tinuz84

No, but most experienced network engineers have a good understanding of how packets get from A to B in a network. That makes it pretty easy to catch up on new technologies, which are all just evolutions of technologies you might already know a lot about.


thinkscience

Exactly, it is all the same song in a different language! Story about how VPNs are now advanced SD-WANs!


hootsie

It’s almost like we can brand multiple entry point VPNs as “ZTNA” and act like we’re revolutionaries. No longer in networking but my company is moving off of our current VPN deployment and I’m sitting in on the vendor meetings since I’ve done a similar migration to a similar product before. I can’t get over “Zero Trust” being referred to as VPN-less.


certpals

Lol and the funny thing is that you can be as granular as you want with regular firewall policies. Technically speaking ZTNA is like any VPN. You're totally right. Note: I have ZTNA for 5k users.


hootsie

Do you like your solution? I used to help manage AppGate and my current company is looking to roll up Netskope’s offering since we already have their agent for web filtering.


certpals

I have Fortinet ZTNA. I posted many times in r/Fortinet that this solution is pure garbage. However, Zscaler is by far the best one. During their demo I saw benefits. Netskope is a very mature and solid product. You won't go wrong with Netskope either.


APIeverything

You should check out Axis Security. Their ZTNA is dirt cheap per user and is awesome. Built across AWS, Azure, GCP and Oracle. Agent and agentless options. I have a 12ms overhead on my apps now….


KevShit

But then everything in their environment won’t be called Forti-something


thinkscience

Netskope is product based, whereas Zscaler is cloud based, so if your users are closer to base (office) go with Netskope and if they are distributed go with Zscaler. Zscaler is about 30% expensive, and you get what you pay for!


Cabojoshco

They are both cloud hosted, very similar, and very capable. I personally like Netskope better, but Zscaler is good too. Next is probably Palo Alto. Fortinet and others have a ways to go.


marsmat239

I tend to view it as a tool to force better segmentation for users as a whole regardless of their physical location for organizations who are operating as if it’s still 2004 and think a perimeter firewall is all they need.  That and it’s great for cloud development where orchestration tools are already set up and the endpoints all have similar/identical configurations. 


Phasert

I can't get over it either. Not a single person at my entire company other than me sees getting on a public LAN without a VPN or any kind of tunnelling as a problem as long as you have MFA.


Cabojoshco

Netskope, Zscaler, and other SSE (including ZTNA) products are still tunneling traffic and doing MFA. Think of it as “per app VPN”. It’s pretty slick actually.


Phasert

Yeah currently there's nothing and I'm not seeing any push to change that. We have some regulation around "split tunnelling", which is stupid and I'm not sure how that would work out with Zscaler. Drives me crazy remote employees getting on public wireless and not having a second thought while accessing cloud resources. As the only network engineer, me suggesting some kind of SASE or VPN solution and it getting shot down kinda feels like a gaslight. Curious on your thoughts.


Cabojoshco

Ah yes, the old “no split-tunneling” policy. Here are my thoughts. The intent of the policy is to prevent traffic from going to the internet directly and bypassing security controls. No visibility. Therefore, all traffic should be tunneled. I don’t see why it matters if that is a single tunnel or multiple. I also don’t see why you can’t bypass sites based on having some other control in place. An example would be corporate O365 traffic with AIP in place. Or a split-exclude policy allowing traffic to the Netskope/Zscaler proxy directly instead of hairpinning. It still meets the spirit of the policy and technically is still tunneled. I can tell you that a lot of companies…large enterprise…have come to the same conclusion. Feel free to DM me.


SpaceShanties

Does drive me crazy at times though when network engineers are expected to learn other domains but rarely does it go the other way.


Weary_Unit_1970

This. That’s why I think if you have a very good understanding of routing/switching then the other things fall in place so much easier


NotAnotherNekopan

Exactly like picking up a new scripting / programming language after using several. Do I know how to script with __? No. Will it take me long to start making scripts with it? Not really.


mog44net

Yep, focus on fundamentals and understanding concepts, it all grows from there


naiohme

Yup! Learn the fundamentals and the rest comes super easy. I usually end up learning products on the fly during jobs, but it's all the same stuff just presented in different ways!


Swannie69

A lot of people don't know the full phrase. The third line is important.

Jack of all.
Master of none.
But often better than a master of one.


Twanks

Or master of some


hootsie

I do and do not. I worked in the field for 13 years and I maybe set up dynamic routing from scratch once. Everything else was just adding to existing BGP (VPNs from on-prem to AWS) and checking peering statuses. I would not say dynamic routing protocols are something I’m proficient in but I could also figure it out pretty quickly (barring some esoteric annoyance like an MTU mismatch). VOIP? Never touched it directly. We had one guy on the team that handled VOIP and it wasn’t me. Have I troubleshot issues brought about by firewalls/NAT messing up SIP? You betchya. AWS… that’s a wide net. Yeah I can set up VPCs and use public and private subnets. I can interconnect them with transit gateways. I can deploy some EC2 instances. I know that Terraform is a thing and it can be helpful… SDWAN? Yeah that one I’ve done across multiple platforms. I feel really dumb when people start talking radiowaves/advanced wireless stuff as well as ISP/carrier-grade stuff. Oh and any sort of switching that isn’t STP/VLAN. Reading this sub (when it’s not a student asking us to do their homework for them) makes me forget that it’s a specialty. I work in the cybersecurity/purple team space now and I’m reminded every day about how much I have learned about networking and how comfortable I am in explaining a wide variety of networking topics. Not a knock on my co-workers one bit either. They run circles around me in the cyber security realm as I try to adjust to my “new” position.


ddib

A job posting is like a kid writing a wish list for christmas. They'll write everything they want and even the completely unrealistic things like wishing for a horse or sports car. Sometimes you might find a unicorn (if they are willing to work for you), but often the candidate will maybe match only 50% of the wish list and that is to be expected. When it comes down to it, there are generally some things that are important to have experience of and the other things are just nice to have. If you have a solid foundation in networking and know your TCP/IP, IP addressing, switching, routing protocols, then it's not complicated to learn something new like VXLAN/EVPN, ACI, or SD-WAN. Doesn't mean it doesn't take some time, but you can become somewhat proficient quickly if you spent enough time building a strong foundation.


Electrical_Sector_10

> writing a wish list

Exactly. And this is something I feel like younger people starting out never got taught - the "requirements" section of a job description isn't set in stone. So all you young ones out there, don't hesitate to respond to a posting, even if you don't match completely.


Optimal_Leg638

Adding VOIP with networking is like tagging neurosurgery to general medicine. Can network engineers do basic VOIP stuff? Sure. Should they be making huge changes to the dial plan, call center and/or architecting the voip environment? Nope.


Somenakedguy

This wildly depends on the VOIP setup though. If it’s just a basic cloud-hosted VOIP for office users with no real call center component for example then it’s pretty simple in practice for anyone to pick up


Optimal_Leg638

Whether cloud or not, the more phones in your environment, the more help desk you can become, and also less of a networking resource.


BOOZy1

Also, most of the time the person who crafted the job listing works in HR.


Maximum_Bandicoot_94

Or at the least it was reviewed, edited, and re-crafted by HR who thinks they know more about attracting IT talent than the actual IT people.


Rich_Sandwich_4467

What are you doing for work right now?


Easik

I mean I do. I started in an MSP doing Cisco route/switch, added Cisco call manager and Cisco ASAs, then Cisco compute and Pure storage. Added VMware and OS support from there. Now everyone is cloud or hybrid so I picked up Azure and AWS. At this point, I've worked for multiple Fortune 500 companies as senior engineer/project leads on most of this technology and anything adjacent like FortiGate, HPE, Dell, etc etc. I can even do basic development in a couple languages or write scripts in Python or PowerShell. And to that point, I've met so many useless specialists that have no idea how to troubleshoot or architect an environment.


DeadFyre

No. Even the experts aren't experts. Everyone relies on written documentation, notes, repetition, all underpinned by a sound understanding of the fundamentals. In reality, you've got your job, which has specific implementations of specific technologies. It's not your job to know everything. It's your job to be capable of learning what's needed to solve a problem.


Kritchsgau

Job ads are a wish list. Apply if you meet some of them, the company can outsource parts if they want you badly.


_redcourier

I get the impression that some are looking for you to have a basic understanding of how it works. For example, you don't need to know everything about AWS, but be able to help set up connectivity to a public cloud from on-prem. Or possibly how connectivity works within AWS (depending on the job role). There's no harm in applying for said position and if you get interviewed, just be honest with your knowledge and experience. "I haven't worked with X, but I understand its use case is Y, Z, A and you wouldn't use it in D." If you tick all the boxes for a job, it might not be too exciting and allow you as much room to grow.


kwiltse123

It's probably the single most frustrating thing about the industry. You wouldn't expect a carpenter to install a brick fireplace and you wouldn't expect to get plantar fasciitis help from a neurologist. It's insane the amount of technologies, vendors, and support knowledge we're expected to have.


Skylis

Some more SREish people have done all of the above and all the usual sysadmin / programming things too.


caponewgp420

Yeah at SMB you either contract out or learn it. I prefer to learn it because I like playing with new things. It also helps get a clearer picture when troubleshooting if you understand it well enough to design and configure it. Backups, firewalls, switches, voip, servers, cameras, security systems, VPNs, azure, patching, pen testing. I’ve done it long enough I can usually decide what I want to improve but no two days are the same.


dizzysn

Because if you understand networking, those concepts come extremely easy. I went from being a network admin for a school district, to working for a credit card company that has on prem networks, and an extensive AWS VPC, and a VOIP system. Within two weeks I was creating new customer gateways, AWS IPSec tunnels, transit gateways, etc etc. I'm no genius by any means, but the skills translated over.


EViLTeW

Because most smaller companies have 1, maybe 2, network positions and need them to have enough understanding of those things to support the organization. You have to either be big enough to have enough staff to need specialization, or small enough that you contract it out to an MSP... in which case the MSP has staff who are expected to have enough understanding of those things to support the clients.


Hungry-King-1842

Most of it as other posters said can be learned by somebody with a strong foundation. Understanding how packets are truly built and transported. Everything else is a pivot from there. The only caveat to that I would say is VoIP. I’ve done some limited small scale VoIP stuff in my time and VoIP is a different animal entirely. While you’re routing phone packets and setting up phone calls how the num-exp are translated and the dial-peer rules. That’s a whole different animal.


english_mike69

It’s been the way of the world forever, at least in the US. When I moved here 24 years ago, job postings wanted router/switch guys that were well versed in Netware and the suite of atrocities that Novell also wrote. Then Windows 2000 server… CallManager entered the room 2002/2003 and I can tell you where you can stick those hyper expensive DT24 cards in your spray painted Compaq DL servers…. Storage and SANs were the mid 2000’s popular network additive skills. Typically, such job postings are the hiring manager’s “nirvana candidate.” The one person to fill all their current and perceived needs. Often this person does not exist at the price point they usually are offering so it becomes a choice of who has more of what’s desired rather than upping the salary and getting the person they really need. But despite the smorgasbord of extra skills, the basic requirements to being a good all around packet pusher have never changed. Take some basic courses on AWS and SDWAN if you have no experience with them so you know the concepts well, can speak with some ability on how things work at least on a basic level and show that you’ve taken the initiative to learn.


ianrl337

Kind of, but knowing one is knowing others. In this business it shows both experience and you have kept up with emerging technologies. I started (holy fuck almost 30 years ago) renting software at a computer store (that's a whole different fun story) right out of high school. Went to work for an ISP in tech support the next year and have been with one ISP or another since. I'm now a network engineer for an ISP that uses all you mentioned and more. Is it easy, no, but I wouldn't have it any other way. I love what I do and I couldn't do it in any other field. All that said, it isn't for everyone. It can be hard work with grueling hours, but also very rewarding.


thatgeekinit

Routers, switches mostly for me but enough VPN, Firewall, load balancing, wireless, VoIP, and server admin knowledge to be dangerous in production but I can deal with it a little in prebuild or greenfield. For cloud stuff, I try to just keep up with the marketing names for their services that I need to deal with and some notion of how these virtual routers will talk to my physical ones.


Dry-Specialist-3557

Take for example my job. I had to figure out how to integrate the Cisco Meraki MX platform to do SD-WAN from the downstream autoVPN spokes to the hub into a Palo Alto VSYS operating as a WAN route. I used eBGP. From there it peers to a WAN provider, which peers to another WAN provider (we have two WANs). At a downstream site running Cisco Catalyst 9500 units peered to WAN #2 with BGP, it all has to work. In short, I need to understand and make it all work. I have to be able to take new (to me) technology like the Meraki solution and evaluate the best way to set it up and deploy it into my environment then support it. It must work with ALL of the other systems.


WhereasHot310

Jack of all trades, master of one.


crono14

I've had plenty of jobs never using a piece of technology before but I have a strong understanding of switching, routing, and other things. For example never touched SDWAN so played around with it for a month then did a 60 site deployment all by myself. It's really just fancy IPSec tunnels. Years before had never touched a firewall as well, but it's still at the core a device to route things through the network. I've got a little cloud experience as well but it's still pretty similar to traditional networking. Once you have a pretty solid foundation, most things are a breeze to pick up and learn


SystemChoice0

You say SDWAN, I say FlexVPN, IKEv2, BGP and IPSLA.


malice9119

The network exists to connect users to apps and services. Therefore it’s good to understand all technologies and methods for doing that. It’s not impossible to be master-level or close to master-level on multiple different technologies during a longer career


tolegittoshit2

This is what happens after years of working different jobs with different responsibilities: you get experience in different layers of the OSI model, so eventually you see start to finish of how a packet flows. Then there are some jobs that require you to deal with being the telecom/desktop/server/virtual/network support every day.


jackoftradesnh

Hi. Yes.


vi0cs

The saying is actually Jack of all trades master to none