City Wi-Fi as an example of dormitories in Moscow universities

    Hello, Habr! Today we will deviate a little from the usual course and tell you not about the video surveillance system, but about how Wi-Fi works in Moscow. We must say right away that the publication will be without hardcore technical details, for one simple reason: the Internet is provided according to the "service model". Simply put, the customer sets requirements for the necessary communication services, and contractors provide those services on a competitive basis. To date, two major operators provide communications in Moscow under the Wi-Fi in dormitories project: VimpelCom and MGTS, selected based on the results of competitive procedures. It is the work of these two operators that determines the quality and availability of the network.

    Wireless access to the Internet in hostels is part of the City Wi-Fi project, which includes other public facilities: city parks, cultural sites, pedestrian and bicycle paths. Dormitories of universities are one of the main parts of the project, and we will talk about them in today's article.

    At the time of writing, the two operators have installed 5561 radio access points in total, located in 121 dormitories of Moscow universities, home to about 77 thousand students.

    There are many requirements for the operators' work, and one of them is stable service for at least 10-15 subscribers at each access point. At the same time, 10-15 is not the maximum number of subscribers (an upper threshold has not yet been set) but the estimated number that must be served stably; there are places where up to 30 subscribers are served stably.

    Soon, SMS authorization will be available for all areas of the city project “City Wi-Fi”, which will operate using the Unified Mobile Platform. And until this happens, authorization is implemented on the operator’s networks.

    As an example, let us consider in more detail the model of providing communication services for dormitories from the MGTS operator.

    The MGTS network is built on Hewlett-Packard solutions. Wi-Fi access points operating in the 2.4 and 5 GHz bands are connected through aggregation switches to the trunk communication channel, which is based on GPON technology. Centralized management is provided by two geographically separated clusters consisting of HP 870 Unified Wired-WLAN Appliance hardware controllers in an N+M arrangement, combined with the HP iMC Wireless Services Manager management system.

    Figure: client access layer block diagram

    HP 4xx series products with two radio interfaces supporting both the 2.4 GHz and 5 GHz bands were selected as access points. This allows the service to be started at each access point both in the 2.4 GHz band (the most popular, but at the same time the most "noisy" band) and in 5 GHz. Radio Resource Management (RRM) technology steers user devices that support 5 GHz (or both bands) primarily onto those frequencies, which improves the quality of communication for the user. RRM also constantly analyzes the environment and automatically adjusts the transmit power of all access points to achieve optimal coverage. Thanks to seamless roaming, the user can move around the dormitory without disconnecting.

    When trying to connect to the network, the user is redirected to a web portal for authorization by mobile phone number. After entering the password received by SMS, the user is given access to the Internet. Currently, the system supports up to 15,000 concurrent users. The portal is implemented on the basis of the User Access Manager (UAM) software module of the HP iMC management system; the same module performs the function of a RADIUS server. A single management interface for the solution is provided by the Wireless Service Manager (WSM) module of HP iMC. This module allows operators to see a map of the wireless network, coverage areas and the location of equipment on the floor plan, and to create, run or turn off services. At all,

    A more detailed description of the solution
    The scheme consists of three main functional blocks:

    - The core of the wireless network
    - The transport network between the core and the objects
    - The LAN on the site

    Wireless core

    The core is geographically distributed. Each site consists of Wi-Fi controllers, an HP iMC management server, a captive portal server with an SMS gateway, and authentication servers (RADIUS). The Wi-Fi controllers provide centralized access point management, radio resource management and user session management. Traffic from unauthorized user devices flows through the controller into an isolated VLAN. Traffic of authorized users is switched into local VLANs with Internet access at the sites.
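    The authorization flow described above (a newly connected device is held in an isolated VLAN, the captive portal sends a one-time password by SMS, and only after the code is verified is the session switched into the Internet VLAN) can be illustrated with a small simulation. This is an added example, not code from the original article or from MGTS, HP or the City Wi-Fi project: the session store, the code lifetime, the attempt limit and the SMS-gateway stub are assumptions, and only the VLAN names are taken from the article.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# VLAN names as given in the article; their role assignment here is illustrative.
ISOLATED_VLAN = "WIFI-HP-CONTROL"   # unauthorized devices, reachable only via the controller
INTERNET_VLAN = "WIFI-HP-INET-DPI"  # authorized devices, Internet access

OTP_TTL_SECONDS = 300  # assumed lifetime of an SMS code
MAX_ATTEMPTS = 5       # assumed wrong-guess limit before the code is discarded
OTP_DIGITS = 6


@dataclass
class Session:
    """Per-device state kept by the portal/controller (assumed structure)."""
    mac: str
    vlan: str = ISOLATED_VLAN
    phone: Optional[str] = None
    otp: Optional[str] = None
    otp_issued: float = 0.0
    attempts: int = 0
    authorized: bool = False


class CaptivePortal:
    """Minimal captive-portal logic: SMS code issue, verification, VLAN switch."""

    def __init__(self, send_sms: Callable[[str, str], None], now: Callable[[], float] = time.time):
        self.send_sms = send_sms  # stand-in for the SMS gateway of the article
        self.now = now            # injectable clock so expiry can be tested offline
        self.sessions: Dict[str, Session] = {}

    def connect(self, mac: str) -> str:
        """A device that joins the SSID lands in the isolated VLAN until authorized."""
        session = self.sessions.setdefault(mac, Session(mac=mac))
        return session.vlan

    def request_code(self, mac: str, phone: str) -> None:
        """Generate a fresh random code, bind it to the device and send it by SMS."""
        session = self.sessions[mac]
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        session.phone, session.otp = phone, code
        session.otp_issued, session.attempts = self.now(), 0
        self.send_sms(phone, code)

    def verify(self, mac: str, code: str) -> Tuple[bool, str]:
        """Check the submitted code; on success move the session to the Internet VLAN."""
        session = self.sessions[mac]
        if session.otp is None:
            return False, "no code requested"
        if self.now() - session.otp_issued > OTP_TTL_SECONDS:
            session.otp = None
            return False, "code expired"
        session.attempts += 1
        # constant-time comparison so timing does not leak matching digits
        if not hmac.compare_digest(session.otp, code):
            if session.attempts >= MAX_ATTEMPTS:
                session.otp = None  # force a new SMS after too many guesses
                return False, "too many attempts"
            return False, "wrong code"
        session.otp = None          # a code is single-use; no replay
        session.authorized = True
        session.vlan = INTERNET_VLAN
        return True, "authorized"


if __name__ == "__main__":
    # Constructed walk-through with a fake SMS gateway that just records the message.
    outbox = []
    portal = CaptivePortal(send_sms=lambda phone, code: outbox.append((phone, code)))
    mac = "aa:bb:cc:dd:ee:01"   # constructed device address
    print("VLAN on connect:", portal.connect(mac))
    portal.request_code(mac, "+7-XXX-XXX-XX-XX")  # placeholder phone number
    print("verify:", portal.verify(mac, outbox[-1][1]))
    print("VLAN after auth:", portal.sessions[mac].vlan)
```

    The three failure paths (expired code, wrong-guess limit, replay of a used code) are the ones a portal like this must get right, because the isolated VLAN is the only thing standing between an unauthenticated device and the Internet VLAN.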

    To provide Internet access for all users, the Cisco Carrier Grade NAT operator solution is used, implemented on high-performance CGSE+ modules installed in the Cisco CRS-3 ASBR. The declared performance of a CGSE+ module is up to 80 Gb/s half-duplex and 80 million NAT translations.

    Transport network

    The last mile to the sites is GPON. Three VLANs are delivered to each site on a tagged interface of the ONT.

    • VLAN WIFI-HP-CONTROL is connected to the corresponding VRF and serves two purposes: management of on-site devices (switches and gateways) from the core of the wireless network, and establishment of CAPWAP tunnels from the access points to the controllers, which carry access point management traffic and the traffic of unauthorized devices.
    • VLAN WIFI-HP-INET-DPI is connected to the corresponding VRF and carries Internet traffic with the applicable rules (QoS and so on).
    • VLAN MGMT is connected to the corresponding VRF and is used to manage switches and gateways from the operator's network.

    LAN on site

    The site LAN consists of access points, switches, and a multifunction device, a Fortigate UTM. At layer 2 it is a set of switches connected to each other in a ring; the Fortigate is also part of the ring.

    It carries three VLANs: VLAN MGMT, VLAN WIFI-HP-CONTROL, and VLAN INTERNET, into which authorized devices are placed.

    The Fortigate UTM runs DHCP relay toward the Wi-Fi core and the CG NAT. It can potentially also be used for DPI, web filtering, mail inspection, SSL inspection, device recognition, etc. It is FSTEC-certified, with the low-strength encryption license.

    To ensure the best coverage, specialists conducted a comprehensive radio survey, on the basis of which the optimal access points were selected, with both built-in and external antennas. All access points are powered over PoE, and uninterruptible power supplies guarantee power to the aggregation and channel-forming equipment. This scheme keeps the network operating correctly during short-term blackouts or voltage drops in the mains.

    In those educational institutions where access has already been provided, there are information plates with contact details, so if you live in a dormitory of a university with city wireless access and something suddenly does not work, feel free to call the listed numbers: the operator will register the request, and it should be processed within 4 hours.

    Figure: device authorization scheme

    If you happen to be a Wi-Fi user in a dormitory of some Moscow university, or you simply have questions (or, even better, suggestions) about how this service works, we will be glad to see them in the comments.

    And a few more words about video surveillance :) The work continues actively with your help, and we want to say thanks again for the feedback you send as part of testing our system in the joint special project.

    We want to note one important change. For testing we created a limited number of accounts, while the number of people wishing to take part in the test exceeded all our expectations. Therefore, we decided to proceed as follows: if you have an account on the Moscow State Services portal, you can leave a request for testing on the special project page using the portal login. We will try to process your request as quickly as possible and provide access for testing.

    And the last thing. The main goal of the special project is not just to let the professional community play with cameras, but to help you make our service better (so that playing with cameras is more convenient in the future). Therefore, once you have formed an opinion about the service, we ask you to share your impressions and ideas for improving it. Any feedback about the service will come in handy: from interface texts and layout to bugs in operation or even information about vulnerabilities. During the special project many useful wishes were sent (some of which have already been taken into account), but here, as in the joke: give me pills for greed, and more of them, more!

    Your opinion is really important to us.
    Thanks for attention!

    Read also in our blog on Habr:
    - "130 thousand surveillance cameras - how to make them work?"
    - "Habraeffect for 130,000 cameras in Moscow"
    - "Information technology feeds more than 750 thousand people in Moscow"
    - Blog of the Moscow City Department of Information Technologies on Habrahabr
