Final Solution (Part 1)
Hello everyone again!
The following two posts are going to be the last ones of our case study, where we will summarize all the aspects of what our final solution would be.
Specifically, in this first part, we will recapitulate the sections on Topology, Network requirements, Management, Security and Facilities.
We decided on a Leaf-Spine topology for the advantages it provides. It consists of two differentiated layers interconnected with each other: the Leaf layer, where the end devices are connected, and the Spine layer, composed of layer 3 switches with routing capacity. The advantages of this kind of topology are the following:
- Uniform latency: All devices are at the same distance.
- Redundancy and availability: Multiple paths for each destination.
- East-West traffic: Well suited to server-to-server traffic inside the data center.
- Scalability: Increase Spine layer for bandwidth, increase Leaf layer for more access ports.
The devices provided by Arista Networks that we would use for the spine layer are the Arista 7500 series, for their layer 2 and layer 3 capabilities and their support for protocols like ECMP, MLAG or VXLAN. For the leaf layer, we would use the Arista 7160 series for their high performance and low latency.
We would implement a Top of Rack architecture for the end devices, for its better efficiency in layer 2 communications inside the same rack.
We are going to focus on two specific protocols that will provide load balancing and redundancy to our Data Center:
- ECMP (Equal-Cost Multi-Path routing): It balances traffic by using the multiple routes to the same destination. It doesn't block ports, so we can eliminate STP.
- MLAG (Multi-Chassis Link Aggregation): It allows two different switches to be interconnected so that they are seen as a single logical device. That provides redundancy and resiliency.
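As an added example (not part of the original case study), here is a small Python model of the Leaf-Spine fabric described above: it shows that every leaf-to-leaf path is exactly two hops, that the number of equal-cost paths ECMP can spread flows over equals the number of spines, and that losing a spine only narrows that set rather than breaking connectivity. The switch names are constructed for the example.

```python
from itertools import combinations


def build_fabric(num_spines: int, num_leaves: int) -> dict[str, set[str]]:
    """Adjacency list for a Leaf-Spine fabric: every leaf links to every spine
    (full bipartite mesh); switch names are constructed for this example."""
    spines = [f"spine{i}" for i in range(1, num_spines + 1)]
    leaves = [f"leaf{i}" for i in range(1, num_leaves + 1)]
    adj: dict[str, set[str]] = {n: set() for n in spines + leaves}
    for leaf in leaves:
        for spine in spines:
            adj[leaf].add(spine)
            adj[spine].add(leaf)
    return adj


def equal_cost_paths(adj, src: str, dst: str) -> list[list[str]]:
    """All shortest paths from src to dst (breadth-first search). This is the
    set of routes an ECMP router may hash flows across."""
    best: list[list[str]] = []
    frontier = [[src]]
    while frontier and not best:
        nxt = []
        for path in frontier:
            for hop in adj[path[-1]]:
                if hop in path:          # never revisit a switch (no loops)
                    continue
                if hop == dst:
                    best.append(path + [hop])
                else:
                    nxt.append(path + [hop])
        frontier = nxt
    return best


def fabric_report(adj) -> dict:
    """Hop count and ECMP width (number of equal-cost paths) over every leaf pair.
    A healthy Leaf-Spine fabric yields one hop count (2) and one width (#spines)."""
    leaves = sorted(n for n in adj if n.startswith("leaf"))
    hops, widths = set(), set()
    for a, b in combinations(leaves, 2):
        paths = equal_cost_paths(adj, a, b)
        hops.add(len(paths[0]) - 1 if paths else None)
        widths.add(len(paths))
    return {"uniform_hops": hops, "ecmp_widths": widths}


def fail_node(adj, node: str) -> dict[str, set[str]]:
    """Copy of the fabric with one switch removed, e.g. a spine outage."""
    return {n: {m for m in nbrs if m != node} for n, nbrs in adj.items() if n != node}
```

Adding a spine to `build_fabric` raises the ECMP width for every leaf pair, while adding a leaf only adds access ports, which is the scalability property listed above.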
We will provide network segmentation in order to improve management and security. We will have different networks for Management, Applications and services, Storage and Pre-production.
Arista Networks provides a solution called Arista EOS; it is a Linux-based OS compatible with all Arista devices and with multiple partners like Palo Alto, VMware, etc.
It provides a set of software tools for:
- Network management, at layer 2 and layer 3.
- Dynamic replacement and integration of new devices.
- Telemetry and network monitoring.
It supports a large volume of data and allows you to license only the tools you need rather than a bundle.
This is one of the most important points of our case study because of the sensitive data that a bank manages. First of all, we will implement a firewalling policy with core firewalls to filter incoming traffic and internal firewalls to separate zones and prevent the propagation of malicious traffic.
The device provided by Palo Alto Networks that we have chosen is the PA-7080, a high-performance next-generation firewall.
It supports the following software functionalities:
- NGIPS: For detection and blocking of intrusions.
- DLS: Prevent and control sensitive data breaches.
- Security profiles for malware, spyware and antivirus.
We will also perform periodic vulnerability scans and will define a security access policy for both physical and remote access.
In terms of facilities, our Data Center will be placed underground for better temperature conditions and extra physical security.
We will hire a backup electrical supply company in order to ensure full power availability. We will also provide dual power feeds for all devices. All cables will be routed in the ceiling and will be properly labeled.
In terms of fire prevention, we will implement a gas-based fire suppression system for its non-conductive properties, in order to protect the integrity of the equipment. There will be smoke detectors throughout the room to detect visible and invisible smoke particles.
Finally, we will talk about access control. Only authorized personnel will have an access card, and fingerprint authentication will be required to enter the data center. We will implement a full network of security cameras both inside and outside the center.
That's all from us; we hope it has been useful for you.
See you soon!