Slashdot Mirror


Ask Slashdot: Becoming a Network Administrator?

J. L. Tympanum writes "After many years as a star programmer, I have taken a position which involves maintaining and rebuilding the in-house network of a small company. There are maybe 100 machines, a mix of blade servers running Linux and desktop PCs running Windows of all flavors. Basically, I have to learn networking from scratch. I have been given an 'unlimited' budget to buy routers, switches, etc., to set up my own little test network as part of the learning process. So the question is: what's the right strategy here? What routers or switches or other equipment should I acquire? What books should I read? Should I take classes from Cisco, Global Knowledge, my local community college, or somewhere else?"

27 of 480 comments

  1. Step 1 by nuintari · · Score: 5, Funny

    Run, run as fast as you can, and don't look back.

    --

    --Nuintari

    slashdot : where an opinion can be wrong.

    1. Re:Step 1 by RenHoek · · Score: 4, Insightful

      1) Why does the network need rebuilding?
      2) Where the hell are they getting an unlimited budget from?
      3) Why, if they have money, would they hire somebody who never did any admin work?

      I'm not saying you won't be able to do it, I'm saying you try and figure out their motives and cover your ass with asbestos!

    2. Re:Step 1 by nuintari · · Score: 4, Informative

      And then, in all seriousness.

      Deploy Juniper products where you can. Commit confirmed alone will help keep you sane.

      As for learning how this stuff all glues together and works, that really depends on how you learn. I learn by trying things, and reading the manual, not from a classroom. YMMV, but I have never seen a class that did anything short of an awful job of explaining how networking works. I rely heavily on my peers and Google for ironing out issues that I cannot solve in my lab. Consider attending talks on subjects relevant to your needs, and anything that sounds even remotely interesting. Find someone more skilled than you who can explain shit in your native tongue and attempt to osmosis some talent bit by bit. Oh, and get yourself an O'Reilly Safari subscription, a nook/kindle/whatever, and start, as my friend Jeff says, consuming massive quantities of text.

      And seriously, consider running, you are in for a long, dark road of evil.

      --

      --Nuintari

      slashdot : where an opinion can be wrong.

    3. Re:Step 1 by MightyMartian · · Score: 3, Interesting

      What I find is that you'll start out with one plan, meticulously formulated through research and consultation and even after management has signed off on it... And then you'll find out that a half of the plan didn't make any sense or didn't in fact work the way those FAQs or sales people said it would, and the other half will be trounced by new demands from the departments you consulted because they neglected to tell you a part of their needs, or changed their minds, or read some article they read somewhere.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Step 1 by pvera · · Score: 4, Insightful

      I don't understand why this is modded funny, it is the correct plan of action assuming the move was voluntary. If this is a programmer that is trying to bail out of a sinking ship and this was the only job available at equivalent pay, then it is a completely different issue.

      The biggest red flag is the "unlimited budget" that doesn't cover hiring a properly trained network admin, instead pushing him/her to learn the whole thing from scratch at the same pay.

      --
      Pedro
      ----
      The Insomniac Coder
    5. Re:Step 1 by poetmatt · · Score: 4, Informative

      Underpaid, underappreciated and overworked? Get back to work!

      Network admins, unless they are basically amazing, are in for a typically rough ride through trying to get things to work, as things perceived as small changes can have enormous impact on network stability. Then you get to things like bad password policies, bad hardware policies, bad security policies, bad corporate policy and a good portion of the time network administration is just not worth the time.

      If it were $75-90k a year maybe, but otherwise definitely not worth more stress than pretty much any job that exists today including hard sales.

      Things to do: buy enterprise grade hardware, do not ever compromise on best buy/off the shelf hardware, restrict access as much as possible (and lock down ports as much as possible), make sure all devices go through a firewall (outbound) and all inbound connections go through their own separate firewall (inbound). Make sure that all requests inbound have to be requested from internal. Make sure that as much of inbound connections as possible are over a vpn if external.

      Basics: make use of forwarding, proxies, reverse forwarding, nat. Make sure that all of your DNS addresses which are assigned to computers point to internal DNS only, and that the same applies to the servers. No server should have any DHCP or DNS assignments from the local ISP.

      Redundancy: You must have it. At all levels. Check for cable backups, keep spare parts for everything - power supplies, cables, extra routers, extra server ISO's and images, extra copies of VM's, etc. Make sure you have redundant UPS's. Do not daisy chain UPS's (or maybe you can, someone else will comment- I'm no UPS genius). Make sure things are not physically linked in a way that when one thing fails, so cascades the rest. This means UPS's with hot swappable batteries. Make sure you have multiple switches and all servers have at least 2 NICs for both load balancing and additional failover.

      Check for shit people don't think of - check where the servers are located, what cables are running overhead, dust situation, etc. Make sure that the cooling for the server rooms is appropriate and is set up such that if the leak plate (forgot the proper term) floods it won't drip directly on the servers. Check for maintenance schedules, physical and software, check for licensing being followed, check for PCI compliance. Check security requirements for the server room, for the pcs.

      Additional redundancy: virtualize wherever possible, hardware permitting. Offsite backups, offsite hardware backups.

      Additional: prepare for hilariously large amounts of fuckery trying to deal with authentication between Linux and Windows. Linux is well documented and complicated. Windows is well documented and complicated.

      Lastly:
      Keep at least 3-6 full bottles of hard alcohol on hand, a 2 week resignation notice, and a mini-fridge full of beer in addition, and depending on the state you're working in, maybe keep a gun on hand if you're licensed and it's legal.

      Oh and don't forget, being a network administrator has basically NOTHING to do with being a network administrator. It's more like managing a circus of crying babies who have no idea what the fuck they're doing.
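
The internal-DNS-only rule from the comment above can be audited from collected resolv.conf files; this is an added example, not part of poetmatt's post. The hostnames, file contents and the `10.20.0.0/24` internal resolver range are constructed assumptions, and the function names are hypothetical.

```python
import ipaddress

# Assumption for this example: the site's internal DNS servers live in this range.
INTERNAL_DNS_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed resolv.conf contents, keyed by made-up hostnames.
SAMPLE_HOSTS = {
    "blade01": "search corp.example\nnameserver 10.20.0.10\nnameserver 10.20.0.11\n",
    "blade02": "# written by dhclient\nnameserver 10.20.0.10\nnameserver 203.0.113.53\n",
    "desk17": "nameserver 127.0.0.53\noptions edns0\n",
    "blade03": "search corp.example\n",
}


def nameservers(resolv_conf):
    """Extract nameserver addresses from resolv.conf text, skipping comments."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found


def classify(addr):
    """Label one resolver address: internal, external, local-stub or invalid."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any IPv6 zone id
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        # A local stub resolver hides the real upstream; check its own config.
        return "local-stub"
    if any(ip in net for net in INTERNAL_DNS_NETS):
        return "internal"
    return "external"


def audit(hosts):
    """Return {host: [(address, verdict), ...]} for hosts that break the rule."""
    report = {}
    for host, text in sorted(hosts.items()):
        servers = nameservers(text)
        problems = [(s, classify(s)) for s in servers if classify(s) != "internal"]
        if not servers:
            problems = [("", "none-configured")]
        if problems:
            report[host] = problems
    return report


if __name__ == "__main__":
    for host, problems in audit(SAMPLE_HOSTS).items():
        for addr, verdict in problems:
            print(f"{host}: {addr or '-'} {verdict}")
```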

    6. Re:Step 1 by bberens · · Score: 4, Funny

      I dunno, seems like a cake job to me. As a programmer I can assure you that the problem is never the network. Just ask the network guys, they'll be sure to tell you. Never mind the trace-route, pings, and FTP client log showing 100 byte/sec transfer speed I have provided, the single green LED graphic on the monitoring tool indicates with absolute certainty that all things on the network are working swimmingly.

      --
      Check out my lame java blog at www.javachopshop.com
    7. Re:Step 1 by DuoDreamer · · Score: 3, Interesting

      This is the best description I have read regarding the Network Admin position.

      When I started as an admin 5 years ago, the company didn't know to care about redundancy, or security. When I started, neither did I. I could build PCs, do some light programming, and had a knack for finding solutions with Google. In that time, I've replaced all network hardware and fixed the topology, expanded from 6 to 20 servers, added virtualization wherever possible, added battery backup to everything (many servers didn't have any UPS), replaced 100 Windows 2000 desktops, added 100 more desktops, upgraded the domain from 2000 to 2008, Exchange upgrades twice, migrated all storage to redundant RAID on server or via NAS, maintained DAILY tape backups of all servers, network monitoring via free Linux tools, expanded the network via T1 to include 7 satellite facilities and WAPs with VPN/firewall, and locked down every damned machine so that nobody can install anything. All while providing these people and locations with 24/7 tech support and software instruction. Monitoring scripts are all Perl and PowerShell, depending on OS. All of our network hardware is either Adtran or 3Com (now HP) and I've only had one switch failure in 5 years. No training seminars or certification taken, just lots of reading.

      It pays shit, but it's steady.

      FML.

    8. Re:Step 1 by mjwx · · Score: 3, Funny

      > As a programmer I can assure you that the problem is never the network.

      Damn straight,

      It's never an easy job because we keep everything working so well.

      > Never mind the trace-route, pings, and FTP client log showing 100 byte/sec transfer speed I have provided

      Takes end user's machine, turns off torrent clients, twitter clients, RSS feeds and streaming radio on the user's machine and watches the speed increase to normal levels. Finally I hit the user with a rather large wrench for wasting my time.

      First rule of net admin, The problem is always the user.

      > the single green LED graphic on the monitoring tool indicates with absolute certainty that all things on the network are working swimmingly.

      Second rule of net admin: The user lies. The user always lies.

      However Nagios does not lie. Nagios does exactly what I tell it to (that includes not running torrent clients at work)

      So when it comes down to you or Nagios, Nagios wins hands down.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  2. Don't Do It!!! by rwv · · Score: 4, Insightful

    Administering networks is best left to wizards and warlocks.

  3. Step #1 by Anonymous Coward · · Score: 5, Insightful

    Hire a professional :)

  4. Welcome to management by characterZer0 · · Score: 5, Funny

    1) Use your unlimited budget to hire a network administrator.
    2) Go golfing.

    --
    Go green: turn off your refrigerator.
  5. This isn't a boon. It's a curse. by Anonymous Coward · · Score: 5, Funny

    I have this job now and my girlfriend tells me I wake up almost nightly screaming. I can't help but think they're connected.

    1. Re:This isn't a boon. It's a curse. by PrimalChrome · · Score: 5, Funny

      Haven't you seen Inception? You're still sleeping....the girlfriend should have given it away.

    2. Re:This isn't a boon. It's a curse. by dkleinsc · · Score: 4, Funny

      That's clearly crazy talk. Admins don't have time for girlfriends.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  6. you just need to learn one thing by roman_mir · · Score: 5, Funny

    All you need is the cloud.

    What you do is get a cloud. Just connect all your machines and networks and cables to the cloud and you will be aaaaalright.

  7. Re:Odd choices by 0racle · · Score: 3, Funny

    It was a very dim star.

    --
    "I use a Mac because I'm just better than you are."
  8. Whatever you do... by Bobfrankly1 · · Score: 4, Funny

    ...don't take any lessons from anyone employed by Sony.

  9. Did you hear that? by DomNF15 · · Score: 4, Informative

    It's the can of worms popping open...

    You don't necessarily have to "buy" physical routers, switches, etc. These days, you can simulate pretty much any network setup you want via software and see how things work out: http://www.gns3.net/

    Also, asking "us" what hardware you should buy is like asking someone what kind of computer you should buy; the question is too general and the answer will depend largely on the business/security needs of the company.

    Tanenbaum wrote a very good book about TCP/IP networking which you may want to read: http://www.amazon.com/Computer-Networks-Andrew-S-Tannenbaum/dp/0131651838

    Aside from that, you should look into the basic requirements for network administration/security and make sure you understand and know how to apply them; the topics listed here could be a good starting point: http://en.wikipedia.org/wiki/CISSP

  10. Run... by dakkon1024 · · Score: 4, Informative

    I am a 12 year veteran of the field. My official title is Sr. Technical Engineer. I work for a small (15 person) consulting firm. I’m being completely straight w/ you. Start looking for a programming job. This is the end of my advice.
    If you need to fake it for a while, setup w/ a well-respected school in your area for your CCNA. If you have no budget concerns schools w/ equipment stacks and solid instruction will beat out any other option.
    But seriously, you’re making a bad career move, this isn’t meant to be funny.

  11. Hire someone who knows what they're doing by Sir_Sri · · Score: 5, Insightful

    Seriously. If you're learning networking from scratch you are not prepared to be in charge of a network with 100 computers. If you screw it up, you could mess things up for days. Start at the bottom and work your way up, or hire someone who knows wtf they're doing, you could contract in someone (there are always going to be consultants who do network around). Bring one of them in, have them go over some of it with you.

    The 'go read a CCNA book' advice isn't far off. But if you're already in charge CCNA is at least one step down from where you want to be.

    I reiterate: use your money to hire someone else. Either hire them to actually do the job and become network manager, or hire a consultant in (be prepared to see this person regularly for a year or so) to come in and help you get things going. Make sure you have people on staff who actually know what they're doing, and can tell you when you're being an idiot.

    Going from programming to network administrator may as well be going to predator drone pilot. You use computers and networks, and familiarity with computer skills is great, but they are very, if not completely different skills. And while you're at it you need to learn to be a manager, because most programmers don't learn about budgets, HR practices, setting security and devices on the network policy and all that but from the sounds of it you have to decide how to spend money.

  12. Views from a New Entrant by imlepid · · Score: 4, Informative

    > what's the right strategy here?

    Proceed with caution. Make sure you enjoy networking and that its challenges interest you. Networking is very different from programming and also different from desktop support.

    > What routers or switches or other equipment should I acquire?

    I have extensive experience with HP Procurve equipment and I have been satisfied with their stuff. (In the network I manage we have about 120 HP switches.) They are pretty reasonable in price and have a lifetime warranty on their switches and routers (I just got a replacement for a part for something that was manufactured 10 years ago, no hassle). Cisco is good if you like features, have a large network, and enjoy spending money. I would avoid Netgear switches (unless you need a small desktop switch (e.g. GS108) to provide more ports) as I have heard bad things but I have no first-hand experience. Expect to pay around $1000-1800 for a good 48-port Gigabit switch.

    > What books should I read? Should I take classes from Cisco, Global Knowledge, my local community college, or somewhere else?

    I would look to achieve a "CCNA level" knowledge. For a network of about 100 devices you won't need much more. You can do that by simply reading a book (e.g. the CCNA prep by Lammle or Cisco Press), self-study (e.g. books alone or with video) then trying to pass the test, or taking a classroom course with Cisco or GlobalKnowledge. The material covered in CCNA is useful even if you use Procurve devices (although vocab will be different, such as "vlan trunking" (Cisco) vs. "vlan tagging" (Procurve, IEEE 802.1Q))

    Background: I managed a network at a scientific research center (1000+ end user devices and a couple hundred servers). It's a mix of Cisco (core) and Procurve (edge). I have been working in networking full time for 2 years (I was in the poster's shoes not long ago) and with computers for about 5 years in a professional setting.

  13. Basics by g00head · · Score: 3, Informative
    Assuming you didn't leave out VoIP or Video Conf equipment:

    1. As above, take a CCNA course or find the materials. That will give you a good basis.

    2. Read everything you can in regards to VLANs and how they work/best practices/management by hardware OS

    3. Read everything you can about switch port management (i.e., access port vs. trunk port, again relies heavily on the chosen hardware OS)

    4. Choose your hardware: If money is no object, Cisco is reliable but more upfront and much more for yearly support. HP ProCurve is a very good economical option.

    a. Either way, use two stacked Layer 3 switches for core routing with Layer 2 switches for access layer.

    b. For Cisco products, I'd recommend a pair of stacked 3750X's, with 2960 for access layer switches.

    c. Save yourself pain later - have each access switch trunk to the core stack with an aggregated trunk, one port to each half of the core stack. (if half your core stack goes down, most of your network stays up. If one line/port of the trunk goes down, whole network stays up but speed may be affected depending upon bandwidth used)

    5. Use one VLAN for infrastructure (i.e., switches, servers, printers, appliances), use one VLAN for workstations, use one VLAN for wireless if necessary.

    a. Avoid using VTP, even if it seems like a good idea to you

    b. Do all routing between VLANs on the core stack, access switch trunks should carry all VLANs however

    c. Test the hell out of your config in a lab if you have time, lot less pressure telling them that the project is delayed by testing than telling them all work is delayed because you can't find the problem on the prod network

    d. Thank god you get a test network

    4. Once everything's built, configured, and running well - BACK ALL OF THE CONFIGS UP, and repeat whenever a config change is made.

    Good luck, and you'd really better love troubleshooting problems with very little info to go on...

    --
    "I'd make a wooshing sound, but the post was so far over your head it was inaudible..."
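
Items 4c and 5a of the comment above can be checked against a core-stack config before it leaves the lab; the following is an added example, not part of g00head's post. The config is constructed in IOS-style syntax, `lint_core` and its helpers are hypothetical names, and the linter assumes a missing `vtp mode` line means the default server mode.

```python
import re
from collections import defaultdict

# Constructed core-stack config in IOS-style syntax; every value here is made up.
# Stacked switches name ports <stack member>/<module>/<port>.
# Channel-group 1 is the uplink to one access switch, channel-group 2 to another.
SAMPLE_CORE_CONFIG = """\
vtp mode transparent
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet2/0/1
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 channel-group 2 mode active
!
"""

STACK_PORT_RE = re.compile(r"^[A-Za-z-]+(\d+)/\d+/\d+$")
CHANNEL_RE = re.compile(r"^channel-group (\d+) mode \S+$")


def parse(config):
    """Split a config into {interface name: [sub-commands]} and global lines."""
    interfaces, global_lines, current = {}, [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return interfaces, global_lines


def lint_core(config):
    """Return a list of findings; an empty list means both checks passed."""
    interfaces, global_lines = parse(config)
    findings = []

    # Item 5a: a config with no "vtp mode" line is treated as server mode.
    modes = [g.split()[-1] for g in global_lines if g.startswith("vtp mode ")]
    mode = modes[-1] if modes else "server"
    if mode not in ("transparent", "off"):
        findings.append(f"vtp: mode is {mode}, expected transparent or off")

    # Item 4c: every aggregated uplink needs ports on at least two stack members.
    members = defaultdict(set)
    for name, cmds in interfaces.items():
        port = STACK_PORT_RE.match(name)
        for cmd in cmds:
            group = CHANNEL_RE.match(cmd)
            if port and group:
                members[int(group.group(1))].add(int(port.group(1)))
    for group, units in sorted(members.items()):
        if len(units) < 2:
            findings.append(f"port-channel {group}: all members on stack member {min(units)}")
    return findings
```

On the sample, `lint_core(SAMPLE_CORE_CONFIG)` reports only port-channel 2, whose two ports both sit on stack member 1.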
  14. This is how I read it... by canadiangoose · · Score: 5, Insightful
    Dear Slashdot,

    I'd like to become an expert in a field in which I have no experience.

    It takes many years for most of the folks working in this field to gain the knowledge required to be effective, but I am very, very smart. So much smarter than most people, in fact, that it shouldn't take me more than a month or two to get a firm grasp on things.

    There's just one small problem that is preventing me from teaching myself everything that I need to know to be able to do my job well. See, I'm not smart enough to know how to even begin to teach myself anything about this field. I'm sure if someone could just point me in the right direction, I'm quite sure that I'll be able to make sense of things.

    Also, which vendors provide "easy" buttons on their gear?

    Please advise.

    MrGenius

    --
    Never eat more than you can lift -- Miss Piggy
  15. Here's what to do. by Stargoat · · Score: 5, Interesting

    I'm buried so far down here, I'm sure no one will read this. But here is what you need to do.

    1. Before you begin, attend a Cisco / Global Knowledge CCNA bootcamp. You may not leave able to program routers like a master, but you'll learn how networks work.

    2. Visit every PC, Server, Router, Switch. Put eyes on everything. Create a master spreadsheet. Document model numbers, IP addresses. Create Visio documentation of the way your network is set up. Document everything. You need a good deal of cabinets to store it all.

    3. Decide what is the most deficient part of the network, fix it with the simplest solution. If you're using hubs, buy switches. If the routers need to be rebooted constantly, buy new routers. Above all, keep it simple. If possible, stay away from VLANs, encryption software, Linux, or anything else complicated. Do this every year.

    4. Buy one third of the total number of PCs of the network plus ten percent. Buy only one model. Create a central image with Acronis and modify that image as necessary. Deploy these models. Repeat for the next three years.

    5. Outsource security. That way, when it breaks you can blame someone. At the same time, make sure you can monitor security to prevent breakage.

    6. If possible, outsource your main application. You don't want to support the product that everyone in the institution depends on. You need to keep the network up, not software.

    7. At the end of year one, bring in a network assessment. Tell the assessor what he needs to find before he arrives. Use that the next year to justify your new purchases.

    8. Make sure you stay friends with the president / CEO. When it is necessary to reorganize the server, etc, it will be necessary to have his good will.

    9. Be prepared to work like a sunuvabitch for two years. Take your spouse / GF out when you can.

    10. Don't let them make you program again. You're a network admin. You cannot support your old programming team.

    --
    Hoist Number One and Number Six.
  16. Re:Why? by billcopc · · Score: 3, Interesting

    Small businesses tend to have rapidly-changing needs and few staff. If they have less development work coming in, and a pressing need to replace a sysadmin, it's perfectly sane to ask the developer if he can switch hats, given sufficient resources and support. For the employee, it keeps him in a job. For the company, it saves them from having to hire a new guy, which is neither cheap nor enjoyable, and they'd have to train the new guy anyway, which is freakin' hard when the senior sysadmin is already long gone.

    I don't think it's such a stretch, the two roles tend to complement each other quite well. A good programmer-analyst already possesses 2/3rds of the knowledge required to be a competent sysadmin. You know the shell scripts will be a work of art :) I don't know why you think it's at the bottom of the ladder, because I see it the other way around. Programmers are a dime a dozen (see China). Good sysadmins are damn hard to find, which is why I have no shortage of contracts coming in from past employers and acquaintances. Trust is a big factor, because really, the sysadmin controls access to every resource, and thus by necessity has unlimited access to all your data and equipment. Who would you trust more, some kid walking in off the street with the price tag still hanging off his jacket, or an employee you've known for years ?

    --
    -Billco, Fnarg.com
  17. Re:Odd choices by FictionPimp · · Score: 3, Interesting

    My story in a nutshell.

    Hired to program. Soon after system admin leaves. Servers need patching, junior admin screws up some compiles, etc so I step in and fix the server environment. Congrats, you are now a system admin (doh). A few months later, network admin is gone as well. New network guy is hired, but sucks at his job and for some reason doesn't get fired (still can't figure that out). I need the SAN to function properly, and I need the network to function properly. Congrats again, you are a network admin.

    Now the title outside my office says "Programmer", but I haven't written any programs in at least 2 years. I've written a dozen scripts to make my life easier, but mostly I spend my time managing, installing, patching, supporting, and planning the network and server infrastructure. Somehow I've also managed not to screw it up and have finally gotten to a point where I think I might be good at this. But I miss my compiler....