Some projects and personal Milestones

NGINX Load Balancer running on top of LXD Containers

Benefits: The project's success ensured a much quicker deployment of new VIPs and contexts on the load balancer, with the added benefit of a future-proof solution by means of NGINX's powerful RESTful API. This improved developer satisfaction and lowered the costs incurred in maintaining the old setup.

The project's scope consisted of finding a suitable replacement for our aging LB setup, based on Cisco ASA. The deployment involved NGINX Plus running on top of LXD containers. The containerization segmented the load balancer's exposure between the internal and external networks. The deployment is entirely done via Ansible and is now successfully running in production. The NGINX part was handled by a colleague, while I supervised the LXD part.

Migration of production firewalls/routers to new hardware with no downtime

Benefits: Replacement of the old core router/firewalls, ensuring more up-to-date hardware. At the same time we decommissioned the old configuration deployment procedure by introducing an Ansible-based configuration playbook.

The operation required the replacement of the old devices while still guaranteeing production traffic. The project required pre-planning and pre-configuration of the hardware in the remote office, shipment of the devices and on-premises setup. The deployment was a success.

Centralized Infrastructure Monitoring with Zabbix 2.x

Benefits: The project's success ensured more scalable monitoring, providing at the same time a centralized point of configuration and observation. The aggregation of the previously isolated monitoring systems in a single dashboard/web GUI, in addition to the introduction of a dedicated Postgres cluster, ensured faster response times and an overall more pleasant experience with the Zabbix GUI.

The setup is based on Zabbix 2.x in a "master/proxy" architecture: the collection of monitoring data from each host is done by our Zabbix proxies, strategically spread across each of our sites. The data is then aggregated and sent to the central server for processing, thus lowering bandwidth consumption. The single frontend provides an effective means for our NOC team to assess the health of the entire infrastructure efficiently and to react to incidents in a timely manner. At the same time, the data gathered by the system provides metrics useful for capacity planning and business analytics. The central server is redundant by means of HA via Corosync/Pacemaker and of a Postgres 9.x DB active/passive cluster. The project has been developed with the fundamental help provided by Reiner Peterke, who took care of the design of the database side. Great help has also been provided by the other members of the Operations and NOC teams, who handled the migration from our old setup and designed custom monitoring checks and templates for our specific needs.

Cisco ASA Remote SSL VPN

Benefits: The setup provided the company users with a robust and multiplatform SSL VPN, allowing remote work to be done seamlessly.

The design and implementation involved multiple Cisco ASA gateways and is integrated with LDAP, leveraging different policies to assign specific access rights to each user depending on the group she/he belongs to.

Office switching setup in multiple branch offices

Benefits: Migration to a leaner, more manageable switching setup on Cisco Catalyst switches.

The project was part of the initial stages of the infrastructure separation from our parent company. I took care of the design, cabling, configuration and maintenance of the office switching equipment, with a set of Cisco Catalyst 2960 access switches and Cisco Catalyst 3560 distribution switches in a collapsed-core topology. The objective was to migrate from old HP ProCurve switches while still retaining the same VLAN setup. This was done outside office hours so as not to impact the office workers. The setup has since been expanded with additional VLANs and strict network security features (BPDU Guard, TACACS+, DHCP snooping), and then replicated across multiple branch offices.

AAA Infrastructure setup with TACACS+

Benefits: Authentication, authorization and accounting for switches, routers, VPN concentrators and load balancers integrated with LDAP, providing a more scalable, secure and modern setup compared to single-password-based access.

Setup of a TACACS+-authenticated infrastructure with the tacplus daemon running on Ubuntu servers, integrated with LDAP via a PAM backend. The tacplus daemon serves as the authentication server for multiple types of NAS (Cisco Catalyst, Cisco ACE, Cisco ASR), allowing specific IOS commands depending on the user class (admin, NOC operator, etc.). The daemon is deployed via Puppet. The automation takes care of setting up the necessary configuration files and of configuring rsyslog to forward the accounting log to a central rsyslog server.
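As an added illustration, not the configuration from this deployment, the following constructed policy file shows how per-class command authorization with PAM-backed login can be expressed. It assumes Shrubbery tac_plus configuration syntax; the group names, usernames, key and file path are placeholders.

```conf
# Constructed example (Shrubbery tac_plus syntax assumed); names and key are placeholders.
key = "REPLACE-WITH-SHARED-SECRET"

# Accounting records are written locally; rsyslog can pick this file up and forward it.
accounting file = /var/log/tac_plus.acct

# Admin class: authenticated through PAM (hence LDAP), every service and command permitted.
group = admins {
    login = PAM
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# NOC operator class: PAM login, exec shell granted, but only the commands listed
# below are authorized. With "default service = deny" every command not matched
# by a cmd block (configure, reload, write ...) is rejected by the server.
group = noc {
    login = PAM
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = traceroute {
        permit .*
    }
}

# Users carry no credentials here; class membership is all that is declared.
user = alice {
    member = admins
}
user = bob {
    member = noc
}
```

These rules only take effect if each NAS is configured to send per-command authorization requests to the TACACS+ server; otherwise the exec privilege level alone governs what the user can run.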