Case Study: City of Modesto Cisco DNA Deployment
"I give Telcion an A+ in the delivery and implementation of this project. It was well done, and the City received the value that was promised." - Kevin Harless, IT Director, City of Modesto
About the Client
Name
Location
Modesto, CA
Industry
Government
Number of Employees
1000+
Main Outcomes
Increased bandwidth
More security
Better network visibility
Solution
Firepower Threat Defense Firewalls
The Problem
City of Modesto’s aging network infrastructure was more than 10 years old in some areas and it was time to invest in a new network architecture that would last for another decade.
Outdated Security Architecture
Their security architecture had worked well but was reaching end-of-life. It needed to be re-architected to support modern firewall technologies and faster throughput for bigger internet pipes that would be needed in the near future.
Limited Bandwidth
There was limited 10gig capability within the core, and only 1gig connections to off-campus locations. They needed a scalable backbone with 10gig to the edge, 10gig connectivity to servers, and 40gig/100gig in the core to handle the increased traffic capacity. High resiliency was still an absolute requirement.
Lack of Network Visibility
Another issue that needed to be resolved was the lack of good network visibility. It was imperative that the solution include a solid network management platform that would provide network visibility and easy administration.
The Challenge
There were many challenges that needed to be overcome for a successful outcome.
Lack of Advanced Features on Very New Hardware
In order to provide the longest possible life, the new architecture would be early in its lifecycle, meaning that many of the advanced features might not be available when it was time for production. We needed to navigate through this carefully to make sure the new system stayed current on software to maximize new features, and that a lack of features wouldn’t hinder a successful outcome.
Multi-Phase Rollout
With approximately 40 sites across the City, the upgrade couldn’t be completed in a single cutover. Instead, it would need to be rolled out in phases and co-exist with the existing production network. Support for both the existing network and the new network would need to be provided during this transition. This would be a multi-phased rollout of technologies, starting with the edge, then the core, wireless, security, and finally network management.
Outdated Fiber Cable
Some of the fiber in use wouldn’t support 10gig due to media limitations over distance, and needed to be replaced and upgraded. Every IDF closet needed to be retrofitted with new thin patch cables, wire management, and in some cases completely overhauled and cleaned up, adding significant time to the project and requiring longer outages.
Small Maintenance Window
Remote locations generally had more flexible maintenance windows, but on the main campus downtime would need to be minimal. The infrastructure would have to be well tested and integrated with the existing network first, and then all services transitioned from the old core to the new core, with the final removal of the old core from production.
Budget
Finally, due to the project approval process, the project budget limit was $1.5mil. We needed to design a solution that would fit within these financial constraints and still meet all of the needs and requirements.
The Solution
The City was clear that they wanted to pick an architecture that would last for another decade and wanted to make sure that any investment they made would have this in mind.
Cisco DNA
As they began the evaluation process of available Cisco technology, it became clear that the long-term investment needed to be based on the Cisco Digital Network Architecture (DNA). This was where Cisco’s strategic R&D dollars were being invested, and all products were being migrated to support this platform. If the City chose this platform, there was a high probability of long-term support within this product suite.
New Switches, Access Points, Server, Storage, and Cisco ISE
In order to support Cisco DNA, all network switching products had to specifically support this architecture to be managed under the DNA umbrella. This meant that all access switches would be based on the Cisco Catalyst 9300 platform. The data center core would be based on the Cisco 9500 switches with a 100gig backbone and 40gig uplinks within the data center. The wireless infrastructure, including about 75 access points, was upgraded with new APs and controllers. A Cisco UCS server infrastructure with a Nimble storage system was deployed to host the numerous virtual machines required for this deployment, including the network management platform, Cisco Identity Services Engine, and the Cisco DNA appliances.
Upgraded Fiber
Fiber was upgraded where necessary in order to provide 10gig capability between the edge and the core. Every IDF was cleaned up as new equipment was rolled out, with a final clean up occurring within the data center after all the old equipment was decommissioned.
Firepower Threat Defense
The security platform, based on older Cisco ASA technology, was upgraded to the Firepower Threat Defense platform, with dual firewalls in the City data center and an additional firewall at the Police Department in order to provide an additional layer of security. All internet traffic for the police department would flow first through the City firewall, and then through the police department’s firewall, creating additional obstacles for the implementation. The result was a workable solution, albeit a more complex one.
LiveAction Network Management
The network management was deployed using LiveAction with vendor training provided to the staff to bring them up to speed.
Results
The entire solution was deployed in multiple phases over a 15-month span. Telcion provided ongoing support after the cutover and for the first full year after project sign-off. As a result of this upgrade, the City now enjoys significant increases in bandwidth within its core (100gig) data center and directly connected switch stacks (10gig), the latest security hardware and software that will enable better protection now and in the future, and new network monitoring tools that provide much improved visibility into the network.