Sporveien AS is a municipal company that has been operating the public transportation in Oslo for nearly 150 years. Today, the characteristic light-blue trams are an integral part of both the city's rich history and its sustainable, cost-efficient future. To support the latter, Netsecurity is modernizing Sporveien’s large network infrastructure with Extreme’s purple equipment and solutions to great effect, making it easier to manage, less error-prone, and more secure.
With approximately 3,300 employees, 217 million single journeys made in 2022 and a turnover of NOK 5 billion (around EUR 430 million), Sporveien AS is by far the largest and most prominent provider of public transport in all of Norway. The company, fully owned by the Oslo municipality, is responsible for maintaining, managing and developing the entire infrastructure linked to the subway and trams in the Greater Oslo Region, as well as a large portion of the tender-based bus traffic in southern and central parts of the country. The list includes rails, five subway lines, stations, tunnels, signaling systems and other properties, as well as the maintenance of trams and subway cars.
True to its vision and mission, which is delivering more value for the money by transporting as many satisfied passengers as possible – quickly, safely and at the lowest possible cost to society and the environment – the company has been continuously developing and adapting to the growing needs of local communities. Over the last decade, Sporveien AS has run services more efficiently through two strategy periods: ‘Best 2015’ and ‘Best 2020’. Results? A constantly growing quality of services and operational savings exceeding EUR 100 million annually, compared to 2011.
To further lower costs, increase revenue, and drive a better public transportation system in general, Sporveien AS decided to carry out a comprehensive, end-to-end modernization of the network infrastructure, beginning in 2021. The scope of the project included everything from the network core with firewall to the network edge for all of the company's 43 locations. The main objective? To create a flexible, cost-efficient, resilient, and secure foundation that would accommodate the company’s needs of both today and tomorrow.
The solution of choice: Fabric-to-the-Edge
Back in the day, Sporveien’s IT team would have to rely on a traditional network built around VLANs. As time went by and the company’s IT environment grew more and more complex, limitations of the legacy solution, stemming from the rigid and sophisticated architecture, became more and more apparent. For example, deploying new services each time required configuring as many as 100 network switches. Not only did it eat through the IT budget and resources, but it also created a considerable risk of human error, resulting in potential network downtime. The use of IP addressing also posed a certain threat from the security perspective.
Enhancing security and resiliency, on the other hand, can negatively impact the simplicity and agility of the network, which in turn tends to drive the operational costs up. To break free from this rather vicious cycle, Sporveien’s IT team understood they needed a completely new approach. It became clear that a new network based on the Shortest Path Bridging (SPB) protocol, IEEE 802.1aq, would be a perfect fit, especially considering redundancy in a demanding physical cabling infrastructure, with independent services (I-SIDs) on top.
During the tender, some of the participants proposed Extreme Fabric Connect, the industry’s leading SPB technology from Extreme Networks, as a base for the new solution. Initially, the company considered a fairly traditional approach with Fabric switches in the core and EXOS switches on the network edge. Eventually, Netsecurity, one of Norway's leading suppliers of services and solutions within IT security and infrastructure, came up with a far more elegant and comprehensive solution.
“After a careful study of Sporveien’s needs and challenges, we asked ourselves: ‘why couldn’t we extend the simplicity of fabric networking to all those production and maintenance locations like workshops or traffic control centers?’ Together with the customer we decided that in order to achieve the desired level of cost-efficiency, redundancy, and security, we wanted to base the new solution on Extreme Fabric Connect from the network core all the way up to the access switches and Wi-Fi”, says Frode Slangsvold, Senior Network Security Engineer at Netsecurity, who boasts more than ten years of experience with Extreme’s fabric solution.
“We didn't want to make it too complicated. If you make it complicated, things will stop working after a while, and you just end up with a complicated network on your hands. It’s fairly easy to make a network more complex, but eliminating those complexities was crucial for us in regards to basically everything, including managing, operating, troubleshooting, and deploying services”, adds Gunnar Gulberg, Network Manager at Sporveien AS.
The ability to do more, faster
Considering the nature of Sporveien’s operation – its key role in the functioning of the municipality and its citizens, a large number of geographically dispersed locations, all connected to the production network, and last but not least, the sheer amount of work needed to be done around the transport infrastructure each day – the need for operational efficiencies and cost savings couldn’t be more apparent. And that’s where the first big advantage of the new SPB network is shining through.
Today, with the Extreme Fabric Connect solution in place, Sporveien’s IT team is enjoying much faster and far easier onboarding of new equipment, applications, services, and users. The foundation of this automation lies in the auto-sense ports feature.
Fabric edge switches from Extreme support a full ‘zero-touch’ deployment. It means that when switches are deployed, all ports are automatically auto-sense enabled by default – they're just up and running. Next, the switches create an onboarding I-SID, essentially allowing anything that connects to this infrastructure, including other SPB nodes or client devices, to be automatically onboarded to the network management infrastructure. This service is created by default.
What does it mean in practice? For one, there’s no need to send a highly-qualified network engineer on site every time there is a need for a network change.
“It really comes in handy for our production network, especially when the employees are working night shifts. Network engineers don’t need to be there, they can ask electricians to just plug in a switch and once they show up for work next morning, it’s already there, working like a charm. Our network team is just two people, so if anything should happen and we’d be away or unavailable, basically anybody in the office can take the switch, drive up to the location, replace the device and it’ll be up and running in just a couple of minutes”, says Gunnar Gulberg.
Agility and scalability
What’s also crucial in Sporveien’s case is that the new network solution not only greatly simplifies moves, adds and changes, but also makes it easier to connect existing, traditional networks through the fabric or extend the fabric network to third-party locations over any type of connectivity and network topology.
“We have had a case with our partner who was not connected to our network, a bus company with many locations spread all over Oslo, requiring access to the Internet. We couldn't have done that earlier, at least not without a tremendous amount of work. Now, we are able to deliver the same service as we do here in the office or anywhere in the network, almost instantly instead of three weeks”, says Gunnar Gulberg.
“What we essentially did was extend the native fabric services to the partner’s locations over a private IP VPN connection using VXLAN tunnels, going over from the edge far away to the firewall and providing the same automation and security benefits as in Sporveien’s locations. Instant onboarding enabled their devices to automatically attach to the fabric and be provisioned with new services. Most importantly, it was done with just a few clicks, because it's fabric to the edge, even over layer 3 connections. With the legacy solution, all of that would require lots of work in terms of routing, IPsec and so on”, Frode Slangsvold explains.
More redundancy, less complexity
Any system is only as good as its reliability – this universal truth applies to both public transportation and IT networks. In Sporveien’s case, achieving better resilience and redundancy of critical network infrastructure to reduce downtime was paramount to the modernization project.
Earlier, the company had to rely on routing protocols with spanning tree and switch clustering, which provided some level of redundancy, but only in the central parts of the city. Today, the risk of network downtime related to the integration of equipment is significantly reduced across the entire infrastructure.
“With the new solution in place, it’s not dangerous to automate Sporveien’s network anymore, because you are only touching the edge. The automatic process for onboarding switches also ensures that there are no loops, and that's because of the Fabric Connect solution in the backbone. As a result, the company doesn’t need to worry about the loops or human error”, says Frode Slangsvold.
The thing about enhancing network redundancy is that it often comes at a certain price – be it actual costs or an increased level of complexity (which, again, translates into costs). Traditionally, businesses and organizations would need to ask themselves the age-old question: how far are we really willing to go to be really redundant? However, as an added benefit, the introduction of the new fabric solution enabled Sporveien to utilize their existing fiber connections for redundancy more effectively, increasing the return on that particular investment. Thanks to the plug-and-play functionality, almost everything is redundant, even at the network edge.
“Shortest Path Bridging technology makes it a lot easier to build redundancy in challenging physical environments like the one at Sporveien’s, without making it more difficult to maintain and manage. Today, the customer can enjoy both a simple network and redundancy for critical services. This is fabric networking at its finest”, Frode Slangsvold adds.
The saved time can be used to focus on more strategic tasks and on introducing further innovations in the IT area. But maybe more importantly, it translates into tangible efficiencies that save Sporveien money, resources, and reputation.
“Earlier the downtime times were longer. And if some of our critical locations like the ones responsible for managing the metro or tram systems couldn’t do their job in the morning, there would be a lot of delays in the traffic, resulting in actual fines that our organization would normally need to pay. So this means savings are all around”, Gunnar Gulberg adds.
Network security
As for just about any public transportation company, network security is naturally top of mind for Gunnar Gulberg and his colleagues from the IT team. The implemented solution addresses this need in an interesting fashion. First of all, the network is logically segmented into separate networks for network administration, management, and technical tasks for transport leaders, such as overseeing traffic and controlling all the trains.
“It's not possible to reach the service layers of the network from the management layer of this fabric. You can connect to whatever port you like and because of the very way the fabric is built, you'll never reach the management. That's a significant security achievement on its own”, says Frode Slangsvold.
What makes this particular case even more interesting is that Netsecurity basically built this fabric network on layer 2 only. This means that there are no VLANs and no IP addresses that potential attackers could exploit to gain access to Sporveien’s network.
One of the things the customer also wanted to introduce was network access control, which now covers about 98% of all the ports in their network. The implemented ExtremeControl solution provides Sporveien with a centralized in-depth control over all endpoints across their network. The ability to locate, authenticate, and apply targeted policies to users and devices has been key to further increasing Sporveien’s network security posture.
A high-performing and easy-to-manage Wi-Fi
To accommodate a mobile and flexible work environment, one of Sporveien’s top priorities for the network modernization was to rethink the wireless part of the infrastructure as well. Gunnar Gulberg and his colleagues didn’t want Wi-Fi to just serve as a primary access method for employees – its intended purpose would go far beyond that.
“At the basic level, we wanted to have a seamless connectivity in every corner of every office, for all the employees. We also wanted to expand the wireless network to cover the carriage maintenance areas, which are very big. Additionally, whenever a tram stops at any of the stations, we use that moment to collect data from it and deliver it to the transport leaders. So we needed good coverage and capacity in some rather challenging environments, both indoors and outdoors”, says Gunnar Gulberg.
To support that vision, Netsecurity rolled out more than 600 Wi-Fi 6 access points from Extreme. The new wireless infrastructure was redesigned in a way that maximizes the capabilities of the devices. Crucially, the industry’s first software-defined 802.11ax access points support not only a dual 5 GHz capability, but also two software-programmable modes, allowing Sporveien’s IT team to optimally manage radios to provide the highest level of client performance. All that can be done very easily, either locally or in the cloud with the implementation of the ExtremeCloud IQ management platform suite.
A next-gen management and analytics platform to handle it all
When you’re dealing with an IT environment that is as large and complex as the one at Sporveien’s, centralized and unified network management goes a long way in helping the IT team work more efficiently and meet the escalating business demands.
To that end, Sporveien decided to implement ExtremeCloud IQ – Site Engine, an end-to-end network management platform that allows task automation, real-time analytics, service assurance, and orchestration – all from a simple, flexible, and easy-to-consume dashboard that provides a view of the entire network and all network devices, without having to piece together multiple applications.
Finally, the implementation of the ExtremeAnalytics solution provided Sporveien with centralized, comprehensive insight into all user applications running in their network, and how they perform against the overall network performance. This helps the network operators pinpoint exactly which application requires troubleshooting or… whether it requires an intervention in the first place.
“We sometimes hear people complaining about slow network connection, when, in reality, it’s not so much a network issue as it is an application issue. Earlier it would take us a lot of time to prove the network’s innocence, now we can just take a quick peek into the ExtremeAnalytics and see that there’s this one application that’s responding slowly or not responding at all. We’re no longer in the dark and can fix issues a lot faster this way”, Gunnar Gulberg concludes.
About Netsecurity
Netsecurity is a Norwegian-owned company delivering its services from Norway and Sweden. We currently employ around 150 people and have offices in Oslo, Kristiansand, Grimstad, Stavanger, Bergen and Stockholm.
For several decades, Netsecurity has offered expertise, solutions and innovative services within IT security in the Norwegian market. We help businesses detect and stop attacks, and minimize both consequences and costs. Our experts include strategic advisors, security consultants, product specialists, penetration testers and ethical hackers. The expertise and services we offer contribute to our customers being better prepared and protected against serious attacks from the outside.
We include IT security in everything we do, from pure security services to thinking about security in other IT services, and thereby safeguarding security in the entire value chain for our customers. Our IT experts are available 24/7 - 365 days a year.
Merging with Data Equipment in 2023
During spring 2023, Netsecurity and Data Equipment merged, becoming one of Norway's largest IT security companies. Data Equipment was founded in 1983, and like Netsecurity, has delivered cutting-edge expertise and services throughout the digital customer journey since the very start.