Before anyone in the town of Chelmsford, Mass., ever thought about dynamic policy and network segmentation, a springtime ritual would befall the town each year and choke its tangled hybrid network of broadband copper and fiber-optic cable, which supported 21 buildings divided into five data centers.
While town hall employees on their lunch breaks would frantically refresh websites offering real-time updates about their March Madness brackets, a high school teacher somewhere couldn't download a document or graphic for her lesson plan.
"It was like on a party line if everybody started talking at once," said Bruce Forster, the school district's executive director of educational technology and information services. "It became very, very hard to do business."
Two years ago, Forster's staff ripped out the town's "spaghetti clump" legacy hybrid network and trenched in 21 miles of fiber-optic cable, he said. Six pairs of fiber went into each of the 21 town and school buildings, with all lines leading into one data center in the central school building.
Last year, the town hired Andover, Mass.-based Enterasys Networks for the deployment. Forster chose Enterasys in part because the dynamic policy capabilities written into its switches could ensure that users logging into the network would have the same level of access everywhere, regardless of where they were located on the network.
"We had the fire department on the same fiber network as the high school. The library was on the same network as the kindergarten classes," said Brian Doe, senior solutions engineer at Enterasys. "They really needed a network to allow them to manage the network, but one that also identified the needs of each user."
Dynamic policy protects students but offers open access to adults
Axing Chelmsford's hybrid network and embracing dynamic policy has also ensured a higher level of security for one core group -- students -- while not compromising the needs and access of others, Forster said.
In order to receive federal subsidies to defray Internet subscriber costs, public schools must meet various requirements, including adherence to the Children's Internet Protection Act (CIPA), according to the Federal Communications Commission (FCC). The law mandates that schools and libraries have content filtering in place for minors.
"So now what we have is a First Amendment rights issue. People at the public library really and honestly believe that we shouldn't filter content that's coming through our Internet service," Forster said. "But with the Enterasys network, I can set up a node [in the library] so that when [students] connect to that node, it's like they're connecting [with the same policy as they are] at school."
The Enterasys network will eventually allow Forster to extend those capabilities to protect not just students using a wireless LAN in the library but also the network itself from anything on the students' laptops. Two security software products -- Enterasys NAC and Enterasys SIEM -- will enable Forster to detect and counter any threats to the network.
"We knew from the get-go this is not something you just open up out of the box and it works like that," he said. "This is something we have to highly customize, and it might seem difficult at first … but on the other hand, we need to be able to make this work the way we want it to. The more control we have over threats, the safer everybody is."
Network segmentation allows for smoother performance
Network segmentation and bandwidth aggregation have gone a long way in improving network performance in Chelmsford's schools and municipal buildings, Forster said.
"It became a much easier task to be able to share data across the network because we could then separate the data," he said. "We could have the school data on one side and the town data on the other side, so they wouldn't interfere."
Aggregating bandwidth from 11 cable modems in the school -- 10 of which are 16 Mbps up and 2 Mbps down, the eleventh being 50 Mbps up and 20 Mbps down -- has accelerated the network to a combined speed of 160 Mbps up and 18 Mbps down.
"That's an enormous thing because what that allows us to do is bring streaming video into the classroom," Forster said. "Our textbook budget has almost dried up. An advanced placement physics book in high school is almost $150 a book. However, if we can get our content online through a service, not only is the content up to date, but the kids can get it from home."
The core network uses Enterasys N-Series switches with distributed forwarding edge (DFE) blades, while G3 and B3 switches are used on the edge, Doe said. Small buildings with a handful of employees use D2 switches, which provide just 12 ports.
Meanwhile, the ability to customize security and bandwidth policies on that equipment down to individual user groups -- without any additional hardware, software or service contracts -- was what made Enterasys stand out among "the big three" vendors Forster considered, though he declined to name the other two.
"What was also very important to us was the lifetime warranty on the switches we had … and no service contract I have to pay," Forster said. "It's really important in education because my budget fluctuates so much. I really can't get myself in a position that I'm so tied up in service contracts that I can't [buy] anything."
Let us know what you think about the story; email: Jessica Scarpati, News Writer