I’ve been called certifiable before – a sysadmin’s developing thoughts on certification

I’ve been a system administrator in some form or another since, I suppose, Summer 1988 when I provided ad hoc support for the RSTS/11 system at my college. I made a few bucks doing it as a lab assistant for two years, but I was probably too much of a proto-BOFH to stay on the payroll. I still fielded more questions than most of the lab assistants, and it prepared me moderately well for the following 25 years of user, system, and platform support.

One thing I’ve rarely ever done is get formally trained, or even less often, certified in a technology. I was three classes short of a computer science undergrad major just for fun, which should tell you I’m certifiable (didn’t take RPG, COBOL, or Calculus, but I did a bit of recreational Discrete Mathematics and two doses of Machine Structures).

Around the turn of the century, I took the Legato Certified Administrator (Data Protection) class and exam, and got certified on a technology I’d been deploying and managing for a few years at the time. In 2010 I took the Cloudera Hadoop Administrator course. I almost passed the certification exam then, but didn’t have time to go back and retake it before the retake offer expired. And that’s the extent of my formal training to date.

So what’s changed now?

Having been welcomed into the communities around Cisco’s datacenter technology and VMware’s virtualization platforms, I’m feeling an unnatural desire to work toward certifications in both of those areas. I have the 200-120 box set for CCNA Routing & Switching, although I’ve been leaning toward the datacenter path. I’m still trying to figure out what path to take with VMware, but we’ll have to see.

I was reading the Cisco Learning Network post “6 Reasons Employers Value Cisco Certifications” and it made me think about my aversion to certification over the last few years. So what’s wrong with certification, and what might be right about it?

What could possibly go wrong?

For one, some people collect certifications the way I collect old computers and SOHO routers. A cert shows that someone can pass a vendor’s exam, but it may not reflect feet-on-the-ground (or hands-on-the-keyboard) skills, much less big-picture architectural thinking. This was common when we spent a full year searching for a network admin at one job a few years back. No matter how many network certs you have, if you can’t at least take a shot at explaining subnetting, you’re probably not ready for the real world.

Another issue is that most certifications are vendor-specific, and may impart an undue bias toward that vendor over others. I’d like to think this isn’t the case, and a truly good network administrator/architect would know a broad swath of the market and be able to fit technology to an identified and triaged problem/business need, rather than trying to squeeze the business need into a given technology.

But what’s right?

For one, there are different skill levels and foci, and tiered/niched certifications can give a hint as to what level someone is. If I come in to an interview with a CCNA R&S, for example, I probably won’t be asked to provide in-depth explanations of SS7 or 802.11ac. There will always be bad interviewers, like the guy a few years ago who wanted me to explain in depth how BGP worked, after I had said twice that I wasn’t a network engineer and had only worked on LANs. So this isn’t foolproof on either end.

More important to me, now that I’m thinking about the process, is that pursuing a certification gives you a roadmap to study and prepare, and a somewhat finite goal to achieve. I never learned Perl because I didn’t really have a scope or a fixed goal. Making a personal goal to “learn me some networking,” alas, probably won’t get me anywhere.

Having a goal to, say, “take the CCNA DC exam at Cisco Live in May” gives me a framework and a finite goal. I can set aside time every week, study some of the Cisco Learning Network materials, watch some Pluralsight programs with Chris Wahl, and have a fixed time frame for preparation for the exam.

So where do we go from here?

For one, I think that box set of the 200-120 CCNA R&S library will probably sit in the closet for a few more months. It was on sale with an extra coupon at Barnes and Noble last summer, so I don’t feel too bad about it.

I will be plotting out my Cisco Certification Written Exam at Cisco Live in May, as hinted above. I blew off the free exam last year, which was probably good considering I’d had Tech Field Day 9 the week before (Tech Field Day events are great for scrambling the brain, and the 90-100F temperatures were leaning toward poaching my brain along with it).

I’m going to get more involved with Cisco Learning Network, as I’m sure Matt Saunders won’t let me slip on this. Hopefully some of my fellow Cisco Champions will cheer, jeer, prod, or otherwise support me on the journey as well.

And I’ll be sure to share my adventure with you fine readers… feel free to poke at me here if you have suggestions or haven’t heard from me on the certification path in a while.

Do share any certification feedback, suggestions for me, or warnings for other readers… in the comments below. 


Sorta Sad Panda – End Of Support Life for Some Netscreen/SSG routers

I was just looking up some Juniper gear I saw in a local auction… and discovered that the wheels of progress are indeed rolling along.

According to the Hardware EOS Milestone page, the NetScreen 5XT and 5GT, cute little firewall/VPN boxes that seem to be all over the place, reach their end of support life on June 30th and December 31st, 2013, respectively. Considering they were announced as EOL about 5 years ago, this isn’t a big surprise.

I was a bit concerned when the same page reported that the replacement products, the SSG-5 and SSG-20, had their EOL announced in December 2011, and their “Last Date to Convert Warranty” and “Same Day Support Discontinued” date is April 29th of this year (4 weeks away). But it looks like this only applies to the Japan, Korea, and Taiwan versions. Whew.

However, some further digging… and I see ScreenOS is on its own End Of Life path: 6.1 is already gone, 6.2 is supported through the end of 2013, and 6.3 goes away at the end of 2015.

I actually use an SSG-20 with the ADSL2+ PIM for my store’s Internet connection… and while it’s not under warranty and I don’t expect to need support, this did make me wonder what I should consider for my next CPE need.

I’d be tempted to put together an SRX240 with DOCSIS and ADSL2+, but best price I can imagine for that is $2k or so, which is more than I want to spend on this project. So maybe I’ll drive the SSG-20 into the ground, and deal with the problem when it arises. There’s always a spare ADSL2+ modem in the cabinet just in case…

Why so blue, panda bear?

I’m not all that sad, to be honest. But I have a habit of going with old technology until it no longer does what I need. Or until it’s cheaper to replace than to maintain, which can be the same thing.

Heck, I have actually installed Windows XP in the past month… and it stops getting updates any day now. And I’m used to far worse support prognoses–I’m looking at you, Cisco Linksys, with the “it’s a year old? Oh, no updates for you!” policies on a lot of your home network gear (wouldn’t be so bad if it was stuff that can run DD-WRT or OpenWRT… but RV042 and the like aren’t a fit there).

Anyway, this gear has had a good run, in the market and in my own environment. So I’ll keep an eye out for new and better gear within a minimal budget, and see where the world takes my networks.

Looking forward to Cisco Live 2013 in Orlando!

Welcome to those of you coming here through the Cisco Live 2013 Twitter List.

It looks like I’ll be able to make it to Cisco Live this year.

If you’d asked me even ten years ago if I’d ever be doing something like this, I would have asked if you’d gone off your meds. I was not a Cisco fan, partly because I worked in what became Nortel’s Ethernet switching division (the old Rapid City Communications group, which brought the Accelar/Passport 1000/8000 lines to market and pushed Cisco’s hand in bringing out Gigabit Ethernet).

(If we meet at CLUS, and if the rum is good, maybe I’ll tell you the Alidian story. Or not. Depends on who’s buying the rum.)

But I’m expanding my horizons, and I’ve spent over a year working in a UCS C-series (rackmount) environment, becoming sort of a subsistence expert on the platform (with lots of help from friends at Cisco of course). And I could see myself building on this experience in the future.

So I’m looking forward to my first big vendor event, meeting up with new and old friends, learning more about my new “home” platform and more about what’s around it as well.

It’ll be a busy June for me, as I’m headed for Austin to participate in Tech Field Day 9 the week before… and conveniently my company has a facility just outside Orlando that I’ll be able to bring the family to for a couple of days after Cisco Live.

Thanks for visiting… hope to see you in the comments, on Twitter, and at Cisco Live.

How many Internets do you need?

I’m a big fan of redundancy when it comes to Internet connectivity. Sometimes your provider has maintenance, or random cable modem reboots, or routing issues. And sometimes the hardware fails… I once had an enterprise colo site go down because, of all things, an SFP module for the Internet uplink failed.

There are two roads you can go down…

So for quite a while I’ve had two Internet connections at home. The primary one is ADSL2+ through Sonic.net, a local Bay Area ISP who offer service limited only by the laws of physics. With Annex M turned on, I get about 25mbit down/4mbit up — Annex M trades a chunk of download speed for a smaller chunk of upload speed, and with things like Bitcasa, Dropbox, and so forth, upload speed becomes more important.

My secondary connection is a Comcast cable modem… we have to have television for the little one anyway, so the additional cost for 25mbit-ish cable service is negligible.

For the longest time, I had separate wireless routers behind each connection. Sonic was the default, but if I had issues with that connection or just wanted a full 25mbit (or 15mbit at the time), I’d switch my laptop to the other wireless. What this meant was that most of the time, I had a 25mbit connection sitting idle.

As I mentioned, the cable modem service could be justified away as free, if I accept the usual price for a modest TV package and remember to renegotiate every 6 months or so. But still, it seemed like a waste.

Throwing hardware at the problem sometimes helps…

So I got the new-at-the-time Cradlepoint MBR-1200. This is a Wireless-N router that supports up to 5 broadband wireless modems (USB and ExpressCard), as well as up to two Gigabit Ethernet WAN connections. It will load balance across them, or a common option is to have the broadband cards serve as failover in case the wired WAN fails. So I set up the two connections that way, each getting DHCP settings from the respective providers, and started using it.

I found the connection was not reliable in load balancing mode, primarily due to DNS. Generally an ISP allows its own customers/netblocks to use its resolvers, but doesn’t leave them open to the world. So if the router had picked up one provider’s DNS servers, but a given query went out the other provider’s line, the query arrived from a source address that resolver wouldn’t answer, and I’d have problems resolving DNS records.

I didn’t think about it at the time–just went back to the manual failover method with separate networks–but when I found a good deal on a Cisco Linksys RV042 dual wan router, I started thinking about it again. About that time I’d started using OpenDNS, a third party DNS provider that provides metrics on your DNS use.

Or maybe throwing the cloud at it will help?

Then it hit me. Third party DNS would get around the split-brain networking issue I’d been experiencing before. I set up the RV042 with Comcast on one side and Sonic on the other, plugged in the OpenDNS resolvers in place of the provider DNS, and gave it a try. It worked.

I have still run into at least one problem that can be traced to the dual WAN configuration. Vonage, my phone service, gets terribly confused if client connections come in from multiple IPs, and was making me log in again for every frame and page I viewed. I haven’t seen this for any other sites, including banking and e-commerce. The solution for this was to set a static route to their subnet through one WAN connection, and now I can view my account again.
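To make the split-brain resolver problem and the static-route fix concrete, here is an added example (mine, not from the post or any router vendor): a small Python model of a per-flow load-balancing router, ISP resolvers that only answer their own customer block, a third-party resolver that answers anyone, and a static route pinning a sticky-session destination to one WAN. All addresses are documentation-prefix placeholders, not the real providers’.

```python
import itertools
from ipaddress import ip_address, ip_network

# Constructed sample WANs; documentation prefixes stand in for the real providers.
WANS = {
    "dsl":   {"addr": "198.51.100.10", "resolver": "198.51.100.53"},
    "cable": {"addr": "203.0.113.20",  "resolver": "203.0.113.53"},
}
PUBLIC_RESOLVER = "192.0.2.53"  # placeholder for a third-party resolver such as OpenDNS

# Source networks each resolver answers: an ISP resolver serves only its own
# customer block, while a third-party resolver answers any source address.
RESOLVER_ACL = {
    "198.51.100.53": [ip_network("198.51.100.0/24")],
    "203.0.113.53": [ip_network("203.0.113.0/24")],
    PUBLIC_RESOLVER: [ip_network("0.0.0.0/0")],
}

class DualWanRouter:
    """Per-flow round-robin across WANs; static routes pin a destination to one WAN."""

    def __init__(self, resolvers, static_routes=None):
        self.resolvers = list(resolvers)
        self.static_routes = {ip_network(n): w for n, w in (static_routes or {}).items()}
        self._next_wan = itertools.cycle(WANS)  # each new flow takes the next WAN

    def pick_wan(self, dst):
        dst = ip_address(dst)
        for net, wan in self.static_routes.items():
            if dst in net:
                return wan  # pinned destination always leaves via this WAN
        return next(self._next_wan)

    def resolve(self):
        """True if some configured resolver answers; each attempt is its own flow."""
        for resolver in self.resolvers:
            src = ip_address(WANS[self.pick_wan(resolver)]["addr"])
            if any(src in net for net in RESOLVER_ACL[resolver]):
                return True
        return False  # every attempt reached a resolver that rejects our source address

def failed_lookups(router, count):
    """Number of lookups out of `count` that got no answer at all."""
    return sum(not router.resolve() for _ in range(count))

def sources_seen_by(router, dst, connections):
    """WAN source addresses a remote site sees across several new connections."""
    return {WANS[router.pick_wan(dst)]["addr"] for _ in range(connections)}
```

With both ISP resolvers configured, only the lookups whose flows happen to leave via the matching WAN succeed; with the third-party resolver every lookup succeeds, and the static route is what keeps a session-sensitive site from seeing two different client addresses.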

And there are two other things I’m disappointed with in this configuration. One is that the RV042 is 10/100, and in theory Comcast could go faster than that would allow. The other is that the RV042 is too old for IPv6, but as I recall the Cradlepoint routers don’t support IPv6 either (even the ones that didn’t EOL last year like mine, sigh), so it’s not a specific pain to the RV042.

I expect that when Sonic.net comes out with native (non-tunnel) IPv6 I will start looking around again for a load balancing option. Maybe Peplink Balance 20/30 would do the job (100mbit, but IPv6 is supported even in the lower-end models).

As an aside, there are newer versions of the hardware above… and the links do add to my toy budget, if you choose to use them.

Have you done small network load balancing? What caveats and eurekas did you run into? And what hardware do you recommend?