Network Consulting Engineer
I came across a job ad for a Network Consulting Engineer. It's worth a blog post because it shows what's happening in the market. The ad states:
Alpha (renamed) is looking for an experienced Network Consulting Engineer to join during this time of growth.
Key responsibilities are set out below:
- Consult with clients to design and implement network security technologies for example next-gen firewall, remote access, network access control, SaaS and public cloud networking and security services.
- Work with a keen eye for detail within a network and security context across public, hybrid and private cloud environments
- Proven network engineering project background with knowledge and skills in analysis, design and implementation for some or all of the following areas: LAN, SD-WAN, WLAN, Cloud and Network Security Technologies
- Technical oversight for complex projects incorporating multiple technology streams.
Comprehensive subject matter expertise with at least 3 of the following technologies:
- Routing and Switching solutions
- Firewall and Network Security technology
- Wireless LAN infrastructure and RF Design
- SD-WAN and SASE Solutions
- Network Access Control and Authentication systems
- Cloud Networking technologies – AWS and Azure
The additions to the networking landscape are obvious, but the old is still present: routing and switching for IP routes, LAN for L2 switching, and firewalls. These are stable technologies covering layer 2, 3 and 4 communications and network security. They include MAC address tables, VLANs, IP addressing, subnets, route tables, LAN, WAN, SP VPNs, core/aggregation data center, TCP/UDP port filters and access lists, amongst other things. This is basic networking.
Next on the list is Wireless LAN infrastructure and RF Design. This covers Wi-Fi access points and WLCs. For example, an enterprise could be upgrading its wireless coverage. To cover an area like an office, RF design planning is required, which includes signal strength considerations for AP placement on floor plans.
Next are SD-WAN and SASE. These are the new blokes in town, brought on by changes in the networking landscape. Two things drive SD-WAN:
- Private MPLS WAN links being expensive
- Public internet connections having become faster
Because of this, the WAN is shifting from MPLS VPN SP links to internet-backhauled links. This requires:
- new branch edge devices
- new branch edge design to include internet back-haul
- new HQ design to include internet and SD-WAN HQ networking
That’s SD-WAN.
SASE is a Gartner term prompted by new traffic sources and new traffic sinks. Enterprise traffic patterns have changed. Traditionally all enterprise traffic would come to the HQ via the WAN and then go out to the internet through a firewall there; enterprise applications were also hosted in the HQ. Now cloud-based applications are increasingly accessed directly from the branch via internet connections and connections to the public cloud. This means new traffic patterns where the branch edge talks to cloud applications directly, without the HQ in between. Enterprise applications are now in the cloud instead of an HQ PoP, and the edge is the branch. Gartner saw this new traffic pattern and suggested that there needs to be secure access at the service edge (SASE, Secure Access Service Edge).
For any enterprise that wants to move towards an internet-based WAN and has also moved its applications to the cloud, traffic patterns have shifted away from the HQ PoP entirely. Such enterprises will go for SD-WAN and SASE solutions to use internet backhaul and to secure the service edge. This is all new, but it makes sense, and with sufficient push it can be implemented. Most of the work required will be:
- new branch designs for SD-WAN internet back-hauled branches and
- new HQ POP design to include internet-based SD-WAN HQ.
SD-WAN vendors offer solutions that either augment the MPLS WAN or replace it.
Most of the SASE work will be solution evaluation and vendor-assisted implementation via GUIs, as I see it.
Next on the list is Network Access Control and Authentication Systems. As I see it this is 802.1X and RADIUS authentication, and could also include Active Directory-based authentication/IAM. From a networking perspective, 802.1X will need to be enabled on the LAN ports; RADIUS authentication may need to be integrated into systems, and firewall rules may be required for Microsoft AD access.
The final item on the list is Cloud Networking, which includes AWS and Azure connectivity. From my experience in hybrid and multicloud deployments, much of the work is integrating new links into existing networks and configuring routes to establish IP connectivity between new endpoints. Some IP subnets and endpoints are on-prem and some are in the cloud, so links and routes are required. It still requires Layer 1 networking, with new links and SFPs for, say, Megaport or Direct Connect. It still requires a semblance of Layer 2, where across the Megaport or Direct Connect link Layer 2 is reachable. On top of these, routing reachability is established by adding routes in the relevant locations. For example, an on-prem firewall could be the L3 routing SVI location, and routes pointing towards the cloud would be added there. Similarly, routes would be added to routers and propagated so that the cloud subnets are reachable inside the on-prem network. On the public cloud side, the VPC/VNet would have routes pointing back this way, and there would be configuration items establishing the link between the relevant AWS Direct Connect or Azure ExpressRoute and the VPC/VNet. If it's multicloud there could be multiple ASNs involved, and BGP would be used to exchange routes.
Most work on the AWS/Azure side is GUI based unless Infrastructure as Code is used for large deployments. If Infrastructure as Code is used then Ansible, Terraform, Git and Bitbucket will be used instead of the GUIs to configure the routes and the firewalls in the public clouds. Infrastructure as Code has two main parts: version control of the config code, and deployment of the updated code to the public cloud.
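Worked example, added here and not from the original post or any vendor's code: the AWS side of the hybrid routing just described, written as Terraform since that is the IaC tool named above. It stitches together the pieces the two previous paragraphs list: a private virtual interface on the Direct Connect connection as the Layer 2 segment, an authenticated BGP session with the on-prem ASN for route exchange, VPC route propagation from the virtual private gateway, and a security group as the cloud-side firewall. The region, CIDRs, ASNs, VLAN tag, peer addresses and the `dx_connection_id` and `bgp_auth_key` variables are assumptions; the on-prem router side (the SVI and the routes or BGP peer pointing at the VIF) is not shown.

```hcl
# Added example, not from the original post. All CIDRs, ASNs, the VLAN tag,
# peer addresses and the region are assumed values for illustration.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "ap-southeast-2" # assumed
}

variable "dx_connection_id" {
  description = "ID of an already-provisioned Direct Connect connection (e.g. delivered as a Megaport VXC); assumed to exist"
  type        = string
}

variable "bgp_auth_key" {
  description = "MD5 key shared with the on-prem router so the BGP session is authenticated"
  type        = string
  sensitive   = true
}

locals {
  onprem_cidr = "10.10.0.0/16" # on-prem address space (assumed); must not overlap the VPC
  vpc_cidr    = "10.20.0.0/16" # cloud address space (assumed)
  onprem_asn  = 65010          # private ASN of the on-prem edge router (assumed)
  dxgw_asn    = 64512          # Amazon-side ASN of the Direct Connect gateway (assumed)
  vgw_asn     = 64513          # Amazon-side ASN of the VGW, kept distinct from the DX gateway (assumed)
}

resource "aws_vpc" "hub" {
  cidr_block = local.vpc_cidr
  tags       = { Name = "hub-vpc" }
}

resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.hub.id
  cidr_block = cidrsubnet(local.vpc_cidr, 8, 1) # 10.20.1.0/24
}

# Virtual private gateway: the VPC's attachment point for the Direct Connect path.
resource "aws_vpn_gateway" "vgw" {
  vpc_id          = aws_vpc.hub.id
  amazon_side_asn = local.vgw_asn
}

# Direct Connect gateway: the AWS-side BGP speaker that terminates the private VIF.
resource "aws_dx_gateway" "dxgw" {
  name            = "hub-dxgw"
  amazon_side_asn = local.dxgw_asn
}

# Only the VPC prefix is advertised towards on-prem; nothing else leaks over the link.
resource "aws_dx_gateway_association" "hub" {
  dx_gateway_id         = aws_dx_gateway.dxgw.id
  associated_gateway_id = aws_vpn_gateway.vgw.id
  allowed_prefixes      = [local.vpc_cidr]
}

# The Layer 2 piece: an 802.1Q-tagged private VIF on the DX connection, with a /30
# point-to-point and an MD5-authenticated BGP session to the on-prem ASN.
resource "aws_dx_private_virtual_interface" "onprem" {
  connection_id    = var.dx_connection_id
  name             = "onprem-private-vif"
  vlan             = 101 # VLAN tag agreed with the carrier (assumed)
  address_family   = "ipv4"
  bgp_asn          = local.onprem_asn
  bgp_auth_key     = var.bgp_auth_key
  customer_address = "169.254.254.1/30" # on-prem router side (assumed)
  amazon_address   = "169.254.254.2/30" # AWS side (assumed)
  dx_gateway_id    = aws_dx_gateway.dxgw.id
}

# The Layer 3 piece: on-prem prefixes are learned over BGP via the VGW rather than
# hand-entered, so the route table tracks what on-prem actually advertises.
resource "aws_route_table" "app" {
  vpc_id           = aws_vpc.hub.id
  propagating_vgws = [aws_vpn_gateway.vgw.id]
}

resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}

# The "firewall in the public cloud": a security group that admits HTTPS only from
# on-prem and allows egress only back to on-prem (for example to reach AD or RADIUS).
resource "aws_security_group" "app" {
  name   = "app-onprem-only"
  vpc_id = aws_vpc.hub.id

  ingress {
    description = "HTTPS from on-prem users; deliberately no 0.0.0.0/0"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.onprem_cidr]
  }

  egress {
    description = "Outbound to on-prem services only; return traffic is allowed statefully"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [local.onprem_cidr]
  }
}
```

Two checks worth doing before `terraform apply`: confirm the on-prem and VPC CIDRs do not overlap (a propagated route that collides with a local subnet is silently less specific than the local route and traffic never leaves the VPC), and after apply confirm the BGP session is up and the on-prem prefix actually appears in the subnet's route table rather than assuming propagation worked. Azure ExpressRoute follows the same shape, with the virtual network gateway and route-table propagation taking the place of the VGW and `propagating_vgws`.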
The other, non-technical requirement in the job ad is documentation.
This is standard MSP or enterprise project work where design documents, implementation plans, standard configs and wiki articles are part of the project.
Together, all this makes a Network Consulting Engineer.