
Expert Reference Series of White Papers

Optimizing Your
Network on a Budget

1-800-COURSES www.globalknowledge.com
Optimizing Your Network on a Budget
Raymond B. Dooley, CEO, International Communications Management, Inc.,
CCNP, CCDP, and CCSI

Introduction
The purpose of this paper is to define the issues related to optimizing an enterprise network, identify several new network technologies, and draw some conclusions on how best to satisfy the requirements defined. The paper uses the following format:

1. Definition of roles and examples of the relationship of corporate objectives and goals to network technology and optimization

2. Mission-critical network technology examples

3. Importance of staffing and technical certifications in network optimization, compared to outsourcing and the use of consultants, for each technology example

4. Role of a training provider in network optimization for an enterprise with a limited training budget

The role of an Information Technology (IT) Manager in an enterprise is to implement and maintain systems and procedures to support the operational processes and strategic initiatives of the enterprise. One of the most important (and costly) of the managed systems is the enterprise network, including the enterprise campus network, the enterprise edge, the service provider edge, and all the equipment and topologies that define the network infrastructure. There are several forces that drive the process:

1. The enterprise develops new strategic initiatives that require the implementation of new technology

2. New technology is developed that offers an opportunity to lower costs, increase efficiency, or develop
new strategic initiatives

3. Growth, sometimes complicated by acquisitions, may occur

4. Changes in operational processes (such as manufacturing or accounting) may require a change in IT technology or networking

5. Network solutions provided by network equipment and service providers change and evolve. For example, Cisco's Service-Oriented Network Architecture (SONA) is one of the latest approaches

If numbers one and two look a bit like the classic "chicken and egg" dilemma, they are. It is never certain whether a business strategy drove a technology, or a technology drove a new business strategy. Luckily, the IT manager does not have to solve this problem; instead, he implements the requirements and solutions created by the new development.

Copyright ©2006 Global Knowledge Training LLC. All rights reserved. Page 2

All of this involves network optimization. Network optimization is implementing technology and service to
provide the most efficient network service to all users, meet all the organizational goals of the enterprise, and
minimize costs. It is much easier to define than implement. It has numerous components:

1. Create and update a comprehensive network plan and design, starting with an accurate baseline of
existing systems.

2. Implement new systems to meet new strategic initiatives without any network outages before, during,
or after implementation.

3. Evaluate new technologies and network architectures (solutions), such as SONA, to determine if they
will contribute to network optimization.

4. Utilize all available features of network equipment and services to support high availability networking,
security, network management, and quality of service.

5. Prevent network outages. This includes a network design for high availability and a comprehensive network management system. Ensure that the operating systems and other software for all network devices are installed and maintained to a compatibility standard, to avoid costly version and feature mismatches.

6. Provide network security for the enterprise.

7. Recruit and train a staff to implement steps 1 – 6, troubleshoot, and maintain the optimized network. Use of outsourcing, consultants, and the technical level of the network staff must be analyzed and compared based on networking objectives versus cost.

A CEO of a Fortune 100 Company once said (paraphrased), "I consider Information Technology to be a weapon in the battle to win global market share." While a firm believer in corporate missions and vision statements, the CEO thought that an enterprise achieved success by following no more than four simply stated strategic initiatives. An IT or network manager in the various corporate divisions was required to understand these initiatives, how to implement the systems to support them, and how to optimize the network for them. This had to be done at the lowest possible cost, because lowering costs was always one of the initiatives. Most enterprises work the same way, whatever methods they use. Not every CEO articulates the requirements as well as this one did, but the idea is the same, and it creates identical challenges for IT and network managers.

The implementation of Automatic Teller Machines (ATMs) in the banking industry is a classic example of the impact of a new strategy on technology, and it provides a lead-in to a description of new network technologies and the importance of network optimization. In the early 1970s, a bank or banker (no one knows who had the idea first) visualized a machine that would provide banking services separate from a teller window. The vision included machines in non-traditional locations, 24-hour banking, and added services. Of course, these are things taken for granted today.

The challenge to implementing the new idea was that none of the requirements already defined for the IT and
network managers in the previous paragraphs were met.

1. The banking industry could not agree on the location and contents of the magnetic stripe on the bank
card.

2. There were no technology or network standards for ATMs; it was all vendor-driven.

3. The networks were optimized for IBM mainframe-to-terminal communications. The network managers
were not consulted about the idea of ATMs and how to attach them to the corporate network.

4. The ATMs contained a mini-computer that could only be networked with low-speed asynchronous communications protocols, which were incompatible with the mainframe and the existing network. However, the mainframe had to "talk" to the ATMs for them to work properly.

This is not a short story, but a saga, greatly shortened. During five years of trial and error, costing millions of dollars and countless man-hours, the ATM strategy was a total loser. The cost to implement, maintain, and network the machines was far greater than the revenue. The Return on Investment (ROI) was a large negative number. One banking executive was quoted, "If I could, I would take every ATM machine out, but I cannot because the other banks will leave them in, and I won't be competitive." This statement sums up why the banks continued to pour millions of dollars into this project. The war for market share dictated it.

Not surprisingly, the vision and strategy were valid. Once banking customers accepted the ATMs and actually began to prefer them over going into the bank during banking hours, the banks were able to cut the teller force by up to 70 percent and the ROI shot up dramatically.

If today’s managers were able to go back and use modern IT and network management techniques for the
project, most of the errors and much of the cost could have been avoided by proper planning and deployment
of IT and network technology. However, this is a smug view. The author was involved in the implementation of
ATM machines and will verify that all of the techniques available at the time were utilized. From today's view,
those techniques seem archaic and costly. The question any IT or network manager must consider is, "Are the
techniques and technologies in place for the network suitable to handle a completely new corporate strategic
initiative?" In other words, is there an ATM-like project in the future for this enterprise? And if so, can it be
implemented and optimized at the lowest possible cost?

The previous example is a description of actual events. Several years from now, similar business cases will be
written about network technologies that are emerging now, such as IP telephony, wireless, and virtual private
networks (VPNs) related to new developments such as medical multi-media, and virtualization of business and
technology functions (SONA). Modern solutions are based on the idea that hardware, software, and network
applications are “built-in” to network technologies and can then be implemented (turned on) as needed. It is
important for IT and network managers of today to avoid the technology traps shown by the banking example.

One point becomes paramount from the information presented so far. Optimization and cost are two of the
most important items for a network manager to consider. Before any conclusions are made about the best
ways to meet optimization and cost requirements, several new and important network technologies must be
described. Each of these technologies could have an impact on optimization, costs, or both. The first issue is
determining if the technology is appropriate to meet the objectives of the enterprise, and the second is having the expertise to properly plan, design, and implement the new technology into the existing network. The following technologies will be considered:

1. Security
2. Virtual Private Networks (VPNs)
3. IP telephony and Quality of Service (QoS)
4. Wireless networking
5. IP Multicasting and IPv6

Many additional technologies such as high-availability networking, content networking, and storage networking could also be included, but this paper would become a textbook, much too long.

Security
If the CEO of Boeing Company were asked what the financial loss associated with Airbus obtaining the design plans for Boeing's newest airplane would be, he would respond with a number in the billions of dollars, probably over $100 billion.

The next issue would be the odds of such a break-in: 1,000 to 1; 10,000 to 1; 100,000 to 1; or 1,000,000 to 1?
The amount of corporate resources and budget allocated to security should be directly related to the value of
the loss and the probability. If it is not, the corporate security policy is lacking.

There is consensus that the single best practice in designing and implementing network security is first to define a security policy. This is based on the idea that money allocated for security in the network is wasted if the system is not optimized, and it cannot be optimized against requirements that were never written down. This will be explored further in the certification and training section. There are several parts to a security policy:

1. Corporate Information
a. Identify assets
b. Assess risk
c. Identify areas of protection
d. Define responsibilities
2. Network Access Control Policy
3. Acceptable Use Policy
4. Security Management Policy
5. Incident-Handling Policy

Cisco’s Security Architecture for Enterprise (SAFE) defines four steps in their security wheel after the security
policy has been defined:

1. Secure
2. Monitor
3. Test
4. Improve

Two elements of network security will be explored: firewalls and intrusion detection/prevention. Neither of
these is new, but there are new features and capabilities being introduced regularly.

The first step of the network implementation (secure) consists of four parts: user and data authentication; encryption; vulnerability patching; and firewalling. Firewalling includes three primary functions: user authentication, denial of service (DoS) prevention, and packet filtering. Many firewalling solutions offload user authentication to specialized Authentication, Authorization, and Accounting (AAA) servers. DoS prevention is offloaded to specialized Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) solutions. Firewall devices then specialize in filtering network traffic to allow only valid packets to cross firewall interfaces.

The firewall hardware is located between the outside filter (the router connected to the Internet) and the inside filter (the router connected to the enterprise campus). The untrusted side consists of the outside interface, which carries the connection to the Internet, and one or more demilitarized zone (DMZ) interfaces connected to devices that must be reachable from outside, such as web servers, DNS servers, e-mail servers, VPN concentrators, or access servers (for dial-up users). Trusted interfaces are connected either to the enterprise campus, or to the application and database servers associated with the web servers on the DMZ, so that traffic from the public servers to those back-end servers still has to pass through the firewall. In a network design, the systems described in this paragraph are called the Internet Connectivity Module and the E-Commerce Module. A firewall system should support:

1. Packet filtering (main job)
2. Network Address Translation
3. Fail-over and hot standby
4. AAA (Authentication, Authorization, and Accounting), usually offloaded
5. Virtual Private Networks (VPNs may terminate on the firewall as one option)

One major security vendor, Cisco Systems, has offered the Private Internet Exchange (PIX) firewall system for many years. It includes:

1. Finesse operating system
2. Adaptive security algorithm (stateful tracking of connections across interfaces)
3. Cut-through proxy operation
4. Stateful fail-over and hot standby
5. Translations
6. Access control
7. Object grouping
8. Attack guards and intrusion detection
9. AAA
10. VPNs
11. PIX device manager
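As an added example (not code from the paper or from Cisco), the following Python model shows the stateful packet-filtering behaviour the paper describes as a firewall's main job, and which the PIX adaptive security algorithm implements: new connections may leave a higher-security interface toward a lower one, their replies are admitted because they match a connection-table entry, and anything arriving from the untrusted side is dropped unless an explicit access-list entry permits it, as for the DMZ web server. The interface names, security levels, address plan, and sample packets are assumptions made for the example.

```python
"""Added example: a minimal model of the stateful packet filter the paper
describes, not code from the paper or from Cisco.  Interface names, security
levels, the address plan and the sample packets are assumptions."""
from dataclasses import dataclass

# PIX/ASA convention: 100 = most trusted, 0 = the Internet (assumed values).
INTERFACES = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for a TCP connection request


class StatefulFilter:
    def __init__(self, interfaces):
        self.levels = interfaces
        self.conns = set()   # established flows, recorded from the initiator's side
        self.acl = []        # explicit permits for low-to-high traffic

    def permit(self, in_if, dst, dport, proto="tcp"):
        """Access-list entry, e.g. let the Internet reach the DMZ web server."""
        self.acl.append((in_if, dst, dport, proto))

    def egress_interface(self, dst):
        """Stand-in for the routing table: a hypothetical address plan."""
        if dst.startswith("10.1."):
            return "inside"
        if dst.startswith("192.0.2."):
            return "dmz"
        return "outside"

    def process(self, pkt):
        out_if = self.egress_interface(pkt.dst)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        new_flow = pkt.proto != "tcp" or pkt.syn
        # 1. Reply traffic of a recorded connection is accepted in either direction.
        if rev in self.conns:
            return "permit-state"
        # 2. Higher-security to lower-security: allowed, and the flow is recorded
        #    so that only its replies can come back in.
        if self.levels[pkt.in_if] > self.levels[out_if]:
            if new_flow:
                self.conns.add(fwd)
                return "permit-outbound"
            return "drop-no-state"   # mid-stream TCP segment with no connection entry
        # 3. Lower to higher needs an explicit ACL entry, and only for new connections.
        if new_flow and (pkt.in_if, pkt.dst, pkt.dport, pkt.proto) in self.acl:
            self.conns.add(fwd)
            return "permit-acl"
        return "drop"


def demo():
    """Constructed traffic: verdicts in order, for the reader and the test."""
    fw = StatefulFilter(INTERFACES)
    fw.permit("outside", "192.0.2.10", 80)   # public web server in the DMZ
    return [
        # inside host opens a connection to the Internet ...
        fw.process(Packet("inside", "10.1.1.5", 40000, "203.0.113.7", 443, syn=True)),
        # ... and the reply is admitted because the flow is in the table
        fw.process(Packet("outside", "203.0.113.7", 443, "10.1.1.5", 40000)),
        # Internet client reaches the DMZ web server through the ACL
        fw.process(Packet("outside", "198.51.100.9", 51000, "192.0.2.10", 80, syn=True)),
        # Internet host tries the inside network directly: no ACL, no state
        fw.process(Packet("outside", "198.51.100.9", 51001, "10.1.1.5", 445, syn=True)),
        # spoofed "reply" that matches no recorded connection
        fw.process(Packet("outside", "203.0.113.7", 443, "10.1.1.5", 40001)),
    ]


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the asymmetry: the inside can reach out freely, but the only packets that get back in are replies to flows the firewall itself recorded, or new connections that an administrator explicitly permitted to a DMZ service.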

The cost of firewalls varies widely, depending on the size and complexity of the design, the speed and number of firewall interfaces required, and the size of the network. In addition, the cost must be weighed against the cost of a major break-in. As a manager is optimizing the network for an enterprise, he should be aware of the present level of network security threats, have a valid security policy, and implement the latest solutions. As a philosopher once said, "The devil is in the details," and it has never been more accurate than when trying to keep up with "the latest solutions."

Cisco Systems has recently announced the Adaptive Security Appliance 5500 (ASA 5500), which has the ability to replace the existing PIX firewall, the VPN concentrator, the AAA server, and, perhaps, the Intrusion Prevention System. The ASA 5500 has the following abilities:

1. Layer 2 transparent firewall mode allows the appliance to be inserted into an existing network without readdressing it. It also integrates with existing complex routing, high-availability, and IP multicasting.

2. Services virtualization enables the logical partitioning of a single ASA 5500 into multiple virtual firewalls (security contexts), each with its own unique policies and administration. It allows consolidation of multiple firewalls into one device.

3. Standard IEEE 802.1Q Virtual LAN (VLAN) trunking support.

4. OSPF routing support.

5. Support for Protocol Independent Multicast (PIM) for IP multicast

6. IPv6 support

7. QoS support for Low-Latency Queuing (LLQ) and traffic policing to support real time traffic

8. IP telephony support for IP phone deployments

9. Stateful active/standby for fail-over

Intrusion detection/prevention systems operate at step two of the security wheel (monitor) to detect and automatically stop intruders at the enterprise edge, as the first line of defense. IDS/IPS solutions inspect packets traversing network links and may be deployed in network modules within the enterprise campus, as well as at the enterprise edge. The server farm module is another prime candidate for these solutions. IDS deployed as an application on a server is called Host IDS (HIDS). IDS/IPS alerts also reveal whether the security devices of step 1 (secure) have been configured properly, since traffic that should have been blocked upstream shows up in the sensor's logs. There are three basic types of attacks:

1. Reconnaissance
2. Access
3. Denial of Service (DoS)

Many times, a reconnaissance attack will precede an access or DoS attack. The Cisco IPS 4200 series is one system for intrusion detection/prevention. It would be part of the enterprise implementation in the Internet Connectivity/E-Commerce module of the network design.

The cost of these systems will vary and must be weighed against the cost of an outage. A denial of service attack, for example, may cause the corporate servers to be down for a day or more. These are launched against companies like Yahoo and Google on a regular basis with a wave of publicity. For example, suppose the cost of an IDS/IPS system is $40,000, including $10,000 for training of key personnel, and the gross profit lost from a day of server outage is $75,000. If the system prevents that one outage, it returns $35,000 more than it cost, an ROI of roughly 88 percent on this single event. An ROI calculation for an individual enterprise would reflect actual system cost and the cost of a server outage, but security falls into the category of "not being able to afford to not do it."
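The paper's budget rule (security spending should follow loss value times probability, from the Boeing illustration above) and its IDS/IPS ROI example can both be written out as a short annualized-loss calculation. The following is an added example, not the paper's own method: the $40,000 and $75,000 figures are the paper's, while the event rates and the other candidate controls are constructed assumptions.

```python
"""Added example: annualized-loss arithmetic behind the paper's budget rule and
its IDS/IPS ROI illustration.  Not the paper's method; the $40,000 and $75,000
figures are the paper's, the event rates and other controls are constructed."""


def annualized_loss(single_loss, events_per_year):
    """Annualized loss expectancy: loss per event times expected events per year."""
    return single_loss * events_per_year


def roi(benefit, cost):
    """Return on investment as a fraction of cost."""
    return (benefit - cost) / cost


def evaluate_control(name, cost, single_loss, rate_before, rate_after):
    """Expected annual loss a control removes, against what the control costs."""
    ale_before = annualized_loss(single_loss, rate_before)
    ale_after = annualized_loss(single_loss, rate_after)
    reduction = ale_before - ale_after
    return {
        "control": name,
        "cost": cost,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": reduction - cost,
        "roi": roi(reduction, cost),
    }


def rank_controls(controls):
    """Controls worth funding, largest net benefit first.  A control whose cost
    exceeds the risk it removes is left out: that is the paper's point that the
    budget should follow loss value times probability."""
    evaluated = [evaluate_control(**c) for c in controls]
    worthwhile = [r for r in evaluated if r["net_benefit"] > 0]
    return sorted(worthwhile, key=lambda r: r["net_benefit"], reverse=True)


# Constructed candidates.  The first uses the paper's numbers: a $40,000
# IDS/IPS (training included) against a $75,000-per-day outage.
CANDIDATES = [
    {"name": "IDS/IPS at the Internet edge", "cost": 40_000,
     "single_loss": 75_000, "rate_before": 1.0, "rate_after": 0.25},
    {"name": "Second firewall for hot standby", "cost": 25_000,
     "single_loss": 75_000, "rate_before": 0.5, "rate_after": 0.125},
    {"name": "Full DMZ rebuild", "cost": 250_000,
     "single_loss": 75_000, "rate_before": 0.25, "rate_after": 0.125},
]


if __name__ == "__main__":
    for r in rank_controls(CANDIDATES):
        print(f"{r['control']}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"net benefit {r['net_benefit']:,.0f}, ROI {r['roi']:.0%}")
    # The paper's single-outage view: $75,000 avoided against a $40,000 spend.
    print(f"single-outage ROI: {roi(75_000, 40_000):.1%}")
```

The ranking is only as good as the loss and frequency estimates feeding it, which is why the paper insists on the asset identification and risk assessment steps of the security policy before any equipment is bought.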

Trained and competent network personnel are absolutely necessary to make security systems work: not only to implement the system, but also to decide if it is needed, select which system to purchase, alter the network plan and design to include it, and optimize the network after implementing it. The manager now faces some difficult and important choices related to network security optimization, which will be covered in more detail in the conclusion portion of this paper.

Virtual Private Networks


A Virtual Private Network (VPN) allows a "tunnel" to be constructed through a public network such as the Internet, for the purpose of transporting private data. The tunnel is secured by authenticating the endpoints (with pre-shared keys or public-key certificates), agreeing on session keys, and then protecting every packet with a keyed data-integrity hash and encryption. Typical data authentication is a keyed hash (HMAC) built on the Secure Hash Algorithm (SHA-1) or Message Digest 5 (MD5). The encryption method can be Triple DES (3DES) or Advanced Encryption Standard (AES); of these, AES with a SHA-based HMAC is the stronger choice, as MD5 and 3DES are legacy algorithms. The entire process of key exchange, data authentication, and data encryption is defined by IP Security (IPsec). VPNs are being used for many purposes in the enterprise.

1. Remote Access VPNs, with a PC, router, or VPN appliance as the client in homes or small offices (usually with DSL or cable modem access to the local ISP), are rapidly replacing the traditional modem and Integrated Services Digital Network (ISDN) dial-up remote access solutions.

2. Site-to-site VPNs are being used to replace traditional WAN services such as frame relay and leased lines. The major drawback is the absence of a Service Level Agreement (SLA) from a provider to support QoS requirements, because the tunnel crosses the public Internet.

3. Peer-to-peer or "turnkey" VPNs are being offered by providers such as SBC, Verizon, Qwest, and BellSouth to replace traditional WAN services and offer an SLA to support QoS. The technology is the BGP/MPLS IP VPN, in which the provider's Multi-Protocol Label Switching (MPLS) core carries each customer's traffic separately and BGP distributes the customer routes; it is defined in RFC 2547 and its successor RFC 4364. Note that this kind of VPN separates customers' traffic but does not encrypt it; confidentiality, where required, still calls for IPsec over the MPLS service.
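The data-integrity part of the IPsec process described above, as an added example that is not from the paper: the code computes the ESP integrity check value (ICV) as HMAC-SHA-1-96 (RFC 2404: an HMAC over the SPI, sequence number and payload, truncated to 96 bits), verifies it with a constant-time comparison, and applies the receiver's anti-replay window, so that a tampered packet, a packet forged without the key, and a replayed packet are all rejected. Payload encryption is omitted, and the key, SPI, window size and packets are constructed for the example.

```python
"""Added example of the IPsec integrity check and anti-replay window; not code
from the paper.  Key, SPI and packets are constructed; payload encryption is
omitted."""
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits (RFC 2404)


def esp_icv(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over the ESP header (SPI, sequence number) and the payload.
    HMAC-MD5-96 (RFC 2403) would use hashlib.md5 instead; both are legacy
    choices next to the SHA-2 based algorithms used today."""
    header = struct.pack("!II", spi, seq)
    return hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ESP-style packet: SPI | seq | payload | ICV.  In real ESP the payload is
    the encrypted data plus trailer, and the ICV is computed over the ciphertext."""
    return struct.pack("!II", spi, seq) + payload + esp_icv(auth_key, spi, seq, payload)


class Receiver:
    """Verifies the ICV and enforces a sliding anti-replay window."""

    def __init__(self, auth_key: bytes, spi: int, window: int = 64):
        self.auth_key = auth_key
        self.spi = spi
        self.window = window
        self.highest = 0        # highest authenticated sequence number so far
        self.seen = set()       # authenticated sequence numbers inside the window

    def accept(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "drop: too short"
        spi, seq = struct.unpack("!II", packet[:8])
        payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        if spi != self.spi:
            return "drop: unknown SPI"
        # Replay check before the HMAC, so replayed packets cost no hash work.
        if seq <= self.highest - self.window or seq in self.seen:
            return "drop: replay"
        # Constant-time comparison avoids leaking how many ICV bytes matched.
        if not hmac.compare_digest(icv, esp_icv(self.auth_key, spi, seq, payload)):
            return "drop: bad ICV"
        # Only authenticated packets move the window.
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return "accept"


def demo():
    """Constructed exchange; returns the receiver's verdict for each packet."""
    key = b"constructed-example-key-not-for-real-use"
    spi = 0x1000
    rx = Receiver(key, spi)
    p1 = build_packet(key, spi, 1, b"hello branch office")
    p2 = build_packet(key, spi, 2, b"second packet")
    tampered = bytearray(build_packet(key, spi, 3, b"third packet"))
    tampered[8] ^= 0x01                      # flip one payload bit in transit
    forged = build_packet(b"attacker-guess", spi, 4, b"forged packet")
    return [
        rx.accept(p1),                       # accept
        rx.accept(p2),                       # accept
        rx.accept(p1),                       # drop: replay
        rx.accept(bytes(tampered)),          # drop: bad ICV
        rx.accept(forged),                   # drop: bad ICV
        rx.accept(build_packet(key, spi, 200, b"much later")),   # accept, window slides
        rx.accept(build_packet(key, spi, 5, b"too old now")),    # drop: replay, outside window
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two details are worth noting for anyone configuring this in practice: the window only advances on packets whose ICV verified, so an attacker cannot push legitimate traffic out of the window with forged sequence numbers, and the ICV is verified with a constant-time comparison rather than `==`.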

The VPN endpoints can be any of the following:

1. At the client end:
   a. PC
   b. VPN appliance (Cisco VPN 3002)
   c. Router

2. At the corporate end:
   a. VPN concentrator, such as Cisco 30xx
   b. Router
   c. Firewall
   d. Cisco ASA 5500 (mentioned earlier)

One of the reasons for the growing popularity of VPNs is low cost and implementation flexibility. It is true that VPN terminations are either inexpensive or already built into existing equipment such as routers, VPN concentrators, and security systems. In Europe, Multi-Protocol Label Switching (MPLS) based VPNs are usually preferred for the enterprise WAN as opposed to traditional WAN services. Of course, in Europe, these types of VPNs are universally available. The Europeans do not have to deal with branch offices in Montana and New Mexico where advanced technologies may be scarce. Moreover, there are several issues related to network optimization:

1. Cost for additional bandwidth to the ISP at both remote and headquarters locations
2. Cost of developing network personnel skills to negotiate SLAs and pricing contracts, or the cost of consultants to do so
3. Costs related to designing, implementing and maintaining VPN networks
4. Selection of terminating equipment
5. Use of VPNs in the IP telephony environment to support QoS

IP Telephony and QoS


For years, it has been said that voice and data are converged on the same network. The first time was when
voice analog signals from a telephone and analog signals from a modem were sent over the same wire using
frequency division multiplexing (Voila!). The second time was when analog signals from telephones and analog
signals from modems were both digitized with a common method and sent over the same wire using Time
Division Multiplexing (Double Voila!). The third time was when the modem was eliminated and digital tele-
phones were introduced so everything could be digital end-to-end (ISDN was developed at about the same
time). The digital voice was also compressed. (Another Voila!)

During all these developments, data was in packets and voice was in bits. Today, voice can not only be compressed, but also constructed into packets, frames, or cells (IP, frame relay, or ATM). The idea was to move away from circuit switching (Time Division Multiplexing [TDM]) and to packet switching to converge the network. (All still over one wire, by the way.) It was a terrific idea because existing data switching and routing equipment can be utilized to move the packets, frames, or cells, and the enterprise network infrastructure used to support voice traffic can gradually be removed.

Voice over X (FR, IP, ATM) can be implemented on the gigabit Ethernet campus, the enterprise WAN, and over
the Internet and the Public Switched Telephone Network (PSTN). The technology was integrated into Ethernet
switches, WAN switches, routers, and access servers. The driving force of the first phase of IP telephony (VoX)
was cost of transport. The next step in the evolution of the solution is IP telephony.

1. The common factor for IP telephony convergence is IP. Voice over frame relay and voice over ATM are not current solutions.

2. IP telephones are now heavily implemented. The cost of IP telephones is low (on par with digital handsets at $600 - $900).

3. Costs of legacy PBX equipment are high: traditional phone switches and the maintenance contracts are very expensive.

4. The legacy PBX is replaced with a Call Manager (or cluster) that runs on a PC platform.

5. The IP telephony solution must include voice messaging and third-party applications.

6. Consolidation of support staff into IT could reduce costs.

7. Additional applications for the IP telephone are being developed daily.

8. The entire enterprise network infrastructure must be redesigned to support IP telephony and QoS.

Voice and video traffic are real-time protocols. IP was not designed to transport them with the proper controls on latency, packet jitter, and packet loss. The solution to this problem is to provide additional features in the network equipment to overcome this limitation and provide the proper controls. This process is called the implementation of QoS.

The first step in QoS is to identify a QoS policy, which involves ranking all of the packet flows traversing the
enterprise networks related to their latency, jitter, and packet loss parameters, as well as their importance to
the enterprise. No solution can be implemented without this policy. A typical ranking would be:

1. Voice traffic
2. Voice signaling and video
3. Mission-critical data
4. Important data
5. Default data
6. Scavenger data (less than best effort)

With the policy in place, congestion avoidance, policing, traffic shaping, and congestion management techniques may be implemented. However, the method of implementing a consistent end-to-end QoS policy differs among a Layer 2 switch, a multilayer switch, and a router. To optimize the network, technicians and network professionals have to be able to configure an end-to-end QoS policy accurately and with effective cost control, using Low-Latency Queuing (LLQ) on routers, Weighted Round Robin (WRR) on multilayer switch routed ports, and IEEE 802.1p class-of-service marking on Layer 2 switches.
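The six-class ranking and the LLQ mechanism can be shown together. The following is an added example, not the paper's or any vendor's code: a DSCP classifier using the common enterprise marking convention (EF for voice, CS3 for call signaling, AF41 for video, AF31 for mission-critical data, CS1 for scavenger) and a simplified LLQ scheduler in which voice is served first from a strict-priority queue that is policed to a configured rate, so a burst of voice cannot starve the data classes, which then share the remaining bandwidth by weight. The link rate, policer rate, weights, and packet sizes are constructed assumptions; unused class share is not redistributed to other classes, which a real class-based weighted fair queuing implementation would do.

```python
"""Added example: DSCP classification into the paper's six classes and a
simplified low-latency queuing (LLQ) scheduler.  Not the paper's or any
vendor's code; rates, weights and packets are constructed assumptions."""
from collections import deque

# DSCP -> class, in the paper's ranking order.  Unknown marks are default.
CLASS_OF_DSCP = {
    46: "voice",             # EF
    24: "signaling-video",   # CS3 call signaling
    34: "signaling-video",   # AF41 video
    26: "mission-critical",  # AF31
    18: "important",         # AF21
    0: "default",
    8: "scavenger",          # CS1, less than best effort
}

# Share (percent) of the non-priority bandwidth each data class gets under congestion.
WEIGHTS = {"signaling-video": 20, "mission-critical": 30, "important": 20,
           "default": 25, "scavenger": 5}


def classify(dscp):
    return CLASS_OF_DSCP.get(dscp, "default")


class LLQScheduler:
    def __init__(self, link_bps, priority_bps):
        self.link_bps = link_bps
        self.priority_bps = priority_bps     # policer rate for the priority queue
        self.queues = {c: deque() for c in ["voice", *WEIGHTS]}
        self.priority_dropped = 0

    def enqueue(self, dscp, size_bytes):
        self.queues[classify(dscp)].append(size_bytes)

    def transmit(self, interval_ms):
        """Drain the queues for one scheduling interval; returns bytes sent per class."""
        budget = self.link_bps * interval_ms // 8000          # bytes the link can carry
        sent = {c: 0 for c in self.queues}
        # 1. Strict priority for voice, capped by the policer so it cannot take the link.
        allowed = min(budget, self.priority_bps * interval_ms // 8000)
        q = self.queues["voice"]
        while q and q[0] <= allowed:
            size = q.popleft()
            allowed -= size
            budget -= size
            sent["voice"] += size
        self.priority_dropped += len(q)   # excess voice is dropped, not queued behind data
        q.clear()
        # 2. Remaining bandwidth is shared among the data classes by weight.
        total_w = sum(WEIGHTS.values())
        for cls, w in WEIGHTS.items():
            share = budget * w // total_w
            q = self.queues[cls]
            while q and q[0] <= share:
                size = q.popleft()
                share -= size
                sent[cls] += size
        return sent


def demo():
    """A T-1 (1.544 Mbps) with 400 kbps reserved for voice, one 100 ms interval."""
    sched = LLQScheduler(link_bps=1_544_000, priority_bps=400_000)
    for _ in range(30):
        sched.enqueue(46, 200)      # 30 voice packets: more than the policer allows
    for _ in range(2):
        sched.enqueue(24, 500)      # call signaling
    for _ in range(5):
        sched.enqueue(26, 1000)     # mission-critical data
    for _ in range(10):
        sched.enqueue(0, 1500)      # bulk default data
    for _ in range(3):
        sched.enqueue(8, 1500)      # scavenger
    sent = sched.transmit(100)
    return sent, sched.priority_dropped


if __name__ == "__main__":
    sent, dropped = demo()
    print(sent, "voice packets dropped by policer:", dropped)
```

In the constructed run the policer lets 5,000 bytes of voice through and drops the five packets beyond that, and the scavenger class, with a 5 percent share too small for even one 1,500-byte packet, gets nothing while the link is congested, which is exactly what "less than best effort" is meant to do.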

Once again, trained, experienced, and extremely creative network personnel will be required to evaluate,
select, implement, and optimize an IP telephony solution and the QoS to support it.

Wireless Networking
When wireless networking is mentioned, most networkers think of cellular telephones or other hand-held devices, microwave, or satellite. Wireless LAN solutions use radio frequencies in the unlicensed bands (which means anyone can use them without an FCC license, so interference from neighbours has to be managed). Wireless is a viable enterprise networking solution. Wireless LAN standards are in place from the IEEE (802.11), wireless bridges provide inter-building connections, and an entire set of Wi-Fi specifications are evolving under the 802.11 standard. Security has improved with the advent of IEEE 802.1X port-based authentication and the WPA and WPA2 (IEEE 802.11i) encryption schemes that replace Wired Equivalent Privacy (WEP), whose keys can be recovered by passive eavesdropping.

The advantages of not requiring copper wire for a LAN environment and the mobility possible for users are obvious. Cisco Systems offers a group of products (Aironet) for Wireless LAN and has just acquired another wireless company, Airespace. This is a highly competitive marketplace with many start-up companies offering products and solutions.

An early study commissioned by Cisco revealed that using Wireless LANs to improve connectivity to the corporate network saved workers an average of 70 minutes per day.

Once again, the importance of technically qualified personnel to implement this solution is critical, not only to configure wireless solutions and appropriate security measures, but also to decide where and how much wireless technology is required in an enterprise network.

Multicasting
In the past, a one-to-many networking topology was implemented using multi-point dedicated analog circuits. As one-to-many applications evolved (conference calling, video conferencing, electronic mail multicasts, and interest rate announcements in the banking industry), schemes to split the bandwidth from a source to the many points were devised. These systems worked as long as the "many" in the one-to-many was a fixed, unchanging group. There was no way to dynamically create a group or to have potential members dynamically join a group.

With IP multicasting, it is possible to define a multicast group with an IP address that can be used by a multicasting source to send packets. Routers can be configured to dynamically poll potential members of the multicast group and keep track of "joiners." Once the members of the group are located, the routers will construct a "tree" so that each multicast packet can be forwarded on the router interfaces where users are active. This process requires the following:

1. A multicast server application

2. A multicast client application

3. An IP multicast address and an equivalent Ethernet multicast address

4. A protocol for users to join and leave the group (Internet Group Management Protocol [IGMP])

5. A routing protocol to create and control two types of trees, source trees and shared trees (Protocol
Independent Multicast [PIM]—dense, sparse, and sparse-dense modes)

6. A method to keep layer two multicast frames from flooding layer two switches—IGMP Snooping and
Cisco’s Group Management Protocol (CGMP).

Multicast applications are usually specific and can provide a benefit to an enterprise. A few examples are:

1. Distance learning for education institutions and companies needing training
2. Tibco Software for stock traders and for specific categories of stock ticker information
3. Data warehousing for management of inventory to and from remote locations to headquarters
4. Corporate communications for video and/or audio conferencing
5. Streaming audio and video on demand for entertainment and simulation training
6. Internet gaming for interactive entertainment and simulation training
7. Data collection for polling information and multicast auction

There are many more, such as radio and TV broadcasts to the desktop and a number of financial applications.

A simple cost-benefit analysis of IP multicasting versus normal IP unicasting for a data warehousing provides a
concrete example of the benefits of IP multicasting. At headquarters of a typical company like Toys ‘R Us, there
is a warehouse full of inventory. Also, there are stores all across the nation that have inventory. The inventory
in the remote locations needs to be known at headquarters on a daily basis and vice versa. Suppose the database update for the remote locations is 250 megabytes (the actual Toys ‘R Us database would be much larger), there are 200 stores nation-wide (Toys ‘R Us has many more than that), and headquarters has a T-1 WAN connection at 1.544 megabits per second.

Since 250 megabytes is 2,000 megabits, the T-1 transfers the database in about 1,295 seconds, or just under 22 minutes. That does not seem like a problem until headquarters needs to send 200 separate unicast copies to the 200 individual stores every day: the T-1 would need just under 72 hours to reach all 200 stores, which cannot be done in a day. Even a T-3 (44.736 megabits per second) would need almost 2.5 hours using unicasting. With an IP multicasting application, only one data stream needs to be sent from headquarters to a pre-defined group (in this case the 200 stores), so the job takes the same 22 minutes on the T-1. Cost savings will vary depending on the monthly cost of the WAN, but 22 minutes on a T-1 versus 2.5 hours on a T-3 to perform the same task makes the difference obvious.

There are numerous issues for the implementation and optimization of IP multicast:

1. Application requirements: unidirectional or bi-directional; reliable or best effort; intra-domain or inter-domain

2. PIM Dense mode with flood and prune, sparse mode with shared tree, or sparse-dense mode

3. Session directory services

4. An evolving standard

If multicasting is required, IP multicasting will be less expensive than other alternatives, such as unicasting or
broadcasting.

IP Version Six (IPv6)


This has been announced many times:

1. The IPv4 address space is exhausted
2. Many new applications require many, many more IP addresses to function correctly
3. Something must be done

The following are hard facts:

1. Cisco is shipping all router IOSes with dual-stack IPv4 and IPv6
2. Microsoft, Sun, and Linux platforms are supporting dual-stack
3. Several IPv4 to IPv6 transition strategies are in place
4. There is an ISP open for business in Japan offering only IPv6

The following are network optimization issues:

1. Determine how IPv6 will affect the enterprise network design and staffing
2. Determine the impact of IPv6 on DNS, IP address assignment, and IP routing protocols
3. Determine if IPv6 will lead to higher costs

IP multicasting and IPv6 are two more technologies that will require highly trained and competent network
personnel to design and implement.

Training
The point has repeatedly been made that a technically competent network staff is a major concern of a network manager (if not the major concern). To meet the technical, design, and administrative challenges of the technologies described previously (security, VPNs, IP telephony and QoS, wireless networking, as well as IP multicasting and IPv6), two major challenges must be overcome to achieve network optimization within a budget.

1. Network services and products must be obtained at the lowest possible cost of ownership, and the network must be properly designed. These costs are partially fixed, partially variable, and possibly capitalized and depreciated.

2. The selection and deployment of network personnel is one of the largest and most controllable costs
under the authority of the network manager.

Most network managers deal well with item 1, but item 2 is more of a struggle. The following are two examples
of strategies used by large enterprises.

1. Recruit and train network specialists in all of the technology areas described and in others such as content
networking and storage networking. Maintain a core staff of intermediate to advanced general networking
personnel, with entry-level programs for beginners. The specialists only get involved in major designs or
redesigns, major procurements of equipment, big upgrades, and mission-critical troubleshooting. The core staff
handles everything else. This is an ideal approach, and proper training and accurate deployment of specialists
can minimize staff costs.

2. Recruit and train a network staff with minimal skills and outsource all of the complicated technical requirements
to site-management companies or to consultants. The local staff handles only simple day-to-day problems. This is
the same concept as “just in time” inventory systems, where costs are only incurred when there is a need. In a
large modern network, the costs could still be high due to extensive use of consultants and outsourcing
companies. In some cases, the cost is much higher than with option 1.

Mid-size companies are rarely able to implement either of the two options above and must find another way.
The most common method is a combination of the two approaches. A core staff of intermediate to advanced
technical personnel in general networking is the starting point. The other specialized functions may be
outsourced selectively to consultants and vendors. For example, the large providers offer several “turn-key”
security, IP telephony, and VPN solutions, and will provide expert technical support while working with the local
staff.

Management studies conducted by numerous independent companies have concluded that middle managers
lack the skill to objectively and completely evaluate the technical skills of members of their staff. Because of
this lack, industry technical certifications are viewed as an objective method to determine at least baseline
network-related skill sets.

The most critical aspect of any certification is to ensure that the certification is meaningful. There are a number
of different certifications that focus on different areas of the network, ranging from certifications designed for
entry-level engineers to those for advanced network engineers and managers. Certifications range from those of
independent third parties, such as CompTIA, ISC2, and TruSecure, to corporate, industry-accepted certifications,
such as those provided by Cisco or Microsoft.

One thing common to all of the alternatives listed is an absolute requirement for technical training, mentoring,
and on-the-job experience.

Listed below are some common third-party certifications and some vendor-authorized certifications. Details are
provided for the Cisco certifications.

Networking Certifications
• Network + (entry level)

Security Certifications
• TICSA (entry level)
• Security+ (entry level)
• CISSP (expert level)

Operating Systems Certifications
• MCSA (entry level)
• MCSE (expert level)

Web Certifications
• i-Net+ (entry level)
• CIW (entry level)

In the Cisco arena, for example, the following certifications are common:

• Cisco Certified Network Associate (CCNA)
• Cisco Certified Design Associate (CCDA)
• Cisco Certified Design Professional (CCDP)
• Cisco Certified Network Professional (CCNP)
• Cisco Certified Internetworking Professional (CCIP)
• Cisco Certified Security Specialist (CCSS)
• Cisco Certified Voice Specialist (CCVS)
• Cisco Certified Internetworking Expert (CCIE), several specialties
• Other Cisco Specialist certifications

The Cisco certifications are regarded in the networking field as fair, objective, and valuable in determining the
skills of an employee or contractor and their pay rate. However, there are additional issues from the perspective
of the network manager.

In many cases, training for certification is given to employees as a reward for long service or a job well done, or
is simply passed out in round-robin fashion. Often, the employee then enjoys the benefit of the company paying
for the training necessary to achieve the certification and leaves the company for a better-paying job.

The role of the network manager is to include certification training as part of a career plan for the employee
that will ensure that the employee sees a reason to stay with the enterprise. This requires thought, planning,
and creativity on the part of the manager. Promising job security is not an acceptable approach. Markets and
economies change so quickly that even government jobs are no longer secure.

The results of a recent survey revealed that the average salary of a CCNA is $75,000 per year and the average
salary of a CCNP is $88,000 per year. A CCSP is worth $96,000 per year. If the network manager is successful
in properly utilizing the certification and training process, optimizing the network is more possible and cost
benefits are realized. For example, if three CCNPs can do the work of four CCNAs, the following cost model is
possible:

• Salary for a CCNA is $75,000
• Salary for a CCNP is $88,000
• Cost of training each CCNP is $10,000

If the training and certification are accomplished in one year, the salary paid in the second year is $264,000
versus $300,000, a saving of $36,000. An ROI of 120 percent is reached in one year, and a saving of
$36,000 per year accrues after that. Whatever the model, there is no doubt that well-trained, experienced
personnel are going to be better able to optimize the network than inexperienced personnel.

All of the facts presented regarding employees would also be true of contractors, with one additional proviso.
Recently, a representative of a company that was paying about $10,000 per month for consultants reported that
its network manager had identified another way to achieve a high ROI by effectively utilizing training. The idea
was to provide additional training to employees, eliminate the consultants, and thereby eliminate $10,000 per
month in expense without adding any fixed cost. In this example, the cost of training was recouped very quickly.

Attributes of a Training Provider

It is significant that the idea of training has appeared many times in the description of professionals capable of
achieving and managing network optimization. Training and certification, along with on-the-job experience,
should be part of any network management and optimization strategy. For maximum results, a training
provider should become a strategic partner in reaching the objectives defined. An appropriate training provider
should meet the following requirements:

1. The training provider should assist in developing the training plan to meet the goals of the network
manager to maximize network optimization and minimize costs

2. The training provider should provide a complete range of training solutions
a. Self-paced e-learning
b. Web-based training
c. Instructor-led general training
d. Customized e-based or instructor-led training
e. Contractors and consultants as required

3. The training provider should offer competitive and volume-discount pricing

4. The training provider should stand behind the skill development promised

If a training provider meets these requirements, developing the staff competence to meet the stringent
demands of optimizing modern networks is within the reach of all network managers, even with the restriction
of reduced spending.

Conclusion
Network optimization cannot be achieved without a well-trained group of network professionals designing,
implementing, managing, and troubleshooting the enterprise network. Maintaining the appropriate level of
training and technical certification of the network staff is extremely challenging for the network manager with
reduced budgets. IT managers can develop a strategy for training and certification of personnel that will reduce
costs. A training provider is an important part of the strategy.

Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
Check out the following Global Knowledge courses:
Understanding Networking Fundamentals
TCP/IP Networking
Essentials of Network Security
Telecommunications Fundamentals

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a
sales representative.

Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use.
Our expert instructors draw upon their experiences to help you understand key concepts and how to apply
them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms,
e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

Raymond B. Dooley is CEO of International Communications Management, Inc. (ICM), a training company
headquartered in Redmond, WA. In the past, he has led a team that designed, developed, and implemented a
network-related training curriculum for United Airlines, Ameritech, and General Electric. More recently, he has
led a team of instructors focused primarily on Cisco-certified training. His academic and technical credentials
are BS, MBA, CCNP, CCDP, and CCSI. Mr. Dooley was assisted by David Stahl, Debby Phelps, BK Jones, William
Treneer, Jason Wyatte, and Carol Kavalla, all of whom are experienced network instructors, along with Norma
Douthit as editor.
