Page 1 of 285 Confidential & Proprietary

RFP for procurement of Network
Infrastructure for Hyderabad Data Centre
REQUEST FOR PROPOSAL
FOR PROCUREMENT, INSTALLATION, COMMISSIONING, MAINTENANCE
AND FIVE YEARS WARRANTY SUPPORT
OF NETWORK INFRASTRUCTURE FOR HYDERABAD DATA CENTRE
Ref: SBI/GITC/TECHOPS/2016-17/320
dated: 06.12.2016
DEPUTY GENERAL MANAGER
Technical Operations Department
STATE BANK GLOBAL IT CENTRE,
2nd FLOOR, C WING ,
SECTOR 11, CBD BELAPUR
NAVI MUMBAI- 400 614
PART 1: INVITATION TO BID
State Bank of India (hereinafter referred to as SBI / the Bank) has its Corporate Centre at Mumbai and
other offices (LHOs, RBOs, AOs etc.) in various cities across the country.
In order to meet the hardware requirements for its Data Centres / Disaster Recovery Centres, the Bank
proposes to invite tenders from selected OEMs / SIs nominated by the OEM (hereinafter referred to as
“Bidder”) to undertake supply of equipments/components as per details listed out in this document.
The Bidding Document is being issued to the OEMs/Nominated Partners of OEMs and the bid should be
submitted to the office of:
Deputy General Manager,
Technical Operations Department
STATE BANK GLOBAL IT CENTRE,
2nd FLOOR, C WING ,
SECTOR 11, CBD BELAPUR
NAVI MUMBAI- 400 614
• Please note that all the information desired needs to be provided. Incomplete information may lead
to non-consideration of the proposal.
• All Bids must be accompanied by Earnest Money Deposit as specified in the Bid document.
• Bank reserves the right to change the dates mentioned in this RFP document, which will be
communicated to the bidders.
• The information provided by the bidders in response to this RFP document will become the property
of SBI and will not be returned. SBI reserves the right to amend, rescind or reissue this RFP and all
amendments will be advised to the bidders and such amendments will be binding on them.
SCHEDULE OF EVENTS
Bid Document Availability: 05.12.2016
Last date for requesting clarification (optional): All communications regarding points / queries requiring clarifications shall be given in writing to (name & designation of SBI Official) or by email at (email address) dgm2.core@sbi.co.in, sucharita.mallik@sbi.co.in, and copy to vikas.sehgal@sbi.co.in; devesh.gupta@sbi.co.in
Pre-bid Meeting at (venue) (optional): From 11.00 hrs to 12.00 hrs on 16.12.2016 at GITC, Belapur
Clarifications to queries raised at pre-bid meeting to be provided: 22.12.2016 by 20.00 hrs
Last date of submission of bids: 15.00 hrs on 10.01.2017
Opening of Technical Bids: 15.30 on 10.01.2017. Authorized representatives of Bidders may be present during opening of the Technical Bids. However, Technical Bids would be opened even in the absence of any or all of the Bidders' representatives.
Reverse Auction: On a subsequent date which will be communicated to such bidders who qualify in the Technical Bid
Contact Details, Address for Communication and submission of bid: Deputy General Manager / Asst. General Manager, Technical Operations Department, State Bank Global IT Centre, 2nd Floor, C Wing, Sector 11, CBD Belapur, Navi Mumbai-400614
Telephone: +91 9920205601/9987852540
All correspondence relating to this RFP should be sent to following email ids: dgm2.core@sbi.co.in; sucharita.mallik@sbi.co.in; & CC to devesh.gupta@sbi.co.in; rathin.sengupta@sbi.co.in & vikas.sehgal@sbi.co.in
PART – 2 DISCLAIMER
The information contained in this Request for Proposal (RFP) document or information provided
subsequently to Bidder(s) or applicants whether verbally or in documentary form by or on behalf of State
Bank of India (Bank), is provided to the Bidder(s) on the terms and conditions set out in this RFP document
and all other terms and conditions subject to which such information is provided.
This RFP is neither an agreement nor an offer and is only an invitation by Bank to the interested parties for
submission of bids. The purpose of this RFP is to provide the Bidder(s) with information to assist the
formulation of their proposals. This RFP does not claim to contain all the information each Bidder may
require. Each Bidder should conduct its own investigations and analysis and should check the accuracy,
reliability and completeness of the information in this RFP and where necessary obtain independent advice.
Bank makes no representation or warranty and shall incur no liability under any law, statute, rules or
regulations as to the accuracy, reliability or completeness of this RFP. Bank may in its absolute discretion, but
without being under any obligation to do so, update, amend or supplement the information in this RFP. No
contractual obligation whatsoever shall arise from the RFP process until a formal contract is signed and
executed by duly authorized officers of the Bank with the selected Bidder.
PART-3: INSTRUCTIONS FOR Bidders (IFB)
TABLE OF CLAUSES
Clause No. / Topic
A. Introduction
3.1 Broad Scope of Work
3.2 Eligibility Criteria
3.3 Cost of Bidding
B. Bidding Documents
3.4 Documents constituting the Bid
3.5 Clarification of Bidding Documents
C. Preparation of Bids
3.6 Language of Bid
3.7 Documents comprising the Bid
3.8 Bid Form
3.9 Bid Prices
3.10 Delayed Schedule & Penalty for Delayed Deliveries
3.11 Documentary evidence establishing Bidder’s Eligibility and Qualifications
3.12 Documentary evidence establishing eligibility of products & conformity to Bid documents
3.13 Earnest Money Deposit
3.14 Period of Validity of Bids
3.15 Format & Signing of Bid
D. Submission of Bids
3.16 Sealing and Marking of Bids
3.17 Deadline for Submission of Bids
3.18 Late Bids
3.19 Modification & Withdrawal of Bids
E. Bid Opening and Evaluation
3.20 Opening of Technical Bids by the Bank
3.21 Preliminary Evaluation
3.22 Technical Evaluation of Bids
3.23 Evaluation of Price Bids & Finalisation
3.24 Contacting the Bank
3.25 Award Criteria
3.26 Bank’s Right to Accept Any Bid and to Reject Any or All Bids
3.27 Notification of Award
3.28 Performance Guarantee
3.29 Signing of Contract
3.30 Miscellaneous
A. INTRODUCTION
3.1 Broad Scope of Work:
3.1.1 Brand new equipments/components along with 3 years warranty support as detailed in Annexure-5.1.1
should be supplied, delivered, installed, commissioned within overall 10 weeks (8 weeks for delivery and 2
weeks for installation and commissioning) from the date of purchase order at the locations tentatively detailed
on Annexure-5.8 during normal office hours and as per the time schedules mentioned in the respective
Purchase Orders. All the equipments/components must be dual stack (IPv4 plus IPv6) compliant and should
be able to support both IPv4 plus IPv6 without any upgrades.
3.1.2 This requirement is for the upcoming data centre in Hyderabad. This DC has got four server rooms with
total capacity of around 1000 racks. Bidder needs to provision switching, routing, VPN, Load Balancer, cabling
with services in the DC. We intend to use the prevalent spine leaf architecture with IP Clos wherein minimum
two spine switches (with required number of leaves) will form the switching network in a single server room
and the spine switches will be again connected to the minimum two super spine switches. For deployment of
leaves, we shall form a cluster of four server racks (number is flexible as per requirement) and will deploy
leaves in middle racks. In outer two racks, network will be expanded through LIU cassettes and modular patch
panel.
3.1.3 Bank intends to procure the material in phases as per the requirement. However bidder has to provide all
necessary hardware and software required to make the solution work strictly as per technical specifications for
around 1000 racks. The specifications given are minimum. Bidders can quote equivalent or higher technical
specifications to meet the Bank’s requirements. However, no weightage would be given for higher
configurations.
3.1.4 Order will be placed in phases and the price offered to be valid for the total 1000 racks till the completion
of the project from the date of Reverse Auction.
3.1.4 The Purchase Order may be placed in part or full by State Bank of India or any of its
Associates/Subsidiaries. The quantity or number of equipment to be purchased is only indicative. No
guarantee or assurance is being provided hereby as to the exact quantity of equipment to be purchased or the
minimum order quantity. The Bank, however, reserves the right to procure extra quantity during the validity
period of the offer. The different parts of same equipment should be delivered in one lot only and part delivery
of the equipment covered in the Purchase Order is not permitted unless otherwise agreed to by the Bank. The
movements of their shipment should be advised to the NI and the Bank, well in advance.
3.1.5 Vendor has to arrange to transfer the five year OEM’s Warranty support/support to Bank’s Network
Integrator (NI) and in case of a change in Network Integrator during the contract period, the vendor should
arrange for transfer of support to the new Network Integrator identified by the Bank. Such transfer shall be
done by mutual agreement between the Vendor and Bank’s NI within 60 days from the date of shipment of the
above products. Warranty support transfer is required for the convenience of the Bank so that in the event of
malfunctioning of any equipment during the period of warranty, the NI of the Bank will lodge a claim with
OEM to seek support. OEM’s internal systems should accommodate such a transfer from the Vendor to NI.
Successful Bidder will be informed by NI about details of complaints lodged with the OEM. Successful Bidder
to abide by the SLA terms and conditions.
3.1.6 As the new Data Centre is undergoing the construction phase, the vendor will be working along with the
fit-out construction vendor simultaneously in the same site. The bidder needs to plan his project execution in
co-ordination with the other vendor.
3.1.7 SITE VISIT : Bidder is advised to visit and examine the site, its surroundings and familiarise himself with
the existing facilities and environment, and collect all other information which he may require for preparing
and submitting the bid and entering into the Contract. Claims and objections due to ignorance of existing
conditions or inadequacy of information will not be considered after submission of the Bid and during
implementation. Contact person for Site visit is Mr. Paparao (M – 9705363299) & Mr. Setti Guravaiah (M –
9987902757).
3.2 Eligibility Criteria
3.2.1 Bidders meeting the criteria (Annexure 5.9) are eligible to submit their Bids along with supporting
documents. If the Bid is not accompanied by all the required documents supporting eligibility criteria, the
same would be rejected. Bid is open to all Bidders who fulfill the eligibility criteria. The bidder has to submit
the details of eligibility criteria as per Annexure 5.9.
3.3 Cost of Bidding:
3.3.1 The Bidder shall bear all costs associated with the preparation and submission of its Bid, and the Bank
will in no case be responsible or liable for these costs, regardless of the conduct or outcome of the Bidding
process.
B. THE BIDDING DOCUMENTS
3.4 Documents constituting the Bid
3.4.1 The Bidding Documents include:
(a) PART 1 - Invitation to Bid (ITB)
(b) PART 2 - Disclaimer
(c) PART 3 - Instruction for Bidders (IFB)
(d) PART 4 - Terms and Conditions of Contract (TCC)
(e) PART 5 - Bid Forms, Price Schedules and other forms (BF)
3.4.2 The Bidder is expected to examine all instructions, forms, terms and specifications in the Bidding
Document. Failure to furnish all information required by the Bidding Document or to submit a Bid not
substantially responsive to the Bidding Document in every respect will be at the Bidder’s risk and may result
in the rejection of the Bid.
3.5 Clarification / Amendment of Bidding Document
3.5.1 Bidder requiring any clarification of the Bidding Document may notify the Bank in writing at the address
or by e-mail indicated in Schedule of Events as indicated therein. Bidders are supposed to send the
clarifications in the prescribed format Annexure 5.1.4. No clarifications/queries will be accepted or considered
other than the prescribed format.
3.5.2 A pre-bid meeting is scheduled as per schedule of events.
3.5.3 Text of queries raised (without identifying source of query) and response of the Bank together with
amendment to the bidding document, if any, will be sent to all the OEMs/Partners of OEMs (Bidder) through
mail. It is the responsibility of the bidder to check with the concerned in the department before final
submission of bids. Relaxation in any of the terms contained in the Bid, in general, will not be permitted, but if
granted, the same will be sent to Bidders through e-mail.
3.5.5 All bidders must ensure that such clarifications / amendments have been considered by them before
submitting the bid. Bank will not take responsibility for any omissions by bidder.
3.5.6 At any time prior to the deadline for submission of Bids, the Bank, for any reason, whether, at its own
initiative or in response to a clarification requested by a prospective Bidder, may modify the Bidding Document,
by amendment.
3.5.7 In order to enable Bidders reasonable time in which to take amendments into account in preparing the
bids, the Bank, at its discretion, may extend the deadline for submission of bids.
C. PREPARATION OF BIDS
3.6 Language of Bid
3.6.1 The Bid prepared by the Bidder, as well as all correspondence and documents relating to the Bid
exchanged by the Bidder and the Bank and supporting documents and printed literature shall be submitted in
English.
3.7 Documents Comprising the Bid
3.7.1 Documents comprising the Technical Proposal Envelope, should contain following:
(a) Bid Form as per Annexure-5.2.1
(b) BOM & Compliances - Annexure-5.1.2
(c) Undertaking of Authenticity - Annexure-5.1.3
(d) SLA T&C – Annexure-5.3
(e) EMD Bank Guarantee – Annexure-5.4.1
(f) MAF – Annexure-5.5
(g) Masked Price Bid listing all the components as per Price Breakup Schedule
(Annexure-5.2.3) without indicating any prices.
(h) Compliance Certificate for Eligibility Criteria - Annexure-5.9 along with all related
documents as per RFP required to establish the eligibility.
(i) Bidder’s organization profile - Annexure 5.10.
(j) Technical specifications Compliance - Annexure 5.1.1
3.7.2 While submitting the Technical Bid, literature on the software / hardware if any, should be segregated
and kept together in one section / lot. The other papers like EMD, Forms as mentioned above etc. should
form the main section and should be submitted in one lot, separate from the section containing literature.
All pages of this RFP document must be stamped and initialed by the authorized signatory of the bidder
confirming acceptance to all terms and conditions of this RFP and should be submitted as part of the
technical bid.
3.7.3 Any Technical Proposal not containing the above will be rejected.
3.7.4 The Technical Proposal should NOT contain any price information. Such proposal, if
received, will be rejected.
3.7.5 The Indicative Price Proposal Envelope, should contain a single sheet as per Annexure-5.2.2 on
the Bidder’s letter head wherein the “All Inclusive Indicative Price” except VAT / sales tax / service
tax / LBT / Octroi, which will be reimbursed upon production of original receipts, at actual, under the
signature and seal of the Bidder. The Indicative Price must include all the price components mentioned in
Annexure-5.2.2.
3.8 Bid Form
3.8.1 The Bidder shall complete both the Envelopes of the Bid Form furnished in the Bidding Document
separately and submit them simultaneously to the Bank. Bids are liable to be rejected if only one (i.e.
Technical Bid or Indicative Price Bid) is received.
3.9 Bid Prices
3.9.1 Prices are to be quoted in Indian Rupees only.
3.9.2 Prices quoted should be inclusive of all Central / State Government levies, taxes, excise duty, custom
duty, NMMC Cess etc., as also cost of incidental services such as transportation, insurance etc. but
exclusive of VAT / sales tax / service tax/ LBT / Octroi, which will be reimbursed upon production of
original receipts, at actual.
{Bidder should take into account Navi Mumbai Municipal Corporation
(NMMC) cess / LBT while submitting their Bids; in case Bank is liable to pay NMMC cess / LBT, the
cess amount will be deducted by the Bank while making payments to the Vendors}
3.9.3 Prices quoted by the Bidder shall be fixed during the Bidder’s performance of the Contract and shall
not be subject to variation on any account, including exchange rate fluctuations, changes in taxes, duties,
levies, charges etc. A Bid submitted with an adjustable price quotation will be treated as non-responsive
and will be rejected.
3.10 Delivery Schedule & Penalty for Delayed Deliveries
3.10.1 Delivery, installation, and commissioning within 10 weeks from date of purchase order.
3.10.2 In the event of the equipment not being delivered within a period of 8 weeks from date of Purchase
Order, a penalty of 0.50% per week of the total contract value for the delay, subject to maximum amount of
ten (10) percent of the total consideration will be charged to Bidder.
3.10.3 This amount of penalty so calculated shall be deducted at the time of making final payment after
successful installation and commissioning of hardware and transfer of Warranty support to Bank’s NI.
3.10.4 The Bank also reserves the right to cancel the Purchase Order and forfeit the EMD. In the event of
such cancellation, the Bidder is not entitled to any compensation. PLEASE NOTE THE DELIVERY
SCHEDULE SHALL BE FOLLOWED STRICTLY AS STIPULATED. ANY DELAY SHALL BE VIEWED
SERIOUSLY AND PENALTIES LEVIED.
3.11 Documentary Evidence Establishing Bidder’s Eligibility and Qualifications
3.11.1 The documentary evidence of the Bidder’s qualifications to perform the Contract if its Bid is accepted
shall establish to the Bank’s satisfaction:
(a) that, in the case of a Bidder offering to supply products and/or Systems under the Contract which the
Bidder did not produce, the Bidder has been duly authorized as per authorization letter / form (Annexure-5.5).
(b) that adequate, specialized expertise are available to ensure that the support services are responsive and
the Bidder will assume total responsibility for the fault-free operation of the solution proposed and
maintenance during the warranty period and provide necessary maintenance services.
3.12 Documentary Evidence Establishing Eligibility of Products and Conformity to Bidding
Documents
3.12.1 The Bidder shall submit point by point compliance to the technical specifications and it should be
included in the Bid.
3.12.2 Any deviations from specifications should be clearly brought out in the bid.
3.12.3 The Bidder should quote for the entire package on a single responsibility basis for hardware /
software / services it proposes to supply.
3.13 Earnest Money Deposit (EMD)
3.13.1 The Bidder shall furnish, as part of its Bid, an EMD of Rs. 10,00,000/- (Rupees Ten lakh only).
3.13.2 The EMD is required to protect the Bank against the risk of Bidder’s conduct, which would warrant
the EMD’s forfeiture.
3.13.3 The EMD shall be denominated in Indian Rupees and shall be in the form of a Bank Guarantee as
per Annexure-5.4.1 issued by Associate Banks of State Bank of India or any Scheduled Commercial Bank in
India payable at Mumbai and should be valid for a period of 6 months. In case, SBI is the sole Banker for
the Bidder, a Letter of Comfort from SBI may be accepted.
3.13.4 Any Bid not secured, as above, will be rejected by the Bank, as non-responsive.
3.13.5 The EMD of the unsuccessful Bidders shall be returned within 2 weeks from the date of bid
finalisation.
3.13.6 The successful Bidder’s EMD will be discharged upon the Bidder signing the Contract and
furnishing the Performance Bank Guarantee (PBG) equivalent to 15% of the value of the contract as per
format in Annexure-5.4.3. The PBG will be for the period of the contract with claim period of 3 months after
date of expiry of PBG.
3.13.7 The EMD may be forfeited:
a) if a Bidder withdraws his Bid during the period of Bid validity specified in this RFP; or
b) if a Bidder makes any statement or encloses any form which turns out to be false / incorrect at any
time prior to signing of Contract; or
c) in the case of a successful Bidder, if the Bidder fails;
(i) to sign the Contract; or
(ii) to furnish Performance Bank Guarantee
3.14 Period of Validity of Bids
3.14.1 Bids shall remain valid for a period of 180 days from the date of opening of Bid. A Bid valid for a
shorter period may be rejected by the Bank as non-responsive.
3.14.2 In exceptional circumstances, the Bank may solicit the Bidders’ consent to an extension of the
period of validity. The request and the responses thereto shall be made in writing. The EMD provided shall
also be suitably extended. A Bidder may refuse the request without forfeiting its EMD.
3.14.3 The Bank reserves the right to call for fresh quotes any time during the validity period, if considered
necessary.
3.15 Format and Signing of Bid
3.15.1 Each bid shall be in two parts:
Part I - Technical Proposal. (as per clause 3.7.1 above)
Part II - Indicative Price Proposal. (as per clause 3.7.5 above)
The two parts should be in two separate sealed NON-WINDOW envelopes, each superscribed with
“Network infrastructure for Data Centre at Hyderabad” as well as “Technical Proposal” and
“Indicative Price Proposal” as the case may be.
3.15.2 The Bid shall be typed or written in indelible ink and shall be signed by the Bidder or a person or
persons duly authorized to bind the Bidder to the Contract. The person or persons signing the Bids shall
initial all pages of the Bids, except for un-amended printed literature.
3.15.3 Any inter-lineations, erasures or overwriting shall be valid only if they are initialled by the person
signing the Bids. The Bank reserves the right to reject bids not conforming to above.
D. SUBMISSION OF BIDS
3.16 Sealing and Marking of Bids
3.16.1 The Bidders shall seal the NON-WINDOW envelopes containing one copy of “Technical Bid” and
one copy of “Indicative Price Bid” separately and the two NON-WINDOW envelopes shall be enclosed
and sealed in an outer NON-WINDOW envelope.
3.16.2 The inner envelopes shall be addressed to the Bank at the address given in Part-I above and marked
as described in Clause 3.15.1 above.
3.16.3 The outer envelope shall :
a) be addressed to the Bank at the address given in Part-I ; and
b) bear the Project Name “PROCUREMENT, INSTALLATION, COMMISSIONING,
MAINTENANCE AND FIVE YEARS WARRANTY SUPPORT OF NETWORK
INFRASTRUCTURE FOR HYDERABAD DATA CENTRE”
3.16.4 All envelopes should indicate the name and address of the Bidder on the cover.
3.16.5 If the envelope is not sealed and marked, the Bank will assume no responsibility for the bid’s
misplacement or its premature opening.
3.17 Deadline for Submission of Bids
3.17.1 Bids must be received by the Bank at the address specified, no later than the date & time specified in
the “Schedule of Events” in Invitation to Bid.
3.17.2 In the event of the specified date for submission of bids being declared a holiday for the Bank, the
bids will be received up to the appointed time on the next working day.
3.17.3 The Bank may, at its discretion, extend the deadline for submission of bids by amending the bid
documents, in which case, all rights and obligations of the Bank and bidders previously subject to the
deadline will thereafter be subject to the extended deadline.
3.18 Late Bids : Any Bid received after the deadline for submission of Bids prescribed, will be rejected
and returned unopened to the bidder.
3.19 Modification and Withdrawal of Bids
3.19.1 The Bidder may modify or withdraw its Bid after the Bid’s submission, provided that written notice
of the modification, including substitution or withdrawal of the Bids, is received by the Bank, prior to the
deadline prescribed for submission of Bids.
3.19.2 The Bidder’s modification or withdrawal notice shall be prepared, sealed, marked and dispatched. A
withdrawal notice may also be sent by Fax, but followed by a signed confirmation copy, postmarked, not
later than the deadline for submission of Bids.
3.19.3 No Bid may be modified after the deadline for submission of Bids.
3.19.4 No Bid may be withdrawn in the interval between the deadline for submission of Bids and the
expiration of the period of Bid validity specified by the Bidder on the Bid Form. Withdrawal of a Bid during
this interval may result in the Bidder’s forfeiture of its EMD.
E. Opening and Evaluation of Bids
3.20 Opening of Technical Bids by the Bank
3.20.1 The Bidders’ names, Bid modifications or withdrawals and the presence or absence of requisite EMD
and such other details as the Bank, at its discretion, may consider appropriate, will be announced at the
time of technical Bid opening.
3.20.2 Bids and modifications sent, if any, that are not opened at Bid Opening shall not be considered
further for evaluation, irrespective of the circumstances. Withdrawn bids will be returned unopened to the
Bidders.
3.21 Preliminary Examination
3.21.1 The Bank will examine the Bids to determine whether they are complete, required formats have been
furnished, the documents have been properly signed, and the Bids are generally in order.
3.21.2 Prior to the detailed evaluation, the Bank will determine the responsiveness of each Bid to the
Bidding Document. For purposes of these Clauses, a responsive Bid is one, which conforms to all the terms
and conditions of the Bidding Document without any deviations.
3.21.3 The Bank’s determination of a Bid’s responsiveness will be based on the contents of the Bid itself,
without recourse to extrinsic evidence.
3.21.4 If a Bid is not responsive, it will be rejected by the Bank and may not subsequently be made
responsive by the Bidder by correction of the nonconformity.
3.22 Technical Evaluation
3.22.1 Only those Bidders and Bids who have been found to be in conformity of the eligibility terms and
conditions during the preliminary evaluation would be taken up by the Bank for further detailed evaluation.
Those Bids who do not qualify the eligibility criteria and all terms during preliminary examination will not
be taken up for further evaluation.
3.22.2 The Bank reserves the right to evaluate the bids on technical & functional parameters including
factory visit, client site visit and witness demos of the system and verify functionalities, response times, etc.
3.22.3 Bank will evaluate the technical and functional specification of all the equipments quoted by the
Bidder.
3.22.4 During evaluation and comparison of bids, the Bank may, at its discretion ask the bidders for
clarification of its bid. The request for clarification shall be in writing and no change in prices or substance
of the bid shall be sought, offered or permitted. No post bid clarification at the initiative of the bidder shall
be entertained.
3.23 Evaluation of Price Bids and Finalization
3.23.1 Only those Bidders who qualify in pre-qualification and Technical evaluation would be shortlisted for
commercial evaluation via Reverse Auction conducted by the Bank’s authorized e-Procurement service
provider, details of which are provided in Annexure–5.7.
3.23.2 The L1 Bidder will be selected on the basis of net total of the price evaluation as quoted in the
Reverse Auction.
3.23.3 The successful bidder is required to provide the price breakup in Annexure 5.2.3 within 48 hours of
the conclusion of the Reverse Auction; maintaining the same ratio amongst the items as were earlier quoted
in the indicative price bid provided to the Bank at the time of bid submission.
3.23.4 Arithmetic errors, if any, in the price breakup format will be rectified as under:
(a) If there is a discrepancy between the unit price and total price which is obtained by multiplying the
unit price with quantity, the unit price shall prevail and the total price shall be corrected unless it is a lower
figure. If the bidder does not accept the correction of errors, the bid will be rejected.
(b) If there is a discrepancy in the unit price quoted in figures and words, the unit price in figures or in
words, as the case may be, which corresponds to the total bid price for the bid shall be taken as correct.
(c) If the Bidder has not worked out the total bid price or the total bid price does not correspond to the
unit price quoted either in words or figures, the unit price quoted in words shall be taken as correct.
(d) Bank may waive off any minor infirmity or non-conformity or irregularity in a bid, which does not
constitute a material deviation, provided such a waiving does not prejudice or affect the relative ranking of
any bidder.
3.23.5 For factors retained in the Bid, one or more of the following quantification methods will be applied:
(a) Delivery Schedule: The System and/or Services covered under this bid are to be installed and
commissioned within the period mentioned in Clause 3.10. No credit will be given to early deliveries.
(b) Quotation of Prices for all Items: The Bidder should quote for complete solution proposed/listed in
this Bid. In case, prices are not quoted by any Bidder for any specific product and / or service, for the
purpose of evaluation, the highest of the prices quoted by other Bidders participating in the bidding process
will be reckoned as the notional price for that service, for that Bidder. However, if selected, at the time of
award of Contract, the lowest of the price(s) quoted by other Bidders (whose Price Bids are also opened) for
that service will be reckoned. This shall be binding on all the Bidders. However, the Bank reserves the
right to reject all such incomplete bids.
3.24 Contacting the Bank
3.24.1 No Bidder shall contact the Bank on any matter relating to its Bid, from the time of opening of Price
Bid to the time the Contract is awarded.
3.24.2 Any effort by a Bidder to influence the Bank in its decisions on Bid evaluation, Bid comparison or
contract award may result in the rejection of the Bidder’s Bid.
3.25 Award Criteria
3.25.1 The Bank will award the Contract to the successful Bidder who has been determined to qualify to
perform the Contract satisfactorily, and whose Bid has been determined to be responsive, and is the lowest
evaluated Bid.
3.25.2 The Bank reserves the right at the time of award of contract to increase or decrease the quantity of
goods and / or services or change in location where equipments are to be supplied from what was originally
specified while floating the RFP without any change in unit price or any other terms and conditions.
3.26 Bank’s right To Accept Any Bid and to reject any or All Bids: The Bank reserves the right to
accept or reject any Bid in part or in full or to cancel the Bidding process and reject all Bids at any time
prior to contract award, without incurring any liability to the affected Bidder or Bidders or any obligation to
inform the affected Bidder or Bidders of the grounds for the Bank's action.
3.27 Notification of Award
3.27.1 Prior to expiration of the period of Bid validity, the Bank will notify the successful Bidder in writing
or by e-mail, that his Bid has been accepted.
3.27.2 The notification of award will constitute the formation of the Contract. The selected Bidder should
convey acceptance of the award of contract by returning duly signed and stamped duplicate copy of the
award letter within 7 days of receipt of the communication.
3.27.3 Upon notification of award to the L1 Bidder, the Bank will promptly notify each unsuccessful Bidder
and will discharge its EMD.
3.28 Performance Bank Guarantee (PBG):
Performance Bank Guarantee of 15% of the Bid Value in the format at Annexure-5.4.3 to be submitted by
the successful Bidder for a period of 60 months from Associate Banks of State Bank of India or a Scheduled
Commercial Bank. In case, SBI is the sole Banker for the Bidder, a Letter of Comfort from SBI may be
accepted and PBG should be submitted within a week of receipt of formal communication from the Bank
about their successful bid. Purchase Order will be released only after receipt of the Performance Bank
Guarantee.
3.29 Signing of Contract:
3.29.1 In the absence of a formal contract, the Bid document, together with the Bank's notification of
award and the Bidder's acceptance thereof, would constitute a binding contract between the Bank and the
successful Bidder.
3.29.2 Failure of the successful Bidder to comply with the requirement of Clause 3 shall constitute sufficient
grounds for the annulment of the award and forfeiture of the EMD.
3.29.3 The Bank reserves the right either to invoke the Performance Bank Guarantee or to cancel the
purchase order or both if the Bidder fails to meet the terms of this RFP or contracts entered into with them.
3.30 Miscellaneous
3.30.1 The selected Bidder should arrange for storage of Equipment/Components till final locations
are advised by the Bank.
3.30.2 The selected Bidder should undertake, during the period of contract, if required by the Bank, the
relocation / shifting of the equipment. The Bank will reimburse the cost on actual basis.
3.30.3 The selected Bidder should undertake to implement the observations / recommendations of the
Bank's IS-Audit, Security Audit Team or any other audit conducted by the Bank or external agencies and
any escalation in cost on this account will not be accepted by the Bank.
3.30.4 The bidder's responsibility is to provide four (4) Cabling Technicians 24/7 at each location.
Note: Notwithstanding anything said above, the Bank reserves the right to reject the contract or cancel the
entire process without assigning reasons thereto.
PART - 4. TERMS AND CONDITIONS OF CONTRACT (TCC)
4.1 Definitions: In this Contract, the following terms shall be interpreted as indicated:
4.1.1 "The Bank" means State Bank of India, its Associate, Subsidiaries and Joint Ventures located in India.
4.1.2 "The Contract" means the agreement entered into between the Bank and the Bidder, as recorded in
the Contract Form signed by the parties, including all attachments and appendices thereto and all
documents incorporated by reference therein;
4.1.3 "Bidder" is the successful Bidder whose technical bid has been accepted and whose price as per the
commercial bid is the lowest and to whom notification of award has been given by Bank.
4.1.4 "The Contract Price" means the price payable to the Bidder under the Contract for the full and proper
performance of its contractual obligations;
4.1.5 "The Equipment" means all the hardware / software and / or services which the Bidder is required to
supply to the Bank under the Contract;
4.1.6 "The Services" means those services ancillary to the supply of the Products, such as transportation
and insurance, installation, commissioning, customization, provision of technical assistance, training,
maintenance and other such obligations of the Bidder covered under the Contract;
4.1.7 "TCC" means the Terms and Conditions of Contract contained in this section;
4.1.8 "The Project" means supply, delivery of equipments/components with 5 years Warranty.
4.1.9 "The Project Site" means various branches / offices/ Data Centres and Disaster Recovery Centres of
the State Bank of India, as the case may be, where the equipment is to be supplied, installed and
commissioned.
In case of a difference of opinion on the part of the Bidder in comprehending and/or interpreting any
clause / provision of the Bid Document after submission of the Bid, the interpretation by the Bank shall be
binding and final on the Bidder.
4.2 Use of Contract Documents and Information
4.2.1 The Bidder shall not, without the Bank's prior written consent, disclose the Contract, or any provision
thereof, or any specification, plan, drawing, pattern, sample or information furnished by or on behalf of the
Bank in connection therewith, to any person other than a person employed by the Bidder in the
performance of the Contract. Disclosure to any such employed person shall be made in confidence and shall
extend only so far as may be necessary for purposes of such performance.
4.2.2 The Bidder will treat as confidential all data and information about the Bank, obtained in the
execution of his responsibilities, in strict confidence and will not reveal such information to any other party
without the prior written approval of the Bank.
4.3. Country of Origin / Eligibility of Goods & Services
4.3.1 All goods and related services to be supplied under the Contract shall have their origin in eligible
source countries, as per the prevailing Import Trade Control Regulations in India.
4.3.2 For purposes of this clause, "origin" means the place where the goods are mined, grown, or
manufactured or produced, or the place from which the related services are supplied. Goods are produced
when, through manufacturing, processing or substantial and major assembly of components, a
commercially-recognized product results that is substantially different in basic characteristics or in purpose
or utility from its components.
4.4. Use of Contract Documents and Information
4.4.1 The Bidder shall not, without the Bank's prior written consent, disclose the Contract, or any provision
thereof, or any specification, plan, drawing, pattern, sample or information furnished by or on behalf of the
Bank in connection therewith, to any person other than a person employed by the Bidder in the
performance of the Contract. Disclosure to any such employed person shall be made in confidence and shall
extend only as far as may be necessary for purposes of such performance.
4.4.2 The Bidder shall not, without the Bank's prior written consent, make use of any document or
information except for purposes of performing the Contract.
4.4.3 Any document, other than the Contract itself, shall remain the property of the Bank and shall be
returned (in all copies) to the Bank on completion of the Bidder's performance under the Contract, if so
required by the Bank.
4.5. Patent Rights
4.5.1 In the event of any claim asserted by a third party of infringement of copyright, patent, trademark,
industrial design rights, etc. arising from the use of the Goods or any part thereof in India, the Bidder shall
act expeditiously to extinguish such claim. If the Bidder fails to comply and the Bank is required to pay
compensation to a third party resulting from such infringement, the Bidder shall be responsible for the
compensation to claimant including all expenses, court costs and lawyer fees. The Bank will give notice to
the Bidder of such claim, if it is made, without delay. The Bidder shall indemnify the Bank against all third
party claims.
4.6 Inspection and Quality Control Tests
4.6.1 The Bank reserves the right to carry out pre-shipment factory / godown inspection by a team of
Bank officials or demand a demonstration of the solution proposed on a representative model in Bidder's
office.
4.6.2 The Inspection and Quality Control tests before evaluation, prior to shipment of Goods and at the
time of final acceptance would be as follows:
(a) Inspection/Pre-shipment Acceptance Testing of Goods as per quality control formats including
functional testing, burn-in tests and mains fluctuation test at full load, facilities etc., as per the standards /
specifications may be done at factory site of the Bidder before dispatch of goods, by the Bank / Bank's
Consultants / Testing Agency.
(b) The Bidder should intimate the Bank before dispatching the goods to various locations/offices for
conduct of pre-shipment testing. Successful conduct and conclusion of pre-dispatch inspection shall be the
sole responsibility of the Bidder;
(c) Provided that the Bank may, at its sole discretion, waive inspection of goods having regard to the
value of the order and/or the nature of the goods and/or any other such basis as may be decided at the sole
discretion of the Bank meriting waiver of such inspection of goods.
(d) In the event of the hardware and software failing to pass the acceptance test, as per the
specifications given, a period not exceeding two weeks will be given to rectify the defects and clear the
acceptance test, failing which, the Bank reserves the right to cancel the Purchase Order.
(e) The inspection and quality control tests may be conducted on the premises of the Bidder, at point
of delivery and / or at the Goods' final destination. Reasonable facilities and assistance, including access to
drawings and production data, shall be furnished to the inspectors, at no charge to the Bank. If the testing
is conducted at the point of delivery or at the final destination, due to failure by the Bidder to provide
necessary facility / equipment at his premises, all the cost of such inspection like travel, boarding, lodging
& other incidental Expenses of the Bank's representatives to be borne by the Bidder.
(f) Nothing stated herein above shall in any way release the Bidder from any warranty or other
obligations under this Contract.
(g) The Bidder shall provide complete and legal documentation of Systems, all subsystems, operating
systems, compiler, system software and the other software. The Bidder shall also provide licensed software
for all software products, whether developed by it or acquired from others. The Bidder shall also indemnify
the Bank against any levies/penalties on account of any default in this regard.
(h) On successful completion of acceptability test, receipt of deliverables, etc., and after the Bank is
satisfied with the working on the system, the acceptance certificate will be signed by the representative of
the Bank.
4.6.3 The Bank's right to inspect, test and where necessary reject the products after the products' arrival at
the destination shall in no way be limited or waived by reason of the products having previously been
inspected, tested and passed by the Bank or its representative prior to the products' shipment from the
place of origin by the Bank or its representative prior to the installation and commissioning.
4.6.4 Nothing stated hereinabove shall in any way release the Bidder from any warranty or other
obligations under this contract.
4.7 Delivery & Documentation
4.7.1 The Bidder shall provide such packing of the products as is required to prevent their damage or
deterioration during transit to their final destination. The packing shall be sufficient to withstand, without
limitation, rough handling during transit and exposure to extreme temperature, salt and precipitation
during transit and open storage. Size and weights of packing case shall take into consideration, where
appropriate, the remoteness of the Products' final destination and the absence of heavy handling facilities at
all transit points.
4.7.2 Delivery of the equipment shall be made by the Bidder in accordance with the system approved /
ordered. The details of the documents to be furnished by the Bidder are specified hereunder:
(a) 2 copies of Bidder's Invoice showing Contract number, Products description, quantity, unit price
and Total amount.
(b) Delivery Note or acknowledgement of receipt of Products from the Consignor or in case of products
from abroad original and two copies of the negotiable clean Airway Bill
(c) 2 copies of packing list identifying contents of each package.
(d) Insurance Certificate.
(e) Manufacturer's / Bidder's warranty certificate.
4.7.3 The above documents shall be received by the Bank before arrival of Products and if not received the
Bidder will be responsible for any consequent expenses.
4.7.4 Delivery of the equipments/components shall be made by the Bidder in accordance with the system
approved / ordered.
4.8 For the System & other Software, the following will apply:
(a) The Bidder shall supply standard software packages published by third parties in or
out of India in their original publisher-packed status only, and should have procured
the same either directly from the publishers or from the publisher's sole authorized
representatives only.
(b) The Bidder shall provide complete and legal documentation of all subsystems,
licensed operating systems, licensed system software, licensed utility
software and other licensed software. The Bidder shall also provide licensed
software for all software products whether developed by it or acquired from others.
There shall not be any default in this regard.
(c) In case the Bidder is providing software which is not his proprietary software then the
Bidder must submit evidence in the form of agreement he has entered into with the
software Bidder which includes support from the software Bidder for the proposed
software for the full period required by the Bank.
(d) The Bidder shall explicitly absolve the Bank of any responsibility / liability for use of
system / application software delivered along with the equipment, (i.e. the Bidder
shall absolve the Bank in all cases of possible litigation / claims arising out of any
copyright / license violation) for software(s) published either by third parties, or by
themselves.
4.9 Insurance:
4.9.1 The insurance shall be in an amount equal to 110 percent of the value of the Products from
"Warehouse to final destination" on "All Risks" basis, valid for a period not less than one month after
installation and commissioning and issue of acceptance certificate by the Bank.
4.9.2 Should any loss or damage occur, the Bidder shall:
a) initiate and pursue claim till settlement and
b) promptly make arrangements for repair and / or replacement of any damaged
item irrespective of settlement of claim by the underwriters.
4.10 Warranty / Uptime / Penalty: As per Annexure-5.3.
4.11 Payment Terms
4.11.1 Payment shall be made in Indian Rupees.
4.11.2 The payment terms for the Purchase Order:
a. 50% of the Total amount of equipment delivered on delivery and verification
of Bill of material by the bank's officials or by the agency/ representative
nominated by the Bank to verify Bill of material. If the equipment/ solution
delivered is not as per the Bill of material Bank reserves right to cancel the
order and no payment will be made.
b. Remaining 40% on installation, testing and successful commissioning of the
Networking equipment for Switching solution, and issuance of certificate of
successful Commissioning (Annexure 5.6) duly signed by the Bank and the
Vendor. As already stated, for reasons of delays in installation and
commissioning not attributable to the Bank the liquidated damages may be
levied as stated.
c. Balance 10% after six months from the date of issuance of certificate of
successful commissioning and acceptance or on submission of BG for the
equivalent amount for the early release.
d. One Time Implement Cost: 100% after successful UAT and issuance of
Certificate of successful commissioning per Annexure 5.6.
e. Warranty and Support Cost (Ref. Annexure 5.2.3): 1/5th of the total cost
yearly in arrears from the date of successful commissioning and issuance of
Certificate of successful commissioning per Annexure 5.6
4.11.3 Payments will not be released for any part-shipment or short-shipments.
4.12 Prices
4.12.1 Prices payable to the Bidder as stated in the Contract shall be firm and not subject to adjustment
during performance of the Contract, irrespective of reasons whatsoever, including exchange rate
fluctuations, changes in taxes, duties, levies, charges, etc.
4.12.2 The Bidder will pass on to the Bank, all fiscal benefits arising out of reductions, if any, in
Government levies viz. sales tax, excise duty, custom duty, etc. or the benefit of discounts if any
announced in respect of the cost of the items for which orders have been placed during that period.
4.12.3 The Bank reserves the right to re-negotiate the prices in the event of change in the international
market prices of both the hardware and software.
4.12.4 The Bidder shall maintain the product and services Rate Contract for the period of 5 years from the
date of Purchase Order.
4.13 Change Orders
4.13.1 The Bank may, at any time, by a written order given to the Bidder, make changes within the general
scope of the Contract in any one or more of the following:
(a) Method of shipment or packing;
(b) Place of delivery;
(c) Quantities to be supplied subject to 25% above or below the originally declared
quantities.
4.13.2 If any such change causes an increase or decrease in the cost of, or the time required for the
Bidder's performance of any provisions under the Contract, an equitable adjustment shall be made in the
Contract Price or delivery schedule, or both, and the Contract shall accordingly be amended. Any claims
by the Bidder for adjustment under this clause must be asserted within thirty (30) days from the date of
Bidder's receipt of Bank's change order.
4.14 Contract Amendments: No variation in or modification of the terms of the Contract shall be
made, except by written amendment, signed by the parties.
4.15 Assignment: The Bidder shall not assign, in whole or in part, its obligations to perform under the
Contract, except with the Bank's prior written consent.
4.16 Delays in the Bidder's Performance
4.16.1 Delivery of the Products/Solution and performance of Services shall be made by the Bidder within
the timelines prescribed.
4.16.2 If at any time during performance of the Contract, the Bidder or its subcontractor(s) should
encounter conditions impeding timely delivery of the Products and performance of Services, the Bidder
shall promptly notify the Bank in writing of the fact of the delay, its likely duration and its cause(s). As
soon as practicable after receipt of the Bidder's notice, the Bank shall evaluate the situation and may, at
its discretion, extend the Bidder's time for performance, with or without liquidated damages, in which
case, the extension shall be ratified by the parties by amendment of the Contract.
4.16.3 Except as provided in the above clause, a delay by the Bidder in the performance of its delivery
obligations shall render the Bidder liable to the imposition of liquidated damages, unless an extension of
time is agreed upon without the application of liquidated damages.
4.17 Liquidated Damages : If the Bidder fails to deliver any or all of the Products or perform the
Services within the time period(s) specified in the Contract, the Bank may, without prejudice to its
other remedies under the Contract, and unless otherwise extension of time is agreed upon without
the application of Liquidated Damages as mentioned in clauses above, deduct from the Contract
Price, as liquidated damages, a sum equivalent to half (0.50) percent per week of order value subject
to maximum deduction of 5% of the order value, until actual delivery or performance. Once the
maximum deduction is reached, the Bank may consider termination of the Contract or may take any
action deemed fit by the Bank. The bidder shall intimate the Bank once the capacity of a server hall
reaches 70%, so that the Bank can prepare for and initiate the balance material requirement for an
additional server hall.
4.18 Termination for Default
4.18.1 The Bank, without prejudice to any other remedy for breach of Contract, by a written notice of
default sent to the Bidder, may terminate the Contract in whole or in part:
(a) If the Bidder fails to deliver any or all of the Products and Services within the period(s) specified in
the Contract, or within any extension thereof granted by the Bank;
Or
(b) If the Bidder fails to perform any other obligation(s) under the Contract.
4.18.2 In the event the Bank terminates the Contract in whole or in part, it may procure, upon such terms
and in such manner as it deems appropriate, Products and Services similar to those undelivered, and the
Bidder shall be liable to the Bank for any excess costs for such similar Products or Services. However, the
Bidder shall continue performance of the Contract to the extent not terminated.
4.19 Force Majeure
4.19.1 Notwithstanding the provisions of Terms and Conditions of Contract (TCC), the Bidder shall not be
liable for forfeiture of its performance security, liquidated damages, or termination for default if and to
the extent that the delay in performance or other failure to perform its obligations under the Contract is
the result of an event of Force Majeure.
4.19.2 For purposes of this clause, "Force Majeure" means an event beyond the control of the Bidder and
not involving the Bidder's fault or negligence and not foreseeable. Such events may include, but are not
restricted to, acts of the Bank in its sovereign capacity, wars or revolutions, fires, floods, epidemics,
quarantine restrictions, and freight embargoes.
4.19.3 If a Force Majeure situation arises, the Bidder shall promptly notify the Bank in writing of such
condition and the cause thereof. Unless otherwise directed by the Bank in writing, the Bidder shall
continue to perform its obligations under the Contract as far as is reasonably practical, and shall seek all
reasonable alternative means for performance not prevented by the Force Majeure event.
4.20 Termination for Insolvency: The Bank may, at any time, terminate the Contract by giving
written notice to the Bidder if the Bidder becomes Bankrupt or otherwise insolvent. In this event,
termination will be without compensation to the Bidder, provided that such termination will not
prejudice or affect any right of action or remedy, which has accrued or will accrue thereafter to the Bank.
4.21 Termination for Convenience: The Bank, by written notice sent to the Bidder, may terminate
the Contract, in whole or in part, at any time for its convenience. The notice of termination shall specify
that termination is for the Bank's convenience, the extent to which performance of the Bidder under the
Contract is terminated, and the date upon which such termination becomes effective.
4.22 Resolution of Disputes:
4.22.1 The Bank and the Bidder shall make every effort to resolve amicably by direct informal
negotiation, any disagreement or dispute arising between them under or in connection with the Contract.
4.22.2 If the Bank and the Bidder have been unable to resolve amicably a Contract dispute even after a
reasonably long period, either party may require that the dispute be referred for resolution to the formal
mechanisms specified herein below. These mechanisms may include, but are not restricted to,
conciliation mediated by a third party and/or adjudication in an agreed national forum.
4.22.3 The dispute resolution mechanism to be applied shall be as follows:
(a) In case of Dispute or difference arising between the Bank and the Bidder relating to any matter
arising out of or connected with this agreement, such disputes or difference shall be settled in accordance
with the Arbitration and Conciliation Act, 1996. Where the value of the Contract is above Rs.1.00 Crore,
the arbitral tribunal shall consist of 3 arbitrators, one each to be appointed by the Purchaser and the
Bidder. The third Arbitrator shall be chosen by mutual discussion between the Purchaser and the Bidder.
Where the value of the contract is Rs.1.00 Crore and below, the disputes or differences arising shall be
referred to a Sole Arbitrator who shall be appointed by agreement between the parties.
(b) Arbitration proceedings shall be held at Belapur, Navi Mumbai, and the language of the arbitration
proceedings and that of all documents and communications between the parties shall be English;
(c) The decision of the majority of arbitrators shall be final and binding upon both parties. The cost
and expenses of Arbitration proceedings will be paid as determined by the arbitral tribunal. However, the
expenses incurred by each party in connection with the preparation, presentation, etc., of its proceedings
as also the fees and expenses paid to the arbitrator appointed by such party or on its behalf shall be borne
by each party itself; and
4.23 Governing Language: The governing language shall be English.
4.24 Applicable Law: The Contract shall be interpreted in accordance with the laws of the Union of
India and shall be subject to the exclusive jurisdiction of courts at Mumbai.
4.25 Addresses for Notices
4.25.1 The following shall be the address of the Bank and Bidder.
Bank's address for notice purposes:
Deputy General Manager,
Tech Operations Department
State Bank Global IT Centre,
2nd Floor, C Wing,
Sector 11, CBD Belapur,
Navi Mumbai-(400614)
Bidder's address for notice purposes
<To be filled in by the Bidder>
4.25.2 A notice shall be effective when delivered or on effective date of the notice whichever is
later.
4.26 Taxes and Duties
4.26.1 Prices quoted should be inclusive of all Central / State Government levies, taxes, excise duty, custom
duty, NMMC Cess etc., as also cost of incidental services such as transportation, insurance etc. but
exclusive of VAT / sales tax / service tax/ LBT / Octroi, which will be reimbursed upon production of
original receipts, at actual.
4.26.2 Income / Corporate Taxes in India: The Bidder shall be liable to pay all corporate taxes and income
tax that shall be levied according to the laws and regulations applicable from time to time in India and the
price bid by the Bidder shall include all such taxes in the contract price.
4.26.3 Tax deduction at Source: Wherever the laws and regulations require deduction of such taxes at the
source of payment, the Bank shall effect such deductions from the payment due to the Bidder. The
remittance of amounts so deducted and issuance of certificate for such deductions shall be made by the
Bank as per the laws and regulations in force. Nothing in the Contract shall relieve the Bidder from his
responsibility to pay any tax that may be levied in India on income and profits made by the Bidder in
respect of this contract.
4.26.4 The Bidder's staff, personnel and labour will be liable to pay personal income in India in respect of
such of their salaries and wages as are chargeable under the laws and regulations for the time being in
force, and the Bidder shall perform such duties in regard to such deductions thereof as may be imposed on
him by such laws and regulations.
4.27 Bidder’s obligations
4.27.1 The Bidder is responsible for and obliged to conduct all contracted activities in accordance with the
contract using state-of-the-art methods and economic principles and exercising all means available to
achieve the performance specified in the Contract.
4.27.2 The Bidder will be responsible for arranging and procuring all relevant permissions / Road Permits
etc. for transportation of the equipment to the location where installation is to be done. The Bank would
only provide necessary letters for enabling procurement of the same.
4.27.3 The Bidder is obliged to work closely with the Bank's staff, act within its own authority and abide by
directives issued by the Bank and implementation activities.
4.27.4 The Bidder will abide by the job safety measures prevalent in India and will free the Bank from all
demands or responsibilities arising from accidents or loss of life, the cause of which is the Bidder's
negligence. The Bidder will pay all indemnities arising from such incidents and will not hold the Bank
responsible or obligated.
4.27.5 The Bidder is responsible for managing the activities of its personnel or sub-contracted personnel
and will hold itself responsible for any misdemeanors.
4.27.6 The Bidder will treat as confidential all data and information about the Bank, obtained in the
execution of his responsibilities, in strict confidence and will not reveal such information to any other party
without the prior written approval of the Bank.
4.28 Patent Rights/Intellectual Property Rights : In the event of any claim asserted by a third
party of infringement of trademark, trade names, copyright, patent, intellectual property rights or
industrial design rights arising from the use of the Products or any part thereof in India, the Bidder shall
act expeditiously to extinguish such claim. If the Bidder fails to comply and the Bank is required to pay
compensation to a third party resulting from such infringement, the Bidder shall be responsible for the
compensation including all expenses, court costs and lawyer fees. The Bank will give notice to the Bidder of
such claim, if it is made, without delay.
4.29 Right to use defective product: If after delivery, acceptance and installation and within the
guarantee and warranty period, the operation or use of the product is found to be unsatisfactory, the Bank
shall have the right to continue to operate or use such product until rectification of defects, errors or
omissions by partial or complete replacement is made without interfering with the Bank's operation.
*******
PART 5: BID FORM, PRICE SCHEDULES AND OTHER FORMATS
INDEX
ANNEXURE NUMBERS
5.1 Requirement Specifications
5.1.1 Technical Specifications
5.1.2 Bill of Material and Compliances
5.1.3 Undertaking of Authenticity
5.1.4 Pre-bid Format
5.2 Bid Forms
5.2.1 Bid Form (Technical)
5.2.2 Indicative Price Bid Form
5.2.3 Price Breakup after Reverse Auction
5.3 SLA Terms & Conditions for Hardware & Software
5.4 Bank Guarantee
5.4.1 EMD Bank Guarantee Format
5.4.2 Bank Guarantee Format for early release of 10% retention money
5.4.3 Performance Bank Guarantee Format
5.5 Manufacturer's Authorisation Form
5.6 Certificate of Successful Commissioning
5.7 Details of eProcurement Reverse Auction
5.8 Tentative List of Delivery Locations
5.9 Eligibility Criteria
5.10 Bidder Organization profile
5.11 Non-disclosure Agreement
5.12 Pre-Contract Integrity Pact
ANNEXURE – 5.1.1
LIST of OEM/MAKES TABLE – 1
Gartner Magic
Quadrant for Data
Center Networking - May 2016
OEMs listed in Leaders and Challengers segment,
who have their own switching and routing
solution for the given requirement.
Cisco, Arista, HPE,
Brocade, and
Juniper
Routers
n/a
OEMs listed in Leaders and Challengers segment,
who have their own switching and routing
solution for the given requirement.
Cisco, Arista, HPE,
Brocade, and
Juniper
Firewall Periphery
Gartner Magic
Quadrant for
Enterprise Network
Firewalls - 2016
OEMs listed in Leaders and Challengers
L-1 from Palo Alto,
Checkpoint,
Fortinet, Cisco
OEMs listed in Leaders and Challengers
L-2 from Palo Alto,
Checkpoint,
Fortinet, Cisco
except the L1 OEM
OEMs listed in Leaders and Challengers
L1 from Cisco, Intel
Security (McAfee),
HPE, IBM
OEMs listed in Leaders and Challengers
L2 from Cisco, Intel
Security (McAfee),
HPE, IBM Except
L1
OEMs listed in Leaders and Challengers
F5, Radware, Citrix,
Array Networks and
A10 Networks
Switches
NIPS-Core
Gartner Magic
Quadrant for
Enterprise Network
Firewalls - 2016
Gartner Magic
Quadrant for
Intrusion
Prevention System - November 2015
Gartner Magic
Quadrant for
Intrusion
Prevention System - November 2015
VPN Load
Balancer
Magic Quadrant for
Application Delivery
Controllers-October
2015
Firewall core
NIPS Periphery
n/a
OEM should have presence in India with
manufacturing and research and development
center in India
The manufacturing & R&D Unit in India should
have ISO 9001 and ISO 14001 certifications
OEM should have supplied Rack solution to
at least 2 data centres of 100 racks in last 2 years.
Racks can be from Single OEM. However,
Intelligence locking / digital locking can be
provided through partnership with industry
leading NON-APAC vendor.
Rack and
iPDU
WQ, Rittal, APW
n/a
Fiber and
Copper
cabling
OEM should be a Global brand and have
manufacturing in non APAC regions as well. This
should be substantiated with a visit to the main
manufacturing plant / R&D Center by a minimum of
four personnel at the OEM's cost.
The manufacturer should have ISO 9001 and ISO
14001 certifications or any such equivalent global
certification.
Copper and Fiber cabling Solution can be from
Single OEM. However, Intelligence can be
provided through partnership with industry
leading intelligent / DCIM solution vendor.
OEM should have supplied cabling solution to
at least 2 data centres of 100 racks in last 2 years.
Corning,
Systimax, R&M,
Panduit, Siemon,
RIT
TECHNICAL SPECIFICATIONS
Structured Cabling Requirement: TABLE - 2
GENERAL SPECIFICATIONS:
Srl. No.
Compliance (Y/N)
Details
1
IT Data Centre complete in all respect (STP CAT6 and fibre (Multimode OM4
fibre)).
2
Cabling at Distribution rack will be Intelligent Cabling Solution in each server
hall.
3
Backbone between Spine and Leaf switches and leaf Switches to server rack
(multimode OM4 fibre) and in Hub rooms for sitting area (multimode OM4
fibre).
4
Cabling OEM should be of an approved make and have manufacturing in non APAC
regions as well. This should be substantiated with a visit (as per the procedure
and QAP set out in relevant section of the bidding document) to the main
manufacturing plant / R&D Centre by a minimum of four personnel at the OEM's cost.
5
The OEM manufacturing facility should have ISO certifications from where OEM
is supplying material. OEM should mention the factory name against each line
item where that particular product is getting manufactured.
6
Copper and Fibre cabling Solution can be from Single OEM. However, Intelligent
cabling solution can be provided through partnership with industry leading
intelligent / DCIM solution vendor.
7
The Bidder & OEM should have supplied cabling solution to at least 2-3
datacentres of min 100 racks in last years. Self-attestation needed.
8
Structured cabling involves supply, installation, testing and commissioning of all
Jack panels, Network/Server Racks, laying of cables (Copper STP & Fibre),
Terminations at both ends and other passive components.
9
Cable laying will be through metal raceways, PVC conduits, overhead ladder / tray
and other relevant activities.
10
Laying of STP copper Cable in raceways includes proper bunching and tagging for
Data/ Voice Cable including colour coding.
11
Preliminary continuity Testing & Ferruling at both ends for the unique
identity of each cable.
12
Termination, Installation, Fixing of Port Jack Panels including proper Dressing of
Cables.
13
Fixing & Casio labelling of Jack Panels.
14
Proper routing of Patch Cords in Racks, Jack Panels and wire/ cable manager
with tagging of Mounting Cords.
15
Network rack shall be with proper cable management, Ladder, Vertical &
Horizontal Wire Manager etc.
16
Fibre termination and Management System and Fibre routing also has to be
included in the scope.
17
OLTS Scanning of laid Copper/Fibre Cables for the performance testing of
Installed Cabling System with EIA/TIA specified parameters.
18
Cabling system shall include factory-terminated system components which can be
quickly mated to form an end-to-end optical link between patching locations
and/or equipment ports.
19
Cabling Solution should be a high density LSZH system solution with reduced
installation time.
20
Cabling system shall be a modular solution and should offer a greater degree of
flexibility in managing equipment moves, adds, or changes.
21
Cabling solution should maintain proper system polarity.
22
Bidder shall submit the certificate from fiber glass OEM stating bend insensitive
glass is supplied for all the cables in this project and also attenuation report of
fibre core used.
23
Fibre cable & jumper shall have OM4 fibre with bend insensitive fibre. Trunk cable
and jumper should be able to withstand bending radius of three times the outer
diameter. Macro bend loss in fibre cable and jumper shall not be more than 0.2
dB when 2 turns are made in a 7.5 mm mandrel and 0.1 dB when 2 turns are
made in a 15 mm mandrel.
24
All Passive Components should be RoHS (Restriction of Certain Hazardous
Substances) compliant. The declaration "RoHS Compliant" should clearly be mentioned
on the datasheet of each Passive Component.
25
There should be 25 year product warranty and Application Assurance for passive
components and minimum year warranty for any active components.
26
All specification and relevant documents should be available on public domain.
27
All the passive component should meet the given Global standards.
28
Supporting data sheet should be same for all geographical location of the
manufacturer.
29
The bidder shall give the prices of each section defined in the scope of structured
cabling.
30
Though the approximate no. of ports per facility is given below, the bidder may
add points they feel necessary as directed by engineer in charge.
31
All horizontal cabling should emanate from Jack panels on the distribution switch
and be routed to outlets nominated through ceiling space, risers, skirting duct and
workstation partition duct etc.
32
The cables must be laid in an aggregated manner to reduce the cabling space
requirement.
33
Cables should be installed in a workmanlike manner, parallel to walls, floors and
ceilings, as applicable.
34
The manufacturer's cable form should be maintained at all times. No distortion
due to kinks, sharp bends or excessive hauling tension shall be allowed to occur
during installation.
35
Care should be taken to prevent other trades damaging the cable by walking or
storing heavy objects on them whilst laying out and installation.
36
Cables should be run in a manner eliminating any possibility of strain on the
cable itself or on the terminations.
37
Cables entering or exiting trays, conduits, catenary wires and other fixed support
should have a small gooseneck or slack provided and should be fixed at both ends
to prevent the possibility of cable stress.
38
Cables should be concealed except where nominated otherwise, and should run in
neat lines.
39
Cables should have no joints or splices; all foil should necessarily be grounded at
all terminations.
40
Cables should be kept at a minimum distance of 150mm from items liable to
become hot or cold. The distance should be consistent with the maximum or
minimum temperature possible and the cable type. Cables should at no point
make direct contact with such items.
41
Cables should not be directly embedded in plaster, concrete, mortar or other
finishes unless they are in conduit and capable of being fully withdrawn and
replaced after the building is finished without damage to finishes.
42
Bending radius should not be less than the manufacturer's recommendation and
in any case should be not less than eight times the overall cable diameter.
43
Cabling will run in separate shafts and ducts from the electrical ducts so as to
avoid any interference.
44
Cable should either have a nylon sheath or should be enclosed in a conduit if
running underground.
45
Under no circumstance will hand labelling of the cables be accepted. No hand
punching shall be allowed without proper tools. Labelling and Punching should be
done as per TIA/EIA standards.
46
All copper conductors must be tested for continuity and pair integrity as well as
EMI interference.
47
Any cable that does not meet TIA/EIA specifications should be repaired or
replaced at the Vendor's expense.
48
The termination of connectors should be RJ- Single Information Outlets with
faceplates, shutter and Surface box.
49
The Fibre Couplers and Connectors generally would be LC/MTP type.
50
There should be professional Cable Management and tools available on site e.g.
copper Cable Termination tools.
51
Each outlet shall be tested for satisfactory operation based on certification
parameters valid for the entire warranty period of 25 years or more as applicable.
All outlets in the Facility should be clearly marked, labelled & documented for future
reference.
52
Maintenance of the LAN Passive components shall be done by the Agency.
Additional Passive nodes, whenever required, shall need to be
provided based on requests. The bidder must quote per termination charges in
various slabs.
53
Cable layout plan should be submitted as part of the technical bid.
Cat 6 UTP Cable
54
Should exceed all TIA/EIA-568 Cat 6 cable performance requirements for
frequency up to 250 MHz.
55
Should be tested and verified for Cat 6 component performance.
56
The Conductors should be twisted in pairs with four pairs contained in a flame
retardant LSZH jacket separated by a divider and conductor size should be 23
AWG.
57
Each port should be 100% tested to ensure NEXT and return loss performance
and should be individually serialized to support traceability.
Copper Patch Cords
58
Should exceed TIA/EIA-568 Category 6 and ISO 11801 Class E standards.
59
Should be GHMT/ETL tested and approved for Category 6 Compliance.
60
Each patch cord should be 100% factory made and performance tested.
61
Plug performance should be in center of GHMT/TIA/EIA component range,
ensuring interoperability and Gigabit Ethernet channel performance.
62
Fiber optic patch cords should be as per GHMT/EIA/TIA standards.
Faceplates
63
Should accept Cat6 Modules for UTP / STP which snap in and out for easy moves,
adds and changes.
Information Outlets
64
Modular jacks shall be 4-pair, RJ-45, and shall easily fit in a UTP / STP CAT 6
Face Plate. Modular jacks shall terminate using both T568A and T568B wiring.
65
Information outlet shall be capable of terminating 23 AWG CAT 6 STP/UTP cable
conductors.
66
The insulation displacement contacts shall be paired, with additional space
between pairs, to improve crosstalk performance.
67
The modular jacks must be auto shuttered and should have integral dust cover
protection.
Horizontal Cable Managers
68
Should be made of lightweight plastic/metal construction that provides durability
and easy installation.
69
Should have rounded edges on fingers to protect cables from snags and damage to
cable.
70
Should have flexible fingers to allow easy installation and removal of cables.
71
Should have pass through holes that allow front to rear cabling.
72
Should mount to standard 19" EIA racks and cabinets.
Vertical Cable Management System
73
Should have high density which minimizes area required for network layout,
freeing up valuable floor space.
74
Should have curved cable management fingers that support cables as they
transition to the vertical pathway eliminating the need for horizontal managers.
75
Should have slack management spools to organize and manage patch cord slack
allowing standardization of patch cords.
76
Should have a combination of 6" W wire managers for cable management.
77
Should be equipped with end panels and doors for the wire managers.
Cat 6 UTP, Type Patch Panels
78
Should accept Cat 6 Modules for STP, which snap in and out for easy moves, adds
and changes.
79
Should be mountable onto the standard 19" racks with optional extender brackets.
80
The patch panels should facilitate proper bend radius control and minimize the
need for horizontal cable managers.
TABLE - 3
Fiber CABLE SYSTEMS GENERIC SPECIFICATION for DATACENTER
Compliance (Y/N)
1
Designing the cabling solution
Designing the cabling solution
1.1
Bidder has to design, lay and test the cabling to cater the DC requirements.
Cabling will be done in phases and bidder has to arrange for the same as and
when required.
1.2
Design considerations:
1.2.1
Network Rack should have a patch rack for Cross/Inter Connectivity to Server
Rack in each POD
1.2.2
For any Add / Move / Change, the passive engineer should not do any activity on
the Active Switch rack at the Network / Spine Rack.
1.2.3
Intelligent solution should be provided to manage end to end connectivity
(both server rack and backbone/uplink connectivity for DC)
1.2.4
All Intelligent panels should connect to the Collector device. Intelligent
Copper and Fiber Panel should be integrated within the same Collector
device.
2
Systems: General Requirements
2.1
Cabling system shall include factory-terminated system components which
can be quickly mated to form an end-to-end optical link between patching
locations and/or equipment ports.
2.2
Cabling Solution should be a high density LSZH system solution with reduced
installation time.
2.3
Cabling system shall be a modular solution and should offer a greater degree
of flexibility in managing equipment moves, adds, or changes.
2.4
Cabling solution should maintain proper system polarity.
2.5
OEM shall submit the certificate stating bend insensitive glass is supplied for
this project and also attenuation report of fiber used.
2.6
Fiber cable & jumper shall have OM3 fiber with bend insensitive fiber. Trunk
cable and jumper should be able to withstand bending radius of 3 times the
outer diameter. Macro bend loss in fiber cable and jumper shall not be more
than 0.2 dB when 2 turns are made in a 7.5 mm mandrel and 0.1 dB when 2
turns are made in a 15 mm mandrel.
2.7
All Passive Components should be RoHS (Restriction of Certain Hazardous
Substances) compliant. The declaration "RoHS Compliant" should clearly be
mentioned on the datasheet of each Passive Component.
2.8
There should be 25 year product warranty and Application Assurance for
passive components and minimum 1 year warranty for any active
components.
2.9
All specification and relevant documents should be available on public
domain.
2.10
All the passive component should meet the given Global standards.
2.11
Supporting data sheet should be same for all geographical location of the
manufacturer.
3
Trunk MTP to MTP cable Specifications:
3.1
Optical Fiber Cable shall have OM3 fiber with bend insensitive fiber. The
cable should be able to withstand bending radius of 3 times the outer
diameter.
Maximum insertion loss in MTP connector should be 0.25 dB
3.2
Maximum reflectance loss in MTP connector should be <-20 dB
3.3
Trunk cable shall be manufactured with ultra-bendable fiber and meet the
fiber performance mentioned in below table 1:
3.3.1
• Fiber Attenuation max (dB/km) @ 850 nm 2.8
3.3.2
• Fiber Attenuation max (dB/km) @ 1300 nm 1.0
3.4
Trunks shall be constructed with MTP male (with pin) connectors at both
ends
3.5
Fiber Trunk count shall be available in 12, 24, 36, 48, 72, 96, 144 and OEM
should have capability to make high fiber count of 288, 432 and 864.
3.6
Trunks shall be furcated (subdivided) into 12-fiber legs (subunits). Standard
leg length shall be 33 in +3/-0 in.
3.7
Trunk length shall be specified as the distance between furcation points at
each end of the cable and shall not be inclusive of the length of the legs at
each end.
3.8
Trunk furcation plugs shall consist of a molded outer shell filled with an
epoxy encapsulate.
3.9
The furcation plugs shall be square in order to facilitate plug rotation in 90
degree increments. This feature allows mounting the trunk into the hardware
in any orientation and avoids standing torsional forces applied to the cable.
3.10
The trunk shall incorporate a flexible boot at the back of the epoxy plug, in
order to provide a uniformly smooth transition between the plug and the
trunk cable.
3.11
A tool-less snap-on device shall be used to secure the trunk into the hardware.
There shall be options of snap-on devices that can hold either a single cable or
a double cable.
3.12
Trunk furcation plugs shall provide a mounting point for a protective pulling
grip and shall be capable of sustaining the rated tensile load of 100 lbs.
3.13
Trunk furcation plugs shall incorporate mechanically designed features that
allow securing the trunks inside a connector housing.
4
Leaf Racks to spine Racks: 40/100G connectivity (Should provide
required uplink ports) in each Pod and within PoDs:
4.1
Trunk cable shall have OM3 fiber with bend insensitive fiber. Trunk cable
should be able to withstand bending radius of 3 times the outer diameter.
4.2
Maximum insertion loss in MTP connector should be 0.25 dB
4.3
Maximum reflectance loss in MTP connector should be <-20 dB
4.4
Trunk cable shall be manufactured with ultra-bendable fiber and meet the
fiber performance mentioned in below table 1:
4.4.1
• Fiber Attenuation max (dB/km) @ 850 nm 2.8
4.4.2
• Fiber Attenuation max (dB/km) @ 1300 nm 1.0
4.5
Trunks shall be constructed with MTP male (with pin) connectors at both
ends
4.6
Fiber Trunk count shall be available in 12, 24, 36, 48, 72, 96, 144 and OEM
should have capability to make high fiber count of 288, 432 and 864.
5
LIU and Cassette for Server rack and leaf rack connectivity non-intelligent
5.1
Fiber shelf should have High Density Enclosure which can cater 144 Core in
1U Rack Size for Server Rack, however there should be minimum 24F core to
start with, OM3 MM with Accessories with LC or MPO Sockets.
5.2
Each 1U Tray shall have patch cord routing guides that allow a transition and
jumper management point.
5.3
The connector housings shall have a labeling scheme that complies with
ANSI/TIA/EIA-606.
5.4
Modules shall permit front and rear installation into the housings.
5.5
MPO cassette shall have inbuilt dust cover which allows a single hand
operation. The shutter adapter shall eliminate the need to remove and reinstall dust caps. The shutter adapter shall be VFL compatible.
5.6
Fiber LIU tray should be able to support both LC and MPO cassette for
(10/40/100G) requirement
6
LIU & Cassette for SPINE Racks Fiber Termination using
MPO/MTP connector in each SPINE Rack for Leaf connectivity
6.1
Fiber shelf should have High Density Enclosure which can cater Min 288
Fiber ports in 4U Rack Size, however there should be minimum 48F core to
start with, OM3 with Accessories of LC or MPO Sockets.
6.2
Each 1U Tray shall have patch cord routing guides that allow a transition and
jumper management point.
6.3
The connector housings shall have a labeling scheme that complies with
ANSI/TIA/EIA-606.
6.4
Modules shall permit front and rear installation into the housings.
6.5
MPO-LC cassette shall have inbuilt dust cover which allows a single hand
operation. The shutter adapter shall eliminate the need to remove and reinstall dust caps. The shutter adapter shall be VFL compatible.
6.6
Fiber LIU tray should be able to support both LC and MPO cassette for
(10/40/100G) requirement in same fiber shelf
6.7
Each MTP cassette shall have 6 LC duplex port in front and 1 MTP connector
at rear side.
7
Leaf Racks Fiber Patch Cord (Required to connect to switches
for uplink for SPINE connectivity)
7.1
Jumper shall be LSZH rated.
7.2
Jumper shall have duplex LC connector.
7.3
The jumper should have a mechanism that allows the polarity to be reversed in
the field. A way to identify if the jumper polarity has been flipped should be
provided on the connector.
7.4
The jumper shall be constructed with a single 2 mm round cable with no
preferential bend that allows easy routing and reduces jumper congestion in
the housings and vertical managers.
7.5
The jumper should be able to withstand bending radius of 3 times the outer
diameter. Macro bend loss in fiber jumper shall not be more than 0.2 dB
when 2 turns are made in a 7.5 mm mandrel and 0.1 dB when 2 turns are
made in a 15 mm mandrel.
7.6
Jumper shall have OM3 fiber glass
7.7
Optic fiber OM3 Patch Cord of required length
8
SPINE Racks Fiber Patch Cord (Required to connect to switches
for uplink for Leaf same rack connectivity)
8.1
Jumper shall be LSZH rated.
8.2
Jumper shall have duplex LC connector.
8.3
The jumper should have a mechanism that allows the polarity to be reversed in
the field. A way to identify if the jumper polarity has been flipped should be
provided on the connector.
8.4
The jumper shall be constructed with a single 2 mm round cable with no
preferential bend that allows easy routing and reduces jumper congestion in
the housings and vertical managers.
8.5
The jumper should be able to withstand bending radius of 3 times the
outer diameter. Macro bend loss in fiber jumper shall not be more than 0.2 dB
when 2 turns are made in a 7.5 mm mandrel and 0.1 dB when 2 turns are
made in a 15 mm mandrel.
8.6
Jumper shall have OM3 fiber glass
8.7
Optic fiber OM3 Patch Cord of required length
Data Centre Infrastructure Management (DCIM)
TABLE 4
The Intelligent Infrastructure Management/ Data Center Infrastructure
Management solution offered must be ready to meet the following
critical requirements:
Compliance (Y/N)
Details
1
The solution should be capable of tracking device history for networked end devices
including the following forensics details:
1.1
When device was first connected to the network
1.2
If and when it was removed from the network
1.3
If and when it was moved from one physical location to another
1.4
How long it has been active or inactive.
1.5
Asset, configuration and change management
2
The solution should fully comply with ANSI/TIA 606-B (including B-1) and
ISO/IEC 18598 standards.
3
The solution should deliver physical connectivity information to the management
software.
4
The solution should be a complete Real Time Interconnect Solution and should
provide alerts for:
4.1
a. Patch cord connections or disconnections from the patch panel.
4.2
b. Patch cord connections or disconnections from the switch.
4.3
c. Inter-changing of patch cords at the switch side.
4.4
d. Inter-changing of patch cords at the panel side.
5
These alerts should be patching connection or disconnection alerts. These should
show exact information about the panel port or switch port which got disconnected
or connected and end to end link information.
6
The Physical Layer Management solution should be strictly based on the physical
detection of patch cord connectivity.
7
The solution should provide the capability of electronically tagging any network
equipment such as network printer, servers, IP Camera, desktop, switches, modems,
etc.
8
The system should be robust and should report the patching connectivity information
as complete ONLY when the two ends of the same patch cords are inserted.
9
Patch cord removal from Panel / Switch side should be monitored and alerts like
email/SMS should be sent if any end of the patch cord is removed.
10
The solution should provide the technician an easy method of patching without
imposing any specific sequence rules/order for the patching.
11
The solution should provide the capability to automatically monitor 24/7 any remote
site network links and verify network availability all the time. In case of a link break,
the solution should send a real time event & alarm.
12
The solution should provide the capability to automatically connect to
remote database sites as well as to a local database.
13
The solution shall be able to maintain a record of the rack capacity and utilization
including:
13.1
Total rack space and occupied rack space
13.2
Total number of available intelligent panel ports
13.3
Total number of non-intelligent panel ports
13.4
Total number of switch ports and "switch utilization"
13.5
Total number of PDU power outlets (if installed at site)
13.6
Total number of environmental sensors (if installed at site)
14
The solution should be able to monitor on-line patch cord removal from either side:
14.1
Between intelligent panels
14.2
Between intelligent panel to active device like Switch.
14.3
The solution should have the following visual indications:
14.4
LED above each port - indicating patching rough, patching work order pending and
correcting blinking mode in case of patching mistake.
14.5
LED per each patching frame – indicating panel status.
14.6
Sound – in case of patching or removal of a cord between either intelligent panels or
between intelligent panels to a switch.
14.7
All Changes of the telecommunications infrastructure facilities and networked
devices should be maintained within the intelligent infrastructure management
system to keep track of current activities and completed activities including:
14.7.1
Real time tracking of authorized and unauthorized patching activities
14.7.2
Generation of move, add, change work orders
14.7.3
Providing means for retrieval of work orders at racks with intelligent equipment
using port LEDs, tablet, etc.
14.7.4
Automated tracking of work order completion
14.7.5
Scheduled work order and work order history
14.7.6
Monitoring and alerting on connected information
15
The solution should provide the capability of monitoring port availability status on
network equipment. Switches, patch panels and telecommunication outlets
should be monitored in real time for the purpose of detecting unexpected or
unauthorized activities.
16
The intelligent management software should use standard database (like
Oracle/SQL/MS Access) so that the solution should be able to communicate and
exchange data with other systems using standard protocols and database formats.
This is to provide easy integration and customised reporting to other systems.
Integration can be done via: SDK, SNMP traps, XML, database sharing and web
services.
17
Server provisioning feature should be supported and built in the solution at the time
of implementation. For this the solution should be ready and should not require
an integration module to be built to integrate with IP power strips to get information of the
power being consumed in the racks in real time.
18
Also the solution should be ready to connect to devices which control various
parameters in the Datacentre / Hub room environment (temperature sensors,
humidity sensors, door access sensors, etc.) and provide this information to the
software in real time and help in server provisioning.
19
The solution should offer as a built in feature the possibility to report any
unauthorized MAC outside the white list of MACs allowed on the site.
20
The solution should be capable to block switch ports automatically on intrusion
detection. This capability however should be selectable by the user depending on the
critical nature of the location.
21
The solution should provide visual representation of the Data Centre environment
for:
21.1
Power consumption
21.2
Space availability
21.3
Temperature, humidity and other related environment sensor information.
22
The solution should have inbuilt dashboard.
23
The solution should be provided with an unlimited user licenses. This is important to
enable use by multiple users.
24
The single scanning hardware unit should be able to connect to panels in more than a
single rack.
25
The work order execution should be achieved by LEDs on panel ports. No other
interface should be required for execution of the work order.
26
The solution connectivity, between the different scanning appliances, should be
based on standard RJ-45 or bus connector.
27
The solution should have built in reports for all physical layer monitoring, and also
for data center operations like power consumption, temperatures, rack status and
various other sensors information.
28
The intelligent solution must offer all copper and fiber options (RJ-45, LC, and
MPO/MTP)
29
The solution should support tablet/smart phone in order to present the work orders.
TABLE - 5
Power Distribution Unit (PDU) Specifications for SERVER or NETWORK Racks:
Compliance (Y/N)
Details
1
For Single phase each rack should have 2 IPDUs for redundancy & each IPDU
should be of single phase 32A, 230V and compatible with vertical mounting.
2
For Single phase each rack should have 2 IPDUs for redundancy & each IPDU
should be of single phase 63A, 230V and compatible with vertical mounting.
3
For three phase each rack should have 2 IPDUs for redundancy & each IPDU
should be of single phase 32A, 400V and compatible with vertical mounting.
4
Rack power distribution shall support needs of entry-level networking equipment
and blade environments. It should have minimum 24 C13 ports and minimum 6
C19 Receptacles/outlets for single phase and 24 C13 ports and minimum 6 C19
receptacles/outlets for three phase
5
Cord Length shall be min 3 Meters with input plug type as IEC 60309 (Industrial
socket).
6
Shall have the feature of overload branch circuit protection compliant with UL489.
7
The dimensions of the IPDU should be according to 42U rack.
8
Metered Rack PDUs monitor Input current (A), voltage (V), power (kW), apparent
power (VA), power consumption (W-hr), crest factor, Power Factor, etc. All the
IPDUs/Sensors should be integrating back into centralized monitoring and
management software (BMS/DCIM).
10
The IPDU should have the capability to work on dedicated wire free network to
eliminate requirement of network port and IP configurations in IPDU.
11
The wireless setup should not interfere with the Data Centre network, and the
wireless frequency should not affect the default working of data centre
equipment.
12
Class A Part 15 Class A of the FCC rules, CE & ROHS compliant, UL/IEC/VDE
certified.
13
The solution should be capable of integrating with any 3rd party system/any
DCIM/BMS for taking or providing the power or environment data.
TABLE -6 (Other Passive components)
1
Intelligent Modular Copper Frames
1.1
The Copper Frame should be a high-performance, cost-effective panel.
1.2
The Copper Frame should support RJ-45 modular jacks for simple and
modular architecture.
1.3
The Copper Frame should support mixed cross-connect and interconnect
network topologies.
1.4
The Copper Frame should be a managed frame that supports up to 24 RJ-45
modular jacks.
Compliance
(Y/N)
1.7
The Copper Frame should have a single LED above each port
1.7
The Copper Frame should include a multi-mode LED and push button to assist
technicians in monitoring, configuring, and troubleshooting
1.7
By incorporating a unique ID device within the frame and working together
with autosense topology, the location of each frame within the network as well
as its position within a rack should be available at all times, even after a frame
has been relocated.
1.8
The Copper Frame back panel should support a socket for the Scanning Card
that commands the port LEDs and patch cords, and also enables reading of the
intelligent ID devices.
2
Copper Patch Cord
2.1
Should be high-performance CAT6A copper Patch Cords that support Intelligent
cross-connect and interconnect topologies.
2.2
Based on a high-end CAT6A STP cord, the cord supports two additional stranded
wires to produce an eight-wire cord. The cord is terminated with patented RJ-45
plugs that include two conductive, external contacts.
2.3
The cross-connect topology should include two intelligent ID devices, one on
each end of the patch cord, while the interconnect topology includes one
intelligent ID device at the switch side
2.4
The plugs on the interconnect patch cord are fitted with a dummy latched cover
that enables easy plug insertion and removal from the frame or switch.
2.5
Cords must be under testing verification program by 3rd party lab certification
like: ETL/SEMKO/ Delta or 3P.
3
Copper Interconnect Patch Cord
3.1
Should Comprise of 8 data-wires Category6A S/FTP flexible patch cable + 2
control wires, terminated with two fully shielded RJ-45 plugs at each end with
two external ID contacts
3.2
Should be Non-molded flexible boot for enhanced life and reliability
3.3
Should Conform to ANSI/TIA-568-C.2, ISO/IEC 11801 2.1 edition and
CENELEC EN50173 (2007) standards for Category 6A/CLASS EA
3.4
Should be Backward compatible with Category 5e and 6 – UTP and STP
3.5
Should be 100% tested at the factory
3.6
Cords must be under testing verification program by 3rd party lab certification
like: ETL/SEMKO/ Delta or 3P.
4
Copper keystones:
4.1
Should have 8 internal contacts only.
4.2
The solution will support C5e, C6 and C6A shielded and un-shielded keystones
types.
5
Intelligent Fiber Trays (Intelligent Tray without Cassette)
5.1
The Fiber Tray supports mixed cross-connect and interconnect network
topologies.
5.2
The Fiber Tray should support three types of fiber patching options: LC-LC,
LC-MPO, and MPO-MPO.
5.3
The Fiber Tray should support both Single-Mode (SM) and Multi-Mode (MM)
OM4 fiber types.
5.4
By incorporating a unique ID within the tray and two external contacts in each
port in the tray, it should be possible to achieve system-wide ID polling and
message routing. This allows unique monitoring, control, and maintenance of
the system.
5.5
The Fiber Tray should be a high-end fiber optics-managed tray that supports
up to 96 LC-LC fiber strands (LC-LC and LC-MPO) along with a full
management system.
5.6
To assist in monitoring, configuring, and troubleshooting, the Fiber Tray
should include a bi-color LED on the tray and a single LED above each port in
the cassette.
5.7
The Fiber Tray should contain a push button that enables you to initiate
manual port scanning for viewing system connectivity.
5.8
The Intelligent LC-LC Fiber Tray supports two Scanning cards and two RJ-45
ports with keystones for connections to the Scanning Device /Analyzer ports.
5.9
Supports a simple, modular architecture with up to four cassettes; each cassette
with 24 ports
5.10
Should support 96 fibers (48 duplex LC ports) in 1U format for LC, MPO,
splitter/pigtail cassette installation and in mixed interconnect and
cross-connect topologies
5.11
Should provide an individual LED on each port, which assists in visual
monitoring and maintenance
5.12
Should provide a unique Intelligent ID to each of the four cassettes and internal
PCB for system- wide identification and determination of cassette position
within the chassis
5.13
The tray can support 1, 2, 3 or 4 cassettes in different location.
5.14
In any case, the fiber adapters (either LC or MPO) should not include any
internal metal connectivity contacts (as part of the patching sensing). Any
patching contacts must be external to these fiber adapters.
6
Intelligent Fiber LC Cassettes
6.1
Front connection (patch cord side) should have 12 x LC duplex adapters
6.2
Back connection (cabling side) should have 12 x LC duplex adapters
6.3
Should have one pair of LEDs for each port on the front panel (that is, one LED
for each fiber).
6.4
LEDs should show the status of ports.
6.5
Should comply to EN 55022, Class B (Europe) compliant & FCC Part 15,
subpart J, Class A (USA) compliant
7
Intelligent Fiber LC MPO Cassettes
7.1
Front connection (patch cord side) should have 12 x LC duplex adapters (MM
or SM)
7.3
Back connection (cabling side) should have 2 x MPO adapters
7.4
Should have one pair of LEDs for each port on the front panel (that is, one LED
for each fiber).
7.5
LEDs should show the status of ports.
7.6
The port LEDs can be activated by command from the network management
station.
7.7
Attenuation should not be greater than 0.5dB
7.8
Should comply to EN 55022, Class B (Europe) compliant & FCC Part 15,
subpart J, Class A (USA) compliant
8
Fiber Cords
8.1
All Intelligent Patch Cords should support both interconnect and cross-connect
topologies.
8.2
Patch cords are designed for Single-Mode and Multi-Mode applications at
10G/40G/100Gbps.
8.3
Cross-connect topology should include two Intelligent ID devices, one on each
end of the patch cord. The cord should include fiber plug interface with unique
ID on both ends.
8.4
Interconnect topology should include one intelligent ID device at the switch
side. The cord includes fiber plug interface with two external pins on both ends
9
Fiber Cords LC Interconnect Intelligent Patch cord
9.1
Should be Designed for Intelligent application and as stand-alone cord
9.2
Should be Available with two fiber types – Single-Mode and Multi-Mode
50/125 OM4
9.3
Should Comply to IEC 60332-3C IEC 61034 IEC 60754
9.4
The Jumper should meet the requirements of ANSI/TIA/EIA-568-C.3
10
Fiber Cords MPO-MPO Cross Connect Intelligent Patch cords
10.1
Should be Designed for Intelligent applications
10.2
Connectors should be compliant with FOCIS-5D standard
10.3
Should be Fully compatible with 40G and 100G* IEEE 802.3 applications
10.4
Should be Available in several lengths
10.5
Should comply to IEC 60332, IEC 61034, IEC 60754
10.6
The Jumper should meet the ANSI/TIA-568-C.3 requirements.
11
Intelligent Scanning Card
11.1
The Card should be a pluggable device that supports physical network
identification on interconnect and cross-connect topologies.
11.2
The Card should automatically detect and read up to 24 Intelligent ID devices
present on each Copper Frame or Fiber Tray and on patch cords.
11.3
The Card should route commands to the port LEDs located above each panel
port.
11.4
Every Card should contain unique ID information, enabling proper
identification and communication on the Intelligent Infrastructure
Management (IIM) network.
11.5
The Card should be connected via a socket on the back of the frame using dual
mounting latches, locking it securely in place for enhanced reliability.
11.6
The Card should communicate with higher-level system components through a
standard RJ-45 connector.
11.7
The Card can be added in later stages of the installation.
12
Scanning Hardware /Scanner / Analyzer
12.1
Should support mixed cross-connect and interconnect network topologies
12.2
Should allow ease of expansion, control, and management of an unlimited
number of ports in real time.
12.3
Should support copper and fiber solutions, both individually and in a mixed
configuration in the same system, with 10 Gbps and 40/100 Gbps.
12.4
Solution does not interfere with the actual network data. Therefore, its
communication over the network does not cause any load on the network.
12.5
Should give LED signalling of make/break status
12.6
Should support Tablet application for work orders
12.7
Should Support Environmental Controller
12.8
Should support SDK for easy interfacing to other application
12.9
Each scanning hardware should support up to 24 Cards, with each Card
capable of supporting 24 ports, resulting in a single device capable of
supporting up to 576 ports.
12.10
The scanning hardware should support up to four TCP/IP ports through an
internal L2 switch, saving on ports in the main switch and enabling cascading
of scanning hardware to provide unlimited network expansion.
12.11
Should also support connectivity to other network IP devices such as PDUs.
12.12
The Scanning hardware should support installation in zero-U configuration for
rack space optimization. If needed, the device can also be installed in
1U configuration.
12.13
The Scanning hardware should support connections to external devices such as
a tablet PC (via mini-AB USB connector) and any USB device such as a flash
drive (via a host type A USB socket).
12.14
The Scanning hardware should be powered through the mains supply via a
power socket on the rear, and supplies power to the Cards over the RJ-45
connector.
13
Tablet
13.1
The tablet supports performing work orders (MACs) in an easy and
user-friendly manner.
13.2
The tablet should support multi-tasking MAC at the same time and have the
ability to monitor whole infrastructure network.
14
ID Key Reader
14.1
Should be used for Learning Mode only
14.2
Builds the ID database of the Switch modules & ports
14.3
Should support LC duplex or RJ-45 male connectors
14.4
Should have Mini USB for tablet connection
15
Intelligent Copper ID Key
15.1
Intelligent ID Key that stores useful link information such as switch, rack, cable
type, and revision level
15.2
Standard should be IEC 60603-7 compliant
15.3
Should Comply with ANSI/TIA-568-C.3
TABLE - 7
KVM Requirement in SERVER RACK:
SRL no.
DETAILS
Compliance(Y/N)
Functionality
A1
KVM should be able to provide min. 8 ports in 1U
A2
KVM should provide total 2 port access (1 IP port + Local port).
A3
Servers can be located up to 40 meters away from the KVM.
A4
KVM should have DB-15 VGA (up to 1600 x 1200) and 2 x USB for KB
& MS local port for enhanced local administration
A5
KVM should have IP remote access across the world wide web
A6
KVM should support DVI-USB dongle, VGA-USB dongle & VGA-PS/2
dongle
A7
KVM should have redundant power port
A8
KVM should have the regulatory approval - CUL, FCC & CE
A9
KVM should be capable of auto scanning servers
A10
KVM should provide easy switch between connected devices with:
Hardware Push Button, Hot-Keys, OSD menu
A11
KVM should be compatible with Windows, Linux, Unix, or Mac OS
A12
KVM should allow firmware update at the IP console platform
A13
KVM should support DHCP / BOOTP / DNS
A14
KVM should provide event log list to view at the IP console platform
A15
KVM should be able to provide min. 8 ports in 1U
A16
KVM should provide total 2 port access (1 IP port + Local port).
A17
Servers can be located up to 40 meters away from the KVM.
Security
A18
KVM should support SSL v3, RSA, AES, HTTP/HTTPS, CSR.
A19
KVM should be able to create up to 15 username & password at IP
console platform
A20
KVM should provide three different user role groups permission for
management at IP console platform
Table 8
Network Rack specification
Quantity: 40 or more, if required
Sr. No.
Feature Set
Qty per rack
Compliance (Yes/No)
A
Solution Requirement
A1
42 U Network Rack of Dimension (800WX1000D)
A2
Modular cabinet Networking - 42U - 800W - 1000D - Black Fine Tex.
1
A3
Modular cabinet Honeycomb (Performax) Flat Plain Door - 42U 800W - Black Fine Tex. - Assembly front and back door
2
A6
Modular cabinet Side Panel - 42U - 1000D - Cam Lock - 1/3
Ventilation - Black Fine Tex.- Assembly
2
A7
Fan's - AC - 90 Cfm - with four fans - Assembly
1
A8
Mounting Hardware Packet - 1000 Set
1
A9
Metal Cable Channel- 100 mm Width - 1600 mm Height - Black Fine
Tex. – Assembly
4
A10
Castor - 3 Inch Height - With Brake - Assembly
2
A11
Castor - 3 Inch Height - With Out Brake - Assembly
2
A12
Power Distribution Unit - 06/16 Amp universal socket - 12 Socket Single Pole / Screw Mountable / 32 Amp MCB / Alternating Current
- Indicator - Black Fine Tex. - Assembly
2
A13
Power Distribution Unit should be of intelligent and should get
monitored using SNMP through network, should support SNMP V.2
and V.3
2
A14
Rack should be having electronic, programmable, contactless card
door lock
2
Table 8
Rack Access Control Requirement:
Comply (Y/N)
A1
1. The rack access control system should provide an extensive range of alarm and
system messages that should be customized.
a.
Temperature
b.
Unauthorized access
c.
Status of Lock (open/closed)
d.
Green period
e.
Blocking period
A2
2. The system should be able to provide wide range of options
a.
Time stamp profiles
b.
Days
c.
Organizations
d.
Temperature
e.
Level of authentication – single , dual, triple
A3
3. The system should be compatible for centralized architecture and decentralized architecture.
A4
4. The software must be reliable and convenient for different users with different
access profiles for their respective data racks.
A5
5. All actions should be logged as "log events" which could also be exported (pdf,
html, mht, rich text, excel, icsv)
A6
6. The software graphically displays the status of all swing handle stations in real
time.
A7
7. The swing handle lock should have multicolor status LED indicator and field
for display of rack name and number.
A8
8. Four Eye Principle – Triple authorization via transponder card and secret pin
/ numeric key pad numbers at rack level
A9
9. The Mechatronic lock should have memory to store 1,000 user cards + 1,000
Pins + 1 Super User
A10
10. The system should work as standalone during network failure
A11
11. The system should provide High Security, Control mechanism, Monitoring
and Audit reports
A12
12. The swing handle should have a feature to turn to unlock automatically
during emergency / fire accidents
A13
13. The Mechatronic locks should eliminate the use of traditional mechanical key
locks for racks
A14
14. The system should be Retrofitted on server racks of different OEM rack
manufacturers
A15
15. It should have proper mechanism to override in case of network failure /
power failure / emergency without breaking the swing handle.
A16
16. The system / software should facilitate planned access and super user
function
A17
17. The system / software should have task scheduler for pre-programming the
activities in DC
A18
18. The system / Software should allow specific user to be assigned to a specific
racks.
A19
19. The Software should integrate with authentication system like Active
Directory, Radius, etc. ,
A20
20. The geographically distributed devices across different locations should be
controlled, monitored, and audited from a remote location.
Active components
Requirement Baseline and summary
Sr. No.
Requirement baseline
Requirement Details
Minimum Quantity
A
A1
1/10G - UTP DATA Port per Rack
12+12
A2
10/25G - Optic Fibre DATA Ports per Rack
12+12
A3
1/10G - UTP Out of Band (OOB) Ports per Rack
12+12
A4
Number of racks in one cluster for Leaf Networking
4
A5
Total Number of Server Racks in one server hall (POD)
220
A6
Total Number of Rack Cluster Units Per Server hall (POD)
55
A7
Total Number of Server halls (POD)
4
A8
Leaf switches type 1 and 2 to SPINE connectivity over subscription ratio
6:1
SBI, Hyderabad Data Center
Compliance(Y/N)
Sl
no
Description
General Requirement TABLE - 9
Sr.
No.
A
Feature
General Requirement
A1
Attach solution document containing detailed bill of material (make, model, OS
details: version, date of release, date of release of next version, end of sale &
support date, product development path, etc.)
A2
Solution should integrate seamlessly with Bank's existing network infrastructure
comprising of Cisco and other make router/switches/firewalls/IPS and various
types of WAN links
A3
Please submit a list of all features provided by each component of the proposed
solution in addition to the specifications mentioned in this document that will be
available to the bank without any additional charges and will be under support.
These features will be treated at par with other features mentioned in the RFP
B
Licensing Requirement
B1
Solution should have enterprise license without any restrictions to use the
features mentioned in the RFP from day one. If during the contract, solution is
not performing as per specifications in this RFP, bidder has to upgrade/enhance
the devices or place additional devices and reconfigure the system without any
cost to bank
B2
Solution and its various features like switching, routing, NIPS, Firewall and
other inbuilt features etc should not have any licensing restriction on number of
users, concurrent connections, total connections, new connections, number of
vlan, zones, number of policies, number of appliances, other network parameters,
number of equipments / servers etc as per the RFP specification
B3
The offered product part codes have to be General Availability Part codes and not
custom built Part Code for the Bank. There should be cross reference to the public
website of the OEM
B4
Any third party product required to achieve the functionality should be provided
with the necessary enterprise version license of software/appliance and necessary
hardware, database and other relevant software or hardware etc should be
provided with the solution
C
Scope of Work for network
C1
Bidder has to own the responsibility of making the solution run as desired by the
Bank
C2
Bidder to implement the network and post successful run, has to handover the
active part to the network integrator of the Bank
C3
Bidder has to transfer support of active components to the NI of the Bank
C4
If some components are missed out or not properly sized, onus is on the bidder to
replace it.
C5
Bidder has to design, lay and test the cabling to cater the DC requirements.
Cabling will be done in phases and bidder has to arrange for the same as and
when required.
C6
Bidder has to arrange at least 4 onsite, dedicated, skilled cabling officials, who will
be overall in charge of the cabling and will also do structured cabling, intra and
inter rack cabling
C7
Bidder shall also be responsible of connectivity between mux rooms to server
farm rooms
C8
Switching and routing equipment should be supplied from same OEM.
Important : Wherever 10/25G or 40/100G is written, it is meant that given
equipment should have scalability to use the higher and lower bandwidth, however
in case of 40/100G uplink for UTP leaf switches, bidder may propose 40G or 100G
uplink maintaining the given over subscription ratio.
The 40/100G card/module must support 40G and 100G without changing the
card/module. Whenever Bank requires 100G ports that has to be provisioned by the
bidder without any cost to the Bank. Bank will pay the cost of Transceivers only-NOT
FOR CARD/MODULE. Bidders should quote the appropriate cards accordingly
fulfilling the requirement asked.
Switching Fabric Architecture TABLE - 10
Quantity: Enough to accommodate 880 Server racks
with 4 racks in each cluster and in 4 different POD
with 220 racks in each POD
Sr. No.
Compliance(Y/N)
Feature Set
A
Fabric Definition
A1
Fabric is the IP Clos Architecture defined using Spine, Leaf,
Controller and VXLAN + ISIS or VXLAN + EVPN Protocol
A2
Fabric should have following functionalities to be achieved:
A2.1
Flexibility : allows workload mobility anywhere in the DC
A2.2
Robustness : while dynamic mobility is allowed on any
authorized location of the DC, the failure domain is contained
to its smallest zone
A2.3
Performance: full cross sectional bandwidth (any-to-any) –
all possible paths, inside the PoD and among PoDs between
two endpoints should be active
A2.4
Deterministic Latency : fixed and predictable latency between
two endpoints with same hop count between any two
endpoints, independently of scale
A2.5
Scalability : The solution should be designed to achieve
desired scale in terms of number of servers by adding
additional leaf switches while maintaining the same
oversubscription ratio everywhere inside the fabric
B
Hardware and Interface Requirement
B1
Fabric Connectivity should have the following properties:
B1.1
Leaf switches type 1 (48 Port UTP) and Type 2 (48 Port Fiber)
to SPINE connectivity should use uplink port using line rate
40/100G only
B1.2
Each Leaf switch should connect each SPINE switch using
equal bandwidth uplink ports
B1.3
Leaf switch Type 1 (48 Port UTP) in the fabric should have
access ports of 1/10G (G/Gb/Gbps=Gigabits per second) ports
bandwidth and required 40/100G uplink ports to achieve the
over subscription ratio
B1.4
Leaf switch Type 2 (48 Port Fiber) in the fabric should have
access ports of 1G/10G/25G ports and required 40/100G
uplink ports to achieve the over subscription ratio
B1.5
All switches including spine and leafs should be of line rate
(non-blocking) including access and uplink ports
B1.6
Each SPINE switch must connect with each Super Spine Switch
using 40/100G uplinks while maintaining the desired (6:1) over
subscription ratio. Each Super Spine Should connect to each
DMZ Switch with 40/100G
C
Fabric Features
C1
In the fabric the oversubscription ratio of the connectivity
between each leaf to SPINE switches should not be less than 6:1
C2
Each POD Spine must connect to Super Spine Switches with an
oversubscription ratio of 6:1 for uplink connectivity .
C3
Fabric must support various Hypervisor encapsulation
including VXLAN/EVPN (Ethernet VPN) and 802.1q natively
without any additional hardware/software or design change.
C4
Fabric should be able to auto discover all the hardware and
auto provision the fabric
C5
The fabric architecture must be based on hardware VXLAN
overlays to provide logical topologies that are abstracted from
the physical infrastructure with no performance degradation.
Fabric must support Virtual Extensible LAN (VXLAN)
Switching/Bridging and VXLAN Routing.
C6
Fabric must provide open programmable interface using
Python SDK, Json SDK, XML, netconf or COBRA etc. from the
Central Management appliance / SDN (Software Defined
Networking) Controller for programming/configuring the
entire fabric.
C7
Fabric must provide open scripting interface using Bash /
powershell / NetConf/YANG from the central management
appliance / SDN Controller for configuring the entire fabric.
C8
Fabric must support Role Based Access Control in order to
support Multi - Tenant environment.
C9
Fabric must integrate with different virtual machine manager
and manage virtual machine networking from the single pane
of Glass - Fabric Controller/SDN Controller
C10
Fabric must integrate with best of breed L4 - L7 Physical and
virtual appliances for management purpose
C11
Fabric must provide deeper visibility into the fabric in terms of
latency and packet drop between VM(Virtual Machine) to VM,
VM to Physical server and vice versa, Leaf to another leaf etc.
C12
Fabric must act as distributed layer 2 and Layer 3 Fabric
C13
Fabric must provide REST APIs from the Central management
appliance/SDN Controller in order to integrate with best of
breed Management, Monitoring, Hypervisor and Cloud
automation & Orchestration software.
C14
Solution must support multiple data centers architecture
C15
Solution must support multiple physical data centers working
as a single logical data center
C16
Solution must support extending L2 subnets across DCs (Data
Centers)
D
Fabric Layer 2, Layer 3 and Misc. Features
D1
Fabric is a layer 3 fabric
D2
Fabric must support Layer 2 features like LACP, STP /RSTP
/MSTP, VLAN Trunking, LLDP etc
D3
Fabric must support multi chassis ether channel/MLAG i.e.
Host connects to two different Leaf switches and form ether
channel using LACP/NIC Teaming on Host
D4
Fabric must support Jumbo Frame up to 9K Bytes on
1G/10G/25G/40G/100G ports
D5
Fabric must support Layer 2 Multicast i.e. IGMP v1, v2 and v3
and Layer 3 Multicast
D6
Fabric must support IP v4 and IP v6 FHRP using HSRP or
VRRP
D7
Fabric Must support IP v4 and IP v6 Layer 3 routing protocol
OSPF and BGP
D8
Fabric must support IP v6 dual stack
D9
Fabric must support traffic redistribution between different
routing protocol
D10
Fabric must support IP v4 and IP v6 management tools like Ping, Traceroute, VTY, SSH, TFTP and DNS
D11
Fabric must support IP v4 and IP v6 SNMP V1 / V2 / V3
D12
Fabric must support RMON/RMON-II for monitoring
D13
Fabric must support integration with the centralized Syslog
server for monitoring and audit trail
D14
Fabric must support NTP
E
Fabric Security Features
E1
Fabric must support State less firewall for restricting the access
and provide security
E2
Fabric must provide RBAC policies and support AAA using
Local User authentication, External RADIUS, External
TACACS+, External LDAP, External AD
E3
Fabric must support Micro Segmentation for the Virtualized and
Non-Virtualized environment
E4
Fabric must support true multi-tenancy
E5
Fabric must be accessible using CLI over SSH and GUI using
HTTP/HTTPS
E6
Fabric must support SNMP v2/3 with HMAC-MD5 or HMAC-SHA
authentication and DES encryption.
E7
Fabric must act as a State-less distributed firewall with the
logging capability
F
Fabric Service Features
F1
Fabric must be capable of integrating with L 4 - L7 services
using physical or virtual appliances i.e. Firewall, ADC, IPS etc.
F2
Fabric must support State less firewall for restricting the access
and provide security
G
Fabric Scale and Performance
G1
Fabric should support scale up and scale out without any
service disruption
G2
Fabric must support for 500 VRF/Private network without any
additional component or upgrade or design change
G3
Fabric must scale from 100 Tenant to 500 Tenant without any
additional component or upgrade or design change
G4
Fabric must integrate with Virtual Machine Manager (i.e.
vCenter, SCVMM, OpenStack etc.) of different Hypervisors
simultaneously
G5
Fabric must be capable of connecting 5000 physical servers
and scale to 10000 physical servers.
G6
Fabric must support minimum of 1000 Leaf switches and scale
upto 2000 Leaf switches without any design change.
G7
Fabric must support minimum of 2 Spine Switches and scale
upto 8 Spine switches without any design change.
G8
Spine Switches must have adequate number of line rate
40/100G ports to support desired Leaf Scale. Each Leaf
connects to Each Spine using minimum 1 x 40/100 G ports
connectivity i.e. Each Spine must have 220 nos. of line rate
40G/100G ports scalable to 256 nos with consideration of leaf
to SPINE over subscription ratio of 6:1
G9
Fabric must support 20K IPv4 and 10K IPv6 routes scalable to
30K IPv4 and 15K IPv6 routes.
G10
Fabric must support minimum 4K multicast groups
G11
Fabric must support 256 nos. of MC -LAG/VPC/LAG scalable
to 500 nos. Each MLAG/VPC/LAG must support maximum 8
member links.
H
Fabric management
H1
Fabric must provide Centralised Management Appliance or
SDN Controller - Single pane of Glass for managing,
monitoring and provisioning the entire Fabric.
H2
Centralised management appliance or SDN Controller should
not participate in Data plane and control plane path of the
fabric.
H3
Centralised management appliance or SDN Controller must
provide necessary report for compliance and audit.
H4
Centralised management appliance or SDN Controller must
communicate to south bound devices using open standard
protocol i.e. OPFLEX, OPENFLOW, OVSDB etc. or using
Device APIs.
H5
Centralised management appliance or SDN Controller
communication with the south bound devices must be
encrypted
H6
Centralised management appliance or SDN Controller must
communicate with the south bound devices using more than
one IP path
H7
Centralised management appliance or SDN Controller provide
dynamic device inventory of the Fabric as well as current
network topology of the fabric. It must also validate the cabling
connectivity and generate alarms in case of wrong or faulty
connectivity.
H8
Centralised management appliance or SDN Controller must
run in "N + 1 or N + 2" redundancy to provide availability as
well as function during the split brain scenario
H9
In the event that all Centralised management appliances or SDN
Controllers fail, the fabric must function without any
performance degradation and with the current configuration.
H10
Centralised management appliance or SDN Controller must
support multi tenancy from management perspective and also
provide Role Based Access Control per tenant for the tenant
management.
H11
Centralised management appliance or SDN Controller must
support TACACS+, RADIUS, LDAP or Local Authentication. It
must also provide an integration with the Syslog servers.
Leaf (UTP) Switch Specification: TABLE –11A
Quantity:440
Sr. No.
Feature Set
Compliance(Y/N)
A
Solution Requirement
A1
The Switch should support non-blocking Layer 2 switching and Layer 3
routing
A2
The switch should not have any single point of failure; components like power
supplies and fans etc. should have 1:1/N+1 level of redundancy
A3
Switch should support in-line hot insertion and removal of different parts like
modules/power supplies/fan tray etc. This should not require switch reboot or
disrupt the functionality of the system
A4
Switch should support the complete STACK of IP V4 and IP V6 services
A5
The Switch and different modules used should function in line rate and
should not have any port with oversubscription ratio applied
B
Hardware and Interface Requirement
B1
Switch should have the following interfaces:
B1.1
a. 48 x 100M/1000M/10G Ethernet RJ45 Interface
B1.2
b. 2 x 40/100GbE QSFP ports + two additional ports
B2
Switch should have console port
B3
Switch should have management interface for Out of Band Management
B4
Switch should be rack mountable and support side rails if required
B5
Switch should have adequate power supply for the complete system
usage with all slots populated and used and provide N+1 redundant
B6
Switch should have hardware health monitoring capabilities and should
provide different parameters through SNMP
B7
Switch should support VLAN tagging (IEEE 802.1q)
B8
Switch should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Switch should support Configuration roll-back and check point
B10
Switch should support for different logical interface types like loopback,
VLAN, SVI/RBI, Port Channel/LAG, multi chassis port channel etc
C
Performance Requirement
C1
The switch should support 12,000 IPv4 and IPv6 routes entries in the
routing table including multicast routes
C2
Switch should support Graceful Restart for OSPF, BGP etc.
C3
Switch should support minimum 1000 VRF instances
C4
The switch should support uninterrupted forwarding operation for routing
protocols like OSPF,
BGP etc. to ensure high-availability during primary
controller failure
C5
The switch should support hardware based load balancing at wire speed
using LACP and multi chassis etherchannel/LAG
C6
Switch should have wire rate switching capacity including the services:
C6.1
a. Switching
C6.2
b. IP Routing (Static/Dynamic)
C6.3
c. IP Forwarding
C6.4
d. Policy Based Routing
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
g. IP V.6 host and IP V.6 routing
C7
Each leaf should have connectivity to all spine switches and the over
subscription should not be less than 6:1 within a POD
D
Advance Features
D1
Switch should support Network Virtualisation using Virtual Over Lay
Network using VXLAN (RFC 7348)/NVGRE
D2
Switch should support VXLAN and EVPN or equivalent for supporting
Spine - Leaf architecture to optimise the east - west traffic flow inside the
data center
D3
Switch should support OpenFlow/Open Day light/Open Stack controller
D4
Switch should support Data Center Bridging
D5
Switch should support multi OEM hypervisor environment and should be
able to sense movement of VM and configure network automatically.
E
Layer2 Features
E1
Spanning Tree Protocol (IEEE 802.1D, 802.1W, 802.1S)
E2
Switch should support VLAN Trunking (802.1q) and should support 4096
VLAN
E3
Switch should support basic Multicast IGMP v1, v2, v3
E4
Switch should support minimum 96,000 no. of MAC addresses
E5
Switch should support 8 Nos. of link or more per Port channel (using
LACP) and support 96 port channels or more per switch
E6
Switch should support Industry Standard Port/Link Aggregation for All
Ports across any module or any port.
E7
Switch should support multi chassis Link Aggregation for All Ports across
any module or any port of the switch and Link aggregation should support
802.3ad LACP protocol for communication with downlink/uplink any
third party switch or server
E8
Switch should support Jumbo Frames up to 9K Bytes on 1G/10G Ports
E9
Support for broadcast, multicast and unknown unicast storm control to
prevent degradation of switch performance from storm due to network
attacks and vulnerabilities
E10
Switch should support Link Layer Discovery Protocol as per IEEE 802.1AB
for finding media level failures
F
Layer3 Features
F1
Switch should support all physical ports to use either in Layer2 or Layer 3
mode and also should support layer 3 VLAN Interface and Loopback port
Interface
F2
Switch should support basic routing feature i.e. IP Classless, default
routing and Inter VLAN routing
F3
Switch should support static and dynamic routing using:
F3.1
a. Static routing
F3.2
b. OSPF V.2 using MD5 Authentication
F3.3
c. ISIS using MD5 Authentication
F3.4
d. BGP V.4 using MD5 Authentication
F3.5
e. Should support route redistribution between these protocols
F3.6
f. Should be compliant to Multiprotocol Extensions for BGP-4
F4
Switch should re-converge all dynamic routing protocol at the time of
routing update changes i.e. Non-Stop forwarding/Non stop Routing for
fast re-convergence of routing protocols
F5
Switch should support multi instance MPLS routing using VRF, VRF Edge
routing and should support VRF Route leaking functionality
F6
Switch should be capable to work as DHCP server and relay
F7
Switch should provide multicast traffic reachable using:
F7.1
a. PIM-SM
F7.2
b. PIM-SSM
F7.3
c. Bi-Directional PIM
F7.4
d. Support RFC 3618 Multicast Source Discovery Protocol (MSDP)
F7.5
e. IGMP V.1, V.2 and V.3
F8
Switch should support Multicast routing of minimum 16 way Equal Cost
Multi Path load splitting
G
Availability
G1
Switch should have provisioning for connecting to 1:1/N+1 power supply
for usage and redundancy
G2
Switch should provide gateway level of redundancy in IP V.4 and IP V.6
using HSRP/VRRP
G3
Switch should support for BFD For Fast Failure Detection as per RFC
5880
H
Quality of Service
H1
Switch system should support 802.1P classification and marking of packet
using:
H1.1
a. CoS (Class of Service)
H1.2
b. DSCP (Differentiated Services Code Point)
H1.3
c. Source physical interfaces
H1.4
d. Source/destination IP subnet
H1.5
e. Protocol types (IP/TCP/UDP)
H1.6
f. Source/destination TCP/UDP ports
H2
Switch should support methods for identifying different types of traffic for
better management and resilience
H3
Switch should support for different type of QoS features for real time
traffic differential treatment using
H3.1
a. Weighted Random Early Detection
H3.2
b. Strict Priority Queuing
H4
Switch should support to trust the QoS marking/priority settings of the
end points as per the defined policy
H5
Switch should support Flow control of Ethernet ports to control traffic
rates during congestion by allowing congested nodes to pause link
operation at the other end for receiving traffic as per IEEE 802.3x
I
Security
I1
Switch should support for deploying different security for each logical and
physical interface using Port Based access control lists of Layer-2 to Layer-4
in IP V.4 and IP V.6 and logging for fault finding and audit trail
I2
Switch should support control plane i.e. processor and memory Protection
from unnecessary or DoS traffic by control plane protection policy
I4
Switch should support for external database for AAA using:
I4.1
a. TACACS+
I4.2
b. RADIUS
I5
Switch should support MAC Address Notification on host join into the
network for Audit trails and logging
I6
Switch should support to restrict end hosts in the network. Secures the
access to an access or trunk port based on MAC address. It limits the
number of learned MAC addresses to deny MAC address flooding
I7
Switch should support DHCP Snooping
I8
Switch should support Dynamic ARP Inspection to ensure host integrity
by preventing malicious users from exploiting the insecure nature of the
ARP protocol
I9
Switch should support IP Source Guard to prevent a malicious host from
spoofing or taking over another host's IP address by creating a binding
table between the client's IP and MAC address, port, and VLAN
I10
Switch should support for Role Based access control (RBAC) for restricting
host level network access as per policy defined
I11
Switch should support Spanning tree BPDU protection
I12
Switch should support unicast and/or multicast blocking on a switch port
to suppress the flooding of frames destined for an unknown unicast or
multicast MAC address out of that port
I13
Switch should support Spanning tree BPDU protection
I14
Switch should support for MOTD banner displayed on all connected
terminals at login and security discrimination messages can be flashed as
per banks ISD rules
J
Manageability
J1
Switch should support for embedded RMON/RMON-II for central NMS
management and monitoring
J2
Switch should support for sending logs to multiple centralised syslog
server for monitoring and audit trail
J3
Switch should provide remote login for administration using:
J3.1
a. Telnet
J3.2
b. SSH V.2
J4
Switch should support for capturing packets for identifying application
performance using local and remote port mirroring for packet captures
J5
Switch should support for management and monitoring status using
different type of Industry standard NMS using:
J5.1
a. SNMP V1 and V.2
J5.2
b. SNMP V.3 with encryption
J5.3
c. Filtration of SNMP using Access list
J5.4
d. SNMP MIB support for QoS
J6
Switch should support for basic administrative tools like:
J6.1
a. Ping
J6.2
b. Traceroute
J7
Switch should support central time server synchronization using Network
Time Protocol NTP V.4/PTP
J8
Switch should support for providing granular MIB support for different
statistics of the physical and logical interfaces
J9
Switch should support for predefined and customized execution of script
for device management for automatic and scheduled system status update for
monitoring and management
J10
Switch should provide different privilege for login in to the system for
monitoring and management
J11
Switch should support Real time Packet Capture using Wireshark in real
time for traffic analysis and fault finding
K
IPv6 features
K1
Switch should support for IP V.6 connectivity and routing required for
network reachability using different routing protocols such as:
K1.1
a. OSPF V.3
K1.2
b. BGP with IP V.6
K1.3
c. IP V.6 Policy based routing
K1.4
d. IP V.6 Dual Stack etc
K1.5
e. IP V.6 Static Route
K1.6
f. IP V.6 Default route
K1.7
g. Should support route redistribution between these protocols
K2
Switch should support multicast routing in IP V.6 network using PIMv2
Sparse Mode/MLD
K3
Switch should support for QoS in IP V.6 network connectivity
K4
Switch should support for monitoring and management using different
versions of SNMP in IP V.6 environment such as:
K4.1
a. SNMPv1, SNMPv2c, SNMPv3
K4.2
b. SNMP over IP V.6 with encryption support for SNMP Version 3
K5
Switch should support syslog for sending system log messages to
centralized log server in IP V.6 environment
K6
Switch should support NTP to provide an accurate and consistent
timestamp over IPv6 to synchronize log collection and events
K7
Switch should support for IP V.6 different types of tools for
administration and management such as:
K7.1
a. Ping
K7.2
b. Traceroute
K7.3
c. VTY
K7.4
d. SSH
K7.5
e. TFTP
K7.6
f. DNS lookup
Leaf (Fibre) Switch Specification: TABLE –11B
Quantity:440
Sr. No.
Feature Set
A
Solution Requirement
A1
The Switch should support non-blocking Layer 2 switching and Layer 3
routing
A2
The switch should not have any single point of failure; components like power
supplies and fans etc. should have 1:1/N+1 level of redundancy
A3
Switch should support in-line hot insertion and removal of different parts like
modules/power supplies/fan tray etc. This should not require switch reboot
or disrupt the functionality of the system
A4
Switch should support the complete STACK of IP V4 and IP V6 services
A5
The Switch and different modules used should function in line rate and
should not have any port with oversubscription ratio applied
B
Hardware and Interface Requirement
B1
Switch should have the following interfaces:
B1.1
a. 48 x 10G/25G Multi Mode Fiber Interface
B1.2
b. 2 x 40/100GbE QSFP ports
B2
Switch should have console port
B3
Switch should have management interface for Out of Band Management
B4
Switch should be rack mountable and support side rails if required
B5
Switch should have adequate power supply for the complete system
usage with all slots populated and used and provide N+1 redundant
B6
Switch should have hardware health monitoring capabilities and should
provide different parameters through SNMP
B7
Switch should support VLAN tagging (IEEE 802.1q)
B8
Switch should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Switch should support Configuration roll-back and check point
B10
Switch should support for different logical interface types like loopback,
VLAN, SVI/RBI, Port Channel/LAG, multi chassis port channel etc
C
Performance Requirement
C1
The switch should support 12,000 IPv4 and IPv6 routes entries in the
routing table including multicast routes
C2
Switch should support Graceful Restart for OSPF, BGP etc.
C3
Switch should support minimum 1000 VRF instances
C4
The switch should support uninterrupted forwarding operation for OSPF,
BGP etc. routing protocol to ensure high-availability during primary
controller failure
C5
The switch should support hardware based load balancing at wire speed
using LACP and multi chassis ether channel/LAG
C6
Switch should support minimum 3.2 Tbps of switching capacity (or as per
specifications of the switch if quantity of switches are more, but should be
non-blocking capacity) including the services:
C6.1
a. Switching
C6.2
b. IP Routing (Static/Dynamic)
C6.3
c. IP Forwarding
C6.4
d. Policy Based Routing
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
g. IP V.6 host and IP V.6 routing
C7
Each leaf should have connectivity to all spine switches and the over
subscription should not be less than 6:1 within a POD
D
Advance Features
D1
Switch should support Network Virtualization using Virtual Over Lay
Network using VXLAN /NVGRE
D2
Switch should support VXLAN and EVPN or equivalent for supporting
Spine - Leaf architecture to optimize the east - west traffic flow inside the
data center
D3
Switch should support Open Flow/Open Day light/Open Stack controller
D4
Switch should support Data Center Bridging
D5
Switch should support multi OEM hypervisor environment and should be
able to sense movement of VM and configure network automatically.
E
Layer2 Features
E1
Spanning Tree Protocol (IEEE 802.1D, 802.1W, 802.1S)
E2
Switch should support VLAN Trunking (802.1q) and should support 4096
VLAN
E3
Switch should support basic Multicast IGMP v1, v2, v3
E4
Switch should support minimum 96,000 no. of MAC addresses
E5
Switch should support 8 Nos. of link or more per Port channel (using
LACP) and support 48 port channels or more per switch
E6
Switch should support Industry Standard Port/Link Aggregation for All
Ports across any module or any port.
E7
Switch should support multi chassis Link Aggregation for All Ports across
any module or any port of the switch and Link aggregation should support
802.3ad LACP protocol for communication with downlink/uplink any
third party switch or server
E8
Switch should support Jumbo Frames up to 9K Bytes
E9
Support for broadcast, multicast and unknown unicast storm control to
prevent degradation of switch performance from storm due to network
attacks and vulnerabilities
E10
Switch should support Link Layer Discovery Protocol as per IEEE 802.1AB
for finding media level failures
F
Layer3 Features
F1
Switch should support all physical ports to use either in Layer2 or Layer 3
mode and also should support layer 3 VLAN Interface and Loopback port
Interface
F2
Switch should support basic routing feature i.e. IP Classless, default
routing and Inter VLAN routing
F3
Switch should support static and dynamic routing using:
F3.1
a. Static routing
F3.2
b. OSPF V.2 using MD5 Authentication
F3.3
c. ISIS using MD5 Authentication
F3.4
d. BGP V.4 using MD5 Authentication
F3.5
e. Should support route redistribution between these protocols
F3.6
f. Should be compliant to Multiprotocol Extensions for BGP-4 (Desirable)
F4
Switch should re-converge all dynamic routing protocol at the time of
routing update changes i.e. Non-Stop forwarding/Non stop Routing for
fast re-convergence of routing protocols
F5
Switch should support multi instance MPLS routing using VRF, VRF Edge
routing and should support VRF Route leaking functionality
F6
Switch should be capable to work as DHCP server and relay
F7
Switch should provide multicast traffic reachable using:
F7.1
a. PIM-SM
F7.2
b. PIM-SSM
F7.3
c. Bi-Directional PIM
F7.4
d. Support RFC 3618 Multicast Source Discovery Protocol (MSDP)
F7.5
e. IGMP V.1, V.2 and V.3
F8
Switch should support Multicast routing of minimum 16 way Equal Cost
Multi Path load splitting
G
Availability
G1
Switch should have provisioning for connecting to 1:1/N+1 power supply
for usage and redundancy
G2
Switch should provide gateway level of redundancy in IP V.4 and IP V.6
using HSRP/VRRP
G3
Switch should support for BFD For Fast Failure Detection as per RFC
5880
H
Quality of Service
H1
Switch system should support 802.1P classification and marking of
packet using:
H1.1
a. CoS (Class of Service)
H1.2
b. DSCP (Differentiated Services Code Point)
H1.3
c. Source physical interfaces
H1.4
d. Source/destination IP subnet
H1.5
e. Protocol types (IP/TCP/UDP)
H1.6
f. Source/destination TCP/UDP ports
H2
Switch should support methods for identifying different types of traffic for
better management and resilience
H3
Switch should support for different type of QoS features for real time
traffic differential treatment using
H3.1
a. Weighted Random Early Detection
H3.2
b. Strict Priority Queuing
H4
Switch should support to trust the QoS marking/priority settings of the
end points as per the defined policy
H5
Switch should support Flow control of Ethernet ports to control traffic
rates during congestion by allowing congested nodes to pause link
operation at the other end for receiving traffic as per IEEE 802.3x
I
Security
I1
Switch should support for deploying different security for each logical
and physical interface using Port Based access control lists of Layer-2 to
Layer-4 in IP V.4 and IP V.6 and logging for fault finding and audit trail
I2
Switch should support control plane i.e. processor and memory
Protection from unnecessary or DoS traffic by control plane protection
policy
I3
Switch should support for stringent security policies based on time of
day of Layer-2 to Layer-4
I4
Switch should support for external database for AAA using:
I4.1
a. TACACS+
I4.2
b. RADIUS
I5
Switch should support MAC Address Notification on host join into the
network for Audit trails and logging
I6
Switch should support to restrict end hosts in the network. Secures the
access to an access or trunk port based on MAC address. It limits the
number of learned MAC addresses to deny MAC address flooding
I7
Switch should support DHCP Snooping
I8
Switch should support Dynamic ARP Inspection to ensure host integrity
by preventing malicious users from exploiting the insecure nature of the
ARP protocol
I9
Switch should support IP Source Guard to prevent a malicious host from
spoofing or taking over another host's IP address by creating a binding
table between the client's IP and MAC address, port, and VLAN
I10
Switch should support for Role Based access control (RBAC) for restricting
host level network access as per policy defined
I11
Switch should support preventing edge devices in the network that are not
under the administrator's control from becoming Spanning Tree Protocol root
nodes
I12
Switch should support unicast and/or multicast blocking on a switch port
to suppress the flooding of frames destined for an unknown unicast or
multicast MAC address out of that port
I13
Switch should support Spanning tree BPDU protection
I14
Switch should support for MOTD banner displayed on all connected
terminals at login and security discrimination messages can be flashed as
per banks ISD rules
J
Manageability
J1
Switch should support for embedded RMON/RMON-II for central NMS
management and monitoring
J2
Switch should support for sending logs to multiple centralised syslog
server for monitoring and audit trail
J3
Switch should provide remote login for administration using:
J3.1
a. Telnet
J3.2
b. SSH V.2
J4
Switch should support for capturing packets for identifying application
performance using local and remote port mirroring for packet captures
J5
Switch should support for management and monitoring status using
different type of Industry standard NMS using:
J5.1
a. SNMP V1 and V.2
J5.2
b. SNMP V.3 with encryption
J5.3
c. Filtration of SNMP using Access list
J5.4
d. SNMP MIB support for QoS
J6
Switch should support for basic administrative tools like:
J6.1
a. Ping
J6.2
b. Traceroute
J7
Switch should support central time server synchronization using Network
Time Protocol NTP V.4/PTP
J8
Switch should support for providing granular MIB support for different
statistics of the physical and logical interfaces
J9
Switch should support for predefined and customized execution of script
for device management for automatic and scheduled system status update for
monitoring and management
J10
Switch should provide different privilege for login in to the system for
monitoring and management
J11
Switch should support Real time Packet Capture using Wireshark in real
time for traffic analysis and fault finding
K
IPv6 features
K1
Switch should support for IP V.6 connectivity and routing required for
network reachability using different routing protocols such as:
K1.1
a. OSPF V.3
K1.2
b. BGP with IP V.6
K1.3
c. IP V.6 Policy based routing
K1.4
d. IP V.6 Dual Stack etc
K1.5
e. IP V.6 Static Route
K1.6
f. IP V.6 Default route
K1.7
g. Should support route redistribution between these protocols
K2
Switch should support multicast routing in IP V.6 network using PIMv2
Sparse Mode/MLD
K3
Switch should support for QoS in IP V.6 network connectivity
K4
Switch should support for monitoring and management using different
versions of SNMP in IP V.6 environment such as:
K4.1
a. SNMPv1, SNMPv2c, SNMPv3
K4.2
b. SNMP over IP V.6 with encryption support for SNMP Version 3
K5
Switch should support syslog for sending system log messages to
centralized log server in IP V.6 environment
K6
Switch should support NTP to provide an accurate and consistent
timestamp over IPv6 to synchronize log collection and events
K7
Switch should support for IP V.6 different types of tools for
administration and management such as:
K7.1
a. Ping
K7.2
b. Traceroute
K7.3
c. VTY
K7.4
d. SSH
K7.5
e. TFTP
K7.6
f. DNS lookup
Leaf (UTP-OOB) Switch Specification: TABLE –11C
Quantity:440
OOB (out-of-band) data is the data transferred through a stream
that is independent from the main in-band data stream. An
out-of-band data mechanism provides a conceptually independent
path, which allows any data sent via that mechanism to be kept
separate from in-band data.
Sr. No.
Feature Set
A
Solution Requirement
A1
The Switch should support non-blocking Layer 2 switching and Layer 3
routing
A2
The switch should not have any single point of failure; components like power
supplies and fans etc. should have 1:1/N+1 level of redundancy
A3
Switch should support in-line hot insertion and removal of different parts like
modules/power supplies/fan tray etc. This should not require switch reboot or
disrupt the functionality of the system
A4
Switch should support the complete STACK of IP V4 and IP V6 services
A5
The Switch and different modules used should function in line rate and
should not have any port with oversubscription ratio applied
B
Hardware and Interface Requirement
B1
Switch should have the following interfaces:
B1.1
a. 48 x 100M/1000M/10G Ethernet RJ45 Interface
B1.2
b. 2 x 10/40GbE QSFP ports
B2
Switch should have console port
B3
Switch should have management interface for Out of Band Management
B4
Switch should be rack mountable and support side rails if required
B5
Switch should have adequate power supply for the complete system
usage with all slots populated and used and provide N+1 redundant
B6
Switch should have hardware health monitoring capabilities and should
provide different parameters through SNMP
B7
Switch should support VLAN tagging (IEEE 802.1q)
B8
Switch should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Switch should support Configuration roll-back and check point
B10
Switch should support for different logical interface types like loopback,
VLAN, SVI/RBI, Port Channel/LAG, multi chassis port channel etc
C
Performance Requirement
C1
The switch should support 12,000 IPv4 and IPv6 routes entries in the
routing table including multicast routes
C2
Switch should support Graceful Restart for OSPF, BGP etc.
C3
Switch should support minimum 1000 VRF instances
C4
The switch should support uninterrupted forwarding operation for routing
protocols like OSPF,
BGP etc. to ensure high-availability during primary
controller failure
C5
The switch should support hardware based load balancing at wire speed
using LACP and multi chassis etherchannel/LAG
C6
Switch should support minimum 1.28 Tbps of switching capacity (or as per
specifications of the switch if quantity of switches are more, but should be
non blocking capacity) including the services:
C6.1
a. Switching
C6.2
b. IP Routing (Static/Dynamic)
C6.3
c. IP Forwarding
C6.4
d. Policy Based Routing
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
g. IP V.6 host and IP V.6 routing
C7
Each leaf should have connectivity to all spine switches and the over
subscription should not be less than 6:1 within a POD
D
Advance Features
D1
Switch should support Network Virtualisation using Virtual Over Lay
Network using VXLAN (RFC 7348)/NVGRE
D2
Switch should support VXLAN and EVPN or equivalent for supporting
Spine - Leaf architecture to optimise the east - west traffic flow inside the
data center
D3
Switch should support OpenFlow/Open Day light/Open Stack controller
D4
Switch should support Data Center Bridging
D5
Switch should support multi OEM hypervisor environment and should be
able to sense movement of VM and configure network automatically.
E
Layer2 Features
E1
Spanning Tree Protocol (IEEE 802.1D, 802.1W, 802.1S)
E2
Switch should support VLAN Trunking (802.1q) and should support 4096
VLAN
E3
Switch should support basic Multicast IGMP v1, v2, v3
E4
Switch should support minimum 96,000 no. of MAC addresses
E5
Switch should support 8 Nos. of link or more per Port channel (using
LACP) and support 96 port channels or more per switch
E6
Switch should support Industry Standard Port/Link Aggregation for All
Ports across any module or any port.
E7
Switch should support multi chassis Link Aggregation for All Ports across
any module or any port of the switch and Link aggregation should support
802.3ad LACP protocol for communication with downlink/uplink any
third party switch or server
E8
Switch should support Jumbo Frames up to 9K Bytes on 1G/10G Ports
E9
Support for broadcast, multicast and unknown unicast storm control to
prevent degradation of switch performance from storm due to network
attacks and vulnerabilities
E10
Switch should support Link Layer Discovery Protocol as per IEEE 802.1AB
for finding media level failures
F
Layer3 Features
F1
Switch should support all physical ports to use either in Layer2 or Layer 3
mode and also should support layer 3 VLAN Interface and Loopback port
Interface
F2
Switch should support basic routing feature i.e. IP Classless, default
routing and Inter VLAN routing
F3
Switch should support static and dynamic routing using:
F3.1
a. Static routing
F3.2
b. OSPF V.2 using MD5 Authentication
F3.3
c. ISIS using MD5 Authentication
F3.4
d. BGP V.4 using MD5 Authentication
F3.5
e. Should support route redistribution between these protocols
F3.6
f. Should be compliant to Multiprotocol Extensions for BGP-4
F4
Switch should re-converge all dynamic routing protocol at the time of
routing update changes i.e. Non-Stop forwarding/Non stop Routing for
fast re-convergence of routing protocols
F5
Switch should support multi instance MPLS routing using VRF, VRF Edge
routing and should support VRF Route leaking functionality
F6
Switch should be capable to work as DHCP server and relay
F7
Switch should provide multicast traffic reachable using:
F7.1
a. PIM-SM
F7.2
b. PIM-SSM
F7.3
c. Bi-Directional PIM
F7.4
d. Support RFC 3618 Multicast Source Discovery Protocol (MSDP)
F7.5
e. IGMP V.1, V.2 and V.3
F8
Switch should support Multicast routing of minimum 16 way Equal Cost
Multi Path load splitting
G
Availability
G1
Switch should have provisioning for connecting to 1:1/N+1 power supply
for usage and redundancy
G2
Switch should provide gateway level of redundancy in IP V.4 and IP V.6
using HSRP/VRRP
G3
Switch should support for BFD For Fast Failure Detection as per RFC
5880
H
Quality of Service
H1
Switch system should support 802.1P classification and marking of packet
using:
H1.1
a. CoS (Class of Service)
H1.2
b. DSCP (Differentiated Services Code Point)
H1.3
c. Source physical interfaces
H1.4
d. Source/destination IP subnet
H1.5
e. Protocol types (IP/TCP/UDP)
H1.6
f. Source/destination TCP/UDP ports
H2
Switch should support methods for identifying different types of traffic for
better management and resilience
H3
Switch should support for different type of QoS features for real time
traffic differential treatment using
H3.1
a. Weighted Random Early Detection
H3.2
b. Strict Priority Queuing
H4
Switch should support to trust the QoS marking/priority settings of the
end points as per the defined policy
H5
Switch should support Flow control of Ethernet ports to control traffic
rates during congestion by allowing congested nodes to pause link
operation at the other end for receiving traffic as per IEEE 802.3x
I
Security
I1
Switch should support for deploying different security for each logical and
physical interface using Port Based access control lists of Layer-2 to
Layer-4 in IP V.4 and IP V.6 and logging for fault finding and audit trail
I2
Switch should support control plane i.e. processor and memory Protection
from unnecessary or DoS traffic by control plane protection policy
I4
Switch should support for external database for AAA using:
I4.1
a. TACACS+
I4.2
b. RADIUS
I5
Switch should support MAC Address Notification on host join into the
network for Audit trails and logging
I6
Switch should support to restrict end hosts in the network. Secures the
access to an access or trunk port based on MAC address. It limits the
number of learned MAC addresses to deny MAC address flooding
I7
Switch should support DHCP Snooping
I8
Switch should support Dynamic ARP Inspection to ensure host integrity
by preventing malicious users from exploiting the insecure nature of the
ARP protocol
I9
Switch should support IP Source Guard to prevent malicious hosts from
spoofing or taking over another host's IP address by creating a binding
table between the client's IP and MAC address, port, and VLAN
I10
Switch should support for Role Based access control (RBAC) for restricting
host level network access as per policy defined
I11
Switch should support Spanning tree BPDU protection
I12
Switch should support unicast and/or multicast blocking on a switch port
to suppress the flooding of frames destined for an unknown unicast or
multicast MAC address out of that port
I13
Switch should support Spanning tree BPDU protection
I14
Switch should support for MOTD banner displayed on all connected
terminals at login and security discrimination messages can be flashed as
per banks ISD rules
J
Manageability
J1
Switch should support for embedded RMON/RMON-II for central NMS
management and monitoring
J2
Switch should support for sending logs to multiple centralised syslog
server for monitoring and audit trail
J3
Switch should provide remote login for administration using:
J3.1
a. Telnet
J3.2
b. SSH V.2
J4
Switch should support for capturing packets for identifying application
performance using local and remote port mirroring for packet captures
J5
Switch should support for management and monitoring status using
different type of Industry standard NMS using:
J5.1
a. SNMP V1 and V.2
J5.2
b. SNMP V.3 with encryption
J5.3
c. Filtration of SNMP using Access list
J5.4
d. SNMP MIB support for QoS
J6
Switch should support for basic administrative tools like:
J6.1
a. Ping
J6.2
b. Traceroute
J7
Switch should support central time server synchronization using Network
Time Protocol NTP V.4/PTP
J8
Switch should support for providing granular MIB support for different
statistics of the physical and logical interfaces
J9
Switch should support for predefined and customised execution of script
for device management for automatic and scheduled system status update for
monitoring and management
J10
Switch should provide different privilege for login in to the system for
monitoring and management
J11
Switch should support Real time Packet Capture using Wireshark in real
time for traffic analysis and fault finding
K
IPv6 features
K1
Switch should support for IP V.6 connectivity and routing required for
network reachability using different routing protocols such as:
K1.1
a. OSPF V.3
K1.2
b. BGP with IP V.6
K1.3
c. IP V.6 Policy based routing
K1.4
d. IP V.6 Dual Stack etc
K1.5
e. IP V.6 Static Route
K1.6
f. IP V.6 Default route
K1.7
g. Should support route redistribution between these protocols
K2
Switch should support multicast routing in IP V.6 network using PIMv2
Sparse Mode/MLD
K3
Switch should support for QoS in IP V.6 network connectivity
K4
Switch should support for monitoring and management using different
versions of SNMP in IP V.6 environment such as:
K4.1
a. SNMPv1, SNMPv2c, SNMPv3
K4.2
b. SNMP over IP V.6 with encryption support for SNMP Version 3
K5
Switch should support syslog for sending system log messages to
centralized log server in IP V.6 environment
K6
Switch should support NTP to provide an accurate and consistent
timestamp over IPv6 to synchronize log collection and events
K7
Switch should support for IP V.6 different types of tools for
administration and management such as:
K7.1
a. Ping
K7.2
b. Traceroute
K7.3
c. VTY
K7.4
d. SSH
K7.5
e. TFTP
K7.6
f. DNS lookup
TABLE – 12
Spine Switch Specification
Quantity: Enough to accommodate all ports as mentioned
below maintaining 1+1 redundancy at switch level
Sr. No.
Feature Set
Compliance(Y/N)
A
General Requirement
A1
The spine layer switches should have hardware level
redundancy (1+1) in terms of data plane and control plane.
Issues with any of the plane should not impact the functioning
of the switch
A2
The switch should have redundant CPUs working in active-active
or active-standby mode. CPU fail over/change over should not
disrupt/impact/degrade the functioning of the switch.
A3
The Switch should support non-blocking Layer 2 switching and
Layer 3 routing
A4
The switch should not have any single point of failure like CPU,
supervisor, switching fabric power supplies and fans etc should
have 1:1/N+1 level of redundancy
A5
Switch should support in line hot insertion and removal of
different parts like modules/power supplies/fan tray etc. This
should not require rebooting of the switch or create disruption
in the working/functionality of the switch
A6
Switch should support the complete STACK of IP V4 and IP V6
services
A7
Switch with different modules should function line rate and
should not have any port with oversubscription ratio applied
A8
Switch should support in service software upgrade of the switch
without disturbing the traffic flow. There should not be any
impact on the performance in the event of the software
upgrade/downgrade. It should support in service patching of
selected process/processes only without impacting other
running processes
A9
Switch should support non blocking, wire speed performance
per line card
B
Hardware and Interface Requirement
B1
Switch should have 220 nos. of line rate and Non - Blocking
40/100G ports and scaleable upto 256 nos. of 40/100G ports
B2
Switch should have console port for local management
B3
Switch should have management interface for Out of Band
Management
B4
Switch should be rack mountable and support side rails, if
required
B5
Switch should have adequate power supplies for the complete
system usage with all slots populated and used, providing N+1
redundancy
B6
Switch should have hardware health monitoring capabilities
and should provide different parameters through SNMP
B7
Switch should support VLAN tagging (IEEE 802.1q)
B8
Switch should support IEEE Link Aggregation and Ethernet
Bonding
functionality to group multiple ports for redundancy
B9
Switch should have the capability of holding multiple OS
images to
support resilience & easy rollbacks during the version upgrades
etc and should support in service software upgrade including:
B9.1
a. Multiple System image
B9.2
b. Multiple system configuration
B9.3
c. Option of Configuration roll-back
B10
Switch should support for different logical interface types like
loopback, VLAN, SVI/IRB, Port Channel/LAG, multi chassis
port channel etc
C
Performance Requirement
C1
The switch should support 1,20,000 IPv4 and IPv6 routes
entries in the routing table with multicast routes
C2
Switch should support Graceful Restart for OSPF, BGP etc.
C3
Switch should support minimum 1000 VRF instances
C4
The switch should support uninterrupted forwarding operation
for OSPF, BGP etc. routing protocol to ensure high-availability
during primary controller failure
C5
The switch should support hardware based loadbalancing at
wire speed using LACP and multi chassis etherchannel/LAG
C6
Switch should have wire rate switching capacity including the
services:
C6.1
a. Switching
C6.2
b. IP Routing (Static/Dynamic)
C6.3
c. IP Forwarding
C6.4
d. Policy Based Routing
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
g. IP V.6 host and IP V.6 routing
D
Virtualization Features
D1
Switch should support Network Virtualisation using Virtual
Over Lay Network using VXLAN (RFC 7348)/NVGRE as per
RFC 2890
D2
Switch should support VXLAN and EVPN for supporting Spine
- Leaf architecture to optimise the east - west traffic flow inside
the data center
D3
Switch should support Open Flow/Open Day light/Open Stack
controller
D4
Switch should support Data Center Bridging
D5
Switch should support multi OEM hypervisor environment and
should be able to sense movement of VM and configure network
automatically
E
Layer2 Features
E1
Spanning Tree Protocol (IEEE 802.1D, 802.1W, 802.1S)
E2
Switch should support VLAN Trunking (802.1q) and should
support 4096 VLAN
E3
Switch should support basic Multicast IGMP v1, v2, v3
E4
Switch should support minimum 160,000 no. of MAC
addresses
E5
Switch should support 16 Nos. of link or more per Port channel
(using LACP) and support 200 port channels or more per
switch
E6
Switch should support Industry Standard Port/Link
Aggregation for All Ports across any module or any port.
E7
Switch should support multi chassis Link Aggregation for All
Ports across any module or any port
E8
Switch should support Jumbo Frames up to 9K Bytes
E9
Support for broadcast, multicast and unknown unicast storm
control to prevent degradation of switch performance from
storm due to network attacks and vulnerabilities
E10
Switch should support Link Layer Discovery Protocol as per
IEEE 802.1AB for finding media level failures
F
Layer3 Features
F1
Switch should support all physical ports to use either in Layer2
or Layer 3 mode and also should support layer 3 VLAN
Interface and Loopback port Interface
F2
Switch should support basic routing feature i.e. IP Classless,
default routing and Inter VLAN routing
F3
Switch should support static and dynamic routing using:
F3.1
a. Static routing
F3.2
b. OSPF V.2 using MD5 Authentication
F3.3
c. ISIS using MD5 Authentication
F3.4
d. BGP V.4 using MD5 Authentication
F3.5
e. Should support route redistribution between these protocols
F3.6
f. Should be compliant to RFC 4760 Multiprotocol
Extensions for BGP-4 (Desirable)
F4
Switch should reconverge all dynamic routing protocol at the
time of routing update changes i.e. Non-Stop forwarding/Non
Stop Routing for fast re-convergence of routing protocols
F5
Switch should support multi instance MPLS routing using VRF,
VRF Edge routing and should support VRF Route leaking
functionality
F6
Switch should be capable to work as DHCP server and relay
F7
Switch should provide multicast traffic reachable using:
F7.1
a. PIM-SM
F7.2
b. PIM-SSM
F7.3
c. Bi-Directional PIM
F7.4
d. Support RFC 3618 Multicast Source Discovery Protocol
(MSDP)
F7.5
e. IGMP V.1, V.2 and V.3
F8
Switch should support Multicast routing of minimum 16 way
Equal Cost Multi Path load splitting
G
Availability
G1
Switch should have provisioning for connecting to 1:1/N+1
power supply for usage and redundancy
G2
Switch should provide gateway level of redundancy in Ip V.4
and IP V.6 using HSRP/VRRP
G3
Switch should support for BFD For Fast Failure Detection as
per RFC (5880)
H
Quality of Service
H1
Switch system should support 802.1P classification and
marking of
packet using:
H1.1
a. CoS (Class of Service)
H1.2
b. DSCP (Differentiated Services Code Point)
H1.3
c. Source physical interfaces
H1.4
d. Source/destination IP subnet
H1.5
e. Protocol types (IP/TCP/UDP)
H1.6
f. Source/destination TCP/UDP ports
H2
Switch should support methods for identifying different types of
traffic for better management and resilience
H3
Switch should support for different type of QoS features for real
time traffic differential treatment
H3.1
a. Weighted Random Early Detection
H3.2
b. Strict Priority Queuing
H4
Switch should support to trust the QoS marking/priority
settings of the end points as per the defined policy
H5
Switch should support Flow control of Ethernet ports to control
traffic rates during congestion by allowing congested nodes to
pause link operation at the other end for receiving traffic as per
IEEE 802.3x/ IEEE 802.1Qbb
I
Security
I1
Switch should support for deploying different security for each
logical and physical interface using Port Based access control
lists of Layer-2 to Layer-4 in IP V.4 and IP V.6 and logging for
fault finding and audit trail
I2
Switch should support control plane i.e. processor and memory
Protection from unnecessary or DoS traffic by control plane
protection policy
I4
Switch should support for external database for AAA using:
I4.1
a. TACACS+
I4.2
b. RADIUS
I5
Switch should support MAC Address Notification on host join
into the network for Audit trails and logging
I6
Switch should support to restrict end hosts in the network.
Secures the access to an access or trunk port based on MAC
address. It limits the number of learned MAC addresses to deny
MAC address flooding
I7
Switch should support for Role Based access control (RBAC) for
restricting host level network access as per policy defined
I8
Switch should support to prevent edge devices in the network
not under the administrator's control from becoming Spanning Tree
Protocol root nodes
I9
Switch should support unicast and/or multicast blocking on a
switch port to suppress the flooding of frames destined for an
unknown unicast or multicast MAC address out of that port
I10
Switch should support Spanning tree BPDU protection
I11
Switch should support for MOTD banner displayed on all
connected terminals at login and security discrimination
messages can be flashed
J
Manageability
J1
Switch should support for embedded RMON/RMON-II for
central NMS management and monitoring
J2
Switch should support for sending logs to multiple centralised
syslog server for monitoring and audit trail
J3
Switch should provide remote login for administration using:
J3.1
a. Telnet
J3.2
b. SSH V.2
J4
Switch should support for capturing packets for identifying
application performance using local and remote port mirroring
for packet captures
J5
Switch should support for management and monitoring status
using different type of Industry standard NMS using:
J5.1
a. SNMP V1 and V.2
J5.2
b. SNMP V.3 with encryption
J5.3
c. Filtration of SNMP using Access list
J5.4
d. SNMP MIB support for QoS
J6
Switch should support for basic administrative tools like:
J6.1
a. Ping
J6.2
b. Traceroute
J7
Switch should support central time server synchronisation
using Network Time Protocol NTP V.4/PTP
J8
Switch should support for providing granular MIB support for
different statistics of the physical and logical interfaces
J9
Switch should support for predefined and customized execution
of script for device management for automatic and scheduled system
status update for monitoring and management
J10
Switch should provide different privilege for login in to the
system for monitoring and management
J11
Switch should support Real time Packet Capture using
Wireshark in real time for traffic analysis and fault finding
K
IPv6 features
K1
Switch should support for IP V.6 connectivity and routing
required for network reachability using different routing
protocols such as:
K1.1
a. OSPF V.3
K1.2
b. BGP with IP V.6
K1.3
c. IP V.6 Policy based routing
K1.4
d. IP V.6 Dual Stack etc
K1.5
e. IP V.6 Static Route
K1.6
f. IP V.6 Default route
K1.7
g. Should support route redistribution between these protocols
K2
Switch should support multicast routing in IP V.6 network
using PIMv2 Sparse Mode/MLD
K3
Switch should support for QoS in IP V.6 network connectivity
K4
Switch should support for monitoring and management using
different versions of SNMP in IP V.6 environment such as:
K4.1
a. SNMPv1, SNMPv2c, SNMPv3
K4.2
b. SNMP over IP V.6 with encryption support for SNMP Version
3
K5
Switch should support syslog for sending system log messages
to
centralised log server in IP V.6 environment
K6
Switch should support NTP to provide an accurate and
consistent
timestamp over IPv6 to synchronize log collection and events
K7
Switch should support for IP V.6 different types of tools for
administration and management such as:
K7.1
a. Ping
K7.2
b. Traceroute
K7.3
c. VTY
K7.4
d. SSH
K7.5
e. TFTP
K7.6
f. DNS lookup
Super Spine Switch Specification
TABLE 13
QTY=2
Sr. No.
Feature Set
Compliance(Y/N)
A
General Requirement
A1
The spine layer switches should have hardware level
redundancy (1+1) in terms of data plane and control plane.
Issues with any of the plane should not impact the
functioning of the switch.
A2
The switch should have redundant CPUs working in active-active
or active-standby mode. CPU fail over/change over
should not
disrupt/impact/degrade the functioning of the switch.
A3
The Switch should support non-blocking Layer 2 switching
and Layer 3 routing
A4
The switch should not have any single point of failure like
CPU,
supervisor, switching fabric power supplies and fans etc
should have 1:1/N+1 level of redundancy
A5
Switch should support in line hot insertion and removal of
different parts like modules/power supplies/fan tray etc.
This should not require rebooting of the switch or create
disruption in the working/functionality of the switch
A6
Switch should support the complete STACK of IP V4 and IP
V6 services
A7
Switch with different modules should function line rate and
should not have any port with oversubscription ratio
applied
A8
Switch should support in service software upgrade of the
switch without disturbing the traffic flow. There should not
be any impact on the performance in the event of the
software upgrade/downgrade. It should support in service
patching of selected process/processes only without
impacting other running processes
A9
Switch should support non blocking, wire speed
performance per line card
B
Hardware and Interface Requirement
B1
Switch should have the following interfaces:
B1.1
a. 48 x 1G/10G Ethernet RJ45 Interface*
B1.2
b. 48 x 10G Multi Mode Fiber Interface
B1.3
c. 120 or as many required for achieving the over
subscription ratio of 6:1 x 40/100G QSFP Fiber Interface
(with OM4 fibre)
B2
Switch should have console port for local management
B3
Switch should have management interface for Out of Band
Management
B4
Switch should be rack mountable and support side rails, if
required
B5
Switch should have adequate power supplies for the
complete system usage with all slots populated and used,
providing N+1 redundancy
B6
Switch should have hardware health monitoring
capabilities and should provide different parameters
through SNMP
B7
Switch should support VLAN tagging (IEEE 802.1q)
B8
Switch should support IEEE Link Aggregation and Ethernet
Bonding
functionality to group multiple ports for redundancy
B9
Switch should have the capability of holding multiple OS
images to
support resilience & easy rollbacks during the version
upgrades etc and should support in service software
upgrade including:
B9.1
a. Multiple System image
B9.2
b. Multiple system configuration
B9.3
c. Option of Configuration roll-back
B10
Switch should support for different logical interface types
like loopback, VLAN, SVI/IRB, Port Channel/ multi chassis
port channel/Link Aggregation Group (LAG) etc
C
Performance Requirement
C1
The switch should support 1,20,000 IPv4 and IPv6 routes
entries in the routing table with multicast routes
C2
Switch should support Graceful Restart for OSPF, BGP etc.
C3
Switch should support minimum 1000 VRF instances
C4
The switch should support uninterrupted forwarding
operation for OSPF, BGP etc. routing protocol to ensure
high-availability during primary controller failure
C5
The switch should support hardware based loadbalancing at
wire speed using LACP and multi chassis
etherchannel/LAG
C6
Switch should have wire rate switching capacity including
the services:
C6.1
a. Switching
C6.2
b. IP Routing (Static/Dynamic)
C6.3
c. IP Forwarding
C6.4
d. Policy Based Routing
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
g. IP V.6 host and IP V.6 routing
D
Virtualization Features
D1
Switch should support Network Virtualisation using Virtual
Over Lay Network using VXLAN (RFC 7348)/NVGRE as
per RFC 2890
D2
Switch should support VXLAN and EVPN for supporting
Spine - Leaf architecture to optimise the east - west traffic
flow inside the data center
D3
Switch should support Open Flow/Open Day light/Open
Stack controller
D4
Switch should support Data Center Bridging
D5
Switch should support multi OEM hypervisor environment
and should be able to sense movement of VM and configure
network automatically
E
Layer2 Features
E1
Spanning Tree Protocol (IEEE 802.1D, 802.1W, 802.1S)
E2
Switch should support VLAN Trunking (802.1q) and should
support 4096 VLAN
E3
Switch should support basic Multicast IGMP v1, v2, v3
E4
Switch should support minimum 160,000 no. of MAC
addresses
E5
Switch should support 16 Nos. of link or more per Port
channel (using LACP) and support 200 port channels or
more per switch
E6
Switch should support Industry Standard Port/Link
Aggregation for All Ports across any module or any port.
E7
Switch should support multi chassis Link Aggregation for
All Ports across any module or any port of the switch and
Link aggregation should support 802.3ad LACP protocol
for communication with downlink/uplink any third party
switch or server. Spine to spine - minimum 16 port Multi
Chassis etherchannel/LAG should be provided.
E8
Switch should support Jumbo Frames up to 9K Bytes
E9
Support for broadcast, multicast and unknown unicast
storm control to prevent degradation of switch performance
from storm due to network attacks and vulnerabilities
E10
Switch should support Link Layer Discovery Protocol as per
IEEE 802.1AB for finding media level failures
F
Layer3 Features
F1
Switch should support all physical ports to use either in
Layer2 or Layer 3 mode and also should support layer 3
VLAN Interface and Loopback port Interface
F2
Switch should support basic routing feature i.e. IP
Classless, default routing and Inter VLAN routing
F3
Switch should support static and dynamic routing using:
F3.1
a. Static routing
F3.2
b. OSPF V.2 using MD5 Authentication
F3.3
c. ISIS using MD5 Authentication
F3.4
d. BGP V.4 using MD5 Authentication
F3.5
e. Should support route redistribution between these
protocols
F3.6
f. Should be compliant to RFC 4760 Multiprotocol
Extensions for BGP-4 (Desirable)
F4
Switch should reconverge all dynamic routing protocol at
the time of routing update changes i.e. Non-Stop
forwarding/Non Stop Routing for fast re-convergence of
routing protocols
F5
Switch should support multi instance MPLS routing using
VRF, VRF
Edge routing and should support VRF Route leaking
functionality
F6
Switch should be capable to work as DHCP server and relay
F7
Switch should provide multicast traffic reachable using:
F7.1
a. PIM-SM
F7.2
b. PIM-SSM
F7.3
c. Bi-Directional PIM
F7.4
d. Support RFC 3618 Multicast Source Discovery Protocol
(MSDP)
F7.5
e. IGMP V.1, V.2 and V.3
F8
Switch should support Multicast routing of minimum 16
way Equal Cost Multi Path load splitting
G
Availability
G1
Switch should have provisioning for connecting to 1:1/N+1
power supply for usage and redundancy
G2
Switch should provide gateway level of redundancy in Ip
V.4 and IP V.6 using HSRP/VRRP
G3
Switch should support for BFD For Fast Failure Detection
as per RFC (5880)
H
Quality of Service
H1
Switch system should support 802.1P classification and
marking of
packet using:
H1.1
a. CoS (Class of Service)
H1.2
b. DSCP (Differentiated Services Code Point)
H1.3
c. Source physical interfaces
H1.4
d. Source/destination IP subnet
H1.5
e. Protocol types (IP/TCP/UDP)
H1.6
f. Source/destination TCP/UDP ports
H2
Switch should support methods for identifying different
types of traffic for better management and resilience
H3
Switch should support for different type of QoS features for
real time traffic differential treatment using
H3.1
a. Weighted Random Early Detection
H3.2
b. Strict Priority Queuing
H4
Switch should support to trust the QoS marking/priority
settings of the end points as per the defined policy
H5
Switch should support Flow control of Ethernet ports to
control traffic rates during congestion by allowing
congested nodes to pause link operation at the other end for
receiving traffic as per IEEE 802.3x/ IEEE 802.1Qbb
I
Security
I1
Switch should support for deploying different security for
each logical and physical interface using Port Based access
control lists of Layer-2 to Layer-4 in IP V.4 and IP V.6 and
logging for fault finding and audit trail
I2
Switch should support control plane i.e. processor and
memory
Protection from unnecessary or DoS traffic by control plane
protection policy
I4
Switch should support for external database for AAA using:
I4.1
a. TACACS+
I4.2
b. RADIUS
I5
Switch should support MAC Address Notification on host
join into the network for Audit trails and logging
I6
Switch should support to restrict end hosts in the network.
Secures the access to an access or trunk port based on MAC
address. It limits the number of learned MAC addresses to
deny MAC address flooding
I7
Switch should support for Role Based access control
(RBAC) for
restricting host level network access as per policy defined
I8
Switch should support to prevent edge devices in the
network not under the administrator's control from becoming
Spanning Tree Protocol root nodes
I9
Switch should support unicast and/or multicast blocking on
a switch port to suppress the flooding of frames destined
for an unknown unicast or multicast MAC address out of
that port
I10
Switch should support Spanning tree BPDU protection
I11
Switch should support for MOTD banner displayed on all
connected terminals at login and security discrimination
messages can be flashed
J
Manageability
J1
Switch should support for embedded RMON/RMON-II for
central NMS management and monitoring
J2
Switch should support for sending logs to multiple
centralised syslog server for monitoring and audit trail
J3
Switch should provide remote login for administration
using:
J3.1
a. Telnet
J3.2
b. SSH V.2
J4
Switch should support for capturing packets for identifying
application performance using local and remote port
mirroring for packet captures
J5
Switch should support for management and monitoring
status using different type of Industry standard NMS using:
J5.1
a. SNMP V1 and V.2
J5.2
b. SNMP V.3 with encryption
J5.3
c. Filtration of SNMP using Access list
J5.4
d. SNMP MIB support for QoS
J6
Switch should support for basic administrative tools like:
J6.1
a. Ping
J6.2
b. Traceroute
J7
Switch should support central time server synchronisation
using Network Time Protocol NTP V.4/PTP
J8
Switch should support for providing granular MIB support
for different statistics of the physical and logical interfaces
J9
Switch should support for predefined and customized
execution of script for device management for automatic and
scheduled system status update for monitoring and
management
J10
Switch should provide different privilege for login in to the
system for monitoring and management
J11
Switch should support Real time Packet Capture using
Wireshark in real time for traffic analysis and fault finding
K
IPv6 features
K1
Switch should support for IP V.6 connectivity and routing
required for network reachability using different routing
protocols such as:
K1.1
a. OSPF V.3
K1.2
b. BGP with IP V.6
K1.3
c. IP V.6 Policy based routing
K1.4
d. IP V.6 Dual Stack etc
K1.5
e. IP V.6 Static Route
K1.6
f. IP V.6 Default route
K1.7
g. Should support route redistribution between these
protocols
K2
Switch should support multicast routing in IP V.6 network
using PIMv2 Sparse Mode/ MLD V1/2
K3
Switch should support for QoS in IP V.6 network
connectivity
K4
Switch should support for monitoring and management
using different versions of SNMP in IP V.6 environment
such as:
K4.1
a. SNMPv1, SNMPv2c, SNMPv3
K4.2
b. SNMP over IP V.6 with encryption support for SNMP
Version 3
K5
Switch should support syslog for sending system log
messages to
centralised log server in IP V.6 environment
K6
Switch should support NTP to provide an accurate and
consistent
timestamp over IPv6 to synchronize log collection and
events
K7
Switch should support for IP V.6 different types of tools for
administration and management such as:
K7.1
a. Ping
K7.2
b. Traceroute
K7.3
c. VTY
K7.4
d. SSH
K7.5
e. TFTP
K7.6
f. DNS lookup
*may use a leaf to cater this requirement
DMZ Switch Specification
TABLE 14
QTY=2
Sr. No.
Feature Set
Compliance(Y/N)
A
General Requirement
A1
The spine layer switches should have hardware level redundancy
(1+1) in terms of data plane and control plane. Issues with any of
the plane should not impact the functioning of the switch.
A2
The switch should have redundant CPUs working in active-active
or active-standby mode. CPU fail over/change over should not
disrupt/impact/degrade the functioning of the switch.
A3
The Switch should support non-blocking Layer 2 switching and
Layer 3 routing
A4
The switch should not have any single point of failure like CPU,
supervisor, switching fabric power supplies and fans etc should
have 1:1/N+1 level of redundancy
A5
Switch should support in line hot insertion and removal of
different parts like modules/power supplies/fan tray etc. This
should not require rebooting of the switch or create disruption in
the working/functionality of the switch
A6
Switch should support the complete STACK of IP V4 and IP V6
services
A7
Switch with different modules should function line rate and
should not have any port with oversubscription ratio applied
A8
Switch should support in service software upgrade of the switch
without disturbing the traffic flow. There should not be any
impact on the performance in the event of the software
upgrade/downgrade. It should support in service patching of
selected process/processes only without impacting other running
processes
A9
Switch should support non blocking, wire speed performance per
line card
B
Hardware and Interface Requirement
B1
Switch should have the following interfaces:
B1.1
a. 48 x 1G/10G Ethernet RJ45 Interface (may use a leaf to cater
this requirement)
B1.2
b. 48 x 10G Multi Mode Fiber Interface
B1.3
c. 16 x 40/100 GbE QSFP Fiber Interface
B2
Switch should have console port for local management
B3
Switch should have management interface for Out of Band
Management
B4
Switch should be rack mountable and support side rails, if
required
B5
Switch should have adequate power supplies for the complete
system usage with all slots populated and used, providing N+1
redundancy
B6
Switch should have hardware health monitoring capabilities and
should provide different parameters through SNMP
B7
Switch should support VLAN tagging (IEEE 802.1q)
B8
Switch should support IEEE Link Aggregation and Ethernet
Bonding
functionality to group multiple ports for redundancy
B9
Switch should have the capability of holding multiple OS images
to support resilience & easy rollbacks during the version upgrades
etc and should support in service software upgrade including:
B9.1
a. Multiple System image
B9.2
b. Multiple system configuration
B9.3
c. Option of Configuration roll-back
B10
Switch should support for different logical interface types like
loopback, VLAN, SVI/IRB, Port Channel/ multi chassis port
channel/Link Aggregation Group (LAG) etc
C
Performance Requirement
C1
The switch should support 1,20,000 IPv4 and IPv6 routes entries
in the routing table with multicast routes
C2
Switch should support Graceful Restart for OSPF, BGP etc.
C3
Switch should support minimum 1000 VRF instances
C4
The switch should support uninterrupted forwarding operation
for OSPF, BGP etc. routing protocol to ensure high-availability
during primary controller failure
C5
The switch should support hardware based loadbalancing at wire
speed using LACP and multi chassis etherchannel/LAG
C6
Switch should have wire rate switching capacity including the
services:
C6.1
a. Switching
C6.2
b. IP Routing (Static/Dynamic)
C6.3
c. IP Forwarding
C6.4
d. Policy Based Routing
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
g. IP V.6 host and IP V.6 routing
D
Virtualization Features
D1
Switch should support Network Virtualisation using Virtual Over
Lay Network using VXLAN (RFC 7348)/NVGRE as per RFC
2890
D2
Switch should support VXLAN and EVPN for supporting Spine Leaf architecture to optimise the east - west traffic flow inside the
data center
D3
Switch should support Open Flow/Open Day light/Open Stack
controller
D4
Switch should support Data Center Bridging
D5
Switch should support multi OEM hypervisor environment and
should be able to sense movement of VM and configure network
automatically
E
Layer2 Features
E1
Spanning Tree Protocol (IEEE 802.1D, 802.1W, 802.1S)
E2
Switch should support VLAN Trunking (802.1q) and should
support 4096 VLAN
E3
Switch should support basic Multicast IGMP v1, v2, v3
E4
Switch should support minimum 160,000 no. of MAC addresses
E5
Switch should support 16 Nos. of link or more per Port channel
(using LACP) and support 200 port channels or more per switch
E6
Switch should support Industry Standard Port/Link Aggregation
for All Ports across any module or any port.
E7
Switch should support multi chassis Link Aggregation for All
Ports across any module or any port of the switch and Link
aggregation should support 802.3ad LACP protocol for
communication with downlink/uplink any third party switch or
server. Spine to spine - minimum 16 port Multi Chassis
etherchannel/LAG should be provided.
E8
Switch should support Jumbo Frames up to 9K Bytes
E9
Support for broadcast, multicast and unknown unicast storm
control to prevent degradation of switch performance from storm
due to network attacks and vulnerabilities
E10
Switch should support Link Layer Discovery Protocol as per IEEE
802.1AB for finding media level failures
F
Layer3 Features
F1
Switch should support all physical ports to use either in Layer2 or
Layer 3 mode and also should support layer 3 VLAN Interface
and Loopback port Interface
F2
Switch should support basic routing feature i.e. IP Classless,
default routing and Inter VLAN routing
F3
Switch should support static and dynamic routing using:
F3.1
a. Static routing
F3.2
b. OSPF V.2 using MD5 Authentication
F3.3
c. ISIS using MD5 Authentication
F3.4
d. BGP V.4 using MD5 Authentication
F3.5
e. Should support route redistribution between these protocols
F3.6
f. Should be compliant to RFC 4760 Multiprotocol
Extensions for BGP-4 (Desirable)
F4
Switch should reconverge all dynamic routing protocol at the
time of routing update changes i.e. Non-Stop forwarding/Non
Stop Routing for fast re-convergence of routing protocols
F5
Switch should support multi instance MPLS routing using VRF,
VRF Edge routing and should support VRF Route leaking functionality
F6
Switch should be capable to work as DHCP server and relay
F7
Switch should provide multicast traffic reachable using:
F7.1
a. PIM-SM
F7.2
b. PIM-SSM
F7.3
c. Bi-Directional PIM
F7.4
d. Support RFC 3618 Multicast Source Discovery Protocol
(MSDP)
F7.5
e. IGMP V.1, V.2 and V.3
F8
Switch should support Multicast routing of minimum 16 way
Equal Cost Multi Path load splitting
G
Availability
G1
Switch should have provisioning for connecting to 1:1/N+1 power
supply for usage and redundancy
G2
Switch should provide gateway level of redundancy in IP V.4 and
IP V.6 using HSRP/VRRP
G3
Switch should support for BFD For Fast Failure Detection as per
RFC (5880)
H
Quality of Service
H1
Switch system should support 802.1P classification and marking
of
packet using:
H1.1
a. CoS (Class of Service)
H1.2
b. DSCP (Differentiated Services Code Point)
H1.3
c. Source physical interfaces
H1.4
d. Source/destination IP subnet
H1.5
e. Protocol types (IP/TCP/UDP)
H1.6
f. Source/destination TCP/UDP ports
H2
Switch should support methods for identifying different types of
traffic for better management and resilience
H3
Switch should support for different type of QoS features for real
time traffic differential treatment using
H3.1
a. Weighted Random Early Detection
H3.2
b. Strict Priority Queuing
H4
Switch should support to trust the QoS marking/priority settings
of the end points as per the defined policy
H5
Switch should support Flow control of Ethernet ports to control
traffic rates during congestion by allowing congested nodes to
pause link operation at the other end for receiving traffic as per
IEEE 802.3x/ IEEE 802.1Qbb
I
Security
I1
Switch should support for deploying different security for each
logical and physical interface using Port Based access control lists
of Layer-2 to Layer-4 in IP V.4 and IP V.6 and logging for fault
finding and audit trail
I2
Switch should support control plane i.e. processor and memory
protection from unnecessary or DoS traffic by control plane
protection policy
I4
Switch should support for external database for AAA using:
I4.1
a. TACACS+
I4.2
b. RADIUS
I5
Switch should support MAC Address Notification on host join
into the network for Audit trails and logging
I6
Switch should support to restrict end hosts in the network.
Secures the access to an access or trunk port based on MAC
address. It limits the number of learned MAC addresses to deny
MAC address flooding
I7
Switch should support for Role Based access control (RBAC) for
restricting host level network access as per policy defined
I8
Switch should support to prevent edge devices in the network that
are not under the administrator's control from becoming Spanning
Tree Protocol root nodes
I9
Switch should support unicast and/or multicast blocking on a
switch port to suppress the flooding of frames destined for an
unknown unicast or multicast MAC address out of that port
I10
Switch should support Spanning tree BPDU protection
I11
Switch should support for MOTD banner displayed on all
connected terminals at login and security discrimination
messages can be flashed
J
Manageability
J1
Switch should support for embedded RMON/RMON-II for
central NMS management and monitoring
J2
Switch should support for sending logs to multiple centralised
syslog server for monitoring and audit trail
J3
Switch should provide remote login for administration using:
J3.1
a. Telnet
J3.2
b. SSH V.2
J4
Switch should support for capturing packets for identifying
application performance using local and remote port mirroring
for packet captures
J5
Switch should support for management and monitoring status
using different type of Industry standard NMS using:
J5.1
a. SNMP V1 and V.2
J5.2
b. SNMP V.3 with encryption
J5.3
c. Filtration of SNMP using Access list
J5.4
d. SNMP MIB support for QoS
J6
Switch should support for basic administrative tools like:
J6.1
a. Ping
J6.2
b. Traceroute
J7
Switch should support central time server synchronisation using
Network Time Protocol NTP V.4/PTP
J8
Switch should support for providing granular MIB support for
different statistics of the physical and logical interfaces
J9
Switch should support for predefined and customized execution
of script for device management for automatic and scheduled system
status update for monitoring and management
J10
Switch should provide different privilege for login in to the
system for monitoring and management
J11
Switch should support Real time Packet Capture using Wireshark
in real time for traffic analysis and fault finding
K
IPv6 features
K1
Switch should support for IP V.6 connectivity and routing
required for network reachability using different routing
protocols such as:
K1.1
a. OSPF V.3
K1.2
b. BGP with IP V.6
K1.3
c. IP V.6 Policy based routing
K1.4
d. IP V.6 Dual Stack etc
K1.5
e. IP V.6 Static Route
K1.6
f. IP V.6 Default route
K1.7
g. Should support route redistribution between these protocols
K2
Switch should support multicast routing in IP V.6 network using
PIMv2 Sparse Mode/ MLD V1/2
K3
Switch should support for QoS in IP V.6 network connectivity
K4
Switch should support for monitoring and management using
different versions of SNMP in IP V.6 environment such as:
K4.1
a. SNMPv1, SNMPv2c, SNMPv3
K4.2
b. SNMP over IP V.6 with encryption support for SNMP Version
3
K5
Switch should support syslog for sending system log messages to
centralised log server in IP V.6 environment
K6
Switch should support NTP to provide an accurate and consistent
timestamp over IPv6 to synchronize log collection and events
K7
Switch should support for IP V.6 different types of tools for
administration and management such as:
K7.1
a. Ping
K7.2
b. Traceroute
K7.3
c. VTY
K7.4
d. SSH
K7.5
e. TFTP
K7.6
f. DNS lookup
Extranet Switch Specification
TABLE - 15
QTY=2
Sr. No.
Feature Set
Compliance(Y/N)
A
General Requirement
A1
The spine layer switches should have hardware level redundancy (1+1) in
terms of data plane and control plane. Issues with any of the planes should
not impact the functioning of the switch.
A2
The switch should have redundant CPUs working in active-active or
active-standby mode. CPU fail over/change over should not
disrupt/impact/degrade the functioning of the switch.
A3
The Switch should support non-blocking Layer 2 switching and Layer 3
routing
A4
The switch should not have any single point of failure like CPU,
supervisor, switching fabric power supplies and fans etc should have
1:1/N+1 level of redundancy
A5
Switch should support in line hot insertion and removal of different parts
like modules/power supplies/fan tray etc. This should not require
rebooting of the switch or create disruption in the working/functionality
of the switch
A6
Switch should support the complete STACK of IP V4 and IP V6 services
A7
Switch with different modules should function line rate and should not
have any port with oversubscription ratio applied
A8
Switch should support in service software upgrade of the switch without
disturbing the traffic flow. There should not be any impact on the
performance in the event of the software upgrade/downgrade. It should
support in service patching of selected process/processes only without
impacting other running processes
A9
Switch should support non blocking, wire speed performance per line
card
B
Hardware and Interface Requirement
B1
Switch should have the following interfaces:
B1.1
a. 96 x 1G/10G Ethernet RJ45 Interface*
B1.2
b. 48 x 10G Multi Mode Fiber Interface
B1.3
c. 16 x 40/100 GbE QSFP Fiber Interface
B2
Switch should have console port for local management
B3
Switch should have management interface for Out of Band Management
B4
Switch should be rack mountable and support side rails, if required
B5
Switch should have adequate power supplies for the complete system
usage with all slots populated and used, providing N+1 redundancy
B6
Switch should have hardware health monitoring capabilities and should
provide different parameters through SNMP
B7
Switch should support VLAN tagging (IEEE 802.1q)
B8
Switch should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Switch should have the capability of holding multiple OS images to
support resilience & easy rollbacks during the version upgrades etc and
should support in service software upgrade including:
B9.1
a. Multiple System image
B9.2
b. Multiple system configuration
B9.3
c. Option of Configuration roll-back
B10
Switch should support for different logical interface types like loopback,
VLAN, SVI/IRB, Port Channel/ multi chassis port channel/Link
Aggregation Group (LAG) etc
C
Performance Requirement
C1
The switch should support 1,20,000 IPv4 and IPv6 routes entries in the
routing table with multicast routes
C2
Switch should support Graceful Restart for OSPF, BGP etc.
C3
Switch should support minimum 1000 VRF instances
C4
The switch should support uninterrupted forwarding operation for OSPF,
BGP etc. routing protocol to ensure high-availability during primary
controller failure
C5
The switch should support hardware based loadbalancing at wire speed
using LACP and multi chassis etherchannel/LAG
C6
Switch should have wire rate switching capacity including the services:
C6.1
a. Switching
C6.2
b. IP Routing (Static/Dynamic)
C6.3
c. IP Forwarding
C6.4
d. Policy Based Routing
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
g. IP V.6 host and IP V.6 routing
D
Virtualization Features
D1
Switch should support Network Virtualisation using Virtual Over Lay
Network using VXLAN (RFC 7348)/NVGRE as per RFC 2890
D2
Switch should support VXLAN and EVPN for supporting Spine - Leaf
architecture to optimise the east - west traffic flow inside the data center
D3
Switch should support Open Flow/Open Day light/Open Stack controller
D4
Switch should support Data Center Bridging
D5
Switch should support multi OEM hypervisor environment and should be
able to sense movement of VM and configure network automatically
E
Layer2 Features
E1
Spanning Tree Protocol (IEEE 802.1D, 802.1W, 802.1S)
E2
Switch should support VLAN Trunking (802.1q) and should support 4096
VLAN
E3
Switch should support basic Multicast IGMP v1, v2, v3
E4
Switch should support minimum 160,000 no. of MAC addresses
E5
Switch should support 16 Nos. of link or more per Port channel (using
LACP) and support 200 port channels or more per switch
E6
Switch should support Industry Standard Port/Link Aggregation for All
Ports across any module or any port.
E7
Switch should support multi chassis Link Aggregation for All Ports across
any module or any port of the switch and Link aggregation should support
802.3ad LACP protocol for communication with downlink/uplink any
third party switch or server. Spine to spine - minimum 16 port Multi
Chassis etherchannel/LAG should be provided.
E8
Switch should support Jumbo Frames up to 9K Bytes
E9
Support for broadcast, multicast and unknown unicast storm control to
prevent degradation of switch performance from storm due to network
attacks and vulnerabilities
E10
Switch should support Link Layer Discovery Protocol as per IEEE
802.1AB for finding media level failures
F
Layer3 Features
F1
Switch should support all physical ports to use either in Layer2 or Layer 3
mode and also should support layer 3 VLAN Interface and Loopback port
Interface
F2
Switch should support basic routing feature i.e. IP Classless, default
routing and Inter VLAN routing
F3
Switch should support static and dynamic routing using:
F3.1
a. Static routing
F3.2
b. OSPF V.2 using MD5 Authentication
F3.3
c. ISIS using MD5 Authentication
F3.4
d. BGP V.4 using MD5 Authentication
F3.5
e. Should support route redistribution between these protocols
F3.6
f. Should be compliant to RFC 4760 Multiprotocol
Extensions for BGP-4 (Desirable)
F4
Switch should reconverge all dynamic routing protocol at the time of
routing update changes i.e. Non-Stop forwarding/Non Stop Routing for
fast re-convergence of routing protocols
F5
Switch should support multi instance MPLS routing using VRF, VRF
Edge routing and should support VRF Route leaking functionality
F6
Switch should be capable to work as DHCP server and relay
F7
Switch should provide multicast traffic reachable using:
F7.1
a. PIM-SM
F7.2
b. PIM-SSM
F7.3
c. Bi-Directional PIM
F7.4
d. Support RFC 3618 Multicast Source Discovery Protocol (MSDP)
F7.5
e. IGMP V.1, V.2 and V.3
F8
Switch should support Multicast routing of minimum 16 way Equal Cost
Multi Path load splitting
G
Availability
G1
Switch should have provisioning for connecting to 1:1/N+1 power supply
for usage and redundancy
G2
Switch should provide gateway level of redundancy in IP V.4 and IP V.6
using HSRP/VRRP
G3
Switch should support for BFD For Fast Failure Detection as per RFC
(5880)
H
Quality of Service
H1
Switch system should support 802.1P classification and marking of
packet using:
H1.1
a. CoS (Class of Service)
H1.2
b. DSCP (Differentiated Services Code Point)
H1.3
c. Source physical interfaces
H1.4
d. Source/destination IP subnet
H1.5
e. Protocol types (IP/TCP/UDP)
H1.6
f. Source/destination TCP/UDP ports
H2
Switch should support methods for identifying different types of traffic for
better management and resilience
H3
Switch should support for different type of QoS features for real time
traffic differential treatment using
H3.1
a. Weighted Random Early Detection
H3.2
b. Strict Priority Queuing
H4
Switch should support to trust the QoS marking/priority settings of the
end points as per the defined policy
H5
Switch should support Flow control of Ethernet ports to control traffic
rates during congestion by allowing congested nodes to pause link
operation at the other end for receiving traffic as per IEEE 802.3x/ IEEE
802.1Qbb
I
Security
I1
Switch should support for deploying different security for each logical and
physical interface using Port Based access control lists of Layer-2 to
Layer-4 in IP V.4 and IP V.6 and logging for fault finding and audit trail
I2
Switch should support control plane i.e. processor and memory
protection from unnecessary or DoS traffic by control plane protection
policy
I4
Switch should support for external database for AAA using:
I4.1
a. TACACS+
I4.2
b. RADIUS
I5
Switch should support MAC Address Notification on host join into the
network for Audit trails and logging
I6
Switch should support to restrict end hosts in the network. Secures the
access to an access or trunk port based on MAC address. It limits the
number of learned MAC addresses to deny MAC address flooding
I7
Switch should support for Role Based access control (RBAC) for
restricting host level network access as per policy defined
I8
Switch should support to prevent edge devices in the network that are
not under the administrator's control from becoming Spanning Tree
Protocol root nodes
I9
Switch should support unicast and/or multicast blocking on a switch port
to suppress the flooding of frames destined for an unknown unicast or
multicast MAC address out of that port
I10
Switch should support Spanning tree BPDU protection
I11
Switch should support for MOTD banner displayed on all connected
terminals at login and security discrimination messages can be flashed
J
Manageability
J1
Switch should support for embedded RMON/RMON-II for central NMS
management and monitoring
J2
Switch should support for sending logs to multiple centralised syslog
server for monitoring and audit trail
J3
Switch should provide remote login for administration using:
J3.1
a. Telnet
J3.2
b. SSH V.2
J4
Switch should support for capturing packets for identifying application
performance using local and remote port mirroring for packet captures
J5
Switch should support for management and monitoring status using
different type of Industry standard NMS using:
J5.1
a. SNMP V1 and V.2
J5.2
b. SNMP V.3 with encryption
J5.3
c. Filtration of SNMP using Access list
J5.4
d. SNMP MIB support for QoS
J6
Switch should support for basic administrative tools like:
J6.1
a. Ping
J6.2
b. Traceroute
J7
Switch should support central time server synchronisation using Network
Time Protocol NTP V.4/PTP
J8
Switch should support for providing granular MIB support for different
statistics of the physical and logical interfaces
J9
Switch should support for predefined and customized execution of script
for device management for automatic and scheduled system status update for
monitoring and management
J10
Switch should provide different privilege for login in to the system for
monitoring and management
J11
Switch should support Real time Packet Capture using Wireshark in real
time for traffic analysis and fault finding
K
IPv6 features
K1
Switch should support for IP V.6 connectivity and routing required for
network reachability using different routing protocols such as:
K1.1
a. OSPF V.3
K1.2
b. BGP with IP V.6
K1.3
c. IP V.6 Policy based routing
K1.4
d. IP V.6 Dual Stack etc
K1.5
e. IP V.6 Static Route
K1.6
f. IP V.6 Default route
K1.7
g. Should support route redistribution between these protocols
K2
Switch should support multicast routing in IP V.6 network using PIMv2
Sparse Mode/ MLD V1/2
K3
Switch should support for QoS in IP V.6 network connectivity
K4
Switch should support for monitoring and management using different
versions of SNMP in IP V.6 environment such as:
K4.1
a. SNMPv1, SNMPv2c, SNMPv3
K4.2
b. SNMP over IP V.6 with encryption support for SNMP Version 3
K5
Switch should support syslog for sending system log messages to
centralised log server in IP V.6 environment
K6
Switch should support NTP to provide an accurate and consistent
timestamp over IPv6 to synchronize log collection and events
K7
Switch should support for IP V.6 different types of tools for
administration and management such as:
K7.1
a. Ping
K7.2
b. Traceroute
K7.3
c. VTY
K7.4
d. SSH
K7.5
e. TFTP
K7.6
f. DNS lookup
*may use a leaf to cater this requirement
WAN Edge Switch Specification
TABLE - 16
Quantity 2
Sr. No.
Compliance(Y/N)
Feature Set
A
General Requirement
A1
The spine layer switches should have hardware level
redundancy (1+1) in terms of data plane and control plane.
Issues with any of the plane should not impact the functioning
of the switch.
A2
The switch should have redundant CPUs working in active-active
or active-standby mode. CPU fail over/change over should not
disrupt/impact/degrade the functioning of the switch.
A3
The Switch should support non-blocking Layer 2 switching and
Layer 3 routing
A4
The switch should not have any single point of failure like CPU,
supervisor, switching fabric power supplies and fans etc should
have 1:1/N+1 level of redundancy
A5
Switch should support in line hot insertion and removal of
different parts like modules/power supplies/fan tray etc. This
should not require rebooting of the switch or create disruption
in the working/functionality of the switch
A6
Switch should support the complete STACK of IP V4 and IP V6
services
A7
Switch with different modules should function line rate and
should not have any port with oversubscription ratio applied
A8
Switch should support in service software upgrade of the
switch without disturbing the traffic flow. There should not be
any impact on the performance in the event of the software
upgrade/downgrade. It should support in service patching of
selected process/processes only without impacting other
running processes
A9
Switch should support non blocking, wire speed performance
per line card
B
Hardware and Interface Requirement
B1
Switch should have the following interfaces:
B1.1
a. 48 x 10G Multi Mode Fiber Interface
B1.2
b. 24 x 40/100 GbE QSFP Fiber Interface
B2
Switch should have console port for local management
B3
Switch should have management interface for Out of Band
Management
B4
Switch should be rack mountable and support side rails, if
required
B5
Switch should have adequate power supplies for the complete
system usage with all slots populated and used, providing N+1
redundancy
B6
Switch should have hardware health monitoring capabilities
and should provide different parameters through SNMP
B7
Switch should support VLAN tagging (IEEE 802.1q)
B8
Switch should support IEEE Link Aggregation and Ethernet
Bonding
functionality to group multiple ports for redundancy
B9
Switch should have the capability of holding multiple OS
images to support resilience & easy rollbacks during the version
upgrades etc and should support in service software upgrade
including:
B9.1
a. Multiple System image
B9.2
b. Multiple system configuration
B9.3
c. Option of Configuration roll-back
B10
Switch should support for different logical interface types like
loopback, VLAN, SVI/IRB, Port Channel/ multi chassis port
channel/Link Aggregation Group (LAG) etc
C
Performance Requirement
C1
The switch should support 1,20,000 IPv4 and IPv6 routes
entries in the routing table with multicast routes
C2
Switch should support Graceful Restart for OSPF, BGP etc.
C3
Switch should support minimum 1000 VRF instances
C4
The switch should support uninterrupted forwarding operation
for OSPF, BGP etc. routing protocol to ensure high-availability
during primary controller failure
C5
The switch should support hardware based loadbalancing at
wire speed using LACP and multi chassis etherchannel/LAG
C6
Switch should have wire rate switching capacity including the
services:
C6.1
a. Switching
C6.2
b. IP Routing (Static/Dynamic)
C6.3
c. IP Forwarding
C6.4
d. Policy Based Routing
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
g. IP V.6 host and IP V.6 routing
D
Virtualization Features
D1
Switch should support Network Virtualisation using Virtual
Over Lay Network using VXLAN (RFC 7348)/NVGRE as per
RFC 2890
D2
Switch should support VXLAN and EVPN for supporting
Spine - Leaf architecture to optimise the east - west traffic flow
inside the data center
D3
Switch should support Open Flow/Open Day light/Open Stack
controller
D4
Switch should support Data Center Bridging
D5
Switch should support multi OEM hypervisor environment
and should be able to sense movement of VM and configure
network automatically
E
Layer2 Features
E1
Spanning Tree Protocol (IEEE 802.1D, 802.1W, 802.1S)
E2
Switch should support VLAN Trunking (802.1q) and should
support 4096 VLAN
E3
Switch should support basic Multicast IGMP v1, v2, v3
E4
Switch should support minimum 160,000 no. of MAC
addresses
E5
Switch should support 16 Nos. of link or more per Port channel
(using LACP) and support 200 port channels or more per
switch
E6
Switch should support Industry Standard Port/Link
Aggregation for All Ports across any module or any port.
E7
Switch should support multi chassis Link Aggregation for All
Ports across any module or any port of the switch and Link
aggregation should support 802.3ad LACP protocol for
communication with downlink/uplink any third party switch
or server. Spine to spine - minimum 16 port Multi Chassis
etherchannel/LAG should be provided.
E8
Switch should support Jumbo Frames up to 9K Bytes
E9
Support for broadcast, multicast and unknown unicast storm
control to prevent degradation of switch performance from
storm due to network attacks and vulnerabilities
E10
Switch should support Link Layer Discovery Protocol as per
IEEE 802.1AB for finding media level failures
F
Layer3 Features
F1
Switch should support all physical ports to use either in Layer2
or Layer 3 mode and also should support layer 3 VLAN
Interface and Loopback port Interface
F2
Switch should support basic routing feature i.e. IP Classless,
default routing and Inter VLAN routing
F3
Switch should support static and dynamic routing using:
F3.1
a. Static routing
F3.2
b. OSPF V.2 using MD5 Authentication
F3.3
c. ISIS using MD5 Authentication
F3.4
d. BGP V.4 using MD5 Authentication
F3.5
e. Should support route redistribution between these protocols
F3.6
f. Should be compliant to RFC 4760 Multiprotocol
Extensions for BGP-4 (Desirable)
F4
Switch should reconverge all dynamic routing protocol at the
time of routing update changes i.e. Non-Stop forwarding/Non
Stop Routing for fast re-convergence of routing protocols
F5
Switch should support multi instance MPLS routing using
VRF, VRF Edge routing and should support VRF Route leaking
functionality
F6
Switch should be capable to work as DHCP server and relay
F7
Switch should provide multicast traffic reachable using:
F7.1
a. PIM-SM
F7.2
b. PIM-SSM
F7.3
c. Bi-Directional PIM
F7.4
d. Support RFC 3618 Multicast Source Discovery Protocol
(MSDP)
F7.5
e. IGMP V.1, V.2 and V.3
F8
Switch should support Multicast routing of minimum 16 way
Equal Cost Multi Path load splitting
G
Availability
G1
Switch should have provisioning for connecting to 1:1/N+1
power supply for usage and redundancy
G2
Switch should provide gateway level of redundancy in IP V.4
and IP V.6 using HSRP/VRRP
G3
Switch should support for BFD For Fast Failure Detection as
per RFC (5880)
H
Quality of Service
H1
Switch system should support 802.1P classification and
marking of
packet using:
H1.1
a. CoS (Class of Service)
H1.2
b. DSCP (Differentiated Services Code Point)
H1.3
c. Source physical interfaces
H1.4
d. Source/destination IP subnet
H1.5
e. Protocol types (IP/TCP/UDP)
H1.6
f. Source/destination TCP/UDP ports
H2
Switch should support methods for identifying different types
of traffic for better management and resilience
H3
Switch should support for different type of QoS features for
real time traffic differential treatment using
H3.1
a. Weighted Random Early Detection
H3.2
b. Strict Priority Queuing
H4
Switch should support to trust the QoS marking/priority
settings of the end points as per the defined policy
H5
Switch should support Flow control of Ethernet ports to
control traffic rates during congestion by allowing congested
nodes to pause link operation at the other end for receiving
traffic as per IEEE 802.3x/ IEEE 802.1Qbb
I
Security
I1
Switch should support for deploying different security for each
logical and physical interface using Port Based access control
lists of Layer-2 to Layer-4 in IP V.4 and IP V.6 and logging for
fault finding and audit trail
I2
Switch should support control plane i.e. processor and
memory Protection from unnecessary or DoS traffic by control plane
protection policy
I4
Switch should support for external database for AAA using:
I4.1
a. TACACS+
I4.2
b. RADIUS
I5
Switch should support MAC Address Notification on host join
into the network for Audit trails and logging
I6
Switch should support to restrict end hosts in the network.
Secures the access to an access or trunk port based on MAC
address. It limits the number of learned MAC addresses to
deny MAC address flooding
I7
Switch should support for Role Based access control (RBAC)
for
restricting host level network access as per policy defined
I8
Switch should support to prevent edge devices in the network
that are not under the administrator's control from becoming Spanning Tree
Protocol root nodes
I9
Switch should support unicast and/or multicast blocking on a
switch port to suppress the flooding of frames destined for an
unknown unicast or multicast MAC address out of that port
I10
Switch should support Spanning tree BPDU protection
I11
Switch should support for MOTD banner displayed on all
connected terminals at login and security discrimination
messages can be flashed
J
Manageability
J1
Switch should support for embedded RMON/RMON-II for
central NMS management and monitoring
J2
Switch should support for sending logs to multiple centralised
syslog server for monitoring and audit trail
J3
Switch should provide remote login for administration using:
J3.1
a. Telnet
J3.2
b. SSH V.2
J4
Switch should support for capturing packets for identifying
application performance using local and remote port mirroring
for packet captures
J5
Switch should support for management and monitoring status
using different type of Industry standard NMS using:
J5.1
a. SNMP V1 and V.2
J5.2
b. SNMP V.3 with encryption
J5.3
c. Filtration of SNMP using Access list
J5.4
d. SNMP MIB support for QoS
J6
Switch should support for basic administrative tools like:
J6.1
a. Ping
J6.2
b. Traceroute
J7
Switch should support central time server synchronisation
using Network Time Protocol NTP V.4/PTP
J8
Switch should support for providing granular MIB support for
different statistics of the physical and logical interfaces
J9
Switch should support for predefined and customized
execution of script for device management for automatic and
scheduled system status update for monitoring and
management
J10
Switch should provide different privilege for login in to the
system for monitoring and management
J11
Switch should support Real time Packet Capture using
Wireshark in real time for traffic analysis and fault finding
K
IPv6 features
K1
Switch should support for IP V.6 connectivity and routing
required for network reachability using different routing
protocols such as:
K1.1
a. OSPF V.3
K1.2
b. BGP with IP V.6
K1.3
c. IP V.6 Policy based routing
K1.4
d. IP V.6 Dual Stack etc
K1.5
e. IP V.6 Static Route
K1.6
f. IP V.6 Default route
K1.7
g. Should support route redistribution between these protocols
K2
Switch should support multicast routing in IP V.6 network
using PIMv2 Sparse Mode/ MLD V1/2
K3
Switch should support for QoS in IP V.6 network connectivity
K4
Switch should support for monitoring and management using
different versions of SNMP in IP V.6 environment such as:
K4.1
a. SNMPv1, SNMPv2c, SNMPv3
K4.2
b. SNMP over IP V.6 with encryption support for SNMP
Version 3
K5
Switch should support syslog for sending system log messages
to
centralised log server in IP V.6 environment
K6
Switch should support NTP to provide an accurate and
consistent
timestamp over IPv6 to synchronize log collection and events
K7
Switch should support for IP V.6 different types of tools for
administration and management such as:
K7.1
a. Ping
K7.2
b. Traceroute
K7.3
c. VTY
K7.4
d. SSH
K7.5
e. TFTP
K7.6
f. DNS lookup
WAN Router
TABLE - 17
Quantity: 2
Sr. No.
Compliance(Y/N)
Feature Set
A
Solution Requirement
A1
The router architecture should be based on hardware based forwarding and
switching. System should be multi processor based architecture for enhanced
performance
A2
The router should have data plane and control plane hardware level of
redundancy for providing self redundancy and should not disrupt the system
functionality at the time of any data plane or control plane hardware failure
A3
The router should support granular traffic detection and management using
QoS features and should allocate network resources on application priority and
requirement
A6
Router should have facility to work as IPSec VPN Concentrator for Site-to-Site
VPN
A7
Router should support the complete STACK of IP V4 and IP V6 services
A8
The switch should have Control Plane (routing engine) redundancy so in event
of failure either hardware or software there should not be disruption in services
A9
The router should support on line hot insertion and removal of power supply
and connected modules. Any insertion line card/power supply should not
require for router rebooting nor should disrupt the functionality of the system
A10
Router should be certified by EAL 3 and above
B
Hardware and Interface Requirement
B1
Router should have the following interfaces:
B1.1
a. 16 x 1G Ethernet RJ45 Interface
B1.2
b. 12 x 1G Single Mode Fiber Interface
B1.3
c. 12 x 1G Multi Mode Fiber Interface
B1.4
d. 12 x 10GbE Single Mode Fiber Interface
B1.5
e. 12 x 10GbE Multi Mode Fiber Interface
B2
Router should have console port
B3
Router should have management interface for Out of Band Management
B4
Router should be rack mountable and support side rails if required
B5
Router should have redundant power supplies (at least dual)
B6
Router should have hardware health monitoring capabilities and should
provide different parameters through SNMP
B7
Router should support VLAN tagging (IEEE 802.1q)
B8
Router should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Router should have the capability of holding multiple OS images to support
resilience & easy rollbacks during the version upgrades etc and should support
inservice software upgrade including:
B10
a. Multiple System image
B11
b. Multiple system configuration
B12
c. Option of Configuration roll-back
B13
Router should support for different logical interface types like loopback, GRE
and IPIP tunnel, VLAN etc
C
Performance Requirement
C1
The router should support minimum 3,000,000 IPv4 and IPv6 routes entries
including multicast routes
C3
Router should support Graceful Restart for OSPF, BGP, MP-BGP etc.
C4
The router should support minimum 1000 VRF instances
C5
Router should support 1000 of IPSec tunnels
C6
Router should support minimum 60 Gbps of Unicast WAN traffic including the
services
C6.1
a. IP Routing (Static/Dynamic)
C6.2
b. IP Forwarding
C6.4
d. NAT
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
h. MPLS with VRF Edge Routing
C6.8
i. IPv6 host and IPv6 routing
C7
The router should support uninterrupted forwarding operation for OSPF, BGP
etc. routing protocol to ensure high-availability during primary controller
failure
C8
The router should support secured connectivity using point to point and any to
any dynamic IPSec VPN for secured data transfer
C8.1
a. Hardware based IPSec Encryption
C8.2
b. 1000 Point to Point IPSec Tunnels
C8.3
c. Any to Any Dynamic IPSec VPN using the GDOI Protocol should be
supported
C8.4
d. IPSec Idle Timeout and Dead Peer detection
C8.5
e. Support Multicast traffic over any to any dynamic VPN
D
Layer2 Features
D1
Spanning Tree Protocol (IEEE 802.1D, 802.1S)
D2
VLAN Trunking (802.1q)
D3
System should provide basic Layer 2 WAN protocols as:
D3.2
b. GRE
D3.3
c. Ethernet
E
Layer3 Features
E1
The router should support IPSec Framework for Secured Data transfer
E1.1
a. IPSec Data Encapsulation AH and ESP
E1.2
b. Key Exchange : Internet Key Exchange (IKE), IKEv2, Pre-Shared Keys (PSK),
Public Key Infrastructure PKI (X.509), RSA encrypted nonces etc
E1.3
c. Encryption Algorithm: DES, 3DES, AES-128/192/256
E1.4
d. Authentication Algorithm: SHA1 and SHA2
E1.5
e. Group: Diffie-Hellman (DH) Group 1, 2, 5
E1.6
g. Different mode of communication: Tunnel mode and Transport mode
E1.7
h. IPSec NAT Traversal
E2
The router should support IPSec framework standard RFC:
E2.1
a. IPSec (RFCs 2401 to 2410)
E2.2
b. IPSec ESP using DES and 3DES (RFC 2406)
E2.3
c. IPSec authentication header using MD5 or SHA (RFCs 2403 to 2404)
E2.4
d. IKE (RFCs 2407 to 2409)
E2.5
e. GDOI (RFC 3547 - Group Domain of Interpretation)
E3
Router should provide basic routing feature i.e. IP Classless and default routing
E4
Router should provide static and dynamic routing using:
E4.1
a. Static routing
E4.2
b. RIP V.2 with MD5 Authentication
E4.3
d. OSPF V.2 using MD5 Authentication
E4.5
e. ISIS using MD5 Authentication
E4.6
f. BGP V.4 using MD5 Authentication
E4.7
g. Should support route redistribution between these protocols
h. Should be compliant to RFC 4760 Multiprotocol Extensions for BGP-4
(Desirable)
E5
Router should support for policy based routing for providing different path
selection for different applications and also should support best path selection
using realtime parameters like:
E5.1
a. Jitter
E5.2
b. Minimum cost
E5.3
c. Network path availability
E5.4
d. Network Response Time
E5.5
e. Packet loss
E6
The router should reconverge all dynamic routing protocol at the time of
routing update changes i.e. Non-Stop forwarding for fast re-convergence of
routing protocols
E7
Router should support connecting multiple MPLS service providers using multi instance
routing using VRF and do VRF Edge routing or equivalent
E8
Router should be capable to work as DHCP server and relay
E9
Router should provide multicast traffic reachable using:
E9.1
PIM-SM
E9.2
PIM-SSM
E9.3
Bi-Directional PIM
E9.4
MBGP and DVMRP or equivalent
E9.5
Support RFC 3618 Multicast Source Discovery Protocol (MSDP)
E9.6
Support Any cast Rendezvous Point (RP) mechanism using PIM and Multicast
Source Discovery Protocol (MSDP) as defined in RFC 3446
E9.7
IGMP V.1, V.2 and V.3
F
Availability
F1
Router should have provisioning for connecting to dual power system
F2
Router should support to dynamically discover and cope with differences in the
maximum allowable maximum transmission unit (MTU) size of the various
links along the path, using multiple interconnected for end to end network
connectivity and usability
F3
Router should automatically fail over, on primary interface status change or
remote network not reachable, to the secondary link connectivity using the following
realtime parameters (IP SLA):
F3.1
Jitter
F3.2
Network path availability
F3.3
Network Response Time
F3.4
Packet loss
F4
Router should provide gateway level of redundancy in IPv4 and IPv6 using
HSRP/VRRP & NHRP / equivalent for Dynamic VPN
G
Quality of Service
G1
Router system should support 802.1P classification and marking of packet
using:
G1.1
a. CoS (Class of Service)
G1.2
b. DSCP (Differentiated Services Code Point)
G1.3
c. Source physical interfaces
G1.4
d. Source/destination IP subnet
G1.5
e. Protocol types (IP/TCP/UDP)
G1.6
f. Source/destination TCP/UDP ports
G2
Router should support methods for identifying different types of traffic for
better management and resilience under network attacks
G3
Router should support for different type of QoS features for real time traffic
differential treatment using
G3.1
Weighted Fair Queuing or equivalent
G3.2
Weighted Random Early Detection or equivalent
G3.3
Priority queuing
G4
Router should support controlling incoming and outgoing traffic using
G4.1
a. Traffic Shaping
G4.2
b. Traffic Policing
G5
Router should support for managing congested network connectivity using:
G5.1
a. TCP congestion control
G5.2
b. IP Precedence
G5.3
c. Ingress and Egress Rate Limiting
G6
Router should support for packet classification and fragmentation before
applying IPSec security encryption for providing end to end QoS treatment
G7
Router should support hierarchical QoS for providing granular policy per
application basis for providing bandwidth provisioning and management
H
Security
H2
Router should support for deploying different security for each logical and
physical interface using Port Based access control lists of Layer-2 to Layer-4 in
IPv4 and IPv6
H3
Router processor and memory Protection from unnecessary or DoS traffic by
control plane protection policy
H4
Router should support for stringent security policies based on time of day of
Layer-2 to Layer-4
H5
Router should support for external database for AAA using:
H5.1
a. TACACS+
H5.2
b. RADIUS
H6
Router should support dynamic inspection of ARP for the locally connected
network system
H7
Router should support for multiple service provider using edge VRF and IPSec
traffic encryption
H8
Router should support GRE and IPSec WAN traffic encapsulation and
encryption
H9
The router shall support unicast RPF (uRPF) feature to block any
communications and attacks that are being sourced from Randomly generated
IP addresses.
I
Manageability
I1
Router should support for embedded RMON for central NMS management and
monitoring
I2
Router should support for sending logs to multiple centralised syslog server for
monitoring and audit trail
I3
Router should provide remote login for administration using:
I3.1
a. Telnet
I3.2
b. SSH V.2
I4
Router should support for capturing packets for identifying application
performance using remote port mirroring for packet captures
I5
Router should support for management and monitoring status using different
type of Industry standard NMS using:
I5.1
a. SNMP V1 and V.2
I5.2
b. SNMP V.3
I5.4
c. Filtration of SNMP using Access list
I5.5
d. SNMP MIB support for QoS
I6
Router should support for basic administrative tools like:
I6.1
a. Ping
I6.2
b. Traceroute
I7
Router should support central time server synchronisation using Network Time
Protocol NTP V.4
I8
Router should support for collecting realtime traffic statistics for analysis and
troubleshooting using Netflow or Ipfix or equivalent
I9
Router should support for providing granular MIB support for different
statistics of the LAN and WAN interface
I10
Router should support for predefined and customised execution of script for
device management for automatic and scheduled system status update for monitoring
and management
I.11
Router should provide different privilege for login in to the system for
monitoring and management
I.12
Router should support to dynamically change in configuration or operating
system by using different local and central tools and scripts
J
IPv6 features
J1
Router should support IPv6
J2
Router should support for IP V.6 connectivity and routing required for network
reachability using different routing protocols such as:
J2.1
a. RIP NG
J2.2
b. OSPF V.3
J2.3
c. BGP with IPv6
J2.4
d. IPv6 Policy based routing
J2.5
e. IPv6 Dual Stack etc
J2.6
f. IPv6 Static Route
J2.7
g. IPv6 Default route
J2.8
h. Should support route redistribution between these protocols
J3
Router should support different types of IPv6 tunnelling mechanism, such as:
J3.1
a. Automatic IPv6 to IPv4 tunnels / IPv4 to IPv6 tunnels
J3.2
b. Automatic IPv4 compatible tunnels / IPv4 to IPv6 tunnels
J3.3
c. IPv6 over IPv4 tunneling
J3.4
d. ISATAP Tunneling
J4
Router should support different types of multicast routing in IPv6 network
using:
J4.1
a. PIMv2 Sparse Mode
J4.2
b. PIMv2 Source-Specific Multicast
J5
Router should support for QoS in IPv6 network connectivity
J6
Router should support for monitoring and management using different
versions of SNMP in IPv6 environment such as:
J6.1
a. SNMPv1, SNMPv2c, SNMPv3
J6.2
b. SNMP over IPv6 & AES & 3DES encryption support for SNMP Version 3
J6.3
c. RFC4292/RFC4293 MIBs for IPv6 traffic
J7
Router should support syslog for sending system log messages to centralised
log server in IPv6 environment
J8
Router should support NTP to provide an accurate and consistent timestamp
over IPv6 to synchronize log collection and events
J9
Router should support for IPv6 different type of application usage like:
J9.1
a. HTTP
J9.2
b. HTTPS
J9.3
c. ICMP
J9.4
d. TCP/UDP
J9.5
e. DNS lookup
J9.6
f. DHCP
J10
Router should support for IPv6 different types of tools for administration and
management such as:
J10.1
a. Ping
J10.2
b. Traceroute
J10.3
c. VTY
J10.4
d. SSH
J10.5
e. TFTP
Replication Router
TABLE - 18
Quantity: 2
Sr. No.
Compliance(Y/N)
Feature Set
A
Solution Requirement
A1
The router architecture should be based on hardware based
forwarding and switching. System should be multi processor
based architecture for enhanced performance
A2
The router should have data plane and control plane
hardware level of redundancy for providing self redundancy
and should not disrupt the system functionality at the time
of any data plane or control plane hardware failure
A3
The router should support granular traffic detection and
management using QoS features and should allocate
network resources on application priority and requirement
A6
Router should have facility to work as IPSec VPN
Concentrator for Site-to-Site VPN
A7
Router should support the complete STACK of IP V4 and IP
V6 services
A8
The switch should have Control Plane (routing engine)
redundancy so in event of failure either hardware or
software there should not be disruption in services
A9
The router should support on line hot insertion and removal
of power supply and connected modules. Any insertion line
card/power supply should not require for router rebooting
nor should disrupt the functionality of the system
A10
Router should be certified by EAL 3 and above
B
Hardware and Interface Requirement
B1
Router should have the following interfaces:
B1.1
a. 10 x 1G Ethernet RJ45 Interface
B1.2
b. 10 x 1G Single Mode Fiber Interface
B1.3
c. 12 x 10GbE Multi Mode Fiber Interface
B1.4
d. 16 x 10GbE Single Mode Fiber Interface
B2
Router should have console port
B3
Router should have management interface for Out of Band
Management
B4
Router should be rack mountable and support side rails if
required
B5
Router should have redundant power supplies (at least dual)
B6
Router should have hardware health monitoring capabilities
and should provide different parameters through SNMP
B7
Router should support VLAN tagging (IEEE 802.1q)
B8
Router should support IEEE Link Aggregation and Ethernet
Bonding functionality to group multiple ports for
redundancy
B9
Router should have the capability of holding multiple OS
images to support resilience & easy rollbacks during the
version upgrades etc and should support inservice software
upgrade including:
B10
a. Multiple System image
B11
b. Multiple system configuration
B12
c. Option of Configuration roll-back
B13
Router should support for different logical interface types
like loopback, GRE and IPIP tunnel, VLAN etc
C
Performance Requirement
C1
The router should support minimum 3,000,000 IPv4 and
IPv6 routes entries including multicast routes
C3
Router should support Graceful Restart for OSPF, BGP, MP-BGP etc.
C4
The router should support minimum 1000 VRF instances
C5
Router should support 1000 of IPSec tunnels
C6
Router should support 6 Gbps of IMIX WAN traffic
including the services
C6.1
a. IP Routing (Static/Dynamic)
C6.2
b. IP Forwarding
C6.4
d. NAT
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
h. MPLS with VRF Edge Routing
C6.8
i. IPv6 host and IPv6 routing
C7
The router should support uninterrupted forwarding
operation for OSPF, BGP etc. routing protocol to ensure
high-availability during primary controller failure
C8
The router should support secured connectivity using point
to point and any to any dynamic IPSec VPN for secured data
transfer
C8.1
a. Hardware based IPSec Encryption
C8.2
b. 1000 Point to Point IPSec Tunnels
C8.3
c. Any to Any Dynamic IPSec VPN using the GDOI Protocol
should be supported
C8.4
d. IPSec Idle Timeout and Dead Peer detection
C8.5
e. Support Multicast traffic over any to any dynamic VPN
D
Layer2 Features
D1
Spanning Tree Protocol (IEEE 802.1D, 802.1S)
D2
VLAN Trunking (802.1q)
D3
System should provide basic Layer 2 WAN protocols as:
D3.2
b. GRE
D3.3
c. Ethernet
E
Layer3 Features
E1
The router should support IPSec Framework for Secured
Data transfer
E1.1
a. IPSec Data Encapsulation AH and ESP
E1.2
b. Key Exchange : Internet Key Exchange (IKE), IKEv2, Pre-Shared Keys (PSK), Public Key Infrastructure PKI (X.509),
RSA encrypted nonces etc
E1.3
c. Encryption Algorithm: DES, 3DES, AES-128/192/256
E1.4
d. Authentication Algorithm: SHA1 and SHA2
E1.5
e. Group: Diffie-Hellman (DH) Group 1, 2, 5
E1.6
g. Different mode of communication: Tunnel mode and
Transport mode
E1.7
h. IPSec NAT Traversal
E2
The router should support IPSec framework standard RFC:
E2.1
a. IPSec (RFCs 2401 to 2410)
E2.2
b. IPSec ESP using DES and 3DES (RFC 2406)
E2.3
c. IPSec authentication header using MD5 or SHA (RFCs
2403 to 2404)
E2.4
d. IKE (RFCs 2407 to 2409)
E2.5
e. GDOI (RFC 3547 - Group Domain of Interpretation)
E3
Router should provide basic routing feature i.e. IP Classless
and default routing
E4
Router should provide static and dynamic routing using:
E4.1
a. Static routing
E4.2
b. RIP V.2 with MD5 Authentication
E4.3
d. OSPF V.2 using MD5 Authentication
E4.5
e. ISIS using MD5 Authentication
E4.6
f. BGP V.4 using MD5 Authentication
E4.7
g. Should support route redistribution between these
protocols
h. Should be compliant to RFC 4760 Multiprotocol
Extensions for BGP-4 (Desirable)
E5
Router should support for policy based routing for providing
different path selection for different applications and also
should support best path selection using realtime
parameters like:
E5.1
a. Jitter
E5.2
b. Minimum cost
E5.3
c. Network path availability
E5.4
d. Network Response Time
E5.5
e. Packet loss
E6
The router should reconverge all dynamic routing protocol at
the time of routing update changes i.e. Non-Stop forwarding
for fast re-convergence of routing protocols
E7
Router should connecting multiple MPLS service provider
using multi instance routing using VRF and do VRF Edge
routing or equivalent
E8
Router should be capable to work as DHCP server and relay
E9
Router should provide multicast traffic reachable using:
E9.1
PIM-SM
E9.2
PIM-SSM
E9.3
Bi-Directional PIM
E9.4
MBGP and DVMRP or equivalent
E9.5
Support RFC 3618 Multicast Source Discovery Protocol
(MSDP)
E9.6
Support Any cast Rendezvous Point (RP) mechanism using
PIM and Multicast Source Discovery Protocol (MSDP) as
defined in RFC 3446
E9.7
IGMP V.1, V.2 and V.3
F
Availability
F1
Router should have provisioning for connecting to dual
power system
F2
Router should support to dynamically discover and cope
with differences in the maximum allowable maximum
transmission unit (MTU) size of the various links along the
path, using multiple interconnected for end to end network
connectivity and usability
F3
Router should automatically fail over, on primary interface
status change or remote network not reachable, to the
secondary link connectivity using the following realtime
parameters (IP SLA):
F3.1
Jitter
F3.2
Network path availability
F3.3
Network Response Time
F3.4
Packet loss
F4
Router should provide gateway level of redundancy in IPv4
and IPv6 using HSRP/VRRP & NHRP / equivalent for
Dynamic VPN
G
Quality of Service
G1
Router system should support 802.1P classification and
marking of packet using:
G1.1
a. CoS (Class of Service)
G1.2
b. DSCP (Differentiated Services Code Point)
G1.3
c. Source physical interfaces
G1.4
d. Source/destination IP subnet
G1.5
e. Protocol types (IP/TCP/UDP)
G1.6
f. Source/destination TCP/UDP ports
G2
Router should support methods for identifying different
types of traffic for better management and resilience under
network attacks
G3
Router should support for different type of QoS features for
real time traffic differential treatment using
G3.1
Weighted Fair Queuing or equivalent
G3.2
Weighted Random Early Detection or equivalent
G3.3
Priority queuing
G4
Router should support controlling incoming and outgoing
traffic using
G4.1
a. Traffic Shaping
G4.2
b. Traffic Policing
G5
Router should support for managing congested network
connectivity using:
G5.1
a. TCP congestion control
G5.2
b. IP Precedence
G5.3
c. Ingress and Egress Rate Limiting
G6
Router should support for packet classification and
fragmentation before applying IPSec security encryption for
providing end to end QoS treatment
G7
Router should support hierarchical QoS for providing
granular policy per application basis for providing
bandwidth provisioning and management
H
Security
H2
Router should support for deploying different security for
each logical and physical interface using Port Based access
control lists of Layer-2 to Layer-4 in IPv4 and IPv6
H3
Router processor and memory Protection from unnecessary
or DoS traffic by control plane protection policy
H4
Router should support for stringent security policies based on
time of day of Layer-2 to Layer-4
H5
Router should support for external database for AAA using:
H5.1
a. TACACS+
H5.2
b. RADIUS
H6
Router should support dynamic inspection of ARP for the
locally connected network system
H7
Router should support for multiple service provider using
edge VRF and IPSec traffic encryption
H8
Router should support GRE and IPSec WAN traffic
encapsulation and encryption
H9
The router shall support unicast RPF (uRPF) feature to block
any communications and attacks that are being sourced
from Randomly generated IP addresses.
I
Manageability
I1
Router should support for embedded RMON for central
NMS management and monitoring
I2
Router should support for sending logs to multiple
centralised syslog server for monitoring and audit trail
I3
Router should provide remote logging for administration
using:
I3.1
a. Telnet
I3.2
b. SSH V.2
I4
Router should support for capturing packets for identifying
application performance using remote port mirroring for
packet captures
I5
Router should support for management and monitoring
status using different type of Industry standard NMS using:
I5.1
a. SNMP V1 and V.2
I5.2
b. SNMP V.3
I5.4
c. Filtration of SNMP using Access list
I5.5
d. SNMP MIB support for QoS
I6
Router should support for basic administrative tools like:
I6.1
a. Ping
I6.2
b. Traceroute
I7
Router should support central time server synchronisation
using Network Time Protocol NTP V.4
I8
Router should support for collecting realtime traffic
statistics for analysis and troubleshooting using Netflow or
Ipfix or equivalent
I9
Router should support for providing granular MIB support
for different statistics of the LAN and WAN interface
I10
Router should support for predefined and customised
execution of script for device management for automatic and
scheduled system status update for monitoring and
management
I.11
Router should provide different privilege for login in to the
system for monitoring and management
I.12
Router should support to dynamically change in
configuration or operating system by using different local
and central tools and scripts
J
IPv6 features
J1
Router should support IPv6
J2
Router should support for IP V.6 connectivity and routing
required for network reachability using different routing
protocols such as:
J2.1
a. RIP NG
J2.2
b. OSPF V.3
J2.3
c. BGP with IPv6
J2.4
d. IPv6 Policy based routing
J2.5
e. IPv6 Dual Stack etc
J2.6
f. IPv6 Static Route
J2.7
g. IPv6 Default route
J2.8
h. Should support route redistribution between these
protocols
J3
Router should support different types of IPv6 tunnelling
mechanism, such as:
J3.1
a. Automatic IPv6 to IPv4 tunnels / IPv4 to IPv6 tunnels
J3.2
b. Automatic IPv4 compatible tunnels / IPv4 to IPv6 tunnels
J3.3
c. IPv6 over IPv4 tunnelling
J3.4
d. ISATAP Tunnelling
J4
Router should support different types of multicast routing in
IPv6 network using:
J4.1
a. PIMv2 Sparse Mode
J4.2
b. PIMv2 Source-Specific Multicast
J5
Router should support for QoS in IPv6 network connectivity
J6
Router should support for monitoring and management
using different versions of SNMP in IPv6 environment such
as:
J6.1
a. SNMPv1, SNMPv2c, SNMPv3
J6.2
b. SNMP over IPv6 & AES & 3DES encryption support for
SNMP Version 3
J6.3
c. RFC4292/RFC4293 MIBs for IPv6 traffic
J7
Router should support syslog for sending system log
messages to centralised log server in IPv6 environment
J8
Router should support NTP to provide an accurate and
consistent timestamp over IPv6 to synchronize log
collection and events
J9
Router should support for IPv6 different type of application
usage like:
J9.1
a. HTTP
J9.2
b. HTTPS
J9.3
c. ICMP
J9.4
d. TCP/UDP
J9.5
e. DNS lookup
J9.6
f. DHCP
J10
Router should support for IPv6 different types of tools for
administration and management such as:
J10.1
a. Ping
J10.2
b. Traceroute
J10.3
c. VTY
J10.4
d. SSH
J10.5
e. TFTP
Internet Router :
TABLE - 19
Quantity: 2
Sr. No.
Compliance(Y/N)
Feature Set
A
Solution Requirement
A1
The router architecture should be based on hardware based
forwarding and switching. System should be multi- processor
based architecture for enhanced performance
A2
The router should have data plane and control plane hardware
level of redundancy for providing self redundancy and should
not disrupt the system functionality at the time of any data
plane or control plane hardware failure
A3
The router should support granular traffic detection and
management using QoS features and should allocate network
resources on application priority and requirement
A6
Router should have facility to work as IPSec VPN Concentrator
for Site-to-Site VPN
A7
Router should support the complete STACK of IP V4 and IP V6
services
A8
The switch should have Control Plane (routing engine)
redundancy so in event of failure either hardware or software
there should not be disruption in services
A9
The router should support on line hot insertion and removal of
power supply and connected modules. Any insertion line
card/power supply should not require for router rebooting nor
should disrupt the functionality of the system
A10
Router should be certified by EAL 3 and above
B
Hardware and Interface Requirement
B1
Router should have the following interfaces:
B1.1
a. 12 x 10G Multi Mode Fibre Interface
B1.2
b. 6 x 10G Single Mode Fiber Interface
B1.3
c. 2 x 40G QSFP Multi Mode Fiber Interface
B1.4
d. 2 x 40G QSFP Single Mode Fiber Interface
B2
Router should have console port
B3
Router should have management interface for Out of Band
Management
B4
Router should be rack mountable and support side rails if
required
B5
Router should have redundant power supplies (at least dual)
B6
Router should have hardware health monitoring capabilities
and should provide different parameters through SNMP
B7
Router should support VLAN tagging (IEEE 802.1q)
B8
Router should support IEEE Link Aggregation and Ethernet
Bonding functionality to group multiple ports for redundancy
B9
Router should have the capability of holding multiple OS
images to support resilience & easy rollbacks during the version
upgrades etc and should support inservice software upgrade
including:
B10
a. Multiple System image
B11
b. Multiple system configuration
B12
c. Option of Configuration roll-back
B13
Router should support for different logical interface types like
loopback, GRE and IPIP tunnel, VLAN etc
C
Performance Requirement
C1
The router should support minimum 3,000,000 IPv4 and IPv6
routes entries including multicast routes
C3
Router should support Graceful Restart for OSPF, BGP, MP-BGP etc.
C4
The router should support minimum 1000 VRF instances
C5
Router should support 1000 of IPSec tunnels
C6
Router should support 5 Gbps of crypto IMIX WAN traffic
including the services
C6.1
a. IP Routing (Static/Dynamic)
C6.2
b. IP Forwarding
C6.4
d. NAT
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
h. MPLS with VRF Edge Routing
C6.8
i. IPv6 host and IPv6 routing
C7
The router should support uninterrupted forwarding operation
for OSPF, BGP etc. routing protocol to ensure high-availability
during primary controller failure
C8
The router should support secured connectivity using point to
point and any to any dynamic IPSec VPN for secured data
transfer
C8.1
a. Hardware based IPSec Encryption
C8.2
b. 1000 Point to Point IPSec Tunnels
C8.3
c. Any to Any Dynamic IPSec VPN using the GDOI Protocol
should be supported
C8.4
d. IPSec Idle Timeout and Dead Peer detection
C8.5
e. Support Multicast traffic over any to any dynamic VPN
D
Layer2 Features
D1
Spanning Tree Protocol (IEEE 802.1D, 802.1S)
D2
VLAN Trunking (802.1q)
D3
System should provide basic Layer 2 WAN protocols as:
D3.2
b. GRE
D3.3
c. Ethernet
E
Layer3 Features
E1
The router should support IPSec Framework for Secured Data
transfer
E1.1
a. IPSec Data Encapsulation AH and ESP
E1.2
b. Key Exchange : Internet Key Exchange (IKE), IKEv2, Pre-Shared Keys (PSK), Public Key Infrastructure PKI (X.509), RSA
encrypted nonces etc
E1.3
c. Encryption Algorithm: DES, 3DES, AES-128/192/256
E1.4
d. Authentication Algorithm: SHA1 and SHA2
E1.5
e. Group: Diffie-Hellman (DH) Group 1, 2, 5
E1.6
g. Different mode of communication: Tunnel mode and
Transport mode
E1.7
h. IPSec NAT Traversal
E2
The router should support IPSec framework standard RFC:
E2.1
a. IPSec (RFCs 2401 to 2410)
E2.2
b. IPSec ESP using DES and 3DES (RFC 2406)
E2.3
c. IPSec authentication header using MD5 or SHA (RFCs 2403
to 2404)
E2.4
d. IKE (RFCs 2407 to 2409)
E2.5
e. GDOI (RFC 3547 - Group Domain of Interpretation)
E3
Router should provide basic routing feature i.e. IP Classless and
default routing
E4
Router should provide static and dynamic routing using:
E4.1
a. Static routing
E4.2
b. RIP V.2 with MD5 Authentication
E4.3
d. OSPF V.2 using MD5 Authentication
E4.5
e. ISIS using MD5 Authentication
E4.6
f. BGP V.4 using MD5 Authentication
E4.7
g. Should support route redistribution between these protocols
h. Should be compliant to RFC 4760 Multiprotocol Extensions
for BGP-4 (Desirable)
E5
Router should support for policy based routing for providing
different path selection for different applications and also
should support best path selection using realtime parameters
like:
E5.1
a. Jitter
E5.2
b. Minimum cost
E5.3
c. Network path availability
E5.4
d. Network Response Time
E5.5
e. Packet loss
E6
The router should reconverge all dynamic routing protocol at
the time of routing update changes i.e. Non-Stop forwarding for
fast re-convergence of routing protocols
E7
Router should be connecting multiple MPLS service provider
using multi instance routing using VRF and do VRF Edge
routing or equivalent
E8
Router should be capable to work as DHCP server and relay
E9
Router should provide multicast traffic reachable using:
E9.1
PIM-SM
E9.2
PIM-SSM
E9.3
Bi-Directional PIM
E9.4
MBGP and DVMRP or equivalent
E9.5
Support RFC 3618 Multicast Source Discovery Protocol (MSDP)
E9.6
Support Any cast Rendezvous Point (RP) mechanism using PIM
and Multicast Source Discovery Protocol (MSDP) as defined in
RFC 3446
E9.7
IGMP V.1, V.2 and V.3
F
Availability
F1
Router should have provisioning for connecting to dual power
system
F2
Router should support to dynamically discover and cope with
differences in the maximum allowable maximum transmission
unit (MTU) size of the various links along the path, using
multiple interconnected for end to end network connectivity
and usability
F3
Router should automatically failover of primary interface status
change or remote network not reachable to the secondary link
connectivity using following realtime parameters (IP SLA):
F3.1
Jitter
F3.2
Network path availability
F3.3
Network Response Time
F3.4
Packet loss
F4
Router should provide gateway level of redundancy in IPv4 and
IPv6 using HSRP/VRRP & NHRP / equivalent for Dynamic
VPN
G
Quality of Service
G1
Router system should support 802.1P classification and
marking of packet using:
G1.1
a. CoS (Class of Service)
G1.2
b. DSCP (Differentiated Services Code Point)
G1.3
c. Source physical interfaces
G1.4
d. Source/destination IP subnet
G1.5
e. Protocol types (IP/TCP/UDP)
G1.6
f. Source/destination TCP/UDP ports
G2
Router should support methods for identifying different types
of traffic for better management and resilience under network
attacks
G3
Router should support for different type of QoS features for
real time traffic differential treatment using
G3.1
Weighted Fair Queuing or equivalent
G3.2
Weighted Random Early Detection or equivalent
G3.3
Priority queuing
G4
Router should support controlling incoming and outgoing
traffic using
G4.1
a. Traffic Shaping
G4.2
b. Traffic Policing
G5
Router should support for managing congested network
connectivity using:
G5.1
a. TCP congestion control
G5.2
b. IP Precedence
G5.3
c. Ingress and Egress Rate Limiting
G6
Router should support for packet classification and
fragmentation before applying IPSec security encryption for
providing end to end QoS treatment
G7
Router should support hierarchical QoS for providing granular
policy per application basis for providing bandwidth
provisioning and management
H
Security
H2
Router should support for deploying different security for each
logical and physical interface using Port Based access control
lists of Layer-2 to Layer-4 in IPv4 and IPv6
H3
Router processor and memory Protection from unnecessary or
DoS traffic by control plane protection policy
H4
Router should support for stringent security policies based on
time of day of Layer-2 to Layer-4
H5
Router should support for external database for AAA using:
H5.1
a. TACACS+
H5.2
b. RADIUS
H6
Router should support dynamic inspection of ARP for the
locally connected network system
H7
Router should support for multiple service provider using edge
VRF and IPSec traffic encryption
H8
Router should support GRE and IPSec WAN traffic
encapsulation and encryption
H9
The router shall support unicast RPF (uRPF) feature to block
any communications and attacks that are being sourced from
Randomly generated IP addresses.
I
Manageability
I1
Router should support for embedded RMON for central NMS
management and monitoring
I2
Router should support for sending logs to multiple centralised
syslog server for monitoring and audit trail
I3
Router should provide remote logging for administration using:
I3.1
a. Telnet
I3.2
b. SSH V.2
I4
Router should support for capturing packets for identifying
application performance using remote port mirroring for packet
captures
I5
Router should support for management and monitoring status
using different type of Industry standard NMS using:
I5.1
a. SNMP V1 and V.2
I5.2
b. SNMP V.3
I5.4
c. Filtration of SNMP using Access list
I5.5
d. SNMP MIB support for QoS
I6
Router should support for basic administrative tools like:
I6.1
a. Ping
I6.2
b. Traceroute
I7
Router should support central time server synchronisation
using Network Time Protocol NTP V.4
I8
Router should support for collecting real-time traffic statistics
for analysis and troubleshooting using Netflow or Ipfix or
equivalent
I9
Router should support for providing granular MIB support for
different statistics of the LAN and WAN interface
I10
Router should support for predefined and customised execution
of script for device management for automatic and scheduled system
status update for monitoring and management
I.11
Router should provide different privileges for login in to the
system for monitoring and management
I.12
Router should support to dynamically change in configuration
or operating system by using different local and central tools
and scripts
J
IPv6 features
J1
Router should support IPv6
J2
Router should support for IP V.6 connectivity and routing
required for network reachability using different routing
protocols such as:
J2.1
a. RIP NG
J2.2
b. OSPF V.3
J2.3
c. BGP with IPv6
J2.4
d. IPv6 Policy based routing
J2.5
e. IPv6 Dual Stack etc
J2.6
f. IPv6 Static Route
J2.7
g. IPv6 Default route
J2.8
h. Should support route redistribution between these protocols
J3
Router should support different types of IPv6 tunnelling
mechanism, such as:
J3.1
a. Automatic IPv6 to IPv4 tunnels / IPv4 to IPv6 tunnels
J3.2
b. Automatic IPv4 compatible tunnels / IPv4 to IPv6 tunnels
J3.3
c. IPv6 over IPv4 tunnelling
J3.4
d. ISATAP Tunnelling
J4
Router should support different types of multicast routing in
IPv6 network using:
J4.1
a. PIMv2 Sparse Mode
J4.2
b. PIMv2 Source-Specific Multicast
J5
Router should support for QoS in IPv6 network connectivity
J6
Router should support for monitoring and management using
different versions of SNMP in IPv6 environment such as:
J6.1
a. SNMPv1, SNMPv2c, SNMPv3
J6.2
b. SNMP over IPv6 & AES & 3DES encryption support for
SNMP Version 3
J6.3
c. RFC4292/RFC4293 MIBs for IPv6 traffic
J7
Router should support syslog for sending system log messages
to centralised log server in IPv6 environment
J8
Router should support NTP to provide an accurate and
consistent timestamp over IPv6 to synchronize log collection
and events
J9
Router should support for IPv6 different type of application
usage like:
J9.1
a. HTTP
J9.2
b. HTTPS
J9.3
c. ICMP
J9.4
d. TCP/UDP
J9.5
e. DNS lookup
J9.6
f. DHCP
J10
Router should support for IPv6 different types of tools for
administration and management such as:
J10.1
a. Ping
J10.2
b. Traceroute
J10.3
c. VTY
J10.4
d. SSH
J10.5
e. TFTP
Extranet Router
TABLE- 20
Quantity: 2
Sr. No.
Compliance(Y/N)
Feature Set
A
Solution Requirement
A1
The router architecture should be based on hardware based
forwarding and switching. System should be multi-processor
based architecture for enhanced performance
A2
The router should have data plane and control plane
hardware level of redundancy for providing self-redundancy
and should not disrupt the system functionality at the time
of any data plane or control plane hardware failure
A3
The router should support granular traffic detection and
management using QoS features and should allocate
network resources on application priority and requirement
A6
Router should have facility to work as IPSec VPN
Concentrator for Site-to-Site VPN
A7
Router should support the complete STACK of IP V4 and IP
V6 services
A8
The switch should have Control Plane (routing engine)
redundancy so in event of failure either hardware or
software there should not be disruption in services
A9
The router should support on line hot insertion and removal
of power supply and connected modules. Any insertion line
card/power supply should not require for router rebooting
nor should disrupt the functionality of the system
A10
Router should be certified by EAL 3 and above
B
Hardware and Interface Requirement
B1
Router should have the following interfaces:
B1.1
a. 48 x 1G Ethernet RJ45 Interface
B1.2
b. 8 x 1G Single Mode Fiber Interface
B1.3
c. 8 x 10GbE Multi Mode Fiber Interface
B1.4
d. 24 x E1 Interface
B2
Router should have console port
B3
Router should have management interface for Out of Band
Management
B4
Router should be rack mountable and support side rails if
required
B5
Router should have redundant power supplies (at least dual)
B6
Router should have hardware health monitoring capabilities
and should provide different parameters through SNMP
B7
Router should support VLAN tagging (IEEE 802.1q)
B8
Router should support IEEE Link Aggregation and Ethernet
Bonding functionality to group multiple ports for
redundancy
B9
Router should have the capability of holding multiple OS
images to support resilience & easy rollbacks during the
version upgrades etc and should support inservice software
upgrade including:
B10
a. Multiple System image
B11
b. Multiple system configuration
B12
c. Option of Configuration roll-back
B13
Router should support for different logical interface types
like loopback, GRE and IPIP tunnel, VLAN etc
C
Performance Requirement
C1
The router should support minimum 3,000,000 IPv4 and
IPv6 routes entries including multicast routes
C3
Router should support Graceful Restart for OSPF, BGP, MP-BGP etc.
C4
The router should support minimum 1000 VRF instances
C5
Router should support 1000 of IPSec tunnels
C6
Router should support 40 Gbps of Unicast WAN traffic
including the services
C6.1
a. IP Routing (Static/Dynamic)
C6.2
b. IP Forwarding
C6.4
d. NAT
C6.5
e. QoS
C6.6
f. ACL and Other IP Services
C6.7
h. MPLS with VRF Edge Routing
C6.8
i. IPv6 host and IPv6 routing
C7
The router should support uninterrupted forwarding
operation for OSPF, BGP etc. routing protocol to ensure
high-availability during primary controller failure
C8
The router should support secured connectivity using point
to point and any to any dynamic IPSec VPN for secured data
transfer
C8.1
a. Hardware based IPSec Encryption
C8.2
b. 1000 Point to Point IPSec Tunnels
C8.3
c. Any to Any Dynamic IPSec VPN using the GDOI Protocol
should be supported
C8.4
d. IPSec Idle Timeout and Dead Peer detection
C8.5
e. Support Multicast traffic over any to any dynamic VPN
D
Layer2 Features
D1
Spanning Tree Protocol (IEEE 802.1D, 802.1S)
D2
VLAN Trunking (802.1q)
D3
System should provide basic Layer 2 WAN protocols as:
D3.2
b. GRE
D3.3
c. Ethernet
E
Layer3 Features
E1
The router should support IPSec Framework for Secured
Data transfer
E1.1
a. IPSec Data Encapsulation AH and ESP
E1.2
b. Key Exchange : Internet Key Exchange (IKE), IKEv2, Pre-Shared Keys (PSK), Public Key Infrastructure PKI (X.509),
RSA encrypted nonces etc
E1.3
c. Encryption Algorithm: DES, 3DES, AES-128/192/256
E1.4
d. Authentication Algorithm: SHA1 and SHA2
E1.5
e. Group: Diffie-Hellman (DH) Group 1, 2, 5
E1.6
g. Different mode of communication: Tunnel mode and
Transport mode
E1.7
h. IPSec NAT Traversal
E2
The router should support IPSec framework standard RFC:
E2.1
a. IPSec (RFCs 2401 to 2410)
E2.2
b. IPSec ESP using DES and 3DES (RFC 2406)
E2.3
c. IPSec authentication header using MD5 or SHA (RFCs
2403 to 2404)
E2.4
d. IKE (RFCs 2407 to 2409)
E2.5
e. GDOI (RFC 3547 - Group Domain of Interpretation)
E3
Router should provide basic routing feature i.e. IP Classless
and default routing
E4
Router should provide static and dynamic routing using:
E4.1
a. Static routing
E4.2
b. RIP V.2 with MD5 Authentication
E4.3
d. OSPF V.2 using MD5 Authentication
E4.5
e. ISIS using MD5 Authentication
E4.6
f. BGP V.4 using MD5 Authentication
E4.7
g. Should support route redistribution between these
protocols
h. Should be compliant to RFC 4760 Multiprotocol
Extensions for BGP-4 (Desirable)
E5
Router should support for policy based routing for providing
different path selection for different applications and also
should support best path selection using realtime
parameters like:
E5.1
a. Jitter
E5.2
b. Minimum cost
E5.3
c. Network path availability
E5.4
d. Network Response Time
E5.5
e. Packet loss
E6
The router should reconverge all dynamic routing protocol
at the time of routing update changes i.e. Non-Stop
forwarding for fast re-convergence of routing protocols
E7
Router should be connecting multiple MPLS service
provider using multi instance routing using VRF and do VRF
Edge routing or equivalent
E8
Router should be capable to work as DHCP server and relay
E9
Router should provide multicast traffic reachable using:
E9.1
PIM-SM
E9.2
PIM-SSM
E9.3
Bi-Directional PIM
E9.4
MBGP and DVMRP or equivalent
E9.5
Support RFC 3618 Multicast Source Discovery Protocol
(MSDP)
E9.6
Support Any cast Rendezvous Point (RP) mechanism using
PIM and Multicast Source Discovery Protocol (MSDP) as
defined in RFC 3446
E9.7
IGMP V.1, V.2 and V.3
F
Availability
F1
Router should have provisioning for connecting to dual
power system
F2
Router should support to dynamically discover and cope
with differences in the maximum allowable maximum
transmission unit (MTU) size of the various links along the
path, using multiple interconnected for end to end network
connectivity and usability
F3
Router should automatically failover of primary interface
status change or remote network not reachable to the
secondary link connectivity using following real-time
parameters (IP SLA):
F3.1
Jitter
F3.2
Network path availability
F3.3
Network Response Time
F3.4
Packet loss
F4
Router should provide gateway level of redundancy in IPv4
and IPv6 using HSRP/VRRP & NHRP / equivalent for
Dynamic VPN
G
Quality of Service
G1
Router system should support 802.1P classification and
marking of packet using:
G1.1
a. CoS (Class of Service)
G1.2
b. DSCP (Differentiated Services Code Point)
G1.3
c. Source physical interfaces
G1.4
d. Source/destination IP subnet
G1.5
e. Protocol types (IP/TCP/UDP)
G1.6
f. Source/destination TCP/UDP ports
G2
Router should support methods for identifying different
types of traffic for better management and resilience under
network attacks
G3
Router should support for different type of QoS features for
real time traffic differential treatment using
G3.1
Weighted Fair Queuing or equivalent
G3.2
Weighted Random Early Detection or equivalent
G3.3
Priority queuing
G4
Router should support controlling incoming and outgoing
traffic using
G4.1
a. Traffic Shaping
G4.2
b. Traffic Policing
G5
Router should support for managing congested network
connectivity using:
G5.1
a. TCP congestion control
G5.2
b. IP Precedence
G5.3
c. Ingress and Egress Rate Limiting
G6
Router should support for packet classification and
fragmentation before applying IPSec security encryption for
providing end to end QoS treatment
G7
Router should support hierarchical QoS for providing
granular policy per application basis for providing
bandwidth provisioning and management
H
Security
H2
Router should support for deploying different security for
each logical and physical interface using Port Based access
control lists of Layer-2 to Layer-4 in IPv4 and IPv6
H3
Router processor and memory Protection from unnecessary
or DoS traffic by control plane protection policy
H4
Router should support for stringent security policies based
on time of day of Layer-2 to Layer-4
H5
Router should support for external database for AAA using:
H5.1
a. TACACS+
H5.2
b. RADIUS
H6
Router should support dynamic inspection of ARP for the
locally connected network system
H7
Router should support for multiple service provider using
edge VRF and IPSec traffic encryption
H8
Router should support GRE and IPSec WAN traffic
encapsulation and encryption
H9
The router shall support unicast RPF (uRPF) feature to
block any communications and attacks that are being
sourced from Randomly generated IP addresses.
I
Manageability
I1
Router should support for embedded RMON for central
NMS management and monitoring
I2
Router should support for sending logs to multiple
centralised syslog server for monitoring and audit trail
I3
Router should provide remote logging for administration
using:
I3.1
a. Telnet
I3.2
b. SSH V.2
I4
Router should support for capturing packets for identifying
application performance using remote port mirroring for
packet captures
I5
Router should support for management and monitoring
status using different type of Industry standard NMS using:
I5.1
a. SNMP V1 and V.2
I5.2
b. SNMP V.3
I5.4
c. Filtration of SNMP using Access list
I5.5
d. SNMP MIB support for QoS
I6
Router should support for basic administrative tools like:
I6.1
a. Ping
I6.2
b. Traceroute
I7
Router should support central time server synchronisation
using Network Time Protocol NTP V.4
I8
Router should support for collecting real-time traffic
statistics for analysis and troubleshooting using Netflow or
Ipfix or equivalent
I9
Router should support for providing granular MIB support
for different statistics of the LAN and WAN interface
I10
Router should support for predefined and customised
execution of script for device management for automatic and
scheduled system status update for monitoring and
management
I.11
Router should provide different privileges for login in to the
system for monitoring and management
I.12
Router should support to dynamically change in
configuration or operating system by using different local
and central tools and scripts
J
IPv6 features
J1
Router should support IPv6
J2
Router should support for IP V.6 connectivity and routing
required for network reachability using different routing
protocols such as:
J2.1
a. RIP NG
J2.2
b. OSPF V.3
J2.3
c. BGP with IPv6
J2.4
d. IPv6 Policy based routing
J2.5
e. IPv6 Dual Stack etc
J2.6
f. IPv6 Static Route
J2.7
g. IPv6 Default route
J2.8
h. Should support route redistribution between these
protocols
J3
Router should support different types of IPv6 tunnelling
mechanism, such as:
J3.1
a. Automatic IPv6 to IPv4 tunnels / IPv4 to IPv6 tunnels
J3.2
b. Automatic IPv4 compatible tunnels / IPv4 to IPv6 tunnels
J3.3
c. IPv6 over IPv4 tunnelling
J3.4
d. ISATAP Tunnelling
J4
Router should support different types of multicast routing in
IPv6 network using:
J4.1
a. PIMv2 Sparse Mode
J4.2
b. PIMv2 Source-Specific Multicast
J5
Router should support for QoS in IPv6 network connectivity
J6
Router should support for monitoring and management
using different versions of SNMP in IPv6 environment such
as:
J6.1
a. SNMPv1, SNMPv2c, SNMPv3
J6.2
b. SNMP over IPv6 & AES & 3DES encryption support for
SNMP Version 3
J6.3
c. RFC4292/RFC4293 MIBs for IPv6 traffic
J7
Router should support syslog for sending system log
messages to centralised log server in IPv6 environment
J8
Router should support NTP to provide an accurate and
consistent timestamp over IPv6 to synchronize log
collection and events
J9
Router should support for IPv6 different type of application
usage like:
J9.1
a. HTTP
J9.2
b. HTTPS
J9.3
c. ICMP
J9.4
d. TCP/UDP
J9.5
e. DNS lookup
J9.6
f. DHCP
J10
Router should support for IPv6 different types of tools for
administration and management such as:
J10.1
a. Ping
J10.2
b. Traceroute
J10.3
c. VTY
J10.4
d. SSH
J10.5
e. TFTP
VPN Router Specification : TABLE - 21
Quantity: Suitable no in N+1 redundancy to cater IPSEC tunnels from
40,000 branches to Hyderabad DC
Sr. No.
Feature Set
Compliance(Y/N)
A
Solution Requirement
A1
Solution should support 30,000 IPSEC tunnels either on single box or
on cluster including N+1 redundancy
A2
The router architecture should be based on hardware based
forwarding and switching. System should be multi processor and
modular based architecture for enhanced performance
A3
The router should support granular traffic detection and management
using QoS features and should allocate network resources on
application priority and requirement
A6
Router should have facility to work as IPSec VPN Concentrator for
Site-to-Site VPN
A7
Router should support the complete STACK of IPv4 and IPv6 services
A8
The switch should have Control Plane (routing engine) redundancy so
in event of failure either hardware or software there should not be
disruption in services
A9
The router should support on line hot insertion and removal of power
supply and connected modules. Any insertion line card/power supply
should not require for router rebooting nor should disrupt the
functionality of the system
A10
Router should be certified by EAL 3 and above
A11
Router should support reverse route injection
B
Hardware and Interface Requirement
B1
Each Router should have at least 6 x 10GbE Multi Mode Fiber
Interfaces
B2
Router should have console port
B3
Router should have management interface for Out of Band
Management
B4
Router should be rack mountable and support side rails if required
B5
Router should have redundant power supplies (at least dual)
B6
Router should have hardware health monitoring capabilities and
should provide different parameters through SNMP
B7
Router should support VLAN tagging (IEEE 802.1q)
B8
Router should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Router should have the capability of holding multiple OS images to
support resilience & easy rollbacks during the version upgrades etc
and should support inservice software upgrade including:
B10
a. Multiple System image
B11
b. Multiple system configuration
B12
c. Option of Configuration roll-back
B13
Router should support for different logical interface types like
loopback, GRE and IPIP tunnel, VLAN etc
C
Performance Requirement
C1
Solution should support 30,000 IPSEC tunnels in n+1 redundancy
mode
C2
The router should support minimum 3,000,000 IPv4 and IPv6 routes
entries including multicast routes
C5
Router should support Graceful Restart for OSPF, BGP, MP-BGP etc.
C6
Router should support minimum 6 Gbps of IMIX WAN traffic
including the services
C6.1
a. Hardware based encryption acceleration (IPSec VPN)
C6.2
b. IPSec Encryption (ESP-AES 256 ESP-SHA-HMAC)
C6.3
c. IP Routing (Static/Dynamic)
C6.4
d. IP Forwarding
C6.6
f. NAT
C6.7
g. QoS
C6.8
h. ACL and Other IP Services
C6.9
i. MPLS with VRF Edge Routing
C7
j. IPv6 host and IPv6 routing
C7.1
The router should support secured connectivity using point to point
and any to any dynamic IPSec VPN for secured data transfer:
C7.2
a. Hardware based IPSec Encryption
C7.3
b. Any to Any Dynamic IPSec VPN using the GDOI Protocol should be
supported
C7.4
c. IPSec Idle Timeout and Dead Peer detection
C7.5
d. Support Multicast traffic over any to any dynamic VPN
C7.6
e. Reverse route injection
C8
The router should support uninterrupted forwarding operation for
OSPF, BGP etc. routing protocol to ensure high-availability during
primary controller failure
D
Layer2 Features
D1
Spanning Tree Protocol (IEEE 802.1D, 802.1S)
D2
VLAN Trunking (802.1q)
D3
System should provide basic Layer 2 WAN protocols as:
D3.1
b. GRE
D3.2
c. Ethernet
E
Layer3 Features
E1
The router should support IPSec Framework for Secured Data
transfer
E1.1
a. IPSec Data Encapsulation AH and ESP
E1.2
b. Key Exchange : Internet Key Exchange (IKE), IKEv2, Pre-Shared
Keys (PSK), Public Key Infrastructure PKI (X.509), RSA encrypted
nonces etc
E1.3
c. Encryption Algorithm: DES, 3DES, AES-128/192/256
E1.4
d. Authentication Algorithm: SHA1 and SHA2
E1.5
e. Group: Diffie-Hellman (DH) Group 1, 2, 5
E1.7
g. Different mode of communication: Tunnel mode and Transport
mode
E1.8
h. IPSec NAT Traversal
E2
The router should support IPSec framework standard RFC:
E2.1
a. IPSec (RFCs 2401 to 2410)
E2.2
b. IPSec ESP using DES and 3DES (RFC 2406)
E2.3
c. IPSec authentication header using MD5 or SHA (RFCs 2403 to
2404)
E2.4
d. IKE (RFCs 2407 to 2409)
E2.5
e. GDOI - Group Domain of Interpretation
E3
Router should provide basic routing feature i.e. IP Classless and
default routing
E4
Router should provide static and dynamic routing using:
E4.1
a. Static routing
E4.2
b. RIP V.2 with MD5 Authentication
E4.3
d. OSPF V.2 using MD5 Authentication
E4.4
e. ISIS using MD5 Authentication
E4.5
f. BGP V.4 using MD5 Authentication
E4.6
g. Should support route redistribution between these protocols
E4.7
h. Should be compliant to RFC 4760 Multiprotocol Extensions for
BGP-4 (Desirable)
E5
Router should support for policy based routing for providing different
path selection for different applications and also should support best
path selection using realtime parameters like:
E5.1
a. Jitter
E5.2
b. Minimum cost
E5.3
c. Network path availability
E5.4
d. Network Response Time
E5.5
e. Packet loss
E6
The router should reconverge all dynamic routing protocols at the time
of routing update changes i.e. Non-Stop forwarding for fast reconvergence of routing protocols
E7
Router should support connecting multiple MPLS service providers using
multi-instance routing using VRF and do VRF Edge routing
E8
Router should be capable to work as DHCP server and relay
E9
Router should provide multicast traffic reachable using:
E9.1
PIM-SM
E9.2
PIM-SSM
E9.3
Bi-Directional PIM
E9.4
MBGP and DVMRP or equivalent
E9.5
Support RFC 3618 Multicast Source Discovery Protocol (MSDP)
E9.6
Support Any Cast Rendezvous Point (RP) mechanism using PIM and
Multicast Source Discovery Protocol (MSDP) as defined in RFC 3446
E9.7
IGMP V.1, V.2 and V.3
F
Availability
F1
Router should have provisioning for connecting to dual power system
F2
Router should support to dynamically discover and cope with
differences in the maximum allowable maximum transmission unit
(MTU) size of the various links along the path, using multiple
interconnected for end to end network connectivity and usability
F3
Router should automatically fail over to the secondary link
connectivity on primary interface status change or when the remote
network is not reachable, using following real-time parameters (IP SLA):
F3.1
Jitter
F3.2
Network path availability
F3.3
Network Response Time
F3.4
Packet loss
F4
Switch should provide gateway level of redundancy in IP V.4 and IP
V.6 using HSRP/VRRP & NHRP/equivalent for Dynamic VPN
G
Quality of Service
G1
Router system should support 802.1P classification and marking of
packet using:
G1.1
a. CoS (Class of Service)
G1.2
b. DSCP (Differentiated Services Code Point)
G1.3
c. Source physical interfaces
G1.4
d. Source/destination IP subnet
G1.5
e. Protocol types (IP/TCP/UDP)
G1.6
f. Source/destination TCP/UDP ports
G2
The router should have inbuilt control plane protection
G3
Router should support different types of QoS features for real
time traffic differential treatment using
G3.1
Weighted Fair Queuing or equivalent
G3.2
Weighted Random Early Detection or equivalent
G3.3
Priority queuing
G4
Router should support controlling incoming and outgoing traffic
using
G4.1
a. Traffic Shaping
G4.2
b. Traffic Policing
G5
Router should support for managing congested network connectivity
using:
G5.1
a. TCP congestion control
G5.2
b. IP Precedence
G5.3
c. Ingress and Egress Rate Limiting
G6
Router should support for packet classification and fragmentation
before applying IPSec security encryption for providing end to end
QoS treatment
G7
Router should support hierarchical QoS for providing granular policy
per application basis for providing bandwidth provisioning and
management
H
Security
H2
Router should support for deploying different security for each logical
and physical interface using Port Based access control lists of Layer-2
to Layer-4 in IPv4 and IPv6
H3
Router processor and memory Protection from unnecessary or DoS
traffic by control plane protection policy
H4
Router should support for stringent security policies based on time of
day of Layer-2 to Layer-4
H5
Router should support for external database for AAA using:
H5.1
a. TACACS+
H5.2
b. RADIUS
H6
Router should support dynamic inspection of ARP for the locally
connected network system
H7
Router should support for multiple service provider using edge VRF
and IPSec traffic encryption
H8
Router should support GRE and IPSec WAN traffic encapsulation and
encryption
H9
The router shall support unicast RPF (uRPF) feature to block any
communications and attacks that are being sourced from Randomly
generated IP addresses.
I
Manageability
I1
Router should support for embedded RMON for central NMS
management and monitoring
I2
Router should support for sending logs to multiple centralised syslog
server for monitoring and audit trail
I3
Router should provide remote logging for administration using:
I3.1
a. Telnet
I3.2
b. SSH V.2
I4
Router should support for capturing packets for identifying
application performance using remote port mirroring for packet
captures
I5
Router should support for management and monitoring status using
different type of Industry standard NMS using:
I5.1
a. SNMP V1 and V.2
I5.2
b. SNMP V.3
I5.3
c. Filtration of SNMP using Access list
I5.4
d. SNMP MIB support for QoS
I6
Router should support for basic administrative tools like:
I6.1
a. Ping
I6.2
b. Traceroute
I7
Router should support central time server synchronisation using
Network Time Protocol NTP V.4
I8
Router should support for collecting realtime traffic statistics for
analysis and troubleshooting using Netflow or Ipfix or equivalent
I9
Router should support for providing granular MIB support for
different statistics of the LAN and WAN interface
I10
Router should support predefined and customised execution of
script for device management for automatic and scheduled system status
update for monitoring and management
I11
Router should provide different privilege for login in to the system for
monitoring and management
I12
Router should support to dynamically change in configuration or
operating system by using different local and central tools and scripts
J
IPv6 features
J1
Router should support IPv6
J2
Router should support for IPv6 connectivity and routing required for
network reachability using different routing protocols such as:
J2.1
a. RIP NG
J2.2
b. OSPF V.3
J2.3
c. BGP with IPv6
J2.4
d. IPv6 Policy based routing
J2.5
e. IPv6 Dual Stack etc
J2.6
f. IPv6 Static Route
J2.7
g. IPv6 Default route
J2.8
h. Should support route redistribution between these protocols
J3
Router should support different types of IPv6 tunnelling mechanism,
such as:
J3.1
a. Automatic IPV 6 to IPV4 tunnels/IPv4 to IPv6 IP Tunnels
J3.2
b. Automatic IP v4 compatible tunnels/IPv4 to IPv6 IP Tunnels
J3.3
c. IPv6 over IPv4 tunnelling
J3.4
d. ISATAP Tunnelling
J4
Router should support different types of multicast routing in IPv6
network using:
J4.1
a. PIMv2 Sparse Mode
J4.2
b. PIMv2 Source-Specific Multicast
J5
Router should support for QoS in IPv6 network connectivity
J6
Router should support monitoring and management using
different versions of SNMP in IPv6 environment such as:
J6.1
a. SNMPv1, SNMPv2c, SNMPv3
J6.2
b. SNMP over IPv6
J6.3
c. RFC4292/RFC4293 MIBs for IPv6 traffic
J7
Router should support syslog for sending system log messages to
centralised log server in IPv6 environment
J8
Router should support NTP to provide an accurate and consistent
timestamp over IPv6 to synchronize log collection and events
J9
Router should support for IPv6 different type of application usage
like:
J9.1
a. HTTP
J9.2
b. HTTPS
J9.3
c. ICMP
J9.4
d. TCP/UDP
J9.5
e. DNS lookup
J9.6
f. DHCP
J10
Router should support for IPv6 different types of tools for
administration and management such as:
J10.1
a. Ping
J10.2
b. Traceroute
J10.3
c. VTY
J10.4
d. SSH
J10.5
e. TFTP
Core Firewall Specifications
TABLE - 23
Quantity: 2 Nos
Sr. No.
Feature
Compliance(Y/N)
A
Solution Requirement
A1
Attach solution document containing detailed bill of material. It
should include name, version, date of release, date of release of next version,
end of sale & support date, application/product development path, etc.
A2
Proposed solution framework should be scalable to support large scale
deployment and reduce the time and effort to deploy the entire set up.
Bidder should clearly illustrate various tools and methodologies used to
achieve the same
A3
Please submit a list of all features provided by proposed solution in
addition to the specifications mentioned in this document that will be
available to the bank without any additional charges and will be under
support. These features will be treated at par with other features
mentioned in the RFP
A4
Solution should support Stateful Firewall functionality
A5
Solution should support "Stateful" policy inspection technology. It
should also have application intelligence for commonly used TCP/IP
protocols, not limited to telnet, ftp, http, https etc
A7
The communication between all the components of solution (firewall
module, logging & policy and Web GUI Console) should be encrypted
with SSL or PKI
A8
The communication between all the components of solution (firewall,
logging & policy and Web GUI Console) should be encrypted
A9
Management of the entire solution including real-time monitoring,
event logs collection, policy enforcement etc should be from a single
device only (mgt server/appliance), however solution should have
management devices at both locations
A 10
Firewall should be supplied with the support for static routing and
dynamic routing with protocols, like RIP v2, OSPF, & BGPv6 etc.
A 11
Firewall should support the multicast protocols like IGMP and PIM-DM / PIM-SM etc
A 12
Solution should support Identity Access for Granular User/ Group and
machine based visibility
A 13
Solution should provide stateful failover among devices for all
components and should be completely automatic without any sort of
manual intervention
A 14
Each appliance of Solution should have hardened OS for both
appliance and management platform
A 15
Solution should have capability to store Logs and configuration of all
devices, centrally in the solution and should also have capability to
send logs of all devices to the generic central log collection servers
A 16
Solution should be IPV6 ready. It should have IPV6 ready logo or
similar certification from any other reputed third party. No extra cost
will be borne by bank for IPV6 implementation
A 17
Solution must support the complete STACK of IP V4 and IP V6 services
A 18
Solution should support for multiple security levels/zones like internal,
DMZ and external etc.
A 19
Any compromise including but not limited to data leakage,
unauthorised access of bank's network/data/information due to any
flaw/security loop hole etc of the solution shall attract legal and
financial liabilities to the Bidder/Vendor and OEM.
A 20
Signatures, Patches & updates being received from OEM should be
from trusted sites
B
Hardware and Interface Requirement
B1
Each appliance should have at least 4 x 40G and 8 X 10G Mbps RJ45
interface Multimode fiber interfaces. All ports should be populated with
required transceivers. Apart from this, each appliance should have
additional ports for sync, HA and other functionalities.
B2
Firewall should have console port
B3
Firewall should have management interface for Out of Band
Management
B4
Firewall should be rack mountable and support side rails if required
B5
Firewall should have redundant power supplies (at least dual)
B6
Each appliance should have hardware health monitoring capabilities
and should provide different parameters through SNMP
B7
Solution should support VLAN tagging (IEEE 802.1q)
B8
Solution should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Solution should Support DHCP Relay
B 10
Solution should support and not limited to:
B.10.1
Active- Failover: The firewall must support Stateful Active-Failover or
clustering mode architecture for Firewall and high availability for
redundancy. Appliance failover should be complete Stateful.
B.10.2
Solution should not require any downtime/reboot for failover
B.10.3
Should support Non Stop Forwarding in HA during failover and
Graceful Restart
B 11
Solution should have the capability of holding multiple OS images to
support resilience & easy rollbacks during the version upgrades etc
B 12
Centralized Management Solution should provide high availability at
site level for enabling DR deployment
B 13
It should be possible to manage the entire solution from Primary &
Secondary management server/appliance placed at DC and DR.
Management solution should have the capability to be deployed in
geographically different location enabling DR deployment. (Please note
that high availability for management module is not required. One
management appliance at each site should be able to manage the
solution at both sites.)
B 14
The firewall system should have adequate local storage in order to keep
the various logs in the event of management server connection failure
etc.
C
Performance Requirement
C1
Solution should be properly sized for following given parameters, with
all features enabled at the same time:
C 1.1
Handling minimum 100 Gbps stateful inspection (by each firewall) of
user traffic (Incoming 50 Gbps and Outgoing 50 Gbps traffic
simultaneously) and other application Zones (Minimum 10 Application
Zones, WAN Zone, Outside Zone etc) connected using 10/40G
interfaces per zone.
C 1.2
The throughput of the each appliance should not be less than 100 Gbps
for IMIX (Real World Internet MIX traffic with 64, 512, 1500 byte
packets with TCP, UDP queries and DNS requests) with all services
enabled
C 1.3
Running all internet protocols etc, traffic flowing through different
zones in the solution with all the features enabled and running
C2
Solution should support minimum 70 million concurrent connections
C3
Solution should support minimum 2.5 million new sessions per second
processing
C4
Solution should not impact the application response by adding latency.
Maximum permissible latency of solution is less than 200
microseconds with all the services enabled together as asked in this
RFP at any point of time
C5
Firewall should be able to operate in multi-context mode (or
equivalent) and should support minimum 10 contexts
D
Network Standards/Protocols Requirement
D1
Solution should support at least 250+ protocols for filtering/making
other decision on the traffic
D2
Solution should have a capability to support for more than 1000 VLAN
D3
Solution should support the filtering of TCP/IP based applications with
standard TCP/UDP ports or deployed with custom ports etc
D4
Firewall Modules should support the deployment in Routed as well as
Transparent Mode & should also support following:
D 4.1
Solution should mask the internal network from the external
world/network
D 4.2
Multi-layer, stateful, application-inspection-based filtering should be
done
D 4.3
It should provide network segmentation features with powerful
capabilities that facilitate deploying security for various internal,
external and DMZ (Demilitarized Zone) sub-groups on the network, to
prevent unauthorized access
D 4.4
Ingress/egress filtering capability should be provided for internal,
external and DMZ (Demilitarized Zone) zones
D5
Solution should provide Network Address Translation (NAT)
functionality, including dynamic and static NAT translation etc
D 5.1
Network Address Translation (NAT) should be configurable as
D 5.2
Firewall must have 1:1, 1: many, many: 1, many:many, flexible NAT
(overlapping IP addresses). Reverse NAT support
D 5.3
Firewall must support static NAT, PAT, dynamic NAT, PAT &
destination based NAT
D 5.4
Firewall must support NAT66 (IPv6-to-IPv6), NAT64 (IPv6-to-IPv4) & NAT46 (IPv4-to-IPv6) functionality
D 5.5
Port address translation (PAT)/Masquerading should be provided for
IP applications for filtering like Telnet, FTP, SMTP, http, DNS, ICMP,
DHCP, ARP, RPC, SNMP, Lotus Notes, MS-Exchange etc
D6
Should support Remotely Triggered Black Hole for Border Gateway
protocol security
D7
Solution should support integration with following standards :
D 7.1
X.509 Digital certificates
D 7.2
RSA SecurID Certified
D 7.3
Two Factor Authentication
D 7.4
Radius/Tacacs+
D8
Solution should support RADIUS/TACACS+ authentication protocol
for Local & remote access to devices
D9
Solution should support PKI with:
D 9.1
PKCS 7/PKCS 10/ PKCS 12 and PEM
D 9.2
Self-signed Certificates
D 9.3
External CA support
D 9.4
Certificate Revocation List Import/Check
D 10
Solution should support the following features, including but not limited to:
D 10.1
The Firewall must provide filtering capability that includes parameters
like source addresses, destination addresses, source and destination
port numbers, protocol type with other parameters to configure rules
based on following parameters:
D 10.2
Source/Destination IP/Port
D 10.3
Time and date access
D 10.4
User/group role (Integration with AD)
D 10.5
Customizable services
D 10.6
Time based
D 10.7
Combination of one or multiple of above mentioned parameter
D 11
The Firewall should be able to filter traffic even if the packets are
fragmented
D 14
Should support CLI & GUI based access to the firewall modules
D 15
Solution should support Access for Granular user, group & machine
based visibility and policy enforcement etc
D 16
Should support basic attack protection features listed below but not
limited to :
D 16.1
Maximum no of protections against attacks that exploit weaknesses in
the TCP/IP protocol suite
D 16.2
It should enable rapid detection of network attacks
D 16.3
TCP reassembly for fragmented packet protection
D 16.4
SYN cookie protection, SYN Flood, Half Open Connections and NULL
Packets etc
D 16.5
Protection against IP spoofing
D 16.6
Malformed packet protection
D 17
Solution should support the IPSec VPN for both Site-Site & Remote
Access VPN etc
D 18
Firewall system should support virtual tunnel interfaces to provision
Route-Based IPSec VPN
D 19
Dynamic Host Configuration Protocol (DHCP) over Virtual Private
Network (VPN) should be supported for dynamic allocation of IP
addresses
D 20
Solution should support IPSec VPN features and not limited to:
D 20.1
The firewall should support Internet Protocol Security (IPSec)
D 20.2
Key exchange with latest Internet Key Exchange (IKE), IKEv2, Public
Key Infrastructure PKI (X.509)
D 20.3
Site-to-site VPN tunnels: full-mesh / star topology should be supported
D 20.4
Support Latest Encryption algorithms including AES
128/192/256(Advanced Encryption Standards), 3DES(Data Encryption
Standard) etc
D 20.5
Support Latest Authentication algorithms including SHA-1(Secure
Hash Algorithm-1), SHA- 2(Secure Hash Algorithm-2) etc
D 20.6
IPSec NAT traversal should be supported
D 20.7
Support for client-to-site based in IPSEC must be included
D 20.8
It must include the ability to establish VPNs with gateways with
dynamic public IP's
E
Administration, Management and Logging Functionality
Features Requirement
E1
The bidder must propose two management devices for real time
monitoring, management and log collection, each with at least 4TB
RAID storage. Out of the two, one will be at DC & one at DR, to manage these
12 Firewalls. All the logs should be retained in these 2 management
devices. In case the primary management device fails, complete logs
should be available at the secondary management device
E2
A centralized monitoring and management system with multiple
administrators who have administrative rights based on their roles. It
should provide Audit Trail of the Changes etc
E3
Secondary (SLAVE) Management Server should support the MASTER
role once the Disaster recovery is triggered for any or multiple
management domains in the Management Server
E4
Both DC and DR systems should be manageable from the centralised
management framework with support for managing MIN 25 Gateways
E5
Solution should be able to support large scale WAN deployment with
following important Criteria for Real-Time Monitoring, Management &
Log Collection etc
E 5.1
Solution should support migration of existing policies in to the newer
Solution
E 5.2
To ensure business continuity all the solutions/hardware proposed
should be in HA
E6
Any changes or commands issued by an authenticated user should be
logged to a database of the management system
E7
Firewall Management system should also provide the real time health
status of all the firewall modules of all firewalls on the dashboard for
CPU & memory utilization, state table, total number of concurrent
connections and the connections/second counter etc
E8
It should support SNMP (Simple Network Management Protocol) v 2.0
and v 3.0 and NTP V.4 with all new versions being released in future
E9
Firewall should be capable of sending mail or SNMP traps to Network
Management Servers (NMS) in response to defined events such as
system failures or threshold violations for any parameter of the
solution
E 10
Firewall should support the user based logging. Log levels must be
configurable based on severity
E 11
Centralized management Appliance should support SAN / NAS
E 12
The Firewall must provide simplified provisioning for addition of new
firewalls where by a standard firewall policy could be pushed into the
new firewall
E 13
The Firewall administration station must provide a means for
exporting the firewall rules, policies and configuration
E 14
Support for role based administration of firewall
E 15
The Firewall administration software must provide a means of viewing,
filtering and managing the log data
E 16
The Firewall logs must contain information about the firewall policy
rule that triggered the log
E 17
Centralized Security Management should include for all the proposed
security controls but not limited to:
E 17.1
Real Time Security Monitoring
E 17.2
Logging
E 17.3
Reporting functions
E 18
The solution must provide statistics including (but not limited to)
health of the firewall, the amount of traffic traversing, memory & CPU
utilization etc
E 19
Solution should support for configuration rollback
E 20
Solution should support Real time traffic statistics & Historical report
with Customized reports in HTML/PDF/word format etc
E 21
Solution Audit Trail should contain at a minimum:
E 21.1
The name of the administrator making the change
E 21.2
The change made
E 21.3
Time of change made
E 22
Management system should provide detailed Event analysis for
Firewall and also should provide Syslog output to integrate with other
major SIEM tools and specifically should support RSA SIEM tool
current and future versions
E 23
Solution should support for real time analysis of all traffic the firewall
may encounter (all possible SOURCE, DESTINATION, SERVICE,
including groups) etc
F
Licensing Requirement
F1
Solution should have enterprise license without any restrictions. If
during the contract, solution is not performing as per specifications in
this RFP, bidder has to upgrade/enhance the devices or place
additional devices and reconfigure the system without any cost to bank
F2
Solution and its various components like Firewall and other inbuilt
features etc should not have any licensing restriction on number of
users, concurrent connections, total connections, new connections,
number of vlan, zones, number of policies, number of appliances, other
network parameters, number of equipments / servers etc
F3
The offered product part codes have to be General Availability Part
codes and not custom built Part Code for SBI. There should be cross
reference to the public website of the OEM
F4
Any third party product required to achieve the functionality should be
provided with the necessary enterprise version license of
software/appliance and necessary hardware, database and other
relevant software or hardware etc should be provided with the solution
Internet Firewall Specifications TABLE -24
Quantity: 2 Nos
Sr. No.
Feature
Compliance(Y/N)
A
Solution Requirement
A1
Attach solution document containing detailed bill of material. It should
include name, version, date of release, date of release of next version, end of sale &
support date, application/product development path, etc.
A2
Proposed solution framework should be scalable to support large scale
deployment and reduce the time and effort to deploy the entire set up. Bidder
should clearly illustrate various tools and methodologies used to achieve the
same
A3
Please submit a list of all features provided by proposed solution in addition to
the specifications mentioned in this document that will be available to the
bank without any additional charges and will be under support. These features
will be treated at par with other features mentioned in the RFP
A4
Solution should support Stateful Firewall functionality
A5
Solution should support "Stateful" policy inspection technology. It should also
have application intelligence for commonly used TCP/IP protocols, not limited
to telnet, ftp, http, https etc
A7
The communication between all the components of solution (firewall module,
logging & policy and Web GUI Console) should be encrypted with SSL or PKI
A8
The communication between all the components of solution (firewall, logging
& policy and Web GUI Console) should be encrypted
A9
Management of the entire solution including real-time monitoring, event logs
collection, policy enforcement etc should be from a single device only (mgt
server/appliance), however solution should have management devices at both
locations
A 10
Firewall should be supplied with the support for static routing and dynamic
routing with protocols, like RIP v2, OSPF, & BGPv6 etc.
A 11
Firewall should support the multicast protocols like IGMP and PIM-DM /
PIM-SM etc
A 12
Solution should support Identity Access for Granular User/ Group and
machine based visibility
A 13
Solution should provide stateful failover among devices for all components and
should be completely automatic without any sort of manual intervention
A 14
Each appliance of Solution should have hardened OS for both appliance and
management platform
A 15
Solution should have capability to store Logs and configuration of all devices,
centrally in the solution and should also have capability to send logs of all
devices to the generic central log collection servers
A 16
Solution should be IPV6 ready. It should have IPV6 ready logo or similar
certification from any other reputed third party. No extra cost will be borne by
bank for IPV6 implementation
A 17
Solution must support the complete STACK of IP V4 and IP V6 services
A 18
Solution should support for multiple security levels/zones like internal, DMZ
and external etc.
A 19
Any compromise including but not limited to data leakage, unauthorised
access of bank's network/data/information due to any flaw/security loop hole
etc of the solution shall attract legal and financial liabilities to the
Bidder/Vendor and OEM.
A 20
Signatures, Patches & updates being received from OEM should be from
trusted sites
B
Hardware and Interface Requirement
B1
Each appliance should have at least 4 x 40G and 8 X 10G Mbps RJ45
interface Multimode fiber interfaces. All ports should be populated with
required transceivers. Apart from this, each appliance should have additional
ports for sync, HA and other functionalities.
B2
Firewall should have console port
B3
Firewall should have management interface for Out of Band Management
B4
Firewall should be rack mountable and support side rails if required
B5
Firewall should have redundant power supplies (at least dual)
B6
Each appliance should have hardware health monitoring capabilities and
should provide different parameters through SNMP
B7
Solution should support VLAN tagging (IEEE 802.1q)
B8
Solution should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Solution should Support DHCP Relay
B 10
Solution should support and not limited to:
B.10.1
Active- Failover: The firewall must support Stateful Active-Failover or
clustering mode architecture for Firewall and high availability for redundancy.
Appliance failover should be complete Stateful.
B.10.2
Solution should not require any downtime/reboot for failover
B.10.3
Should support Non Stop Forwarding in HA during failover and Graceful
Restart
B 11
Solution should have the capability of holding multiple OS images to support
resilience & easy rollbacks during the version upgrades etc
B 12
Centralized Management Solution should provide high availability at site level
for enabling DR deployment
B 13
It should be possible to manage the entire solution from Primary & Secondary
management server/appliance placed at DC and DR. Management solution
should have the capability to be deployed in geographically different location
enabling DR deployment. (Please note that high availability for management
module is not required. One management appliance at each site should be able
to manage the solution at both sites.)
B 14
The firewall system should have adequate local storage in order to keep the
various logs in the event of management server connection failure etc.
C
Performance Requirement
C 1.1
Handling minimum 60 Gbps stateful inspection (by each firewall) of user
traffic (Incoming 30 Gbps and Outgoing 30 Gbps traffic simultaneously) and
other application Zones (Minimum 10 Application Zones, WAN Zone, Outside
Zone etc) connected using 10/40G interfaces per zone.
C 1.2
The throughput of each appliance should not be less than 60 Gbps for
IMIX (Real World Internet MIX traffic with 64, 512, 1500 byte packets with
TCP, UDP queries and DNS requests) with all services enabled
C 1.3
Running all internet protocols etc, traffic flowing through different zones in
the solution with all the features enabled and running
C2
Solution should support minimum 50 million concurrent connections
C3
Solution should support minimum 900,000 new sessions per second
processing
C4
Solution should not impact the application response by adding latency.
Maximum permissible latency of solution should be less than 200 microsecond
C5
Firewall should be able to operate in multi-context mode (or equivalent) and
should support minimum 10 contexts
C6
Solution should support Minimum 1000 site to site IPSEC VPN tunnels
D
Network Standards/Protocols Requirement
D1
Solution should support at least 250+ protocols for filtering/making other
decision on the traffic
D2
Solution should have a capability to support for more than 1000 VLAN
D3
Solution should support the filtering of TCP/IP based applications with
standard TCP/UDP ports or deployed with custom ports etc
D4
Firewall Modules should support the deployment in Routed as well as
Transparent Mode & should also support following:
D 4.1
Solution should mask the internal network from the external world/network
D 4.2
Multi-layer, stateful, application-inspection-based filtering should be done
D 4.3
It should provide network segmentation features with powerful capabilities
that facilitate deploying security for various internal, external and DMZ
(Demilitarized Zone) sub-groups on the network, to prevent unauthorized
access
D 4.4
Ingress/egress filtering capability should be provided for internal, external and
DMZ (Demilitarized Zone) zones
D5
Solution should provide Network Address Translation (NAT) functionality,
including dynamic and static NAT translation etc
D 5.1
Network Address Translation (NAT) should be configurable as
D 5.2
Firewall must have 1:1, 1: many, many: 1, many:many, flexible NAT
(overlapping IP addresses). Reverse NAT support
D 5.3
Firewall must support static NAT, PAT, dynamic NAT, PAT & destination
based NAT
D 5.4
Firewall must support NAT66 (IPv6-to-IPv6), NAT64 (IPv6-to-IPv4) &
NAT46 (IPv4-to-IPv6) functionality
D 5.5
Port address translation (PAT)/Masquerading should be provided for IP
applications for filtering like Telnet, FTP, SMTP, http, DNS, ICMP, DHCP,
ARP, RPC, SNMP, Lotus Notes, MS-Exchange etc
D6
Should support Remotely Triggered Black Hole for Border Gateway protocol
security
D7
Solution should support integration with following standards :
D 7.1
X.509 Digital certificates
D 7.2
RSA SecurID Certified
D 7.3
Two Factor Authentication
D 7.4
RADIUS/TACACS+
D8
Solution should support RADIUS/TACACS+ authentication protocol for Local
& remote access to devices
D9
Solution should support PKI with:
D 9.1
PKCS 7/PKCS 10/ PKCS 12 and PEM
D 9.2
Self-signed Certificates
D 9.3
External CA support
D 9.4
Certificate Revocation List Import/Check
D 10
Solution should support the following features, but not be limited to:
D 10.1
The Firewall must provide filtering capability that includes parameters like
source addresses, destination addresses, source and destination port numbers,
protocol type with other parameters to configure rules based on following
parameters:
D 10.2
Source/Destination IP/Port
D 10.3
Time and date access
D 10.4
User/group role (Integration with AD)
D 10.5
Customizable services
D 10.6
Time based
D 10.7
Combination of one or multiple of above mentioned parameter
D 11
The Firewall should be able to filter traffic even if the packets are fragmented
D 14
Should support CLI & GUI based access to the firewall modules
D 15
Solution should support Access for Granular user, group & machine based
visibility and policy enforcement etc
D 16
Should support basic attack protection features listed below but not limited to :
D 16.1
Maximum no of protections against attacks that exploit weaknesses in the
TCP/IP protocol suite
D 16.2
It should enable rapid detection of network attacks
D 16.3
TCP reassembly for fragmented packet protection
D 16.4
SYN cookie protection, SYN Flood, Half Open Connections and NUL Packets
etc
D 16.5
Protection against IP spoofing
D 16.6
Malformed packet protection
D 17
Solution should support the IPSec VPN for both Site-Site & Remote Access
VPN etc
D 18
Firewall system should support virtual tunnel interfaces to provision Route-Based IPSec VPN
D 19
Dynamic Host Configuration Protocol (DHCP) over Virtual Private Network
(VPN) should be supported for dynamic allocation of IP addresses
D 20
Solution should support IPSec VPN features, but not be limited to:
D 20.1
The firewall should support Internet Protocol Security (IPSec)
D 20.2
Key exchange with latest Internet Key Exchange (IKE), IKEv2, Public Key
Infrastructure PKI (X.509)
D 20.3
Site-to-site VPN tunnels: full-mesh / star topology should be supported
D 20.4
Support Latest Encryption algorithms including AES 128/192/256 (Advanced
Encryption Standards), 3DES (Data Encryption Standard) etc
D 20.5
Support Latest Authentication algorithms including SHA-1 (Secure Hash
Algorithm-1), SHA-2 (Secure Hash Algorithm-2) etc
D 20.6
IPSec NAT traversal should be supported
D 20.7
Support for client-to-site based in IPSEC must be included
D 20.8
It must include the ability to establish VPNs with gateways with dynamic
public IP's
E
Administration, Management and Logging Functionality Features
Requirement
E1
The bidder must propose two management devices for real time monitoring,
management and log collection, each with at least 4TB RAID storage. Out of
the two, one at DC & one at DR, to manage these 12 Firewalls. All the logs
should be retained in these 2 management devices. In case the primary
management device fails, complete logs should be available at the secondary
management device
E2
A centralized monitoring and management system with multiple
administrators who have administrative rights based on their roles. It should
provide Audit Trail of the Changes etc
E3
Secondary (SLAVE) Management Server should support the MASTER role
once the Disaster recovery is triggered for any or multiple management
domains in the Management Server
E4
Both DC and DR systems should be manageable from the centralised
management framework with support for managing MIN 25 Gateways
E5
Solution should be able to support large scale WAN deployment with following
important Criteria for Real-Time Monitoring, Management & Log Collection
etc
E 5.1
Solution should support migration of existing policies into the newer Solution
E 5.2
To ensure business continuity all the solutions/hardware proposed should be
in HA
E6
Any changes or commands issued by an authenticated user should be logged to
a database of the management system
E7
Firewall Management system should also provide the real time health status of
all the firewall modules of all firewalls on the dashboard for CPU & memory
utilization, state table, total number of concurrent connections and the
connections/second counter etc
E8
It should support SNMP (Simple Network Management Protocol) v 2.0 and v
3.0 and NTP V.4 with all new versions being released in future
E9
Firewall should be capable of sending mail or SNMP traps to Network
Management Servers (NMS) in response to defined events such as system
failures or threshold violations for any parameter of the solution
E 10
Firewall should support the user based logging. Log levels must be
configurable based on severity
E 11
Centralized management Appliance should support SAN / NAS
E 12
The Firewall must provide simplified provisioning for addition of new firewalls
where by a standard firewall policy could be pushed into the new firewall
E 13
The Firewall administration station must provide a means for exporting the
firewall rules, policies and configuration
E 14
Support for role based administration of firewall
E 15
The Firewall administration software must provide a means of viewing,
filtering and managing the log data
E 16
The Firewall logs must contain information about the firewall policy rule that
triggered the log
E 17
Centralized Security Management should include for all the proposed security
controls but not limited to:
E 17.1
Real Time Security Monitoring
E 17.2
Logging
E 17.3
Reporting functions
E 18
The solution must provide statistics including (but not limited to) health of the
firewall, the amount of traffic traversing, memory & CPU utilization etc
E 19
Solution should support configuration rollback
E 20
Solution should support Real time traffic statistics & Historical report with
Customized reports in HTML/PDF/word format etc
E 21
Solution Audit Trail should contain at a minimum:
E 21.1
The name of the administrator making the change
E 21.2
The change made
E 21.3
Time of change made
E 22
Management system should provide detailed Event analysis for Firewall and
also should provide Syslog output to integrate with other major SIEM tools
and specifically should support RSA SIEM tool current and future versions
E 23
Solution should support real time analysis of all traffic the firewall may
encounter (all possible SOURCE, DESTINATION, SERVICE, including groups)
etc
F
Licensing Requirement
F1
Solution should have enterprise license without any restrictions. If during the
contract, solution is not performing as per specifications in this RFP, bidder
has to upgrade/enhance the devices or place additional devices and
reconfigure the system without any cost to bank
F2
Solution and its various components like Firewall and other inbuilt features etc
should not have any licensing restriction on number of users, concurrent
connections, total connections, new connections, number of vlan, zones,
number of policies, number of appliances, other network parameters, number
of equipments / servers etc
F3
The offered product part codes have to be General Availability Part codes and
not custom built Part Code for SBI. There should be cross reference to the
public website of the OEM
F4
Any third party product required to achieve the functionality should be
provided with the necessary enterprise version license of software/appliance
and necessary hardware, database and other relevant software or hardware etc
should be provided with the solution
Extranet Firewall Specifications TABLE-25
Quantity: 2 Nos
Sr. No. | Feature | Compliance(Y/N)
A
Solution Requirement
A1
Attach solution document containing detailed bill of material. It should
include name, version, date of release, date of release of next version, end of sale &
support date, application/product development path, etc.
A2
Proposed solution framework should be scalable to support large scale
deployment and reduce the time and effort to deploy the entire set up. Bidder
should clearly illustrate various tools and methodologies used to achieve the
same
A3
Please submit a list of all features provided by proposed solution in addition to
the specifications mentioned in this document that will be available to the
bank without any additional charges and will be under support. These features
will be treated at par with other features mentioned in the RFP
A4
Solution should support Stateful Firewall functionality
A5
Solution should support "Stateful" policy inspection technology. It should also
have application intelligence for commonly used TCP/IP protocols, not limited
to telnet, ftp, http, https etc
A7
The communication between all the components of solution (firewall module,
logging & policy and Web GUI Console) should be encrypted with SSL or PKI
A8
The communication between all the components of solution (firewall, logging
& policy and Web GUI Console) should be encrypted
A9
Management of the entire solution including real-time monitoring, event logs
collection, policy enforcement etc should be from a single device only (mgt
server/appliance), however solution should have management devices at both
locations
A 10
Firewall should be supplied with the support for static routing and dynamic
routing with protocols, like RIP v2, OSPF, & BGPv6 etc.
A 11
Firewall should support the multicast protocols like IGMP and PIM-DM /
PIM-SM etc
A 12
Solution should support Identity Access for Granular User/ Group and
machine based visibility
A 13
Solution should provide stateful failover among devices for all components and
should be completely automatic without any sort of manual intervention
A 14
Each appliance of Solution should have hardened OS for both appliance and
management platform
A 15
Solution should have capability to store Logs and configuration of all devices,
centrally in the solution and should also have capability to send logs of all
devices to the generic central log collection servers
A 16
Solution should be IPV6 ready. It should have IPV6 ready logo or similar
certification from any other reputed third party. No extra cost will be borne by
bank for IPV6 implementation
A 17
Solution must support the complete STACK of IP V4 and IP V6 services
A 18
Solution should support multiple security levels/zones like internal, DMZ
and external etc.
A 19
Any compromise including but not limited to data leakage, unauthorised
access of bank's network/data/information due to any flaw/security loop hole
etc of the solution shall attract legal and financial liabilities to the
Bidder/Vendor and OEM.
A 20
Signatures, Patches & updates being received from OEM should be from
trusted sites
B
Hardware and Interface Requirement
B1
Each appliance should have at least 8 x 10/100/1000 Mbps RJ45 ethernet
interfaces and 8 x 10GbE Multimode fiber interfaces. All ports should be
populated with required transceivers. Apart from this, each appliance should
have additional ports for sync, HA and other functionalities.
B2
Firewall should have console port
B3
Firewall should have management interface for Out of Band Management
B4
Firewall should be rack mountable and support side rails if required
B5
Firewall should have redundant power supplies (at least dual)
B6
Each appliance should have hardware health monitoring capabilities and
should provide different parameters through SNMP
B7
Solution should support VLAN tagging (IEEE 802.1q)
B8
Solution should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Solution should Support DHCP Relay
B 10
Solution should support, but not be limited to:
B.10.1
Active-Failover: The firewall must support Stateful Active-Failover or
clustering mode architecture for Firewall and high availability for redundancy.
Appliance failover should be completely stateful.
B.10.2
Solution should not require any downtime/reboot for failover
B.10.3
Should support Non Stop Forwarding in HA during failover and Graceful
Restart
B 11
Solution should have the capability of holding multiple OS images to support
resilience & easy rollbacks during the version upgrades etc
B 12
Centralized Management Solution should provide high availability at site level
for enabling DR deployment
B 13
It should be possible to manage the entire solution from Primary & Secondary
management server/appliance placed at DC and DR. Management solution
should have the capability to be deployed in geographically different location
enabling DR deployment. (Please note that high availability for management
module is not required. One management appliance at each site should be able
to manage the solution at both sites.)
B 14
The firewall system should have adequate local storage in order to keep the
various logs in the event of management server connection failure etc.
C
Performance Requirement
C1
Solution should be properly sized for following given parameters, with all
features enabled at the same time:
C 1.1
Handling minimum 10 Gbps (by each firewall) of user traffic (Incoming 5 Gbps
and Outgoing 5 Gbps traffic simultaneously) and other application Zones
(Minimum 10 Application Zones, WAN Zone, Outside Zone etc) connected
using 10G & 1G interfaces per zone.
C 1.2
The throughput of each appliance should not be less than 10 Gbps for IMIX
(Real World Internet MIX traffic with 64, 512, 1500 byte packets with TCP,
UDP queries and DNS requests) with all services enabled
C 1.3
Running all internet protocols etc, traffic flowing through different zones in
the solution with all the features enabled and running
C2
Solution should support minimum 10,00,000 concurrent connections
C3
Solution should support minimum 150,000 new sessions per second
processing
C4
Solution should not impact the application response by adding latency.
Maximum permissible latency of solution should be less than 10 micro-second
C5
Firewall should be able to operate in multi-context mode (or equivalent) and
should support minimum 10 contexts
C6
Solution should support Minimum 1000 site to site IPSEC VPN tunnels
D
Network Standards/Protocols Requirement
D1
Solution should support at least 250+ protocols for filtering/making other
decision on the traffic
D2
Solution should have a capability to support for more than 1000 VLAN
D3
Solution should support the filtering of TCP/IP based applications with
standard TCP/UDP ports or deployed with custom ports etc
D4
Firewall Modules should support the deployment in Routed as well as
Transparent Mode & should also support following:
D 4.1
Solution should mask the internal network from the external world/network
D 4.2
Multi-layer, stateful, application-inspection-based filtering should be done
D 4.3
It should provide network segmentation features with powerful capabilities
that facilitate deploying security for various internal, external and DMZ
(Demilitarized Zone) sub-groups on the network, to prevent unauthorized
access
D 4.4
Ingress/egress filtering capability should be provided for internal, external and
DMZ (Demilitarized Zone) zones
D5
Solution should provide Network Address Translation (NAT) functionality,
including dynamic and static NAT translation etc
D 5.1
Network Address Translation (NAT) should be configurable as
D 5.2
Firewall must have 1:1, 1: many, many: 1, many:many, flexible NAT
(overlapping IP addresses). Reverse NAT support
D 5.3
Firewall must support static NAT, PAT, dynamic NAT, PAT & destination
based NAT
D 5.4
Firewall must support NAT66 (IPv6-to-IPv6), NAT64 (IPv6-to-IPv4) &
NAT46 (IPv4-to-IPv6) functionality
D 5.5
Port address translation (PAT)/Masquerading should be provided for IP
applications for filtering like Telnet, FTP, SMTP, http, DNS, ICMP, DHCP,
ARP, RPC, SNMP, Lotus Notes, MS-Exchange etc
D6
Should support Remotely Triggered Black Hole for Border Gateway protocol
security
D7
Solution should support integration with following standards :
D 7.1
X.509 Digital certificates
D 7.2
RSA SecurID Certified
D 7.3
Two Factor Authentication
D 7.4
RADIUS/TACACS+
D8
Solution should support RADIUS/TACACS+ authentication protocol for Local
& remote access to devices
D9
Solution should support PKI with:
D 9.1
PKCS 7/PKCS 10/ PKCS 12 and PEM
D 9.2
Self-signed Certificates
D 9.3
External CA support
D 9.4
Certificate Revocation List Import/Check
D 10
Solution should support the following features, but not be limited to:
D 10.1
The Firewall must provide filtering capability that includes parameters like
source addresses, destination addresses, source and destination port numbers,
protocol type with other parameters to configure rules based on following
parameters:
D 10.2
Source/Destination IP/Port
D 10.3
Time and date access
D 10.4
User/group role (Integration with AD)
D 10.5
Customizable services
D 10.6
Time based
D 10.7
Combination of one or multiple of above mentioned parameter
D 11
The Firewall should be able to filter traffic even if the packets are fragmented
D 14
Should support CLI & GUI based access to the firewall modules
D 15
Solution should support Access for Granular user, group & machine based
visibility and policy enforcement etc
D 16
Should support basic attack protection features listed below but not limited to :
D 16.1
Maximum no of protections against attacks that exploit weaknesses in the
TCP/IP protocol suite
D 16.2
It should enable rapid detection of network attacks
D 16.3
TCP reassembly for fragmented packet protection
D 16.4
SYN cookie protection, SYN Flood, Half Open Connections and NUL Packets
etc
D 16.5
Protection against IP spoofing
D 16.6
Malformed packet protection
D 17
Solution should support the IPSec VPN for both Site-Site & Remote Access
VPN etc
D 18
Firewall system should support virtual tunnel interfaces to provision Route-Based IPSec VPN
D 19
Dynamic Host Configuration Protocol (DHCP) over Virtual Private Network
(VPN) should be supported for dynamic allocation of IP addresses
D 20
Solution should support IPSec VPN features, but not be limited to:
D 20.1
The firewall should support Internet Protocol Security (IPSec)
D 20.2
Key exchange with latest Internet Key Exchange (IKE), IKEv2, Public Key
Infrastructure PKI (X.509)
D 20.3
Site-to-site VPN tunnels: full-mesh / star topology should be supported
D 20.4
Support Latest Encryption algorithms including AES 128/192/256 (Advanced
Encryption Standards), 3DES (Data Encryption Standard) etc
D 20.5
Support Latest Authentication algorithms including SHA-1 (Secure Hash
Algorithm-1), SHA-2 (Secure Hash Algorithm-2) etc
D 20.6
IPSec NAT traversal should be supported
D 20.7
Support for client-to-site based in IPSEC must be included
D 20.8
It must include the ability to establish VPNs with gateways with dynamic
public IP's
E
Administration, Management and Logging Functionality Features
Requirement
E1
The bidder must propose two management devices for real time monitoring,
management and log collection, each with at least 4TB RAID storage. Out of
the two, one at DC & one at DR, to manage these 12 Firewalls. All the logs
should be retained in these 2 management devices. In case the primary
management device fails, complete logs should be available at the secondary
management device
E2
A centralized monitoring and management system with multiple
administrators who have administrative rights based on their roles. It should
provide Audit Trail of the Changes etc
E3
Secondary (SLAVE) Management Server should support the MASTER role
once the Disaster recovery is triggered for any or multiple management
domains in the Management Server
E4
Both DC and DR systems should be manageable from the centralised
management framework with support for managing MIN 25 Gateways
E5
Solution should be able to support large scale WAN deployment with following
important Criteria for Real-Time Monitoring, Management & Log Collection
etc
E 5.1
Solution should support migration of existing policies into the newer Solution
E 5.2
To ensure business continuity all the solutions/hardware proposed should be
in HA
E6
Any changes or commands issued by an authenticated user should be logged to
a database of the management system
E7
Firewall Management system should also provide the real time health status of
all the firewall modules of all firewalls on the dashboard for CPU & memory
utilization, state table, total number of concurrent connections and the
connections/second counter etc
E8
It should support SNMP (Simple Network Management Protocol) v 2.0 and v
3.0 and NTP V.4 with all new versions being released in future
E9
Firewall should be capable of sending mail or SNMP traps to Network
Management Servers (NMS) in response to defined events such as system
failures or threshold violations for any parameter of the solution
E 10
Firewall should support the user based logging. Log levels must be
configurable based on severity
E 11
Centralized management Appliance should support SAN / NAS
E 12
The Firewall must provide simplified provisioning for addition of new firewalls
where by a standard firewall policy could be pushed into the new firewall
E 13
The Firewall administration station must provide a means for exporting the
firewall rules, policies and configuration
E 14
Support for role based administration of firewall
E 15
The Firewall administration software must provide a means of viewing,
filtering and managing the log data
E 16
The Firewall logs must contain information about the firewall policy rule that
triggered the log
E 17
Centralized Security Management should include for all the proposed security
controls but not limited to:
E 17.1
Real Time Security Monitoring
E 17.2
Logging
E 17.3
Reporting functions
E 18
The solution must provide statistics including (but not limited to) health of the
firewall, the amount of traffic traversing, memory & CPU utilization etc
E 19
Solution should support configuration rollback
E 20
Solution should support Real time traffic statistics & Historical report with
Customized reports in HTML/PDF/word format etc
E 21
Solution Audit Trail should contain at a minimum:
E 21.1
The name of the administrator making the change
E 21.2
The change made
E 21.3
Time of change made
E 22
Management system should provide detailed Event analysis for Firewall and
also should provide Syslog output to integrate with other major SIEM tools
and specifically should support RSA SIEM tool current and future versions
E 23
Solution should support real time analysis of all traffic the firewall may
encounter (all possible SOURCE, DESTINATION, SERVICE, including groups)
etc
F
Licensing Requirement
F1
Solution should have enterprise license without any restrictions. If during the
contract, solution is not performing as per specifications in this RFP, bidder
has to upgrade/enhance the devices or place additional devices and
reconfigure the system without any cost to bank
F2
Solution and its various components like Firewall and other inbuilt features etc
should not have any licensing restriction on number of users, concurrent
connections, total connections, new connections, number of vlan, zones,
number of policies, number of appliances, other network parameters, number
of equipments / servers etc
F3
The offered product part codes have to be General Availability Part codes and
not custom built Part Code for SBI. There should be cross reference to the
public website of the OEM
F4
Any third party product required to achieve the functionality should be
provided with the necessary enterprise version license of software/appliance
and necessary hardware, database and other relevant software or hardware etc
should be provided with the solution
Out of Band Firewall Specifications TABLE-26
Quantity: 2 Nos
Sr. No. | Feature | Compliance(Y/N)
A
Solution Requirement
A1
Attach solution document containing detailed bill of material. It should
include name, version, date of release, date of release of next version, end of sale &
support date, application/product development path, etc.
A2
Proposed solution framework should be scalable to support large scale
deployment and reduce the time and effort to deploy the entire set up. Bidder
should clearly illustrate various tools and methodologies used to achieve the
same
A3
Please submit a list of all features provided by proposed solution in addition to
the specifications mentioned in this document that will be available to the
bank without any additional charges and will be under support. These features
will be treated at par with other features mentioned in the RFP
A4
Solution should support Firewall functionality
A5
Solution should support "Stateful" policy inspection technology. It should also
have application intelligence for commonly used TCP/IP protocols, not
limited to telnet, ftp, http, https etc
A7
The communication between all the components of solution (firewall module,
logging & policy and Web GUI Console) should be encrypted with SSL or PKI
A8
The communication between all the components of solution (firewall, logging
& policy and Web GUI Console) should be encrypted
A9
Management of the entire solution including real-time monitoring, event logs
collection, policy enforcement etc should be from a single device only (mgt
server/appliance), however solution should have management devices at both
locations
A 10
Firewall should be supplied with the support for static routing and dynamic
routing with protocols, like RIP v2, OSPF, & BGPv6 etc.
A 11
Firewall should support the multicast protocols like IGMP and PIM-DM /
PIM-SM etc
A 12
Solution should support Identity Access for Granular User/ Group and
machine based visibility
A 13
Solution should provide stateful failover among devices for all components
and should be completely automatic without any sort of manual intervention
A 14
Each appliance of Solution should have hardened OS for both appliance and
management platform
A 15
Solution should have capability to store Logs and configuration of all devices,
centrally in the solution and should also have capability to send logs of all
devices to the generic central log collection servers
A 16
Solution should be IPV6 ready. It should have IPV6 ready logo or similar
certification from any other reputed third party. No extra cost will be borne by
bank for IPV6 implementation
A 17
Solution must support the complete STACK of IP V4 and IP V6 services
A 18
Solution should support for multiple security levels/zones like internal, DMZ
and external etc.
A 19
Any compromise including but not limited to data leakage, unauthorised
access of bank's network/data/information due to any flaw/security loop hole
etc of the solution shall attract legal and financial liabilities to the
Bidder/Vendor and OEM.
A 20
Signatures, Patches & updates being received from OEM should be from
trusted sites
B
Hardware and Interface Requirement
B1
Each appliance should have at least 8 x 10/100/1000 Mbps RJ45 ethernet
interfaces and 8 x 10GbE Multimode fiber interfaces. All ports should be
populated with required transceivers. Apart from this, each appliance should
have additional ports for sync, HA and other functionalities.
B2
Firewall should have console port
B3
Firewall should have management interface for Out of Band Management
B4
Firewall should be rack mountable and support side rails if required
B5
Firewall should have redundant power supplies (at least dual)
B6
Each appliance should have hardware health monitoring capabilities and
should provide different parameters through SNMP
B7
Solution should support VLAN tagging (IEEE 802.1q)
B8
Solution should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B9
Solution should Support DHCP Relay
B 10
Solution should support and not limited to:
B.10.1
Active- Failover: The firewall must support Stateful Active-Failover or
clustering mode architecture for Firewall and high availability for redundancy.
Appliance failover should be complete Stateful.
B.10.2
Solution should not require any downtime/reboot for failover
B.10.3
Should support Non Stop Forwarding in HA during failover and Graceful
Restart
B 11
Solution should have the capability of holding multiple OS images to support
resilience & easy rollbacks during the version upgrades etc
B 12
Centralized Management Solution should provide high availability at site level
for enabling DR deployment
B 13
It should be possible to manage the entire solution from Primary & Secondary
management server/appliance placed at DC and DR. Management solution
should have the capability to be deployed in geographically different location
enabling DR deployment. (Please note that high availability for management
module is not required. One management appliance at each site should be
able to manage the solution at both sites.)
B 14
The firewall system should have adequate local storage in order to keep the
various logs in the event of management server connection failure etc.
C
Performance Requirement
C1
Solution should be properly sized for following given parameters, with all
features enabled at the same time:
C 1.1
Handling minimum 10 Gbps (by each firewall) of user traffic (Incoming 5
Gbps and Outgoing 5 Gbps traffic simultaneously) and other application
Zones (Minimum 10 Application Zones, WAN Zone, Outside Zone etc)
connected using 10G & 1G interfaces per zone.
C 1.2
The throughput of each appliance should not be less than 10 Gbps for
IMIX (Real World Internet MIX traffic with 64, 512, 1500 byte packets with
TCP, UDP queries and DNS requests) with all services enabled
C 1.3
Running all internet protocols etc, traffic flowing through different zones in
the solution with all the features enabled and running
C2
Solution should support minimum 10,00,000 concurrent connections
C3
Solution should support minimum 150,000 new sessions per second
processing
C4
Solution should not impact the application response by adding latency.
Maximum permissible latency of solution should be less than 10 microseconds
C5
Firewall should be able to operate in multi-context mode (or equivalent) and
should support minimum 10 contexts
D
Network Standards/Protocols Requirement
D1
Solution should support at least 250+ protocols for filtering/making other
decision on the traffic
D2
Solution should have a capability to support for more than 1000 VLAN
D3
Solution should support the filtering of TCP/IP based applications with
standard TCP/UDP ports or deployed with custom ports etc
D4
Firewall Modules should support the deployment in Routed as well as
Transparent Mode & should also support following:
D 4.1
Solution should mask the internal network from the external world/network
D 4.2
Multi-layer, stateful, application-inspection-based filtering should be done
D 4.3
It should provide network segmentation features with powerful capabilities
that facilitate deploying security for various internal, external and DMZ
(Demilitarized Zone) sub-groups on the network, to prevent unauthorized
access
D 4.4
Ingress/egress filtering capability should be provided for internal, external
and DMZ (Demilitarized Zone) zones
D5
Solution should provide Network Address Translation (NAT) functionality,
including dynamic and static NAT translation etc
D 5.1
Network Address Translation (NAT) should be configurable as
D 5.2
Firewall must have 1:1, 1: many, many: 1, many:many, flexible NAT
(overlapping IP addresses). Reverse NAT support
D 5.3
Firewall must support static NAT, PAT, dynamic NAT, PAT & destination
based NAT
D 5.4
Firewall must support NAT66 (IPv6-to-IPv6), NAT64 (IPv6-to-IPv4) &
NAT46 (IPv4-to-IPv6) functionality
D 5.5
Port address translation (PAT)/Masquerading should be provided for IP
applications for filtering like Telnet, FTP, SMTP, http, DNS, ICMP, DHCP,
ARP, RPC, SNMP, Lotus Notes, MS-Exchange etc
D6
Should support Remotely Triggered Black Hole for Border Gateway protocol
security
D7
Solution should support integration with following standards :
D 7.1
X.509 Digital certificates
D 7.2
RSA SecurID Certified
D 7.3
Two Factor Authentication
D 7.4
RADIUS/TACACS+
D8
Solution should support RADIUS/TACACS+ authentication protocol for Local
& remote access to devices
D9
Solution should support PKI with:
D 9.1
PKCS 7/PKCS 10/ PKCS 12 and PEM
D 9.2
Self-signed Certificates
D 9.3
External CA support
D 9.4
Certificate Revocation List Import/Check
D 10
Solution should support features including, but not limited to:
D 10.1
The Firewall must provide filtering capability that includes parameters like
source addresses, destination addresses, source and destination port
numbers, protocol type with other parameters to configure rules based on
following parameters:
D 10.2
Source/Destination IP/Port
D 10.3
Time and date access
D 10.4
User/group role (Integration with AD)
D 10.5
Customizable services
D 10.6
Time based
D 10.7
Combination of one or multiple of above mentioned parameter
D 11
The Firewall should be able to filter traffic even if the packets are fragmented
D 14
Should support CLI & GUI based access to the firewall modules
D 15
Solution should support Access for Granular user, group & machine based
visibility and policy enforcement etc
D 16
Should support basic attack protection features listed below but not limited to:
D 16.1
Maximum no of protections against attacks that exploit weaknesses in the
TCP/IP protocol suite
D 16.2
It should enable rapid detection of network attacks
D 16.3
TCP reassembly for fragmented packet protection
D 16.4
SYN cookie protection, SYN Flood, Half Open Connections and NUL Packets
etc
D 16.5
Protection against IP spoofing
D 16.6
Malformed packet protection
D 17
Solution should support the IPSec VPN for both Site-Site & Remote Access
VPN etc
D 18
Firewall system should support virtual tunnel interfaces to provision Route-Based IPSec VPN
D 19
Dynamic Host Configuration Protocol (DHCP) over Virtual Private Network
(VPN) should be supported for dynamic allocation of IP addresses
D 20
Solution should support IPSec VPN features and not limited to:
D 20.1
The firewall should support Internet Protocol Security (IPSec)
D 20.2
Key exchange with latest Internet Key Exchange (IKE), IKEv2, Public Key
Infrastructure PKI (X.509)
D 20.3
Site-to-site VPN tunnels: full-mesh / star topology should be supported
D 20.4
Support Latest Encryption algorithms including AES 128/192/256 (Advanced
Encryption Standard), 3DES (Data Encryption Standard) etc
D 20.5
Support Latest Authentication algorithms including SHA-1 (Secure Hash
Algorithm-1), SHA-2 (Secure Hash Algorithm-2) etc
D 20.6
IPSec NAT traversal should be supported
D 20.7
Support for client-to-site based in IPSEC must be included
D 20.8
It must include the ability to establish VPNs with gateways with dynamic
public IPs
E
Administration, Management and Logging Functionality Features
Requirement
E1
The bidder must propose two management devices for real time monitoring,
management and log collection, each with at least 4TB RAID storage. Of
the two, one should be at DC and one at DR, to manage these 12 Firewalls. All the logs
should be retained in these 2 management devices. In case the primary
management device fails, complete logs should be available at the secondary
management device
E2
A centralized monitoring and management system with multiple
administrators who have administrative rights based on their roles. It should
provide Audit Trail of the Changes etc
E3
Secondary (SLAVE) Management Server should support the MASTER role
once the Disaster recovery is triggered for any or multiple management
domains in the Management Server
E4
Both DC and DR systems should be manageable from the centralised
management framework with support for managing MIN 25 Gateways
E5
Solution should be able to support large scale WAN deployment with
following important Criteria for Real-Time Monitoring, Management & Log
Collection etc
E 5.1
Solution should support migration of existing policies into the newer Solution
E 5.2
To ensure business continuity all the solutions/hardware proposed should be
in HA
E6
Any changes or commands issued by an authenticated user should be logged
to a database of the management system
E7
Firewall Management system should also provide the real time health status
of all the firewall modules of all firewalls on the dashboard for CPU & memory
utilization, state table, total number of concurrent connections and the
connections/second counter etc
E8
It should support SNMP (Simple Network Management Protocol) v 2.0 and v
3.0 and NTP V.4 with all new versions being released in future
E9
Firewall should be capable of sending mail or SNMP traps to Network
Management Servers (NMS) in response to defined events such as system
failures or threshold violations for any parameter of the solution
E 10
Firewall should support the user based logging. Log levels must be
configurable based on severity
E 11
Centralized management Appliance should support SAN / NAS
E 12
The Firewall must provide simplified provisioning for addition of new
firewalls where by a standard firewall policy could be pushed into the new
firewall
E 13
The Firewall administration station must provide a means for exporting the
firewall rules, policies and configuration
E 14
Support for role based administration of firewall
E 15
The Firewall administration software must provide a means of viewing,
filtering and managing the log data
E 16
The Firewall logs must contain information about the firewall policy rule that
triggered the log
E 17
Centralized Security Management should include for all the proposed security
controls but not limited to:
E 17.1
Real Time Security Monitoring
E 17.2
Logging
E 17.3
Reporting functions
E 18
The solution must provide statistics including (but not limited to) health of
the firewall, the amount of traffic traversing, memory & CPU utilization etc
E 19
Solution should support for configuration rollback
E 20
Solution should support Real time traffic statistics & Historical report with
Customized reports in HTML/PDF/word format etc
E 21
Solution Audit Trail should contain at a minimum:
E 21.1
The name of the administrator making the change
E 21.2
The change made
E 21.3
Time of change made
E 22
Management system should provide detailed Event analysis for Firewall and
also should provide Syslog output to integrate with other major SIEM tools
and specifically should support RSA SIEM tool current and future versions
E 23
Solution should support for real time analysis of all traffic the firewall may
encounter (all possible SOURCE, DESTINATION, SERVICE, including
groups) etc
F
Licensing Requirement
F1
Solution should have enterprise license without any restrictions. If during the
contract, solution is not performing as per specifications in this RFP, bidder
has to upgrade/enhance the devices or place additional devices and
reconfigure the system without any cost to bank
F2
Solution and its various components like Firewall and other inbuilt features
etc should not have any licensing restriction on number of users, concurrent
connections, total connections, new connections, number of vlan, zones,
number of policies, number of appliances, other network parameters, number
of equipments / servers etc
F3
The offered product part codes have to be General Availability Part codes and
not custom built Part Code for SBI. There should be cross reference to the
public website of the OEM
F4
Any third party product required to achieve the functionality should be
provided with the necessary enterprise version license of software/appliance
and necessary hardware, database and other relevant software or hardware etc
should be provided with the solution
Core Network Intrusion Prevention System (NIPS) Specification
TABLE 27
Quantity: 2 Nos
Serial No.
Technical Specification
A
Solution Requirement
A1
Make and Model number of the proposed solution
A2
Attach solution document with a detailed bill of material.
It should contain OEM name, model, version, date of release, date
of release of next version, end of sale & support date,
application/product development path, etc. for each component
A3
Proposed solution framework should be scalable to support large
scale deployment and reduce the time and effort to deploy the entire
set up. Bidder should clearly illustrate various tools and
methodologies used to achieve the same
A4
Please submit a list of all features provided by proposed solution in
addition to the specifications mentioned in this document that will
be available to the bank without any additional charges and will be
under support. These features will be treated at par with other
features mentioned in the RFP
A5
Solution should propose built and provide Intrusion Prevention
System, SSL Inspection, Anti Malware, Anti BOT, Application
control capabilities
A6
IPS should have Recommended rating and certified by Group tests
of NSS for NIPS or EAL4 certified
A7
The communication between all the components of solution (IPS
module, logging & policy and Web GUI Console) should be
encrypted with SSL or PKI
A8
Management of the entire solution including real-time monitoring,
event logs collection, policy enforcement etc should be from a single
device only (mgt server/appliance), however solution should have
management devices at two locations
Compliance(Y/N)
A9
Solution should provide stateful failover among devices for all
components and should be completely automatic without any sort
of manual intervention
A10
Solution should provide protection against various types of cyber
attacks, evasive attacks, scripting attacks etc
A12
Solution should have capability to store Logs and configuration of
all devices, centrally in the solution and should also have capability
to send logs of all devices to the generic central log collection
servers
A13
Solution should be IPV6 ready. It should have IPV6 ready logo or
similar certification from any other reputed third party. No extra
cost will be borne by bank for IPV6 implementation
Solution should be IPv6 ready. No extra cost will be borne by bank
for IPV6 implementation
A14
Solution must support the complete STACK of IP V4 and IP V6
services
A15
Independent administrative controls for all the major functions like
IPS, SSL Inspection etc should be in place. Compromise with any
component either by connecting with it physically or remotely
should not impact other components of the solution
A16
Any compromise including but not limited to data leakage,
unauthorised access of bank's network/data/information due to any
flaw/security loop hole etc of the solution shall attract legal and
financial liabilities to the System Integrator and OEM
A17
The device should have functionality of hardware based fail-open
A18
The device must be capable of dynamically tuning IPS sensors
(Like: selecting rules/signatures, configuring policies, updating
policies, etc.) with minimal human intervention
B
Hardware and Interface Requirements
B1
Each appliance should have at least 8 x 40G and 16 X 10G Mbps
RJ45 interface Multimode fiber interfaces. All ports should be
populated with required transceivers. Apart from this, each
appliance should have additional ports for sync, HA and other
functionalities.
B2
NIPS should have Console port and USB Port/s
B3
NIPS should have management interface for Out of Band
Management
B4
The appliance should have separate dedicated 1xG Ethernet
interface for management console. None of the monitoring ports
should be used for this purpose.
B5
NIPS should be rack mountable and support side rails if required
B6
NIPS should have redundant power supplies (at least dual)
B7
NIPS should have hardware health monitoring capabilities and
should provide different parameters through SNMP
B8
Solution should support VLAN tagging (IEEE 802.1q)
B9
Solution should support IEEE Link Aggregation and Ethernet
Bonding functionality to group multiple ports for redundancy
B10
Each appliance in the Solution should support and not limited to:
B10.1
NIPS should be deployed in High Availability. It should support
stateful high availability such that state information is shared
between the HA appliances. In case one of the appliances fails, state
is maintained.
B10.2
Active-Failover: The NIPS must support Stateful Active-Failover
architecture for NIPS and high availability for redundancy without
using any third party or additional software or hardware
B11
Solution should have the capability of holding multiple OS images
to support resilience & easy rollbacks during the version upgrades
etc
B12
Centralized Management Solution should provide high availability
at site level for enabling DR deployment
B13
It should be possible to manage the entire solution from Primary &
Secondary management server/appliance placed at DC and DR.
Management solution should have the capability to be deployed in
geographically different location enabling DR deployment
B14
The NIPS system should have adequate local storage in order to
keep the various logs
B15
NIPS should be able to perform entire packet capture of the infected
traffic and send it to the other application for analysis
C
Performance Requirement
C1
NIPS solution should be a purpose built dedicated standalone
appliance and not an integrated firewall or UTM appliance
C2
NIPS systems should be manageable from the centralised
management framework from DC and DR with support for
managing MIN 10 NIPS systems
C3
Each appliance in the Solution should be properly sized for
following given parameters, with all features enabled at the same
time:
C 3.1
Handling minimum 100 Gbps stateful inspection (by each firewall)
of user traffic (Incoming 50 Gbps and Outgoing 50 Gbps traffic
simultaneously) and other application Zones (Minimum 10
Application Zones, WAN Zone, Outside Zone etc) connected using
10/40G interfaces per zone.
C 3.2
The throughput of each appliance should not be less than 100
Gbps for IMIX (Real World Internet MIX traffic with 64, 512, 1500
byte packets with TCP, UDP queries and DNS requests) with all
services enabled
C 3.3
Running all internet protocols etc, traffic flowing through different
zones in the solution with all the features enabled and running
C 3.4
Solution (each device) should be sized for inspection of SSL traffic of
minimum 50 Gbps
C4
Solution should support minimum 20,000,000 concurrent
connections
C5
Solution should support minimum 250,000 new sessions per
second processing
C6
Solution should not impact the application response by adding
latency. Maximum permissible latency of solution is less than 200
microseconds with all the services enabled together as asked in this
RFP at any point of time
D
Features Requirement
D1
Solution should have capability to keep track of the network
connections, identify the threats, detect and prevent the threat and
relate the threat with corresponding end points (IP address, user,
software program etc)
D2
In Network forensics context, solution should be providing flow
information details (Netflow, Jflow, Sflow or similar) for a specific
host for given time interval
D3
Solution should be able to get enterprise visibility of internet access
like URL access, Malicious website visits etc.
D4
Solution should be able to get enterprise visibility of internet access: malicious server visits, country details
E
Detection and Prevention Requirement
E1
NIPS should support deployment in the following
modes:
a) IDS,
b) TAP Mode,
c) Inline
E2
NIPS should accurately detect intrusion attempts and discern
between the various types and risk levels including unauthorized
access attempts, pre-attack probes, suspicious activity, DoS, DDoS,
vulnerability exploitation, hybrids, and zero-day attacks, Worm,
Phishing, Spyware, Virus, Trojan, P2P, VoIP, Backdoor,
Reconnaissance, Bandwidth Hijacking, Cross-site scripting, SQL
Injection etc.
E3
NIPS should employ all seven-layer (of OSI model) protocol
analysis. Should support minimum of 100 internet protocols such
as but not limited to IP, DNS, VLAN, IMAP, TCP, RPC, MPLS, SMB,
ICMP, HTTP, FTP, Telnet, SMTP, UDP, E-mail, Script, Syslog,
SNMP etc.
E4
NIPS should support more than 23000 high quality vulnerability
based signatures
E5
Should support vulnerability based and not exploit based
signatures. Detects and blocks all known, high risk exploits along
with their underlying vulnerability (not just one exploit of that
vulnerability)
E6
Should support a wide variety of techniques to perform traffic
inspection including a) TCP stream reassembly, b) IP
defragmentation, c) Bi-directional inspection, d) Protocol Anomaly
Detection, e) Protocol tunneling, f) Signatures, g) Behavior anomaly,
h) Reputation
E7
NIPS should support Quality of Service. The solution should have
the ability to create QoS rules based on protocols, applications such
as P2P, IM etc, IP address and user or user groups
E8
NIPS should have the ability to identify applications traversing
the network so that you can allow or block specific application on
the network. For example, you can block just the connections to
Orkut, from your network while allowing all other HTTP and
HTTPS traffic
E9
NIPS should protect against SSL based attacks. NIPS should have
built-in SSL decryption Engine for SSL Traffic decryption to
support prevention of encrypted attacks - which includes attacks
over secured http channel without need to have additional
appliances
E10
NIPS should support source reputation based analysis. NIPS should
obtain through the cloud the reputation for each host involved in an
attack and use the reputation score of the source host as one of the
factors for blocking the host
E11
NIPS should support malware protection by performing file
reputation analysis of malicious files
E12
NIPS should have the ability to scan malware within files such as
PDF using emulation techniques and block only if pdf files with java
scripts are malicious
E13
NIPS should have the ability to inspect traffic in the virtual
environment and if any additional licenses are required to achieve
it, should be provided.
E14
NIPS should do attack recognition inside IPv6 encapsulated packets
E15
NIPS should provide advanced botnet protection using
heuristic detection methods
E16
NIPS should provide advanced botnet protection using multi event
behavior based detection mechanism.
E17
Should protect against DOS/DDOS attacks. Should have "self-learning" capability to monitor the network traffic and develop a
baseline profile. It should have the ability to constantly update this
profile to keep an updated view of the network
E18
NIPS should support the ability to limit the number of
TCP/UDP/ICMP active connections or connection rate from a host
E19
NIPS should support active blocking of traffic based on pre-defined
rules to thwart attacks before any damage is done, i.e. before
compromise occurs
E20
NIPS should have the ability to control traffic based on geographical
locations. For e.g. a policy can be created to block traffic coming or
going to a particular country
E21
NIPS should have the ability to block connection from outside based
on the reputation of the IP address that is trying to communicate
with the network
E22
Should protect against evasion techniques
E23
Should support a wide range of response actions as:
a) Block traffic,
b) Ignore,
c) TCP reset,
d) Quarantine host,
e) Log traffic,
f) Packet capture,
g) User defined scripts,
h) Email alert,
i) SNMP alert,
j) syslog alert
E24
The device should accurately detect the following Attack categories:
E24.1
Malformed traffic, Invalid Headers
E24.2
Vulnerability exploitation
E24.3
URL obfuscation
E25
The device should employ full seven-layer protocol analysis of over
4000+ internet protocols/applications like HTTP, FTP, SMTP,
Facebook, Gmail, etc.
E26
The device must support vulnerability based and exploit based
signatures. It should detect and block all known high risk exploits
and the underlying vulnerability (not just one exploit of that
vulnerability)
E27
Signatures, Patches & updates received by the solution from OEM
should be from trusted sites
E28
The device should handle following traffic inspection & support
following:
E28.1
IPv6, IPv4, Tunneled: 4in6, 6in4, 6to4
E28.2
Bi-directional inspection, Detection of Shell Code, Buffer overflows,
Advanced evasion protection
E28.3
Application Anomalies, P2P attacks, TCP segmentation and IP
fragmentation
E28.4
Rate-based threats, Statistical anomalies
E29
The device should have the ability to identify/block individual
applications (eg. Facebook or skype) running on one protocol (eg
HTTP or HTTPs)
E30
IPS should have application intelligence for commonly used TCP/IP
protocols, not limited to telnet, ftp, http, https etc
E31
The device should support blocking attacks based on:
E32
IP reputation, DNS Inspection and Sink-Holing, Geo-location, URL
Inspection / intelligence
E33
The device should have the feature for importing SNORT
signatures.
E34
Should support basic attack protection features listed below but not
limited to:
E34.1
Maximum no of protections against attacks that exploit weaknesses
in the TCP/IP protocol suite
E34.2
It should enable rapid detection of network attacks
E34.3
TCP reassembly for fragmented packet protection
E34.4
SYN cookie protection, SYN Flood, Half Open Connections and
NUL Packets etc
E34.5
Protection against IP spoofing
E34.6
Malformed packet protection
E34.7
It should be able to block Instant Messaging like Yahoo, MSN, ICQ,
Skype (SSL and HTTP tunneled) etc
E35
The Solution should provide visibility into how network bandwidth
is consumed to aid in troubleshooting network outages and
detecting Advanced Malware related DoS & DDoS activity from
within the network
F
Administration, Management and Logging Functionality
Features Requirement
F1
Solution Real-Time Monitoring, Management & Log Collection
(with storage) should not be distributed to more than ONE
server/appliance
F2
A centralized monitoring and management system with multiple
administrators who have administrative rights based on their roles,
should provide Audit Trail of the Changes etc
F3
Secondary (SLAVE) Management Server should support the
MASTER role once the Disaster recovery is triggered for any or
multiple management domains in the Management Server
F4
Solution should be able to support large scale WAN deployment
with following important Criteria for Real-Time Monitoring,
Management & Log Collection etc
F4.1
Implementation team has to migrate existing policies and create
policies as per Bank's IT & IS.
F4.2
To ensure business continuity all the solutions/hardware proposed
should be in HA
F5
Any changes or commands issued by an authenticated user should
be logged to a database of the management system
F6
Any changes or commands issued by an authenticated user should
be logged to a database of the management system
F7
It should support SNMP (Simple Network Management Protocol) v
2.0 and v 3.0 and NTP V.4 with all new versions of present and
future release
F8
IPS must send mail or SNMP traps to Network Management
Servers (NMS) in response to system failures or threshold violations
of the health attributes.
F9
Centralized management Appliance should support SAN or NAS etc
F10
The IPS must provide simplified provisioning for addition of new
IPSs where by a standard IPS policy could be pushed into the new
IPS
F11
The IPS administration station must provide a means for exporting
the IPS rules set and configuration
F12
NIPS Management console should be capable of producing
extensive graphics metric for analysis. Further, users should be able
to drill down into these graphical reports to view pertinent details.
F13
Support for role based administration of IPS
F14
NIPS should support granular management. Should allow policy to
be assigned per device, port, VLAN tag, IP address/range
F15
NIPS should operate effectively and protect against high risk, high
impact malicious traffic via default out of box policy configuration,
should be able to block attacks by default.
F16
The IPS administration software must provide a means of viewing,
filtering and managing the log data
F17
The IPS logs must contain information about the IPS policy rule
that triggered the log
F18
Should support to enable/disable each individual signature. Each
signature should allow granular tuning
F19
Centralized Security Management should include for all the
proposed security controls but not limited to:
F19.1
Real Time Security Monitoring
F19.2
Logging
F19.3
Reporting functions based on 1. Security event risk level, 2.
Date/time, 3. Event name 4. Source IP 5. Destination IP 6.
Response Taken 7. Sensor Identity 8. Severity, etc
F20
The solution must provide a minimum basic statistics about the
health of the IPS and the amount of traffic traversing the IPS
F21
Solution should support configuration rollback
F22
Solution should support Real time traffic statistics & Historical
report with
F22.1
Attacks and threat reports, etc.
F22.2
Customized reports on HTML, CSV and PDF format etc
F23
Solution Audit Trail should contain at a minimum:
F23.1
The name of the administrator making the change
F23.2
The change made
F23.3
Time of change made
F24
Management system should provide detailed Event analysis for IPS
and also should provide Syslog output to integrate with other major
SIEM tools and specifically should support RSA SIEM tool current
and future versions
F25
Solution should support real time analysis of all traffic the IPS
may encounter (all possible SOURCE, DEST, SERVICE, including
groups) etc
F26
Provide geographic distribution of data collection from devices,
processed locally, compressed and then transferred to the central
manager
F27
Solution should manage the NIPS appliances from a central
management console
F28
Management platform supports policy configuration, command,
control, and event management functions for the NIPS appliances
F29
Management console should support Radius and LDAP
authentication in addition to the local user authentication
F30
Management console should have the ability to allow access to
specific hosts by enabling GUI Access and defining the list of
authorized hosts/networks
G
Licensing Requirements
G1
Solution should have enterprise license without any restrictions. If
during the contract, solution is not performing as per specifications
in this RFP, bidder has to upgrade/enhance the devices or place
additional devices and reconfigure the system without any cost to
bank
Solution and its various components like Firewall, IPS, VPN etc
should not have any licensing restriction on number of users,
number of vlan, zones, number of policies, number of appliances,
other network parameters, number of equipments / servers etc.
G2
Solution should be able to achieve all the features and
functionalities mentioned in the RFP and accordingly, all the
required licenses should be provided as part of solution.
Further, if vendor is proposing a higher end device (having more
capacity than asked in this RFP) then there should not be any
restriction to use additional features, capacity, throughput etc.
Vendor has to mention the additional capacity in the solution
document.
G3
The offered product part codes have to be General Availability Part
codes and not custom built Part Code for SBI. There should be cross
reference to the public website of the OEM
G4
Any third party product required to achieve the functionality should
be provided with the necessary enterprise version license of
software/appliance and necessary hardware, database and other
relevant software or hardware etc should be provided with the s
Internet Network Intrusion Prevention System (NIPS) Specification
TABLE 28
Quantity: 2 Nos
Compliance(Y/N)
Serial
No.
Technical Specification
A
Solution Requirement
A1
Make and Model number of the proposed solution
A2
Attach solution document containing with detailed bill of material. It
should contain OEM name, model, version, date of release, date of release
of next version, end of sale & support date, application/product
development path, etc. for each component
A3
Proposed solution framework should be scalable to support large scale
deployment and reduce the time and effort to deploy the entire set up.
Bidder should clearly illustrate various tools and methodologies used to
achieve the same
A4
Please submit a list of all features provided by proposed solution in
addition to the specifications mentioned in this document that will be
available to the bank without any additional charges and will be under
support. These features will be treated at par with other features
mentioned in the RFP
A5
Solution should propose built and provide Intrusion Prevention System,
SSL Inspection, Anti Malware, Anti BOT, Application control capabilities
A6
IPS should have Recommended rating and certified by Group tests of NSS
for NIPS or EAL4 certified
A7
The communication between all the components of solution (IPS module,
logging & policy and Web GUI Console) should be encrypted with SSL or
PKI
A8
Management of the entire solution including real-time monitoring, event
logs collection, policy enforcement etc should be from a single device only
(mgt server/appliance), however solution should have management
devices at two locations
A9
Solution should provide stateful failover among devices for all
components and should be completely automatic without any sort of
manual intervention
A10
Solution Should provide protection against various types of cyber attacks
evasive attacks, scripting attacks etc
A12
Solution should have capability to store Logs and configuration of all
devices, centrally in the solution and should also have capability to send
logs of all devices to the generic central log collection servers
A13
Solution should be IPV6 ready. It should have IPV6 ready logo or similar
certification from any other reputed third party. No extra cost will be
borne by bank for IPV6 implementation
Solution should be IPv6 ready. No extra cost will be borne by bank for
IPV6 implementation
A14
Solution must support the complete STACK of IP V4 and IP V6 services
A15
Independent administrative controls for all the major functions like IPS,
SSL Inspection etc should be in place. Compromise with any component
either by connecting with it physically or remotely should not impact
other components of the solution
A16
Any compromise including but not limited to data leakage, unauthorised
access of bank's network/data/information due to any flaw/security loop
hole etc of the solution shall attract legal and financial liabilities to the
System Integrator and OEM
A17
The device should have functionality of hardware based fail-open
A18
The device must be capable of dynamically tuning IPS sensors (Like:
selecting rules/signatures, configuring policies, updating policies, etc.)
with minimal human intervention
B
Hardware and Interface Requirements
B1
Each appliance should have at least 8 x 40G and 16 X 10G Mbps RJ45
interface Multimode fiber interfaces. All ports should be populated with
required transceivers. Apart from this, each appliance should have
additional ports for sync, HA and other functionalities.
B2
NIPS should have Console port and USB Port/s
B3
NIPS should have management interface for Out of Band Management
B4
The appliance should have separate dedicated 1xG Ethernet interface for
management console. None of the monitoring ports should be used for
this purpose.
B5
NIPS should be rack mountable and support side rails if required
B6
NIPS should have redundant power supplies (at least dual)
B7
NIPS should have hardware health monitoring capabilities and should
provide different parameters through SNMP
B8
Solution should support VLAN tagging (IEEE 802.1q)
B9
Solution should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B10
Each appliance in the Solution should support and not limited to:
B10.1
NIPS should be deployed in High Availability. It should support stateful
high availability such that state information is shared between the HA
appliance. In case one of the appliances fails state is maintained.
B10.2
Active- Failover: The NIPS must support Stateful Active-Failover
architecture for NIPS and high availability for redundancy without using
any third party or additional software or hardware
B11
Solution should have the capability of holding multiple OS images to
support resilience & easy rollbacks during the version upgrades etc
B12
Centralized Management Solution should provide high availability at site
level for enabling DR deployment
B13
It should be possible to manage the entire solution from Primary &
Secondary management server/appliance placed at DC and DR.
Management solution should have the capability to be deployed in
geographically different location enabling DR deployment
B14
The NIPS system should have adequate local storage in order to keep the
various logs
B15
NIPS should be able to perform entire packet capture of the infected
traffic and sent to the other application for analysis
C
Performance Requirement
C1
NIPS solution should be a purpose built dedicated standalone appliance
and not an integrated firewall or UTM appliance
C2
NIPS systems should be manageable from the centralised management
framework from DC and DR with support for managing MIN 10 NIPS
systems
C3
Each appliance in the Solution should be properly sized for following
given parameters, with all features enabled at the same time:
C 3.1
Handling minimum 60 Gbps stateful inspection (by each firewall) of user
traffic (Incoming 30 Gbps and Outgoing 30 Gbps traffic simultaneously)
and other application Zones (Minimum 10 Application Zones, WAN Zone,
Outside Zone etc) connected using 10/40G interfaces per zone.
C 3.2
The throughput of each appliance should not be less than 60 Gbps for
IMIX (Real World Internet MIX traffic with 64, 512, 1500 byte packets
with TCP, UDP queries and DNS requests) with all services enabled
C 3.3
Running all internet protocols etc, traffic flowing through different zones
in the solution with all the features enabled and running
C 3.4
Solution (each device) should be sized for inspection of SSL traffic of
minimum 50 Gbps
C4
Solution should support minimum 20,000,000 concurrent connections
C5
Solution should support minimum 250,000 new sessions per second
processing
C6
Solution should not impact the application response by adding latency.
Maximum permissible latency of solution should be less than 200
microsecond
D
Features Requirement
D1
Solution should have capability to keep track of the network connections,
identify the threats, detect and prevent the threat and relate the threat
with corresponding end points (IP address, user, software program etc)
D2
In Network forensics context, solution should be providing flow
information details (Netflow, Jflow, Sflow or similar) for a specific host for
given time interval
D3
Solution should be able to get enterprise visibility of internet access like URL
access, Malicious website visits etc.
D4
Solution should be able to get enterprise visibility of internet access malicious server visits, country details
E
Detection and Prevention Requirement
E1
NIPS should support different mode of deployment in following modes:
a) IDS,
b) TAP Mode,
c) Inline
E2
NIPS should accurately detect intrusion attempts and discern between
the various types and risk levels including unauthorized access attempts,
pre-attack probes, suspicious activity, DoS, DDoS, vulnerability
exploitation, hybrids, and zero-day attacks, Worm, Phishing, Spyware,
Virus, Trojan, P2P, VoIP, Backdoor, Reconnaissance, Bandwidth
Hijacking, Cross-site scripting, SQL Injection etc.
E3
NIPS should employ all seven-layer (of OSI model) protocol analysis.
Should support minimum of 100 internet protocols such as but not
limited to IP, DNS, VLAN, IMAP, TCP, RPC, MPLS, SMB, ICMP, HTTP,
FTP, Telnet, SMTP, UDP,E-mail, Script, Syslog, SNMP etc.
E4
NIPS should support more than 23000 high quality vulnerability based
signatures
E5
Should support vulnerability based and not exploit based signatures.
Detects and blocks all known, high risk exploits along with their
underlying vulnerability (not just one exploit of that vulnerability)
E6
Should support a wide variety of techniques to perform traffic inspection
including a) TCP stream reassembly, b) IP defragmentation, c) Bidirectional inspection, d) Protocol Anomaly Detection, e) Protocol
tunneling, f) Signatures g) Behavior anomaly h) Reputation
E7
NIPS should support Quality of Service. The solution should have the
ability to create QoS rules based on protocols, applications such as P2P, IM
etc, IP address and user or user groups
E8
NIPS should have the ability to identify application traversing on the
network so that you can allow or block specific application on the
network. For example, you can block just the connections to Orkut, from
your network while allowing all other HTTP and HTTPS traffic
E9
NIPS should protect against SSL based attacks. NIPS should have built-in
SSL decryption Engine for SSL Traffic decryption to support prevention of
encrypted attacks - which includes attacks over secured http channel
without need to have additional appliances
E10
NIPS should support source reputation based analysis. NIPS should
obtain through the cloud the reputation for each host involved in an attack
and uses the reputation score of the source host as one of the factor for
blocking the host
E11
NIPS should support malware protection by performing file reputation
analysis of malicious files
E12
NIPS should have the ability to scan malware within files such as PDF
using emulation techniques and block only if pdf files with java scripts are
malicious
E13
NIPS should have the ability to inspect traffic in the virtual environment
and if any additional licenses are required to achieve it, should be
provided.
E14
NIPS should do attack recognition inside IPv6 encapsulated packets
E15
NIPS should provide advanced botnet protection using heuristic
detection methods
E16
NIPS should provide advanced botnet protection using multi event
behavior based detection mechanism.
E17
Should protect against DOS/DDOS attacks. Should have "self-learning"
capability to monitor the network traffic and develop a baseline profile. It
should have the ability to constantly update this profile to keep an
updated view of the network
E18
NIPS should support the ability to limit the number of TCP/UDP/ICMP
active connections or connection rate from a host
E19
NIPS should support active blocking of traffic based on pre-defined rules
to thwart attacks before any damage is done, i.e. before compromise
occurs
E20
NIPS should have the ability to control traffic based on geographical
locations. For e.g. a policy can be created to block traffic coming or going
to a particular country
E21
NIPS should have the ability to block connection from outside based on
the reputation of the IP address that is trying to communicate with the
network
E22
Should protect against evasion techniques
E23
Should support a wide range of response actions as:
a) Block traffic,
b) Ignore,
c) TCP reset,
d) Quarantine host,
e) Log traffic,
f) Packet capture,
g) User defined scripts,
h) Email alert,
i) SNMP alert,
j) syslog alert
E24
The device should accurately detect the following Attack categories:
E24.1
Malformed traffic, Invalid Headers
E24.2
Vulnerability exploitation
E24.3
URL obfuscation
E25
The device should employ full seven-layer protocol analysis of over 4000+
internet protocols/applications like HTTP, FTP, SMTP, Facebook, Gmail,
etc.
E26
The device must support vulnerability based and exploit based signatures.
It should detect and block all known high risk exploits and the underlying
vulnerability (not just one exploit of that vulnerability)
E27
Signatures, patches & updates received by the solution from the OEM
should come from trusted sites
E28
The device should handle following traffic inspection & support following:
E28.1
IPv6, IPv4, Tunneled: 4in6, 6in4, 6to4
E28.2
Bi- directional inspection, Detection of Shell Code, Buffer overflows,
Advanced evasion protection
E28.3
Application Anomalies, P2P attacks, TCP segmentation and IP
fragmentation
E28.4
Rate-based threats, Statistical anomalies
E29
The device should have the ability to identify/block individual
applications (eg. Facebook or skype) running on one protocol (eg HTTP or
HTTPs)
E30
IPS should have application intelligence for commonly used TCP/IP
protocols, not limited to telnet, ftp, http, https etc
E31
The device should support blocking attacks based on:
E32
IP reputation, DNS Inspection and Sink-Holing, Geo-location, URL
Inspection / intelligence
E33
The device should have the feature for importing SNORT signatures.
E34
Should support basic attack protection features listed below but not
limited to :
E34.1
Maximum no of protections against attacks that exploit weaknesses in the
TCP/IP protocol suite
E34.2
It should enable rapid detection of network attacks
E34.3
TCP reassembly for fragmented packet protection
E34.4
SYN cookie protection, SYN Flood, Half Open Connections and NUL
Packets etc
E34.5
Protection against IP spoofing
E34.6
Malformed packet protection
E34.7
It should be able to block Instant Messaging like Yahoo, MSN, ICQ, Skype
(SSL and HTTP tunneled) etc
E35
The Solution should provide visibility into how network bandwidth is
consumed to aid in troubleshooting network outages and detecting
Advanced Malware related DoS & DDoS activity from within the network
F
Administration, Management and Logging Functionality
Features Requirement
F1
Solution Real-Time Monitoring, Management & Log Collection (with
storage) should not be distributed to more than ONE server/appliance
F2
A centralized monitoring and management system with multiple
administrators who have administrative rights based on their roles,
should provide Audit Trail of the Changes etc
F3
Secondary (SLAVE) Management Server should support the MASTER role
once the Disaster recovery is triggered for any or multiple management
domains in the Management Server
F4
Solution should be able to support large scale WAN deployment with
following important Criteria for Real-Time Monitoring, Management &
Log Collection etc
F4.1
Implementation team has to migrate existing policies and create policies
as per Bank's IT & IS.
F4.2
To ensure business continuity all the solutions/hardware proposed should
be in HA
F5
Any changes or commands issued by an authenticated user should be
logged to a database of the management system
F6
Any changes or commands issued by an authenticated user should be
logged to a database of the management system
F7
It should support SNMP (Simple Network Management Protocol) v 2.0
and v 3.0 and NTP V.4 with all new versions of present and future release
F8
IPS must send mail or SNMP traps to Network Management Servers
(NMS) in response to system failures or threshold violations of the health
attributes.
F9
Centralized management Appliance should support SAN or NAS etc
F10
The IPS must provide simplified provisioning for addition of new IPSs
where by a standard IPS policy could be pushed into the new IPS
F11
The IPS administration station must provide a means for exporting the
IPS rules set and configuration
F12
NIPS Management console should be capable of producing extensive
graphics metric for analysis. Further, users should be able to drill down
into these graphical reports to view pertinent details.
F13
Support for role based administration of IPS
F14
NIPS should support granular management. Should allow policy to be
assigned per device, port, VLAN tag, IP address/range
F15
NIPS should operate effectively and protect against high risk, high impact
malicious traffic via default out of box policy configuration, should be able
to block attacks by default.
F16
The IPS administration software must provide a means of viewing,
filtering and managing the log data
F17
The IPS logs must contain information about the IPS policy rule that
triggered the log
F18
Should support to enable/disable each individual signature. Each
signature should allow granular tuning
F19
Centralized Security Management should include for all the proposed
security controls but not limited to:
F19.1
Real Time Security Monitoring
F19.2
Logging
F19.3
Reporting functions based on 1. Security event risk level, 2. Date/time, 3.
Event name 4. Source IP 5. Destination IP 6. Response Taken 7. Sensor
Identity 8. Severity, etc
F20
The solution must provide a minimum basic statistics about the health of
the IPS and the amount of traffic traversing the IPS
F21
Solution should support configuration rollback
F22
Solution should support Real time traffic statistics & Historical report
with
F22.1
Attacks and threat reports, etc.
F22.2
Customized reports on HTML, CSV and PDF format etc
F23
Solution Audit Trail should contain at a minimum:
F23.1
The name of the administrator making the change
F23.2
The change made
F23.3
Time of change made
F24
Management system should provide detailed Event analysis for IPS and
also should provide Syslog output to integrate with other major SIEM
tools and specifically should support RSA SIEM tool current and future
versions
F25
Solution should support real time analysis of all traffic the IPS may
encounter (all possible SOURCE, DEST, SERVICE, including groups) etc
F26
Provide geographic distribution of data collection from devices, processed
locally, compressed and then transferred to the central manager
F27
Solution should manage the NIPS appliances from a central management
console
F28
Management platform supports policy configuration, command, control,
and event management functions for the NIPS appliances
F29
Management console should support Radius and LDAP authentication in
addition to the local user authentication
F30
Management console should have the ability to allow access to specific
hosts by enabling GUI Access and defining the list of authorized
hosts/networks
G
Licensing Requirements
G1
Solution should have enterprise license without any restrictions. If during
the contract, solution is not performing as per specifications in this RFP,
bidder has to upgrade/enhance the devices or place additional devices and
reconfigure the system without any cost to bank
Solution and its various components like Firewall, IPS, VPN etc should
not have any licensing restriction on number of users, number of vlan,
zones, number of policies, number of appliances, other network
parameters, number of equipments / servers etc.
G2
Solution should be able to achieve all the features and functionalities
mentioned in the RFP and accordingly, all the required licenses should be
provided as part of solution.
Further, if vendor is proposing a higher end device (having more capacity
than asked in this RFP) then there should not be any restriction to use
additional features, capacity, throughput etc. Vendor has to mention the
additional capacity in the solution document.
G3
The offered product part codes have to be General Availability Part codes
and not custom built Part Code for SBI. There should be cross reference to
the public website of the OEM
G4
Any third party product required to achieve the functionality should be
provided with the necessary enterprise version license of
software/appliance and necessary hardware, database and other relevant
software or hardware etc should be provided with the solution
Extranet Intrusion Prevention System (NIPS) Specification
TABLE 29
Quantity: 2 Nos
Serial
No.
Technical Specification
A
Solution Requirement
A1
Make and Model number of the proposed solution
A2
Attach solution document containing with detailed bill of material. It
should contain OEM name, model, version, date of release, date of
release of next version, end of sale & support date, application/product
development path, etc. for each component
A3
Proposed solution framework should be scalable to support large scale
deployment and reduce the time and effort to deploy the entire set up.
Bidder should clearly illustrate various tools and methodologies used to
achieve the same
A4
Please submit a list of all features provided by proposed solution in
addition to the specifications mentioned in this document that will be
available to the bank without any additional charges and will be under
support. These features will be treated at par with other features
mentioned in the RFP
A5
Solution should propose built and provide Intrusion Prevention
System, SSL Inspection, Anti Malware, Anti BOT, Application control
capabilities
A6
IPS should have Recommended rating and certified by Group tests of
NSS for NIPS or EAL4 certified
A7
The communication between all the components of solution (IPS
module, logging & policy and Web GUI Console) should be encrypted
with SSL or PKI
Compliance(Y/N)
A8
Management of the entire solution including real-time monitoring,
event logs collection, policy enforcement etc should be from a single
device only (mgt server/appliance), however solution should have
management devices at two locations
A9
Solution should provide stateful failover among devices for all
components and should be completely automatic without any sort of
manual intervention
A10
Solution Should provide protection against various types of cyber
attacks evasive attacks, scripting attacks etc
A12
Solution should have capability to store Logs and configuration of all
devices, centrally in the solution and should also have capability to send
logs of all devices to the generic central log collection servers
A13
Solution should be IPV6 ready. It should have IPV6 ready logo or
similar certification from any other reputed third party. No extra cost
will be borne by bank for IPV6 implementation
Solution should be IPv6 ready. No extra cost will be borne by bank for
IPV6 implementation
A14
Solution must support the complete STACK of IP V4 and IP V6 services
A15
Independent administrative controls for all the major functions like
IPS, SSL Inspection etc should be in place. Compromise with any
component either by connecting with it physically or remotely should
not impact other components of the solution
A16
Any compromise including but not limited to data leakage,
unauthorised access of bank's network/data/information due to any
flaw/security loop hole etc of the solution shall attract legal and
financial liabilities to the System Integrator and OEM
A17
The device should have functionality of hardware based fail-open
A18
The device must be capable of dynamically tuning IPS sensors (Like:
selecting rules/signatures, configuring policies, updating policies, etc.)
with minimal human intervention
B
Hardware and Interface Requirements
B1
Each appliance should have at least 16 x 10/100/1000 Mbps RJ45
Ethernet interfaces and 16 x 10GbE Multimode fiber interfaces. All ports
should be populated with required transceivers. Apart from this, each
appliance should have additional ports for sync, HA and other
functionalities.
B2
NIPS should have Console port and USB Port/s
B3
NIPS should have management interface for Out of Band Management
B4
The appliance should have separate dedicated 1xG Ethernet interface
for management console. None of the monitoring ports should be used
for this purpose.
B5
NIPS should be rack mountable and support side rails if required
B6
NIPS should have redundant power supplies (at least dual)
B7
NIPS should have hardware health monitoring capabilities and should
provide different parameters through SNMP
B8
Solution should support VLAN tagging (IEEE 802.1q)
B9
Solution should support IEEE Link Aggregation and Ethernet Bonding
functionality to group multiple ports for redundancy
B10
Each appliance in the Solution should support and not limited to:
B10.1
NIPS should be deployed in High Availability. It should support stateful
high availability such that state information is shared between the HA
appliance. In case one of the appliances fails state is maintained.
B10.2
Active- Failover: The NIPS must support Stateful Active-Failover
architecture for NIPS and high availability for redundancy without
using any third party or additional software or hardware
B11
Solution should have the capability of holding multiple OS images to
support resilience & easy rollbacks during the version upgrades etc
B12
Centralized Management Solution should provide high availability at
site level for enabling DR deployment
B13
It should be possible to manage the entire solution from Primary &
Secondary management server/appliance placed at DC and DR.
Management solution should have the capability to be deployed in
geographically different location enabling DR deployment
B14
The NIPS system should have adequate local storage in order to keep
the various logs
B15
NIPS should be able to perform entire packet capture of the infected
traffic and sent to the other application for analysis
C
Performance Requirement
C1
NIPS solution should be a purpose built dedicated standalone appliance
and not an integrated firewall or UTM appliance
C2
NIPS systems should be manageable from the centralised management
framework from DC and DR with support for managing MIN 10 NIPS
systems
C3
Each appliance in the Solution should be properly sized for following
given parameters, with all features enabled at the same time:
C 3.1
Handling minimum 10 Gbps (by each firewall) of user traffic (Incoming
5 Gbps and Outgoing 5 Gbps traffic simultaneously) and other
application Zones (Minimum 10 Application Zones, WAN Zone,
Outside Zone etc) connected using 10G & 1G interfaces per zone.
C 3.2
The throughput of each appliance should not be less than 10 Gbps
for IMIX (Real World Internet MIX traffic with 64, 512, 1500 byte
packets with TCP, UDP queries and DNS requests) with all services
enabled
C 3.3
Running all internet protocols etc, traffic flowing through different
zones in the solution with all the features enabled and running
C 3.4
Solution (each device) should be sized for inspection of SSL traffic of
minimum 10 Gbps
C4
Solution should support minimum 20,00,000 concurrent connections
C5
Solution should support minimum 125,000 new sessions per second
processing
C6
Solution should not impact the application response by adding latency.
Maximum permissible latency of solution should be less than 5
microseconds
D
Features Requirement
D1
Solution should have capability to keep track of the network connections,
identify the threats, detect and prevent the threat and relate the threat
with corresponding end points (IP address, user, software program etc.)
D2
In Network forensics context, solution should be providing flow
information details (Netflow, Jflow, Sflow or similar) for a specific host
for given time interval
D3
Solution should be able to get enterprise visibility of internet access like
URL access, Malicious website visits etc.
D4
Solution should be able to get enterprise visibility of internet access malicious server visits, country details
E
Detection and Prevention Requirement
E1
NIPS should support the following modes of deployment:
a) IDS,
b) TAP Mode,
c) Inline
E2
NIPS should accurately detect intrusion attempts and discern
between the various types and risk levels including unauthorized access
attempts, pre-attack probes, suspicious activity, DoS, DDoS,
vulnerability exploitation, hybrids, and zero-day attacks, Worm,
Phishing, Spyware, Virus, Trojan, P2P, VoIP, Backdoor,
Reconnaissance, Bandwidth Hijacking, Cross-site scripting, SQL
Injection etc.
E3
NIPS should employ all seven-layer (of OSI model) protocol analysis.
Should support minimum of 100 internet protocols such as but not
limited to IP, DNS, VLAN, IMAP, TCP, RPC, MPLS, SMB, ICMP, HTTP,
FTP, Telnet, SMTP, UDP, E-mail, Script, Syslog, SNMP etc.
E4
NIPS should support more than 23000 high quality vulnerability based
signatures
E5
Should support vulnerability based and not exploit based signatures.
Detects and blocks all known, high risk exploits along with their
underlying vulnerability (not just one exploit of that vulnerability)
E6
Should support a wide variety of techniques to perform traffic
inspection including a) TCP stream reassembly, b) IP
defragmentation, c) Bi-directional inspection, d) Protocol Anomaly
Detection, e) Protocol tunneling, f) Signatures, g) Behavior anomaly, h)
Reputation
E7
NIPS should support Quality of Service. The solution should have the
ability to create QoS rules based on protocols, applications such as
P2P, IM etc, IP address and user or user groups
E8
NIPS should have the ability to identify applications traversing the
network so that you can allow or block specific applications on the
network. For example, you can block just the connections to Orkut,
from your network while allowing all other HTTP and HTTPS traffic
E9
NIPS should protect against SSL based attacks. NIPS should have
built-in SSL decryption Engine for SSL Traffic decryption to support
prevention of encrypted attacks - which includes attacks over secured
http channel without need to have additional appliances
E10
NIPS should support source reputation based analysis. NIPS should
obtain through the cloud the reputation for each host involved in an
attack and use the reputation score of the source host as one of the
factors for blocking the host
E11
NIPS should support malware protection by performing file reputation
analysis of malicious files
E12
NIPS should have the ability to scan malware within files such as PDF
using emulation techniques and block only if PDF files with JavaScript
are malicious
E13
NIPS should have the ability to inspect traffic in the virtual
environment and if any additional licenses are required to achieve it,
should be provided.
E14
NIPS should do attack recognition inside IPv6 encapsulated packets
E15
NIPS should provide advanced botnet protection using
heuristic detection methods
E16
NIPS should provide advanced botnet protection using multi event
behavior based detection mechanism.
E17
Should protect against DOS/DDOS attacks. Should have "self-learning"
capability to monitor the network traffic and develop a baseline profile.
It should have the ability to constantly update this profile to keep an
updated view of the network
E18
NIPS should support the ability to limit the number of TCP/UDP/ICMP
active connections or connection rate from a host
E19
NIPS should support active blocking of traffic based on pre-defined
rules to thwart attacks before any damage is done, i.e. before
compromise occurs
E20
NIPS should have the ability to control traffic based on geographical
locations. For example, a policy can be created to block traffic coming from or
going to a particular country
E21
NIPS should have the ability to block connection from outside based on
the reputation of the IP address that is trying to communicate with the
network
E22
Should protect against evasion techniques
E23
Should support a wide range of response actions such as:
a) Block traffic,
b) Ignore,
c) TCP reset,
d) Quarantine host,
e) Log traffic,
f) Packet capture,
g) User defined scripts,
h) Email alert,
i) SNMP alert,
j) syslog alert
E24
The device should accurately detect the following Attack categories:
E24.1
Malformed traffic, Invalid Headers
E24.2
Vulnerability exploitation
E24.3
URL obfuscation
E25
The device should employ full seven-layer protocol analysis of over
4000+ internet protocols/applications like HTTP, FTP, SMTP,
Facebook, Gmail, etc.
E26
The device must support vulnerability based and exploit based
signatures. It should detect and block all known high risk exploits and
the underlying vulnerability (not just one exploit of that vulnerability)
E27
Solution should get Signatures; Patches & updates being received from
OEM should be from trusted sites
E28
The device should handle following traffic inspection & support
following:
E28.1
IPv6, IPv4, Tunneled: 4in6, 6in4, 6to4
E28.2
Bi-directional inspection, Detection of Shell Code, Buffer overflows,
Advanced evasion protection
E28.3
Application Anomalies, P2P attacks, TCP segmentation and IP
fragmentation
E28.4
Rate-based threats, Statistical anomalies
E29
The device should have the ability to identify/block individual
applications (eg. Facebook or skype) running on one protocol (eg HTTP
or HTTPs)
E30
IPS should have application intelligence for commonly used TCP/IP
protocols, not limited to telnet, ftp, http, https etc
E31
The device should support blocking attacks based on:
E32
IP reputation, DNS Inspection and Sink-Holing, Geo-location, URL
Inspection / intelligence
E33
The device should have the feature for importing SNORT signatures.
E34
Should support basic attack protection features listed below but not
limited to :
E34.1
Maximum no of protections against attacks that exploit weaknesses in
the TCP/IP protocol suite
E34.2
It should enable rapid detection of network attacks
E34.3
TCP reassembly for fragmented packet protection
E34.4
SYN cookie protection, SYN Flood, Half Open Connections and NUL
Packets etc
E34.5
Protection against IP spoofing
E34.6
Malformed packet protection
E34.7
It should be able to block Instant Messaging like Yahoo, MSN, ICQ,
Skype (SSL and HTTP tunneled) etc
E35
The Solution should provide visibility into how network bandwidth is
consumed to aid in troubleshooting network outages and detecting
Advanced Malware related DoS & DDoS activity from within the
network
F
Administration, Management and Logging Functionality
Features Requirement
F1
Solution Real-Time Monitoring, Management & Log Collection (with
storage) should not be distributed to more than ONE server/appliance
F2
A centralized monitoring and management system with multiple
administrators who have administrative rights based on their roles,
should provide Audit Trail of the Changes etc
F3
Secondary (SLAVE) Management Server should support the MASTER
role once the Disaster recovery is triggered for any or multiple
management domains in the Management Server
F4
Solution should be able to support large scale WAN deployment with
following important Criteria for Real-Time Monitoring, Management &
Log Collection etc
F4.1
Implementation team has to migrate existing policies and create
policies as per Bank's IT & IS.
F4.2
To ensure business continuity all the solutions/hardware proposed
should be in HA
F5
Any changes or commands issued by an authenticated user should be
logged to a database of the management system
F6
Any changes or commands issued by an authenticated user should be
logged to a database of the management system
F7
It should support SNMP (Simple Network Management Protocol) v 2.0
and v 3.0 and NTP V.4 with all new versions of present and future
release
F8
IPS must send mail or SNMP traps to Network Management Servers
(NMS) in response to system failures or threshold violations of the
health attributes.
F9
Centralized management Appliance should support SAN or NAS etc
F10
The IPS must provide simplified provisioning for addition of new IPSs
whereby a standard IPS policy could be pushed into the new IPS
F11
The IPS administration station must provide a means for exporting the
IPS rules set and configuration
F12
NIPS Management console should be capable of producing extensive
graphics metric for analysis. Further, users should be able to drill down
into these graphical reports to view pertinent details.
F13
Support for role based administration of IPS
F14
NIPS should support granular management. Should allow policy to be
assigned per device, port, VLAN tag, IP address/range
F15
NIPS should operate effectively and protect against high risk, high
impact malicious traffic via default out of box policy configuration,
should be able to block attacks by default.
F16
The IPS administration software must provide a means of viewing,
filtering and managing the log data
F17
The IPS logs must contain information about the IPS policy rule that
triggered the log
F18
Should support to enable/disable each individual signature. Each
signature should allow granular tuning
F19
Centralized Security Management should include for all the proposed
security controls but not limited to:
F19.1
Real Time Security Monitoring
F19.2
Logging
F19.3
Reporting functions based on 1. Security event risk level, 2. Date/time,
3. Event name 4. Source IP 5. Destination IP 6. Response Taken 7.
Sensor Identity 8. Severity, etc
F20
The solution must provide a minimum basic statistics about the health
of the IPS and the amount of traffic traversing the IPS
F21
Solution should support configuration rollback
F22
Solution should support Real time traffic statistics & Historical report
with
F22.1
Attacks and threat reports, etc.
F22.2
Customized reports on HTML, CSV and PDF format etc
F23
Solution Audit Trail should contain at a minimum:
F23.1
The name of the administrator making the change
F23.2
The change made
F23.3
Time of change made
F24
Management system should provide detailed Event analysis for IPS and
also should provide Syslog output to integrate with other major SIEM
tools and specifically should support RSA SIEM tool current and future
versions
F25
Solution should support real time analysis of all traffic the IPS may
encounter (all possible SOURCE, DEST, SERVICE, including groups)
etc
F26
Provide geographic distribution of data collection from devices,
processed locally, compressed and then transferred to the central
manager
F27
Solution should manage the NIPS appliances from a central
management console
F28
Management platform supports policy configuration, command,
control, and event management functions for the NIPS appliances
F29
Management console should support Radius and LDAP authentication
in addition to the local user authentication
F30
Management console should have the ability to allow access to specific
hosts by enabling GUI Access and defining the list of authorized
hosts/networks
G
Licensing Requirements
G1
Solution should have enterprise license without any restrictions. If
during the contract, solution is not performing as per specifications in
this RFP, bidder has to upgrade/enhance the devices or place additional
devices and reconfigure the system without any cost to bank
Solution and its various components like Firewall, IPS, VPN etc should
not have any licensing restriction on number of users, number of vlan,
zones, number of policies, number of appliances, other network
parameters, number of equipments / servers etc.
Solution should be able to achieve all the features and functionalities
mentioned in the RFP and accordingly, all the required licenses should
be provided as part of solution.
G2
Further, if vendor is proposing a higher end device (having more
capacity than asked in this RFP) then there should not be any
restriction to use additional features, capacity, throughput etc. Vendor
has to mention the additional capacity in the solution document.
G3
The offered product part codes have to be General Availability Part
codes and not custom built Part Code for SBI. There should be cross
reference to the public website of the OEM
G4
Any third party product required to achieve the functionality should be
provided with the necessary enterprise version license of
software/appliance and necessary hardware, database and other
relevant software or hardware etc should be provided with the solution
OOB Network Intrusion Prevention System (NIPS) Specification
TABLE 30
Quantity: 2 Nos
Serial No.
Technical Specification
Compliance(Y/N)
A
Solution Requirement
A1
Make and Model number of the proposed solution
A2
Attach solution document containing detailed bill of material. It
should contain OEM name, model, version, date of release, date of
release of next version, end of sale & support date,
application/product development path, etc. for each component
A3
Proposed solution framework should be scalable to support large
scale deployment and reduce the time and effort to deploy the entire
set up. Bidder should clearly illustrate various tools and
methodologies used to achieve the same
A4
Please submit a list of all features provided by proposed solution in
addition to the specifications mentioned in this document that will
be available to the bank without any additional charges and will be
under support. These features will be treated at par with other
features mentioned in the RFP
A5
Solution should propose built and provide Intrusion Prevention
System, SSL Inspection, Anti Malware, Anti BOT, Application
control capabilities
A6
IPS should have Recommended rating and certified by Group tests
of NSS for NIPS or EAL4 certified
A7
The communication between all the components of solution (IPS
module, logging & policy and Web GUI Console) should be
encrypted with SSL or PKI
A8
Management of the entire solution including real-time monitoring,
event logs collection, policy enforcement etc should be from a single
device only (mgt server/appliance), however solution should have
management devices at two locations
A9
Solution should provide stateful failover among devices for all
components and should be completely automatic without any sort of
manual intervention
A10
Solution should provide protection against various types of cyber
attacks, evasive attacks, scripting attacks etc
A12
Solution should have capability to store Logs and configuration of all
devices, centrally in the solution and should also have capability to
send logs of all devices to the generic central log collection servers
A13
Solution should be IPV6 ready. It should have IPV6 ready logo or
similar certification from any other reputed third party. No extra
cost will be borne by bank for IPV6 implementation
Solution should be IPv6 ready. No extra cost will be borne by bank
for IPV6 implementation
A14
Solution must support the complete STACK of IP V4 and IP V6
services
A15
Independent administrative controls for all the major functions like
IPS, SSL Inspection etc should be in place. Compromise with any
component either by connecting with it physically or remotely
should not impact other components of the solution
A16
Any compromise including but not limited to data leakage,
unauthorised access of bank's network/data/information due to any
flaw/security loop hole etc of the solution shall attract legal and
financial liabilities to the System Integrator and OEM
A17
The device should have functionality of hardware based fail-open
A18
The device must be capable of dynamically tuning IPS sensors (Like:
selecting rules/signatures, configuring policies, updating policies,
etc.) with minimal human intervention
B
Hardware and Interface Requirements
B1
Each appliance should have at least 16 x 10/100/1000 Mbps RJ45
ethernet interfaces and 16 x 10GbE Multimode fiber interfaces. All
ports should be populated with required transceivers. Apart from
this, each appliance should have additional ports for sync, HA and
other functionalities.
B2
NIPS should have Console port and USB Port/s
B3
NIPS should have management interface for Out of Band
Management
B4
The appliance should have separate dedicated 1xG Ethernet
interface for management console. None of the monitoring ports
should be used for this purpose.
B5
NIPS should be rack mountable and support side rails if required
B6
NIPS should have redundant power supplies (at least dual)
B7
NIPS should have hardware health monitoring capabilities and
should provide different parameters through SNMP
B8
Solution should support VLAN tagging (IEEE 802.1q)
B9
Solution should support IEEE Link Aggregation and Ethernet
Bonding functionality to group multiple ports for redundancy
B10
Each appliance in the Solution should support and not limited to:
B10.1
NIPS should be deployed in High Availability. It should support
stateful high availability such that state information is shared
between the HA appliances. In case one of the appliances fails, state is
maintained.
B10.2
Active- Failover: The NIPS must support Stateful Active-Failover
architecture for NIPS and high availability for redundancy without
using any third party or additional software or hardware
B11
Solution should have the capability of holding multiple OS images to
support resilience & easy rollbacks during the version upgrades etc
B12
Centralized Management Solution should provide high availability at
site level for enabling DR deployment
B13
It should be possible to manage the entire solution from Primary &
Secondary management server/appliance placed at DC and DR.
Management solution should have the capability to be deployed in
geographically different location enabling DR deployment
B14
The NIPS system should have adequate local storage in order to
keep the various logs
B15
NIPS should be able to perform entire packet capture of the infected
traffic and send it to the other application for analysis
C
Performance Requirement
C1
NIPS solution should be a purpose built dedicated standalone
appliance and not an integrated firewall or UTM appliance
C2
NIPS systems should be manageable from the centralised
management framework from DC and DR with support for
managing MIN 10 NIPS systems
C3
Each appliance in the Solution should be properly sized for following
given parameters, with all features enabled at the same time:
C 3.1
Handling minimum 10 Gbps (by each firewall) of user traffic
(Incoming 5 Gbps and Outgoing 5 Gbps traffic simultaneously) and
other application Zones (Minimum 10 Application Zones, WAN
Zone, Outside Zone etc) connected using 10G & 1G interfaces per
zone.
C 3.2
The throughput of each appliance should not be less than 10 Gbps
for IMIX (Real World Internet MIX traffic with 64, 512, 1500 byte
packets with TCP, UDP queries and DNS requests) with all services
enabled
C 3.3
Running all internet protocols etc, traffic flowing through different
zones in the solution with all the features enabled and running
C 3.4
Solution (each device) should be sized for inspection of SSL traffic of
minimum 10 Gbps
C4
Solution should support minimum 20,00,000 concurrent
connections
C5
Solution should support minimum 125,000 new sessions per second
processing
C6
Solution should not impact the application response by adding
latency. Maximum permissible latency of solution should be less
than 5 microseconds
D
Features Requirement
D1
Solution should have capability to keep track of the network
connections, identify the threats, detect and prevent the threat and
relate the threat with corresponding end points (IP address, user,
software program etc.)
D2
In Network forensics context, solution should be providing flow
information details (Netflow, Jflow, Sflow or similar) for a specific
host for given time interval
D3
Solution should be able to get enterprise visibility of internet access like
URL access, Malicious website visits etc.
D4
Solution should be able to get enterprise visibility of internet access malicious server visits, country details
E
Detection and Prevention Requirement
E1
NIPS should support the following modes of deployment:
a) IDS,
b) TAP Mode,
c) Inline
E2
NIPS should accurately detect intrusion attempts and discern
between the various types and risk levels including unauthorized
access attempts, pre-attack probes, suspicious activity, DoS, DDoS,
vulnerability exploitation, hybrids, and zero-day attacks, Worm,
Phishing, Spyware, Virus, Trojan, P2P, VoIP, Backdoor,
Reconnaissance, Bandwidth Hijacking, Cross-site scripting, SQL
Injection etc.
E3
NIPS should employ all seven-layer (of OSI model) protocol
analysis. Should support minimum of 100 internet protocols such as
but not limited to IP, DNS, VLAN, IMAP, TCP, RPC, MPLS, SMB,
ICMP, HTTP, FTP, Telnet, SMTP, UDP, E-mail, Script, Syslog,
SNMP etc.
E4
NIPS should support more than 23000 high quality vulnerability
based signatures
E5
Should support vulnerability based and not exploit based signatures.
Detects and blocks all known, high risk exploits along with their
underlying vulnerability (not just one exploit of that vulnerability)
E6
Should support a wide variety of techniques to perform traffic
inspection including a) TCP stream reassembly, b) IP
defragmentation, c) Bi-directional inspection, d) Protocol Anomaly
Detection, e) Protocol tunneling, f) Signatures, g) Behavior anomaly,
h) Reputation
E7
NIPS should support Quality of Service. The solution should have
the ability to create QoS rules based on protocols, applications such
as P2P, IM etc, IP address and user or user groups
E8
NIPS should have the ability to identify applications traversing the
network so that you can allow or block specific applications on the
network. For example, you can block just the connections to Orkut,
from your network while allowing all other HTTP and HTTPS traffic
E9
NIPS should protect against SSL based attacks. NIPS should have
built-in SSL decryption Engine for SSL Traffic decryption to support
prevention of encrypted attacks - which includes attacks over
secured http channel without need to have additional appliances
E10
NIPS should support source reputation based analysis. NIPS should
obtain through the cloud the reputation for each host involved in an
attack and use the reputation score of the source host as one of the
factors for blocking the host
E11
NIPS should support malware protection by performing file
reputation analysis of malicious files
E12
NIPS should have the ability to scan malware within files such as
PDF using emulation techniques and block only if PDF files with
JavaScript are malicious
E13
NIPS should have the ability to inspect traffic in the virtual
environment and if any additional licenses are required to achieve it,
should be provided.
E14
NIPS should do attack recognition inside IPv6 encapsulated packets
E15
NIPS should provide advanced botnet protection using
heuristic detection methods
E16
NIPS should provide advanced botnet protection using multi event
behavior based detection mechanism.
E17
Should protect against DOS/DDOS attacks. Should have "self-learning"
capability to monitor the network traffic and develop a
baseline profile. It should have the ability to constantly update this
profile to keep an updated view of the network
E18
NIPS should support the ability to limit the number of
TCP/UDP/ICMP active connections or connection rate from a host
E19
NIPS should support active blocking of traffic based on pre-defined
rules to thwart attacks before any damage is done, i.e. before
compromise occurs
E20
NIPS should have the ability to control traffic based on geographical
locations. For example, a policy can be created to block traffic coming from or
going to a particular country
E21
NIPS should have the ability to block connection from outside based
on the reputation of the IP address that is trying to communicate
with the network
E22
Should protect against evasion techniques
E23
Should support a wide range of response actions such as:
a) Block traffic,
b) Ignore,
c) TCP reset,
d) Quarantine host,
e) Log traffic,
f) Packet capture,
g) User defined scripts,
h) Email alert,
i) SNMP alert,
j) syslog alert
E24
The device should accurately detect the following Attack categories:
E24.1
Malformed traffic, Invalid Headers
E24.2
Vulnerability exploitation
E24.3
URL obfuscation
E25
The device should employ full seven-layer protocol analysis of over
4000+ internet protocols/applications like HTTP, FTP, SMTP,
Facebook, Gmail, etc.
E26
The device must support vulnerability based and exploit based
signatures. It should detect and block all known high risk exploits
and the underlying vulnerability (not just one exploit of that
vulnerability)
E27
Solution should get Signatures; Patches & updates being received
from OEM should be from trusted sites
E28
The device should handle following traffic inspection & support
following:
E28.1
IPv6, IPv4, Tunneled: 4in6, 6in4, 6to4
E28.2
Bi-directional inspection, Detection of Shell Code, Buffer overflows,
Advanced evasion protection
E28.3
Application Anomalies, P2P attacks, TCP segmentation and IP
fragmentation
E28.4
Rate-based threats, Statistical anomalies
E29
The device should have the ability to identify/block individual
applications (eg. Facebook or skype) running on one protocol (eg
HTTP or HTTPs)
E30
IPS should have application intelligence for commonly used TCP/IP
protocols, not limited to telnet, ftp, http, https etc
E31
The device should support blocking attacks based on:
E32
IP reputation, DNS Inspection and Sink-Holing, Geo-location, URL
Inspection / intelligence
E33
The device should have the feature for importing SNORT signatures.
E34
Should support basic attack protection features listed below but not
limited to :
E34.1
Maximum no of protections against attacks that exploit weaknesses
in the TCP/IP protocol suite
E34.2
It should enable rapid detection of network attacks
E34.3
TCP reassembly for fragmented packet protection
E34.4
SYN cookie protection, SYN Flood, Half Open Connections and
NUL Packets etc
E34.5
Protection against IP spoofing
E34.6
Malformed packet protection
E34.7
It should be able to block Instant Messaging like Yahoo, MSN, ICQ,
Skype (SSL and HTTP tunneled) etc
E35
The Solution should provide visibility into how network bandwidth
is consumed to aid in troubleshooting network outages and
detecting Advanced Malware related DoS & DDoS activity from
within the network
F
Administration, Management and Logging Functionality
Features Requirement
F1
Solution Real-Time Monitoring, Management & Log Collection (with
storage) should not be distributed to more than ONE
server/appliance
F2
A centralized monitoring and management system with multiple
administrators who have administrative rights based on their roles,
should provide Audit Trail of the Changes etc
F3
Secondary (SLAVE) Management Server should support the
MASTER role once the Disaster recovery is triggered for any or
multiple management domains in the Management Server
F4
Solution should be able to support large scale WAN deployment with
following important Criteria for Real-Time Monitoring,
Management & Log Collection etc
F4.1
Implementation team has to migrate existing policies and create
policies as per Bank's IT & IS.
F4.2
To ensure business continuity all the solutions/hardware proposed
should be in HA
F5
Any changes or commands issued by an authenticated user should
be logged to a database of the management system
F6
Any changes or commands issued by an authenticated user should
be logged to a database of the management system
F7
It should support SNMP (Simple Network Management Protocol) v
2.0 and v 3.0 and NTP V.4 with all new versions of present and
future release
F8
IPS must send mail or SNMP traps to Network Management Servers
(NMS) in response to system failures or threshold violations of the
health attributes.
F9
Centralized management Appliance should support SAN or NAS etc
F10
The IPS must provide simplified provisioning for addition of new
IPSs whereby a standard IPS policy could be pushed into the new
IPS
F11
The IPS administration station must provide a means for exporting
the IPS rules set and configuration
F12
NIPS Management console should be capable of producing extensive
graphics metric for analysis. Further, users should be able to drill
down into these graphical reports to view pertinent details.
F13
Support for role based administration of IPS
F14
NIPS should support granular management. Should allow policy to
be assigned per device, port, VLAN tag, IP address/range
F15
NIPS should operate effectively and protect against high risk, high
impact malicious traffic via default out of box policy configuration,
should be able to block attacks by default.
F16
The IPS administration software must provide a means of viewing,
filtering and managing the log data
F17
The IPS logs must contain information about the IPS policy rule that
triggered the log
F18
Should support to enable/disable each individual signature. Each
signature should allow granular tuning
F19
Centralized Security Management should include for all the
proposed security controls but not limited to:
F19.1
Real Time Security Monitoring
F19.2
Logging
F19.3
Reporting functions based on 1. Security event risk level, 2.
Date/time, 3. Event name 4. Source IP 5. Destination IP 6. Response
Taken 7. Sensor Identity 8. Severity, etc
F20
The solution must provide a minimum basic statistics about the
health of the IPS and the amount of traffic traversing the IPS
F21
Solution should support for configuration rollback
F22
Solution should support Real time traffic statistics & Historical
report with
F22.1
Attacks and threat reports, etc.
F22.2
Customized reports on HTML, CSV and PDF format etc
F23
Solution Audit Trail should contain at a minimum:
F23.1
The name of the administrator making the change
F23.2
The change made
F23.3
Time of change made
F24
Management system should provide detailed Event analysis for IPS
and also should provide Syslog output to integrate with other major
SIEM tools and specifically should support RSA SIEM tool current
and future versions
F25
Solution should support for real time analysis of all traffic the IPS
may encounter (all possible SOURCE, DEST, SERVICE, including
groups) etc
F26
Provide geographic distribution of data collection from devices,
processed locally, compressed and then transferred to the central
manager
F27
Solution should manage the NIPS appliances from a central
management console
F28
Management platform supports policy configuration, command,
control, and event management functions for the NIPS appliances
F29
Management console should support Radius and LDAP
authentication in addition to the local user authentication
F30
Management console should have the ability to allow access to
specific hosts by enabling GUI Access and defining the list of
authorized hosts/networks
G
Licensing Requirements
G1
Solution should have enterprise license without any restrictions. If
during the contract, solution is not performing as per specifications
in this RFP, bidder has to upgrade/enhance the devices or place
additional devices and reconfigure the system without any cost to
bank
G2
Solution and its various components like Firewall, IPS, VPN etc
should not have any licensing restriction on number of users,
number of vlan, zones, number of policies, number of appliances,
other network parameters, number of equipments / servers etc.
Solution should be able to achieve all the features and
functionalities mentioned in the RFP and accordingly, all the
required licenses should be provided as part of solution.
Further, if vendor is proposing a higher end device (having more
capacity than asked in this RFP) then there should not be any
restriction to use additional features, capacity, throughput etc.
Vendor has to mention the additional capacity in the solution
document.
G3
The offered product part codes have to be General Availability Part
codes and not custom built Part Code for SBI. There should be cross
reference to the public website of the OEM
G4
Any third party product required to achieve the functionality should
be provided with the necessary enterprise version license of
software/appliance and necessary hardware, database and other
relevant software or hardware etc should be provided with the
solution
IPSEC VPN Load Balancer Specification TABLE 31
Quantity: minimum 2
Compliance(Y/N)
A
Architecture
A.1
Should have multiprocessing capabilities and functionalities
A.2
Should have a dedicated always on (AOM) out of band management port
A.3
Should have full support for IPv6. It should support all IPv6 scenarios:
a. IPv4 on the inside and IPv6 on the outside
b. IPv6 on the inside and IPv4 on the outside
c. IPv6 on the inside and outside
A.4
Should support min 5 instances with resource allocation capabilities,
which also supports overlapping of IP addresses without any conflict.
A.5
Should support VLAN, LACP & Trunking
A.6
Should support 4096 VLANs
A.7
Should also support Jumbo Frames
A.8
Should support Static and Advanced Routing Protocols (RIP V.2, OSPF,
IS-IS, BGP) for both IPv4 and IPv6
A.9
Should support complete STACK of IPV4, IPV6 and Dual STACK
A.10
Should support load balancing of IPSec VPN and IPSec termination
(Site to Site )
A.11
It should be a single box solution
B
Hardware Requirements
B.1
Should have Rack mountable system
B.2
Should have 4 x 10G SFP Multimode Fiber
B.3
Should have 4 x 40G QSFP Ports (Multimode Fiber)
B.4
Should have a dedicated management port
B.5
Should support USB ports for OS upgradation for future use (Optional)
B.6
Should have dual power supply
B.7
Should have a LCD front panel to see any alerts (Optional)
C
Performance
C.1
Should be capable to deliver 40 Gbps of Layer 4 throughput
C.2
Should be capable to handle a maximum of 30 Million Concurrent
Connections
C.3
Should be capable of handling 150,000 (150K) L4 connections per
second
D
IPSEC Load Balancing Features
D.1
Support for scripting language to create customized rules that can be
triggered based on an event in the L4-L7 stack
D.2
Should support IPv6 to IPv4 Conversion
D.3
Should support HTTP Header manipulation on client requests and
server responses
D.4
Should support URL-based redirection
D.5
Should support load balancing algorithm based on cookie
D.6
Should support End-to-End SSL Encryption (Backend Encryption)
D.7
Should support priority groups within a pool. If a given number of
higher priority group members in a pool are not available, the members
from the next lower priority group will be selected automatically. OR
Should provide the facility to get activated back-up virtual server in case
the primary virtual server is down
D.8
Should have the capability to create customized health monitors to send
a specific request and analyze the response and intelligently determine if
the application service is available
D.9
Should have the capability to import a script and invoke the same for
monitoring the health of the application
E
High Availability
E.1
Support both Active - Active and Active - Standby topology & N+1
Clustering
E.2
Should support transparent failover between 2 devices, the failover
should be transparent to other networking devices
E.3
Should support failover to reduce failover time less than 1 second with
all sessions persistence
E.4
Should support network based failover for session mirroring, connection
mirroring and heartbeat check
E.5
Should support configuration sync to and from active and backup unit
E.6
Should support the feature to force the active device to standby and back
to active state; or force a device to offline mode
F
Security
F.1
Should have protection against L4 DoS/DDoS
F.2
Should have facility to flush idle connections at the time of system high
utilisation with predefined threshold
F.3
Should protect against SYN Flood attacks
G
Device Administration
G.1
Should provide HTTPS interface management for administering the
device
G.2
Should provide SSH interface management for administering the device
G.3
Should provide troubleshooting and traffic analysis tool like tcpdump
G.4
Should support SNMP V1, V2c, V3
G.5
Should have a web dashboard that should provide the following
information:
• Throughput
• New connection
• CPU Usage
• Memory Usage
Graphs of the above data for the last 30 days should be available
G.6
Should provide to store multiple image and config version option on the
appliance
G.7
Should provide system, traffic logs on web GUI
G.8
Should support role based admin access with roles like no access, Guest,
Operator, Application Editor, Resource Administrator and
Administrator
G.9
Should have option to change the SSL certificate used for management
of the appliance
G.10
Authenticating Mechanisms - RADIUS, TACACS+
G.11
OEM should provide tools, whereby the device administrator can upload
the device configuration and verify the known issues or bug on the
existing OS & also configuration and should also proactively provide
recommendation on stable code that the appliance can be migrated to.
G.12
Should have an OEM Online TAC 24x7 telephonic support and L3
resource support in India for onsite Support
H
Reporting
H.1
Should support Syslog server
H.2
Should support High Speed Logging to a Syslog server
H.3
Should support integration with industry standard SIEM like RSA
enVision, ArcSight and Splunk
H.4
Should have a filter for logs to filter out specific fields for logging
H.5
Should have a log publisher that can publish logs simultaneously to
multiple logging servers at the same time
H.6
Support for triggering of a script to log any event in the L4-L7 stack
H.7
Should support report scheduling (Optional)
TABLE 32 : Specifications for IP PBX
SR No | Specifications | Complied (Yes/No) | Remarks
Proposed solution should have pure IP Platform.
The solution should be processor based only. The software
should be from indigenous or globally known OEM. No open
source or Asterisk based solution is allowed.
Proposed solution should be configured in HA Mode
(Active/Passive).
The proposed solution (single appliance) should be able to
support 500 registered users from day 1 and proposed single
appliance should be Scalable up to 2000 extensions users.
The system should have IP architecture and provide support for
integrated telephony solution for IP Phones, Video Phones, SIP
Client, all 3rd party Mobile SIP Client, E1 / PRI, SIP and all 3rd
party SIP gateways.
Provides reports for calls based on records, calls on a user basis,
calls through gateways etc.
The proposed appliance should have in-built 4 PRI ports.
Able to perform bulk add and delete operations for devices and users.
Alternate Automatic Routing, Auto route selection and Least
Cost Routing should be available.
The application should have inbuilt SIP / VOIP trunk facility
without any additional module.
The system should support minimum of 10 registered SIP trunks
for calling purpose.
Protocol :
Protocol to be supported: SIP, MGCP, H.323
Coder-decoder (codec) support for automated bandwidth
selection: G.711 mu-law, a-law, G.729.
Should support appropriate Video Codec H.264 and H.263
General specs for IPPBX
Call processing and call-control.
Support for configuration database (contains system and device
configuration information, including dial plan)
Digit manipulation and call treatment (digit string insertion,
deletion, stripping, dial access codes, digit string translation)
Centralized call processing
Active - Passive disaster recovery mode. Solution should support
working with automatic fail over mechanism
The solution should support routing of incoming calls based
upon caller input to menus, real‐time queue statistics, time of
day, ANI, etc.
The solution should support active and standby server mode. In
case the Main server in the Data centre fails, the standby server
should take over seamlessly. The solution should support
placing of Main and Standby server in both sites respectively.
Administrative Features for IPPBX
Should have "web based administration UI with capability to
delegate administrative specific task to power users"
Call detail records (System wise, extension wise)
CDR should be downloadable in various formats like PDF, CSV,
Excel
Configuration of all Class 5 features via Web based GUI
Dialled number identification service
Recording File should be played on the GUI and should be
downloadable by the administrator
Administrator should have access to Live Dashboard to see the
details of Agent and Live call status.
User Features: IPPBX
Abbreviated Dial
Answer and answer release
Call back busy, no reply to station
Call forward—all (off net and on net)
Call forward—busy
Call forward—no answer
Call hold and retrieve
Call status per line (state, duration, number)
Calling Line Identification
Calling Line Identification Restriction call by call
Calling party name identification
25 Party Meet me conference bridge (Multiple Room)
Automatic Scheduled conference with moderator control Panel
Call Paging : Manual and IVR Driven
Direct inward dial (DID)
Distinctive rings and Caller Tune
Extension mobility support
Hands-free, speakerphone
Immediate Divert to voicemail for all extensions
100% Voicemail to Email for all extensions without any
additional hardware
100% Fax to Email
Automatic Call back
Inbuilt 100% Call Recording for all extensions without any
additional hardware
Call Monitoring
Call Barge in
Call Whispering
Multi-Level IVRS platform
System should support Chat facility (IM)
Inbuilt Rating and Charging for extension wise call control
Inbuilt SIP trunk ready platform
Provided platform should support FTP to archive historical CDR
and Recording files
Interactive Voice blaster
Certifications
OEM / product should be ISO 9001, 27001, 14001 certified
Warranty - Must be quoted with the five years comprehensive
replacement and direct OEM 8 x 5 Support pack.
All Licences, Software and upgrade (Application, Database),
security patches etc should be part of solution.
Specifications - IP Phones
SDRAM – 16 MB
FLASH – 4MB
LCD – 128X64 Dot Matrix
SIP lines – minimum 2
Supported Codec (G.711,G.723.1,G.729AB,G.722)
Should support SIP2.0 over UDP/TCP/TLS
Should support basic call features e.g. Mute / Unmute
(microphone), Call Hold / Resume, Call Waiting, Caller ID
Display, Call Forwarding (Always/Busy/No Answer), Call
Transfer (Attended/Unattended), Call Parking/Pick-up,
Do-Not-Disturb (per line / per phone), three party conference.
IP Operator Console Phone
SDRAM – 16 MB
FLASH – 8MB
2 LCD – Main LCD 128X64 Dot Matrix , DSS Key LCD 64 x 192
Dot Matrix
SIP lines – minimum 6
Should support Inbuilt 40 DSS Keys.
Supported Codec (G.711,G.723.1,G.729AB,G.722)
Should support SIP2.0 over UDP/TCP/TLS
Should support basic call features e.g. Mute / Unmute
(microphone), Call Hold / Resume, Call Waiting, Caller ID
Display, Call Forwarding (Always/Busy/No Answer), Call
Transfer (Attended/Unattended), Call Parking/Pick-up,
Do-Not-Disturb (per line / per phone), three party conference.
ANNEXURE – 5.1.2
(see attached file)
Bill of Material and Compliances
We confirm that we comply with all the specifications mentioned above & the terms & conditions
mentioned in the RFP Document are acceptable to us.
Dated this ....... day of ............................ 2016
______________________________________________________________
(Signature)
(Name)
(In the capacity of)
Duly authorised to sign Bid for and on behalf of
ANNEXURE – 5.1.3
Undertaking of Authenticity
To:
Deputy General Manager,
Networking & Communication Department,
State Bank Global IT Centre,
Ground Floor, A Wing,
Sector 11, CBD Belapur,
Navi Mumbai-(400614)
Sub: Undertaking of Authenticity for Hardware & Software Supplies
Ref: SBI/GITC/TECHOPS/2016-17/320 dated: 06.12.2016
With reference to the equipment being quoted to you vide our Quotation: SBI/GITC/
TECHOPS/2016-17/320 dated: 06.12.2016, we hereby confirm that all the components /parts
/assembly / software etc. used in the equipment to be supplied shall be original new components /
parts / assembly / software only, from respective OEMs of the products and that no refurbished /
duplicate / second hand components /parts/ assembly / software shall be supplied or shall be
used. We also undertake to produce certificate from the Original Equipment Manufacturers (if
required by you) in support of the above statement at the time of delivery / installation
We also confirm that in respect of licensed operating systems and other software utilities to
be supplied, the same will be procured from authorized sources and supplied with Authorized
License Certificate (e.g. Product keys on Certification of Authenticity in case of Microsoft
Windows Operating System)
2.
In case of default and the Bank finds that the above conditions are not complied with, we
agree to take back the equipments/components supplied and return the money paid by you, in
full within seven days of intimation of the same by the Bank, without demur or any reference to a
third party and without prejudice to any remedies the Bank may deem fit.
3.
In case of default and we are unable to comply with above at the time of delivery or during
installation, for the IT Hardware / Software already billed, we agree to take back the equipment
without demur, if already supplied and return the money if any paid to us by you in this regard.
4.
We also take full responsibility of both parts & Service SLA as per the content even if there
is any defect by our authorized Service Centre / Reseller / SI etc.
5.
Dated this ....... day of ............................ 201
_________________________________________________________
(Signature)
(Name)
(In the capacity of)
Duly authorised to sign Bid for and on behalf of
Annexure 5.1.4
PRE BID FORMAT
Page no. | Table no. | Annexure No. | Clause no./Srl no. | RFP Phrase | Clarifications by bidder | Remarks if any
Dated this ....... day of ............................ 201
_________________________________________________________
(Signature)
(Name)
(In the capacity of)
Duly authorised to sign Bid for and on behalf of
ANNEXURE – 5.2.1
BID FORM (TECHNICAL BID) (to be included in Technical Bid Envelope)
Date:________________
To:
Deputy General Manager,
Networking & Communication Department,
State Bank Global IT Centre,
Ground Floor, A Wing,
Sector 11, CBD Belapur,
Navi Mumbai-(400614)
Dear Sir,
Ref: SBI/GITC/TECHOPS/2016-17/320 dated: 06.12.2016
We have examined the RFP, the receipt of which is hereby duly acknowledged and subsequent
pre-bid clarifications/ modifications / revisions, if any, furnished by the Bank and we offer to
supply, Install, test, commission and maintain the equipments/components detailed in
Annexure-5.1.1 and 5.1.2, as per the terms and conditions spelt out in the RFP. We shall
participate and submit the commercial bid through online auction to be conducted by the Bank's
authorized service provider, on the date advised to us.
2. While submitting this bid, we certify that:
• The undersigned is authorized to sign on behalf of the BIDDER and the necessary support
document delegating this authority is enclosed to this letter.
• Indicative prices submitted by us have been arrived at without agreement with any other
Bidder of this RFP for the purpose of restricting competition.
• The indicative prices submitted by us have not been disclosed and will not be disclosed to
any other Bidder responding to this RFP.
• We have not induced or attempted to induce any other Bidder to submit or not to submit
a bid for restricting competition.
• The rate quoted in the indicative price bids for the MCU are as per the RFP and
subsequent pre-bid clarifications/ modifications/ revisions furnished by the Bank,
without any exception.
3. If our offer is accepted, we undertake to complete the formalities for supply of the
equipments/components within a period of 8 weeks from date of Purchase Order.
4. We agree to abide by the Bid and the rates quoted therein for the orders
awarded by the Bank up to the period prescribed in the Bid, which shall remain
binding upon us.
5. Until a formal contract is prepared and executed, this Bid, together with your written
acceptance thereof and your notification of award, shall constitute a binding Contract between
us.
6. We undertake that, in competing for (and, if the award is made to us, in executing) the above
contract, we will strictly observe the laws against fraud and corruption in force in India namely
"Prevention of Corruption Act 1988".
7. We also certify that the information/ data/ particulars furnished in our bids are factually
correct. We also accept that in the event of any information / data / particulars proving to be
incorrect, the Bank will have the right to disqualify us from the bid.
8. We understand that you are not bound to accept the lowest or any Bid you may receive.
Dated this ....... day of ............................ 2016
______________________________________________________________
(Signature)
(Name)
(In the capacity of)
Duly authorised to sign Bid for and on behalf of
______________________________________
ANNEXURE – 5.2.2
INDICATIVE PRICE PROPOSAL
(to be included in Indicative Price Proposal Envelope)
To:
Dear Sir,
Ref: SBI/GITC/TECHOPS/2016-17/320 dated: 06.12.2016
Having examined the Bidding Documents, the receipt of which is hereby duly acknowledged, we,
the undersigned, submit our Indicative Price Bid of Rs.______________ (Rupees
___________________________________) (Total Proposal amount in words and
figures) for supply, delivery of the equipments/components in conformity with the said Bidding
documents
Dated this ....... day of ............................ 2016
______________________________________________________________
(Signature)
(Name)
(In the capacity of)
Duly authorised to sign Bid for and on behalf of
______________________________________________________________
ANNEXURE – 5.2.3
Price Breakup Schedule(To be submitted after Reverse Auction)
Total Equipment Cost with 5 year warranty amount
(Details to be given AS PER THE format of BOM as specified in Annexure 5.1.2. Bidder need to
specify the unit cost for each and every item)
Dated this ....... day of ............................ 201
______________________________________________________________
(Signature)
(Name)
(In the capacity of)
Duly authorised to sign Bid for and on behalf of
______________________________________________________________
ANNEXURE -5.3
SLA Terms & Conditions for Hardware, Software & Maintenance Services
1.
The Vendor warrants that the products supplied under the Contract are new, unused, of
the most recent or current model and they incorporate all recent improvements in design
and / or features. The Vendor further warrants that all the Products supplied under this
Contract shall have no defect, arising from design or from any act of omission of the
Vendor, that may develop under normal use of the supplied products in the conditions
prevailing in India.
2.
Warranty for Hardware Components : Onsite comprehensive warranty for all the
hardware components including free replacement of spares, parts, kits as and when
necessary will be 60 months from date of installation or 63 months from date of delivery,
whichever is earlier.
3.
Warranty for the System Software/off-the-shelf Software will be provided to the Bank as
per the general conditions of sale of such software.
4.
The Vendor shall in addition comply with the performance guarantees specified under the
Contract. If, for reasons attributable to the Vendor, these guarantees are not attained in
whole or in part the Vendor shall make such changes, modifications and / or additions to
the Products or any part thereof as may be necessary in order to attain the contractual
guarantees specified in the Contract at its own cost and expense and to carry out further
performance tests.
5.
On-site comprehensive warranty: The warranty would be on-site and comprehensive in
nature and back to back support from the OEM. The vendor will warrant all the hardware
and software against defects arising out of faulty design, materials and media
workmanship etc. for a period of five years from the date of acceptance of the hardware
and software. The vendor will provide support for Operating Systems and other
preinstalled software components during the warranty period of the hardware on which
these software & operating system will be installed. The Vendor shall repair or replace
worn out or defective parts including all plastic parts of the equipment at his own cost
including the cost of transport.
6.
During the term of the contract, the VENDOR will maintain the equipments/components
in perfect working order and condition and for this purpose will provide the following
repairs and maintenance services:
a)
Free maintenance services during the period of warranty. Professionally qualified
personnel who have expertise in the hardware and system software supplied by
the vendor will provide these services.
b)
The Bidder shall rectify any defects, faults and failures in the
equipments/components and shall repair/replace worn out or defective parts of
the equipment during working hours i.e. from 8.00 A.M. to 8.00 P.M. on all
working days (viz. Monday to Saturday). In case any defects, faults and failures
in the equipment could not be repaired or rectified during the said period, the
engineers of the VENDOR are required to accomplish their duties beyond the said
schedules in case of any situation if it warrants. In cases where unserviceable
parts of the equipment need replacement, the VENDOR shall replace such parts,
at no extra cost to the BANK, with brand new parts or those equivalent to new
parts in performance. For this purpose the VENDOR shall keep sufficient stock of
spares at Bank's premises or at the premises of the VENDOR.
c)
The maximum response time for a maintenance complaint from the site of
installation (i.e. time required for Vendor's maintenance engineers to report to
the installations after a request call / fax / email is made or letter is written) shall
not exceed 4 (four) hours.
d)
The VENDOR shall ensure that faults and failures intimated by Bank as above are
set right within 6 (six) hours of being informed of the same. In any case the
equipment should be made workable and available not later than the Next
Business Day.
e)
The Vendor shall ensure that the full configuration of the equipment is available
to the BANK in proper working condition. The solution should achieve uptime of
100% of the time on a 24x7x365 basis and 99.5% for each equipment.
f)
In the event of the equipments/components not being repaired or a workable
solution not provided during Warranty period, a penalty of one (1) percent of the
total consideration for each week or part thereof the delay, subject to maximum
amount of ten (10) percent of the total consideration will be charged to vendor.
The vendor may provide temporary equivalent replacement as a workable
solution to avoid the above penalty.
g)
Any penalty due during the Warranty period will be adjusted against the 10%
retention money retained by the Bank.
For purpose of calculating penalty, uptime is calculated as under:
Uptime (%) = ((Sum of total hours during month - Sum of downtime hours during month) / Sum of total hours during the month) x 100
Total hours during the month = No. of working days x 8
h)
The VENDOR shall ensure that the meantime between failures (including any
malfunctioning, breakdown or fault) in the equipment or any part thereof, as
calculated during any and every quarter (period of three consecutive months) is
not less than 90 days.
i)
Preventive maintenance: the VENDOR shall conduct Preventive Maintenance
(including but not limited to inspection, testing, satisfactory execution of all
diagnostics, cleaning and removal of dust and dirt from the interior and exterior
of the equipment, and necessary repair of the equipment) once within first 15
days of the installation once within the first 15 days of every alternate month
during the currency of this agreement on a day and time to be mutually agreed
upon. Notwithstanding the foregoing the VENDOR recognizes Bank's operational
needs and agrees that Bank shall have the right to require the VENDOR to
adjourn preventive maintenance from any scheduled time to a date and time not
later than 15 working days thereafter.
j)
All engineering changes generally adopted hereafter by the VENDOR for
equipment similar to that covered by this AGREEMENT, shall be made to the
equipments/components at no cost to the Bank.
k)
Qualified maintenance engineers totally familiar with the
equipments/components shall perform all repairs and maintenance service
described herein.
l)
The Bank shall maintain a register at its site in which the Bank's operator /
supervisor shall record each event of failure and / or malfunction of the
equipment. The VENDOR's engineer shall enter the details of the action taken in
such register. Additionally every time a preventive or corrective maintenance is
carried out, the VENDOR's engineer shall make, effect in duplicate, a field call
report which shall be signed by him and thereafter countersigned by the Bank's
official. The original of the field call report shall be handed over to the Bank's
official.
m)
The VENDOR shall provide replacement equipments/components if any
equipments/components is out of the premises for repairs.
7.
Any worn or defective parts withdrawn from the equipment and replaced by the VENDOR
shall become the property of the VENDOR and the parts replacing the withdrawn parts
shall become the property of Bank.
8.
The VENDOR's maintenance personnel shall be given access to the
equipments/components when necessary, for purpose of performing the repair and
maintenance services indicated in this agreement.
9.
However, if Bank desires to shift the equipments/components to a new site and install it
thereof urgently, the VENDOR shall be informed of the same immediately. The Bank
shall bear the charges for such shifting and the VENDOR shall provide necessary
arrangement to Bank in doing so. The terms of this agreement, after such shifting to the
alternate site and reinstallation thereof, would continue to apply and be binding on the
VENDOR.
10.
Bank shall arrange to maintain appropriate environmental conditions, such as those
relating to space, temperature, power supply, dust within the acceptable limits required
for equipments/components similar to that covered by this Agreement.
11.
No term or provision hereof shall be deemed waived and no breach excused, unless such
waiver or consent shall be in writing and signed by the party claimed to have waived or
consented. Any consent by any party to or waiver of a breach by other, whether express or
implied, shall not constitute a consent to or waiver of or excuse for another different or
subsequent breach.
12.
If, in any month, the VENDOR does not fulfill the provisions of clauses (b), (c), (d), (e)
and (h), only the proportionate maintenance charges for that period during the month will
be considered payable by Bank without prejudice to the right of the Bank to terminate the
contract. If, in such event, the VENDOR was credited without deducting the proportionate
maintenance charges for that month, the Bank can deduct the same from future payments
payable or the VENDOR shall refund the amount forthwith to Bank on demand by Bank.
13.
If any loss or damage is caused to the equipments/components on account of any
negligence, commission or omission by the engineers of the VENDOR, the VENDOR shall
indemnify/pay/reimburse the loss suffered by the BANK.
14.
Future additions of Hardware / Software:
14.1
The Bank would have the right to:
a) Shift supplied systems to an alternative site of its choice.
b) Disconnect / connect / substitute peripherals such as printers, etc. or devices or any
equipment / software acquired from another vendor.
c) Expand the capacity / enhance the features / upgrade the hardware / software
supplied, either from the vendor, or another vendor, or developed in-house.
provided such changes or attachments do not prevent proper maintenance from being
performed or unreasonably increase the VENDOR's cost of performing repair and
maintenance service.
14.2
The warranty terms would not be considered as violated if any of (a), (b) or (c) above takes
place. Should there be a fault in the operations of the system, the vendor, would not
unreasonably assume that the causes lie with those components / software not acquired
from them.
15.
CONFIDENTIALITY:
15.1
The VENDOR acknowledges that all material and information which has and will come
into its possession or knowledge in connection with this agreement or the performance
thereof, whether consisting of confidential and proprietary data or not, whose disclosure
to or use by third parties may be damaging or cause loss to Bank will at all times be held by it
in strictest confidence and it shall not make use thereof other than for the performance of
this agreement and to release it only to employees requiring such information, and not to
release or disclose it to any other party. The VENDOR agrees to take appropriate action
with respect to its employees to ensure that the obligations of non-use and non-disclosure
of confidential information under this agreement are fully satisfied. In the event of any
loss to the Bank in divulging the information by the employees of the VENDOR, the Bank
shall be indemnified. The VENDOR agrees to maintain the confidentiality of the Bank's
information after the termination of the agreement also.
15.2
The VENDOR/Bank will treat as confidential all data and information about the
VENDOR/Bank/Contract, obtained in the execution of this tender including any business,
technical or financial information, in strict confidence and will not reveal such
information to any other party.
16. Transition Clause
In the event of failure of the Service Provider to render the Services or in the event of
termination of agreement or expiry of term or otherwise, without prejudice to any other
right, the Bank at its sole discretion may make alternate arrangement for getting the
Services contracted with another vendor. In such case, the Bank shall give prior notice to
the existing Service Provider. The existing Service Provider shall continue to provide
services as per the terms of contract until a 'New Service Provider' completely takes over
the work. During the transition phase, the existing Service Provider shall render all
reasonable assistance to the new Service Provider within such period prescribed by the
Bank, at no extra cost to the Bank, for ensuring smooth switch over and continuity of
services. If the existing vendor is in breach of this obligation, they shall be liable for paying a
penalty of Rs 25 lakh on demand to the Bank, which may be settled from the payment of
invoices for the contracted period.
--@@@@@--
FORMAT FOR EMD BANK GUARANTEE
To:
Dear Sir,
EMD BANK GUARANTEE FOR SUPPLY, DELIVERY OF
EQUIPMENTS/COMPONENTS
AS ARE SET OUT IN THE SBI RFP NO. SBI/GITC/TECHOPS/2016-17/320 dated
06.12.2016
WHEREAS State Bank of India (SBI), having its Corporate Office at Nariman Point, Mumbai,
and Regional offices at other State capital cities in India has invited Request for Proposal for
supply, delivery of equipments/components to State Bank of India and such services as are set out
in the State Bank of India, Request for Proposal SBI/GITC/TECHOPS/2016-17/320 dated:
06.12.2016.
2. It is one of the terms of said Request for Proposal that the Bidder shall furnish a Bank
Guarantee for a sum of Rs.__________/- (Rupees
_____________________ Only) as Earnest Money Deposit.
3. M/s. ________________________, (hereinafter called as Vendor), who are our
constituents, intend to submit their tender for the said work and have requested us to furnish
guarantee in respect of the said sum of Rs.__________/- (Rupees
_____________________ Only)
4. NOW THIS GUARANTEE WITNESSETH THAT
We _____________________________ (Bank) do hereby agree with and undertake to the
State Bank of India, their Successors, assigns that in the event of the SBI coming to the conclusion
that the Bidder has not performed their obligations under the said conditions of the RFP or have
committed a breach thereof, which conclusion shall be binding on us as well as the said Vendor,
we shall on demand by the SBI, pay without demur to the SBI, a sum of Rs.__________/- (Rupees
_____________________ Only) or any lower amount that may be demanded by
State Bank of India. Our guarantee shall be treated as equivalent to the Earnest Money Deposit
for the due performance of the obligations of the Vendor under the said conditions, provided,
however, that our liability against such sum shall not exceed the sum of Rs.__________/- (Rupees
_____________________ Only).
5. We also agree to undertake to and confirm that the sum not exceeding Rs.__________/- (Rupees
_____________________ Only) as aforesaid shall be paid by us without any
demur or protest, merely on demand from the SBI on receipt of a notice in writing stating the
amount is due to them and we shall not ask for any further proof or evidence and the notice
from the SBI shall be conclusive and binding on us and shall not be questioned by us in any
respect or manner whatsoever. We undertake to pay the amount claimed by the SBI within a
period of one week from the date of receipt of the notice as aforesaid. We confirm that our
obligation to the SBI under this guarantee shall be independent of the agreement or
agreements or other understandings between the SBI and the Vendor. This guarantee shall not
be revoked by us without prior consent in writing of the SBI.
6. We hereby further agree that –
a) Any forbearance or commission on the part of the SBI in enforcing the conditions of the
said agreement or in compliance with any of the terms and conditions stipulated in the
said tender and/or hereunder or granting of any time or showing of any indulgence by
the SBI to the Vendor or any other matter in connection therewith shall not discharge
us in any way our obligation under this guarantee. This guarantee shall be discharged
only by the performance of the Vendor of their obligations and in the event of their
failure to do so, by payment to us of the sum not exceeding Rs.__________/- (Rupees
_____________________ Only)
b) Our liability under these presents shall not exceed the sum of Rs.__________/- (Rupees
_____________________ Only)
c) Our liability under this agreement shall not be affected by any infirmity or irregularity
on the part of our said constituents in tendering for the said work or their obligations
there under or by dissolution or change in the constitution of our said constituents.
d) This guarantee shall remain in force upto 180 days provided that if so desired by the
SBI, this guarantee shall be renewed for a further period as may be indicated by them
on the same terms and conditions as contained herein.
e) Our liability under these presents will terminate unless these presents are renewed as
provided herein upto 180 days or on the day when our said constituents comply with
their obligations, as to which a certificate in writing by the SBI alone is the conclusive
proof, whichever date is later.
f) Unless a claim or suit or action is filed against us within six months from that date or
any extended period, all the rights of the SBI against us under this guarantee shall be
forfeited and we shall be released and discharged from all our obligations and liabilities
hereunder.
Yours faithfully,
For and on behalf of
___________________________
Authorized official.
(NB : This guarantee will require stamp duty as applicable in the State where it is executed and
shall be signed by the official(s) whose signature and authority shall be verified)
ANNEXURE - 5.4.2
BANK GUARANTEE FOR EARLY RELEASE OF 10% RETENTION MONEY
To:
Dear Sir,
BANK GUARANTEE FOR EARLY RELEASE OF 10% RETENTION MONEY AS SET OUT
IN THE SBI RFP NO. SBI/GITC/TECHOPS/2016-17/320 dated:
06.12.2016
GUARANTEE NO: _______________ AMOUNT: Rs. ___________________
GUARANTEE COVER FROM _______________ TO _________________ LAST
DATE OF LODGEMENT OF CLAIM _________________________
(3 months after expiry of warranty)
Whereas ______________________, a company registered under the
Companies Act 1956 having its Registered Office at ......... (hereinafter referred to as `vendor'
which expression shall include its successors and assigns) entered into an agreement dated
_____________ with State Bank of India (SBI) for supply, delivery of the following hardware,
software & services at State Bank of India site in ______________ (hereinafter referred to as
`the said agreement')
<details of equipment supplied to be filled in table>
and it has been agreed that a payment of Rs._____________ (Rupees
________________________only) will be made to the vendor representing balance 10% of
the consideration amount against the security of a Bank Guarantee from a Scheduled Commercial
Bank.
2. Now this deed of guarantee witnesseth that in consideration of SBI agreeing to release a sum of
Rs.___________ (Rupees_____________Only) representing balance 10% of the
consideration amount payable to the vendor in terms of, the said agreement,
we_________________________(Bank) having our head office
at_____________________________and amongst other places, a branch at
_____________ (hereinafter referred to as the guarantor) do hereby expressly, irrevocably and
unreservedly agree and undertake that :
a) In the event of vendor committing breach of any of the undertakings or committing default in
fulfilling any obligation arising out of said agreement, we _________________ (bank) shall on
demand, pay SBI without any demur Rs.__________(Rupees
__________________________ only) and notwithstanding any right the vendor may have
against SBI or any disputes raised by the vendor or any suit or proceedings pending in any
competent Court of Law in
India or otherwise or before any arbitrator, and SBI's written demand shall be conclusive evidence
to us that such amount is payable by us under the said contract and shall be binding in all respects
on the Guarantor.
The Guarantor shall not be discharged or released from the aforesaid undertaking and
guarantee by any agreement, variations made between SBI and the vendor, indulgence shown to
the vendor by SBI, with or without the consent and knowledge of the Guarantor or by any
alterations in the obligations of the vendor by any forbearance whether as to payment, time
performance or otherwise.
3.
(a) This guarantee shall remain valid until (date which is 3 months after expiry of warranty
period), or until discharged by SBI in writing.
4.
This guarantee shall be a continuing guarantee and shall not be revocable except with the
previous written consent of SBI and save as aforesaid it will be in force until the vendor complies
with its obligations hereunder.
(b)
This Guarantee shall not be affected by any change in the constitution of the vendor by
absorption with any other body or corporation or dissolution or otherwise and this guarantee will
be available to or enforceable against such body or corporation.
(c)
In order to give effect to this guarantee, SBI will be entitled to act as if the guarantor were
the principal debtor and the guarantor hereby waives all and any of its rights of suretyship.
5.
This guarantee shall continue to be in force notwithstanding the discharge of the vendor by
operation of law and shall cease only on payment of the full amount by the guarantor to SBI of the
amount hereby secured.
6.
This Guarantee shall be in addition to and not in substitution for any other guarantee or
security for the vendor given or to be given to SBI in respect of the said contract.
7.
Any notice by way of request and demand or otherwise hereunder may be sent by post or
any other mode of communication to the guarantor's address as aforesaid, and if sent by post, it
shall be deemed to have been given at the time when it would be delivered in due course by post
and in proving such notice when given by post it shall be sufficient to prove that the envelope
containing the notice was posted and a certificate signed by an officer of SBI that the envelope was
so posted shall be conclusive.
9.
These presents shall be governed by and construed in accordance with Indian Law.
Notwithstanding anything contained herein:
8.
a) Our liability under this Bank Guarantee shall not exceed Rs.________
(Rupees ___________________________ only)
b) This Bank Guarantee shall be valid up to (date which is 3 months after expiry of warranty
period) and
c) We are liable to pay the guaranteed amount or any part thereof under this Bank Guarantee
only and only if you serve upon us a written claim or demand on or before
______________ (three months after the date of expiry of the warranty)
d) The guarantor has under its constitution powers to give this guarantee and Shri
__________ (signatories) Officials/ Managers of the Bank who has/have signed this guarantee
has/have powers to do so.
Dated this ......... day of................ 2016 at .................
For and on behalf of........................... (Bank).
Authorised Signatory ...................... in favour of the Bank
Designation ......................
_______________________________________________________________
the amount of the Advance Payment.
ANNEXURE - 5.4.3
PERFORMANCE BANK GUARANTEE FORMAT
(TO BE STAMPED AS AN AGREEMENT)
THIS PERFORMANCE BANK GUARANTEE AGREEMENT executed at ……..this…….day of
……….. 2016 by ……………. (name of the Bank)……….. having its Registered Office at …………….and
its Branch at
…………………………………………….(hereinafter referred to as "the Guarantor", which expression
shall, unless it be repugnant to the subject, meaning or context thereof, be deemed to mean and
include its successors and permitted assigns) IN FAVOUR OF State Bank of India, a Statutory
Corporation constituted under the State Bank of India Act, 1955 having its Corporate Centre at
State Bank Bhavan, Nariman Point, Mumbai and one of its offices at (procuring office address),
(hereinafter referred to as "the Bank" which expression shall, unless repugnant to the subject,
context or meaning thereof, be deemed to mean and include its successors and assigns).
WHEREAS
The State Bank of India, having its Corporate Office at State Bank Bhavan, Madam Cama Road,
Mumbai - 400 021 (hereinafter called the 'Bank') has invited quotations for supply of hardware,
software and services vide RFP ref No. SBI/GITC/TECHOPS/2016-17/320 dated: 06.12.2016,
1.
It is one of the terms of invitation of applications that the applicant shall furnish a
Performance Bank Guarantee for a sum of Rs……….………/- (Rupees
…………………….only) as a Bid Security Performance Bank Guarantee.
2.
M/s. _________________________________, our constituent, intend to submit
the Bid Security Performance Bank Guarantee for the said empanelment and requested us
to furnish guarantee to the 'Bank' in respect of the said sum of Rs……….………/- (Rupees
…………………….only)
NOW THIS GUARANTEE WITNESSETH AS FOLLOWS WITHOUT ANY DEMUR
1.
We ____________ (bank), the Guarantors, do hereby irrevocably & unconditionally
agree and undertake to the State Bank of India, their Successors, Assigns that in the event
of the State Bank of India coming to the conclusion that the vendor (pl. mention the name
in bracket) have not adhered to the terms and conditions of the 'Bank' or committed a
breach thereof, which conclusion shall be binding on us as well as the said vendor, we
shall on demand by the State Bank of India, pay without demur to the State Bank of India,
a sum of Rs……….………/- (Rupees
…………………….only) or any lower amount that may be demanded by the State Bank of
India. Our guarantee shall be treated as equivalent to the Security Deposit for the due
performance of the obligations of the vendor under the said Conditions, provided,
however, that our liability
against such sum shall not exceed the sum of Rs……….………/- (Rupees
…………………….only)
2.
We also agree to undertake to and confirm that the sum not exceeding
Rs……….………/- (Rupees …………………….only) as aforesaid shall be paid by us without any
demur or protest, merely on demand from the State Bank of India on receipt of a notice in
writing stating the amount is due to them and we shall not ask for any further proof or
evidence in this regard. The notice from the State Bank of India shall be conclusive and
binding on us and shall not be questioned by us in any respect or manner whatsoever. We
undertake to pay the amount claimed by the State Bank of India within a period of one
week from the date of receipt of the notice as aforesaid.
3.
We confirm that our obligation to the State Bank of India under this guarantee shall be
independent of the agreement or other understandings, whatsoever, between the State
Bank of India and the vendor.
This guarantee shall not be revoked by us without prior consent in writing of the State Bank of
India.
We hereby further agree that-
(a)
Any forbearance or omission on the part of the State Bank of India in enforcing the
conditions of the said agreement or in compliance with any of the terms and conditions
stipulated in the said tender and / or hereunder or granting of any time or showing of any
indulgence by the State Bank of India to the vendor or any other matters in connection
therewith shall not discharge us in any way our obligation under this guarantee. This
guarantee shall be discharged only by the performance by the vendor of their obligations
and in the event of their failure to do so, by payment by us of the sum not exceeding
Rs……….………/- (Rupees …………………….only)
(b)
Our liability under these presents shall not exceed the sum of Rs……….………/- (Rupees
…………………….only)
(c)
Our liability under this agreement shall not be affected by any infirmity or irregularity on
the part of our said constituents in tendering for the said work or their obligations there
under or by dissolution or change in the constitution of our said constituents.
(d)
This guarantee shall remain in force upto (date) provided that if so desired by the State
Bank of India, this guarantee shall be renewed for a further period as may be indicated by
them on the same terms and conditions as contained herein.
(e)
Our liability under these presents/guarantee shall remain in force till (date) unless these
presents are renewed as provided hereinabove on the (date) or on the day when our said
constituents comply with their obligations, as to which a certificate in writing by the State
Bank of India alone is the conclusive proof whichever date is later. Unless a claim or suit
or action is filed against us within four months from the date or any extended period, all
the rights of the State Bank of India against us under this guarantee shall be forfeited and
we shall be released and discharged from all our obligations and liabilities hereunder.
(f) The liability of the Guarantor under this Security Performance Bank Guarantee shall not be
affected by -
(i)
Insolvency or winding up of the Bidder or absorption, merger, acquisition or
amalgamation of the Bidder with any other Company, Corporation or concern; or
(ii)
Insolvency or winding up of the Guarantor or absorption, merger, acquisition or
amalgamation of the Guarantor with any other Company, Corporation or
concern; or change in the constitution structure or management of the Guarantor
(iii)
any change in the management of the Bidder by takeover of the management of
the Bidder by the Central or State Government or by any other authority; or
(iv)
any change in the constitution/structure or management of the Bank or
(v)
any dispute between the Bidder and the Bank.
(g) This guarantee shall be governed by Indian Laws and the Courts at Mumbai, India alone shall
have the jurisdiction to try & entertain any dispute arising out of this guarantee.
Notwithstanding anything contained herein :
(a) Our liability under this Bank Guarantee shall not exceed Rs……….………/- (Rupees
…………………….only)
(b) This Bank Guarantee shall be valid upto……………………….
(c) We are liable to pay the guaranteed amount or any part thereof under this Bank
Guarantee only and only if you serve upon us a written claim or demand on or before
…………………… (date which is 3 months after date mentioned at (b) above).
Yours faithfully,
For and on behalf of Bank.
__________________________
Authorised official
ANNEXURE- 5.5
MANUFACTURERS'/PRODUCERS’ AUTHORIZATION FORM
No.
Date:
To:
Dear Sir:
Ref: RFP No. SBI/GITC/TECHOPS/2016-17/320 dated: 06.12.2016
We who are established and reputable manufacturers / producers of
________________________ having factories / development facilities at
(address of factory / facility) do hereby authorise M/s ___________________ (Name and
address of Agent) to submit a Bid, and sign the contract with you against the above Bid Invitation.
We hereby extend our full guarantee and warranty for the Solution, Products and services
offered by the above firm against this Bid Invitation.
2.
We also undertake to provide any or all of the following materials, notifications, and
information pertaining to the Products manufactured or distributed by the Vendor :
3.
(a) Such Products as the Bank may opt to purchase from the Vendor, provided, that this
option shall not relieve the Vendor of any warranty obligations under the Contract;
and
(b) in the event of termination of production of such Products:
(i) advance notification to the Bank of the pending termination, in sufficient time
to permit the Bank to procure needed requirements; and
(ii) following such termination, furnishing at no cost to the Bank, the blueprints,
design documents, operations manuals, standards, source codes and
specifications of the Products, if requested.
We duly authorise the said firm to act on our behalf in fulfilling all Technical support and
maintenance obligations required by the contract.
4.
Yours faithfully,
(Name of Manufacturer / Producers)
Note: This letter of authority should be on the letterhead of the manufacturer and should be signed by a
person competent and having the power of attorney to bind the manufacturer. The Bidder in its Bid should
include it.
ANNEXURE - 5.6
PROFORMA OF CERTIFICATE TO BE ISSUED BY THE BANK AFTER SUCCESSFUL
COMMISSIONING AND ACCEPTANCE OF THE HARDWARE / SOFTWARE /
SERVICES
Date:
M/s.
Sub: Certificate of commissioning of Solution
1.
This is to certify that the products / equipment as detailed below has/have been received in
good condition along with all the standard and special accessories (subject to remarks in Para
No. 2) in accordance with the Contract/Specifications. The same has been installed and
commissioned.
a) Bid No. ._________________ dated _______________________ ___
b) Description of the Solution ________________________________
c) Quantity ____________________________________________ ____
d) Date of commissioning _____________________________________
e) Date of acceptance test _____________________________________
2.
Details of products not yet supplied and recoveries to be made on that account:
S.No. | Description | Amount to be recovered
3.
The acceptance test has been done to our entire satisfaction and Staff have been trained to
operate the Product.
4.
The Vendor has fulfilled his contractual obligations satisfactorily* or
The Vendor has failed to fulfill his contractual obligations with regard to the following:
(a)
(b)
(c)
5.
The amount of recovery on account of non-supply of Products is given under Para No. 2.
6.
The amount of recovery on account of failure of the Vendor to meet his contractual
obligations is as indicated in endorsement of the letter.
Signature
_______________________
Name
_______________________
Designation with stamp __________________
______________________________________
* Explanatory notes for filling up the certificates:
(a) The Vendor has adhered to the time schedule specified in the contract in dispatching the
Products / Manuals pursuant to Technical Specifications.
(b) Training of personnel has been done by the Vendor as specified in the contract.
(c) In the event of Manuals having not been supplied or installation and commissioning of the
Solution having been delayed on account of the Vendor, the extent of delay should always be
mentioned.
***********
ANNEXURE - 5.7
DETAILS OF ePROCUREMENT REVERSE AUCTION
AUCTION TO BE
CONDUCTED BY
e-Procurement Technologies Pvt. Ltd.
(abcprocure.com)
B-705, Wall Street - II,
Opp. Orient Club,
Nr. Gujarat College,
Ahmedabad - 380 006.
Gujarat State, India
Tel.:- 91 - 079 - 4001 6860 / 6861 /
079 - 4001 6863 / 6864 / 6877
Fax:- 91 - 079 - 4001 6876
http://SBI.abcprocure.com
ANNEXURE - 5.8
TENTATIVE LIST OF LOCATIONS
State Bank of India,
Data Centre at Hyderabad
Survey no. 26,
Gachibowli
Hyderabad -
ANNEXURE- 5.9
Sr.
No.
COMPLIANCE CERTIFICATE FOR ELIGIBILITY CRITERIA
Criteria
Compliance
(Yes/No)
Remarks
1
The Bidder should be in a business of supply, delivery
installation, configuration and maintenance and support of
networking equipment in India for at least last 05 years and
should be a current legal entity in India.
2
Bidder should have partnership with OEM for at least last 3
years
Partnership
certificate
evidencing minimum 3
years of partnership with
the OEM As on date to be
submitted
with bid
3
The Bidder must have registered net profits during last three
consecutive financial years as per the audited balance sheets
and P& L accounts for FY 2013-14 and 2014-15,2015-16.
Financial
statement
for
201314,2014-15 ,2015-16
4
The bidders should submit financial statements i.e. Audited
Balance sheet and Profit & Loss accounts for three years 201314 , 2014-15,2015-16.
Financial
statement
for,201314,2014-15,201516
5
The Bidder‘s Account should not have been declared as a NonPerforming Asset (NPA) in the Books of any bank or financial
institution as on 31.03.2016, A certificate to this effect should
be obtained from the Bank/Auditor of the bidder and submitted
along with the Bid.
Certificate from Bank/
Auditor
6
The bidder has to submit an undertaking that no Government /
undertaking organizations have blacklisted the bidder for any
reason
Undertaking
Bidder.
7
The Bidder should have permanent office in Mumbai and
Hyderabad or any other major city in India
Submit address proof.
8
The bidder should have their own support centre in India for
providing 24 x 7 telephonic technical support and assistance
services for immediate response and faster call resolution.
Bidder has to provide details of the same with bid submission.
Documentary evidence of
support
centre
and
resolution mechanism to
be submitted.
9
The bidder should be an Indian Company registered in India
with ISO 9001 Certification valid till date of submission of bid.
Certification copy
Page 273 of 285
Confidential & Proprietary
Certificate of
Incorporation and
documentary evidence
showing bidders is in
business of networking
equipment in last 05
years.
6th December,2016
by
RFP for procurement of Network
Infrastructure for Hyderabad Data Centre
10
The Bidder should have yearly sales turnover of not less than
Rs.200 crores during last three financial years (2013-2014,
2014-2015 & 2015-16)
Audited Balance Sheet
copy and a certificate
certifying sales turnover
for the FY 2015-16
11
The bidder should be in a business of supply, installation,
configuration and maintenance support of Network hardware.
Bidder should have successfully commissioned, configured
executed building 250 Racks Data centre with a minimum of
100 Racks at one sitein the last 3 financial years. Installation
certificate/ signoff reports, copies of purchase order evidencing
approx. should be submitted alongwith bid document. Bank
may carry out check/cross reference with the organization and
may reject the bid if it is found to be misleading.
Installation
certificate/
signoff reports, copies of
purchase order
12
The bidder should not outsource the contract to subcontractor.
The bidder should deploy & manage the project with its
resources.
Undertaking
submitted
to
13
The equipment or similar equipment or equipment from same
family for switching and routing, which bidder is proposing to
the Bank, should have been supplied and installed in any data
centre (with minimum 100 racks) in India in last one year as on
31.05.2016.
Installation certificate/ signoff reports
14.
The bidder should ensure that the OEM, whose
product/solution is being proposed, must have the Technical
Support Centre in India for providing 24x7x365 technical
support.
Documentary evidence to be submitted
We confirm that we comply with the eligibility criteria mentioned above & the terms & conditions
mentioned in the RFP Document are acceptable to us.
Dated this ....... day of ............................ 2016
_____________________________________________________________
(Signature)
(Name)
(In the capacity of)
Duly authorised to sign Bid for and on behalf of
RFP for procurement of Switching
solution for Data Centres
ANNEXURE-5.10
BIDDER’S ORGANIZATION PROFILE
Details of the Bidder:
1) Name
2) Date of Incorporation and / or commencement of business
3) Certificate of incorporation/Partnership deed
4) Brief description of the Bidder including details of its main line of business
5) Company /firms website URL
6) Particulars of the Authorized Signatory of the Bidder
a. Name
b. Designation
c. Address
d. Phone Number (Landline)
e. Mobile Number
f. Fax Number
g. Email Address
Dated this ......... day of................ 2016 at .................
For and on behalf of...........................
Authorized Signatory ......................
Designation ......................
ANNEXURE-5.11
NON-DISCLOSURE AGREEMENT
THIS RECIPROCAL NON-DISCLOSURE AGREEMENT (the “Agreement”) is made at
Mumbai between:
__________________________________ constituted under the _________ Act,
______ having its Corporate Centre at ___________________________
__________________________________ (hereinafter referred to as “Bank” which
expression includes its successors and assigns) of the ONE PART;
And
____________________________________ (hereinafter referred to as
“_________” which expression shall unless repugnant to the subject or context thereof,
shall mean and include its successors and permitted assigns) of the OTHER PART;
And Whereas
1. _________________________________________ is carrying on business of
providing _________________________________, has agreed to
__________________________ for the Bank and other related tasks.
2. For purposes of advancing their business relationship, the parties would need to
disclose certain valuable confidential information to each other. Therefore, in
consideration of covenants and agreements contained herein for the mutual disclosure of
confidential information to each other, and intending to be legally bound, the parties
agree to terms and conditions as set out hereunder.
NOW IT IS HEREBY AGREED BY AND BETWEEN THE PARTIES AS UNDER
1. Confidential Information and Confidential Materials:
(a) “Confidential Information” means non-public information that Disclosing Party
designates as being confidential or which, under the circumstances surrounding
disclosure ought to be treated as confidential. “Confidential Information” includes,
without limitation, information relating to installed or purchased Disclosing Party
software or hardware products, the information relating to general architecture of
Disclosing Party’s network, information relating to nature and content of data stored
within network or in any other storage media, Disclosing Party’s business policies,
practices, methodology, policy design delivery, and information received from others that
Disclosing Party is obligated to treat as confidential. Confidential Information disclosed
to Receiving Party by any Disclosing Party Subsidiary and/ or agents is covered by this
agreement.
(b) Confidential Information shall not include any information that: (i) is or subsequently
becomes publicly available without Receiving Party’s breach of any obligation owed to
Disclosing party; (ii) becomes known to Receiving Party prior to Disclosing Party’s
disclosure of such information to Receiving Party; (iii) became known to Receiving Party
from a source other than Disclosing Party other than by the breach of an obligation of
confidentiality owed to Disclosing Party; or (iv) is independently developed by Receiving
Party.
(c) “Confidential Materials” shall mean all tangible materials containing Confidential
Information, including without limitation written or printed documents and computer
disks or tapes, whether machine or user readable.
2. Restrictions
(a) Each party shall treat as confidential the Contract and any and all information
(“confidential information”) obtained from the other pursuant to the Contract and shall
not divulge such information to any person (except to such party’s own employees and
other persons and then only to those employees and persons who need to know the same)
without the other party’s written consent provided that this clause shall not extend to
information which was rightfully in the possession of such party prior to the
commencement of the negotiations leading to the Contract, which is already public
knowledge or becomes so at a future date (otherwise than as a result of a breach of this
clause). Receiving Party will have executed or shall execute appropriate written
agreements with its employees and consultants specifically assigned and/or otherwise,
sufficient to enable it to comply with all the provisions of this Agreement. If the Service
Provider shall appoint any Sub-Contractor then the Service Provider may disclose
confidential information to such Sub-Contractor subject to such Sub Contractor giving the
Bank an undertaking in similar terms to the provisions of this clause.
(b) Receiving Party may disclose Confidential Information in accordance with judicial or
other governmental order to the intended recipients (as detailed in this clause), provided
Receiving Party shall give Disclosing Party reasonable notice prior to such disclosure and
shall comply with any applicable protective order or equivalent. The intended recipients
for this purpose are:
(1) the statutory auditors of the Bank and
(2) regulatory authorities regulating the affairs of the Bank and inspectors and
supervisory bodies thereof
(c) The foregoing obligations as to confidentiality shall survive any termination of this
Agreement.
(d) Confidential Information and Confidential Material may be disclosed, reproduced,
summarized or distributed only in pursuance of Receiving Party’s business relationship
with Disclosing Party, and only as otherwise provided hereunder. Receiving Party agrees
to segregate all such Confidential Material from the confidential material of others in
order to prevent mixing.
(e) Receiving Party may not reverse engineer, decompile or disassemble any software
disclosed to Receiving Party.
3. Rights and Remedies
(a) Receiving Party shall notify Disclosing Party immediately upon discovery of any
unauthorized use or disclosure of Confidential Information and/ or Confidential
Materials, or any other breach of this Agreement by Receiving Party, and will cooperate
with Disclosing Party in every reasonable way to help Disclosing Party regain possession
of the Confidential Information and/ or Confidential Materials and prevent its further
unauthorized use.
(b) Receiving Party shall return all originals, copies, reproductions and summaries of
Confidential Information or Confidential Materials at Disclosing Party’s request, or at
Disclosing Party’s option, certify destruction of the same.
(c) Receiving Party acknowledges that monetary damages may not be the only and / or a
sufficient remedy for unauthorized disclosure of Confidential Information and that
disclosing party shall be entitled, without waiving any other rights or remedies (as listed
below), to injunctive or equitable relief as may be deemed proper by a Court of competent
jurisdiction.
a. Suspension of access privileges
b. Change of personnel assigned to the job
c. Financial liability for actual, consequential or incidental damages
d. Termination of contract
(d) Disclosing Party may visit Receiving Party’s premises, with reasonable prior notice
and during normal business hours, to review Receiving Party’s compliance with the term
of this Agreement.
4. Miscellaneous
(a) All Confidential Information and Confidential Materials are and shall remain the
property of Disclosing Party. By disclosing information to Receiving Party, Disclosing
Party does not grant any expressed or implied right to Receiving Party to disclose
information under the Disclosing Party patents, copyrights, trademarks, or trade secret
information.
(b) Any document provided under this Agreement is provided with RESTRICTED
RIGHTS.
(c) Neither party grants to the other party any license, by implication or otherwise, to use
the Confidential Information, other than for the limited purpose of evaluating or
advancing a business relationship between the parties, or any license rights whatsoever in
any patent, copyright or other intellectual property rights pertaining to the Confidential
Information.
(d) The terms of Confidentiality under this Agreement shall not be construed to limit
either party’s right to independently develop or acquire product without use of the other
party’s Confidential Information. Further, either party shall be free to use for any purpose
the residuals resulting from access to or work with such Confidential Information,
provided that such party shall maintain the confidentiality of the Confidential
Information as provided herein. The term “residuals” means information in non-tangible
form, which may be retained by person who has had access to the Confidential
Information, including ideas, concepts, know-how or techniques contained therein.
Neither party shall have any obligation to limit or restrict the assignment of such persons
or to pay royalties for any work resulting from the use of residuals. However, the
foregoing shall not be deemed to grant to either party a license under the other party’s
copyrights or patents.
(e) This Agreement constitutes the entire agreement between the parties with respect to
the subject matter hereof. It shall not be modified except by a written agreement dated
subsequently to the date of this Agreement and signed by both parties. None of the
provisions of this Agreement shall be deemed to have been waived by any act or
acquiescence on the part of Disclosing Party, its agents, or employees, except by an
instrument in writing signed by an authorized officer of Disclosing Party. No waiver of any
provision of this Agreement shall constitute a waiver of any other provision(s) or of the
same provision on another occasion.
(f) In case of any dispute, both the parties agree for neutral third party arbitration. Such
arbitrator will be jointly selected by the two parties and he/she may be an auditor, lawyer,
consultant or any other person of trust. The said proceedings shall be conducted in
English language at Mumbai and in accordance with the provisions of Indian Arbitration
and Conciliation Act 1996 or any Amendments or Re-enactments thereto.
(g) Subject to the limitations set forth in this Agreement, this Agreement will inure to the
benefit of and be binding upon the parties, their successors and assigns.
(h) If any provision of this Agreement shall be held by a court of competent jurisdiction to
be illegal, invalid or unenforceable, the remaining provisions shall remain in full force and
effect.
(i) All obligations created by this Agreement shall survive change or termination of the
parties’ business relationship.
5. Suggestions and Feedback
(a) Either party from time to time may provide suggestions, comments or other feedback
to the other party with respect to Confidential Information provided originally by the
other party (hereinafter “feedback”). Both parties agree that all Feedback is and shall be
entirely voluntary and shall not in absence of separate agreement, create any
confidentiality obligation for the receiving party. However, the Receiving Party shall not
disclose the source of any feedback without the providing party’s consent. Feedback shall
be clearly designated as such and, except as otherwise provided herein, each party shall be
free to disclose and use such Feedback as it sees fit, entirely without obligation of any kind
to other party. The foregoing shall not, however, affect either party’s obligations
hereunder with respect to Confidential Information of other party.
Dated this __________ day of _________ 2016 at __________
(month)
(place)
For and on behalf of ___________________________
Name
Designation
Place
Signature
For and on behalf of ___________________________
Name
Designation
Place
Signature
ANNEXURE- 5.12
PRE CONTRACT INTEGRITY PACT
(TO BE STAMPED AS AN AGREEMENT)
General
This pre-bid pre-contract Agreement (hereinafter called the Integrity Pact) is made
on ____ day of the month of ____ 201_, between, on the one hand, the State Bank
of India a body corporate incorporated under the State Bank of India Act, 1955 having its
Corporate Centre at State Bank Bhavan, Nariman Point, Mumbai through its
---------------------- Department / Office at ----------------, ----------------,
(hereinafter called the "BUYER", which expression shall mean and include, unless the
context otherwise requires, its successors) of the First Part and M/s ____
represented by Shri ____, Chief Executive Officer (hereinafter called the
"BIDDER/Seller", which expression shall mean and include, unless the context otherwise
requires, its / his successors and permitted assigns) of the Second Part.
WHEREAS the BUYER proposes to procure (Name of the Stores/Equipment/Item) and
the BIDDER/Seller is willing to offer/has offered the stores and
WHEREAS the BIDDER is a private company/public company/Government
undertaking/partnership/registered export agency, constituted in accordance with the
relevant law in the matter and the BUYER is an Office / Department of State Bank of
India performing its functions on behalf of State Bank of India.
NOW, THEREFORE,
To avoid all forms of corruption by following a system that is fair, transparent and free
from any influence/prejudiced dealings prior to, during and subsequent to the currency of
the contract to be entered into with a view to :
Enabling the BUYER to obtain the desired service / product at a competitive price in
conformity with the defined specifications by avoiding the high cost and the distortionary
impact of corruption on public procurement; and
Enabling BIDDERs to abstain from bribing or indulging in any corrupt practice in order
to secure the contract by providing assurance to them that their competitors will also
abstain from bribing and other corrupt practices and the BUYER will commit to prevent
corruption, in any form, by its officials by following transparent procedures.
The parties hereto hereby agree to enter into this Integrity Pact and agree as follows:
Commitments of the BUYER
1.1 The BUYER undertakes that no official of the BUYER, connected directly or indirectly
with the contract, will demand, take a promise for or accept, directly or through
intermediaries, any bribe, consideration, gift, reward, favour or any material or
immaterial benefit or any other advantage from the BIDDER, either for themselves or for
any person, organisation or third party related to the contract in exchange for an
advantage in the bidding process, bid evaluation, contracting or implementation process
related to the contract.
1.2 The BUYER will, during the pre-contract stage, treat all BIDDERs alike, and will
provide to all BIDDERs the same information and will not provide any such information
to any particular BIDDER which could afford an advantage to that particular BIDDER in
comparison to other BIDDERs.
1.3 All the officials of the BUYER will report to the appropriate authority any attempted or
completed breaches of the above commitments as well as any substantial suspicion of
such a breach.
2. In case any such preceding misconduct on the part of such official(s) is
reported by the BIDDER to the BUYER with full and verifiable facts and the same is prima
facie found to be correct by the BUYER, necessary disciplinary proceedings, or any other
action as deemed fit, including criminal proceedings may be initiated by the BUYER and
such a person shall be debarred from further dealings related to the contract process. In
such a case while an enquiry is being conducted by the BUYER the proceedings under the
contract would not be stalled.
3. Commitments of BIDDERs
3.1. The BIDDER commits itself to take all measures necessary to prevent corrupt
practices, unfair means and illegal activities during any stage of its bid or during any
pre-contract or post-contract stage in order to secure the contract or in furtherance to secure
it and in particular commit itself to the following:
3.2 The BIDDER will not offer, directly or through intermediaries, any bribe, gift,
consideration, reward, favour, any material or immaterial benefit or other advantage,
commission, fees, brokerage or inducement to any official of the BUYER, connected
directly or indirectly with the bidding process, or to any person, organisation or third
party related to the contract in exchange for any advantage in the bidding, evaluation,
contracting and implementation of the contract.
3.3 The BIDDER further undertakes that it has not given, offered or promised to give,
directly or indirectly any bribe, gift, consideration, reward, favour, any material or
immaterial benefit or other advantage, commission, fees, brokerage or inducement to any
official of the BUYER or otherwise in procuring the Contract or forbearing to do or having
done any act in relation to the obtaining or execution of the contract or any other contract
with State Bank of India for showing or forbearing to show favour or disfavour to any
person in relation to the contract or any other contract with State Bank of India.
3.4* Wherever applicable, the BIDDER shall disclose the name and address of agents and
representatives permitted by the Bid documents and Indian BIDDERs shall disclose their
foreign principals or associates, if any.
3.5* The BIDDER confirms and declares that they have not made any payments to any
agents/brokers or any other intermediary, in connection with this bid/contract.
3.6* The BIDDER further confirms and declares to the BUYER that the BIDDER is the
original vendors or service providers in respect of product / service covered in the bid
documents and the BIDDER has not engaged any individual or firm or company whether
Indian or foreign to intercede, facilitate or in any way to recommend to the BUYER or any
of its functionaries, whether officially or unofficially to the award of the contract to the
BIDDER, nor has any amount been paid, promised or intended to be paid to any such
individual, firm or company in respect of any such intercession, facilitation or
recommendation.
3.7 The BIDDER, at the earliest available opportunity, i.e. either while presenting the bid
or during pre-contract negotiations and in any case before opening the financial bid and
before signing the contract, shall disclose any payments he has made, is committed to or
intends to make to officials of the BUYER or their family members, agents, brokers or any
other intermediaries in connection with the contract and the details of services agreed
upon for such payments.
3.8 The BIDDER will not collude with other parties interested in the contract to impair
the transparency, fairness and progress of the bidding process, bid evaluation, contracting
and implementation of the contract.
3.9 The BIDDER will not accept any advantage in exchange for any corrupt practice,
unfair means and illegal activities.
3.10 The BIDDER shall not use improperly, for purposes of competition or personal gain,
or pass on to others, any information provided by the BUYER as part of the business
relationship, regarding plans, technical proposals and business details, including
information contained in any electronic data carrier. The BIDDER also undertakes to
exercise due and adequate care lest any such information is divulged.
3.11 The BIDDER commits to refrain from giving any complaint directly or through any
other manner without supporting it with full and verifiable facts.
3.12 The BIDDER shall not instigate or cause to instigate any third person to commit any
of the actions mentioned above.
3.13 If the BIDDER or any employee of the BIDDER or any person acting on behalf of the
BIDDER, either directly or indirectly, is a relative of any of the officers of the BUYER, or
alternatively, if any relative of an officer of the BUYER has financial Interest/stake in the
BIDDER's firm, the same shall be disclosed by the BIDDER at the time of filing of tender.
The term 'relative' for this purpose would be as defined in Section 6 of the Companies Act
1956.
3.14 The BIDDER shall not lend to or borrow any money from or enter into any monetary
dealings or transactions, directly or indirectly, with any employee of the BUYER.
4. Previous Transgression
4.1 The BIDDER declares that no previous transgression occurred in the last three years
immediately before signing of this Integrity Pact, with any other company in any country
in respect of any corrupt practices envisaged hereunder or with any Public Sector
Enterprise / Public Sector Banks in India or any Government Department in India or RBI
that could justify BIDDER's exclusion from the tender process.
4.2 The BIDDER agrees that if it makes incorrect statement on this subject, BIDDER can
be disqualified from the tender process or the contract, if already awarded, can be
terminated for such reason.
5. Earnest Money (Security Deposit)
5.1 While submitting commercial bid, the BIDDER shall deposit an amount (specified in RFP)
as Earnest Money/Security Deposit, with the BUYER through any of the mode
mentioned in the RFP / bid document and no such mode is specified, by a Bank Draft or a
Pay Order in favour of State Bank of India from a nationalized Bank including SBI or its
Subsidiary Banks. However payment of any such amount by way of Bank Guarantee, if so
permitted as per bid documents / RFP should be from any nationalized Bank other than
SBI or its Subsidiary Banks and promising payment of the guaranteed sum to the
BUYER on demand within three working days without any demur whatsoever and
without seeking any reasons whatsoever. The demand for payment by the BUYER shall be
treated as conclusive proof for making such payment to the BUYER.
5.2 Unless otherwise stipulated in the Bid document / RFP, the Earnest Money/Security
Deposit shall be valid upto a period of five years or the complete conclusion of the
contractual obligations to the complete satisfaction of both the BIDDER and the BUYER,
including warranty period, whichever is later.
5.3 In case of the successful BIDDER a clause would also be incorporated in the Article
pertaining to Performance Bond in the Purchase Contract that the provisions of Sanctions
for Violation shall be applicable for forfeiture of Performance Bond in case of a decision
by the BUYER to forfeit the same without assigning any reason for imposing sanction for
violation of this Pact.
5.4 No interest shall be payable by the BUYER to the BIDDER on Earnest Money/Security
Deposit for the period of its currency.
6. Sanctions for Violations
6.1 Any breach of the aforesaid provisions by the BIDDER or any one employed by it or
acting on its behalf (whether with or without the knowledge of the BIDDER) shall entitle
the BUYER to take all or any one of the following actions, wherever required:
(i) To immediately call off the pre contract negotiations without assigning any reason and
without giving any compensation to the BIDDER. However, the proceedings with the
other BIDDER(s) would continue, unless the BUYER desires to drop the entire process.
(ii) The Earnest Money Deposit (in pre-contract stage) and/or Security
Deposit/Performance Bond (after the contract is signed) shall stand forfeited either fully
or partially, as decided by the BUYER and the BUYER shall not be required to assign any
reason therefore.
(iii) To immediately cancel the contract, if already signed, without
giving any compensation to the BIDDER.
(iv) To recover all sums already paid by the BUYER, and in case of an Indian BIDDER with
interest thereon at 2% higher than the prevailing Base Rate of State Bank of India, while
in case of a BIDDER from a country other than India with interest thereon at 2% higher
than the LIBOR. If any outstanding payment is due to the BIDDER from the BUYER in
connection with any other contract for any other stores, such outstanding could also be
utilized to recover the aforesaid sum and interest.
(v) To encash the advance bank guarantee and performance bond/warranty bond, if
furnished by the BIDDER, in order to recover the payments, already made by the BUYER,
along with interest.
(vi) To cancel all or any other Contracts with the BIDDER. The BIDDER shall be liable to
pay compensation for any loss or damage to the BUYER resulting from such
cancellation/rescission and the BUYER shall be entitled to deduct the amount so payable
from the money(s) due to the BIDDER.
(vii) To debar the BIDDER from participating in future bidding processes of the BUYER or
any of its Subsidiaries for a minimum period of five years, which may be further extended
at the discretion of the BUYER.
(viii) To recover all sums paid, in violation of this Pact, by BIDDER(s) to any middleman or
agent or broker with a view to securing the contract.
(ix) Forfeiture of Performance Bond in case of a decision by the BUYER to forfeit the same
without assigning any reason for imposing sanction for violation of this Pact.
(x) Intimate to the CVC, IBA, RBI, as the BUYER deemed fit the details of such events for
appropriate action by such authorities.
6.2 The BUYER will be entitled to take all or any of the actions mentioned at para 6.1(i) to
(x) of this Pact also on the Commission by the BIDDER or any one employed by it or
acting on its behalf (whether with or without the knowledge of the BIDDER), of an offence
as defined in Chapter IX of the Indian Penal code, 1860 or Prevention of Corruption Act,
1988 or any other statute enacted for prevention of corruption.
6.3 The decision of the BUYER to the effect that a breach of the provisions of this Pact has
been committed by the BIDDER shall be final and conclusive on the BIDDER. However,
the BIDDER can approach the Independent Monitor(s) appointed for the purposes of this
Pact.
7. Fall Clause
7.1 The BIDDER undertakes that it has not supplied/is not supplying similar
product/systems or subsystems at a price lower than that offered in the present bid in
respect of any other Ministry/Department of the Government of India or PSU or any
other Bank and if it is found at any stage that similar product/systems or sub systems was
supplied by the BIDDER to any other Ministry/Department of the Government of India or
a PSU or a Bank at a lower price, then that very price, with due allowance for elapsed
time, will be applicable to the present case and the difference in the cost would be
refunded by the BIDDER to the BUYER, if the contract has already been concluded.
8. Independent Monitors
8.1 The BUYER has appointed Independent Monitors (hereinafter referred to as
Monitors) for this Pact in consultation with the Central Vigilance Commission (Names
and Addresses of the Monitors to be given).
……………………………
……………………………
……………………………
……………………………
8.2 The task of the Monitors shall be to review independently and objectively, whether
and to what extent the parties comply with the obligations under this Pact.
8.3 The Monitors shall not be subjected to instructions by the representatives of the
parties and perform their functions neutrally and independently.
8.4 Both the parties accept that the Monitors have the right to access all the documents
relating to the project/procurement, including minutes of meetings.
8.5 As soon as the Monitor notices, or has reason to believe, a violation of
this Pact, he will so inform the Authority designated by the BUYER.
8.6 The BIDDER(s) accepts that the Monitor has the right to access without restriction to
all Project documentation of the BUYER including that provided by the BIDDER. The
BIDDER will also grant the Monitor, upon his request and demonstration of a valid
interest, unrestricted and unconditional access to his project documentation. The same is
applicable to Subcontractors. The Monitor shall be under contractual obligation to treat
the information and documents of the BIDDER/Subcontractor(s) with confidentiality.
8.7 The BUYER will provide to the Monitor sufficient information about all meetings
among the parties related to the Project provided such meetings could have an impact on
the contractual relations between the parties. The parties will offer to the Monitor the
option to participate in such meetings.
8.8 The Monitor will submit a written report to the designated Authority of
BUYER/Secretary in the Department/ within 8 to 10 weeks from the date of reference or
intimation to him by the BUYER / BIDDER and, should the occasion arise, submit
proposals for correcting problematic situations.
9. Facilitation of Investigation
9. In case of any allegation of violation of any provisions of this Pact or payment of
commission, the BUYER or its agencies shall be entitled to examine all the documents
including the Books of Accounts of the BIDDER and the BIDDER shall provide necessary
information and documents in English and shall extend all possible help for the purpose
of such examination.
10. Law and Place of Jurisdiction
This Pact is subject to Indian Law. The place of performance and jurisdiction is the seat of
the BUYER.
11. Other Legal Actions
The actions stipulated in this Integrity Pact are without prejudice to any other legal action
that may follow in accordance with the provisions of the extant law in force relating to any
civil or criminal proceedings.
12. Validity
12.1 The validity of this Integrity Pact shall be from date of its signing and extend upto 5
years or the complete execution of the contract to the satisfaction of both the BUYER and
the BIDDER/Seller, including warranty period, whichever is later. In case BIDDER is
unsuccessful, this Integrity Pact shall expire after six months from the date of the signing
of the contract, with the successful bidder by the BUYER.
12.2 Should one or several provisions of this Pact turn out to be invalid; the remainder of
this Pact shall remain valid. In this case, the parties will strive to come to an agreement to
their original intentions.
13. The parties hereby sign this Integrity Pact at ________ on ________
For BUYER
Name of the Officer.
Designation
Office / Department / Branch
State Bank of India.
For BIDDER
CHIEF EXECUTIVE OFFICER
Witness
Witness
1.
2.
* Provisions of these clauses would need to be amended/ deleted in line with the policy of
the BUYER in regard to involvement of Indian agents of foreign suppliers.
(Note: This agreement will require stamp duty as applicable in the State where it is
executed)