Working with cities across the world, we’ve started to notice a familiar pattern of challenges and we believe we’ve come up with a solution and unique innovations to address these. So, in the story below I’d like to share the perspective of a typical municipal leader who’s facing these challenges and how Cisco can help. Perhaps this tale will be familiar to you; and who knows, maybe Cisco can help you modernize your city like we’re doing with countless others.
* * *
The mayor had announced a plan to make our city smart – starting with using IoT technologies to monitor and improve traffic flow. I understood the potential value, but I wasn’t sure how we would get there.
My mind wandered to a number of incidents that had shown the shortcomings of our current network. For one thing, I remembered the time a traffic crew went out for routine maintenance at 5th and Maple Streets. Who knows why they needed to pull some of the Ethernet cables, but what a mess they made putting them back into different positions! Everything stopped working: the cameras went down and the traffic optimizations stopped, which affected traffic across the whole region. It took us two days to track down the root cause because we couldn’t find the right wiring diagram records. And the time it took to reverse engineer the IT setup? That was a nightmare.
Another time, a savvy school kid wired up an illegal Wi-Fi access point by simply jimmying open a street cabinet and plugging into one of our switches. He would have gotten away with it a lot longer, too, if a road maintenance crew hadn’t accidentally dug up the fiber optic for that cabinet, requiring someone to go out and take a look. (Of course, we were lucky the kid only wanted free Internet access; otherwise, we might have ended up like the billboard on I-75 in Auburn Hills, Michigan with nefarious content on our variable message signs.)
To truly modernize and connect our community, we would need better connectivity at our intersections, more cameras, more sensors and new public Wi-Fi services. This would also enable wireless broadband services for lower-income citizens – giving that school kid what he wanted all along! And I knew that investment would also help us prepare for future connected and autonomous vehicles.
Ultimately, for security, we had known what we needed all along: much more detailed security policies and configurations plus well-defined access control lists (ACLs) on every switch, in every cabinet and in every junction; all linked up, coordinated and managed back to a set of virtual local area networks (VLANs). We’d also need strict control over which devices plug into which switch ports and maybe even MAC address authentication of every device plugged in (although MAC addresses can be spoofed, too).
The challenge? It would be a Herculean task just to do the security design, even more difficult to implement and pretty much impossible to maintain. The odds that some device in a street cabinet switch would be misconfigured weren’t just astronomically high. It was inevitable. And when it happened, things would stop working. Even if we wanted to take on this mammoth task, who would do the work? We were not staffed for that type of complexity. We didn’t have the necessary IT and security skillsets and expertise, and couldn’t afford to find and acquire that talent.
A design tailor-made for connected communities
I guess that’s why I was so fascinated (and grateful) to meet Sam, the Cisco account manager who told me about Cisco’s Intent-based Networking and their fully validated solution called Connected Communities Infrastructure. It seemed tailor-made to address our issues. I was skeptical at first, but in the follow-up meeting with Sam’s sales engineer, we all started to see the power of network automation, centralized policy for security consistency and simplicity, and analytics to tell us when there is unexpected activity or behavior on the network.
What really blew us away was Software-Defined Access (SDA). It would let us take security to the next level while using a single physical infrastructure for multiple services and departments – each with their own dedicated virtual network. With no more manually configured and maintained per-box ACLs, we could tap into the power of those best practices but with the simplicity of administering and automating it all centrally from Cisco DNA Center. We also felt more confident knowing that Cisco already tested all these capabilities specifically for our Smart City and Connected Roadways use cases and documented all the best practices and design guidance in the Connected Communities Infrastructure CVD (Cisco Validated Design). Of course, the overall project effort was still significant. It isn’t easy coordinating so many new systems, sensors and devices, but we had a good partner who managed that for us.
Connectivity that’s simple AND secure
We’re now rolling out a true next-generation network with the security and flexibility we need for the future. And while we’re doing it all with our original staff, we’re also able to do so much more. We can now provision virtual network connectivity and services for other departments, leveraging their budgets to continue expanding our network and capabilities. We did this recently when we enabled (all in software!) a new virtual network on our public Wi-Fi access points so the police can automatically and instantly upload their body camera footage to a secure central location. Looking ahead, when we need to roll out a network or services upgrade, the task will be much simpler. Take, for example, that intersection at 5th and Maple that used to give us such headaches. We’re now installing a new traffic management system with traffic and pedestrian sensors, variable message signs, environmental sensors and public Wi-Fi services. We’re even planning to test vehicle-to-infrastructure communications like DSRC/ITS-G5/C-ITS and integrate this with our new traffic management system.
What truly amazed me, however, was how straightforward network connectivity proved to be. Our engineer simply took two new Cisco Catalyst IE3400 Rugged Ethernet switches to the site. There he unboxed them, fitted accessories like SFP transceivers for the fiber, hooked up power, connected the street fiber and clipped the switch to the street cabinet’s DIN rail. Straight away we saw the box come up in Cisco DNA Center back in our control center. At a push of a button, that new street-side Ethernet switch was configured – and secured!
In fact, our engineer plugged in his laptop thinking he could check for connectivity, but straightaway it flagged a warning on our system and isolated his network connection and laptop. We actually laughed when he called and said the switch wasn’t working and that he wasn’t even getting an IP address! Just to show him the power of this new Intent-based Network, we instantly took his isolated connection and laptop and gave him full Internet access. He quickly said, “Wow, it’s working now. Did you guys do that?” Then we turned it off again just to show him.
The rest was equally straightforward: The engineer plugged in the traffic control system, cameras, sensors and Wi-Fi access points. The cameras, Wi-Fi access points and some of the sensors run on Power-over-Ethernet (PoE), so they didn’t even need any other cabling or separate power. Each device authenticated with the network using well-established, secure protocols, such as 802.1X and MAC Authentication Bypass (MAB). One by one, they got the connectivity and network services they needed and had been assigned. It didn’t really matter which connections went into which ports on the IE3400, as each port auto-configured based on the device’s authentication. Even when the engineer swapped some Ethernet cables to tidy up the wiring, the system automatically and securely re-configured the ports. It just WORKS.
We had never seen anything like it. Our city – and our network – are truly “smart,” and we can’t imagine ever returning to per-box configurations and ACLs.
* * *
Ready to write a similar tale for your own city? Learn more about Cisco CVDs. We’ll show you how the Connected Communities Infrastructure CVD can work for your town, too.
This is very well worded and quite frankly I’m dumbfounded by Mr Elberse’s work in this matter of interest. Another amazing Cisco employee.
Network Access Control and Access Control Lists have been crying out for automation and orchestration tools that make them tenable to use in large IoT networks, and the AI-based network intent system does this so well, avoiding the human error mistakes and burnout in maintenance where it all gets too hard and just isn’t done with enough care anymore.
Thank you for the comment. We couldn’t agree more! 🙂
This, I think you all know, is not designed to resist Quantum capabilities and will fail security hacks virtually on an ever evolving sophisticated 0/1 platform and less than the highest level frequencies protections and infrastructure vulnerabilities as well. This artificial connectivity however makes an easy all in one (or more inclusive) conduit though for subversion. Security doesn’t have to supersede archaic ideas or sells. In this age it requires much more than what looks new, affordable, easier and “fascinating” because you can have it. Instagram marccolarelli