Security, Agility, Design, and Deployment

Security

Some of the largest security breaches occur because telnet is open on a port with a public-facing IP address. Security standards and best practices can now be hard-coded into templates guaranteeing the enforcement of policies. Often complex configurations are required on interfaces at the access layer to address security risks.

Consider the access layer and all the following security standards that should be implemented:

• Spanning-tree toolkit commands
  • Bridge Protocol Data Unit (BPDU) controls
  • Portfast
• 802.1x or port-security commands
• Data and voice VLANs
• QoS settings
• CDP settings
• Power over Ethernet (PoE) settings
• Native VLAN established
• Native VLAN applied on trunk ports
• NTP source
• Security banner presented at login
• AAA
• RADIUS / TACACS+
• ACLs on management ports
• VLAN 1 disabled

Security requirements, if missed or incorrectly applied, lead to vulnerabilities and threats within the network. These vulnerabilities can be exploited, lead to outages, or bring about data loss in certain scenarios. Having a guaranteed templated configuration ensures that important security components are hard-coded into every template and applied to the device’s global configuration as well as to every interface configuration. Every access port throughout the campus can now be configured the same way and will automatically include security posture standards.

Agility

In an on-demand world, networks continue to be the bottleneck of many projects. One of the driving factors for moving to automation is the agility it offers. Most of the common changes to the network become updates to existing data models. When new feature requirements arise, such as the need for multicast, new templates, and new data model variables are developed. The feature is then released and incorporated into the orchestration of playbooks as a new task. A very repeatable and modular process evolves, which provides the agility to deliver projects more efficiently.

Design

Traditional network design often revolves around device configuration commands. While these commands are essential at implementation, it is the data that should drive network design. Network engineers’ new responsibilities include crafting human-readable data models and the logic that drives the dynamic templates.

Existing or new dynamic documentation should reflect new features as templates are added or updated. By thinking about data first, and the configuration second, network designs evolve.

Deployment

The biggest advantages found in network automation are often on the operational side of network management. Large-scale changes are often very difficult to roll out to an enterprise.

Introducing QoS to a network, for example, means touching all devices in all layers of the network- often with different code per platform. Devices using Multi-Layer Switching (MLS) or Modular Quality of Service Command Line (MQC) lead to different requirements and configuration commands by platform.

Operations receive approved, finalized, network designs, along with deployment steps, from the network engineers. This often requires weeks or months to then complete the delivery to campus from start to end. Network automation- even a hybrid model where operators run Ansible playbooks manually- solves operational headaches related to deploying configurations to the network. Deployment time is drastically reduced when using Ansible playbooks while quality and accuracy significantly increase.