2.3 Role Separation¶
The automation framework defines clear boundaries between the Network Architect (design authority), the Automation Engineer (tooling expert), and the Network Operations team (execution).
Three-Role Model¶
| Role | Responsibility | Permissions | Accountability |
|---|---|---|---|
| Network Architect | Network design authority | • Approve pull requests • Production deployment authority • Read-only code access |
Correctness of network design |
| Automation Engineer | Write automation code | • Write Terraform/Ansible/Python • Submit pull requests • Lab execution only |
Code quality, idempotency, safety |
| Network Operations | Execute approved automation | • Run approved playbooks • Production execution • No code modification |
Proper execution procedures |
Why Separation Matters¶
Security Principle: Separation of Duties
No single person can both write automation code AND approve its deployment to production. The Git pull request workflow enforces peer review — the same change control discipline that network engineers already follow with change tickets, now embedded in the tooling.
Traditional Change Management¶
Before Automation:
Engineer: Writes change request ticket
Manager: Reviews and approves ticket
Engineer: Executes change during change window
With Automation:
Automation Engineer: Writes Terraform/Ansible code
Network Architect: Reviews code, approves pull request
Network Operations: Executes approved automation
The separation is identical — only the medium has changed from "change ticket" to "Git pull request."
Network Architect Role¶
Responsibilities¶
Design Authority: - Define network architecture (SD-Access fabric, SD-WAN topology, ISE policy model) - Approve all configuration standards - Review automation code for correctness - Final sign-off on production deployment
Code Review: - Review pull requests for: - Adherence to design standards - Correct VLAN assignments, IP addressing, routing protocols - Proper SGT/SGACL mappings - Compliance with security policies - Reject code that violates design principles
Production Gatekeeping:
- Approve merge to main branch (production)
- Schedule change windows
- Rollback authority if issues arise
Permissions¶
Git Repository:
- Read access to all branches
- Write access to main branch only (via pull request approval)
- Cannot directly push to main without review
Infrastructure Access: - Read-only access to DNAC, ISE, vManage, FMC - View dashboards, policies, device inventory - No direct configuration access (forces automation workflow)
HashiCorp Vault: - Read access to view policies - Cannot retrieve production credentials directly - Credentials only accessible via Terraform/Ansible at runtime
Example Workflow¶
# Network Architect reviewing a pull request
# 1. Check out the feature branch
git checkout feature/add-branch-site-dallas
# 2. Review the code
cat terraform/dnac/dallas_site.tf
# Validates:
# - Correct site hierarchy: Global/North-America/Dallas
# - IP pool doesn't overlap with existing allocations
# - DNS/NTP servers match corporate standards
# - Fabric site settings align with design template
# 3. Test in CML lab
cd terraform/dnac
terraform plan # Review planned changes
# Architect confirms plan matches design intent
# 4. Approve pull request via GitHub/GitLab UI
# Add comment: "Approved - Dallas site follows HQ design pattern"
# 5. Merge to staging branch
git checkout staging
git merge feature/add-branch-site-dallas
# 6. After staging validation, approve merge to main
# This triggers production deployment
Automation Engineer Role¶
Responsibilities¶
Code Development: - Write Terraform HCL for infrastructure provisioning - Write Ansible playbooks for device configuration - Write Python scripts for complex API workflows - Maintain code quality (linting, testing, documentation)
Testing:
- Validate all code in CML lab environment
- Run terraform plan and review output
- Execute ansible-playbook --check (dry-run mode)
- Fix bugs identified during testing
Documentation: - Document playbook parameters - Maintain README files for each module - Update runbooks for operational procedures
Permissions¶
Git Repository:
- Write access to lab and staging branches
- Create feature branches
- Submit pull requests to main
- Cannot merge own pull requests (requires Architect approval)
CML Lab Environment: - Full access to lab DNAC, ISE, vManage instances - Deploy/destroy lab topology freely - Test destructive operations safely
No Production Access: - Cannot access production DNAC/ISE/vManage directly - Cannot execute automation against production (enforced by network ACLs) - Production deployment requires Network Operations execution
Example Workflow¶
# Automation Engineer developing new automation
# 1. Create feature branch
git checkout -b feature/configure-802.1x-access-ports
# 2. Write Ansible playbook
cat > ansible/playbooks/configure-dot1x-access.yaml << 'EOF'
---
- name: Configure 802.1X on Access Ports
hosts: fabric_edge_nodes
tasks:
- name: Enable 802.1X globally
cisco.ios.ios_config:
lines:
- dot1x system-auth-control
- name: Configure access ports
cisco.ios.ios_config:
parents: "interface {{ item }}"
lines:
- switchport mode access
- switchport access vlan 100
- authentication port-control auto
- dot1x pae authenticator
loop: "{{ access_ports }}"
EOF
# 3. Test in CML lab
cd ansible
ansible-playbook -i inventory/lab.yml playbooks/configure-dot1x-access.yaml --check
# 4. Execute in lab (remove --check)
ansible-playbook -i inventory/lab.yml playbooks/configure-dot1x-access.yaml
# 5. Validate configuration
ansible-playbook -i inventory/lab.yml playbooks/validate-dot1x.yaml
# 6. Commit and push
git add .
git commit -m "Add 802.1X access port configuration playbook"
git push origin feature/configure-802.1x-access-ports
# 7. Create pull request via GitHub/GitLab UI
# Request review from Network Architect
# Explain: "Configures 802.1X on access ports per design doc v2.3"
# 8. Address review comments
# Architect requests: "Add VLAN validation check"
# Engineer updates playbook, pushes changes
git commit --amend
git push --force-with-lease
# 9. Wait for approval
# Architect approves → merges to staging
# After staging validation → Architect merges to main
# Network Ops executes against production
Network Operations Role¶
Responsibilities¶
Production Execution: - Execute approved Terraform plans - Run approved Ansible playbooks - Monitor execution logs - Report failures to Automation Engineer
Change Window Management: - Schedule maintenance windows - Communicate outages to stakeholders - Execute rollback if deployment fails
Operational Monitoring: - Verify automation execution success - Check device reachability post-change - Validate service availability
Permissions¶
Git Repository:
- Read-only access to main branch
- Clone repository to execution environment
- Cannot modify code or create branches
Production Infrastructure: - Execute Terraform/Ansible via approved scripts - No direct GUI access to DNAC/ISE/vManage - SSH access to devices for emergency troubleshooting only
HashiCorp Vault: - Retrieve production credentials via Terraform/Ansible - Credentials auto-expire after playbook execution - No ability to view or export credentials manually
Example Workflow¶
# Network Operations executing approved automation
# 1. Clone repository (main branch)
git clone https://github.com/abhavtech/automation.git
cd automation
git checkout main # Confirmed approved by Architect
# 2. Review Terraform plan
cd terraform/dnac
terraform plan -out=tfplan
# Save plan output to change ticket:
# "Terraform will create 1 site, 3 IP pools, 2 fabric sites"
# 3. Execute during scheduled change window
# Change Ticket #CHG0012345 approved: 2024-03-15 02:00-04:00 UTC
terraform apply tfplan
# 4. Verify execution
terraform show | grep 'resource "dnacenter_site"'
# Confirmed: dallas_branch site created
# 5. Document in change ticket
# "Deployment successful. Dallas site visible in DNAC GUI."
# "No errors in terraform.log"
# "All fabric nodes reachable via ping"
# 6. If failure occurs
# Initiate rollback procedure:
git revert HEAD
terraform apply # Reverts to previous state
# Notify Architect and Engineer via Slack/email
Enforcement Mechanisms¶
Git Branch Protection¶
main branch settings:
- Require pull request before merging
- Require review from Network Architect role
- Dismiss stale reviews when new commits pushed
- Require status checks to pass (linting, terraform validate)
- No force push allowed
- No deletion allowed
staging branch settings:
- Allow Automation Engineer direct push
- Require successful CI/CD pipeline
- Auto-delete branch after merge to main
Feature branches: - Any engineer can create - Auto-delete 30 days after last commit
Network ACLs¶
Automation Control Node:
- lab branch execution → Routes to CML lab subnet (10.252.100.0/24)
- staging branch execution → Routes to staging subnet (10.252.150.0/24)
- main branch execution → Routes to production subnet (10.252.0.0/16)
Role-Based IP Filtering: - Automation Engineer workstation → Can reach CML lab, cannot reach production - Network Operations workstation → Can reach production, cannot push to Git - Network Architect workstation → Can reach all environments read-only
Vault Policies¶
# Automation Engineer policy: Lab credentials only
path "secret/data/lab/*" {
capabilities = ["read"]
}
path "secret/data/production/*" {
capabilities = ["deny"]
}
# Network Operations policy: Production credentials via automation only
path "secret/data/production/*" {
capabilities = ["read"]
# Requires valid Terraform/Ansible service account token
# Human users cannot retrieve directly
}
Audit Trail¶
Every action is logged and attributed:
| Action | Log Location | Retention | Who Can View |
|---|---|---|---|
| Git commit | GitHub/GitLab audit log | Indefinite | All team members |
| Pull request approval | GitHub/GitLab | Indefinite | All team members |
| Terraform apply | Terraform state history + syslog | 1 year | Network Architect, Ops |
| Ansible playbook execution | Ansible Tower logs | 90 days | Automation Engineer, Ops |
| Vault secret access | Vault audit log | 1 year | Security team only |
| DNAC configuration change | DNAC audit log | 1 year | Network Architect |
Sample Audit Query¶
# Who deployed the Dallas site?
git log --all --grep="dallas" --pretty=format:"%h %an %ad %s"
# Output:
# a3f21c9 John Doe 2024-03-15 Add Dallas branch site (Architect approved)
# b8e44f2 Jane Smith 2024-03-14 Initial Dallas site Terraform code (Engineer)
# What credentials were accessed during deployment?
vault audit list
vault read sys/audit/file
# Shows:
# Terraform service account accessed secret/production/dnac_api_creds
# Timestamp: 2024-03-15 02:15:33 UTC
Related Sections: - 2.1 High-Level Architecture - Automation workflow - 2.2 Tool Responsibilities Matrix - Terraform vs Ansible vs Python - Chapter 5: Git Workflow - Branching strategy details - Chapter 4: Secrets & Security - Vault policies and RBAC