Skip to content

1.1 Business Case for Network Automation

Abhavtech Networks operates a global enterprise infrastructure spanning 19 sites across APAC, EMEA, and Americas regions, supporting over 15,000 users with 854+ managed network devices. The existing documentation suite — covering SD-Access (LISP/VXLAN fabric), SD-WAN (vManage/vSmart/vBond), ISE 3.x (14-node distributed deployment), Zero Trust Architecture (XDR, Duo, FTD), Webex Calling/Contact Center, and AI-enabled observability (Splunk, ThousandEyes, AppDynamics) — represents hundreds of hours of manual configuration engineering.

This document transforms that entire manual deployment into an automated, repeatable, auditable Infrastructure-as-Code framework. Where the manual documentation describes WHAT to configure and WHY, this document describes HOW to automate the same deployment using Terraform, Ansible, Python, and Git — treating network configuration the same way software engineers treat application code.

What Changes from Manual to Automated Deployment

Manual Deployment Reality

In the traditional approach:

  • SD-Access Fabric Deployment: 3 weeks of engineer time configuring 12 fabric nodes (2 Border Nodes, 2 Control Plane, 8 Edge switches) across Mumbai hub site
  • SGT Policy Matrix: 2 days manually creating 150+ SGACL rules across 25 Security Group Tags in ISE Policy GUI
  • Branch Site Onboarding: 6 hours per site configuring cEdge, local fabric-in-a-box, and Webex endpoints
  • Configuration Drift: Inevitable when 5 different engineers make manual changes
  • Rollback Complexity: Recreating known-good state requires finding last backup and reverse-engineering changes

Automated Deployment with Infrastructure-as-Code

With this framework:

  • SD-Access Fabric Deployment: 4 hours (Terraform provisions DNAC hierarchy → Ansible deploys IS-IS/LISP/BGP → automated validation)
  • SGT Policy Matrix: 15 minutes (terraform apply pushes all 25 SGTs and SGACL rules to ISE via API)
  • Branch Site Onboarding: 30 minutes (Terraform deploys vManage templates → cEdge discovers vBond → ZTP completes)
  • Configuration Drift: Eliminated (daily compliance checks detect unauthorized changes)
  • Rollback Complexity: git revert <commit> + ansible-playbook restores previous state in minutes

Time Savings Summary

Task Manual Automated Savings
SD-Access fabric (12 nodes) 3 weeks 4 hours 92%
SGT policy matrix (25 SGTs, 150 rules) 2 days 15 minutes 95%
Branch site onboarding 6 hours 30 minutes 92%
VLAN/SVI deployment across fabric 4 hours 5 minutes 98%
ISE NAD bulk onboarding (854 devices) 1 week 2 hours 96%

Risk Reduction and Audit Trail Benefits

Every configuration change in the automated framework produces a Git commit — an immutable audit record showing who changed what, when, and why. This directly addresses compliance requirements for PCI-DSS, SOC2, and GDPR that Abhavtech must maintain across its global operations.

Compliance Benefits

PCI-DSS Requirement 10.2: Track and monitor all access to network resources

  • ✅ Every Terraform apply and Ansible playbook execution creates Git commit
  • ✅ Pull request workflow requires peer approval before production deployment
  • ✅ Audit trail shows: user ID, timestamp, changed files, approval chain

SOC2 CC6.1: Logical access controls

  • ✅ Terraform state managed in encrypted backend (Terraform Cloud / S3)
  • ✅ HashiCorp Vault enforces RBAC for credential access
  • ✅ No credentials stored in Git repository (secrets retrieved at runtime)

GDPR Article 32: Security of processing

  • ✅ Version control of SGACL policy matrix (25+ SGTs, 150+ rules)
  • ✅ Every policy change traceable through pull request approvals
  • ✅ Automated validation prevents policy errors that could expose data

Example: SGT Policy Change Audit Trail

Traditional manual process:

  1. Engineer logs into ISE GUI
  2. Navigates to Policy → Policy Sets → SGACL Rules
  3. Manually creates/modifies rule
  4. No automatic record of what changed
  5. Change ticket updated manually (if remembered)

Automated framework process:

# 1. Engineer modifies Terraform code
vim terraform/ise/sgacl_rules.tf

# 2. Git commit creates audit record
git add terraform/ise/sgacl_rules.tf
git commit -m "feat(ise): add SGACL rule for Contractors → Corporate_Servers (allow HTTPS)"

# 3. Pull request submitted for review
git push origin feature/sgacl-contractors-https
# PR #147 created: "Add SGACL rule for contractor web access"

# 4. Architect reviews and approves
# PR shows exact code diff, testing results, validation logs

# 5. Merge to main creates permanent audit record
# Commit: a1b2c3d - Author: john.doe - Date: 2026-03-15 14:23:00
# Message: feat(ise): add SGACL rule for Contractors → Corporate_Servers (allow HTTPS)
# Approved-by: jane.smith (Network Architect)

Result: Immutable audit trail showing who requested change, who approved it, what exactly changed, and when it was deployed.

Time Savings Quantification

Network Architect Note

These time savings compound dramatically over the project lifecycle. Each SD-Access fabric expansion, SGT policy update, or new branch onboarding follows the same automated workflow — reducing ongoing operational cost by 80-90% compared to manual methods.

Real-World Example: Mumbai Fabric Expansion

Scenario: Add 4 new access switches to existing Mumbai SD-Access fabric

Manual Approach (Pre-Automation):

  1. Planning (2 hours): Document switch placement, VLAN assignments, uplink ports
  2. DNAC Configuration (1 hour): Add devices to inventory, assign to fabric
  3. Per-Switch Config (6 hours):
  4. Log into each switch via console
  5. Configure IS-IS underlay (loopback, interfaces, authentication)
  6. Configure LISP overlay (instance, database-mapping, EID prefixes)
  7. Configure NVE interface (source, VNI mappings)
  8. Configure BGP (if border node)
  9. Configure 802.1X (AAA, ISE RADIUS servers, per-port config)
  10. ISE Integration (2 hours): Add NADs manually, configure RADIUS shared secrets
  11. Validation (3 hours): Manual show commands on each device, verify adjacencies
  12. Documentation Update (2 hours): Update network diagram, IP address spreadsheet

Total: 16 hours of engineer time

Automated Approach (With This Framework):

  1. Update Terraform Variables (15 minutes):
# terraform/dnac/variables.tf
variable "mumbai_edge_switches" {
  default = {
    "ED-05" = { mgmt_ip = "10.252.10.105", loopback = "10.252.1.105" }
    "ED-06" = { mgmt_ip = "10.252.10.106", loopback = "10.252.1.106" }
    "ED-07" = { mgmt_ip = "10.252.10.107", loopback = "10.252.1.107" }
    "ED-08" = { mgmt_ip = "10.252.10.108", loopback = "10.252.1.108" }
  }
}
  1. Run Terraform (10 minutes):
cd terraform/dnac
terraform plan   # Review changes
terraform apply  # Provision in DNAC + ISE
  1. Run Ansible Playbooks (20 minutes):
cd ansible
ansible-playbook -i inventory/hosts.yaml playbooks/underlay-isis.yaml
ansible-playbook -i inventory/hosts.yaml playbooks/overlay-lisp-vxlan.yaml
ansible-playbook -i inventory/hosts.yaml playbooks/dot1x-trustsec.yaml
  1. Automated Validation (5 minutes):
ansible-playbook -i inventory/hosts.yaml playbooks/validate-fabric.yaml
  1. Git Commit (5 minutes):
git add terraform/dnac/variables.tf ansible/inventory/hosts.yaml
git commit -m "feat(fabric): add 4 edge switches to Mumbai fabric (ED-05 through ED-08)"
git push origin main

Total: 55 minutes of engineer time (96% reduction)

Operational Cost Impact

Metric Manual (Annual) Automated (Annual) Savings
Fabric modifications 40 hours 4 hours $12,600
SGT policy changes 80 hours 8 hours $25,200
Branch onboarding 120 hours 12 hours $37,800
Compliance audits 60 hours 6 hours $18,900
Total Annual Savings $94,500

Assumes $350/hour fully-loaded network engineer cost

Non-Financial Benefits

Beyond direct time savings:

  • Consistency: Same Terraform code produces identical configs across all sites
  • Reduced Errors: Ansible playbooks eliminate typos, VLAN mismatches, incorrect LISP EID prefixes
  • Faster Onboarding: New engineers contribute via pull requests without needing deep CLI expertise
  • Better Testing: Lab validation environment mirrors production (same Terraform code)
  • Knowledge Retention: Git repository becomes single source of truth, survives staff turnover

Related Sections: