Network Administrator introduces a new wrinkle

Thanks for posting this, Erich -- very timely and potentially immensely impactful to all of us. My first suggestion would be something already posted above: no campus WiFi in the theater.

I have not run into this very scenario, but I recently helped convince a major hospitality firm here in Vegas to create a standard for new construction whereby all new venues (and existing venues, as they are upgraded) must have a dedicated A/V/L network that doesn't touch the corporate network and has a dedicated tunnel to the outside world (via a dedicated cable modem). Educating the corporate IT folks about the protocols show networks employ has also been very helpful: I find that once you mention multicast, port forwarding and IGMP (with snooping!), they quickly agree to a separate, dedicated network.

Good luck, and please keep this thread updated as you sort through this -- I am curious how it all turns out.
 
Another tag on the end here:

Your network and WLAN configuration will be complicated a bit further: You're going to have production people, who need access to the production-net *and* the Internet, and you'll probably have guests who need Internet access, but shouldn't be allowed to even know the production net exists.

This almost requires a 3-port router with VLAN, and wifi nodes also with VLAN and multi-SSID support, to *really* do it properly.

I would probably do it with a WatchGuard, and UBNT Unifi flying saucers, myself...
 
Jay's described situation is what I've ended up with here. My phone ends up on the regular VLAN, but my user privileges grant me access to the theatre VLAN. It CAN be done, you just need the network guys to be willing to work with you.
 
This isn't a manufacturer reference, but note in this article that the issue we're discussing -- systems to look for rogue APs and attack their connections -- is *recommended* by PCI DSS (the credit card security council) for networks that process card transactions:

https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system

In the article it says: "WIPS should understand the difference between rogue APs and external (neighbor's) APs".
This is the issue. The isolated and dedicated Sound and Lighting system WAPs are 'the neighbors', not 'rogue WAPs'. I am beginning to think the System Admin for the School District doesn't get the difference. Well, if their approach doesn't work, I'll fall back to 'splainin' this to them, again.

You mentioned Aruba, and yes, this is their system they are using.

Having worked at many schools that have a policy for everything, usually there isn't anyone high enough up to make a decision that overrides a district wide capital improvement, which is what I assume this is.
You are correct.

You can easily test the search and destroy protocol they have, but my understanding is they need to be on the same wired network in order to work. They can't kill rogue access points that are just close by.
Yes, this is the situation. The dedicated Lighting and sound WAPs were planned to be 'close by', not a part of their system.

You should easily be able to run your own wired network and have your own physically hidden APs. Like put them in a black cardboard box in the catwalk. I'd recommend making the SSID hidden and obscure like Netgear123, just in case there is an inspection.

Well if the cat wasn't already out of the bag that our WAPs would exist, that is what we would recommend. Too late for that, though. They know.

Thanks to everyone for the input. It's helping me clarify the situation. I'll report back once the dust settles.
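An added example, not from the thread and not Aruba's or any other vendor's actual logic, of the rogue-versus-neighbor distinction the quoted article and the "same wired network" point above are getting at: an AP seen over the air is only classed as a rogue when it can be correlated with the protected wired side, either because its BSSID sits within a small offset of a MAC learned on a district switch port, or because a client associated to it over the air also shows up on the wire. Anything else is a neighbor, which is exactly where a physically separate Lighting/Sound AP lands. The BSSIDs, the switch MAC table, the SSIDs and the offset threshold are all constructed for illustration.

```python
"""Classify over-the-air BSSIDs as authorized / rogue / neighbor by wired correlation.

Added illustration of the WIPS distinction discussed in the thread; it is not any
vendor's algorithm. Every address below is made up.
"""
from dataclasses import dataclass, field

# Assumption (illustrative, not a vendor constant): a consumer AP's BSSIDs usually sit
# within a few addresses of its wired MAC, so a BSSID this close to a MAC on the wire
# is treated as "this AP is plugged into our network".
MAC_OFFSET_MAX = 16


def norm(mac: str) -> str:
    """Normalise a MAC to lowercase colon form so set lookups work regardless of input style."""
    return mac.lower().replace("-", ":")


def mac_int(mac: str) -> int:
    return int(norm(mac).replace(":", ""), 16)


@dataclass(frozen=True)
class ObservedAp:
    bssid: str
    ssid: str
    clients: frozenset = field(default_factory=frozenset)  # client MACs seen associated over the air


def wired_correlated(ap: ObservedAp, wired_fdb: set) -> bool:
    """True if the AP can be tied to the protected wired network:
    its BSSID is numerically adjacent to a MAC learned on a switch port, or a client that
    is associated to it over the air is also present in the switch forwarding table."""
    b = mac_int(ap.bssid)
    if any(abs(b - mac_int(m)) <= MAC_OFFSET_MAX for m in wired_fdb):
        return True
    return bool({norm(c) for c in ap.clients} & wired_fdb)


def classify(aps, authorized_bssids, wired_fdb):
    """Return {bssid: 'authorized' | 'rogue' | 'neighbor'}.

    authorized_bssids: the district's own managed APs.
    wired_fdb: MACs learned on the district's switch ports (the protected wire)."""
    auth = {norm(b) for b in authorized_bssids}
    fdb = {norm(m) for m in wired_fdb}
    verdicts = {}
    for ap in aps:
        b = norm(ap.bssid)
        if b in auth:
            verdicts[b] = "authorized"
        elif wired_correlated(ap, fdb):
            verdicts[b] = "rogue"      # bridged onto the protected wire: containment is defensible
        else:
            verdicts[b] = "neighbor"   # RF-adjacent only: not on our wire, so not ours to attack
    return verdicts


# Constructed sample data for the scenario in the thread.
DISTRICT_APS = ["00:1A:1E:11:22:30"]            # district-managed AP (authorized list)
WIRED_FDB = {                                    # MACs learned on district switch ports
    "00:1a:1e:11:22:2f",   # wired side of the managed AP above
    "c0:ff:ee:00:00:10",   # unapproved consumer AP plugged into a classroom jack
    "02:11:22:33:44:55",   # laptop also seen associated to a bridged AP over the air
    "3c:52:82:00:00:01",   # ordinary desktop
}
OVER_THE_AIR = [
    ObservedAp("00:1a:1e:11:22:30", "DistrictWiFi"),
    ObservedAp("c0:ff:ee:00:00:11", "Classroom-AP"),                                # BSSID = wired MAC + 1
    ObservedAp("aa:bb:cc:dd:ee:ff", "FreeWifi", frozenset({"02:11:22:33:44:55"})),  # client is on the wire
    ObservedAp("b8:27:eb:aa:bb:c0", "Lighting", frozenset({"b8:27:eb:aa:bb:01"})),  # theater AP, own wire
    ObservedAp("d4:6e:0e:12:34:56", "NeighborHouse"),                               # house across the street
]


def demo():
    return classify(OVER_THE_AIR, DISTRICT_APS, WIRED_FDB)


if __name__ == "__main__":
    for bssid, verdict in demo().items():
        print(f"{bssid}  {verdict}")
```

Run as-is to see the five verdicts: the two theater-relevant cases (the Lighting AP on its own wire and the house across the street) come out as neighbors because nothing about them touches the district's switch table, while the classroom AP and the bridged "FreeWifi" box are rogues. A real sensor would feed observed BSSIDs and associated clients in from radio captures and the forwarding table from the switches; the classification rule is the same.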
 
I don't know that it's that they don't get it, Erich.

I think it's that their policy says "no SSIDs except those specifically authorized"... and no one has authorized them.
 
That's why I was pointing out that THEIR policy of "no SSIDs except those specifically authorized" should not, by law and regulation, supersede the FCC rules which prohibit active blocking of those SSIDs. I would kind of raise that point with them, and the school board, and it might not hurt to remind the school board that active blocking of non-intrusive signals has the potential to be expensive for them down the road should someone complain that their hotspot was squelched.
 
It's a people problem, not a tech problem. In addition to your technical requirements, you should detail the consequences of not having them. Are we talking inconvenience during rehearsal and programming, or significant risk to the smooth running of a show? You also need to acknowledge the good reasons backing their plan: an easier-to-manage network, better wireless performance throughout the school, an opportunity to upgrade their aging infrastructure for cheap because this company is offering them a deal.

How can you compromise? Does your wireless network require internet access? If so, assure them people can't use it as a backdoor around their firewalls and filtering. In addition to running your equipment, do the people in your space need/want wifi internet? If so, then you're going to need their hardware to support them because hell if you're going to play helpdesk when some conference attendee can't check Facebook.

You might not be the right person to convince the IT folks leading the charge that the wifi disruption feature is not worth the hassle - but they should be honestly evaluating the actual value here. Are they dazzled by a sales rep into solving a problem they don't even have? If you're stuck with it, team up with your IT crew to badger the vendor into supporting 'zoning' of the seek-and-destroy feature. There are other scenarios besides theatre where you might need ad-hoc wifi networks to pop up.

In any case, make sure they start with your area when they begin the rollout so you can work together to test your requirements ASAP.
 
Has the option of creating SSIDs with Audio and Lighting VLANs without access to the rest of the network, and by extension the internet, been discussed with IT? If they are going ham on security I could see MAC filtering being an obnoxious obstacle, but that's far from the end of the world. Are we talking console(s) access only here? Outside of that, I don't personally understand the level of concern raised on this thread. If you have to start integrating AV network traffic onto the venue's network that does bring a different batch of headaches, but even then my biggest frustrations with integrated networks come down to 2 things: low-level network engineers who fight with me on required settings (IGMP, QoS, and jumbo packets) and the BS method of discovery Audinate opted for.
 
  • Bluetooth also operates in the WiFi band, so will this 'seek and destroy' mess-up simple things like Bluetooth wireless keyboards, mice, and headsets? Will it disrupt a wireless sound feed from a guest's phone into our sound system?

Bluetooth is usually unaffected by the practice you describe. It is specific to WiFi.

  • Any WiFi band (2.4 or 5GHz) type DMX extenders become useless in this environment.
  • [...]
  • WiFi links between camera memory cards and bulk storage or a laptop will be shot to hell.
  • Any guest artist that might bring a WiFi or Bluetooth connection between their own equipment will be hammered into non-usability.

True, except for bluetooth.

  • Any casual use of a laptop or phone to create a local temporary WiFi hotspot is shot to hell.

That is often one of the goals. Usually, the IT department wants to avoid any sort of WiFi access it cannot control and filter, as a means of making their policy enforcement more effective by controlling gaming, messaging, file sharing, porn, and other prohibited sites.


What other gotchas might I need to look out for?

Open for comment. The systems aren't up and flying yet, but will be within a month or so. Fingers crossed.

If you are on an isolated segment of their network, then:
  • Sooner or later they will make a configuration mistake which breaks your system. Perhaps years from now, after personnel changes, when no one remembers why things are the way they are.
  • Sooner or later they will make a configuration mistake which undoes the isolation of your system.
  • It would be reasonable for you to ask them to provide an on-call list of IT people who can become involved in troubleshooting if there are problems controlling the lighting.
  • Sooner or later there will be an equipment failure that they will not notice because it only affects you.
  • Any emergency plans (e.g. lighting control during power failure) will have to consider the IT portion of the system.
Your best bet is to emphasize the extra on-call responsibilities, and ongoing planning responsibilities, they will take on. They can shut off what you call the "seek and destroy" feature on a location by location basis. Have them shut it off in the theater.
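An added example, not from the thread, of how to catch the "configuration mistake years from now" the post above warns about, and the three-zone design (production, guest, district) discussed earlier in the thread: a small scheduled check that encodes what should and should not be reachable from a box on each segment, and exits non-zero the day that stops being true. The addresses, ports and segment names are assumptions for illustration; substitute the ones from the agreed network design.

```python
"""Scheduled isolation check for a dedicated Lighting/Sound segment.

Added illustration, not from the thread. Encodes the agreed design as a list of
reachability expectations per vantage point and reports every one that no longer
holds. All addresses below are made up.
"""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    what: str
    host: str
    port: int
    reachable: bool  # what the agreed design says should be true from this vantage point


# Constructed addresses; substitute the real ones from the network design document.
EXPECTATIONS = {
    # run from a box on the production (lighting/sound) segment
    "production": [
        Expectation("lighting console web UI", "10.50.0.10", 80, True),
        Expectation("audio DSP web UI", "10.50.0.20", 443, True),
        Expectation("internet egress for production", "1.1.1.1", 443, True),
        Expectation("district file server", "10.1.0.5", 445, False),
        Expectation("guest segment gateway", "172.16.0.1", 80, False),
    ],
    # run from a box on the guest segment: production must not even be visible
    "guest": [
        Expectation("internet egress for guests", "1.1.1.1", 443, True),
        Expectation("lighting console web UI", "10.50.0.10", 80, False),
        Expectation("audio DSP web UI", "10.50.0.20", 443, False),
    ],
}


def tcp_probe(host, port, timeout=2.0):
    """Real probe: True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def table_probe(reachable_pairs):
    """Offline probe built from a constructed reachability table, for exercising the checker."""
    def probe(host, port):
        return (host, port) in reachable_pairs
    return probe


def check_isolation(expectations, probe=tcp_probe):
    """Return [(what, expected_reachable, observed_reachable)] for every expectation that fails.

    A reachable host that should be unreachable means the isolation has been undone;
    an unreachable host that should be reachable means someone broke the production path."""
    violations = []
    for e in expectations:
        observed = probe(e.host, e.port)
        if observed != e.reachable:
            violations.append((e.what, e.reachable, observed))
    return violations


# Constructed results: the network as designed, and two typical mistakes.
PROD_AS_DESIGNED = {("10.50.0.10", 80), ("10.50.0.20", 443), ("1.1.1.1", 443)}
PROD_AFTER_ROUTE_MISTAKE = PROD_AS_DESIGNED | {("10.1.0.5", 445)}  # stray inter-VLAN route
GUEST_AS_DESIGNED = {("1.1.1.1", 443)}
GUEST_ON_WRONG_VLAN = PROD_AS_DESIGNED  # guest SSID mapped onto the production VLAN


def main(argv):
    vantage = argv[1] if len(argv) > 1 else "production"
    violations = check_isolation(EXPECTATIONS[vantage])
    for what, expected, observed in violations:
        print(f"VIOLATION ({vantage}): {what}: expected reachable={expected}, observed={observed}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron on one host per segment (`python3 check.py production`, `python3 check.py guest`) and alert on a non-zero exit. The caveat a practitioner should keep in mind: a TCP connect only tests layer 4 reachability to one port, so a successful connect proves a leak, but a failed one does not prove isolation; multicast and UDP paths such as the show-control protocols themselves can still cross a boundary that this probe reports as closed, so pair it with the IT side's own VLAN and firewall audits rather than treating it as the whole check.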
 