Wu Zhongjie: How to become an excellent network engineer


[51CTO.com original article] Today I want to share with you how to become an excellent network engineer. There are several steps: First, a good technical level, that is, hard power, which is the foundation of everything. Second, standardized design awareness. After the hard power is acquired, the problem is standardization. Not only must the technology be learned, but it must also be used in a reasonable position. Third, careful and meticulous thinking. Meticulousness is a necessary quality for a network engineer. Fourth, a flexible and adaptable mind, which mainly tests the accumulation of experience and psychological quality. After arriving at the customer site, as a network engineer, you need to make calm judgments and flexibly respond to any emergency.

1. Good technical level

1. Where is the technical level reflected?

The technical level is mainly reflected in two aspects: one is whether you are familiar with these theories and know their principles, and the other is whether you can implement them on the equipment. First of all, for the commonly used technologies in traditional networks, you must know their principles and application scenarios, and then for the equipment of different manufacturers, you must also be familiar with their respective configurations.

Do you know how to configure VLAN and Trunk on Cisco equipment? Do you know how to configure OSPF, BGP, and MPLSVPN on Huawei equipment? Your technical level is made up of these two aspects.

2. How do network engineers acquire knowledge?

I have two suggestions for students and working people.

Before joining the workforce: As a student, the most important thing is the textbook. There are many traditional network textbooks, and I recommend Cisco's. The best Cisco lecturer is Qin Ke, the leader of the Mingjiao. Memorize all the theory in the textbooks, then use simulators to run experiments that verify the theory, so that the two reinforce each other. In addition, you can read technical blogs, and classmates can also hold healthy technical exchanges.

After joining the workforce: You may not have much free time, so here are 4 suggestions.

(1) Inspection. Whether you do implementation or operation and maintenance, you must pay attention to inspection. Inspection is the best way to improve your skills, and it also provides the most opportunities to take part in cutovers. The configurations you see during inspections are all production-proven templates that you can reuse. In addition, if you find something you don't understand during an inspection, you can look it up and resolve it right away.

(2) Pay attention to the configuration examples in the manuals on the vendor's official website. Generally speaking, official documents are authoritative. For example, if you come into contact with the H3C 10512 switching product, you can find the H3C official website through Baidu, open the "Related Manuals" section and read the typical configuration examples. Through these examples you become familiar with the scenarios and the commands at the same time.

(3) Accumulate practical project experience. If you have the opportunity, participate in more practical projects, go to the computer room more often, stay up more late, and participate in more cutovers. This will also help you improve yourself.

(4) Ask the experts for guidance. You should listen carefully to what the experts who have been in the computer room and on the battlefield say to you.

Tip: The best way to learn Cisco is to read textbooks. Cisco simulators are numerous and powerful with few bugs. Once you have learned Cisco, understood the theory, and done the experiments, it will be easy to learn Huawei and H3C through the manual. After mastering this idea, you can easily use equipment from any manufacturer. This is the first step - to lay a good foundation.

2. Standardized design awareness

Standardized design awareness means that every technology can be used in a reasonable place. As a network engineer, when designing a network, you must always grasp the key points of the entire network design.

1. Introduction. First, please observe the network in the picture. This is a student's graduation project. The core layer provides DHCP services, but the PCs below cannot obtain the correct dynamic addresses. This is equivalent to DHCP being on the core. He wants to use the DHCP function on the core to assign IP addresses to the hosts below, but he cannot. After I tell you a few general specifications, let's take a look at this design: What are its advantages and disadvantages? What are the key points it does not grasp, and what are its highlights?

2. A few general rules.

(1) The Layer 2 topology should be designed as a triangle. This is my personal conclusion, and you may not agree with it. In my many years of practical experience, if the Layer 2 structure is designed too complicated, it is very likely that the spanning tree will not converge.

(2) If the core does not act as a gateway, try to configure as few other functions as possible on the core. Basically, the design points of the core layer are high efficiency and stability, so the core layer is usually only configured for routing, path selection, etc. Apart from that, I suggest not to add some fancy functions to the core. Taking the above figure as an example, it is not advisable to do DHCP in the core layer. Although it is a very simple function of allocating IP addresses, DHCP actually takes up a lot of resources. Try to let the core accept as few things as possible that are inefficient and not what the core should be responsible for.

Tip: If you actually need to use network equipment to implement some miscellaneous functions, you can move it to the aggregation layer. The aggregation layer equipment has both convergence and gateway functions. I suggest that spanning tree, basic ACL, DHCP, etc. can be configured on the aggregation layer. In addition, the access layer directly faces the terminal, so spanning tree, port security, MAC filtering, 802.1X authentication, etc. are all configured on the access layer.

(3) Switches/routers and firewalls have their own responsibilities and should not be used interchangeably. The previous points were about the hierarchy; this one is about the equipment. Switches and routers are mainly for data forwarding and are suited to dynamic routing, so routing protocols such as OSPF and BGP are generally run only on switches or routers. Firewalls are security devices and are usually suited to ACLs, security policies or NAT, but are not well suited to dynamic routing. Generally, during network design, traffic that passes through a firewall is handled with static routing, which means firewalls are usually configured with static routes only. Therefore, switches/routers and firewalls each have their own responsibilities.

(4) IP address usage rules. Try not to use addresses starting with 192.168; use /30 addresses for Layer 3 interface interconnection; use /29 for hot standby interconnection; pay attention to planning the loopback address because the router-id is very important.

(5) Rules for using routing protocols. The network type of OSPF is generally P2P; it is best to use the interface address when configuring IGP neighbors; it is generally recommended to use only one IGP neighbor between two devices (making good use of silent interfaces); iBGP generally uses the loopback interface as the update source, while eBGP generally uses the physical interface as the update source and turns on BFD; develop the habit of configuring descriptions on the interface.
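The addressing and routing rules in (4) and (5) are the kind of thing that is easy to state and easy to forget halfway through a large plan, so a small lint over the interface plan catches them before anything is typed into a device. The script below is an added example, not code from the article; the plan format, device names, interface names and addresses are constructed for illustration, and it checks the rules exactly as listed above: no 192.168 addresses, /30 for Layer 3 interconnects, /29 for hot-standby interconnects, a planned loopback per device, OSPF network type P2P, at most one IGP adjacency per device pair, and a description on every interface.

```python
"""Lint an interface plan against the addressing/routing design rules.

Added example, not from the original article. The plan schema, device
names and addresses are constructed; real plans would be exported from
an IPAM or design sheet in whatever format the team uses.
"""
import ipaddress
from collections import Counter

# Constructed sample plan: one entry per Layer 3 interface.
# role: l3-link | hot-standby | loopback; peer: device on the far end (l3-link only).
PLAN = [
    {"device": "S5700-1", "intf": "Vlanif100", "ip": "10.255.0.1/30",
     "role": "l3-link", "peer": "AR3260", "desc": "to-AR3260", "ospf_type": "p2p"},
    {"device": "S5700-1", "intf": "Vlanif101", "ip": "10.255.0.5/30",
     "role": "l3-link", "peer": "AR3260", "desc": "to-AR3260-2", "ospf_type": "p2p"},
    {"device": "S5700-1", "intf": "Vlanif200", "ip": "10.255.1.1/29",
     "role": "hot-standby", "peer": None, "desc": "vrrp-S5700-2", "ospf_type": "p2p"},
    {"device": "S5700-1", "intf": "LoopBack0", "ip": "10.254.0.1/32",
     "role": "loopback", "peer": None, "desc": "router-id", "ospf_type": None},
    {"device": "S5700-2", "intf": "Vlanif300", "ip": "192.168.9.1/24",
     "role": "l3-link", "peer": "AR3260", "desc": "", "ospf_type": "broadcast"},
    {"device": "AR3260", "intf": "GigabitEthernet0/0/1", "ip": "10.255.0.2/30",
     "role": "l3-link", "peer": "S5700-1", "desc": "to-S5700-1", "ospf_type": "p2p"},
]

PRIVATE_192 = ipaddress.ip_network("192.168.0.0/16")


def lint_plan(plan):
    """Return a list of (device, interface, message) findings; empty means clean."""
    findings = []
    devices = sorted({e["device"] for e in plan})
    has_loopback = {e["device"] for e in plan if e["role"] == "loopback"}
    # Count OSPF-enabled links from each device toward each peer.
    igp_adjacencies = Counter(
        (e["device"], e["peer"]) for e in plan
        if e["role"] == "l3-link" and e["ospf_type"] is not None)

    for e in plan:
        net = ipaddress.ip_interface(e["ip"]).network
        tag = (e["device"], e["intf"])
        if net.subnet_of(PRIVATE_192):
            findings.append(tag + ("avoid 192.168.x.x for infrastructure addressing",))
        if e["role"] == "l3-link" and net.prefixlen != 30:
            findings.append(tag + (f"Layer 3 interconnect should be /30, got /{net.prefixlen}",))
        if e["role"] == "hot-standby" and net.prefixlen != 29:
            findings.append(tag + (f"hot-standby interconnect should be /29, got /{net.prefixlen}",))
        if not e["desc"]:
            findings.append(tag + ("missing interface description",))
        if e["ospf_type"] is not None and e["ospf_type"] != "p2p":
            findings.append(tag + (f"OSPF network type should be p2p, got {e['ospf_type']}",))

    for dev in devices:
        if dev not in has_loopback:
            findings.append((dev, "-", "no loopback planned (needed for a stable router-id)"))
    for (dev, peer), count in sorted(igp_adjacencies.items()):
        if count > 1:
            findings.append((dev, "-", f"{count} IGP adjacencies toward {peer}; "
                                       "keep one and make the others silent interfaces"))
    return findings


if __name__ == "__main__":
    for dev, intf, msg in lint_plan(PLAN):
        print(f"{dev:8} {intf:22} {msg}")
```

Running it on the sample prints seven findings, all on S5700-2's badly planned Vlanif300, the second parallel OSPF link on S5700-1, and the two devices with no loopback. Rules (4) and (5) only say what to do; a lint like this is how you make sure the plan actually does it.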

3. Solution analysis.

[Case] A branch office plans to build a local area network, requiring the separation of internal and external networks. The network equipment purchased by the customer is: a Huawei AR3260 router, two Huawei S5720 switches, two Huawei S3700 switches, and a Huawei USG6600 firewall. Now all the equipment has been installed and connected.

[Requirements] Please meet the following network construction requirements based on this structure:

1. The Huawei AR3260, as the uplink device connected to the central organization's network (intranet), establishes a BGP neighbor relationship with the network equipment on the central side to receive the headquarters intranet routes.

2. Use the USG6600 firewall to connect to the external network directly, and use PPPoE dial-up to obtain the IP address.

3. Two S5720s are used as gateway devices for the LAN, and two S3700s are used as access layer devices for the LAN.

4. The LAN requires two network segments, one that only allows access to the external network and the other that only allows access to the internal network.

5. The total number of hosts in a branch office shall not exceed 200.

[Solution] Let’s look at the three design solutions one by one according to the needs.

[Solution 1]

- Assign two IP network segments: VLAN10 is 10.101.1.0/24, and VLAN20 is 10.102.2.0/24. Allow 10.101.1.0/24 to access the intranet, and allow 10.102.2.0/24 to access the extranet.

- 10.101.1.0/24 can only access the intranet, so NAT is not performed for this network segment on the USG6600; and 10.102.2.0/24 can only access the extranet, so on the AR3260, use an ACL to deny this network segment from accessing the intranet.

- MSTP+VRRP is implemented on the two S5700s. S5700-1 is the root bridge and VRRP master of VLAN 10 (10.101.1.0/24). S5700-2 is the root bridge and VRRP master of VLAN 20 (10.102.2.0/24).

- Run OSPF between the AR3260 and the S5700s, and perform bidirectional redistribution between OSPF and BGP; write a default route toward the USG 6600.

- Consider swapping the positions of the USG 6600 and AR3260 so that the AR3260 can support DMVPN and the firewall, now facing the intranet, only needs general routing functions.

[Question]: The purpose of swapping the positions of USG 6600 and AR3260 is just to adapt to the backup channel of DMVPN. This is putting the cart before the horse and is the undesirable part of Solution 1. Moreover, Huawei does not have DMVPN, but DSVPN, which requires additional license purchase to support. Moreover, after swapping the positions of the firewall and the router, the firewall will run both OSPF and BGP, which will definitely become an access bottleneck. In addition, exposing the router directly outside the firewall also reduces security.

[Solution 2]

- Allocate two IP segments: VLAN 11: 192.168.1.0/24, VLAN 12: 192.168.2.0/24. Allow 192.168.1.0/24 to access the intranet, and 192.168.2.0/24 to access the extranet.

- For hosts that may only access the intranet, write an ACL on the USG 6600 to deny them access to the extranet. For hosts that may only access the extranet, write an ACL on the S5720 to deny them access to the intranet.

- On the two S5700s, perform MSTP+VRRP, with the root bridge and VRRP master both on S5700-1.

- Run OSPF between the AR 3260, the S5700s and the USG 6600, and then inject a default route into the network in always mode on the USG 6600.

[Problem]: Use of junk IP addresses; letting the firewall run OSPF and injecting static routes, which reduces firewall performance; writing ACL on the S5720 and the firewall, which increases the difficulty of later operation and maintenance, and not considering whether the S5720 can support complex ACLs. This solution is a typical textbook solution, which uses various technologies without considering the characteristics of the device.

[Solution 3] (Standard design)

- Allocate two IP network segments: VLAN10: 10.101.1.0/24, VLAN20: 10.102.2.0/24, so that 10.101.1.0/24 can access the intranet and 10.102.2.0/24 can access the extranet.

- 10.101.1.0/24 can only access the intranet, so when writing static routes on the USG6600, do not write a route for 10.101.1.0/24. And 10.102.2.0/24 can only access the extranet, so on the AR3260, do not advertise 10.102.2.0/24 into BGP, so that headquarters never receives this route.

- On the two S5700s, perform MSTP+VRRP. S5700-1 is the root bridge and VRRP master of VLAN 10 (10.101.1.0/24). S5700-2 is the root bridge and VRRP master of VLAN 20 (10.102.2.0/24).

- Run OSPF between the AR3260 and the S5700s, write a summary static route to Null0 on the AR3260, and then use the network command to inject that summary route into BGP.
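What makes Solution 3 "standard" is that the two segments are separated by which routes exist on which device, not by ACLs: the USG6600 simply has no route back to 10.101.1.0/24, and headquarters only ever learns the summary that covers 10.101.x. The following is an added example (not code from the article) that models the two edge devices' routing tables with a longest-prefix-match lookup and checks the return path for each segment. The two LAN prefixes are from the article; the VRRP virtual IP, the 10.101.0.0/16 summary, and the headquarters prefix are assumptions made for the illustration.

```python
"""Route-presence model of Solution 3: who can reach which LAN segment?

Added example, not from the article. Segment prefixes follow the text;
the VRRP virtual IP, the /16 summary and the HQ prefix are assumed.
"""
import ipaddress


def lookup(rib, dst):
    """Longest-prefix match over rib ({prefix: next_hop}); None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


LAN_VIP = "10.255.0.1"   # assumed VRRP virtual IP on the S5700 pair facing the edge devices

# USG6600 (extranet edge): default toward the PPPoE dialer, and a static route for the
# extranet segment only. 10.101.1.0/24 is deliberately absent, as Solution 3 requires.
USG_RIB = {
    "0.0.0.0/0": "pppoe-dialer",
    "10.102.2.0/24": LAN_VIP,
}

# AR3260 (intranet edge): both LAN segments via OSPF, an assumed /16 summary to Null0,
# and the headquarters address space (assumed) learned via BGP.
AR_RIB = {
    "10.101.1.0/24": LAN_VIP,
    "10.102.2.0/24": LAN_VIP,
    "10.101.0.0/16": "Null0",
    "172.16.0.0/12": "bgp-hq",
}
AR_BGP_NETWORK = ["10.101.0.0/16"]   # only the summary is injected into BGP with `network`


def extranet_return_path(host):
    """Replies from the Internet reach host only if the USG routes it into the LAN."""
    return lookup(USG_RIB, host) == LAN_VIP


def intranet_return_path(host):
    """HQ reaches host only if BGP advertises a covering route AND the AR3260 forwards it
    into the LAN rather than dropping it on the Null0 summary."""
    advertised = any(ipaddress.ip_address(host) in ipaddress.ip_network(p)
                     for p in AR_BGP_NETWORK)
    return advertised and lookup(AR_RIB, host) == LAN_VIP


def reachability(host):
    """Summarise both directions for one host as a (extranet, intranet) pair."""
    return extranet_return_path(host), intranet_return_path(host)


if __name__ == "__main__":
    for h in ("10.101.1.10", "10.102.2.10", "10.101.9.9"):
        ext, intra = reachability(h)
        print(f"{h:14} extranet={ext!s:5} intranet={intra!s:5}")
```

The third address, 10.101.9.9, is not on any configured VLAN. Headquarters has a route for it (the summary covers it), but the AR3260 drops the packet on Null0 instead of bouncing it back along the default route, which is why the summary is pointed at Null0 rather than simply configured on the BGP side.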

3. Careful and detailed thinking

If a customer has two core devices Cisco6509 and wants to replace them with Huawei S12708, what do you think should be considered in the early stage? This question tests whether you are serious and meticulous.

If you only consider HSRP to VRRP, PVST to MSTP, EIGRP to OSPF, and so on, it is far from enough. First, if HSRP is changed to VRRP, the core must be moved to VRRP if it runs HSRP, but the most important difference between HSRP and VRRP is the multicast address. Remember that multicast address first, then think carefully about how to make the change; generally you must shut the old instance down first and then change it. Second, if EIGRP is changed to OSPF, there is an essential difference between the two, and their AD values are different, so the exact procedure for the change also requires care. Third, the spanning tree. A well-designed network will not put the spanning tree root on the core. So you must consider the problem comprehensively.

In addition to the above technical issues, what other factors should be considered?

First, site survey. This includes surveying the computer room environment, the rack location, the length of the spare cables, etc. For example, the Cisco 6509 and Huawei S12708 are both large devices that take up a lot of rack height, so before the replacement you should go to the computer room and check whether the S12708 fits in the space of the original Cisco 6509 and whether there is enough room.

Second, test. Can the new equipment start normally after it arrives? Generally, the equipment is transported to the site by logistics. If it is damaged during transportation, if the board is broken, if it cannot be started after being lifted to the rack, it will cause great trouble. Therefore, it is necessary to test whether the equipment can start normally and whether the equipment software functions normally.

Third, data collection. This data collection concerns the equipment before replacement. On the one hand, you need to collect the show run from the old equipment. In this example, you need to record the configuration before replacing the equipment and configure the new device according to the original Cisco 6509 configuration. Of course, you also need to translate the configuration, that is, translate the Cisco commands into Huawei S12708 commands. This is the process of collecting and translating the configuration. On the other hand, you also need to collect the original routing information, that is, show ip route, and capture the routing table so that it can be compared before and after the equipment is replaced. In addition, the operating status of the old equipment, such as CPU and memory utilization and whether the boards are working properly, all needs to be collected. Therefore, before the cutover, you must inspect the old equipment, so that you do not shut it down, find that the network needs to be rolled back, and then discover that the old equipment will not start. The more careful the preparation work is, the smoother the cutover will be.

Tip: After data collection is completed, testing is required before the cutover. This includes testing the hardware functions of the new equipment, upgrading the software of the new equipment, and checking the differences between Cisco's and Huawei's implementations of the same protocol. If conditions permit, do a simulation experiment first.
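The "capture the routing table for comparison before and after" step is only useful if the comparison is mechanical: a Cisco 6509 and a Huawei S12708 print their routing tables in different formats, and eyeballing a few hundred lines is exactly where a missing prefix slips through. The script below is an added example (not from the article): it parses a constructed `show ip route` capture from the old Cisco device and a constructed `display ip routing-table` capture from the new Huawei device, normalizes the protocol names, and reports prefixes that disappeared, appeared, or changed next hop or protocol. The sample lines are made up for the illustration and the regular expressions only cover the common IPv4 line shapes shown.

```python
"""Compare a pre-cutover Cisco routing table with a post-cutover Huawei one.

Added example, not from the article. The captures below are constructed
samples; real captures are pasted from the console before and after.
"""
import re
from collections import namedtuple

Route = namedtuple("Route", "prefix proto nexthop")

# Constructed sample: Cisco 6509 `show ip route` lines captured before the cutover.
CISCO_BEFORE = """\
C        10.0.0.0/30 is directly connected, Vlan100
O        10.1.1.0/24 [110/2] via 10.0.0.2, 01:02:03, Vlan100
O        10.1.2.0/24 [110/2] via 10.0.0.2, 01:02:03, Vlan100
B        172.16.0.0/12 [200/0] via 10.0.0.2, 2d03h
S*       0.0.0.0/0 [1/0] via 10.0.0.6
"""

# Constructed sample: Huawei S12708 `display ip routing-table` lines after the cutover.
HUAWEI_AFTER = """\
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.0.0.0/30         Direct  0    0           D   10.0.0.1        Vlanif100
10.1.1.0/24         OSPF    10   2           D   10.0.0.2        Vlanif100
172.16.0.0/12       IBGP    255  0          RD   10.0.0.2        Vlanif100
0.0.0.0/0           Static  60   0          RD   10.0.0.10       Vlanif200
"""

CISCO_CODES = {"C": "Direct", "O": "OSPF", "B": "BGP", "S": "Static"}
HUAWEI_PROTOS = {"Direct": "Direct", "OSPF": "OSPF", "IBGP": "BGP", "EBGP": "BGP", "Static": "Static"}

CISCO_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(?:is directly connected|\[\d+/\d+\] via (\d+\.\d+\.\d+\.\d+))")
HUAWEI_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+\d+\s+\d+\s+\S+\s+(\d+\.\d+\.\d+\.\d+)")


def parse_cisco(text):
    """Return {prefix: Route} from Cisco `show ip route` output (IPv4 unicast lines)."""
    routes = {}
    for line in text.splitlines():
        m = CISCO_RE.match(line)
        if m:
            code, prefix, nh = m.groups()
            routes[prefix] = Route(prefix, CISCO_CODES.get(code[0], code), nh)
    return routes


def parse_huawei(text):
    """Return {prefix: Route} from Huawei `display ip routing-table` output."""
    routes = {}
    for line in text.splitlines():
        m = HUAWEI_RE.match(line)
        if m:
            prefix, proto, nh = m.groups()
            proto = HUAWEI_PROTOS.get(proto, proto)
            # Cisco prints no next hop for connected routes; normalize Huawei to match.
            routes[prefix] = Route(prefix, proto, None if proto == "Direct" else nh)
    return routes


def diff_routes(before, after):
    """Report prefixes missing after cutover, newly appeared, or changed in proto/next hop."""
    missing = sorted(p for p in before if p not in after)
    new = sorted(p for p in after if p not in before)
    changed = [(p, before[p], after[p]) for p in sorted(before)
               if p in after and (before[p].proto, before[p].nexthop) != (after[p].proto, after[p].nexthop)]
    return {"missing": missing, "new": new, "changed": changed}


if __name__ == "__main__":
    report = diff_routes(parse_cisco(CISCO_BEFORE), parse_huawei(HUAWEI_AFTER))
    for key, items in report.items():
        print(key, items)
```

On the sample, the report flags 10.1.2.0/24 as missing after the cutover (an OSPF adjacency or network statement was not carried over) and the default route as changed, because its next hop moved from 10.0.0.6 to 10.0.0.10. Those are exactly the two findings that decide whether the network is delivered or rolled back.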

Finally, you must pay careful attention to the configuration order. Always remember not to lock yourself out of the device before the network is delivered; that is, do not configure anything that could prevent you from reaching or logging into the device. These things must be configured last. Operations such as interface authentication, AAA, and login source address restrictions must be configured only after the network services are working normally. Another point is that if a firewall is involved in the cutover, the firewall should first permit everything. Make sure the network is unimpeded and test connectivity before adding firewall policies.

4. Flexible and adaptable mind

How to be flexible? This has something to do with the psychological quality of network workers. Let's take a look at an example.

A customer's Cisco ASA firewall was configured with A/S mode failover. One day, the customer said that the firewall's failover suddenly broke, causing network disconnection. Upon inspection, it was found that the failover split was caused by inconsistent software versions of the two Cisco ASAs.

Facing this problem, the first thing you should do is not to analyze why the Cisco ASA software versions are inconsistent, because the network is down, and the most urgent thing is to restore it. In any case, solve the outage first and carry out optimization afterwards. In many cases you can "use local materials" to deal with a network failure. In this example, calmly analyze how to handle it flexibly. First, disconnect all connections on the Cisco ASA with the lower version, resolve the IP conflict, and bring the network back up. Then copy the higher-version IOS image to your computer, install it on the lower-version device, and the problem is solved.

To keep a flexible mind, you must develop good work habits and good psychological quality. Collect genuine IOS (.bin), VRP (.CC) and Comware (.ipe) files and carry them on a USB flash drive for easy use; back up device operating system files regularly, or remind customers to back them up. Collect configuration commands for various types of equipment. It is best to capture common configurations and templated configurations to form your own configuration ideas. Stay calm in any situation. Get confirmation from the customer's person in charge before restarting a device or cutting its power.


[51CTO original article, please indicate the original author and source as 51CTO.com when reprinting on partner sites]
