Growing School District Automates Infrastructure Operations, Enhances Security
Available Languages
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Douglas County School District is Colorado's third largest, serving almost 70,000 students from preschool through 12th grade. The district includes 89 schools spread across an area of 850 square miles. Support and coordination take place at the district level, but each school has the flexibility to build its own instructional programs, giving parents a variety of educational choices. For more information, visit dcsdk12.org.
| Executive Summary |
|
| Customer Name: Douglas County School District Industry: Education Location: Castle Rock, Colorado Number of Employees: 70,000 students |
|
| Challenges |
●
Reduce infrastructure and application deployment time
●
Improve data segmentation and security
●
Standardize device configurations
|
| Solutions |
●
Application-centric, software-defined network
●
Integrated, multi-layer security
●
Centralized, policy-driven management and automation
|
| Results |
●
Standardized and automated infrastructure deployments
●
Integrated network management for VMware
●
Increased protection of student data
|
Challenge: Increase automation to stay lean
Douglas County School District has a small IT team tasked with a big job. The infrastructure and application environments are more dynamic every year, and security threats to schools everywhere continue to mount. The team needed a way to reduce deployment time, stop configuration drift, and better protect personally identifiable information (PII) while limiting IT headcount growth.
“There are a lot of days when it’s just hard to keep up,” says Nick Morgan, director of IT operations at Douglas County School District. “If a teacher wants to use a new learning tool, we have to quickly figure out the best way to provision it—and integrate it as part of our operations.”
“Cisco ACI makes our students’ PII much more secure. We can now isolate databases and protect sensitive applications, segmenting the data center with different security zones that tie into our firewall architecture.”
Dustin Bench, Lead Network Engineer, Douglas County School District
Automating with infrastructure as code
Faced with a move to a new data center several years ago, the Douglas County IT team had an important decision to make. Should they continue using legacy networking or move to Cisco ACI, the industry’s leading software-defined networking (SDN) solution? At the time, few public sector organizations were using SDN.
“We had a strong understanding of what an SDN-based data center could offer us,” says Dustin Bench, lead network engineer at Douglas County School District. “We really needed to automate our operations to get more bang for the buck. After reviewing SDN products from various vendors, we decided Cisco ACI provided the most robust solution. This said, the data center move was the opportune time to adopt Cisco Nexus 9000 Series Switches and Cisco ACI and put ourselves on a path to programmability and automation.”
Today, the IT team is cultivating a DevOps mentality and working to program the entire data center using an infrastructure-as-code approach. When a network configuration change is needed, an in-house program uses open APIs to push the configuration to the Cisco Application Policy Infrastructure Controller (APIC). Changes take effect immediately without disrupting production. Tasks that used to take a week are often completed in five minutes or less. Many routine tasks take just seconds.
“Our ability to optimize and automate operations using Cisco ACI is one of the main reasons we’ve been able to remain a lightweight team, even as we manage more heavyweight tasks,” explains Morgan. “This allows us to allocate capital to education needs versus spending on infrastructure and operations costs.”
“Our ability to optimize and automate routine operations using Cisco ACI is one of the main reasons we’ve been able to remain a lightweight team, even as we manage more heavyweight tasks. This allows us to allocate capital to education needs versus spending on infrastructure and operations costs.”
Nick Morgan, Director of IT Operations, Douglas County School District
The programmability of Cisco ACI has been the catalyst for additional automation efforts. The IT team now uses Python scripts to push configuration changes to 2,000 legacy switches across the district, and load balancers are also programmatically configured. The goal is a single program that will do all the necessary infrastructure configuration for a new application, including networking, load balancers, and spinning up VMs.
“Approaching infrastructure as code is changing our mindset. We are starting to speak in application development language instead of just IP addresses and ports. This enables us to work more effectively with our developers and improves team collaboration,” says Morgan.
Streamlining VMware operations
A new VMware cluster was also deployed during the data center move, combining Cisco ACI with hyperconverged infrastructure. Cisco ACI gives VMware servers automated access to data center infrastructure. ACI virtual machine manager (VMM) domain integration enables the networking team to configure all connectivity policies for the VMware cluster.
Fifty percent of the applications in the VMware cluster, including critical education applications such as Infinite Campus, have migrated to application-centric operations, eliminating the need to manually configure network devices.
“We’ve taken the burden of managing VMware networking off the system engineering team’s hands, making life easier for everyone,” says Bench. “Endpoint groups (EPGs) now have names that are meaningful to VMware admins. This makes it easy to drop a server into the correct port group and get the right networking and security policies automatically.”
Enhancing security and protecting PII
Douglas County School District relies on Cisco ASA firewalls, Cisco Firepower Next-Generation Intrusion Prevention System (NGIPS), and the isolation and segmentation that Cisco ACI provides to help ensure security and data privacy.
A legacy subnet architecture, with different applications sharing the same subnets, made it nearly impossible to segment applications from each other using traditional methods. Cisco ACI makes it easy to segment these application environments while keeping the impact minimal for application and system engineering teams. Contracts are used to segment applications that run only in production. Applications that have both development and production environments are protected with microsegmentation.
“Cisco ACI makes our students’ PII much more secure,” says Bench. “We can now isolate databases and protect critical applications, segmenting the data center with different security zones that tie into our firewall architecture.”
· Cisco® Application Centric Infrastructure (Cisco ACI™)
· Cisco Nexus® 9000 Series Switches
· Cisco Firepower® Next-Generation Intrusion Prevention System (NGIPS)