Over the last few years, the number of mobile devices connected to the CERN network has increased from a handful in 2006 to more than 10,000 in 2015. Wireless access is no longer a “nice to have” or just for conference and meeting rooms. Support for mobility is expected by most, if not all, of the CERN community
In this context, the IT Department has launched a Wi-Fi service enhancement project in order to fully renew the CERN Wi-Fi network.
The goal of this project is to deliver a state-of-the-art Campus-wide Wi-Fi Infrastructure providing users with:
- coverage in at least all the office buildings and public areas;
- the possibility to maintain Wi-Fi connections as they move about within the coverage area; and
- an end-user experience comparable, for most applications, to a wired connection;
To meet these goals we will be installing some 4,000+ Access-Points supporting the latest Wi-Fi technologies (802.11ac Wave 2) connected to central controllers—controllers that will also improve our ability to analyse and manage the Wi-Fi environment.
This project will require works in all of the buildings concerned but we hope that the improved mobility and flexibility for end users will more than compensate for the inevitable disruption.
The existing Wi-Fi infrastructure has been deployed progressively since 2006 and consists of some 1,500 Wi-Fi Access-Points of several different models which operate independently This means that, firstly, they are each configured independently and, secondly, that one Access-Point doesn’t know what is happening with its neighbours. Although we have developed tools to automate and simplify management of the Access-Points themselves, the Access-Points cannot work together to ensure support for roaming or to have one take over if another fails. The current configuration is also not able to support a “guest” Wi-Fi service that isolates visitor traffic from the CERN intranet.
To address these problems we need new Access-Points that work together in a so-called “controller based infrastructure”. In this new-Wi-Fi architecture, central devices manage and control all the Wi-Fi Access-Points and all traffic from mobile devices. As the controllers have a full overview of the Wi-Fi environment, they can ensure that Access-Points work together to provide seamless coverage and, as all traffic is routed through them, we can ensure that traffic from unknown visitors will be routed only to the external network.
You might think that central controllers would be a bottleneck for Wi-Fi traffic but these devices have improved significantly in recent years and we are confident that the controllers we install will be scalable and will be more than capable of supporting the number of Access-Points we need as well as the traffic volumes we expect in the future.
Initially, for office buildings and for conference and meeting rooms elsewhere. This initial deployment covers some 200 buildings across the different CERN sites, buildings that house over 9x% of the CERN user community.
Support for mobility in technical areas is planned, either in a later deployment phase for Wi-Fi, by exploiting 3G/4G mobile telephony services or a combination of the two.
The high level planning overview is currently as follows (see below for more details about these individual steps):
June 2015 – September 2016
Oct. 2015 – mid-2018
November 2016 – end 2018
The final schedule will depend on the budget and budget profile.
You can find the list of already deployed buildings at the bottom of this page.
The main impact will be inconvenience and noise when we survey your building to decide where to place Access-Points and when we install cabling for the new Wi-Fi infrastructure. This will last from a few days to a month depending on the size of your building. Please see below for more details about the work that will be done, and why.
If you have Wi-Fi coverage today, this will remain until the new solution Access-Points have been deployed. There will then be a short interruption when we make the switchover, but this will be scheduled as much as possible out of working hours.
If you do not have Wi-Fi coverage today then this will also stay the same. As we are devoting effort to deploying the new infrastructure, we cannot accept requests for extension of the current Wi-Fi service. If your office is not covered, you will have to wait for the new Wi-Fi solution to be deployed (more details here).
Please see below, for details of the benefits for you after the deployment of the new infrastructure.
In order to ensure adequate Wi-Fi coverage for a building, we have to make a radio-frequency simulation and then validate this with an on-site survey. The aim of these simulations and site surveys is to ensure that the Wi-Fi Access-Points are positioned to provide an optimal coverage taking into account issues such as radio wave propagation and interference.
Our simulation tools are reasonably good at predicting the coverage inside a building but the plans are not always sufficiently accurate or clear about the type of material (whether walls are concrete or plaster, for example). We therefore need to make a quick check of the building before the simulation and then verify the results. The first step shouldn’t really disturb you, but don’t be surprised if you see technicians checking each and every room.
The second, validation, step is more intrusive, however. For this we have to install test Access-Points in positions suggested by the simulation, and check the Wi-Fi coverage using a laptop with a dedicated application. This means technicians will have to install Access-Points on tripods and then visit all rooms to check the coverage. Depending on the size of the building, this step can last from a few hours to several days.
During the survey, please help us by not moving the tripods or unplugging the Access-Points, otherwise the measurements will be wrong and, in the worst case, the site-survey will need to be redone (which means lost time for us, and more disturbance for you).
Although we are planning a Wireless infrastructure, we still need cables! Mobile devices connect wirelessly to the Access-Points, but these Access-Points are connected to the infrastructure network using Ethernet cables. New cables are needed for two reasons.
- Firstly, we will be deploying Access-Points in places where there is no Ethernet outlet available. Specifically, we foresee siting Access-Points inside offices, close to the door and at ceiling level and there is usually no outlet nearby.
- Secondly, the existing structured cabling infrastructure is now quite old and not able to support the bandwidth requirements of the future Access-Points.
The new Wi-Fi infrastructure is here to provide not simply Wi-Fi coverage, but also a signal quality which can deliver an end-user experience comparable, for most applications, to a wired connection. In order to provide such a service level, the Access-Points needs to be located where the users are most of the time, i.e. inside the offices. Of course, corridors will also be covered, but by installing the Access-Points inside the offices, the Access-Point coverage can be better targeted, reducing the number of clients per Access-Point and so providing a better service quality to those clients.
The picture below shows the signal propagation difference between an Access-Point deployed in the corridor and an Access-Point deployed inside the office, for the level of signal we target.
|- Coverage with the Access-Point in the corridor -||- Coverage with the Access-Point in the office -|
Placing Access-Points in the offices provides a better signal quality for end-user. This also helps increase battery lifetime for mobile devices as they can transmit at lower power if the Access-Point is nearer.
As you can see in the picture above, we need on average one Access-Point per three offices in order to provide full high quality coverage.
Nevertheless, in the cabling phase, we will be installing an Ethernet outlet in each office. The main reasons for this cabling choice are the following:
- it gives us flexibility: if we need to move an Access-Point (because there is some work in the building, reorganisation of the offices, radio environment modification, etc…), this can be done easily if we have one outlet available per office;
- the cabling will last for at least the next 20 years and future technologies, such as the 802.11ad Wi-Fi standard or “Li-Fi” data transmission with LED lights may require one Access-Point per office. It makes sense to install the necessary sockets now rather than coming back with more disruption in future.
As explained above, Access-Point positions have been chosen carefully to meet our targets for coverage and signal quality. As an Access-Point in one office provides coverage not only there but also in the area around, interfering with the device in your office will affect many others.
Disconnecting or moving a Wi-Fi Access-Point is a contravention of the CERN Computing Rules, and especially article II.8a of the Operational Circular Nº5 and its subsidiary Rules of Use: “Users must not attempt to reconfigure any elements of the CERN network infrastructure.”
We are entirely convinced that our installation is fully in line with all applicable regulations and poses no health risk, an opinion supported by specialists in HSE. (see HSE comment at the end of this CERN Bulletin article: https://cds.cern.ch/record/2196959?ln=en)
For more details, an interesting study has been published by the WHO on http://www.who.int/peh-emf/about/WhatisEMF/en/index1.html. According to this report "Despite extensive research, to date there is no evidence to conclude that exposure to low level electromagnetic fields is harmful to human health."
If you have any health concern related to your workplace, please discuss these with your management.
If you have Wi-Fi coverage today, whether in a meeting room or your office, you will still have easy access to the network using the same procedures as today. If you don’t have coverage in your office today, then coverage in your office, for your laptop, tablet or phone will be the first benefit. In both cases:
- you will be able to move seamlessly within the Wi-Fi coverage area without losing your network connection - so you will be able to keep your, say, ssh connection open as you rush from your office to a meeting;
- the quality of the connection and the throughput provided by the 802.11ac standard mean that you will be able to work wirelessly with a service level comparable, for most applications, to that of wired connection - no more need to look for an Ethernet outlet for better bandwidth and smartphones, tablets and other mobile devices will see the same web performance, say, as a desktop PC.
Introduction of the new Wi-Fi infrastructure will also enable us to add some new services, notably an internet-only Wi-Fi service for visitors, but the full details and rollout schedules for these aren’t fully defined yet. Watch this space!
The new Wi-Fi solution is based on Aruba products (now part of HPE). It relies on controllers which centralise the clients’ traffic and manage all the radio part of the infrastructure. Wi-Fi signal is provided in the two available bands: 5GHz band (for 802.11a/n/ac) and 2.4GHz band (for 802.11g/n). The latest standard, which provides the better performances, is 802.11ac, and is available on most of the latest mobile devices.
The controllers have a global overview of all the access-points and are able to calculate dynamically the best settings in term of radio channel and transmit power:
- concerning the channel settings, the new infrastructure is configured with only 20MHz channels in the 2.4GHz band, and 40MHz channels in the 5GHz channel (80MHz channel, supported by some 802.11ac clients, may be allowed in some specific location like auditorium, but due to radio frequency technical constraints, it is not possible to have it active globally over the campus);
- in term of transmit power, the new Wi-Fi infrastructure is configured to set the office Access-Points transmit power level between 4 mW and 31 mW for the 2.4 GHz band and between 15 mW and 125 mW for the 5 GHz band. The system assigns the power dynamically in order to provide the best radio coverage, and according to the tests done during 3 months in the pilot buildings (28/31), the power levels observed on the access-points installed in a closed office are in reality between 5 mW and 6.5 mW for the 2.4 GHz channel and between 15 mW and 30 mW for the 5 GHz channel. As a comparison, current regulation limits in France and Switzerland are 100 mW in the 2.4 GHz channel and 200 mW in the 5 GHz channel. Note that these power values correspond to the power emitted by the access-points. This power level decrease very quickly with the distance: in the pilot buildings, the power level measured at the user desk location are between 0.0000003 mW (0.3 nanowatts, or -65 dBm, in the office next to the one where the access-point is installed) and 0.00001 mW (10 nanowatts, or -50 dBm, in the same office as the access-point).
If you want more technical details about this solution, we invite you to have a look at the following links:
- CERN Bulletin (https://cds.cern.ch/record/2196959?ln=en)
- IT Technical Forum presentation done in June 2016 (https://indico.cern.ch/event/524994/)
- HEPIX Fall 2016 presentation (https://indico.cern.ch/event/531810/contributions/2298917/)
- CHEP 2016 presentation (https://indico.cern.ch/event/505613/contributions/2227409/)
- CHEP 2016 publication (link will be provided as soon as it will be available).
You can see the status of all buildings by looking at https://gis.cern.ch/gisportal/IT_equipment.htm (login required). On the left part, ensure to select "Wifi_deployment_by_building" checkbox, and expand this menu to see the full color code. Thsi map is updated dynymically with information from the project managemenet tool.
Moreover, the table below will be updated regularly during the deployment. It gives you a list of buildings which have already been deployed with the new Wi-Fi infrastructure.
|Building Number||Date of Activation||Comments|
|1||August 24th 2017|
|6||May 12th 2017|
|8||May 12th 2017|
|9||May 12th 2017|
|10||May 12th 2017|
|27||June 1st 2017|
|28||December 7th 2016||Project pilot building|
|30||July 11th 2017|
|31||December 7th 2016||Project pilot building|
|33||July 4th 2017|
|40||July 22nd 2017|
|42||July 22nd 2017|
|48||August 24th 2017|
|49||December 7th 2016||Project pilot building|
|51||August 24th 2017|
|124||August 24th 2017|
|143||June 16th 2017|
|188||June 21st 2017|
|304||August 24th 2017|
|363||September 20th 2017|
|504||December 5th 2016||Project pilot building - Restaurant2|
|600||December 7th 2016||Project pilot building|
|864||June 14th 2017|
|865||May 31th 2017|
|866||June 14th 2017|