Over the past few years, the number of mobile devices connected to the CERN network has increased from a handful in 2006 to more than 10,000 in 2015. Wireless access is no longer a “nice to have” or just for conference and meeting rooms. Support for mobility is expected by most, if not all, of the CERN community
In this context, the IT Department has launched a Wi-Fi service enhancement project in order to fully renew the CERN Wi-Fi network.
The goal of this project is to deliver a state-of-the-art Campus-wide Wi-Fi Infrastructure providing users with:
- coverage in at least all the office buildings and public areas;
- the possibility to maintain Wi-Fi connections as one moves about within the coverage area; and
- an end-user experience comparable, for most applications, to a wired connection;
To meet these goals we will be installing some 4,000+ Access Points supporting the latest Wi-Fi technologies (802.11ac Wave 2) connected to central controllers—controllers that will also improve our ability to analyse and manage the Wi-Fi environment.
This project will require works in all of the buildings concerned, but we hope that the improved mobility and flexibility for end-users will more than compensate for the inevitable disruption.
The existing Wi-Fi infrastructure has been deployed progressively since 2006 and consists of some 1,500 Wi-Fi Access Points of several different models which operate independently. This means that, firstly, they are each configured independently and, secondly, that one Access Point doesn’t know what is happening with its neighbours. Although we have developed tools to automate and simplify management of the Access Points themselves, the Access Points cannot work together to ensure support for roaming or to have one take over if another fails. The current configuration is also not able to support a “guest” Wi-Fi service that isolates visitor traffic from the CERN intranet.
To address these problems we need new Access Points that work together in a so-called “controller-based infrastructure”. In this new Wi-Fi architecture, central devices manage and control all the Wi-Fi Access Points and all traffic from mobile devices. As the controllers have a full overview of the Wi-Fi environment, they can ensure that Access Points work together to provide seamless coverage and, as all traffic is routed through them, we can ensure that traffic from unknown visitors will be routed only to the external network.
You might think that central controllers would be a bottleneck for Wi-Fi traffic but these devices have improved significantly in recent years and we are confident that the controllers we install will be scalable and will be more than capable of supporting the number of Access Points we need, as well as the traffic volumes we expect in the future.
Initially, for office buildings and for conference and meeting rooms elsewhere. This initial deployment covers some 200 buildings across the different CERN sites, buildings that house over 9x% of the CERN user community.
Support for mobility in technical areas is planned, either in a later deployment phase for Wi-Fi, by exploiting 3G/4G mobile telephony services or a combination of the two.
The high-level planning overview is currently as follows (see below for more details about these individual steps):
June 2015 – September 2016
Oct. 2015 – mid-2018
November 2016 – end 2018
The final schedule will depend on the budget and budget profile.
You can find the list of already deployed buildings at the bottom of this page.
The main impact will be inconvenience and noise when we survey your building to decide where to place Access Points and when we install cabling for the new Wi-Fi infrastructure. This will last from a few days to a month depending on the size of your building. Please see below for more details about the work that will be done, and why.
If you have Wi-Fi coverage today, this will remain until the new Access Points have been deployed. There will then be a short interruption when we make the switchover, but this will be scheduled as much as possible out of working hours. An e-mail is sent to all occupants of the building to warn them about the activation of the new Wi-Fi infrastructure.
If you do not have Wi-Fi coverage today in your office, you will have to wait for the new Wi-Fi solution to be deployed in your building. If your request concerns a building not covered by the project (technical buildings for instance), you can send a request as detailed here.
Please see below, for details of the benefits for you after the deployment of the new infrastructure.
In order to ensure adequate Wi-Fi coverage for a building, we have to make a radio-frequency simulation and then validate this with an on-site survey. The aim of these simulations and site surveys is to ensure that the Wi-Fi Access Points are positioned to provide an optimal coverage taking into account issues such as radio wave propagation and interference.
Our simulation tools are reasonably good at predicting the coverage inside a building but the plans are not always sufficiently accurate or clear about the type of material (whether walls are concrete, wood or plaster, for example). We therefore need to make a quick check of the building before the simulation and then verify the results. The first step shouldn’t really disturb you, but don’t be surprised if you see technicians checking each and every room.
The second, validation, step is more intrusive, however. For this we have to install test Access Points in positions suggested by the simulation, and check the Wi-Fi coverage using a laptop with a dedicated application. This means technicians will have to install Access Points on tripods and then visit all rooms to check the coverage. Depending on the size of the building, this step can last from a few hours to several days.
During the survey, please help us by not moving the tripods or unplugging the Access Points, otherwise the measurements will be wrong and, in the worst case, the site-survey will need to be redone (which means lost time for us, and more disturbance for you).
Although we are planning a Wireless infrastructure, we still need cables! Mobile devices connect wirelessly to the Access Points, but these Access Points are connected to the network infrastructure using Ethernet cables. New cables are needed for two reasons:
- Firstly, we will be deploying Access Points in places where there is no Ethernet outlet available. Specifically, we foresee locating Access Points inside offices, close to the door and at ceiling level, and there is usually no outlet nearby.
- Secondly, the existing structured cabling infrastructure is now quite old and not able to support the bandwidth requirements of the future Access Points.
The new Wi-Fi infrastructure is here to provide not simply Wi-Fi coverage, but also a signal quality which can deliver an end-user experience comparable, for most applications, to a wired connection. In order to provide such a service level, the Access Points need to be located where the users are most of the time, i.e. inside the offices. Of course, corridors will also be covered, but by installing the Access Points inside the offices, the Access Point coverage can be better targeted, reducing the number of clients per Access Point and so providing a better service quality to those clients.
The picture below shows the signal propagation difference between an Access Point deployed in a corridor and an Access-Point deployed inside an office, for the level of signal we target.
|- Coverage with the Access-Point in the corridor -||- Coverage with the Access-Point in the office -|
Placing Access Points in the offices provides a better signal quality for end-user. This also helps increase battery lifetime for mobile devices as they can transmit at lower power if the Access Point is nearer.
As you can see in the picture above, we need on average one Access Point per three offices in order to provide full high-quality coverage.
Nevertheless, in the cabling phase, we will be installing an Ethernet outlet in each office. The main reasons for this cabling choice are the following:
- it gives us flexibility: if we need to move an Access Point (because there is some work in the building, reorganisation of the offices, radio environment modification, etc.), this can be done easily if we have one outlet available per office;
- the cabling will last for at least the next 20 years and future technologies, such as the 802.11ad Wi-Fi standard or “Li-Fi” data transmission with LED lights may require one Access Point per office. It makes sense to install the necessary sockets now rather than coming back with more disruption in future.
As explained above, Access Point positions have been carefully chosen to meet our targets for coverage and signal quality. As an Access Point in one office provides coverage not only there but also in the area around, interfering with the device in your office will affect others.
Disconnecting or moving a Wi-Fi Access Point is a contravention of the CERN Computing Rules, and especially article II.8a of the Operational Circular Nº5 and its subsidiary Rules of Use: “Users must not attempt to reconfigure any elements of the CERN network infrastructure.”
We are entirely convinced that our installation is fully in line with all applicable regulations and poses no health risk, an opinion supported by specialists in HSE. (see HSE comment at the end of this CERN Bulletin article: https://cds.cern.ch/record/2196959?ln=en)
For more details, an interesting study has been published by the WHO on http://www.who.int/peh-emf/about/WhatisEMF/en/index1.html. According to this report "Despite extensive research, to date there is no evidence to conclude that exposure to low level electromagnetic fields is harmful to human health."
If you have any health concern related to your workplace, please discuss this with your management.
If you have Wi-Fi coverage today, whether in a meeting room or your office, you will still have easy access to the network using the same procedures as today. If you don’t have coverage in your office today, then coverage in your office, for your laptop, tablet or phone will be the first benefit. In both cases:
- you will be able to move seamlessly within the Wi-Fi coverage area without losing your network connection - so you will be able to keep your, say, ssh connection open as you rush from your office to a meeting;
- the quality of the connection and the throughput provided by the 802.11ac standard mean that you will be able to work wirelessly with a service level comparable, for most applications, to that of a wired connection - no need any longer to look for an Ethernet outlet for better bandwidth, and smartphones, tablets and other mobile devices will see the same web performance, say, as a desktop PC.
Introduction of the new Wi-Fi infrastructure will also enable us to add some new services, notably an internet-only Wi-Fi service for visitors, see mode details below.
Yes, this is a new service provided by the new Wi-Fi infrastructure.
A new SSID has been introduced, named "CERN-Visitors". As its names implies, it is dedicated for visitors, and allows only access to Internet (and thus to CERN resources publicly available on Internet). This new Wi-Fi network allows people to identify themselves by a code sent to a mobile phone (rather than needing to be authorised by someone at CERN).
Simply connect the device to the "CERN-Visitors" network, and you will be redirected to a registration portal (either automatically or by opening a web browser). The first page of the portal allows you to access some resources without any registration (public links).
After having accepted the CERN Computing rules, you will be prompted for an e-mail address and a phone number. You will then receive a code via SMS to register yourself.
Once registered, you will have access to Internet. As of today, we only allow http/https traffic, but some other protocols may be open later on. This service is currently available in all the buildings where new infrastructure was already deployed (see details in the table below).
Please note that this service is dedicated for visitors who do not need to access to CERN internal resources. If you connect using a laptop or smartphone already registered for access to the CERN network, no traffic will be allowed and you will be prompted to connect to the "CERN" Wi-Fi network.
The new Wi-Fi solution is based on Aruba products (now part of HPE). It relies on controllers which centralise the clients’ traffic and manage all the radio part of the infrastructure. Wi-Fi signal is provided in the two available bands: 5GHz band (for 802.11a/n/ac) and 2.4GHz band (for 802.11g/n). The latest standard, which provides better performance, is 802.11ac, and is available on most recent mobile devices.
The controllers have a global overview of all the Access Points and are able to calculate dynamically the best settings in term of radio channel and transmit power:
- concerning the channel settings, the new infrastructure is configured with only 20MHz channels in the 2.4GHz band, and 40MHz channels in the 5GHz channel (80MHz channel, supported by some 802.11ac clients, may be allowed in some specific location like auditorium, but due to radio frequency technical constraints, it is not possible to have it active globally over the campus);
- in term of transmit power, the new Wi-Fi infrastructure is configured to set the transmit power level of office Access Points between 4 mW and 31 mW for the 2.4 GHz band, and between 15 mW and 125 mW for the 5 GHz band. The system assigns the power dynamically in order to provide the best radio coverage, and according to the tests done during 3 months in the pilot buildings (28/31), the power levels observed on the Access Points installed in a closed office are in reality between 5 mW and 6.5 mW for the 2.4 GHz channel and between 15 mW and 30 mW for the 5 GHz channel. As a comparison, current regulation limits in France and Switzerland are 100 mW in the 2.4 GHz channel and 200 mW in the 5 GHz channel. Note that these power values correspond to the power emitted by the Access Points. This power level decreases very quickly with the distance: in the pilot buildings, the power level measured at the user desk location are between 0.0000003 mW (0.3 nanowatts, or -65 dBm, in the office next to the one where the Access Point is installed) and 0.00001 mW (10 nanowatts, or -50 dBm, in the same office as the Access Point).
If you want more technical details about this solution, we invite you to have a look at the following links:
- CERN Bulletin (https://cds.cern.ch/record/2196959?ln=en)
- IT Technical Forum presentation done in June 2016 (https://indico.cern.ch/event/524994/)
- HEPIX Fall 2016 presentation (https://indico.cern.ch/event/531810/contributions/2298917/)
- CHEP 2016 presentation (https://indico.cern.ch/event/505613/contributions/2227409/)
- CHEP 2016 publication (http://iopscience.iop.org/article/10.1088/1742-6596/898/8/082010/).
You can see the status of all buildings by looking at https://gis.cern.ch/gisportal/IT_equipment.htm (login required). You need to select on the top menu: "Data (Données) > Equipements > IT_Equipements > Wifi_deployment_by_building". Once selected, the different buildings will be coloured depending on their status (expand the left menu "Wifi_deployment_by_building" to see the full color code). The map is updated dynamically with information from the project management tool.
Moreover, the table below will be updated regularly during the deployment. It gives you a list of buildings which have already been deployed with the new Wi-Fi infrastructure.
|Building Number||Date of Activation||Comments|
|1||August 24th 2017|
|2||January 12th 2018|
|5||October 12th 2017|
|6||May 12th 2017|
|7||December 19th 2017|
|8||May 12th 2017|
|9||May 12th 2017|
|10||May 12th 2017|
|11||November 15th 2017|
|12||November 15th 2017|
|13||November 15th 2017|
|14||November 15th 2017|
|15||December 19th 2017|
|22||December 19th 2017|
|23||December 19th 2017|
|24||December 19th 2017|
|27||June 1st 2017|
|28||December 7th 2016||Project pilot building|
|30||July 11th 2017|
|31||December 7th 2016||Project pilot building|
|33||July 4th 2017|
|40||July 22nd 2017|
|42||July 22nd 2017|
|48||August 24th 2017|
|49||December 7th 2016||Project pilot building|
|51||August 24th 2017|
|57||December 19th 2017|
|60||October 13th 2017|
|61||October 13th 2017|
|62||October 13th 2017|
|64||October 13th 2017|
|72||January 12th 2018|
|73||November 24th 2017|
|100||January 12th 2018|
|108||October 26th 2017|
|119||November 24th 2017|
|124||August 24th 2017|
|129||October 16th 2017|
|130||December 19th 2017|
|132||October 31st 2017|
|143||June 16th 2017||Microcosm|
|148||October 16th 2017|
|158||December 19th 2017|
|159||December 19th 2017|
|160||December 7th 2017|
|161||December 7th 2017|
|164||October 26th 2017|
|188||June 21st 2017|
|194||October 16th 2017|
|252||November 15th 2017|
|300||December 7th 2017|
|301||December 7th 2017|
|304||August 24th 2017|
|311||December 19th 2017|
|363||September 20th 2017|
|500||October 13th 2017|
|501||October 6th 2017||Restaurant 1|
|503||October 13th 2017|
|504||December 5th 2016||Project pilot building - Restaurant 2|
|505||December 19th 2017|
|510||January 12th 2018|
|512||October 31st 2017|
|544||November 15th 2017|
|555||October 26th 2017|
|573||March 16th 2017|
|574||March 16th 2017|
|589||October 26th 2017|
|600||December 7th 2016||Project pilot building|
|607||March 16th 2017|
|772||October 18th 2017|
|864||June 14th 2017|
|865||May 31th 2017|
|866||June 14th 2017|
|892||October 18th 2017|
|895||October 18th 2017|
|904||October 18th 2017|
|918||January 12th 2018|
|933||October 18th 2017|
|935||December 5th 2017|
|946||October 19th 2017|
|974||October 23rd 2017|
|2006||May 12th 2017|