Transforming Network Segmentation and Automation with Cisco SD-Access and Cisco DNA Center

CISCO

Automation is radically transforming every aspect of IT, including networking. Today’s network managers often no longer need to provision and manage devices by hand. Instead, they can leverage rule-based tools that use tags, AI, and automated scripts to configure and secure their infrastructure. It’s an incredible journey that’s only just begun, and the possibilities are endless.


I’ve been with Airbus Helicopters Germany since 2014 and I am one of only four network engineers. My team is in charge of network management and security. When I started here, we had a traditional three-tier network comprising access, distribution, and core layers. All our devices were tied to an IP address on one of our VLANs. Consequently, we had to do everything manually, including firewall configuration to segment our network.


This approach was time consuming and taxed the limited resources of our small team. The four of us managed switches, routers, firewalls, proxies, and every other networking hardware and software component comprising our IT infrastructure. If that weren’t enough, there was an explosion in requests for IoT devices to connect at our main German campus, an industrial facility that manufactures helicopters. Our workload was increasing from day to day, and we had reached a breaking point: We either had to hire more people or change the way we ran our network. 

A Data Center Upgrade Led to a Campus Network Upgrade

In 2017, we updated the hardware at our data center and replaced our 15-year-old Nexus 2000 switches with brand new Nexus 9000-series hardware. As part of the upgrade, we transitioned from a traditional hardwired configuration to Cisco Application Centric Infrastructure (ACI), the company’s industry-leading software-defined networking (SDN) solution.



We worked with the German office of Cisco global partner NTT to architect and deploy the data center. When it was time to refresh our campus network infrastructure two years later, we called NTT again to discuss our needs. We were inspired by the success of our software-defined data center and recognized the need for flexible but secure access to accommodate the growing number of mobile devices and IoT endpoints at our campuses. We held a series of meetings within our department to study the best replacement for our aging infrastructure. We decided to go for a software-defined solution, and concluded that Cisco was the best option. So, we built the foundations of our new campus infrastructure on Cisco Software-Defined Access (SD-Access) with Cisco Catalyst 9000 Series Switches and Cisco DNA Center.


Months before the PoC, during Cisco Live 2020, our team engaged in extensive sessions around SD-Access integrations, configuration, and best practices. We also benefited from 1:1 sessions with Cisco engineers. Cisco Live offered us the opportunity to learn how to run an SD-Access fabric ourselves and to have Cisco experts weigh in on our specific scenario.


NTT was instrumental in bringing SD-Access to our campus network. They worked with Cisco to offer us guidance and support from November 2019 to May 2020 as we designed the solution. We had five or six meetings during that time to iron out the details, including the architecture and the best migration process. NTT set everything up and led the proof of concept (PoC) from May to July 2020. With NTT’s help and supervision, on site and over Webex meetings, we implemented the initial configuration. All training, knowledge transfer, and documentation was shared during the PoC, and our team took over when we transitioned to our production environment.


We decided to go with an Enterprise Agreement (EA) for the Cisco DNA Advantage software for the Cisco Catalyst 9000 Switches and Cisco DNA Center because of the flexibility it offers. We are ramping up the deployment of switches, but that’s not our only priority, so we knew the number of installed switches could vary. With an EA, we only pay for the switches that are up and running at the end of a set period. The process to create, release, and assign licenses to different switches makes it more flexible and easy to share licenses between different teams, thus making it more efficient.


This initial deployment connected two buildings and 400 users to our new infrastructure, and that number continues to grow. To date, we have added more buildings, connected 1,500 users, and replaced 43 of our 200 switches, which is roughly 20% of our existing infrastructure.

Cisco SD-Access and Cisco DNA Transformed Our Campus Network

Moving to Cisco SD-Access and Cisco DNA Center transformed how we manage our campus network. These industry-standard platforms allow us to easily configure our Cisco switches and play well with other vendors’ products. They seamlessly integrate with our Palo Alto and Check Point firewalls, allowing us to configure and set rules for these devices from a single pane of glass within Cisco DNA Center. Cisco has also given us unparalleled flexibility in defining the fabric of our campus network.


As I mentioned, each of our network devices was previously tied to an IP address on one of our VLANs, which required us to manually configure every switch and made it impossible to re-architect our network to meet changing needs. We were getting an increasing number of requests from management to accommodate, integrate, and provide proper connectivity to devices via the LAN, Wi-Fi, and even Bluetooth. At the same time, we were under pressure to better secure and segregate the campus network to minimize risk and better monitor every device connected to our infrastructure. Cisco SD-Access and Cisco DNA Center automate these repetitive tasks, saving us a lot of time and making our network more secure in the process.

Defining Network Segments as SGTs

Thanks to Cisco SD-Access, we have stopped identifying network devices by their IP addresses. We now define logical network segments as scalable group tags (SGTs) in Cisco DNA Center and then use Cisco API calls to define third-party firewall rules that govern network devices. This approach allows us to control and monitor which devices can connect to a given SGT without manually configuring them. Once we have defined an SGT, authorized business users can add or delete devices autonomously, automatically, and in real time.



When we add a device to an SGT, it is propagated to the network and the correct firewall rules are applied. Because SGTs are entirely independent of IP addresses, a simple DHCP configuration is all we need to authorize a device regardless of its physical location. We can move the device to another building or campus, but it will always connect to the right network segment as long as we have assigned it to the right SGT. 


Configuring network segments as SGTs has simplified network management and given our IT security team deeper visibility into the network. We can now create granular rules to define and restrict how devices within an SGT communicate with each other. We can add or subtract permissions as needed instead of redefining an entire network segment or rewriting the firewall rules for everybody.
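The two ideas in this section, policy that follows the tag rather than the IP address, and permission changes that touch one cell of the matrix instead of every firewall rule, are easier to see in code. The following is an added example written for this page; it is not Airbus Helicopters’, Cisco’s or NTT’s code. The group names, tag values, IP-to-SGT bindings and flows are all constructed, and the rule text produced by `to_firewall_rules()` is vendor-neutral pseudo-syntax rather than Palo Alto or Check Point configuration. In a real fabric the binding table would come from ISE or SXP, and the rendered rules would be pushed through the firewall vendor’s API.

```python
"""SGT-style policy evaluated by group tag, not by IP address (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Group name -> numeric tag value. Constructed for this example; assign your own.
SGTS: Dict[str, int] = {"Employees": 10, "Printers": 20, "IoT_Sensors": 30, "Quarantine": 40}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str                   # "permit" or "deny"
    ports: Tuple[str, ...] = ()   # empty tuple means any port


class SgtPolicy:
    """Group-to-group policy matrix with an explicit default action for unlisted pairs."""

    def __init__(self, default: str = "deny") -> None:
        self.default = default
        self.matrix: Dict[Tuple[str, str], Rule] = {}

    @staticmethod
    def _check(*names: str) -> None:
        for name in names:
            if name not in SGTS:
                raise KeyError(f"unknown SGT {name!r}")

    def permit(self, src: str, dst: str, *ports: str) -> None:
        self._check(src, dst)
        self.matrix[(src, dst)] = Rule(src, dst, "permit", tuple(ports))

    def deny(self, src: str, dst: str) -> None:
        self._check(src, dst)
        self.matrix[(src, dst)] = Rule(src, dst, "deny")

    def revoke(self, src: str, dst: str) -> None:
        """Drop one cell so that pair falls back to the default action."""
        self.matrix.pop((src, dst), None)

    def decide(self, src_sgt: str, dst_sgt: str, port: Optional[str] = None) -> str:
        rule = self.matrix.get((src_sgt, dst_sgt))
        if rule is None:
            return self.default
        # A port-restricted permit only matches flows that name one of its ports.
        if rule.action == "permit" and rule.ports and port not in rule.ports:
            return "deny"
        return rule.action

    def to_firewall_rules(self) -> List[str]:
        """One line per matrix cell in deterministic order, then the default."""
        lines = []
        for (src, dst), rule in sorted(self.matrix.items()):
            ports = ",".join(rule.ports) or "any"
            lines.append(f"{rule.action} sgt:{src}({SGTS[src]}) -> sgt:{dst}({SGTS[dst]}) ports={ports}")
        lines.append(f"{self.default} sgt:any -> sgt:any ports=any")
        return lines


def evaluate_flow(policy: SgtPolicy, bindings: Dict[str, str],
                  src_ip: str, dst_ip: str, port: Optional[str] = None) -> str:
    """Resolve both endpoints to SGTs through the binding table, then ask the policy.
    Endpoints with no binding (unknown to the fabric) get the default action."""
    src, dst = bindings.get(src_ip), bindings.get(dst_ip)
    if src is None or dst is None:
        return policy.default
    return policy.decide(src, dst, port)


def rule_delta(before: List[str], after: List[str]) -> Tuple[List[str], List[str]]:
    """Rule lines to add and to remove when moving from one rendering to the next."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


def demo() -> dict:
    policy = SgtPolicy(default="deny")
    policy.permit("Employees", "Printers", "tcp/9100", "tcp/631")
    policy.permit("Employees", "Employees")
    policy.deny("Quarantine", "Employees")          # explicit, survives a default change
    # Constructed IP -> SGT bindings, as the fabric would learn them at authentication.
    bindings = {"10.1.10.25": "Employees", "10.1.20.7": "Printers", "10.1.30.3": "IoT_Sensors"}
    before_move = evaluate_flow(policy, bindings, "10.1.10.25", "10.1.20.7", "tcp/9100")
    # The same laptop moves to another building and gets a new lease; the tag moves with it.
    bindings = {**bindings, "10.5.40.118": "Employees"}
    after_move = evaluate_flow(policy, bindings, "10.5.40.118", "10.1.20.7", "tcp/9100")
    sensor_to_printer = evaluate_flow(policy, bindings, "10.1.30.3", "10.1.20.7", "tcp/9100")
    base = policy.to_firewall_rules()
    policy.permit("Employees", "IoT_Sensors", "tcp/443")   # grant one new permission ...
    added, removed = rule_delta(base, policy.to_firewall_rules())  # ... exactly one rule changes
    return {"before_move": before_move, "after_move": after_move,
            "sensor_to_printer": sensor_to_printer, "added": added, "removed": removed}
```

Two details matter when you wire this to a real firewall: the binding table must be fed from the fabric’s authoritative source (ISE, via SXP or pxGrid), not from DHCP leases, or the tag will lag the endpoint; and the delta step is what keeps the change small, since only the lines in `added` and `removed` need to go through the vendor API.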

Expanding Our Use of Cisco APIs

On top of using Cisco APIs to set third-party firewall rules, we are looking to simplify and automate other processes. One potential use is generating tickets in ServiceNow, our IT support workflow automation tool. 


Cisco DNA Center includes out-of-the-box ServiceNow integrations. We can use Cisco APIs to automatically open and close technical support tickets when physical and logical issues arise on our campus network. For example, should the temperature of a switch rise to a certain level, Cisco DNA Center will raise an alarm and the integration will generate a ServiceNow ticket advising our facility managers to check the air conditioner in that location.
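The open-and-close lifecycle described above has two failure modes worth handling in any home-grown bridge: the same alarm repeating and flooding ServiceNow with duplicate incidents, and a clear arriving for an alarm that was never ticketed. The following added example (written for this page, not Airbus Helicopters’, Cisco’s or ServiceNow’s code) shows a small bridge that does both. The event field names (`eventId`, `severity`, `details["DeviceIp"]`, `details["Assurance Issue Status"]`) follow the general shape of Cisco DNA Center webhook notifications but are an assumption; check them against the subscriptions in your own deployment. The ServiceNow Table API path `/api/now/table/incident` is real; the state value `6` is the out-of-the-box “Resolved” state for the incident table and may differ on a customized instance.

```python
"""Bridge DNA Center-style events to ServiceNow incidents, with dedup and close-on-clear."""
import base64
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample events: a switch running hot, then the matching clear.
EVENT_RAISED = {
    "eventId": "EXAMPLE-SWITCH-TEMP-HIGH",   # constructed id, not a real DNA Center event id
    "severity": 1,                           # DNA Center uses 1 (most severe) .. 5
    "description": "Switch temperature above threshold",
    "timestamp": 1625133000000,
    "details": {"DeviceIp": "10.1.250.12", "Building": "Building 3",
                "Assurance Issue Status": "active"},
}
EVENT_CLEARED = {**EVENT_RAISED, "timestamp": 1625136600000,
                 "details": {**EVENT_RAISED["details"], "Assurance Issue Status": "resolved"}}

# A sender performs (method, path, json_body) against ServiceNow and returns the decoded JSON.
Sender = Callable[[str, str, Optional[dict]], dict]


class ServiceNowBridge:
    """Keeps at most one open incident per (eventId, device) and resolves it on the clear."""

    def __init__(self, send: Sender, open_at_or_above: int = 2) -> None:
        self.send = send
        self.threshold = open_at_or_above             # ticket only severity <= this value
        self.open: Dict[Tuple[str, str], str] = {}    # dedup key -> incident sys_id

    @staticmethod
    def key(event: dict) -> Tuple[str, str]:
        return event["eventId"], event.get("details", {}).get("DeviceIp", "")

    def handle(self, event: dict) -> str:
        k = self.key(event)
        status = event.get("details", {}).get("Assurance Issue Status", "active")
        if status == "resolved":
            sys_id = self.open.pop(k, None)
            if sys_id is None:
                return "ignored"                      # clear for something never ticketed
            self.send("PATCH", f"/api/now/table/incident/{sys_id}",
                      {"state": "6",                  # default "Resolved" state value
                       "close_code": "Solved (Permanently)",   # default close-code choice
                       "close_notes": f"Cleared by DNA Center event {event['eventId']}"})
            return "closed"
        if event.get("severity", 5) > self.threshold:
            return "ignored"                          # informational, no ticket
        if k in self.open:
            return "duplicate"                        # alarm repeated; do not open a second INC
        body = {
            "short_description": f"{event['description']} on {k[1]} "
                                 f"({event['details'].get('Building', 'unknown location')})",
            "description": json.dumps(event, indent=2),
            "urgency": str(event["severity"]),
            "category": "network",
        }
        resp = self.send("POST", "/api/now/table/incident", body)
        self.open[k] = resp["result"]["sys_id"]
        return "opened"


def http_sender(base_url: str, user: str, password: str) -> Sender:
    """Real sender using HTTP basic auth (prefer an OAuth token in production)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url + path, data=data, method=method,
            headers={"Authorization": f"Basic {token}",
                     "Content-Type": "application/json", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return send


def recording_sender(log: List[Tuple[str, str, Optional[dict]]]) -> Sender:
    """Offline stand-in: records every call and returns a fake sys_id."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        log.append((method, path, body))
        return {"result": {"sys_id": "c0ffee00", "number": "INC0000001"}}
    return send


def demo() -> Tuple[List[str], List[Tuple[str, str, Optional[dict]]]]:
    calls: List[Tuple[str, str, Optional[dict]]] = []
    bridge = ServiceNowBridge(recording_sender(calls))
    outcomes = [bridge.handle(EVENT_RAISED),    # opens the incident
                bridge.handle(EVENT_RAISED),    # same alarm again: no second incident
                bridge.handle(EVENT_CLEARED),   # clear: resolves the incident
                bridge.handle(EVENT_CLEARED)]   # clear again: nothing open, ignored
    return outcomes, calls
```

In production the `open` map has to live somewhere durable (a small database or a ServiceNow query on `correlation_id`) so that a restart of the bridge does not lose track of incidents it already opened, and the webhook endpoint that receives the events should verify whatever shared secret or client certificate the DNA Center subscription is configured with before acting on the payload.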

A Paradigm Shift in Networking

Our approach to network implementation and management has changed, and traditional CLI-based troubleshooting has become almost obsolete. This paradigm shift requires a mindset shift, especially for those of us who have been doing things the old way for so long. My team has had to be more open-minded to this new way of working, and we have been rewarded for our efforts.


Cisco SD-Access and Cisco DNA Center have revolutionized how we approach networking at Airbus Helicopters Germany. We put aside old ways of thinking, embraced new ways of working, and opened our minds to defining network segments as SGTs and writing API calls and Python scripts instead of clicking through a GUI. The resulting paradigm shift helped us simplify network management, tighten security, tackle ever-increasing workloads, and embrace IoT and BYOD connectivity. Instead of simply provisioning and managing devices, my team now unlocks our network’s full potential.