Reference Projects
Designed, deployed, and managed 802.1X port-based authentication across the ministry's entire access network. The project involved building authentication policies in Cisco ISE, profiling and classifying a diverse endpoint population, and rolling out configuration to access-layer switches in a phased approach to avoid disruption. Covered both wired and wireless segments. Following the initial rollout, ongoing management included policy tuning, handling exceptions, certificate lifecycle management, and ISE upgrades.
When the COVID lockdown forced the entire organisation to work remotely overnight, the existing VPN infrastructure was not sized for that load. The challenge was scaling Cisco ASA capacity with no permitted maintenance window — changes had to be made live, without dropping active sessions. Licensing, session limits, and connection profiles were reconfigured in a running production environment, allowing all 2,000 users to connect simultaneously without service interruption.
Long-term operational responsibility for the Cisco ISE deployment, including recurring security patching, version upgrades performed without downtime, and ongoing management of authentication and authorisation policies for all 750 users and their devices. During a wider network revitalisation project, access policies were updated in parallel with infrastructure changes to maintain continuous enforcement without gaps or disruptions.
Ongoing management of the full DMZ stack for a national financial authority whose systems process the tax obligations of all legal entities in the Czech Republic. Responsibilities covered the Firepower firewall cluster, ISR-based internet edge routers with BGP peering to upstream providers, and ASA-based VPN concentrators serving both site-to-site tunnels to branch locations and remote access for end users. Given the transaction volumes and regulatory sensitivity, stability and change control were paramount.
Day-to-day operational management of a nationwide branch network spanning postal offices across the Czech Republic. Work included routine changes, troubleshooting, and customisation of the client's internally developed network orchestration tooling. In the data centres, managed Nexus-based fabric and ACE application delivery controllers. Daily tasks included applying updates to internal firewall rule sets to support application changes and business requirements across the organisation.
Consulting and implementation work across the network infrastructure of the Hyundai manufacturing plant — the sole Hyundai production facility in the Czech Republic. Any network outage directly impacts production output, making reliability the primary design constraint. Delivered firewall configuration and policy work on Cisco ASA alongside switching infrastructure on Cisco Catalyst, with a focus on segmenting production, office, and guest traffic appropriately.
Designed and deployed a new point-to-multipoint branch connectivity solution connecting 12 regional investment promotion offices to the headquarters, replacing an aging setup. Cisco Firepower was deployed as the central security gateway, providing next-generation firewall capabilities alongside VPN termination for branch traffic. Following delivery, provided ongoing operational support covering security patch cycles, policy updates, and incident response for the full 3-year engagement.
Long-term management of two Cisco ASA high-availability clusters acting as VPN concentrators. The clusters served three distinct user populations: internal employees working remotely, third-party vendors requiring controlled access to internal systems, and 20 external partner organisations with their own dedicated connection profiles and access policies. Managed cluster health, certificate renewals, firmware updates, and access policy changes throughout the engagement.
Tier 3 long-term network engineering and operations across all data centre locations of a global Tier 1 bank. The environment spanned Cisco Nexus data centre switching, Cisco ASA and Check Point firewalls, F5 load balancers, and Checkmk monitoring. Operating at this level meant strict change control processes, 24/7 availability requirements, and deep familiarity with the bank's internal procedures and approval chains. Covered routine operations, complex changes, and escalation support.
Revitalisation of the bank's ATM network connectivity, migrating from the legacy Cisco Easy VPN solution to modern IKEv2 IPsec tunnels with new hardware encryption devices at each ATM site. The migration required careful phased execution to avoid impacting ATM availability for bank customers. Delivered updated VPN profiles, headend ASA configuration, and coordinated cutover of ATM endpoints while maintaining fallback capability throughout the transition.
The client was running a MikroTik router as their perimeter firewall — a solution originally chosen for cost reasons that had grown beyond its capabilities as the business scaled to 150 employees. Performed a full assessment of the existing rule set and traffic flows, then designed and implemented a Cisco Firepower replacement. The migration brought proper NGFW capabilities including application visibility, IPS, and URL filtering, while preserving all required connectivity for the existing environment.
End-to-end delivery of a new on-premises server environment for a company that needed to run the Pohoda accounting and ERP system under their own control rather than a third-party hosted solution. Built a Proxmox virtualisation platform, deployed Microsoft SQL Server for the Pohoda database backend, and set up Checkmk for infrastructure monitoring. Configured secure remote access so employees could connect to business systems from home. Handed over a fully documented, production-ready environment.
Five-year operational management of the entire internal network for one of the largest hospitals in the Czech Republic. The environment included Cisco ISE for 802.1X-based network access control across both clinical and administrative segments, multiple physical and virtual firewall instances (ASA and Firepower), Cisco Umbrella for DNS-layer security, and approximately 30 logical Catalyst switches including the core layer. Healthcare environments carry strict uptime expectations and data sensitivity requirements — all changes were planned and executed accordingly.
A decade-long partnership covering the full lifecycle of the city's internal IT network. Ongoing responsibilities included managing Cisco Nexus core switching, Firepower perimeter security, Meraki Wi-Fi infrastructure across municipal buildings, and Checkmk monitoring. Over the engagement, also introduced and integrated Authentik as an open-source identity provider for centralised authentication across internal services. The relationship extended beyond maintenance into active strategic development, with improvements to network architecture and tooling regularly proposed and implemented as the city's needs evolved.
Long-term support and development of the security perimeter for a state health insurance provider. Managed the primary Cisco Firepower firewall, which also served as the VPN concentrator for remote employee access. Separately, implemented and incrementally expanded a Cisco ISE-based network access control system, building out 802.1X enforcement across the internal network. Regular activities included policy updates, security patching, version upgrades, and responding to compliance or audit requirements.
Five-year engagement covering the network access control environment for the operator of the Czech Republic's international oil pipeline infrastructure. Optimised the Cisco ISE deployment for performance and policy accuracy, maintained regular update cycles for both ISE and the underlying Catalyst switching estate, and led the generational hardware refresh — replacing end-of-life equipment while keeping the pipeline control and business networks continuously operational. Given the facility's role in national energy infrastructure, change management and risk mitigation were central to every activity.
Comprehensive network and infrastructure modernisation for a primary school operating with an oversized and inefficient on-premises server estate. Replaced and optimised the perimeter firewall with Cisco Firepower, deployed Cisco Meraki access points for managed Wi-Fi, and activated eduroam — making the school's wireless network accessible to students and staff holding academic credentials from other institutions. The server consolidation was a significant win: reduced 15 physical servers down to 2, with workloads migrated to the City of Brno's data centre, cutting hardware costs and maintenance burden substantially.
Rapid deployment of Cisco ASA-based VPN remote access to allow all employees to work from home during the COVID-19 pandemic. The organisation had no existing remote access infrastructure in place. Delivered a working solution quickly, covering ASA configuration, client deployment, split-tunnelling policies, and user authentication — ensuring business continuity for a utility provider whose operations could not simply pause.
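The two ASA remote-access engagements above (the HA clusters serving employees, vendors and partner organisations with dedicated connection profiles, and the pandemic-era rollout with split-tunnelling and user authentication) share one configuration pattern. The skeleton below is an added illustration and is not configuration taken from any of these projects; the pool, object, ACL, group-policy and tunnel-group names, the 10.x/172.16.x address ranges, the ISE server address and the AnyConnect image filename are all constructed placeholders. It shows the security-relevant choices a reviewer looks for: split tunnelling restricted to named corporate prefixes rather than "tunnel everything except", a separate profile for a partner population whose reachable hosts are limited by a vpn-filter, RADIUS authentication against ISE, and per-profile idle and simultaneous-login limits.

```cisco
! Address pool handed to remote-access clients (constructed range)
ip local pool RA-POOL 10.200.0.1-10.200.7.254 mask 255.255.248.0
!
! Corporate prefixes that are allowed to traverse the tunnel.
! Anything not listed stays on the user's local internet path.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-TUNNEL standard permit 172.16.0.0 255.240.0.0
!
! Partner filter: once inside the tunnel, partner users may only reach
! one application host on two ports (constructed addresses/ports).
access-list PARTNER-FILTER extended permit tcp any host 10.10.5.20 eq 443
access-list PARTNER-FILTER extended permit tcp any host 10.10.5.20 eq 22
access-list PARTNER-FILTER extended deny ip any any
!
! RADIUS authentication against ISE (constructed address; real secret omitted)
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! --- Employee profile: split tunnel to corporate prefixes only ---
group-policy GP-EMPLOYEES internal
group-policy GP-EMPLOYEES attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 split-dns value corp.example
 dns-server value 10.0.0.53
 vpn-idle-timeout 30
 vpn-simultaneous-logins 1
!
! --- Partner profile: full tunnel, but reachable hosts limited by filter ---
group-policy GP-PARTNER-A internal
group-policy GP-PARTNER-A attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 vpn-filter value PARTNER-FILTER
 vpn-idle-timeout 15
 vpn-simultaneous-logins 1
!
! One connection profile (tunnel-group) per population, each bound to its
! own group-policy so access rules cannot bleed between populations.
tunnel-group RA-EMPLOYEES type remote-access
tunnel-group RA-EMPLOYEES general-attributes
 address-pool RA-POOL
 authentication-server-group ISE
 default-group-policy GP-EMPLOYEES
tunnel-group RA-EMPLOYEES webvpn-attributes
 group-alias Employees enable
!
tunnel-group RA-PARTNER-A type remote-access
tunnel-group RA-PARTNER-A general-attributes
 address-pool RA-POOL
 authentication-server-group ISE
 default-group-policy GP-PARTNER-A
tunnel-group RA-PARTNER-A webvpn-attributes
 group-alias Partner-A enable
!
! Enable the AnyConnect (SSL) service on the outside interface
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
```

Two points worth checking after a change like this: `show vpn-sessiondb anyconnect` confirms which group-policy a session actually landed in (the filter and split-tunnel list follow the group-policy, not the tunnel-group alias the user clicked), and a partner profile with `tunnelall` plus a `vpn-filter` is deliberately stricter than the employee profile because the partner's endpoint is not under the organisation's control.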
Greenfield implementation of 802.1X network access control using Cisco ISE across the district heating company's internal network. Covered endpoint profiling, policy design for different device categories (corporate, OT, guests), RADIUS integration with the switching infrastructure, and phased enforcement rollout to avoid disrupting operational systems. Delivered full coverage across 2,000 endpoints by end of the project.
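Both 802.1X rollouts described here (the ministry-wide deployment and the district heating greenfield project) were delivered in phases so that enforcement could be switched on without stranding endpoints. The Catalyst access-port configuration below is an added illustration of that phasing and is not taken from either project; the RADIUS server name and address, VLAN numbers and interface are constructed placeholders. Phase 1 uses `authentication open` (monitor mode): the switch still sends every session to ISE and ISE still profiles the endpoint and logs the authorisation result, but traffic is forwarded regardless, so failures show up in ISE reports rather than as outages. Phase 2 removes the open keyword and adds the failure handling that keeps a port usable if the RADIUS servers become unreachable.

```cisco
! --- Global AAA: all dot1x/MAB sessions go to ISE over RADIUS ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ISE policy service node (constructed name/address; real secret omitted)
radius server ISE-PSN1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Declare a server dead after 3 unanswered tries in 30 s so that the
! server-dead actions below trigger instead of every session hanging.
radius-server dead-criteria time 30 tries 3
!
dot1x system-auth-control
!
! ===== Phase 1: monitor mode on an access port =====
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication open
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! ===== Phase 2: closed mode on the same port =====
! Same as above minus "authentication open", plus explicit handling of
! failed authentications and RADIUS server outages.
interface GigabitEthernet1/0/1
 no authentication open
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication violation restrict
```

During phase 1, `show authentication sessions interface GigabitEthernet1/0/1` on the switch, together with the ISE live log, shows which endpoints would have been denied once the port is closed; those are the profiling gaps and exception cases to resolve before moving a switch to phase 2. The `server dead action authorize vlan 100` line is the availability safeguard: if every configured RADIUS server is declared dead, new sessions are placed in the normal access VLAN instead of being blocked, and `server alive action reinitialize` re-authenticates them once ISE is reachable again.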
Full implementation of a Cisco SD-Access fabric covering both wired and wireless infrastructure, built on Cisco DNA Center. Cisco ISE was deployed as an integral component of the fabric, handling 802.1X authentication and dynamic policy enforcement for both employee and client-facing segments. The project delivered consistent, identity-based access control across the entire network — with policies defined centrally and enforced automatically at the fabric edge, regardless of where a user or device connected.