SOFINET wireless solutions

A joint event by OCS and SOFINET, a Russian developer and manufacturer of network equipment. During the online meeting, the vendor's experts presented new wireless Wi-Fi solutions that provide high performance, reliability, and security for corporate networks.

They also discussed how SOFINET solutions enable the creation of a flexible and scalable network for offices or industrial facilities, and introduced the features of integrating the manufacturer's equipment into the existing infrastructure, including the use of the unified operating system SOFOS.

Today's event was opened by Oleg Savin, Development Director at SOFINET.

While SOFINET is currently a Russian brand, I hope that in the near future our company will become a Russian manufacturer. Our products do not contain components from unfriendly countries, which minimizes any possible sanctions. In addition, we have our own unified operating system called SOFOS, which is registered as an Operating System and runs on all our equipment.

We have predictable production times. We have a large warehouse located in Russia. We offer a full warranty. We are still a relatively young company, only two years old. But we are located in the beautiful small city of Orel, where our central office, main production, and all warehouses are located. Also in Orel are the technical support center, our laboratory, and the testing center. In Moscow, we have a team working with partners and customers. All the main logistics are in Moscow, as well as our presales and training. We conduct training at a licensed training center. We also have representative offices in Yekaterinburg and St. Petersburg.

We have been involved in network equipment for many years and want to continue making the coolest switches. We make both access switches, starting from L2+ level, and routers. Our equipment is well suited for customers from the corporate and public sectors.

Our equipment is installed in one of the major banks. There is a video on YouTube where the bank itself talks about choosing us instead of Cisco, and now all branches of this bank have our switches installed, with plans for further expansion. We are very well represented in the industry and in the oil and gas sector because we have transparent pricing and a unified operating system.

We not only make network equipment. We help partners and customers develop optimal solutions for their networks, selecting the most suitable SOFINET equipment that allows achieving high network performance with optimal investment costs. We also help to create technical specifications.

We provide training for network engineers and architects with preparation levels from beginner to expert. We have courses that we conduct simply as a kind of elective. And in the licensed training center, there is a three-day course with time off from production.

We offer free testing of our equipment. We have a basic warranty on it. It is valid for one year. In addition, we offer technical support.

I give the floor to our Technical Director Grigory Kulikov.

Wi-Fi is built on hardware controllers. We offer two different models, which are identical in functionality. They differ depending on the number of access points and the bandwidth of the controllers. Access points are Wi-Fi 6 standard, AX technology. Architecturally, it is a hardware controller and access points. There are two types of controllers.

One, SFN5500-WLC-256, is simpler and designed for a maximum of 256 points. It has built-in PoE ports, which are mainly used for testing (connecting an access point to the controller and quickly setting up Wi-Fi), gigabit optical uplinks, and 8 gigabit copper PoE ports. It comes with a license for 64 points. That is, 64 points can be connected to this controller for free, as this is already included in the basic license.

And another controller, SFN5500-WLC-1024. It is a bit more interesting and powerful, for 1024 access points. By default, it comes with a license for 128 points. Here, 10-gigabit optical uplinks and a few more gigabit ports appear. There are no PoE interfaces here, but usually large controllers are located somewhere in the data center, and PoE functionality is not so critical there. They also differ in that the small controller has one built-in power supply; both are hardware-reliable, of course, but the large one comes with two replaceable power supplies. The functionality that the controllers have is listed on the slide. These are: local or centralized switching, radio air management, centralized authorization, Static/RIP/OSPF routing, wireless traffic mirroring, automatic configuration and updating of access points.

Access points. There are four models.

The most basic access point is the SFN320-AP. This is an indoor access point with built-in omnidirectional antennas. Inside this access point, there are two radio modules, 2.4 GHz and 5 GHz. The point consumes no more than 13 W, which allows this Wi-Fi 6 point to be used on older switches that only provide the AF standard, up to 13.3 W, and cannot deliver up to 30 W. SFN320-AP is the most basic, most popular office point. And it is used in 90% of our projects.

The second point is outdoor, the SFN300t-AP. Again, Wi-Fi 6. Outdoor version. Temperature range: from minus 40 to plus 65 degrees Celsius. IP67 protection, i.e., it can be watered from a hose in the cold, and nothing will happen to it. From a technical point of view, it also has two radio modules, 2.4 GHz and 5 GHz. Here is an interesting solution: inside this point is a built-in directional antenna of 10 dBi. That is, it is a fairly narrow beam. Often, such outdoor points are hung on top of masts, and in this way, it is quite convenient to shine a narrow beam down towards customers. The outdoor point has an optical SFP port. If the access point happens to be located somewhere on the territory far from the distribution center, then it can also be hooked up via optics. But it will still need to be powered either locally or with a PoE injector.

And there are two more points that we plan to launch. These are SFN350-AP, an access point for scenarios with high client density. In fact, this is the 320th, to which another radio module has been added. That is, the 350th point will have one radio module for 2.4 GHz and two radio modules for 5 GHz. The SFN350-AP will also have a built-in indoor omnidirectional antenna for installation indoors.

And a separate SFN315-AP access point, this is such a standard form factor for hotels and dormitories. It hangs on the wall and has a built-in switch with the ability to separate by VLAN. Usually, these switches are used to connect a telephone or television. From the point of view of the radio module, there is also 2.4 GHz 2x2 and 5 GHz 2x2.

Regarding the operating system. We have a unified OS installed on all switches, routers, and now also on Wi-Fi controllers. This is our distinctive feature. It is called SOFOS.

A unified OS is convenient from the point of view of administration when the entire network of the customer is built on the equipment of one vendor. One operating system means less chance of error, and less time needs to be spent on training personnel. From the point of view of administration, the CLI interface is similar to Cisco. That is, if an engineer was trained on Cisco or similar devices, he will also not have any problems with our operating system, because the configuration ideology is exactly the same. The commands are similar, but not identical. For those who do not like the CLI, there is a Web interface, both in switches for basic settings and in controllers for setting up the controller itself. Because the controller is essentially a switch with the ability to serve Wi-Fi access points. And because the controller is also a switch, you can bring up dynamic routing on the controller, and there are various functions that came to it from ordinary switches. That is, all the standard network plumbing is present in the controller.

About licensing. At SOFINET our philosophy is that licensing is practically not used anywhere. Wi-Fi is the only product where licensing appears: licensing by the number of access points.

All available functionality, namely the functionality of the controller, is available out of the box. This applies to switches, routers, and controllers. We do not have any subscriptions, and no separate licenses for any separate functionality in the software. Only the number of access points is licensed. On the junior controller, the base license is for 64 access points; on the senior controller, it is already for 128 access points. On the slide, you see packs of 32 access points, 64 points, and 128 access points.

L2/L3 usage scenarios.

The first usage scenario is simple L2, when we have both access points and a controller or controllers in one VLAN. In this case, the access points will automatically find the controller; no additional configuration is required. This scenario is used in basic testing and in small installations when we have a controller somewhere nearby, and it can be placed in one subnet with all access points. In the L3 scenario, the controller is located in the central node, and the access points have only L3 connectivity with the controller. In this case, the access points need to find the IP address of the controller or controllers. And this is done with a fairly standard mechanism through DHCP option 67. The IP addresses of the central controllers are entered there. Here, of course, you will need to configure the DHCP server, but this is a fairly simple task.

Both local switching and centralized switching of user traffic are supported.

Local switching is shown on the left of the slide. The controller has a management tunnel to each access point. CAPWAP tunneling is used for both management and data. In a system with local switching, the data stream from the Wi-Fi client goes directly through the wires via ordinary Ethernet, without getting into the controller. It is possible to use centralized switching, when the controller has a management tunnel to each access point, but traffic from clients also goes through the CAPWAP tunnel first to the controller. The controller disassembles this tunnel and then switches and routes according to its tables. In our system, these two modes can be combined. For example, a separate SSID can be allocated to centralized switching. Usually, this is some kind of guest traffic, which is usually pulled to the controller, and ordinary Enterprise SSIDs can be given simply to local switching in order to provide greater bandwidth, less delay, and everything related to flow optimization.

Roaming is the process of transferring a client between access points. The main task of the entire Wi-Fi system is to provide the client with the same conditions, the same connections to new access points that he had on the previous access point.

That is, the task is to preserve the client's session, the various encryption keys, the VLAN; the IP address on the client should not change. In this sense, we have both L2 and L3 roaming working. L2 roaming is when the SSID on the access points, and the access points themselves, are in the same VLAN. L3 is when part of the access points, for example, broadcast a Wi-Fi SSID that already belongs to other VLANs. Both L2 and L3 roaming work. The only thing is that centralized switching is necessary for L3 roaming. That is, the SSID that we want to provide with L3 roaming must have centralized switching through the controller.

The so-called "help" mechanisms are supported for clients so that the client can quickly determine in the radio environment which access points are nearby and which access points it is better to switch to. And for fast roaming, we use key caching on the controller. The controller stores all the encryption keys of all connected clients. This allows fast roaming, switching from one access point to another.

There is a built-in RRM (Radio Resource Management) functionality.

This is the automatic distribution of access points by channels and the automatic distribution of power on each radio interface. After RRM, access points keep to the list of allowed channels, i.e., we can influence which channel the access point can use and which not. The functionality works in 2.4 GHz and 5 GHz; automatic adjustment of radiation power and automatic adjustment of channels are used. The RRM mechanism is configurable, i.e., it can be turned on, for example, once a day at night or during the day, or once an hour. The frequency of RRM triggering is configured.

Naturally, it is possible to take into account only your access points when distributing by channels. That is, you can make the system not work on the appearance of some third-party access points. It often happens that in the office, millions of neighbors turn on or off their Wi-Fi access points. You can make our system not react to this.

There is a rather tricky autonomous AP mode.

Generally speaking, the access point, at least during the initial "deploy", must find a controller for itself, and must "pull" its configuration from this controller. After that, the link to the controller, the connection to the controller, may be broken. It often happens that the controller is somewhere in our central office, and the access point is hanging on a remote site, and the connection to this remote site is not always stable. Even in the absence of connectivity with the controller, the access points continue to shine Wi-Fi, the access points continue to provide services. Clients at this moment are not disconnected from the access point. And new clients can also connect to this access point. The configuration of the access point in this sense is stored locally on it, that is, the access point can even be reloaded, if suddenly the power, for example, disappears. After it is loaded, Wi-Fi will work again at the remote site. WPA/WPA2, both personal and Enterprise, will work. WPA3 is not supported in this mode. Only local switching is possible. This is natural, since we have no connection to the controller, we simply have nowhere to tunnel traffic with data. And authorization through the portal becomes open. That is, if we had an SSID with portal authorization on the controller, then such an SSID, in the absence of connectivity with the portal, in fact, with the controller, will connect everyone who wants to connect to Wi-Fi.

A little about security. The standard mechanism for detecting and suppressing third-party access points, the so-called RogueAP, is supported.

For example, when someone brings a home access point to the customer's office and starts broadcasting the same SSID, or one similar to the SSID. In our office, for example, access points naturally broadcast on the SSID SOFINET. If some scoundrel brings his access point and writes SOFINET with, for example, the letter "o" replaced by a zero or in lower case, then the system will also trigger on such an SSID and will also suppress such a third-party access point. Suppression occurs quite conventionally: a disassociation packet is sent to the client and to the access point.

It is possible to use Whitelist and Blacklist. This is a standard access list mechanism by MAC addresses. Isolation of users from each other (wired/wireless) is supported. This is often required in a hotspot so that clients do not see each other. Clients are connected to one radio, one access point, or to different radios on different access points. They will not see each other.

Blocking static IP on clients: you can configure it so that the client can connect to Wi-Fi only if he receives a dynamic IP address from the centralized DHCP server. If a static IP address has been written to him, the system will not connect such a user.

Traffic encryption: WPA2, which is standard AES-256 encryption, and optional encryption of the CAPWAP tunnels from the access point to the controller. Encryption of both the tunnel with user data and the management tunnel. Tunnels can be made encrypted.

Clustering capabilities.

There are situations when we need to back up the controller. The simplest and most understandable scheme is controllers in the Active-Backup scheme. One controller is active, and an active tunnel from the access points goes to it, and at the same time, each access point builds a backup tunnel to the backup controller. But they do not use it until the active controller is turned off. IP connectivity is necessary between the controllers in order to combine them into a clustering group.

For large installations, the picture is a little more complicated.

If the capabilities of one controller are not enough, we can make a bundle of several controllers. The first group of access points is distributed over the first and second controllers, using Active-Backup. Another group of points, for example, the second, attaches its main active tunnel to the middle controller, and the third controller is used as a backup. Thus, this design can be expanded almost infinitely to the right. That is, you can draw group 3, group 4 on the right, and thus make a large installation with access point redundancy. Each individual access point will be backed up on two controllers.

And the second option for using clustering is the Active-Active scheme. In fact, we divide our access points into two groups. One group has the first active controller, the second backup, and other access points, on the contrary, have the second active controller, and the backup on the first.

When clustering controllers, an additional L3 connection is used. On the slide, this is presented simply as a link. This is often done; they simply throw in an additional link. In order not to rewrite the same configurations manually on the backup controller, you can synchronize from the main controller. And it is also possible to configure the so-called "succession": when the active controller has turned off for some reason, all access points have switched to the backup, and then the former active controller, for example, turns on again. Here you can influence whether the access points should switch back to the first controller or not. This switch-back is often turned off, because the fewer switchovers in the system, the more stable it is.

It is necessary to mention additional features. For example, Load-Balance is supported, and of two types.

They differ either by the number of clients or by the amount of traffic. So, if there are, for example, 10 clients on one point, and 5 on the other, then new clients will most likely connect to the access point on which there are 5 clients. In the case when Load-Balance is configured to connect new clients based on the amount of traffic, then it is a little more technically interesting here. For example, there are 10 clients on one access point, but they are not doing anything, and on the other there are 5 clients, but they are all, for example, watching 4K video. And in this case, new clients will connect to the access point that is less loaded.

Band Steering is supported. If the client can simultaneously connect to both 2.4 GHz and 5 GHz, then the system will try to bring such clients to the 5 GHz range.

Forced disconnection of "weak" clients. If the client is too far from the access point, we simply deassociate it. Thus, our Wi-Fi cell stops degrading due to such remote "weak" clients.

We have support for a technology called "Statistics of third-party clients for marketing". It is needed in cases where access points are hung, for example, in a shopping center, and we need to see how many clients we have statistically come on different days of the week, how they are distributed over the areas, how much time they spend here or there.

Detailed logging of Wi-Fi connections. In the logs, you can find information about each client, when he connected/disconnected, what his roaming was, etc. By default, this functionality is disabled, but it can be enabled, thereby saving such a history.

Access points can detect non-Wi-Fi radiation. This is a common story with all Bluetooth devices that are constantly near access points and interfere with the radio air.

Remote mirroring of wireless traffic with wireless headers is supported for "troubleshooting", for viewing client problems during roaming. This is a pretty useful thing. Now it is not necessary to go to the site to see what is happening in the radio air, you can do it all remotely.
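The lookalike-SSID case from the RogueAP part of the talk (the corporate SSID broadcast with a zero in place of the letter "o", or in lower case, by a radio that is not one of ours) can be illustrated with a small matcher. This is an added example written for this page, not SOFOS or SOFINET code, and it does not reproduce how the controller itself classifies beacons. The scan records, authorized BSSID list and homoglyph table are constructed for the demonstration, and the function names are my own. It generalizes the two cases in the talk to any single-character substitution, case change, or one-character edit of the corporate SSID.

```python
"""Flag beacons that impersonate or imitate a corporate SSID.

Added example, not vendor code. Assumed inputs: a list of scan records
(BSSID, SSID, channel, RSSI) as a Wi-Fi controller or a monitoring radio would
report them, and the set of BSSIDs belonging to our own access points.
"""
from dataclasses import dataclass
import unicodedata

# Characters an impostor may substitute for a Latin letter (assumed, partial table).
# Cyrillic look-alikes are given as escapes so they are visible in the source.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "|": "l",
    "\u043e": "o", "\u0435": "e", "\u0430": "a", "\u0441": "c", "\u0440": "p",
    "\u0456": "i", "\u0131": "i",
}


@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rssi: int  # dBm


@dataclass
class Finding:
    bssid: str
    ssid: str
    reason: str


def normalize_ssid(ssid: str) -> str:
    """Casefold, collapse homoglyphs to their Latin base, drop punctuation/spaces."""
    s = unicodedata.normalize("NFKC", ssid).casefold()
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    return "".join(ch for ch in s if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    """Edit distance; SSIDs are at most 32 bytes, so the O(n*m) table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(beacons, corporate_ssid, authorized_bssids, max_distance=1):
    """Return findings for beacons that copy or imitate the corporate SSID.

    Beacons from our own radios are skipped; everything else is compared
    first for an exact SSID copy (evil twin), then for equality after
    normalization (case / homoglyph tricks), then for a small edit distance.
    """
    target = normalize_ssid(corporate_ssid)
    findings = []
    for b in beacons:
        if b.bssid.lower() in authorized_bssids:
            continue  # one of our access points
        norm = normalize_ssid(b.ssid)
        if b.ssid == corporate_ssid:
            findings.append(Finding(b.bssid, b.ssid, "evil twin: exact SSID from unauthorized BSSID"))
        elif norm == target:
            findings.append(Finding(b.bssid, b.ssid, "lookalike: equal after case/homoglyph normalization"))
        elif levenshtein(norm, target) <= max_distance:
            findings.append(Finding(b.bssid, b.ssid, f"lookalike: edit distance {levenshtein(norm, target)}"))
    return findings


# Constructed sample data: locally administered MACs, not real hardware.
CORPORATE_SSID = "SOFINET"
AUTHORIZED = {"02:53:4f:00:00:01", "02:53:4f:00:00:02"}
SCAN = [
    Beacon("02:53:4f:00:00:01", "SOFINET", 36, -45),        # our AP
    Beacon("02:53:4f:00:00:02", "SOFINET-Guest", 1, -50),   # our guest SSID
    Beacon("de:ad:be:ef:00:01", "SOFINET", 6, -60),         # exact copy, foreign radio
    Beacon("de:ad:be:ef:00:02", "S0FINET", 11, -62),        # zero for "o"
    Beacon("de:ad:be:ef:00:03", "sofinet", 44, -70),        # lower case
    Beacon("de:ad:be:ef:00:04", "S\u041eFINET", 48, -66),   # Cyrillic capital O
    Beacon("de:ad:be:ef:00:05", "SOFINETT", 52, -75),       # one extra character
    Beacon("de:ad:be:ef:00:06", "HomeNet-5G", 40, -80),     # unrelated neighbour
]


def scan_report(beacons=SCAN):
    """Convenience wrapper over the constructed sample; returns the findings."""
    return classify(beacons, CORPORATE_SSID, AUTHORIZED)


if __name__ == "__main__":
    for f in scan_report():
        print(f"{f.bssid}  {f.ssid!r:14}  {f.reason}")
```

The matcher only reports; in a deployment the authorized-BSSID set would come from the controller's own access point inventory, and a finding should be confirmed before any containment is triggered, since legitimate neighbouring networks can also have similar names and a one-character threshold will catch them.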

Illustrations are provided by the SOFINET press service
