads that run Shopify POS keep giving a network error; however, speedtest says we should have a fast enough connection with a good enough ping to run our iPads. Even on some of our slowest days with a handful of people on the property we still get these errors. Our network runs off of Comcast Business with Decos as the main point where all of our iPads connect wirelessly. I know little about network hopping, and we have about 12 hops between us and the Shopify servers. I have already reached out to Shopify and it wasn't on their end. Is there any way to fix these errors, or is there anything I am missing?
So I earned the CCNA and am looking to get more hands-on. I found a great course by David Bombal on Udemy titled Python for Network Engineers: Netmiko, NAPALM, pyntc, Telnet. It's weird, it really sounds like it's focused on GNS3, but it has a couple of small sections on CML and EVE-NG.
So I'm wondering two things: would CML work just as well as GNS3 for the course? And which do members of this sub prefer between the three? From what I've read I'm partial to CML. It sounds like the easiest to set up by far, and it sounds like if you get legit IOS images for GNS3 it'll end up being just as expensive, if not more.
What is the possible issue for some OLT that can't query the information on NMS? These OLTs are accessible but some information on ONT is loading only like physical information and configuration. It is non-service affecting. Thanks
Looking for interview details of Principal network engineer in OCI IC4 Level. Mostly, what topics are covered in python and the automation part of it ? Anyone recently gone through Principal NE loop ?
How do you guys tackle IP exhaustion when it comes to many devices connecting with MAC randomization enabled by default? Does this have to be solved on AP level or a network level (router which is handing out DHCP leases)? My customer is a local college and they offer guest WiFi for visitors and students.
In the past few years almost all vendors started to randomize MAC by default so I've noticed DHCP leases get exhausted much more often lately.
Thanks in advance!
I am looking at replacing a Check Point 5900 firewall as it is starting to become EOL. What would some like-for-like firewalls be for FortiGate, Cisco, Check Point and Palo Alto?
It's Read-only Friday! It is time to put your feet up, pour a nice dram and look through some of our members' new and shiny blog posts.
Feel free to submit your blog post, as well as a nice description, to this thread.
Note: This post is created at 00:00 UTC. It may not be Friday where you are in the world, no need to comment on it.
This is for a small business supporting 15-20 wired PCs and laser printers, plus security cameras and WiFi.
I'll be handling the install and maintenance. I recommended an Echogear 15U open-frame server rack mounted to the wall. Someone recommended to them to mount everything to a piece of pegboard. I'm trying to talk them out of that.
What’s your opinion? What are some pros & cons going the pegboard route?
It's Thanksgiving for people in the USA. Just wanted to know what technologies you are thankful for.
How have they made your lives easier? What has it done for you?
For me, it's virtualization and containerization technology. They have let me get massive amounts of experience on various platforms without having to spend a fortune on gear. It opened up a world of opportunity for me, limited only by my work ethic and desire to learn.
It has democratized technology for the masses, and for that I am forever grateful.
I have 3 networks coming to a router through VLANs. One network is 192.168.1.0/24; 192.168.1.2 is a port address for the router, while this network has an internet gateway of 192.168.1.1.
Second network is 192.168.2.0/24 (port address of the router is 192.168.2.1)
And third network is 192.168.3.0/24 (port address of the router is 192.168.3.1)
I can ping through networks as I intended them to be, but I'd also like to allow the 2.0/24 and 3.0/24 to be able to access internet through the 1.0/24 network. I tried setting the destination ip of 0.0.0.0/0 to next hop of 192.168.1.1 and 192.168.1.2, but none of these seem to do what I want.
What should my route be set to?
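The question above comes down to how a longest-prefix-match lookup resolves on both ends of the path. The following is an added example, not code from the post or from any vendor: it models the VLAN router's table and a constructed table for the gateway 192.168.1.1, and shows that a default route of 0.0.0.0/0 via 192.168.1.1 sends the outbound packet correctly, but the reply from the gateway is only delivered if the gateway itself has routes for 192.168.2.0/24 and 192.168.3.0/24 pointing back at 192.168.1.2 (the alternative, source NAT on the VLAN router to 192.168.1.2, is not modelled here). The ISP next hop 203.0.113.1 and the internet destination 198.51.100.7 are placeholder addresses from the documentation ranges.

```python
import ipaddress


def lookup(table, dst):
    """Longest-prefix-match lookup.

    table: list of (prefix, next_hop) pairs; "connected" means deliver
    directly on the attached interface. Returns (network, next_hop) of the
    most specific matching entry, or None when nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


# Constructed table for the VLAN router in the post (its address on the
# 192.168.1.0/24 segment is 192.168.1.2).
ROUTER = [
    ("192.168.1.0/24", "connected"),
    ("192.168.2.0/24", "connected"),
    ("192.168.3.0/24", "connected"),
    ("0.0.0.0/0", "192.168.1.1"),  # default route toward the internet gateway
]

# Constructed table for the gateway 192.168.1.1 as shipped: it knows only
# its own LAN and its ISP uplink (203.0.113.1 is a placeholder).
GATEWAY_BEFORE = [
    ("192.168.1.0/24", "connected"),
    ("0.0.0.0/0", "203.0.113.1"),
]

# The same gateway after static routes for the other two VLANs are added,
# pointing back at the VLAN router's 192.168.1.2 address.
GATEWAY_AFTER = GATEWAY_BEFORE + [
    ("192.168.2.0/24", "192.168.1.2"),
    ("192.168.3.0/24", "192.168.1.2"),
]


def path_ok(router_table, gateway_table, host, internet_dst):
    """Trace one round trip from `host` to `internet_dst`.

    Returns (router_next_hop, gateway_reply_next_hop, reply_reaches_router).
    The forward leg is decided by the VLAN router; the reply leg by the
    gateway, which must know a route back to the host's VLAN.
    """
    forward = lookup(router_table, internet_dst)[1]
    reply = lookup(gateway_table, host)[1]
    return forward, reply, reply == "192.168.1.2"


if __name__ == "__main__":
    for label, gw in (("gateway without return routes", GATEWAY_BEFORE),
                      ("gateway with return routes", GATEWAY_AFTER)):
        print(label, path_ok(ROUTER, gw, "192.168.2.10", "198.51.100.7"))
```

With the unmodified gateway table the reply to a 192.168.2.x host follows the gateway's own default route toward the ISP and never comes back, which is exactly the symptom of "the default route is set but nothing works"; adding the two return routes on the gateway (or NATing behind 192.168.1.2) closes the loop.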
Hi everyone. We recently got alerted by Microsoft that our IP is blacklisted by UCEPROTECTL3 (level 3). It seems the IP the office building uses (provided by their ISP) is blacklisted. I'm not sure how to navigate this, as it's hard to reach out to the right person to help. From my research the ISP of the building is not even an original ISP; they are just resellers.
How can I make sure that I sort this out?
Thinking of adding everyone through a VPN - will that help? We currently have issues with email deliverability due to this.
ps. we are a MS365 client so emails and cloud, all based on MS.
Thank you!
We have 802.1X enabled on our switch ports and I can see that we have issues with some devices.
The 802.1X process is 7 sec x 3 retries (21 sec total), and after that MAB or profiling kicks in.
I can see the devices being properly profiled, but some of them just stop requesting DHCP.
I have tried to experiment with the port bounce CoA radius feature with no luck.
Has anyone managed to resolve this? I really do not want to allow everyone to request DHCP before authenticating to the network.
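The post describes a race between the switch's EAP timeout (7 s x 3 = 21 s before MAB) and the client's DHCP retry schedule. The following is an added example, not from the post or from any vendor: it computes the DHCPDISCOVER send times of a client that follows the RFC 2131 section 4.1 backoff (4 s, 8 s, 16 s, ... capped at 64 s, with the recommended +/-1 s jitter omitted so the result is deterministic) and checks which of those attempts lands after the port opens. The "three-try embedded client" profile is a constructed assumption standing in for devices that give up after a fixed number of DISCOVERs rather than backing off indefinitely.

```python
def discover_times(max_attempts, first_delay=4, max_delay=64):
    """Send times in seconds of successive DHCPDISCOVER messages.

    Follows the RFC 2131 section 4.1 schedule: first retransmission after
    4 s, doubling each time up to 64 s. Jitter is deliberately omitted.
    """
    times, t, delay = [], 0, first_delay
    for _ in range(max_attempts):
        times.append(t)
        t += delay
        delay = min(delay * 2, max_delay)
    return times


def auth_window(tx_period=7, max_reauth_req=3):
    """Seconds until the switch stops waiting for EAP and falls back to MAB.

    Defaults mirror the post: 7 s tx-period and 3 retries give 21 s.
    """
    return tx_period * max_reauth_req


def first_discover_through(max_attempts, window, mab_delay=0):
    """Return the send time of the first DISCOVER the switch will forward.

    Until `window + mab_delay` seconds the port drops everything but EAPOL,
    so earlier DISCOVERs are lost. Returns None if the client has already
    stopped retrying by the time the port opens.
    """
    opens_at = window + mab_delay
    for t in discover_times(max_attempts):
        if t >= opens_at:
            return t
    return None


# Constructed client profiles: name -> number of DISCOVERs sent before
# giving up. Six attempts is enough to reach the 64 s cap of the schedule.
CLIENT_PROFILES = {
    "rfc2131 client": 6,
    "three-try embedded client": 3,
}


def lease_outcome(profiles=CLIENT_PROFILES, window=None, mab_delay=0):
    """Map each client profile to the time its first DISCOVER gets through,
    or None when it gives up before the port opens."""
    if window is None:
        window = auth_window()
    return {name: first_discover_through(n, window, mab_delay)
            for name, n in profiles.items()}


if __name__ == "__main__":
    print("port opens after", auth_window(), "s")
    for name, when in lease_outcome().items():
        print(f"{name}: {'lease at ' + str(when) + ' s' if when is not None else 'never gets a lease'}")
```

Against a 21 s window the RFC-style client's DISCOVERs at 0, 4 and 12 s are dropped and the one at 28 s succeeds, whereas a client that stops after three tries sends its last DISCOVER at 12 s and never asks again, matching the "just stop requesting DHCP" symptom; the same function shows how much shortening tx-period or the retry count would shrink the window.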
I'm pretty new to the networking scene and my network engineer cannot help me either; we've encountered an issue we cannot explain logically:
Here is the situation: we have moved a team of people from one office to another with 4 PCs (All-in-Ones) on the 3rd floor. They are all connected to RJ45 ports on the wall that go directly to the rack on the 5th floor. There all the cables are connected to a "manageable" Cisco switch. I've used a NetScout and checked the length of the cable (it's less than 50 m).
Everything went smoothly at first, but after a few weeks we started to get complaints about network disconnections. It happens for a few seconds, then reconnects, but the network share gets disconnected and they have issues reopening it (they have an old Access database on it) -> I know it sucks.
We've tested ping -t commands directly from the computers (3rd floor) and saw packet loss, then up again after a few seconds. We checked with our own laptops as well, and the same issue is happening with DHCP.
To counter the issue we had to remove DHCP and set fixed IPs on all 4 computers -> it seemed OK for approximately 2 months, but since today on one computer we had to redo the process of giving a different fixed IP. I thought it was an "OK" fix, but apparently not.
To make sure it's not a switch config issue: I've connected my PC directly to the switch (5th floor) and no packet loss... My colleague is convinced it's not a configuration issue. I'm not, but he doesn't want to dig further because the fix was working 'til today. He told me it's probably the cables in the walls that are bad, but then why did it work for a few months, and why did they have no issues with the fixed IPs either?
Maybe some of you guys are more experienced and know what the root cause could be?
Please help me, as I am getting harassed by the customer since the problem is back.
Sincerely,
I have a client who has a trailer they bring to various locations.
This post is going to blur some lines so please bear with me.
Goals:
- Stable Wi-Fi Network for IoT devices, light switches, controls, cameras and NAS
- WAN must be able to connect to local Wi-Fi
- WAN should be easily configurable to switch between Wi-Fi networks - for example, office Wi-Fi as WAN uplink, or trade center Wi-Fi
- WAN should support LTE failover
Why?
- Using LTE only would create a large bill for the times the trailer is located at the office or trade show.
- They want always available internet as best possible regardless of the location of the trailer.
I have found some that could sort of work using commercial RV stuff, but I'm not confident in the networking ability or the ability to have LAN segmentation.
On a Cisco ASA, there is a feature called the "tunneled default route," for example: route inside 0.0.0.0 0.0.0.0 x.x.x.x tunneled
This allows VPN traffic to be sent to a specified next hop, separate from your standard default route, which handles regular ISP traffic.
Is there an equivalent on a FortiGate? As far as I know, there isn’t a direct equivalent command. However, it might be possible to achieve similar functionality using a policy route.
If anyone has implemented something similar, I’d appreciate your insights.
Thanks!
Hi everyone, I'm new to networking and recently heard some engineers at work discussing load balancing across multiple WAN links. It got me curious:
how can you set up proper load balancing for WAN links on Cisco Catalyst switches (9300, to be specific)? Are there specific configurations to ensure traffic is evenly distributed? Would love to learn more. Thanks!
P.S. Load balancer is not an option, and the routers are basic ones
I’m a network engineer at an ISP, and upper management wants to create a support team to handle troubleshooting for our business services (L3, L2, SIP, EoMPLS, etc.) and technologies. However, the team has zero networking knowledge, and I’ve been tasked with training them—in just 3 weeks.
This feels unrealistic, like turning an accountant into a network troubleshooter overnight. These services and tools require deep technical understanding and hands-on experience, which can’t be developed in such a short time.
Has anyone dealt with something like this? How do you approach training non-technical teams for such complex roles? Would love advice or shared experiences!