CTF Cheat Sheet

Real Madrid Bernabéu Stadium Network Technologies

Software-Defined Access Overview

SDA uses one unified fabric to apply policy across both wired and wireless access.

  • Intent-based model: IT defines policy once and the fabric applies it consistently.
  • One converged fabric spans seating, concourses, hospitality, and operations areas.
  • Automates onboarding, segmentation, and access control for users and devices.
  • Carries key venue services: BMS, Vision Edge digital signage, app traffic, video, guest Wi-Fi, and operations traffic.

SDA Architecture

What this means in plain English: Users and devices can move across the stadium while keeping the same security policy.

  • Catalyst Center: Centralized "brain" used to design, provision, manage, and assure the network. It centrally manages configuration, policy, and monitoring for all switches in the campus fabric.
  • ISE: Identity Services Engine. Authenticates users/devices, assigns security groups, enables automated policy assignment using SGTs and TrustSec.
  • Fabric Edge Nodes: Access switches where end devices connect (wired ports and wireless APs). Encapsulate traffic into VXLAN tunnels.
  • Border Nodes: Gateways to external networks (data center, internet, WAN).
  • Control Plane Node: LISP map-server/map-resolver that maintains a centralized database of where each endpoint is currently attached in the fabric.
  • Underlay: Physical Layer 3 routed network using protocols such as IS-IS or OSPF.
  • Overlay: Virtual network using VXLAN and LISP so multiple isolated virtual networks (VNs) share the same physical infrastructure.
  • Fusion Router: Route-leaking between VRFs. Connects virtual networks to shared services (DHCP, DNS, NTP).
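The route leaking described for the fusion router, written out as an IOS-XE configuration. This is an added example, not the page's own or Cisco's reference configuration: the VRF names (SHARED_SERVICES, FANS_VN, OPS_VN), route targets, AS numbers, interfaces and prefixes are all assumptions. The security-relevant detail is which route targets each VN imports: the shared-services VRF exports one RT that both VNs import, while neither VN imports the other's RT, so fan and operations traffic stay isolated even though both reach DHCP, DNS and NTP.

```cisco
! Added example (not from the page): IOS-XE fusion router leaking a shared-services
! prefix into two SDA virtual networks. All names, numbers and addresses are assumptions.
!
! Shared services (DHCP/DNS/NTP) live here. It exports 65001:1000 and imports
! the RT of every VN that is allowed to reach it.
vrf definition SHARED_SERVICES
 rd 65001:1000
 address-family ipv4
  route-target export 65001:1000
  route-target import 65001:100
  route-target import 65001:200
 exit-address-family
!
! Fan/guest VN: imports only the shared-services RT, never 65001:200 (OPS_VN).
vrf definition FANS_VN
 rd 65001:100
 address-family ipv4
  route-target export 65001:100
  route-target import 65001:1000
 exit-address-family
!
! Operations VN (BMS, signage, ops staff): same pattern, never imports 65001:100.
vrf definition OPS_VN
 rd 65001:200
 address-family ipv4
  route-target export 65001:200
  route-target import 65001:1000
 exit-address-family
!
! Per-VRF links toward the SDA border node (one 802.1Q sub-interface per VN).
! "vrf forwarding" must precede "ip address": assigning the VRF clears the address.
interface GigabitEthernet0/0/1.100
 encapsulation dot1Q 100
 vrf forwarding FANS_VN
 ip address 10.254.1.2 255.255.255.252
!
interface GigabitEthernet0/0/1.200
 encapsulation dot1Q 200
 vrf forwarding OPS_VN
 ip address 10.254.2.2 255.255.255.252
!
interface GigabitEthernet0/0/2
 description shared services segment (DHCP, DNS, NTP)
 vrf forwarding SHARED_SERVICES
 ip address 10.250.0.1 255.255.255.0
!
! BGP performs the RT-based import/export between VRFs on this box;
! the border node peers with each VRF separately, so it only sees that VN's table.
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 vrf SHARED_SERVICES
  network 10.250.0.0 mask 255.255.255.0
 exit-address-family
 address-family ipv4 vrf FANS_VN
  neighbor 10.254.1.1 remote-as 65002
  neighbor 10.254.1.1 activate
 exit-address-family
 address-family ipv4 vrf OPS_VN
  neighbor 10.254.2.1 remote-as 65002
  neighbor 10.254.2.1 activate
 exit-address-family
```

To check the result, `show ip route vrf FANS_VN` should list 10.250.0.0/24 as a BGP route and nothing from OPS_VN, and the same holds in reverse for `show ip route vrf OPS_VN`. The fusion router is the one place where a single extra `route-target import` line silently flattens the segmentation the fabric enforces everywhere else, so treat its VRF block as security policy; if two VNs genuinely need to talk, send that traffic through a firewall rather than leaking their RTs into each other.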

SDA Glossary

Context note: Here, "fabric" means SDA campus access architecture (underlay + overlay + policy), not IP Fabric for Media.

Software-Defined Access (SDA): Campus access architecture combining underlay, overlay, and policy across wired and wireless networks.
Catalyst Center: Centralized appliance to design, provision, manage, and assure the network; centrally manages configuration, policy, and monitoring for all switches in the campus fabric.
Identity Services Engine (ISE): Authentication and authorization. Maps users/devices to security groups for policy assignment.
Scalable Group Tag (SGT): Security label assigned to users/devices that enables group-based access policy across the SDA fabric.
Cisco TrustSec: Policy framework that uses identity/group tags (SGTs) for microsegmentation and consistent access control.
Fabric Edge: Access-layer switches where end devices connect; they encapsulate user traffic into VXLAN tunnels across the fabric.
Border Node: Gateway connecting the SDA fabric to external networks (data center, internet, WAN).
Control Plane Node: LISP map-server/map-resolver that maintains a centralized database of endpoint locations in the fabric.
Underlay (likely in quiz): Physical Layer 3 routed network using IS-IS or OSPF.
Overlay (likely in quiz): Virtual network built on the underlay using VXLAN and LISP; supports multiple isolated virtual networks (VNs) on the same physical infrastructure.
Fusion Router: Performs route leaking between VRFs so users in the fabric can access shared services like DHCP, DNS, and NTP outside their own virtual network.
Virtual Routing and Forwarding (VRF): Isolated routing table instance that separates traffic between different virtual networks and services.
Virtual Network (VN): Isolated virtual network in the SDA overlay that shares the same physical underlay infrastructure.
Virtual Extensible LAN (VXLAN) (likely in quiz): Encapsulates Layer 2 frames in UDP/IP packets (UDP port 4789), so Layer 2 connectivity rides over the routed underlay.
Locator/ID Separation Protocol (LISP): Overlay protocol that decouples device identity from location and enables mobility.
Dynamic Host Configuration Protocol (DHCP): Automatic IP assignment.
Domain Name System (DNS): Name-to-IP resolution.
Network Time Protocol (NTP): Time synchronization.
Building Management System (BMS): Stadium infrastructure system (for example lighting, HVAC, and the retractable pitch) managed through the SDA network.
Vision Edge: Digital signage platform called out as part of the Bernabéu fan experience services.

ACI Overview

ACI is a policy-driven SDN fabric for data centers. At the Bernabéu, the data center runs an ACI Multipod design.

  • Single policy model across network, security, compute, and virtual environments.
  • Application requirements drive network policy.
  • Multiple ACI pods are controlled by one APIC cluster.
  • Pods communicate through the IPN (Inter-Pod Network).

Architecture

What this means in plain English: Traffic follows predictable leaf-to-spine paths, while APIC applies policy centrally.

  • Spine Switches: Fabric backbone connecting all leaf switches (Nexus 9000 series).
  • Leaf Switches: Access layer where endpoints connect (servers, storage, and the APICs themselves).
  • Traffic Flow: All leaf-to-spine links are active and load-balanced with ECMP; because the fabric is a routed (Layer 3) underlay, there is no spanning tree and no links are blocked.
  • Underlay Routing: IS-IS runs inside each pod as the underlay routing protocol, distributing reachability to the TEP loopback addresses that VXLAN tunnels use.
  • APIC: Unified management point translating application policies to fabric configuration.
  • Pod: Independent ACI unit (spine + leaf switches) with its own control plane (its own IS-IS and COOP instances).

Multipod and IPN

Multipod: Multiple ACI pods under one APIC cluster. Faults can stay local to one pod while pods still interconnect.

  • IPN: Layer 3 network connecting spine layers across pods.
  • Links: High-speed 40GE connections in full-mesh topology (spine ↔ IPN nodes).
  • Routing: Single OSPF area in a dedicated VRF.
  • Overlay: VXLAN tunnels carry tenant traffic between pods seamlessly.
  • Other recall terms: TEP Pool for VXLAN loopback addresses, COOP for endpoint tracking, MP-BGP for pod reachability, and vPC for one logical link across two switches.
  • Goal: High-speed, resilient pod-to-pod backbone with fault isolation.

ACI Glossary

Application Policy Infrastructure Controller (APIC): Unified point of automation and management for the ACI fabric; provides policy enforcement and health monitoring.
Inter-Pod Network (IPN): Layer 3 network joining spine layers across multiple pods.
Pod: Independent ACI fabric unit with spine and leaf switches and its own control plane.
Control Plane: Part of the network that carries signalling traffic and is responsible for routing.
Equal-Cost Multipath (ECMP) (likely in quiz): Routing method that load-balances traffic across multiple equal-cost leaf-to-spine paths; with a routed underlay there is no spanning tree, so every link stays active.
Intermediate System to Intermediate System (IS-IS) (likely in quiz): Underlay routing protocol inside each ACI pod; distributes TEP (loopback) reachability.
Tunnel Endpoint Pool (TEP Pool): IP address range for switch loopback interfaces, used as the source and destination addresses of VXLAN tunnels.
Council of Oracles Protocol (COOP): Protocol used by ACI to track endpoint information within the fabric.
Multiprotocol BGP (MP-BGP): Shares endpoint reachability between pods (MP-BGP EVPN between spines across the IPN).
Virtual Port Channel (vPC): Redundant link across two switches that appears as a single logical link.
Application Centric Infrastructure (ACI): Cisco software-defined networking solution that automates and manages data center networks based on application requirements.

Wi-Fi Infrastructure Overview

Bernabeu Wi-Fi is designed for high-density coverage, availability, and security across all zones.

  • Coverage spans seating, concourses, hospitality, and operations zones.
  • Centralized controller model keeps policy, RF management, and visibility consistent.
  • Primary stack: Catalyst 9800 WLC + Catalyst 9130AX APs.
  • Lightweight AP model: configuration and policy are centralized on the controller.

Controller and AP Model

What this means in plain English: APs are managed from one place, so wireless settings stay consistent across the venue.

  • Autonomous AP: Standalone mode; each AP is configured and managed independently.
  • Lightweight AP: Controller-driven policy, firmware, and RF operations; no local configuration until the AP joins the controller.
  • LWAPP: Legacy Cisco control protocol referenced in the source notes; it has been replaced by CAPWAP, the Layer 3 control and data path between lightweight APs and the controller.
  • Catalyst 9800 WLC: Central point for security policies, QoS, intrusion prevention, RF management, mobility, and control transactions like 802.1X authentication.
  • Catalyst 9130AX: Lightweight AP platform used in Bernabéu deployment.
  • Benefits: Centralized control, consistent policy, and simpler operations at scale.
[Figure: CAPWAP-based control and traffic flow. CAPWAP is the control path between lightweight APs and the controller.]

Deployment and CAPWAP

  • APs sit on dedicated infrastructure VLAN (e.g., VLAN 2045).
  • AP management subnet stays separate from user/client subnets.
  • AP switchports configured as access ports to the AP VLAN.
  • APs run in local mode and connect on access ports mapped to the AP VLAN.
  • For non-SDA SSIDs, client traffic traverses a CAPWAP tunnel between AP and controller.
[Figure: Example switchport configuration for access points. Typical AP access-port baseline configuration.]
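The AP access-port baseline the notes describe, written out for an IOS-XE access switch. This is an added example, not the page's own configuration: the platform (a Catalyst 9300 series fabric edge), the interface, the AP name and the VLAN name are assumptions; VLAN 2045 is the AP VLAN from the deployment notes, and the hardening lines are a baseline I would expect on an AP-facing port rather than something the notes state.

```cisco
! Added example (not from the page): baseline access port for a local-mode
! Catalyst 9130AX. Interface, AP name and VLAN name are assumptions; 2045 is
! the AP VLAN from the notes.
vlan 2045
 name AP_INFRA
!
interface GigabitEthernet1/0/12
 description AP-NORTH-STAND-12 (Catalyst 9130AX, local mode)
 switchport mode access
 switchport access vlan 2045
 ! Local-mode AP: client traffic rides the CAPWAP tunnel to the WLC, so this
 ! port carries only the AP VLAN and never needs to be a trunk.
 spanning-tree portfast
 ! Hardening (assumed baseline, not from the notes): err-disable the port if a
 ! switch or rogue bridge is plugged in where an AP should be, and cap storms.
 spanning-tree bpduguard enable
 storm-control broadcast level 10.00
 power inline auto
 no shutdown
```

After the AP joins, `show cdp neighbors detail` on this port should show the AP and `show interfaces GigabitEthernet1/0/12 status` should report VLAN 2045; if the AP never joins, check that the WLC is reachable from VLAN 2045 (CAPWAP control is UDP 5246, data UDP 5247). The access-port design only holds for local mode; a FlexConnect AP with locally switched SSIDs would need a trunk with the client VLANs, which is exactly the kind of change that should go through the same review as a firewall rule.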

Wi-Fi 6, 6E, and 7 Essentials

What this means in plain English: Newer Wi-Fi versions improve efficiency in crowds and reduce latency for interactive services.

  • Wi-Fi 6 (802.11ax): Improves efficiency in dense environments; OFDMA lets multiple clients share transmissions efficiently.
  • Wi-Fi 6E: Extends Wi-Fi 6 into 6 GHz for additional spectrum.
  • Wi-Fi 7 (802.11be): Adds MLO, wider channels (up to 320 MHz), and lower, more predictable latency.
[Figure: Quick 6/6E/7 comparison. MLO: simultaneous multi-band operation.]

Wi-Fi 7 vs Wi-Fi 6E (Quick Comparison)

  • Channel width: Wi-Fi 6/6E up to 160 MHz; Wi-Fi 7 up to 320 MHz.
  • Peak data rate: Wi-Fi 6/6E up to 9.6 Gbps; Wi-Fi 7 up to 40 Gbps (target).
  • Modulation: Wi-Fi 6/6E uses 1024-QAM, while Wi-Fi 7 moves to 4096-QAM for higher data density.
  • Operational outcome: Wi-Fi 6/6E improves dense-client efficiency; Wi-Fi 7 improves throughput and latency for real-time experiences.

Band Select Behavior

  • Why it exists: 2.4 GHz is usually more congested, so Band Select steers dual-band clients toward 5 GHz.
  • Default state: Band Select is disabled per SSID by default.
  • How it works: The controller delays some 2.4 GHz probe responses so 5 GHz is more attractive during initial join.
  • Caution: For interactive voice/video traffic, Band Select can impair roaming on some client types.

RRM in Daily Operations

  • RRM auto-onboarding: Detects new lightweight APs and automatically tunes channel/power to balance coverage and capacity.
  • Continuous sensing: APs perform short off-channel scans (not greater than 60 ms) for noise, interference, and rogues.
  • Low overhead: Each AP spends about 0.2% of time scanning, limiting client impact.
  • Distributed timing: Adjacent APs are staggered so they do not scan off-channel at the same time.
  • Practical value: Keeps RF plans adaptive in high-density venues with less manual retuning.

Rogue Management and aWIPS Workflow

  • Core threat model: Rogue APs can hijack clients, capture credentials, and disrupt service (including man-in-the-middle and denial-of-service attacks).
  • Platform integration: WLC + DNAC integration centralizes monitoring and rogue visibility.
  • aWIPS role: Signature-based and anomaly-based detection with alarms for faster response.
  • Operational view: Rogue and aWIPS dashboards support triage and policy tuning.
  • Governance caution: Auto-containment may have legal/policy implications and should be used with clear operational controls.

RF Operations

  • Band Select: Useful when 2.4 GHz is crowded, but it can hurt roaming for some real-time voice/video clients.
  • RRM: Auto-adjusts AP channel and power to keep coverage and capacity balanced.
  • Bottom line: These tools reduce manual RF tuning, but should be used with client behavior in mind.

Wireless Security

  • Detection stack: Managed APs + DNAC dashboards provide rogue visibility and alarms.
  • aWIPS: Signature/anomaly-driven threat detection and policy monitoring.
  • Operational caution: Auto-containment can have legal and policy implications.

Wi-Fi Glossary

Wireless LAN Controller (WLC): Central controller for system-wide wireless LAN functions such as security policies, intrusion prevention, RF management, QoS, and mobility.
Lightweight Access Point Protocol (LWAPP): Legacy Cisco control protocol for controller-managed APs, replaced by CAPWAP.
Control and Provisioning of Wireless Access Points (CAPWAP): Layer 3 protocol used for communication between lightweight access points and the controller over UDP/IP (control on UDP 5246, data on UDP 5247).
Orthogonal Frequency Division Multiple Access (OFDMA): Wi-Fi 6 feature that allows multiple devices to share a single transmission efficiently.
Multi-Link Operation (MLO): Wi-Fi 7 feature using 2.4, 5, and 6 GHz simultaneously for higher throughput and resilience.
QAM (1024/4096-QAM): Modulation method; higher QAM packs more bits per symbol, increasing throughput but requiring cleaner RF conditions.
Radio Resource Management (RRM): Automatically detects and configures new lightweight access points, then adjusts RF power and channel to optimize coverage and capacity.
Adaptive Wireless Intrusion Prevention System (aWIPS): Wireless intrusion threat detection and mitigation mechanism using signature-based techniques and anomaly detection.
Quality of Service (QoS): Traffic prioritization ensuring critical apps get bandwidth and low latency.
IEEE 802.1X: Port-based network access control framework used to authenticate users/devices before granting network access.
Cisco DNA Center (DNAC): Centralized management and monitoring platform (now named Catalyst Center) where Rogue Management and aWIPS dashboards are used to monitor wireless threats, policies, and alarms.
Service Set Identifier (SSID): Wi-Fi network name; the broadcast identifier clients see and select.

IP Fabric for Media Overview

What this means in plain English: IPFM replaces one-cable-per-signal SDI with scalable IP transport for broadcast video and audio flows.

IP Fabric for Media (IPFM): Replaces rigid SDI cabling with a flexible IP network for video, audio, and ancillary data.

  • Carries video (4K/8K), audio, and ancillary data as multiple simultaneous streams.
  • Uses a spine-and-leaf architecture for scale and consistent, predictable latency.
  • Uses Cisco Nexus 9000 switches with NDFC (DCNM in source notes) for management and automation.
  • Media traffic primarily uses UDP multicast so one source stream reaches many receivers efficiently.
  • Advanced capabilities include Multi-Site, NAT, and RTP flow monitoring.
  • At Bernabéu: 2,500+ screens, 80,000+ fan devices, worldwide broadcast.

Protocols and Standards

What this means in plain English: These protocols handle routing, multicast delivery, timing, and stream-quality checks for live production.

  • OSPF: Unicast routing within the fabric (leaf/spine reachability, including the RP and PTP source addresses).
  • PIM + IGMP: Multicast delivery and receiver join/leave control for media streams.
  • PTP: Precision timing so broadcast workflows stay synchronized to nanosecond-level accuracy.
  • SMPTE 2110: Standard for carrying video, audio, and ancillary data as separate IP streams.
  • AES67: Standard for transporting high-quality professional audio over IP.
  • NBM: Non-Blocking Multicast. Bandwidth-aware multicast routing helps prevent link oversubscription.
  • RTP: Real-Time Transport Protocol carries the media payload; its sequence numbers and timestamps are what RTP flow monitoring uses to detect packet loss and stream-quality problems.

Why this protocol set matters for IPFM: PTP timing + multicast control + RTP monitoring keep live streams synchronized, low-latency, and stable.
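The protocol set above on a single media leaf, written out in NX-OS (Nexus 9000) syntax. This is an added example, not the page's or Cisco's reference IPFM configuration: the RP address, PTP source and domain, interface numbers and prefixes are assumptions, and NBM host and flow policies are left out because their syntax varies by release. What it shows is the split the notes describe: OSPF for unicast reachability, PIM with a sparse-mode RP plus an SSM range for multicast delivery, IGMPv3 on host ports so receivers can name the source they want, and PTP on every link so the boundary clock in the switch keeps endpoints aligned.

```cisco
! Added example (not from the page): NX-OS media leaf for an IPFM fabric.
! RP, PTP source/domain, interfaces and prefixes are assumptions.
feature ospf
feature pim
feature ptp
!
router ospf IPFM
  router-id 10.255.0.11
!
! ASM groups use the RP; 232/8 is SSM, where IGMPv3 receivers name the source,
! so a rogue sender on another port cannot inject into a receiver's (S,G) join.
ip pim rp-address 10.255.0.1 group-list 239.0.0.0/8
ip pim ssm range 232.0.0.0/8
!
! PTP boundary clock (NX-OS default mode). Domain 127 is the SMPTE 2059-2 default.
ptp source 10.255.0.11
ptp domain 127
!
interface Ethernet1/49
  description uplink to spine-1
  no switchport
  mtu 9216
  ip address 10.1.1.1/31
  ip router ospf IPFM area 0.0.0.0
  ip pim sparse-mode
  ptp
  no shutdown
!
interface Ethernet1/10
  description camera-1 (SMPTE 2110 sender)
  no switchport
  ip address 10.10.10.1/24
  ip pim sparse-mode
  ip igmp version 3
  ptp
  no shutdown
!
interface Ethernet1/20
  description multiviewer-1 (SMPTE 2110 receiver)
  no switchport
  ip address 10.10.20.1/24
  ip pim sparse-mode
  ip igmp version 3
  ptp
  no shutdown
```

`show ip mroute` should list an (S,G) entry for each SSM flow with Ethernet1/20 in the outgoing list once the multiviewer joins, and `show ptp clock` should show the switch locked to its parent with the expected domain. Note that without NBM host policies any device on an IGMP-enabled port can join any group, which for a broadcast feed means anyone with a port can pull the programme output; the page's NBM mention is where that control lives, on top of the PIM/IGMP plumbing shown here.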

IP Fabric Glossary

Context note: "IP Fabric" here means a high-throughput spine-and-leaf transport network for media flows, which is different from SDA campus fabric.

IP Fabric for Media (IPFM): Specialized IP transport network for broadcast and media workflows, replacing rigid SDI infrastructure with a flexible, scalable IP-based network.
User Datagram Protocol (UDP) (likely in quiz): Connectionless transport used by media traffic; UDP multicast lets one source stream reach multiple receivers efficiently.
Open Shortest Path First (OSPF) (likely in quiz): Handles unicast routing within the fabric.
Protocol Independent Multicast (PIM): Multicast routing; distributes one media stream to multiple receivers.
Internet Group Management Protocol (IGMP): Lets devices join and leave multicast groups, signalling interest in media streams.
Precision Time Protocol (PTP): Nanosecond-level clock synchronization, critical for broadcast timing alignment.
SMPTE 2110: Standard defining how professional video, audio, and ancillary data are carried over IP as separate streams.
Audio Engineering Society 67 (AES67): Standard defining how high-quality professional audio is carried over IP.
SMPTE 2022-6: Standard defining how an entire SDI signal is encapsulated and carried over IP.
Non-Blocking Multicast (NBM): Bandwidth-aware multicast that distributes flows across available paths to prevent oversubscription.
Nexus Dashboard Fabric Controller (NDFC): Provides centralized management and automation for IPFM, including configuration templates, visibility, analytics, and policy management.
Data Center Network Manager (DCNM): Earlier name of the Cisco controller for Nexus 9000 fabrics, including IP Fabric for Media deployments; succeeded by NDFC.
Multi-Site: Connects multiple IPFM fabrics across locations for remote production or inter-facility content exchange.
Real-Time Transport Protocol (RTP): Carries media streams; RTP monitoring uses its sequence numbers and timestamps to detect packet loss and stream-quality issues.
Network Address Translation (NAT): Translates IP addresses; used for external broadcast feeds with overlapping IP ranges.
Serial Digital Interface (SDI): Legacy broadcast cable standard where one cable equals one signal; rigid and difficult to expand.