Delaware Department of Technology and Information deploys ACE modules to improve application scalability and manageability.
Challenge
Instituted in 2001, the Delaware Department of Technology and Information (DTI) has responsibility for providing a true customer service culture and a spirit of collaboration that fosters centralized technology leadership statewide. DTI's mission is to provide leadership in the selection, development and deployment of technology solutions throughout the State of Delaware. Since its formation, DTI has clearly established a new direction that has focused on strong relationships with stakeholder groups and service-oriented leadership in technology. DTI's team of the "best and the brightest" has solidly proven its ability to bring projects in on time and under budget.
DTI has two data centers: in Dover and Wilmington, Delaware. The state agency has web servers that use nine Blue Coat proxies with 15,000 connections on each proxy and users are made up of state employees and K-12 students. DTI also supports 25 agencies and 19 school districts within the State of Delaware. The agency has Cisco Catalyst® 3560 Switches as top of rack, Cisco® Catalyst 6500 Series Switches for core switches in the data center, and Cisco GSS 4492-K9 Global Site Selectors to manage much of the load balancing between the two data centers. On the storage side, DTI has two Cisco MDS 9509 Multilayer Directors, four Cisco MDS 9216 Multilayer Fabric Switches, and two Cisco MDS 9134 Multilayer Fabric Switches in the SAN.
According to Scott Huffman, telecommunications tech at DTI, the organization serves as an ISP for the State of Delaware and hosts several agencies by using load-balancing to segregate security zones. But when DTI's load balancing solution was reaching end of life, Huffman began evaluating a replacement.
"We had a couple of load-balancers from another vendor that were at end of life and end of support, and we wanted to replace them with something new that had more horsepower," said Huffman. "Also, for our upgrade, we were hoping for a solution that could be easily managed by other groups within the agency to lighten the burden of DTI having the responsibility of managing everything."
Solution
Huffman conducted an evaluation of a Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500 Series Switches to assess whether it was a good candidate to replace DTI's incumbent load-balancing solution.
"We really didn't look at any other vendor solutions since we were already getting great results with the Catalyst switches that we were using in the data center, and decided to test Cisco's load-balancing and application acceleration solutions," says Huffman. `We did a mock-up and tested an ACE module in the Cisco Malvern labs and decided ACE was a good candidate for replacing our load-balancing solution. The fact that ACE was less expensive than our previous solution and that we could leverage ACE in the chassis that we already owned was the tipping point in our decision."
Huffman selected eight Cisco ACE modules in the 8 Gbps configuration for the core and in the network edge firewall configuration, and says the manageability of the ACE was crucial in their decision.
"We deployed the ACE Modules in our core and DMZ and have web applications on them, as well as the state proxies behind them," says Huffman. "So, basically, we have a two Catalyst 6500s and an ACE module in each of our data centers, and all web traffic and browsing, which consists mainly of state agencies, which goes through ACE, which load-balances a set of proxies, and then they're sent out to the Internet. We perform SSL termination, so when a user lands on the webpage, it terminates on the ACE and starts encryption to get to the backend server. It was a pleasant surprise to discover how much easier the ACE interface was to interact with than our previous solution and the ability that it gave us to manage different roles and to ultimately allow our other agencies to manage for themselves."
According to Huffman, the ACE modules help create a redundant and highly available load-balancing solution while consolidating devices.
"Our original idea was to be as redundant as possible," says Huffman. "By using the ACE modules and the GSS combined, we've begun to add more redundancy between our two data centers. Cisco ACE modules were also a much cleaner install, and it was so convenient to be able to route through the Catalyst 6500 Series Switches that we already had in existence and not have one more device sitting in the rack, unlike our previous solution that took up a lot of rack space."
The GSS and ACE deployment enhanced the functionality of DTI's Microsoft Exchange environment, according to Huffman.
"The combination of GSS and ACE enabled our Microsoft Exchange environment to achieve automatic and almost instantaneous Exchange failover between data centers," says Huffman. "Microsoft had no offering to `enhance' DNS and failover was a 30 minute task per their normal DNS methodology. Microsoft engineers were so impressed, they documented our GSS & ACE setup and have a made it a recommendation."
Huffman says the virtualization features of the ACE modules were a top selling point.
"No one wanted to add much more to our previous load-balancing solution, and when we brought the ACE modules on board, we were in a creative phase of design, and several people on the team got the idea that, rather than ripping out the aging equipment and immediately replacing it, we could leverage it through the ACE and move the older solution completely to one context," says Huffman. "We were able to take several of the older devices, collapse them down into one ACE module and virtualize it, and we quickly found that we no longer needed separate hardware. We were able to make virtual instances and were even able to take some of the devices from our previous load-balancing solution and virtualize them in ACE. That was definitely a winner for us."
Results
Huffman says the ability to utilize the virtualization capabilities was the number-one decisive factor for DTI and was a direct result of the Cisco ACE deployment.
"Virtualization was high on our list, as was the role-based access control, and we haven't even fully utilized ACE to its full potential," says Huffman. "The ability to perform virtual context was really one of the main reasons that we selected ACE because we would have had to purchase roughly 16 devices from the other vendor to perform the virtual context that we can do with a single ACE module. The ability to use the role-based access control is also a feature that we have great expectations for in the future that we anticipate will be used to offload some of the work to other agencies within the State of Delaware."
According to Huffman, the SSL terminations through ACE have been easy to manage and are another benefit from the upgrade.
"Our application wear-out time is significantly less with ACE," says Huffman. "SSL terminations with our previous solution were a royal pain in the neck to deal with and were part of the reason that we leaned towards ACE when we saw that SSL terminations were a breeze without all the redundancy and duplication efforts that we had to deal with for our previous load-balancing solution."
The ability to extend the use of DTI's previous load-balancing solution from another vendor and consolidate devices into the ACE modules was another key benefit from the deployment, according to Huffman.
"Having the ability to find another purpose for our end-of-life load-balancing solution and get a little more mileage out of it was an added bonus from our upgrade to ACE," says Huffman. "Given the state of our current economy, anywhere I'm able to find savings in the IT budget puts our group in a good light. And the fact that we were able to package several of the older devices down into one ACE module was huge."
For More Information
To find out more about the Cisco ACE module for the Cisco Catalyst 6500 Series Switches, as well as Cisco MDS Directors and other Cisco products, go to http://www.cisco.com.