SPAC AV Network Vision
Goals
- Allow SPAC staff to access AV resources
- Use facility wifi infrastructure for new AV equipment
- Reduce physical network complexity by moving to VLANs
- Simplify management of facility AV
Virtual Layout
The networks use the following VLAN layout:
- ??: SPAC Internal
- 05: SPAC Visitor
- 21: Control Network
- 22: Lighting Network
- 23: Video Network
- 24: Comms Network
- 25: AVoIP (SVSI) Network
- 26: Dante A Network (future)
- 27: Dante B Network (future)
Physical Layout
There are three primary physical networks – the auditorium network, SPAC’s network, and the EIPS network. The EIPS network is mostly out of scope except as a connection to the public internet.
One of the main goals of this proposal is to integrate the auditorium network into the rest of SPAC’s network in a secure way, and the proposed layout makes this possible.
|========================|
| AV EdgeRouter |
|========================|
||
|========================| |========================| |========================|
| AV Stage Switch | <==> | AV Core Switch | <==> | AV Control Room Switch |
|========================| |========================| |========================|
|| ||
|========================| |========================| |========================|
| AVoIP Switch | | AV Secondary Switch | <==> | SPAC Core Switch |
|========================| |========================| |========================|
|| || ||
|========================| |========================| |========================|
| Control Switch | | Dante A | | EIPS Core Switch |
|========================| |========================| |========================|
|| || ||
|========================| |========================| |========================|
| Lighting Switch | | Dante B | | Internet |
|========================| |========================| |========================|
AV Core Switch
The AV Core Switch is a Netgear GSM4248PX, and is located in the left-hand AV rack. It can assign the following VLANs:
- SPAC Internal: for the Projection Mac Studio
- SPAC Visitor: for video / comms network internet access
- Control Network: uplink to the control switch – allows other AV switches to extend the control network
- Lighting Network: uplink to the lighting switch (via the control switch) – allows other AV switches to extend the lighting network
- Video Network: for in-rack video equipment
- Comms Network: for in-rack comms equipment
- AVoIP Network: uplink to the AVoIP switch – allows other AV (and SPAC) switches to extend the AVoIP network
- Dante A Network: uplink to the Dante A network – allows other AV switches to extend the Dante network.
DHCP for the AV Core Switch is provided by an attached Ubiquiti EdgeRouter. The EdgeRouter maintains a DHCP reservation list for all of our AV equipment.
AV Stage Switch
The AV Stage Switch is a Netgear GSM4230PX, and is located under the stage. It can assign the following VLANs:
- SPAC Visitor: allows stage computers to access the internet (if needed)
- Control Network: allows on-stage equipment to be powered on and off remotely
- Lighting Network: enables on-stage lighting ports
- Video Network: enables on-stage video ports
- Comms Network: for future expansion (for instance, allowing comms in the rehearsal room)
- AVoIP Network: enables on-stage AVoIP ports (for instance, for computer video input or output on-stage)
AV Control Room Switch
The AV Control Room Switch is a Netgear GSM4230PX, and is located in the control room rack. It can assign the following VLANs:
- Control Network: enables AMX touchscreen support in the control room and power-on-LAN for AV PCs in the room
- Video Network: enables video network access for control room video equipment
- Comms Network: enables comms network access for control room comms equipment
- AVoIP Network: enables control room AVoIP equipment
- Dante A: enables audio recording PC local access and stream monitoring
AVoIP Switch
The AVoIP Switch is a Cisco SG500X switch, and is located in the left-hand AV rack. Its connections can be identified by green ethernet cable. It can only assign the AVoIP VLAN, but passes through all other VLANs over its trunk ports. It is linked to the AV Core Switch with two 10gbps copper SFPs. Its clients are entirely AMX SVSI encoders and decoders.
Control Switch
The Control Switch is a Cisco SG300 switch, and is located in the left-hand AV rack. Its connections can be identified by yellow ethernet cable. It can only assign the Control VLAN, but passes through lighting VLANs over its trunk ports. It is linked to the AVoIP Switch with a 1gbps copper SFP. Its clients include:
- AMX Touchscreens
- AMX Relay Controllers
- PCs
Lighting Switch
The Lighting Switch is a Cisco SG300 switch, and is located in the right-hand M21 AV rack. Its connections can be identified by black ethernet cable. It can only assign the Lighting VLAN, and does not pass through other VLANs’ traffic. It is linked to the Control Switch with a 1gbps fiber SFP. Its clients include:
- Architectural Controls
- Lighting DMX Gateways
- Lighting PC
- Lighting Touchscreen
AV Secondary Switch
The AV Secondary Switch is a Unifi 16-port POE switch [currently dedicated to SPAC networking], and is located in the right-hand AV rack. It can assign the following VLANs:
- SPAC Internal: enables wifi access to the SPAC Staff network via auditorium and atrium access points
- SPAC Visitor: enables wifi access to the SPAC Guest network via auditorium and atrium access points
- Control Network: enables control network access in the right-hand AV rack.
- Lighting Network: enables lighting network access in the right-hand AV rack.
- Video Network: enables video network access in the right-hand AV rack
- AVoIP Network: enables AVoIP network access in the right-hand AV rack.
Its clients include:
- Auditorium and Atrium Wifi Access points
- Lighting PC (LX + Control + Video)
- SVSI encoders
It is linked to the AV Core Switch using a 10gbps-capable copper SFP running at 1gbps. It is linked to the SPAC Core Switch via a fiber SFP [which will need to be installed in the future].
Dante A
The Dante A Switch is a Cisco SG300 24-port POE switch, and is located in the right-hand AV rack. Its connections can be identified by red ethernet cable. It can only assign the Dante A VLAN, but passes through the Dante B VLAN over its trunk ports. It is linked to the AV Secondary Switch by a 1gbps copper connection [until we upgrade the AV Secondary Switch, at which point we’d go to fiber]. Its clients are all audio equipment.
Dante B
The Dante B Switch is a Cisco SG300 24-port POE switch, and is located in the right-hand AV rack. Its connections can be identified by red ethernet cable. It can only assign the Dante B VLAN. It is linked to the Dante A Switch by a 10gbps copper SFP running at 1gbps. Its clients are all audio equipment, and Dante B acts as a redundant physical layer for critical audio connections.
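The per-switch VLAN lists and links above can be checked mechanically before any trunk is configured. The following is an added example, not part of the original plan: it transcribes those lists and the links from the switch descriptions and layout diagram, then reports any VLAN whose switches do not form one connected group. It assumes each list is the complete set of VLANs that switch carries; the lowercase switch names are labels chosen here.

```python
# Added example: VLAN lists and links transcribed from this page.
# Assumption: a switch carries only the VLANs listed for it (assigned or passed through).
# "??" is SPAC Internal, whose VLAN ID the page leaves open.
ALL = {"??", "05", "21", "22", "23", "24", "25", "26", "27"}
ASSIGNS = {
    "core": {"??", "05", "21", "22", "23", "24", "25", "26"},
    "stage": {"05", "21", "22", "23", "24", "25"},
    "control_room": {"21", "23", "24", "25", "26"},
    "avoip": {"25"},
    "control": {"21"},
    "lighting": {"22"},
    "secondary": {"??", "05", "21", "22", "23", "25"},
    "dante_a": {"26"},
    "dante_b": {"27"},
}
# Pass-through only: AVoIP passes all VLANs, Control passes Lighting, Dante A passes Dante B.
TRANSIT = {"avoip": ALL, "control": {"22"}, "dante_a": {"27"}}
LINKS = [("core", "stage"), ("core", "control_room"), ("core", "avoip"),
         ("avoip", "control"), ("control", "lighting"), ("core", "secondary"),
         ("secondary", "dante_a"), ("dante_a", "dante_b")]

def carries(switch, vlan):
    return vlan in ASSIGNS[switch] or vlan in TRANSIT.get(switch, set())

def islands(vlan):
    """Connected groups of switches carrying `vlan` that contain an assigning switch."""
    pending = {s for s in ASSIGNS if carries(s, vlan)}
    groups = []
    while pending:
        stack, group = [pending.pop()], set()
        while stack:
            sw = stack.pop()
            group.add(sw)
            for a, b in LINKS:
                if sw in (a, b):
                    peer = b if sw == a else a
                    if peer in pending:  # peer carries the VLAN and is unvisited
                        pending.discard(peer)
                        stack.append(peer)
        if any(vlan in ASSIGNS[s] for s in group):  # ignore transit-only groups
            groups.append(group)
    return groups

def partitioned_vlans():
    return sorted(v for v in ALL if len(islands(v)) > 1)

if __name__ == "__main__":
    print("split VLANs:", partitioned_vlans())
```

Under that assumption VLAN 26 comes out split: the Dante A Switch hangs off the AV Secondary Switch, whose list has no Dante A entry, so the AV Core and Control Room Dante A ports would not reach it.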
Additions to SPAC Network
AVoIP
There are currently two AVoIP connections near the SPAC offices: the nursing mothers’ room (across from the office) and AV distribution (in the SPAC server room). Both are very close to the SPAC core switches and quite far from the AV switches. It would be ideal to extend VLAN 25 out of the auditorium to all the places where AMX SVSI encoders and decoders are placed.
This should later extend to the SVSI boxes placed behind each digital signage TV around the building – this will allow remote automation of these units.
Video
Some office staff need access to resources on the video network – in particular, Felipe needs the ability to pull video off of AV hardware located in the auditorium from the Mac in his office. macOS has native VLAN support, so it’d probably be easiest to convert the port in his office to a trunk and add VLAN 23 – from there, he’ll be able to access the video network while ensuring that video equipment has no access to anything that’s SPAC-internal. Once we’re able to upgrade the AV Secondary Switch, he’ll be able to take advantage of the 10gbps link on his office machine to pull data from multiple cameras simultaneously.
Security
We need to be sure that AV equipment has no access to SPAC-internal equipment. Some rules that will ensure that:
- Remote access to AV equipment must be via its native VLAN.
- AV networks can optionally access the internet, but only via the SPAC visitor network VLAN.
- The SPAC Internal network is only available to the Projection Mac Studio (so that SPAC Staff can share content to it over the network) – it can’t be accessed by any other device.
Wifi Access for AV Networks
Video Network
There should be a dedicated SSID that allows our cameras and robots to join the Video Network (VLAN 23). Clients will receive an IP address in the 10.0.23.0/24 range from the DHCP server running on the EdgeRouter. The SSID should be called SPAC Video and the password should be V34ZrN. Devices connected to this network will be able to access the internet via the SPAC visitor network.
Comms Network
There should be a dedicated SSID that allows mobile clients to join the Comms Network (VLAN 24). Clients will receive an IP address in the 10.0.24.0/24 range from the DHCP server running on the EdgeRouter. The SSID should be called SPAC Comms and the password should be SPAC-comms-01. Devices connected to this network will be able to access the internet via the SPAC visitor network.
Tech AV Networks
There should be an SSID that allows the technical team to access any of the AV networks. Clients will receive an IP address in the 10.0.0.0/24 range from the DHCP server running on the EdgeRouter. The SSID should be called SPAC Tech and should use RADIUS authentication – a list of users will be provided separately. These users will be SPAC staff and volunteer technical leads. Devices connected to this network will be able to access the internet via the SPAC internal network.