Background

A leading Energy Utility Company in East Africa operates a hybrid revenue model where electricity is sold through:

• Direct customer purchases (mobile money, cash offices, online portals)
• Third-party vendors such as banks, private agents, and retailers

These external partners access backend systems through VPNs, making network availability, cybersecurity, and identity-based access control critical.

The environment supports 24/7 high-volume token generation, meaning any downtime directly affects revenue collection nationwide.

As the organization expanded geographically, it faced serious challenges:

• Increasing cyber threats, unauthorized access attempts, and phishing
• Legacy switching with single-point-of-failure risks
• Poor network visibility and weak access policies
• VPN instability affecting partners and token sales
• Branch networks without unified authentication or security compliance

To transform reliability and security, the company partnered with our engineering team for a complete network overhaul.

Solution Overview

1. Cisco VSS Collapsed Core (High-Availability Core Network)

We designed and deployed a Cisco VSS (Virtual Switching System) architecture at the headquarters to eliminate downtime and provide:

• Active-active core switching
• No STP blocking (full link utilization)
• Sub-second failover, ensuring token vending remains uninterrupted
• Simplified management of what behaves like one logical switch

This collapsed core became the backbone supporting all services, applications, and security controls.

2. Branch Connectivity with Cisco Access Switches

Over 40 Cisco access switches were deployed across multiple branches, providing:

• Standardized, centrally aligned network design
• Support for 802.1X and identity-based access
• Consistent VLAN and QoS policies
• Enhanced stability for customer service centers and call-center support

This created a uniform enterprise-grade LAN across the entire country footprint.

3.  Identity-Based Security with Cisco ISE (LAN, WAN, and WiFi)

We introduced Cisco Identity Services Engine (ISE) across HQ and all branches to enforce:

802.1X network access control (NAC)

• Every user and device authenticates before gaining any network access.

Centralized policy management

• Role-based access for employees, contractors, field technicians, and vendors.

Guest WiFi + BYOD control

• Secure onboarding for mobile devices and visitors.

Visibility into endpoints

• Automated identification of: PCs & laptops, Field devices, IoT/OT equipment, and Mobile devices

ISE enabled zero-trust network access, vital for a utility company whose operations affect millions of households.

4. Perimeter Security with Firewall (HA Cluster)

At the HQ, we deployed two Firewalls in High Availability (HA) mode acting as:

• Unified Threat Management (UTM)
• Secure VPN gateway for all external partners
• IPS / Anti-Malware / Sandboxing engines
• Web & application filtering
• WAN failover and load balancing

This ensured always-on connectivity for:

• Banking partners
• Private agents
• Payment aggregators
• Remote staff
• Core application access

Most importantly, the HA setup eliminated downtime for token vending systems, which process thousands of transactions per hour.

Business Impact

 1. Increased Network Uptime

• Token vending systems achieved 99.98% uptime
• VSS eliminated single-points-of-failure
• HA firewalls ensured uninterrupted services even during maintenance

2. Improved Security & Compliance

• Unauthorized access reduced by over 90%
• Role-based access eliminated internal lateral-movement risk
• Partner VPN access became more secure and more stable

 3. Higher Revenue Protection

Reliable network → uninterrupted token generation → no revenue loss during outages.

4. Better Operational Transparency

• ISE provided full visibility into user and device identity
• UTM provided full reporting of threats, malware, and attempted attacks
• Cisco stack made troubleshooting up to 60% faster

 5. Scalable for Future Smart-Grid and Digital Services

The architecture now supports:

• AMI (Advanced Metering Infrastructure)
• SCADA segmentation
• Future IoT/OT security integration
• Cloud migration & remote operations

Summary of Technologies Deployed