Improved Visibility and Better Control of Network Devices Through Software-Defined Access
People think managing a university’s IT is like steering a big ship: It takes ages to make a turn. But a university is much more like a flotilla of little ships, each with its own captain. The challenge is to turn all of those ships in the same direction.
Loughborough University is a mid-sized higher education institution based across two campuses in Loughborough in the East Midlands of England. We have 18,000+ students and about 4,000 staff, and have consistently ranked within the top 10 higher education institutions in the UK for the past decade.
Sports is a big focus for the university, and several UK sporting organisations—such as British Triathlon and UK Sport—have their administrative base at the school. It’s been a large part of why we’ve sent so many athletes to the Olympics. Loughborough is also home to one of the few national centres for exercise medicine in the UK, so we base a lot of research on athletes and sports injuries.
Unlike at a city university, we do most of our IT in-house from end to end. As a Senior IT Services Specialist who has been with the university for almost 19 years, I like to think a large part of that success is due to our IT team and the foundations we’ve built.
Part of that foundation includes our network. It has served us well, but a few years ago we were coming to the end of life for our network infrastructure and had arrived at a point of opportunity. Did we carry on the way we had always done—which would have been the easy and obvious path—or did we make a call to steer all of our ships in a different direction and solve some of the annoyances that had piled up over the decades?
A Network That Wasn’t Designed to Scale
There are two big things to put in context about our network. First, we have seen an increase in the number of devices on the network, particularly wireless and IoT devices. Over the past five years, wireless devices have outnumbered wired devices by quite a bit. And the two networks for those different devices were completely separate. We had a wireless and a wired network, which used two different infrastructures.
Second, you could clearly trace the design of the network back to its first iterations, when it was just an IP network for computer scientists. But the scale of the network today is unrecognisable from what it was 20 years ago. We are talking about a tenfold difference just in the number of connected devices and places to connect to the network. And the ways you might have addressed issues in 2002 are no longer applicable in 2022 at that scale. These security and troubleshooting issues layered upon one another to the point where they became a headache to manage.
A prime example of this was security. On an extensive IP network, you would typically have access control lists granting permissions to various systems on the network. As Senior Networks Specialist Jonathan Oakden puts it, some of these lists were written by previous generations of staff, and people just kept adding to them. Nobody could remember the original purpose of a given list, but we didn’t dare touch them because they might be important.
When we added a new device to the network, we had to think about the problems the device might cause and try to limit its exposure as a vector for attack. Everything was manual, and our starting position was that every device was allowed to talk to everything else until there was a problem. This position was probably acceptable in the era when the network was created. Security wasn't a top priority at the time, and it mainly happened on devices at the edge, less so on the network itself. But today, universities receive hefty fines for data breaches. We need to learn about a problem before it's too late. We required increased automation, improved visibility, and better control of the network and its devices.
Without end-to-end visibility on the network, troubleshooting was always a problem because we couldn’t look back in time or spot trends. We treated every situation like an isolated incident. If a user came to us with a network issue, someone two desks over might pipe in and say, “I had that exact problem in the meeting room last week.” We had the tools to look at problems as they happened, but nothing to tie information together into something meaningful. That meant we couldn’t address the underlying issues to solve these problems for good.
We had reached the point where our network had scaled as much as it could organically, but demands dictated it should grow further. Jonathan described the situation as "scary" because we couldn’t understand the network in any meaningful way or manage it well. Either we threw more human and financial resources at the problem or changed our approach to networking.
A Software-Defined Solution That’s Ahead of the Pack
At the very least, we wanted to know what was on our network, apply security policies in a way that would be manageable for our existing team, and automatically add new devices to the network. To do that, we would have to rebuild the network with a more robust platform. Replacing hardware is easy, but it wouldn’t solve our problems. It was time for us to take a software-defined approach.
Fortunately, we're a very technically skilled team and could have created a homegrown solution that could achieve our security aims using software-defined architecture. But it would have taken a lot of people a lot of time to complete. And why reinvent the wheel? At a certain scale, it’s quicker and cheaper to buy something that someone has already done. It would also be supported, meaning we wouldn’t have to worry about tech assistance or the knowledge transfer if key people left our team.
- We had a long-term relationship with Cisco going back to the early 2000s and had built up a lot of in-house knowledge of Cisco technologies during that time.
- We had just invested in a new Cisco wireless network, and we wanted a fully integrated solution that would simplify wired and wireless network management. We couldn’t have that with another vendor.
- From a technical standpoint, Cisco’s SD-Access solution was the most advanced. They were the only ones to offer a complete product, including automated security profiling. SD-Access was the only solution that was anything close to a full product when we started our search.
SD-Access Delivered the Security and Visibility We Needed
To date, we’ve deployed 80% of our end-to-end Cisco SD-Access network, and we’ve already started to see the benefits.
Now, every device on the network is identified. We know if it’s a managed Windows device belonging to an engineering professor, for example. SD-Access also automatically applies security policies to all devices. In the past, a person could plug in a card machine to take payments with a credit or debit card, and it would start working because all it needed was internet connectivity. But Process Data Quickly (PDQ) machines need to comply with the Payment Card Industry Data Security Standard (PCI DSS), and if one joins our network, our entire network then needs to comply. With SD-Access, when someone plugs in a PDQ machine, it gets automatically profiled as a PDQ, joins our PCI network, and is assigned a PCI security group tag (SGT). This gives us a much better idea of where our PCI devices are and stops them from falling into our general network.
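As an added illustration (not Cisco software, not the university's configuration), the following constructed Python model shows the workflow just described: endpoint attributes drive a profiling decision, the profile assigns a virtual network and an SGT, and a deny-by-default group policy matrix replaces the old "allowed to talk to everything until there was a problem" default. Profile names, tag names, the DHCP vendor-class strings and the policy matrix are all assumptions.

```python
"""Constructed model of profile -> virtual network -> SGT -> group policy.
Not the ISE/DNA Center API; names and rules are illustrative only."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    mac: str
    dhcp_class: str = ""      # DHCP option 60 vendor class, as a profiler probe would see it
    ad_managed: bool = False  # joined to the managed Windows domain


# Profiling rules evaluated in order: (profile, virtual network, SGT, predicate).
# The last rule is a deliberate fall-through: unknown devices land in quarantine,
# never in the general network. Assumed values.
PROFILE_RULES = [
    ("PDQ-Terminal", "PCI", "SGT_PCI", lambda e: e.dhcp_class.startswith("PDQ-")),
    ("Managed-PC", "Staff", "SGT_STAFF", lambda e: e.ad_managed),
    ("Unknown", "Quarantine", "SGT_UNKNOWN", lambda e: True),
]

# Group policy matrix (source SGT, destination SGT). Any pair not listed is denied,
# which is the opposite of the legacy "allow unless an ACL says otherwise" model.
SGACL_PERMIT = {
    ("SGT_PCI", "SGT_PAYMENT_GW"),
    ("SGT_STAFF", "SGT_STAFF"),
    ("SGT_STAFF", "SGT_INTERNET"),
}


def profile(ep: Endpoint) -> dict:
    """Return the profile, virtual network and SGT for an endpoint."""
    for name, vn, sgt, pred in PROFILE_RULES:
        if pred(ep):
            return {"profile": name, "vn": vn, "sgt": sgt}
    raise RuntimeError("unreachable: fall-through rule always matches")


def permitted(src_sgt: str, dst_sgt: str) -> bool:
    """SGT-based check: deny by default."""
    return (src_sgt, dst_sgt) in SGACL_PERMIT


def legacy_permitted(src: str, dst: str, acl_denies: set) -> bool:
    """Legacy model: everything talks to everything unless an ACL entry denies it."""
    return (src, dst) not in acl_denies


def pci_isolated() -> bool:
    """Audit: PCI-tagged devices may only reach the payment gateway."""
    return all(dst == "SGT_PAYMENT_GW"
               for (src, dst) in SGACL_PERMIT if src == "SGT_PCI")
```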
Regarding troubleshooting, by using Cisco DNA Center assurance we can now drill down to the user level and see what’s happening on their devices. In the past, our only option was to look at the network for issues. Being able to look back in time also makes a big difference because we can see that some issues didn’t simply impact one user—there was a larger trend that needed addressing. We’ve given our second-line support access to Cisco DNA Center assurance, and they’re becoming more engaged in identifying issues rather than kicking things up the chain.
For example, if a student reports a problem with wireless connectivity in their residence, our second-line support can check the signal strength in that room. However, if we see a recurring issue with multiple people, we can address the wireless performance within the entire residence. Triaging these issues is easier because we have historical data within Cisco DNA Center assurance.
It also happens that users often blame the network when something else is at play. We had a case in the Vice Chancellor’s office where they had issues with Office 365. They were convinced it was a network issue. Using Cisco DNA Center assurance, we could demonstrate that it was another problem, which we could then address.
Heading in the Right Direction
The university has done more than renew our network. Since the pandemic started, we have also reorganised the campus. With more people working remotely, entire departments are moving buildings, and we are shifting to more of a hot-desking model. In the past, this would have presented a headache for IT—especially as our devices include things like MRI machines and microscopes. We couldn’t have easily supported this campus reorganisation on our old network. Without an SD-Access network, you can’t automate security profiling, which would mean more manual intervention and time. Now, we can grow and continue to support our network without adding more people to the team.
With our new SD-Access network, people can work from anywhere and get the same experience regardless of location or device. Student expectation is already there: They want to sit down anywhere and work on any device, knowing that the network will support them without issue. But one change that Jonathan has noticed is that we're seeing a big shift in staff expectations. Where their demands were once static, now they are becoming a more exciting group of users. Years ago, they would have picked up a phone to talk to a colleague at another building. Today, we’re seeing more staff members making videoconferencing their first choice. A more powerful network is opening their eyes to new possibilities.
Many university departments operate autonomously, and if you’re not careful, any captain—or department chair—could take their ship off course. Cisco SD-Access gives us the end-to-end management and security to ensure everyone in IT and across the university is moving in the same direction, safely and securely.