BBVA Banks on Secure, Agile Operations

Argentine bank powers worker mobility and enhances productivity by unifying environments with software-defined networking.

Reinventing the network


BBVA Argentina redesigned its network from the ground up to drive operational excellence, consistent security, and increased visibility across 245 branches and a complex campus.

Banco Bilbao Vizcaya Argentaria, S.A.

A global financial services group headquartered in Madrid, BBVA serves over 70 million customers in more than 25 countries across Europe and Latin America.

Challenges

BBVA Argentina needed greater user mobility across its locations, but a complex mix of manually operated legacy networks, fragmented policies, and slow, error-prone change processes risked inconsistent security standards:
 
  • Growing need for user mobility and network micro‑segmentation without adding operational overhead.
  • Complex, error‑prone management of firewall rules and VLAN changes whenever employees moved.
  • Inconsistent access policies and security standards across buildings and branches.
  • Highly manual, time‑consuming network operations that slowed updates and troubleshooting.
  • Global mandate for local banks to improve productivity and agility through standardized architectures.

Solutions

BBVA Argentina unified its campus and branches with automated software-defined networking solutions for dynamic, consistent security and policy management end to end:

  • Cisco SD-Access fabric enables micro-segmentation, identity-based access, user mobility, zero-touch provisioning, and automated deployment of consistent policies.
  • Cisco Catalyst Center automates and manages campus and branch networks, including policy enforcement, configuration changes, software image management, and real-time visibility.
  • Cisco Catalyst SD-WAN carries SDA tags and policies end-to-end, creating a unified, secure, and scalable experience between campuses, branches, and data centers.
  • Cisco ISE integrates the core identity and policy engine with SDA to assign user and device tags, enabling dynamic, identity-based segmentation and access control.
  • Cisco ACI aligns data center networking with the automation and policy model used in the campus.

Outcomes

Integrates security and mobility

User access is defined by identity, not location, enabling consistent policy enforcement and segmentation.

Improves IT productivity

Centralized tools provide real-time visibility across campus and branch environments for greater control.

Automates operational efficiency at scale

Automatic software updates and zero‑touch provisioning with template‑driven changes reduce configuration errors and shrink release windows by over 75%.

Enhances employee experience

Staff gain flexibility to work at different sites with the same secure experience, improving productivity and talent retention.

Easier access

BBVA Argentina’s traditional network was holding the bank back, and Oscar Ledesma knew it had to change.

As a network architect at the Buenos Aires headquarters, Ledesma viewed his role as helping improve employees’ work, so customers would do business with the bank. But with slow, error-prone processes, network operations had become as much a hindrance as a help. Moving an employee between any of the bank’s 245 branches or within its main campus required careful configuration planning and several days to execute. “Employees move between buildings and branches all the time,” says Ledesma. “Maintaining consistent access policies was complex and highly manual.”

To adapt to the bank’s needs, Ledesma sought a better way to manage the network and securely provide access to employees. He found it in Cisco Software-Defined Access (SD-Access) through Cisco Catalyst Center, turning Argentina into the proving ground for how other BBVA entities can transform the way they connect people, places, and services.

“With Cisco SD-Access, access policies follow the user, regardless of where they connect,” says Ledesma. “That means consistent security, simplified segmentation, and seamless mobility without the IT headaches.”

Infrastructure as code

For Ledesma, SD-Access was the natural next step in a multi-year digital transformation journey. In 2017, the BBVA group decided strategic technology investments were necessary to improve productivity and agility in the face of change. Within the banking group, each national corporate entity operates separately, giving local teams the autonomy to implement solutions that best meet their needs, while following the holding company’s technical recommendations.

At BBVA Argentina, Ledesma’s networking team chose to pursue automation. “We decided it was time to put the concept of Infrastructure as Code into practice,” says Ledesma. They began building functionality for software-defined networking (SDN) from the ground up. A first step: deploying Cisco Application Centric Infrastructure (Cisco ACI) in its data centers to build network policies around applications rather than individual devices. “We became the first national bank in Argentina to implement Cisco ACI in both data centers,” says Ledesma proudly.

Ledesma and the Argentina networking team then turned their attention to the campus and branches. They wanted to make it easier to operate the network efficiently, while maintaining the bank’s critical security. “Security is always top of mind, but we needed automation,” says Ledesma. “The goal was to keep the same security standards as users move around, without the IT manager having to do anything.”

Secure flexibility

At the main campus and bank branches, micro‑segmentation and secure mobility had to come together. In evaluating Cisco SD-Access, Ledesma and the networking team recognized the potential of using a software-defined fabric to attach policies to users and devices, not to individual ports and subnets.

As it was, whenever someone changed buildings or branches, network engineers had to trace originating and new subnets, analyze firewall rules, and map the networks and services the user needed at the new location. They then manually updated firewall rules and segmentation, verifying that the changes did not unintentionally block or open access, and troubleshot any misconfigurations. “We needed a more flexible way to manage segmentation and mobility while maintaining our security standards,” he says.

Cisco SD-Access provides that flexibility for Ledesma and BBVA Argentina. Using the centrally controlled Cisco Catalyst Center, integrated with Cisco ISE (Identity Services Engine) and third-party security components, the team replaced static rules with dynamic, identity-centric policies. In practice, that means when a user authenticates, the system assigns a tag that travels with their sessions. Security decisions are based on that tag rather than specific IP addresses or physical locations, so the same rules apply to that user no matter where they connect.
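The contrast between the subnet-based rules described earlier and tag-based decisions can be shown with a small model. This is an added illustration, not BBVA's or Cisco's code: the user names, tags, subnets, and function names are all hypothetical, and the logic is a simplified stand-in for what a fabric enforces.

```python
import ipaddress

# Constructed sample data: users, tags, subnets and services are hypothetical.
USER_TAG = {"teller01": "TELLERS", "guest07": "GUESTS"}
SERVICE_TAG = {"10.50.0.10": "CORE_BANKING"}

# Legacy model: rules keyed on where the user sits (source subnet).
STATIC_ACL = [("10.1.20.0/24", "10.50.0.10/32", "permit")]  # HQ floor -> core banking

# Identity model: rules keyed on (source tag, destination tag); default deny.
TAG_POLICY = {("TELLERS", "CORE_BANKING"): "permit"}

sessions = {}  # source IP -> tag, bound when the user authenticates


def authenticate(user, ip):
    """Bind the user's group tag to the session's current IP address."""
    sessions[ip] = USER_TAG[user]


def static_decision(src_ip, dst_ip):
    """First-match evaluation of subnet rules; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, action in STATIC_ACL:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def tag_decision(src_ip, dst_ip):
    """Look up both tags and consult the policy matrix; no tag means deny."""
    src_tag = sessions.get(src_ip)
    dst_tag = SERVICE_TAG.get(dst_ip)
    return TAG_POLICY.get((src_tag, dst_tag), "deny")


def compare_after_move():
    """teller01 moves from HQ to a branch; guest07 lands on the old HQ subnet."""
    sessions.clear()
    authenticate("teller01", "10.200.7.15")  # branch subnet with no static rule
    authenticate("guest07", "10.1.20.44")    # the teller's former subnet
    core = "10.50.0.10"
    return {
        "teller_static": static_decision("10.200.7.15", core),
        "teller_tag": tag_decision("10.200.7.15", core),
        "guest_static": static_decision("10.1.20.44", core),
        "guest_tag": tag_decision("10.1.20.44", core),
    }


if __name__ == "__main__":
    print(compare_after_move())
```

With the static rule, the relocated teller is blocked and the guest inherits the access that belonged to the subnet; with tags, both outcomes follow the identity.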

The result is consistent micro‑segmentation and mobility. Access policies follow employees across locations automatically, keeping bank‑grade security intact without manual intervention by network engineers. “We apply the same security standards across all platforms,” says Ledesma. “It’s all part of creating a secure, end-to-end experience.”


Automated provisioning

After a successful two-year project implementing the software-defined architecture across the campus, Ledesma shifted his team’s focus to BBVA Argentina’s branches, integrating Cisco SD-WAN. “The same seamless and secure experience extends across our entire network,” Ledesma says. “There will be no difference if you connect in a building here or if you move to a branch a thousand kilometers away; you keep the security and free mobility concept.”

Network operations gained other benefits as well. Prior to the implementation, planning and configuration consumed hours of engineers’ time, and they struggled to keep software updated across all network devices. Now with Cisco SD-Access and Cisco Catalyst Center, many of these tasks are automated. “Consistent policies are implemented across the network, and software updates are automatically provisioned to all devices,” says Barcelona-based BBVA network engineer Daniel Buldón, who collaborated with Ledesma on standardizing campus-branch network architectures.

This zero‑touch provisioning means a new switch will automatically pull down the correct configuration and join the fabric within minutes. Template‑driven changes push consistent updates across many devices at once, triggering security fixes and image upgrades in just a few clicks. “Deploying switches throughout Argentina used to take three months,” says Buldón. “When we moved to the automated deployment, we finished the deployment in three weeks.”

Cisco Catalyst Center has transformed how the network team supports the bank with real-time visibility and reduced configuration errors.

“The less time you spend troubleshooting network issues, the more time you can think about how to improve it,” says Buldón. “In the end, it brings a more secure and more reliable experience to the end users.”

Extending the architecture

Ledesma and Buldón’s efforts in Argentina represent a significant contribution to BBVA’s broader push for agility and productivity, now supported by a Strategic Whole Portfolio Agreement signed with Cisco in 2024.

The Argentine network modernization has created a reference model for the entire BBVA banking group. Ledesma has moved into a new role as global network architect to help BBVA banks in other countries get similar results. “We want to get the same seamless, secure, unified end-to-end experience in campuses and branches everywhere,” says Ledesma.

BBVA banks in other countries, such as Colombia and Peru, have begun exploring variations of the Argentine network architecture, each at its own pace with unique operational constraints. “Every country has particular needs,” says Ledesma. “We have to identify what common issues we can resolve with one architecture. It’s an interactive process with local teams.”

As competition for customers has intensified in Argentine banking, BBVA believes a flexible, automated network offers strategic advantages. More workplace flexibility for employees helps attract talent, while the bank is better able to operate more efficiently and respond to change, even as the broader economic environment remains volatile.

Embracing SDN was a long-term strategy that demanded resolute focus in the face of shifting demands and business conditions. From the first Cisco ACI deployment in Argentina to now building a multi-bank strategy, Ledesma’s work demonstrates how one country’s determination to reinvent its network can set the standard for an entire global bank.
