How We Transformed the Network of a Stadium

A modern stadium demands thorough safety and security planning, and that planning includes a robust network infrastructure.

We were tasked with transforming the network infrastructure of a stadium in New Zealand to improve its security, performance and resilience to failure.

The existing design of the network infrastructure is shown below:

We identified the network's lack of redundancy as its main weakness: the Internet Edge/Firewall layer and the Core/Access switching layers each contained single points of failure that the new design had to remove.

Before presenting the complete design, let's look at each area of the proposed network infrastructure separately:

WAN / Internet

Highlighted Problems:

  • Risk of network failure or unavailability, because there was only a single connection to the Internet

Proposed Solution:

  • Introduce Internet redundancy (at least two Internet connections, from two providers)
  • Connect each Internet provider's equipment to the Core switches with two links per ISP, so that neither ISP depends on a single switch or a single firewall
  • Configure Internet High Availability on both firewalls
  • Configure the second WAN connection with SD-WAN (SD-WAN monitors the health of each WAN link and steers traffic across the links by policy at Layer 3 and above; it runs on the firewalls themselves, so no additional WAN hardware or WAN controller is needed)
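The dual-ISP arrangement above, as an added FortiOS CLI example (this is not configuration from the project): two WAN members in one SD-WAN zone, a ping health check against two targets, a priority rule that keeps traffic on the primary ISP while its probe passes and moves it to the secondary when it fails, and the static route and firewall policy that send LAN traffic to the zone instead of to one ISP gateway. Interface names (wan1, wan2, lan), gateway addresses and probe targets are assumptions, and FortiOS 7.0 syntax is assumed. In the final design the ISP handoffs land on the Core switches, so wan1 and wan2 would be VLAN subinterfaces on the firewall's aggregate link rather than physical ports.

```fortios
# Added example, FortiOS 7.0 syntax assumed. Interface names, gateways
# and probe targets are placeholders, not the site's real values.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        # member 1: primary ISP (assumed interface name and gateway)
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        # member 2: secondary ISP (assumed interface name and gateway)
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
        next
    end
    config health-check
        # Two probe targets, so one unreachable target is not treated as a dead link.
        # interval is in milliseconds; failtime/recoverytime count consecutive probes.
        edit "internet-probe"
            set server "1.1.1.1" "9.9.9.9"
            set protocol ping
            set interval 500
            set failtime 5
            set recoverytime 10
            set members 1 2
        next
    end
    config service
        # Priority mode: use member 1 while its probe passes, otherwise member 2,
        # and return to member 1 once it has recovered.
        edit 1
            set name "internet-by-priority"
            set mode priority
            set src "all"
            set dst "all"
            set health-check "internet-probe"
            set priority-members 1 2
        next
    end
end

# The default route points at the SD-WAN zone, not at a single ISP gateway.
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end

# The egress policy uses the zone as destination interface, so it does not
# need rewriting when the active member changes. "lan" is an assumed name.
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Check the result with `diagnose sys sdwan health-check` after pulling one ISP link: the member should show as dead after failtime probes and traffic should shift to the other member without any change to the policy or route.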

Proposed WAN/Internet Design:

Internet Edge/Firewalls

The Internet edge here consisted of the firewalls together with their WAN connections, the firewall-to-firewall (HA) connection and the connections to the Core switches.

Highlighted Problems:

  • The firewalls were configured for Active/Passive device High Availability over a single HA link, but no link failover was configured, so the loss of a data link would not trigger a switch to the redundant unit
  • The Internet link was connected to only one firewall, so the existing design had a single point of failure
  • The second firewall had only the local-network link and the HA link connected

Proposed Solution:

  • Migrate all firewall connections (ISP connection, Admin building connection, internal network connections, wireless access connections) to the Core switches
  • Duplicate all connections on the secondary firewall
  • Merge all local/WAN connections into one aggregated channel (802.1Q trunk), which requires reconfiguration of the firewall interfaces and IP policies
  • Build the aggregated channel from two physical links per firewall to increase the resilience of the firewall connections (one link to the top Core switch, the other to the bottom switch)
  • Configure link failover on the aggregated data link in addition to device failover; for this network we suggested two heartbeat interfaces on each firewall
  • Connect the firewall management ports (MGMT1) to the Core switches
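The firewall changes above (one LACP aggregate per firewall spanning both Core switches, the former point-to-point links converted to tagged VLANs on that aggregate, an Active/Passive cluster with two heartbeat interfaces and link monitoring, and a reserved management port), as an added FortiOS CLI example; this is not the project's configuration. Port names (port1, port2, port7, port8, mgmt1), VLAN IDs, addresses and the HA group ID are assumptions, and FortiOS 7.0 syntax is assumed. The Core side must terminate the two member links as a single LAG spanning both switches, which the stacked 3810M pair listed later can do. The same configuration, with only the priority changed, goes on the second unit; once clustered, the primary pushes the rest.

```fortios
# Added example, FortiOS 7.0 syntax assumed. Port names, VLAN IDs,
# addresses and the group ID are placeholders, not the site's real values.

# One LACP aggregate built from one link to each Core switch.
# min-links 1 keeps the aggregate up while either member link is alive.
config system interface
    edit "agg-core"
        set vdom "root"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        set lacp-speed fast
        set min-links 1
    next
end

# Each network that used to arrive on its own cable becomes a tagged VLAN
# on the aggregate (802.1Q trunk). Existing policies must be re-bound to
# these interface names; the old physical interfaces disappear from policy.
config system interface
    edit "isp1"
        set vdom "root"
        set interface "agg-core"
        set vlanid 901
        set ip 203.0.113.2 255.255.255.252
    next
    edit "isp2"
        set vdom "root"
        set interface "agg-core"
        set vlanid 902
        set ip 198.51.100.2 255.255.255.252
    next
    edit "admin-bldg"
        set vdom "root"
        set interface "agg-core"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "wlan-users"
        set vdom "root"
        set interface "agg-core"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
    next
end

# Reserved management port: excluded from cluster sync, so each unit keeps
# its own address and stays reachable whether it is primary or secondary.
config system interface
    edit "mgmt1"
        set ip 10.0.99.11 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Active/Passive cluster. Two heartbeat links (priorities 50 and 100) so a
# single failed cable cannot split the cluster. Monitoring "agg-core" means
# a single link loss is absorbed by LACP, while losing both links on the
# primary triggers device failover to the unit that still reaches the Core.
# The secondary unit gets the same block with, e.g., "set priority 100".
config system ha
    set group-id 7
    set group-name "stadium-edge"
    set mode a-p
    set password "replace-with-a-strong-shared-secret"
    set hbdev "port7" 50 "port8" 100
    set session-pickup enable
    set link-failed-signal enable
    set override disable
    set priority 200
    set monitor "agg-core"
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            set gateway 10.0.99.1
        next
    end
end
```

Verify with `get system ha status` on both units, then test each failure mode separately: pull one member of agg-core (expect no failover, LACP carries on), pull both members on the primary (expect failover), and pull one heartbeat cable (expect the cluster to stay intact on the remaining heartbeat).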

Proposed Internet Edge/Firewalls Design:

Wireless Controllers and Equipment

Highlighted Problems:

  • The AirWave Management Platform was not configured properly: the RAPIDS service had a huge number of rogue-access-point alarms, and certificates were out of date
  • The Mobility Controllers were connected to one of the access switches instead of the Core switches, which significantly reduced service reliability. Moreover, some of the controller uplinks to the Core switches were disabled, so the controllers had lost their connection redundancy
  • The number of licences on the second Controller was insufficient to carry the load if the main one failed
  • Some SSIDs shared VLANs, so when one network was attacked and flooded, the secured networks on the same VLAN were affected as well
  • The DHCP server for one of the main LANs (AP management) was configured on only one of the Wireless Controllers; if the Access Points switched to the redundant Wireless Controller, they could not obtain IP addresses
  • The AMP licences were about to expire

Proposed Solution:

  • Reconfigure the AirWave Management Platform
  • Use at least two separate NICs for the AirWave Management Platform and connect the AirWave Management Platform network to the Core switches with two links
  • Group all SSIDs into Virtual APs, each mapped to its own VLAN, so that a flood on one network cannot reach another
  • Connect every Controller to the Core switches with two links (one to the top switch, the other to the bottom switch); we strongly recommended configuring these connections as aggregated trunk links
  • Add the DHCP configuration to the second Wireless Controller, then check and clean up all controllers' configurations

Proposed Design for Wireless Controllers and Equipment:

Proposed Network Infrastructure:

The proposed IT system consisted of:

  1. LANs

1.1. Site

  • Firewall FortiGate 400D
  • Aruba 7210 Mobility Controller
  • Core/Distribution switches Aruba 3810M-16SFP+-2-slot
  • AirWave Management Platform 8.2.3

1.2. Race Track

  • Access switches Aruba JL255A 2930F-24G-PoE+-4SFP+
  • Wireless access points Aruba 207 series
  • Wireless access points Aruba 274 series
  • Wireless access points Aruba 325 series
  • Wireless access points Aruba 275 series
  • Wireless access points Aruba 315 series
  • CCTVs

  2. Internet Connection

2.1. Primary Internet Service Provider

2.2. Secondary Internet Service Provider

  3. Security

2 x Firewall FortiGate 400D with Device/Link Failover

  4. Switching

4.1. Collapsed Core: two Aruba 3810M 16SFP+ switches stacked via the stacking module

4.2. Access Layer: six 24-port GigabitEthernet + 4SFP+ switches, each connected to the Core switches

  5. WiFi Services

5.1. AirWave Management server

5.2. Aruba Mobility Controllers in all-masters mode, with primary/backup LMS IP redundancy for the access points

5.3. WAPs

While improving IT infrastructure, one must keep it cost-efficient while optimising the load, performance and security of the network. It is also important to note that no matter how robust the infrastructure is, good maintenance and security practices must be in place.

This article highlights the aspects of the network infrastructure proposed for a stadium in New Zealand that can be shown schematically. Further details, including more technical aspects of the network design such as the core layer with its connection matrix, the access layer with its switching equipment, SSID configuration on the mobility controllers, and the access point calculations and WAP distribution, are outside the scope of this article. If you want to know more about this stadium network design, contact us!