CERN

Aruba delivers uninterrupted campus-wide coverage and a programmable network at CERN.

The European Organization for Nuclear Research, CERN, was founded in 1954, and was one of Europe’s first joint ventures and now has 22 member states. Its main campus is located on the French-Swiss border, near Geneva, boasting a community of 13,000 users.

CERN conducts boundary-pushing scientific work; its physicists and engineers are probing the fundamental structure of the universe. Yet in many respects it is a typical workplace: employees need to collaborate on the go, work away from their desks, and use modern productivity tools.

Scientific work that pushes boundaries

"We’ve had Wi-Fi infrastructure for a good 15 years," says Dr Tony Cass, who leads CERN’s Communications Systems Group in the Information Technology Department. " But, because we started early, it was all based on independent access points; we didn’t have roaming capabilities or a visitor network. Delivering a seamless roaming experience, simplifying access for visitors and being able to manage the traffic are what I wanted to achieve."

Creating a modern, connected workplace

CERN
© CERN

The CERN campus comprises 200 buildings, covering 400,000sqm of floor space. Like many modern workplaces, much of the work takes place away from the desk. The main restaurant, auditorium and walkways between hubs were all Wi-Fi blackspots. Building 40, one of the main workspaces, poses unique challenges with thick, concrete walls and a circular layout.

The demands on the CERN Wi-Fi systems have grown in recent years. For example, the introduction of the eduroam network access service, which automatically enables trusted visiting researchers to establish a full connection to CERN’s network environment, has led to an increase in the number of devices being used.

"When we enabled eduroam, the number of Wi-Fi devices almost doubled," Cass says. "It was a complex process for people before as they had to register their MAC address to use our network. They would register one device, but they would have eduroam enabled on all of them. So when we enabled eduroam, all of these phones and tablets suddenly connected to our network, as well as the main device that people had registered. So we have tens of thousands of mobile devices, tablets, PCs, MacBooks all the time."

The programmability and openness of the Aruba Mobile First Architecture, together with the network monitoring and management capabilities it offers, enables us to undertake large-scale deployments in an automated and reliable manner. This will create a true mobile experience for our community.
Vincent Ducret, Network engineer, CERN

And there is a second audience for wireless. CERN attracts upwards of 100,000 visitors a year, either business guests, students or tourists viewing the permanent exhibition or taking the guided tours. Providing wireless visitor access is now a hospitality requirement, laying the foundation for delivering mobile services and information – such as site maps and enriched content for the permanent exhibitions.

CERN’s expectation was, therefore, to have 20,000 devices connected at any one time. The institute needed a solution that would allow users to move freely across the campus, but, with that number of connections, intelligent enough for them to manage automatically.

An intelligent architecture, designed for scalability

While evolving the older setup of discrete access points to a unified and centrally controlled architecture, Tony Cass and his team ensured the adoption of the latest technologies and standards to future-proof their environment. Providing coverage for 400,000sqm of floor space spread across 500 acres of the CERN campus with increasing numbers of mobile devices, meant that the migration to 802.11ac was a necessity. But enabling seamless and uninterrupted roaming on Wi-Fi was an even more important expectation from all users. The Aruba ClientMatch solution has ensured this experience for over 20,000 concurrent users.

The coverage will only grow over the next months, with plans to expand to over 4,000 access points within a year – indoors and outdoors – fostering the increase of use of wireless over static wired connections. Today, approximately 50% of the connections are wireless in the already deployed buildings and this trend is expected to accelerate.

CERN
© CERN

One of the major milestones for this network refresh has been the migration to the Aruba OS 8.x (AOS 8.x), which offers programmability, automation and increased manageability capabilities. Through the use of open API integrations, CERN have integrated their Print Services with the Wi-Fi network in order to deliver location-based, automated printer connectivity to authorised users. Based on their location, users are offered a list of available, local printers to which they can connect securely.

Deploying over 4,000 APs across 400,000sqm is no simple task. AOS 8.x has also simplified this task by allowing CERN to automate the roll-out of the configurations to all new APs, significantly reducing the deployment time and costs and ensuring that Vincent Ducret and his team can meet their very tight timelines.

New analytics capabilities of AOS 8.x also arm the team with the intelligence and proactive information to effectively manage and troubleshoot the entire network.

There are three distinct environments at CERN, each with their dedicated Mobility Controllers, Mobility Masters and APs, developed to enable the development of new initiatives and the introduction of new technologies, to driving pilots and then deploying campus-wide:

  1. The test lab – 1 x 7240 and 2 x 7220 Mobility Controllers
  2. Three IT buildings and one restaurant as a pilot environment – 2 x 7220 controllers and 2 virtual Mobility Masters
  3. The campus as the final production deployment with 200+ buildings – 4 x 7240 Mobility Controllers and 2 x virtual Mobility Masters

“The programmability and openness of the Aruba Mobile First Architecture, together with the monitoring and management capabilities it offers, gives us the possibility to undertake large-scale deployments in an automated and reliable manner,” says Vincent Ducret, network engineer, CERN. “This is a key enabler for completing a campus-wide mobile coverage within a very aggressive timeframe and create a true mobile experience for our community.”

Fostering mobile collaboration

CERN
© CERN

While the Aruba Mobile First architecture is now in place and has helped to enhance CERN’s pioneering digital workplace environment, it is too early to detect significant cultural changes as it will take some time for all the teams to move to using only Wi-Fi. Vincent Ducret expects that the majority of connections will be on Wi-Fi within the next 2 years or so.

The most obvious initial impact for IT and facilities, he says, is on the cabling. “We want more users on wireless than wired connections,” says Ducret, “but we still need wired connections. We can’t remove all cabling, but the Aruba solution means we have far less of it – which is a savings in terms of infrastructure costs and disruptions.”
Some new cabling is inevitable since the existing connections are often at the wrong places and in most buildings the cabling is reaching the end of its expected lifetime.

Seamless roaming, uninterrupted coverage

“We now have one big pool of IP addresses for all of CERN rather than lots of little pools for each building,” says Ducret. “For example, when people are in our main restaurant for lunch, they’ll be able to get an IP address just as easily as if they were in their office.” With full roaming and uninterrupted coverage, people will even keep their IP address and connection as they walk to lunch from the main physics building, and accelerator control experts can keep their connections as they move between their offices and CERN’s Control Centre.

Managing all user connections and routing the traffic centrally allows CERN to introduce an improved “visitor” Wi-Fi network. Short-term visitors are able to quickly establish a network connection, identifying themselves by means of a code sent to a mobile phone without needing to wait for a contact at CERN to approve their request. Computer security is bolstered as users connected to this “visitor” network are on a network which is separate from CERN’s private network. However, they can connect to the Internet and access public resources. Trusted academic visitors are able to use the eduroam access service to establish a full connection to CERN’s network environment. Therefore, cases where people visiting CERN need such access are now rare and the new light-weight authorisation for an isolated network is much more in line with visitor needs.

Dr Tony Cass concludes: “With the mobility demands of our staff and scientists increasing, we knew that installing the right wireless infrastructure was critical to enabling a productive workplace. The Aruba network addresses our current challenges, and we are confident it will help ensure that we’re prepared for future growth.”