Full Enterprise Network Design & Build — Food Manufacturing Site
End-to-end enterprise network design and full configuration for a food manufacturing site — delivered by Frodingham Consulting on behalf of the site's MSP provider. Three-tier Aruba switching, FortiGate HA firewall cluster, LACP across redundant multipath fibre, OSPF routing, and complete OT/IT network segmentation.
3-tier network architecture: Core · Distribution · Access, fully redundant
HA FortiGate firewall cluster: active-passive, zero failover downtime
0 single points of failure: dual fibre, LACP, OSPF ECMP throughout
100% OT/IT network isolation: production floor fully segmented from corporate
The Brief
A full enterprise build — delivered for the MSP's client
An MSP contracted to deliver a new enterprise network for a food manufacturing client came to Frodingham Consulting to design and build the solution. The MSP held the client relationship and the contract. Frodingham provided the specialist network engineering depth to design and deliver an architecture the MSP's internal team could not build independently.
The food manufacturing environment added complexity that a standard enterprise build does not carry. Production line continuity is directly tied to network availability — a network outage does not mean engineers cannot access email, it means manufacturing stops, product is lost, and food safety monitoring goes dark. The architecture had to be built with zero tolerance for single points of failure at every layer.
Critically, the site operated both corporate IT and operational technology — PLCs, HMIs, SCADA systems on the production floor — which required complete network segmentation. OT systems on a food manufacturing site must be treated as safety-critical infrastructure. Any unauthorised access or connectivity between the OT network and the corporate or internet-facing layer represents both a cybersecurity risk and a regulatory compliance failure.
Client environment
Multi-building food manufacturing site with corporate offices, production floor, warehouse, and cold storage areas — each with distinct network requirements.
MSP delivery model
Frodingham delivered as the specialist technical layer behind the MSP — full design and build, with the MSP retaining the client relationship and ongoing support responsibility.
OT/IT requirement
SCADA and PLC systems on the production floor required complete network isolation from corporate IT and internet-facing services — enforced at both the switching and firewall layer.
Redundancy requirement
No single point of failure permitted at any layer. Dual fibre paths, LACP aggregation, OSPF ECMP, and FortiGate HA cluster required throughout.
Network Topology
The full topology from WAN perimeter to end device, layer by layer, with the hardware at each tier and the endpoints it serves:
Internet: WAN / ISP
Perimeter: FortiGate HA
Core: Aruba CX 8400
Distribution: Aruba CX 6300
Access: Aruba CX 2930F
Endpoints: Devices
Office
· Workstations
· IP Phones
· Aruba APs
· Printers
Production
· PLCs
· HMIs
· SCADA (isolated)
· IP Cameras
Warehouse
· WMS Terminals
· Handheld Scanners
· Env. Sensors
· IP Cameras
Firewall Architecture
FortiGate HA cluster — six security zones, deny by default
Two FortiGate units in active-passive high availability. Session state is synchronised between nodes — a primary failure results in sub-second failover with no session reset for active connections. All inter-zone traffic is denied by default. Every permitted flow is explicitly defined and documented.
Internet uplink — dual ISP with SD-WAN failover. All inbound traffic denied by default.
Externally accessible services only. No route to internal zones without explicit policy.
Standard office network. Internet permitted. No access to OT or SCADA without explicit allow.
Production floor and SCADA. No internet. No inbound from corporate. Outbound strictly controlled.
Internal server VLAN. Access from corporate on defined ports only. No direct internet.
Out-of-band management only. Accessible from management hosts only. Deny all others.
Security Features
FortiGate HA — Active/Passive
Two FortiGate units configured in active-passive high availability. Heartbeat links monitor primary node health. Failover is sub-second — sessions are synchronised between nodes so active connections survive a primary failure without reset.
IPS & Application Control
FortiGuard IPS signatures enforced on all inter-zone traffic. Application control identifies and controls over 5,000 application signatures — blocking or rate-limiting non-business applications and enforcing acceptable use policy at the firewall layer.
SSL Deep Inspection
Outbound SSL/TLS traffic is decrypted, inspected for threats and policy violations, and re-encrypted before forwarding. Applied to corporate and guest zones. OT/SCADA zones are explicitly excluded to avoid interference with industrial protocol encryption.
OT / IT Segmentation
The production floor (OT) and SCADA networks are treated as separate security zones with explicit deny-all inter-zone policy as the baseline. Any permitted communication between OT and corporate is individually justified, documented, and enforced by firewall policy — not assumed.
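As an added illustration of the deny-by-default zone model, the OT exclusion from SSL deep inspection and the individually justified OT exceptions described above (this is not the site's configuration or a Frodingham tool), the following Python script parses a constructed FortiOS-style policy excerpt and flags accept policies that break that baseline. The zone names wan, corporate, ot and servers, the policy ids, services and the profile name are assumptions.

```python
import re
# Constructed FortiOS-style excerpt, not the site's config; zone names
# (wan, corporate, ot, servers), ids and profile names are assumptions.
SAMPLE_POLICY = """config firewall policy
    edit 1
        set srcintf "corporate"
        set dstintf "wan"
        set action accept
    next
    edit 2
        set srcintf "ot"
        set dstintf "servers"
        set action accept
        set service "TCP_4840"
        set ssl-ssh-profile "deep-inspection"
    next
    edit 3
        set srcintf "corporate"
        set dstintf "ot"
        set action accept
        set service "ALL"
    next
end"""
def parse_policies(text):
    """Turn each 'edit N ... next' block into a dict of its 'set' values."""
    policies = []
    for num, body in re.findall(r"edit (\d+)\n(.*?)\n\s*next", text, re.S):
        pol = {"id": int(num)}
        for key, val in re.findall(r'set (\S+) "?([^"\n]+)"?', body):
            pol[key] = val
        policies.append(pol)
    return policies

OT_ZONES = {"ot"}                            # production floor / SCADA (assumed name)
NOT_ALLOWED_INTO_OT = {"wan", "corporate"}   # no internet, no inbound from corporate
def audit(policies):
    """Flag accept policies that break the OT baseline (FortiOS drops unmatched traffic)."""
    findings = []
    for p in policies:
        if p.get("action") != "accept":
            continue
        src, dst = p.get("srcintf"), p.get("dstintf")
        if dst in OT_ZONES and src in NOT_ALLOWED_INTO_OT:
            findings.append((p["id"], "inbound to OT from " + src))
        if src in OT_ZONES and dst == "wan":
            findings.append((p["id"], "OT has a path to the internet"))
        if {src, dst} & OT_ZONES and "deep" in p.get("ssl-ssh-profile", ""):
            findings.append((p["id"], "deep SSL inspection applied to OT traffic"))
    return findings
```

Run against a full `show full-configuration` export, the same checks give a repeatable audit of every justified OT exception after each policy change.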
802.1X Port Authentication
Aruba ClearPass provides RADIUS-based 802.1X authentication at every access port. Devices are identified and assigned to the correct VLAN based on identity, certificate, or MAC address. Unauthenticated devices land in a quarantine VLAN with no network access.
DHCP Snooping & DAI
DHCP snooping prevents rogue DHCP servers on any access port. Dynamic ARP inspection validates ARP packets against the DHCP binding table — preventing ARP spoofing and man-in-the-middle attacks at Layer 2. Applied across all access VLANs.
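To show how the DHCP snooping binding table drives the DAI decision described above, here is an added Python model (not the Aruba switch's implementation) that applies the same validation to a few constructed ARP packets. Port names, MAC and IP addresses, the VLAN and the trusted uplink set are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:      # one row of the DHCP snooping binding table
    mac: str
    ip: str
    vlan: int
    port: str

@dataclass(frozen=True)
class ArpPacket:    # the fields DAI compares against the binding table
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str

# Constructed binding table: leases DHCP snooping learned on an access switch
BINDINGS = {
    Binding("aa:bb:cc:00:00:01", "10.10.20.11", 20, "1/1/5"),
    Binding("aa:bb:cc:00:00:02", "10.10.20.12", 20, "1/1/6"),
}
TRUSTED_PORTS = {"1/1/49", "1/1/50"}   # assumed uplinks toward distribution

def dai_verdict(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return 'forward' or 'drop' as Dynamic ARP Inspection would."""
    if pkt.ingress_port in trusted:
        return "forward"            # DAI inspects untrusted (access) ports only
    for b in bindings:
        if (b.vlan == pkt.vlan and b.port == pkt.ingress_port
                and b.mac == pkt.sender_mac and b.ip == pkt.sender_ip):
            return "forward"        # sender MAC, IP, VLAN and port match a lease
    return "drop"                   # no matching binding: spoofed or unknown sender

# Constructed traffic: one legitimate ARP, two mismatches, one from a trusted uplink
SAMPLE_ARPS = [
    ArpPacket("1/1/5", 20, "aa:bb:cc:00:00:01", "10.10.20.11"),
    ArpPacket("1/1/6", 20, "aa:bb:cc:00:00:02", "10.10.20.1"),   # claims the gateway IP
    ArpPacket("1/1/7", 20, "aa:bb:cc:00:00:01", "10.10.20.11"),  # right lease, wrong port
    ArpPacket("1/1/49", 20, "00:11:22:33:44:55", "10.10.20.1"),  # trusted uplink, bypasses DAI
]

def run_dai(packets=SAMPLE_ARPS):
    """Apply dai_verdict to each packet in order."""
    return [dai_verdict(p) for p in packets]
```

The model omits static ARP ACLs, which a real switch consults before the binding table; on the Aruba access stacks those entries cover hosts with fixed addresses that never take a DHCP lease.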
OSPF & Multipath Fibre
Dynamic routing with automatic failover
OSPF runs across all three tiers of the network. The core switches form OSPF Area 0 — the backbone. Distribution switches operate in stub areas, summarising routes upward to the core and receiving a default route in return. This keeps the routing table lean at the distribution and access layers while maintaining full dynamic reconvergence.
Dual fibre paths connect every tier. OSPF Equal-Cost Multi-Path (ECMP) load shares traffic across both paths simultaneously — doubling available bandwidth under normal conditions. If one path fails, OSPF reconverges within seconds and all traffic moves to the surviving path with no manual intervention required.
LACP (802.3ad) link aggregation bundles the physical fibre links at every tier. Each LAG presents as a single logical interface with combined bandwidth and automatic failover if an individual member link fails — below the OSPF layer, before the routing protocol even needs to reconverge.
OSPF Area 0 (Core)
Backbone area on core VSF stack. Full routing table. ECMP across dual uplinks to FortiGate cluster.
OSPF Stub Areas (Distribution)
Per-zone stub areas. Summarised prefixes only. Default route injected from core. Rapid reconvergence.
LACP LAGs — All Tiers
802.3ad active-active aggregation. Dual fibre per LAG. Sub-second member failover before OSPF reconverges.
ECMP Load Sharing
Traffic distributed across all equal-cost paths simultaneously. Full bandwidth utilisation under normal conditions.
Fibre Diversity
Physically diverse fibre routes between core and distribution — separate conduits, separate patch panels, no shared failure domain.
Delivery Phases
Site survey to signed-off, documented handover
01 — Site Survey & Requirements
Physical site survey across all buildings and production areas. Documented existing infrastructure, cabling routes, power availability, and rack locations. Captured operational requirements from IT, production management, and the MSP — including OT device inventory, SCADA system dependencies, and compliance requirements.
02 — Network Architecture Design
Produced full logical and physical network design — three-tier topology, VLAN scheme, IP addressing plan, OSPF area design, LACP link map, and FortiGate zone architecture. Design reviewed and signed off by the MSP before any configuration work began.
03 — IP Scheme & VLAN Register
Allocated IP address ranges across all 10 VLANs with room for growth. Documented subnet allocations, gateway IPs, DHCP pool ranges, and reserved address blocks. VLAN register produced mapping VLAN ID to purpose, subnet, gateway, and authorised device types.
04 — Core & Distribution Build
Racked, cabled, and configured Aruba CX 8400 core stack and CX 6300 distribution switches. VSF stacking configured on core. OSPF adjacencies brought up across all tiers. LACP LAGs built and verified across all fibre uplinks. Inter-VLAN routing validated at core.
05 — FortiGate HA Cluster
FortiGate pair configured in active-passive HA. HA heartbeat links verified, session synchronisation confirmed. Firewall zones defined, inter-zone policies built and tested. IPS, application control, SSL inspection, and web filtering profiles applied per zone.
06 — Access Layer Deployment
Aruba CX 2930F access stacks built and deployed per zone — office, production floor, warehouse, CCTV. 802.1X with ClearPass configured on all access ports. PoE verified for APs, phones, and cameras. DHCP snooping, DAI, and storm control applied across all access VLANs.
07 — OT/SCADA Isolation & Testing
Production floor and SCADA zones brought up in isolation first — no connectivity to corporate until explicitly verified. Inter-zone firewall policy tested from both sides. SCADA vendor provided a test device to confirm no unintended reachability from corporate or internet.
08 — Full Site Testing & Sign-Off
End-to-end connectivity testing across all VLANs and zones. HA failover tested — primary FortiGate powered off, failover verified, sessions confirmed live on secondary. OSPF reconvergence tested with fibre path failures. All results documented and signed off by MSP.
09 — Documentation & Handover
Complete documentation package delivered — physical and logical topology diagrams, IP and VLAN register, FortiGate policy documentation, OSPF routing baseline, LACP link register, ClearPass configuration reference, HA failover procedure, and full operational runbooks for the MSP support team.
The Outcome
Production-grade. Fully redundant. Completely documented.
The site received a full enterprise-grade network — three-tier Aruba switching with VSF stacking at the core, OSPF routing with ECMP across multipath fibre throughout, LACP aggregation at every tier, and a FortiGate HA cluster enforcing security policy across ten network segments.
The OT and SCADA networks were completely isolated from corporate IT and internet-facing services — enforced at both the switching layer (separate VLANs, no inter-VLAN routing without firewall traversal) and the firewall layer (explicit deny-all inter-zone baseline, individually justified exceptions). Production floor network connectivity was verified independently before any corporate integration was permitted.
FortiGate HA failover was tested under load — primary node powered off with active sessions, secondary node assumed control with no session reset, and all traffic continued without interruption. OSPF reconvergence was tested with physical fibre failures at each tier. Every failure scenario was tested, documented, and passed.
The MSP received a complete documentation package and a network the client's production environment could depend on. Frodingham delivered the technical depth. The MSP retained the relationship. That is exactly how the model works.
In their words
"We won the contract because we could demonstrate the capability. We could demonstrate the capability because Frodingham built it. The client got an enterprise network that would survive any single failure. We got a client who trusted us to deliver — and a documentation package we could actually hand to our support team."
MSP Provider
Enterprise Delivery · Food Manufacturing Site · United Kingdom