How We Saved ₹4 Crore for a Leading Delhi NCR University — Network Optimisation Without Replacing a Single Switch

Published 10 Apr 2026  ·  By Pawan Sharma  ·  Case Study  ·  8 min read

A leading university in the Delhi NCR region was about to spend over ₹4 crore replacing their entire access and distribution layer switching infrastructure. Users were experiencing chronic speed issues accessing university applications, and periodic malware infections were spreading through the network, sometimes bringing the entire campus offline for hours. The proposed solution: rip out all 10G uplink switches and replace them with 40G switches. Ogma was brought in for a second opinion. What we found changed everything.


The Symptoms

The university's IT team was dealing with two recurring problems that were disrupting academic and administrative operations:

  • Chronic application slowness — faculty, students, and administrative staff all reported sluggish performance when accessing the university's internal applications: ERP, learning management system (LMS), library portal, and examination systems. The slowness was intermittent but persistent, affecting hundreds of users daily across multiple buildings
  • Recurring malware infections spreading campus-wide — when a single machine got infected, the malware would propagate rapidly across the flat network, sometimes reaching dozens of machines within minutes. Containing an outbreak meant taking entire VLANs offline, disrupting classes and administrative work for hours at a time

The IT team's diagnosis was straightforward: the 10 Gbps uplinks between access and distribution switches were saturated, and the flat Layer 2 network had no segmentation to contain infections. Their recommended solution: replace all access switches (Cisco Catalyst series) with models supporting 40G uplinks, and add new distribution switches — a project estimated at ₹4+ crore in hardware, licensing, installation, and downtime.


Step 1: Deploy NMS — Measure Before You Spend

Before agreeing with the hardware replacement plan, Ogma proposed a 2-week network assessment using a Network Management System (NMS) deployed across the campus infrastructure. The NMS monitored every switch uplink, firewall interface, and wireless controller port — capturing bandwidth utilisation, error rates, packet drops, and traffic patterns at 5-minute intervals for 14 consecutive days.

NMS Findings — 2-Week Monitoring Results

  • Average uplink utilisation: 600 Mbps
  • Peak uplink utilisation: 1.9 Gbps
  • Available uplink capacity: 10 Gbps
  • Headroom unused at peak: 81%

The data told a clear story: the 10G uplinks were not even close to saturation. Average utilisation was just 600 Mbps — 6% of the available 10 Gbps capacity. Even at absolute peak, utilisation hit only 1.9 Gbps — leaving 81% headroom. The problem was not capacity. Spending ₹4 crore on 40G switches would not have fixed the actual issues.
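
How an NMS turns 5-minute counter polls into the average, peak and headroom figures above, as an added example that is not Ogma's tooling. It assumes SNMP-style 64-bit octet counters; the polls are constructed, with the busiest interval set to the 1.9 Gbps peak quoted here.

```python
# Added example; every sample value below is constructed.
LINK_BPS = 10_000_000_000  # 10 Gbps uplink, the capacity quoted on the page

def interval_rates(samples):
    """samples: [(unix_time, octet_counter), ...] -> bits/s for each usable interval."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0 or c1 < c0:
            # Counter moved backwards (switch reload or counter clear) or the
            # timestamps are unusable: drop the interval instead of guessing.
            continue
        rates.append((c1 - c0) * 8 / dt)
    return rates

def summarise(samples, link_bps=LINK_BPS):
    rates = interval_rates(samples)
    if not rates:
        raise ValueError("no usable polling intervals")
    avg, peak = sum(rates) / len(rates), max(rates)
    return {
        "intervals": len(rates),
        "avg_mbps": round(avg / 1e6, 1),
        "peak_mbps": round(peak / 1e6, 1),
        "peak_util_pct": round(100 * peak / link_bps, 1),
        "headroom_pct": round(100 * (1 - peak / link_bps), 1),
    }

# Constructed 5-minute polls of one uplink's 64-bit input octet counter.
POLLS = [
    (0, 0),
    (300, 15_000_000_000),     # 400 Mbps over the interval
    (600, 86_250_000_000),     # 1.9 Gbps, the busiest interval
    (900, 500_000),            # counter reset: interval is discarded
    (1200, 3_750_500_000),     # 100 Mbps
]

if __name__ == "__main__":
    print(summarise(POLLS))
```

A 5-minute average smooths out sub-second bursts, so read it alongside the drop and error counters the NMS collected for the same interfaces.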


Step 2: Root Cause Analysis — The Real Problems

With capacity eliminated as the bottleneck, Ogma's network engineers dug deeper into the NMS data and switch configurations. Three root causes emerged:

1. Speed/Duplex Mismatches on Access Ports

A significant number of access ports on the Cisco switches were set to auto-negotiate speed and duplex. In theory, autonegotiation works. In practice, many end devices — older printers, lab equipment, IoT devices, legacy desktop NICs — were failing to negotiate correctly. The result: ports running at 100 Mbps half-duplex instead of 1 Gbps full-duplex. A single half-duplex port on a busy access switch creates collisions and retransmissions that degrade performance for every device on that switch. The NMS showed high CRC error counts and late collision counters on dozens of ports across the campus.

2. No Quality of Service (QoS) — All Traffic Treated Equally

The network had zero QoS configuration. University ERP sessions, LMS video lectures, examination portal traffic, and YouTube/Netflix streaming from student hostels all competed for the same bandwidth with identical priority. During peak hours (10 AM – 1 PM and 2 PM – 4 PM), entertainment traffic from 2,000+ student devices would saturate the internet pipe, and the FortiGate firewall would queue internal application traffic behind internet-bound traffic with no differentiation.

3. Flat VLANs — No Isolation Between Machines

The campus network used a handful of large, flat VLANs — one for faculty, one for students, one for admin. Within each VLAN, every machine could see and communicate directly with every other machine at Layer 2. When a single student laptop picked up malware (often from USB drives or pirated software), the infection had unrestricted Layer 2 access to every other machine in that VLAN. ARP scanning, lateral movement, and worm propagation happened at wire speed across hundreds of machines before the IT team could even identify the source.


Step 3: The Fix — Zero Hardware, Maximum Impact

Ogma implemented a series of configuration changes across the existing FortiGate firewall, Cisco switches, and Aruba wireless infrastructure — without replacing a single piece of hardware.

Fix 1: Static Speed and Duplex on All Access Ports

We audited every access port on every Cisco switch across the campus. Ports connected to known devices (desktops, printers, IP phones, lab equipment) were statically configured to speed 1000 and duplex full. Ports connected to user-facing jacks where device types vary were configured with speed auto but monitored for negotiation failures. CRC errors and collision counts dropped to zero within 24 hours.
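
One way to script the port audit described above (an added example, not Ogma's tooling): parse `show interfaces` text and flag ports that are up but running half-duplex, below the expected speed, or accumulating CRC errors and late collisions. The interface names and counter values in the sample are constructed.

```python
import re

# Constructed excerpt laid out like Cisco IOS `show interfaces` output.
SAMPLE = """\
GigabitEthernet1/0/5 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     1532 input errors, 1532 CRC, 0 frame, 0 overrun, 0 ignored
     0 babbles, 212 late collision, 0 deferred
GigabitEthernet1/0/6 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet1/0/8 is down, line protocol is down (notconnect)
  Auto-duplex, Auto-speed, media type is 10/100/1000BaseTX
"""

HEADER = re.compile(r"^(\S+) is (.+?), line protocol is (\w+)")
DUPLEX = re.compile(r"^\s+(Full|Half)-duplex, (\d+)Mb/s")
COUNTERS = {"crc": re.compile(r"(\d+) CRC"),
            "late_collision": re.compile(r"(\d+) late collision")}

def parse(text):
    ports, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = ports[m.group(1)] = {
                "up": m.group(2) == "up" and m.group(3) == "up",
                "duplex": None, "mbps": None, "crc": 0, "late_collision": 0}
        elif cur is not None:
            if m := DUPLEX.match(line):
                cur["duplex"], cur["mbps"] = m.group(1).lower(), int(m.group(2))
            for key, pattern in COUNTERS.items():
                if m := pattern.search(line):
                    cur[key] = int(m.group(1))
    return ports

def findings(ports, expected_mbps=1000):
    out = {}
    for name, p in ports.items():
        if not p["up"]:
            continue  # a down port has no negotiated state to judge
        checks = [(p["duplex"] == "half", "half-duplex"),
                  (p["mbps"] is not None and p["mbps"] < expected_mbps, "below expected speed"),
                  (p["late_collision"] > 0, "late collisions"),
                  (p["crc"] > 0, "CRC errors")]
        why = [label for hit, label in checks if hit]
        if why:
            out[name] = why
    return out
```

Calling `findings(parse(SAMPLE))` reports only GigabitEthernet1/0/5; the healthy port and the disconnected port are not flagged.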

Fix 2: End-to-End QoS Across the Network

We designed and deployed a campus-wide QoS policy synchronised across all three vendor platforms:

  • FortiGate firewall — traffic shaping policies that prioritise internal applications (ERP, LMS, examination portal) over internet traffic. Separate bandwidth pools for university working hours (8 AM – 6 PM) and off-hours, with download quotas per user that prevent a handful of heavy downloaders from impacting the entire campus
  • Cisco switches — DSCP marking at the access layer, strict priority queuing for voice and ERP traffic on uplinks, weighted fair queuing for everything else. MLS QoS trust policies ensure DSCP markings are preserved across the switching fabric
  • Aruba wireless — per-SSID bandwidth contracts, application-aware traffic classification using Aruba's AppRF, and airtime fairness to prevent slow wireless clients from degrading performance for fast clients on the same AP

The result: during peak hours, internal university applications got guaranteed bandwidth and priority queuing, while streaming and social media traffic was rate-limited to a fair share. Users noticed the difference within hours of deployment.

Fix 3: Private VLANs — Machine-Level Isolation

The most impactful change for security was converting the flat VLANs to private VLANs (PVLANs). In a private VLAN, each user port is an isolated port — it can communicate with the gateway (uplink/promiscuous port) but cannot communicate directly with any other isolated port in the same VLAN. This means:

  • An infected laptop can only talk to the default gateway (the FortiGate), where IPS, antivirus, and application control inspect every packet
  • ARP scanning, lateral movement, and worm propagation between machines in the same VLAN are blocked at the switch level
  • No IP or subnet renumbering required — private VLANs operate within the existing IP scheme

The same isolation was applied to the Aruba wireless network using client isolation (per-user tunnelling to the controller), ensuring that wireless clients in student hostels and classrooms could not communicate with each other directly.

The infection spreading stopped immediately. The next time a machine got infected, the malware had nowhere to go — every lateral movement attempt was blocked by the private VLAN, and the FortiGate's IPS flagged the infection within seconds.
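
A check a team could run after a private VLAN migration to find access ports that were missed (an added example, not Ogma's tooling). It reads a running-config excerpt and marks a port as isolated only when its host association points at a secondary VLAN that is declared isolated and associated with its primary. The config uses Cisco IOS private VLAN syntax, and the VLAN and interface numbers are constructed.

```python
# Constructed running-config excerpt in Cisco IOS syntax (VLAN and port numbers are made up).
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
interface GigabitEthernet1/0/1
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface GigabitEthernet1/0/2
 switchport access vlan 100
 switchport mode access
interface GigabitEthernet1/0/3
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host
interface TenGigabitEthernet1/1/1
 switchport private-vlan mapping 100 101
 switchport mode private-vlan promiscuous
"""

def audit_pvlan(config):
    """Classify each interface as 'isolated', 'promiscuous' or 'NOT ISOLATED'."""
    isolated, assoc, ports, section = set(), {}, {}, ("", "")
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):              # start of a top-level stanza
            section = (words[0], words[-1]) if words else ("", "")
            if section[0] == "interface":
                ports[section[1]] = {"mode": None, "pair": None}
        elif section[0] == "vlan" and words == ["private-vlan", "isolated"]:
            isolated.add(section[1])
        elif section[0] == "vlan" and words[:2] == ["private-vlan", "association"]:
            assoc[section[1]] = set(words[-1].split(","))   # comma lists only
        elif section[0] == "interface" and words[:2] == ["switchport", "mode"]:
            ports[section[1]]["mode"] = " ".join(words[2:])
        elif len(words) == 5 and words[1:3] == ["private-vlan", "host-association"]:
            ports[section[1]]["pair"] = tuple(words[3:5])
    report = {}
    for name, p in ports.items():
        primary, secondary = p["pair"] or (None, None)
        if p["mode"] == "private-vlan promiscuous":
            report[name] = "promiscuous"
        elif (p["mode"] == "private-vlan host" and secondary in isolated
              and secondary in assoc.get(primary, set())):
            report[name] = "isolated"
        else:                                      # flat access port or broken pairing
            report[name] = "NOT ISOLATED"
    return report
```

In the sample, GigabitEthernet1/0/2 is still a flat access port and GigabitEthernet1/0/3 references a secondary VLAN that was never defined, so both are reported as not isolated.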


The Results

₹4+ crore saved in hardware costs  ·  0 hardware replaced  ·  0 network outages since deployment  ·  3 weeks total project duration

  • ₹4+ crore saved — the 40G switch upgrade was cancelled entirely
  • Application performance restored — ERP, LMS, and examination portal response times dropped by over 60% during peak hours
  • Infection propagation eliminated — private VLANs and client isolation stopped lateral movement completely. Zero campus-wide outages since deployment
  • Bandwidth fairness enforced — working hours prioritise academic and administrative traffic. Off-hours allow full internet access with per-user quotas
  • Cross-vendor consistency — QoS and security policies synchronised across FortiGate, Cisco Catalyst, and Aruba wireless from a unified design
  • Completed in 3 weeks — 2 weeks of NMS monitoring + 1 week of implementation, with zero downtime during configuration changes

The Lesson: Measure Before You Buy

This case study illustrates a pattern we see across Indian enterprises: the instinct to solve network problems by throwing hardware at them. Bigger switches, faster links, more capacity. But without data — actual traffic measurements, error analysis, and configuration audits — you are guessing. And guessing is expensive.

A ₹5 lakh network assessment saved ₹4 crore in unnecessary hardware. The ROI speaks for itself.

If your organisation is planning a network upgrade, ask yourself: have we measured the actual utilisation on the links we are replacing? If the answer is no, you are not ready to buy hardware. You are ready for a network assessment.


How Ogma Can Help

Ogma provides vendor-neutral network assessment, design, and optimisation services for Indian enterprises. We work with FortiGate, Cisco, Aruba, HPE, and Dell networking infrastructure. Our approach is always data-first: we measure, analyse, and recommend — before anyone buys anything.

  • Network Assessment — NMS deployment, traffic analysis, capacity planning, and configuration audit
  • QoS Design & Deployment — end-to-end QoS across firewalls, switches, and wireless
  • Security Hardening — private VLANs, microsegmentation, IPS tuning, and access control
  • Managed Network Operations — 24/7 NOC monitoring, change management, and incident response

Contact Ogma for a free initial consultation.
