Networking as a Business Challenge
by Darren R. Starr


As many of you know, I’m not always all about technology. In fact, I have a lovely soap box which I like to stand upon and shout out to the world about the business side of networking. It is far too common that I encounter IT professionals who explain to me how their boss won’t allow this type of purchase or another because the capital expenditure is too high. After this, I tend to break out my soap box and explain that the problem isn’t the cost of the devices; it’s the way the purchase is presented to the guy with the money.


Networking, and IT in general, is a huge business challenge. CEOs and presidents of companies are really just wasting their time if they are trying to make informed decisions about whether to buy a Cisco switch or a Juniper switch. Their job is to either be the figurehead of the business or to manage the overall business. IT has been a tremendous problem for business owners and operators. This is because we make it a problem for them.


I was lucky enough in the past to be developing MPEG multiplexers for use within film post production, and while I was working on coding, I often helped out in the actual post production itself. While doing this, I ended up watching a series of business management videos called “The Unorganized Manager” featuring John Cleese. It was 3 hours of my life well spent. I began to understand what it means to actually properly manage a business. In fact, since that time, I’ve suggested to anyone who is in an IT position that they should watch it as well. These videos, if they teach nothing else, teach the importance of active and reactive management. They also teach that we shouldn’t be making excuses for failures within our departments; we should instead focus on fixing the problems and work towards not having similar problems again by actively managing our part of the company.


Let’s point out that our #1 goal should be nothing more than being able to provide a budget to our bosses before the start of the fiscal year which says one simple thing, “You should budget for X amount per user this year and expect to account Y and Z per user for the next two years.” Then, at the end of the year, you should provide a report showing how accurate your predictions were. Predictability is critical to operating a company.


When calculating the cost per user, there are three primary calculations which need to be made.

  1. What does it cost for the IT staff and services company wide? Divide this by the overall number of users supported by this staff and these services. This also includes server and software licensing costs. Don’t forget to add in “lab cost”, which is where new technologies are tested, designed and implemented before being placed in production.

  2. What does it cost for each individual user directly? This includes the cost of owning and maintaining a laptop, docking station, monitor, keyboard, mouse… it includes the cost of one smart phone (think iPhone or Android) plus insurance. It includes monthly bills like cell phone, internet access at work, home and mobile. It includes the cost of printing (this means X number of pages at X per page). It also means… most importantly for us, what does it cost to have them on the network?

  3. What does it cost per square foot or square meter to operate the network? This means cabling, wireless networking, additional telephones in unused offices, network switches, management systems, site-to-site VPNs etc…


In the end, our goal in IT should be very clearly “How do I build and operate the networking within the organization with a fixed budget of…” I’ll make my case for how this method of operating can improve business agility within the IT department and keep costs low.

The fun stuff

Network technology is still moving at an amazing rate. Examples of key technologies we should all be running are VoIP, 802.1X port authentication, Cisco TrustSec, 802.1AE MACsec, 802.11ac wireless, and SSL VPN. These technologies aren’t strictly about selling a new switch or a new appliance; it’s almost all about cutting costs. As a matter of fact, simply implementing Cisco ISE with 802.1X and TrustSec is in my opinion (and experience) one of the biggest cost cutting tools that a networking department has available to it today. They depend, however, on a few major budget breakers.

  1. 802.1X works on most Cisco switches, but TrustSec really needs newer switches to shine.

  2. ISE with the advanced license can be quite expensive for initial cost outlay.

  3. Newer firewalls (or at least newer software versions) are required.

  4. To make it most profitable, we need one switch port per jack on the wall. The bigger the office, the more ports we need, even if they’re not used.


The root of these problems is that costs are generally calculated based on the capital expenditure, or CapEx, meaning the initial cost of purchasing the system. To clarify the problem: we purchase hardware based on new features and technologies. We don’t properly budget the return on investment, which is when we consider:

  1. How much does it cost to operate the current devices we have in the network with the current limitations?

  2. What does it cost to replace the equipment?

  3. What will it cost us to operate the new equipment over the lifespan of approximately 3-5 years?

  4. How much did we save by replacing the old equipment as opposed to running the old technology?


Operating networking equipment is generally the most expensive part. Sure, a 48 port switch costs a few thousand dollars. But what does it cost to:

  1. Manage network ports based on the users and devices which are plugged into the ports? To calculate this, it is important to go into your ticket management system and identify the number of hours per year and amount of money per year involved in moving cables, configuring VLANs, troubleshooting problems at a port level, and troubleshooting layer-1 problems related to moves, adds and changes…

  2. Secure those ports? What did it cost to properly provision and manage VLANs for data and voice for each of the users? How often did someone have to login to a switch to make a move? What did it cost to manage specific broadcast domains which users belonged to? How many problems occurred from security related issues because someone typed the wrong VLAN number? What did it cost to make sure the users had access via the network to the right printers and scanners? What did it cost to make sure that a VPN user can access the same network resources from the outside as they did from the inside?

  3. Maintain different configurations for access ports across the network?
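To make the three cost-per-user calculations and the ROI questions above concrete, here is a small Python model as an added example; it is not code from the original post. Every figure in it is a constructed placeholder, the derivation of annual operating cost from ticket hours times an hourly rate is my assumption, and the flat growth rate used to project “Y and Z per user for the next two years” is likewise an assumption, not a method the article prescribes.

```python
"""Cost-per-user budget and equipment replacement ROI model (added example).

All numbers below are constructed placeholders, not figures from the article.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SharedCosts:
    """Calculation 1: company-wide IT costs, divided across all users."""
    staff: float      # annual cost of the IT staff
    services: float   # servers and software licensing
    lab: float        # lab where new technology is tested before production

    def total(self) -> float:
        return self.staff + self.services + self.lab


@dataclass
class PerUserCosts:
    """Calculation 2: what each individual user costs directly, per year."""
    hardware: float        # laptop, dock, monitor, keyboard, mouse (annualised)
    phone: float           # one smart phone plus insurance (annualised)
    monthly_bills: float   # cell phone, internet at work/home/mobile, per month
    pages_per_year: int    # printing volume
    cost_per_page: float   # printing cost per page
    network_access: float  # cost of having the user on the network, per year

    def total(self) -> float:
        return (self.hardware + self.phone + 12 * self.monthly_bills
                + self.pages_per_year * self.cost_per_page + self.network_access)


@dataclass
class PerAreaCosts:
    """Calculation 3: cost to operate the network per square metre of office."""
    area_m2: float
    cost_per_m2: float  # cabling, wireless, switches, management, VPNs, per year

    def total(self) -> float:
        return self.area_m2 * self.cost_per_m2


def cost_per_user(shared: SharedCosts, per_user: PerUserCosts,
                  per_area: PerAreaCosts, users: int) -> float:
    """Annual budget figure 'X per user' combining the three calculations."""
    if users <= 0:
        raise ValueError("need at least one supported user")
    return shared.total() / users + per_user.total() + per_area.total() / users


def project_budget(base: float, growth_rate: float, years: int) -> List[float]:
    """X for this year plus Y, Z... for following years (assumed flat growth)."""
    return [round(base * (1 + growth_rate) ** y, 2) for y in range(years + 1)]


@dataclass
class Equipment:
    name: str
    capex: float        # purchase cost; 0 for gear already owned (sunk cost)
    annual_opex: float  # cost to operate it for one year


def opex_from_tickets(ticket_hours: float, hourly_rate: float,
                      other_annual: float = 0.0) -> float:
    """Assumed: yearly MAC/VLAN/troubleshooting ticket hours priced at a rate."""
    return ticket_hours * hourly_rate + other_annual


def tco(eq: Equipment, years: int) -> float:
    """Total cost of ownership over the planned lifespan."""
    return eq.capex + eq.annual_opex * years


def replacement_savings(current: Equipment, new: Equipment, years: int) -> float:
    """Positive means replacing saved money over the horizon; negative means not."""
    return tco(current, years) - tco(new, years)


def break_even_years(current: Equipment, new: Equipment) -> Optional[float]:
    """Years until lower opex has repaid the extra capex; None if it never does."""
    extra_capex = new.capex - current.capex
    opex_delta = current.annual_opex - new.annual_opex
    if extra_capex <= 0:
        return 0.0
    if opex_delta <= 0:
        return None
    return extra_capex / opex_delta


def lease_cost_per_user_per_year(total_lease: float, years: int, users: int) -> float:
    """Spreads a leased refresh evenly so it fits a per-user budget line."""
    return total_lease / years / users


# Constructed sample organisation: 400 users, 4000 m2 of office.
USERS = 400
SHARED = SharedCosts(staff=600_000, services=150_000, lab=50_000)
PER_USER = PerUserCosts(hardware=600, phone=300, monthly_bills=80,
                        pages_per_year=2000, cost_per_page=0.05, network_access=200)
PER_AREA = PerAreaCosts(area_m2=4000, cost_per_m2=25)
# Constructed: existing switches cost nothing to buy but 1500 ticket hours a year.
CURRENT = Equipment("existing access switches", 0, opex_from_tickets(1500, 60, 10_000))
REPLACEMENT = Equipment("802.1X/TrustSec refresh", 250_000, 30_000)

if __name__ == "__main__":
    x = cost_per_user(SHARED, PER_USER, PER_AREA, USERS)
    print("Budget per user this year:", x, "projection:", project_budget(x, 0.03, 2))
    for horizon in (3, 5):
        print(f"{horizon}-year savings from replacing:",
              replacement_savings(CURRENT, REPLACEMENT, horizon))
    print("Break-even after years:", break_even_years(CURRENT, REPLACEMENT))
    print("Leased refresh per user per year:",
          lease_cost_per_user_per_year(REPLACEMENT.capex, 5, USERS))
```

With these placeholder inputs the refresh loses money on a 3-year horizon and saves it on a 5-year one, which is exactly why the lifespan you plan for (and the opex you pull from the ticket system) decides the answer, not the sticker price of the switch.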


Implementing just Cisco ISE with TrustSec, 802.1AE MACsec, 802.1X port authentication, 802.1X wireless authentication, and Cisco ASA with TrustSec termination and SSL VPN can cut costs dramatically, because every single access port on the network will always have precisely the same configuration for each user. The Cisco solution will make it possible to run AnyConnect on every client PC on the network and provide a single unified means of logging into the network from wired, wireless or remote access. ISE will then push the appropriate configuration to the ports the user logged in from, to ensure that all traffic from those users is identified by the Active Directory groups they belong to.

Cisco ISE with TrustSec and MACsec, when properly deployed:

  • Manages traffic based on the user’s groups as opposed to the IP addresses of the traffic. This allows for access control and broadcast domain flood limiting based on the user, not the VLAN.

  • Provides end-to-end encryption of traffic on the wire.

  • Provides Active Directory integrated logging and monitoring of traffic based on the users’ groups.

  • Completely removes ALL configurations at the access port level.

  • Completely removes ALL move, add, change requests.

  • Completely removes ALL cable mess from wiring cabinets.

  • Decreases the costs of cooling in our wiring closets by optimizing airflow.


User-based authentication:


  • Integrates with Microsoft Active Directory, meaning that new users added to the network by the user administrator (think Help Desk) can simply be added to Active Directory and attached to groups. Whatever PC on the network they then log in from, even if it’s one of their personal devices on the wireless network, will be properly configured for all traffic from end-to-end without any additional administration.

  • Eliminates the need to configure separate broadcast domains on each port. A single VLAN is good enough for everyone, since the scope of their traffic will be limited based on their user accounts.


How do I get it in my network?

Ok, so you’re seeing this as the ultimate tool in networking. Purchasing and deploying this technology costs A LOT! But this is an opportunity to gain control over your network and do it right this time. It all starts with leasing instead of buying. Leasing is extremely scary to many IT people, since it requires establishing financing agreements with companies to make it happen. If you’re not comfortable getting started with this, talk with Cisco or your authorized Cisco dealer. They are really good at this. They are always willing to go that extra mile, and they are constantly running campaigns which make it cheaper and easier. Let them help you get started.


Leasing is the only smart way of acquiring enterprise networking equipment, since technology moves on and devices like switches, by nature of their fixed function hardware, cannot be upgraded via firmware updates to add additional cost cutting features in the future. Consider technology like TrustSec, which makes regulation compliance for SOX, HIPAA and others much easier and more cost effective. These features could not be effectively added to existing hardware. In a few years, Cisco will have implemented other technologies. It is no secret that Cisco is moving all their enterprise networking to IOS XE from IOS. This means that while many features will still make it into IOS, the real features will come in IOS XE only. For an excellent example, consider NAT64, a mandatory tool for IPv6 transitioning. Also, consider 802.11ac, which is a disaster when not using switch integrated wireless controllers. These features are only available on IOS XE and will not be coming to IOS any time soon.


If we accept from the first day that the realistic lifespan of a switch or router is 5 years, or more realistically a little less, then to stay agile within the business we should plan from the start to replace networking devices in 5 years or less. Knowing that beforehand, we can work with Cisco or another financing source to provide a reliable and predictable monthly plan which meets our budget of cost per user or cost per square meter.

In conclusion

I feel that while this blog entry reads more like a sales presentation than a technology presentation, it sets the groundwork for my future blog entries, which will be focused primarily on how to enable business with technology. In those articles, I hope to make a business case for each topic and then show the implementation.


I hope you enjoyed this. I promise that future entries will be more on content and less on fluff.