As the Lead Network Architect, I was responsible for the design and delivery of the backbone network architecture supporting the Bank of Canada’s three primary datacenters: DC1, DC2, and DC3. This initiative formed a key component of our ongoing legacy infrastructure modernization program, with a strong focus on achieving enhanced scalability, improved security, and robust operational resilience.
The main objective of this project was to develop a high-performance, policy-driven network fabric capable of supporting seamless workload mobility, centralized governance, and multi-site availability across all critical datacenter environments.
To address these requirements, I architected a Cisco APIC/ACI multi-pod fabric spanning DC1, DC2, and DC3. This solution enabled the following capabilities:
· Unified policy enforcement across all datacenters, ensuring consistent security and operational standards.
· A scalable fabric design utilizing VXLAN overlays and an EVPN control plane to support current and future growth.
· High availability and effective fault isolation between pods, minimizing the impact of potential failures.
· Integrated security zones and segmentation, achieved through the use of contracts and endpoint groups.
· Optimized routing and redundancy by integrating BGP and OSPF protocols.
Key technologies:
· Cisco ACI with APIC Controllers
· VXLAN/EVPN Fabric
· BGP and OSPF Routing
· Next-Generation Firewall (NGFW) Integration
· High Availability Design Patterns
· Architecture Governance, including High-Level Design (HLD), Low-Level Design (LLD), standards, and segmentation models
Outcomes:
· Enabled centralized control and distributed enforcement across all datacenters, streamlining network management.
· Reduced operational complexity and increased network agility, supporting rapid adaptation to changing requirements.
· Strengthened the organization's security posture through micro-segmentation and the adoption of Zero Trust principles.
· Delivered a future-ready backbone infrastructure, positioned to support hybrid cloud integration and ongoing modernization initiatives.
I led the end-to-end architecture process, encompassing requirements gathering, the creation of high-level and low-level designs, vendor engagement, lab validation, and implementation oversight. Throughout the project, I collaborated closely with cross-functional teams, security architects, and cloud engineers to ensure full alignment with the broader enterprise strategy and objectives.
The Bank of Canada’s datacentre environment required a scalable and secure firewall fabric to accommodate increasing traffic demands and advanced segmentation needs. The previous setup lacked flexibility for both east–west and north–south traffic patterns, which limited agility and the ability to enforce robust security.
As Lead Architect, I was tasked with designing and deploying a next-generation firewall fabric that would deliver cloud-like scalability, support micro-segmentation, and integrate seamlessly with Cisco APIC for multi-tenant environments.
I implemented Check Point Maestro technology to build a firewall fabric with elastic scalability and high availability. A “firewall on a stick” architecture was designed, deploying multiple virtual firewalls aligned with east–west and north–south traffic flows. The firewall fabric was integrated with Cisco APIC contracts, utilizing its multi-tenant capabilities to enforce granular security policies across various environments. Governance models were established to ensure compliance and consistency throughout datacentre operations.
This solution delivered maximum security and cloud-like scalability, enabling the datacentre to scale elastically with demand. Traffic isolation and segmentation were improved, reducing the risk of lateral movement. The compliance posture was enhanced by aligning with enterprise security standards, positioning the datacentre for future growth and enabling flexible segmentation and seamless integration with modernization initiatives.
I led the architecture and deployment process from design and validation to implementation oversight, ensuring the firewall fabric was aligned with enterprise strategy, security requirements, and operational resilience objectives.
Remote sites were backhauling all internet traffic through the datacentre, resulting in increased latency, inefficiencies, and single points of failure. This architecture could not support modern cloud applications, SaaS adoption, or the growing demand for remote connectivity. The organization required a more resilient, scalable, and distributed internet architecture to improve performance and reduce dependency on centralized infrastructure.
I was responsible for designing and implementing a secure local internet breakout solution that would improve application performance, reduce latency, enhance VPN reliability and throughput, maintain compliance with enterprise security and routing standards, and provide a scalable foundation for future SD-WAN adoption. Additionally, I worked to align stakeholders through the creation of clear and comprehensive Solution Architecture Documents (SADs).
To address the requirements, I evaluated multiple architectural approaches, including SD-WAN, and recommended an initial deployment using DMVPN tunnels with local BGP routing for cost efficiency and operational simplicity. I designed and implemented dual internet connections at each remote site to ensure redundancy and high availability, and integrated MPLS connectivity for datacentre-bound applications to maintain predictable performance for critical workloads. Detailed Solution Architecture Documents were authored, outlining design principles, routing models, security controls, and operational workflows. Collaboration with internal teams was key to supporting deployment, providing knowledge transfer, and ensuring alignment with enterprise governance.
The solution enabled local internet breakout at remote sites, significantly reducing latency and improving performance for cloud and SaaS applications. Resilient connectivity was achieved through dual internet circuits and MPLS integration. VPN performance improved and dependency on centralized datacentre infrastructure was reduced. The established DMVPN/BGP design provides a clear path for future SD-WAN migration, enhancing overall network efficiency and strengthening reliability for critical datacentre applications.
I led the architecture, design, documentation, and implementation oversight for the new enterprise internet services model, ensuring the solution met security, performance, and governance requirements while positioning the organization for future modernization.
The enterprise needed to extend its on-premises network into the cloud to support hybrid workloads and evolving application demands. A secure, scalable, and high-performance virtual routing solution was required to ensure seamless connectivity between datacentre environments and Azure-hosted services. Cisco Cloud Services Router (CSR) was selected as the strategic platform for this integration.
My responsibility was to work with the network engineering team and subject matter experts to design and deploy Cisco CSR in Azure, analyzing bandwidth requirements, validating routing models, and ensuring alignment with enterprise performance and security standards.
I led the end-to-end deployment of Cisco CSR within Azure, ensuring proper integration with virtual networks, subnets, and routing constructs. Collaboration with solution integration teams enabled validation of connectivity patterns, routing policies, and security controls. Detailed bandwidth usage and throughput analysis was conducted to optimize CSR performance and ensure support for enterprise-grade workloads. High availability, failover behaviour, and routing convergence were validated to ensure reliable hybrid connectivity. Architecture decisions and operational considerations were documented to support long-term governance and scalability.
The deployment delivered reliable and high-performance CSR in Azure, enabling secure hybrid connectivity for critical workloads. Efficient bandwidth utilization reduced latency and improved application performance across cloud and on-premises environments. The solution provided a scalable foundation for future cloud expansion and hybrid architecture initiatives, strengthening the organization’s ability to support enterprise-grade workloads with consistent routing, security, and operational visibility.
I served as the lead architect and technical coordinator, guiding the deployment, validating performance, and ensuring alignment with enterprise cloud and network strategy.
The datacenter relied on a legacy Bell-managed Fortinet firewall and edge routing design, which created performance bottlenecks and limited scalability. As traffic demands increased and critical applications expanded, the existing architecture could no longer provide the resiliency, security, or throughput required for modern enterprise operations. A redesigned internet edge was essential to support growth and ensure reliable access to cloud, SaaS, and external services.
Key objectives:
· Replacing legacy firewalls with a next-generation security platform
· Improving routing efficiency and traffic engineering
· Implementing multi-ISP connectivity for high availability
· Ensuring the new design aligned with enterprise security and performance standards
Approach:
· Deployed Cisco Firepower FTD firewalls, significantly strengthening the security posture with advanced threat prevention and modern policy frameworks.
· Implemented Cisco NCS enterprise-grade routers to provide high-performance edge routing and carrier-class reliability.
· Designed and configured dual ISP connectivity to eliminate single points of failure and support intelligent traffic distribution.
· Implemented BGP routing for internet peering, optimizing inbound and outbound traffic flows.
· Fine-tuned routing policies to improve load balancing, enhance failover responsiveness, and ensure predictable performance during link degradation or outages.
· Validated the architecture through testing and collaborated with operations teams to ensure smooth transition and long-term maintainability.
Outcomes:
· Delivered a high-performance, resilient internet edge capable of supporting modern application demands.
· Dual ISP connectivity significantly reduced downtime risk and improved service continuity.
· Optimized BGP routing enhanced traffic efficiency, reduced latency, and improved overall user experience.
· Strengthened the organization’s security posture with next-generation firewall capabilities.
· Positioned the datacenter for future growth, providing a scalable, enterprise-grade foundation for cloud adoption and evolving business needs.
I led the architecture, design, and implementation oversight for the new internet edge, ensuring the solution met enterprise requirements for security, resiliency, and performance while enabling long-term scalability.