Design Guide
March 2015
THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR
APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL
ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS
BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of
California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved.
Copyright © 1981, Regents of the University of California.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other
countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party
trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1110R).
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual
addresses and phone numbers. Any examples, command display output, network topology diagrams, and other
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone
numbers in illustrative content is unintentional and coincidental.
This Cisco® Connected Mining 1.0 Design Guide serves as a design reference for deploying a core
networking infrastructure in underground mines and can be used for various overlaying services. It also
covers design details for real-time location-tracking systems in underground mines. This document
focuses on the best practices and design details of specific aspects of Connected Mining. Apart from the
end-to-end solution architecture, the scope of this document includes recommendations for technology,
products, and models suitable for underground mining environments and their varied topologies.
This system is provided in partnership with AeroScout® Industrial; thus, the scope and architecture of
this document account for the specific needs of deploying a location tracking system using the AeroScout
Industrial equipment.
The proposed architecture also anticipates future expansion of various other services for which the
proposed system will be used as the backbone infrastructure. Although most of the current deployments
in mining have separate networks for enterprise and control traffic, considering the evident future
convergence, the current architecture conforms to the needs of unified enterprise and control network.
While many deployments already exist in various mines, this release is the first Cisco Validated Design
(CVD) to provide a comprehensive network that caters to current and anticipated future needs.
This chapter describes the following use cases implemented in the Connected Mining 1.0 release:
• Unified Asset Visibility
• Fleet Management
• Miner Safety
• Telemetry Data from RFID Tags
• Availability of Mine-Wide Location Information
Fleet Management
For many mining enterprises, the mining-transport dispatch system is one of the main tools for
increasing productivity. Proper monitoring and control of vehicle movements yields evident
results, from fuel and lubricant savings to more rational use of machinery to improved work safety. This
allows for the implementation of an automated traffic dispatch and control system for bolstering
efficiencies and controlling costs across operations. Fleet management in Connected Mining 1.0
covers the following aspects:
• Tracking the real-time location of vehicles helps in efficient fleet management (that is, diverting
the nearest vehicle to the pickup spot), thus improving operational efficiency and reducing cost.
• Live ignition monitoring of vehicles and tracking of each vehicle's runtime help to determine the optimal
time for routine and preventative maintenance, thus reducing downtime. Instead of time-based
routine maintenance, it is possible to schedule maintenance based on the actual runtime of the
vehicle.
Miner Safety
Miner safety, which is mandatory to meet industry regulatory norms, is achieved through the Connected
Mining 1.0 system design in the following ways:
• Enables monitoring of worker movements in dangerous zones (for example, blasting and unsafe
tunnels).
• Reduces incident response and rescue times with real-time worker location tracking.
• Helps to improve operational efficiency with login and logout mechanisms, as well as automatic
tracking of miners logging in for duty and logging out from duty.
• Creates a proactive approach to personal safety by identifying if a miner is not moving. Miners who
are trapped or have fainted can be detected by monitoring the movement of miners in real time. If a
miner is not moving longer than a predefined time, steps can be taken to contact the miner.
• During mock evacuation drills and real emergencies, the status of an evacuation can be monitored;
the number of miners reaching the safe assembly zone can be counted in real time.
• Miners can communicate potential danger or send an emergency alert message by pressing call
buttons equipped in the RFID tags.
This chapter, which describes the overall Connected Mining 1.0 system design, including various
functional blocks, their functionality and hierarchical organization, includes the following major
sections:
• End Devices and Clients
• Wireless Access Layer
• Wired Access Layer
• Distribution Layer
• Core Network Layer
• Data Center Layer
• System Components
Connected Mining 1.0 is a solution from Cisco, in partnership with AeroScout Industrial, for the
real-time asset location tracking and remote telemetry data monitoring requirements in mines, as shown
in Figure 3-1.
[Figure 3-1: system diagram. Labels recovered from the diagram: stacked Cat 3750-X; IE2K access switches in REP rings with wireless mesh; RAPs; SSID 1; fixed clients; Mining Zone.]
MobileView Clients
MobileView clients are software clients that run on standard laptops, phones, Apple iPads, or PCs.
MobileView clients connect to a MobileView server to display the asset location, maps, alerts, events
and to generate reports. It is expected that MobileView clients will be available at various parts of the
mines.
Exciters
AeroScout Industrial Exciters are mounted at predefined locations such as the entry and exit of various
zones for identifying an asset's precise location. Exciters provide an immediate indication of a tracked
asset or person's location and status for enhanced monitoring and identification purposes. The Exciters’
detection capabilities leverage the same tags and Wi-Fi network for location tracking. Exciters use low
frequency signals to trigger AeroScout Industrial tags as they pass within the range of an Exciter. The
tag then transmits a message that is received by standard Wi-Fi access points. This helps to detect the
accurate location of the tag.
Distribution Layer
The distribution layer interfaces between the access layer and the core layer to provide many key
functions, including:
• Aggregating access layer switches
• Providing intelligent switching, routing, and network access policy functions to access the rest of
the network
• Providing high availability through redundant distribution layer switches in StackWise mode and
equal cost paths to the core, as well as providing differentiated QoS services to various classes of
service applications at the distribution layer
For Connected Mining 1.0, equipment for the distribution layer and above needs to be placed in an
environmentally controlled location, such as a computer room or data center. Distribution layer
equipment needs to be placed in the proximity of the underground mine entrance.
Prime IP Express
Cisco Prime IP Express provides integrated, high-performance, reliable Domain Name System (DNS),
Dynamic Host Configuration Protocol (DHCP), and IP Address Management (IPAM) services for the
enterprise network.
AeroScout MobileView
AeroScout MobileView is a Web-based software platform for asset location monitoring. It integrates
with the ALE and is responsible for a full range of visualization, reporting, management, and automated
alerting options. It also has the ability to deliver context-aware visibility data from many sources, such
as AeroScout Wi-Fi tags and Wi-Fi clients.
MobileView collects location, status, and condition data of assets; displays it on maps; and reports to the
web browsers or applications on end devices. It aids in automating business processes by generating
alerts and events triggered by asset location, status, and condition. It also has the complete application
solution for Incident Monitoring, Asset Utilization, Worker Safety, and Evacuation Monitoring.
MobileView is comprised of three modules: the Gateway, Asset Manager, and Database.
System Components
This section describes the various components, models and software versions used in the Connected
Mining 1.0 system design.
Cisco Products
Table 3-1 shows the Cisco hardware components used in the system design.
Table 3-1 Cisco Hardware Components
Table 3-2 shows the Cisco software components used in the system design.
Table 3-2 Cisco Software Components
AeroScout Products
The AeroScout hardware components used in the system design include the following:
• T2 tags RFID
• T3 tags RFID
• T5 tags RFID
• Exciters (EX5200R/EX2000B)
Table 3-3 shows the AeroScout software components used in the system design.
Table 3-3 AeroScout Software Components
| Model | Description |
|---|---|
| MobileView | Version 5.0 |
| Location Engine | Version 5.0 |
This chapter describes key design considerations at various layers (wireless access, wired access,
distribution, core, and data center levels) in the Connected Mining 1.0 system architecture. Primary
architectural considerations are described in the following major topics:
• End-to-End System Design
• Services Overview
• Services Flow
• Deployment Models
• System Design Considerations
• Future Readiness Evaluation for a Unified Enterprise and Control Network
• Deployment Examples for Wired Backhaul
• System Design Constraints and Limitations
[Figure: end-to-end diagram of the Mining Zone. Labels recovered from the diagram: standalone RAP; RAPs and MAPs; IE2K switches on a fiber ring with a maximum distance between nodes of 400m; area between REP nodes covered with WMESH; SSID 1; WGB; MV/PI clients connected to WGB; Exciters connected to WGB; Exciter connected to wired backhaul.]
Specifications
• WLC, VSM, MV, PI located in Mine Control zone
• Tag beacons are one directional over CAPWAP
• Maximum 2 hops wireless mesh
• SSID-1 for WGB and MV/PI Clients
Inter-System Interfaces
This section describes the high-level inter-system interfaces between the third-party products and Cisco
components. The main inter-system interface present in this solution is AeroScout components (such
as Exciters and tags) interfacing with the Cisco wireless backhaul. The AeroScout tag's traffic needs to
be recognized and processed by Cisco APs and should be able to interface with AeroScout Exciters that
are connected to the network.
process them. When the Cisco AP receives beacons from AeroScout tags, it measures the RSSI and
appends this data to the received packet and forwards to the Cisco WLC over a CAPWAP tunnel.
Figure 4-2 shows the capture of a Lightweight Access Point Protocol (LWAPP) frame (this is replaced
by CAPWAP in later versions).
As the packet is embedded in CAPWAP, the Layer 2 multicast address is not exposed to wired backhaul
or to the REP ring in the network. This Layer 2 multicast packet is intercepted and consumed by the
controller. Further, Cisco MSE queries the WLC at regular intervals to get the tag’s information from it,
which in turn sends this data to AeroScout Location Engine/MobileView. When multiple APs receive
the same tag signal, each of them computes the RSSI and reports it. The data is then used to determine the
location of the tag.
Tag Activators
Tag Activators communicate with the Tag Manager to detect, configure, program, activate, and
deactivate tags. Tag Manager is an AeroScout Industrial application installed on a Windows machine,
which communicates with the Tag Activators via a direct or Ethernet network connection. Tag Activators
send commands to tags at 125 kHz; tags reply at 2.4 GHz using Wi-Fi. Tags are programmed before
being deployed in the field. Tag Managers and Tag Activators are not connected to the mining networks.
[Figure: MobileView data flow diagram. Labels recovered from the diagram: Location Data Source; JMS Queue; Location Reports; Cache; Asset Manager; Last Location; Events; Event Engine; Alerts; Reports; Channel Distributor; Status changes; Old Locations; OLAP DB; MV Database.]
The Asset Locator provides instant visual access to all mining assets' location and status information,
and the ability to view the entire site and drill down to particular locations. The Asset Locator offers a
feature for finding and viewing assets on maps and enables customization of how assets and alerts on
maps are viewed.
MobileView Alert Manager offers the ability to fundamentally transform business processes by bringing
real-time location and status-based alerts about assets directly to users through virtually any channel.
Users can configure a wide variety of context-based events, using asset type, location, and condition.
When the conditions of those events are met, they automatically trigger a variety of alerts (both internal
and external). Alerts can be configured to be sent by various means such as e-mail, JMS Queue, XML
message, Web Service, and HTTP post. The following event types are supported:
• Entrance/Exit
• Location Changed
• Escort
• Overflow/Shortage
• Dwell/Absence
• Battery Level
• Telemetry
• Tamper
• Temperature
• Humidity
• Call Button
• Out of Sight/In Sight
• Tag Message
• Par Level
MobileView's standard report set offers the flexibility to generate instant reports on demand or to
pre-define report criteria and then specify a schedule by which to save or e-mail the finished reports.
Reports are available in a variety of formats, such as CSV, PDF, and HTML. In addition, MobileView
offers the ability to quickly and easily create customized reports. The following reports are available:
• Temperature Report
• Events Report
• Battery Status Report
• Temperature/Humidity Report
• Temperature/Humidity History Report
• Temperature/Humidity Events Report
• Temperature/Humidity Summary Report
• Asset Utilization by Business Status
• Asset Utilization by Location
• Asset Location Summary Report
• All Assets Report
• Out of Sight Report
• Par Level Summary Report
• Par Level History Report
Services Overview
The Connected Mining Release 1.0 system proposes a scalable and resilient network design
supporting the following services:
• Wireless connectivity throughout the underground mine
• Real-time location services of tags by carrying tag traffic to MobileView
• MV/PI client access to MobileView and Cisco Prime Infrastructure across the mine
SSID Considerations
Within the mining zone, a single SSID-1 is configured with WPA2-802.1x authentication in WLC for
MV/PI Client and WGB association.
VLAN Considerations
The recommendations for system-level VLAN configurations, with specific VLAN information listed in
Table 4-1, are as follows:
• The WLC management interface and AP Manager are configured in VLAN 50 so that all MAPs, which are
configured in VLAN 10, create a CAPWAP tunnel with the WLC.
• VLAN 40 is configured for the SSID-1 by which MV/PI Wireless clients and WGB are associated.
• No VLAN is configured for wired clients connected to WGB. MV/PI Clients and Exciters traffic
connected to WGB's wired ports will use the configured SSID-1 VLAN (40).
• Fixed MV/PI Clients, which are connected to IE2K/3K, are configured with 802.1x authentication,
and put in Pre-auth VLAN. After successful authentication, MV/PI Clients are put in Service VLAN
41.
• VLAN 60 is configured on access ports where Exciter is connected.
• All access, core devices, and data center systems are part of Management VLAN 70.
| Device | VLAN |
|---|---|
| WLC Management/AP Manager Interface | 50 |
| Enterprise-SSID-VLAN (MV/PI Wireless Clients and WGB) | 40 |
| Data Center Enterprise VLAN | 30 |
| Access Point VLAN | 10 |
| Exciters connected to IE2K/3K | 60 |
| MV/PI Clients connected to IE2K/3K | 41 |
| Management VLAN | 70 |
| Control-SSID-VLAN | 200 |
| Data Center Control Network VLAN | 910 |
| Control Clients connected to IE2K/3K | 950 |
IP Allocation
| Device/Host | Mechanism | Remarks |
|---|---|---|
| Hosts in data center, access, and core switches | Fixed IP Address | N/A |
| Access points | Dynamic IP Address | Allocate same IP address every time by binding IP address with MAC address at DHCP server. Use a.b.c.0/23 bit mask (510 hosts). |
| Exciter | Fixed IP Address | Use a.b.c.0/24 bit mask (254 exciters). |
| MV/PI clients and WGBs | Dynamic IP Address | Allocate same IP address every time by binding IP address with MAC address at DHCP server. |
SVI interfaces (VLAN 10, 30, 41, 50, 60, 70) and inter-VLAN routing (10-50, 60-30, and 30-41) are
configured in the distribution layer 3750-X switches. SVI interfaces (VLAN 30, 40, 50 and 70) and
inter-VLAN routing (50-30, 40-30) are configured in the core layer 3750-X switches.
DHCP helper is configured with SSID-1 dynamic interface at WLC to cater to DHCP requests for VLAN
40 in CAPWAP packets (wireless clients and WGB clients). Similarly, to cater to DHCP requests for
VLANs 10, 41, and 60 from non-CAPWAP packets (APs, Exciters & MV/PI fixed clients), the DHCP
helper is configured at the respective data center SVI.
Services Flow
The Connected Mining 1.0 system involves the following traffic flows:
• DHCP and CAPWAP Control Traffic Flow for MAPs
• Tag Traffic Flow
• MV/PI Client Traffic Flow
DHCP and CAPWAP Control Traffic Flow for Mesh Access Points
In a Connected Mining network, RAPs connect to the IE 2000 in a separate VLAN (10) and get IP
addresses from the DHCP server configured in the data center VLAN (30). DHCP packets from APs are
relayed to the DHCP server using an IP helper address configured in AP VLAN SVI of the distribution
switch.
MAPs can use a vendor-specific DHCP Option 43 to join specific WLCs because the WLC is in a
different subnet than the MAP. To facilitate MAP discovery of WLAN controllers that use DHCP Option
43, the DHCP server must be configured to return the WLAN controller management interface IP
addresses based on the Vendor Class Identifier (VCI) of the respective 1550 and 1532 APs.
When the DHCP server sees a recognizable VCI in a DHCP discover from a DHCP client, it returns the
WLC IP address in its DHCP offer to the client as DHCP Option 43.
After the AP knows the WLC management IP address, each RAP/MAP creates a CAPWAP tunnel with the
WLC's AP Manager interface, through which the respective client CAPWAP data traffic flows.
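Because Option 43 decides which controller every MAP joins, the value served in AP VLAN 10 is worth checking against the list of authorized WLC management addresses. The following is an added example, not part of the original guide: it builds and audits the sub-option layout Cisco lightweight APs expect (type 0xf1, a length byte, then one 4-byte IPv4 address per controller). The WLC addresses and payloads are constructed sample values.

```python
import ipaddress

# Sub-option type that Cisco lightweight APs look for inside DHCP Option 43.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(wlc_ips):
    """Return the Option 43 payload (lowercase hex) for the given WLC management IPs."""
    addrs = [ipaddress.IPv4Address(ip) for ip in wlc_ips]
    if not addrs:
        raise ValueError("at least one WLC address is required")
    body = b"".join(a.packed for a in addrs)
    if len(body) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([CISCO_WLC_SUBOPTION, len(body)]) + body).hex()


def decode_option43(hex_payload):
    """Parse an Option 43 payload; accepts plain, dotted or colon-separated hex."""
    cleaned = "".join(ch for ch in hex_payload if ch not in ".: \t")
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) < 2:
        raise ValueError("payload shorter than the type and length bytes")
    sub_type, length = raw[0], raw[1]
    if sub_type != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length == 0 or length % 4:
        raise ValueError(f"length {length} is not a non-zero multiple of 4")
    if len(raw) != 2 + length:
        raise ValueError(f"length byte says {length}, payload carries {len(raw) - 2}")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, len(raw), 4)]


def audit_option43(hex_payload, authorized_wlcs):
    """Compare the controllers offered in Option 43 with the authorized WLC list."""
    allowed = {str(ipaddress.IPv4Address(ip)) for ip in authorized_wlcs}
    try:
        offered = decode_option43(hex_payload)
    except ValueError as exc:
        return {"ok": False, "offered": [], "unauthorized": [], "error": str(exc)}
    unauthorized = [ip for ip in offered if ip not in allowed]
    return {"ok": not unauthorized, "offered": offered,
            "unauthorized": unauthorized, "error": None}


# Constructed sample values: two WLC management interfaces in VLAN 50.
AUTHORIZED_WLCS = ["10.50.0.10", "10.50.0.11"]

if __name__ == "__main__":
    good = encode_option43(AUTHORIZED_WLCS)
    print("expected payload:", good)
    samples = {
        "as designed": "f108.0a32.000a.0a32.000b",      # dotted form, as typed on a switch
        "extra controller": "f1080a32000ac0a80163",     # second address is not a known WLC
        "truncated": "f1080a32000a",                    # length byte does not match the data
    }
    for name, payload in samples.items():
        print(name, "->", audit_option43(payload, AUTHORIZED_WLCS))
```

Run the audit against the value configured on the DHCP server and against the value seen in a capture from VLAN 10; a mismatch between the two points at a second DHCP responder on the segment.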
[Figure: traffic flow diagram. Labels recovered from the diagram: DHCP Helper, VLAN 30; SVI VLAN 30, 40, 50, 70 on the stacked Cat 3750-X (Mine Control Zone); IE2K switches; REP Ring: VLAN 10; RAP and MAPs, SSID-1; MV/PI/Internet client, VLAN 41, 802.1x username; Exciters, VLAN 60, 802.1x MAC addr; Mining Zone.]
1. Unsolicited beacons from tags are received by MAPs and sent across to the WLC in the CAPWAP tunnel.
2. Cisco MSE queries the WLC at regular intervals to get the tag's information.
3. MSE sends this data to ALE/MV in order to compute the location tracking of the tags.
[Figure: traffic flow diagram. Labels recovered from the diagram: DHCP Helper, VLAN 30; SVI VLAN 30, 40, 50, 70 on the stacked Cat 3750-X (Mine Control Zone); IE2K switches; REP Ring: VLAN 10; RAP and MAPs, SSID-1; MV/PI/Internet client, VLAN 41, 802.1x username; Exciters, VLAN 60, 802.1x MAC addr.]
1. MV/PI wireless clients are associated to SSID-1 configured with WPA2-802.1x authentication and
get an IP address from VLAN 40.
2. Traffic from MV/PI wireless clients to the data center is forwarded by the MAP to the WLC in the CAPWAP tunnel.
3. The WLC will de-encapsulate the CAPWAP traffic and put it in SSID VLAN 40.
4. The core switch will further route the traffic to the data center VLAN in order to reach MobileView and
Prime Infrastructure components.
5. The return traffic from the data center component to MV/PI clients will follow the same path as marked
above.
[Figure: traffic flow diagram. Labels recovered from the diagram: DHCP Helper, VLAN 30; SVI VLAN 30, 40, 50, 70 on the stacked Cat 3750-X (Mine Control Zone); IE2K switches; REP Ring: VLAN 10; RAP and MAPs, SSID-1; MV/PI/Internet client, VLAN 41, 802.1x username; Exciters, VLAN 60, 802.1x MAC addr; Mining Zone.]
1. MV/PI wired clients connected to IE2K/3K directly are configured with 802.1x authentication.
Before 802.1x authentication, the IE2K/3K ports are configured in pre-auth VLAN and after
successful authentication, they will be put in Service VLAN of 41. Unauthorized clients do not gain
access to the network.
2. Traffic from MV/PI wired clients to the data center VLAN is routed from the Service VLAN in the
distribution layer switches and reaches the data center VLAN via the core layer switches.
3. The return traffic from the data center component to MV/PI clients will follow the same path as
mentioned above and the bidirectional traffic is marked in Figure 4-6.
[Figure: traffic flow diagram. Labels recovered from the diagram: DHCP Helper, VLAN 30; SVI VLAN 30, 40, 50, 70 on the stacked Cat 3750-X (Mine Control Zone); IE2K switches; REP Ring: VLAN 10; RAP and MAPs, SSID-1; MV/PI/Internet client, VLAN 41, 802.1x username; Exciters, VLAN 60, 802.1x MAC addr; Mining Zone.]
1. MV/PI clients are connected to WGB (819) Ethernet ports. MV/PI wireless clients are associated to
SSID-1 configured with WPA2-802.1x authentication and get an IP address from VLAN 40.
Unauthorized clients do not gain access to the network.
2. Traffic from MV/PI WGB clients to the data center is forwarded by the WGB to the MAP and then to the WLC in the
CAPWAP tunnel.
3. The WLC will de-encapsulate the CAPWAP traffic and put it in SSID VLAN 40.
4. The core switch will further route the traffic to the data center VLAN in order to reach MobileView
and Prime Infrastructure components.
5. The return traffic from the data center component to MV/PI clients will follow the same path as
mentioned above and the bidirectional traffic is marked in Figure 4-7.
Deployment Models
This section illustrates recommended topologies, including wireless and wired access layer models.
Deployment Guidelines
1. Wireless coverage should be available across the mine where tags and assets can reach.
2. Triangulation method is used for location tracking. Tags have a transmission range of 200 meters.
Thus, for better location accuracy with triangulation method, at least three APs should be available
in the vicinity of 200 meters from any location. Refer to Table 4-4 and Table 4-5 for AP deployment
decision and density.
3. Mesh mode is the preferred AP deployment. To keep the mesh convergence time to less than 40 sec,
it is recommended to limit wireless mesh to 2 hops. Also, for video transport over wireless mesh,
Cisco WNBU recommends a maximum of two hops.
4. To avoid SPOF, multiple RAPs that cover a single mesh area/cell should all parent to different access
switches.
5. Similarly, to avoid SPOF, multiple MAPs that cover a single area/cell should all parent to different
RAPs.
6. Wireless deployment best practices are to be followed, such as operating adjacent APs
in different 802.11a channels (for example, channel 153 for AP1 and channel 161 for AP2). MAP
backhaul should be on 5 GHz and access should be on the 2.4 GHz channel. In a unified network where
both enterprise and control traffic coexist, it is preferable to have spectral segregation between
enterprise and control network traffic. Thus, 5 GHz can be shared between MAP backhaul and
enterprise wireless access traffic, whereas 2.4 GHz can be used for carrying the sensitive control
traffic.
AP Deployment Models
Considering that most of the areas in underground mines are tunnel shaped and only a few tens of
meters in diameter, the following deployment models should be followed as a guideline for wireless AP
deployment.
• Local Loop—the area between two adjacent IE2K access switches.
• Cell—the physical boundary of an access point and not the RF coverage area.
• Cell Region—the entire area within a cell.
Each local loop is divided into overlapping cells of 200 meters diameter. The overlapping of adjacent
cells should be 50%. An AP (RAP/MAP) should be placed at the center of each cell. Thus, placing one
AP every 100 meters is recommended. See Figure 4-8.
Figure 4-8 Description of Local Loop, Cell Area, and Distance between Adjacent Cells
[Figure 4-8: row of APs along a tunnel. Labels recovered from the diagram: distance between adjacent APs 100 m; cell area (physical boundary of an AP) 200 m; copper and fiber links.]
1. Wherever a wired (copper/fiber) access point can be placed at the center of each cell of a local loop,
provide wireless coverage for the entire local loop with RAPs. The RAPs of all adjacent cells should
connect to different IE2K switches. Refer to Figure 4-9.
Figure 4-9 IE2K at 400 Meters, All APs are Configured as RAP
2. If all areas can't be covered with wired APs (RAP), then cover the area with a single hop mesh as
shown in Figure 4-10. Adjacent RAPs should be connected to different IE2K access switches. If this
is not practical, then it can be connected as shown in Figure 4-11.
[Figures: single hop mesh layouts. Labels recovered from the diagrams: alternating pairs of MAPs and RAPs along the tunnel; fiber links.]
3. With two hop mesh, a maximum 300 meters can be covered from the nearest RAP. A two-hop mesh
is shown in Figure 4-12.
4. Wired connection should be extended to areas more than 300 meters from the RAP.
Figure 4-12 Recommendation 3: Two Hop Wireless Mesh Covering Nearly 300m
[Figure 4-12: labels recovered from the diagram: alternating pairs of MAPs and RAPs along the tunnel, with a branch of two MAPs reaching 300 m; copper and fiber links.]
| Recommendation Order | Description | Pros and Cons | Requirements |
|---|---|---|---|
| 1 | All APs are configured as RAPs. | No single point failure (IE2K, ring, AP). Sub-second convergence time. Tags and other wireless clients have at least three APs in the vicinity at every place and time. | Access switch within 250m from any location. Fiber availability to connect APs from IE2K. |
| 2 | Single hop wireless mesh. | No single point of failure (IE2K, ring, AP). Mesh convergence time < 20 sec (single hop). Tags can see at least three APs at every place and time. | Access switch within 250m from any location. |
| 3 | Two hop wireless mesh. | For the second hop MAP is the single point of failure. Pockets of location only one MAP can be seen by tags. Mesh convergence time for second hop < 40sec. | Area to be covered is within 300 meters from the nearest RAP. |
The AeroScout Industrial tags have a maximum wireless range of 200 meters with a clear line of sight,
so ideally having APs at every 100 meters gives the best results, both in terms of continuous location
tracking and high availability. This kind of density is needed in all regions where accurate location
tracking and high availability is critical.
In places where high availability is not mandatory, APs can be deployed up to 400 meters distance in the
tunnel. In this case, high availability cannot be provided; that is, if an AP fails, then tags in that area
cannot be tracked. In this system design, the pros and cons for each recommended topology are also
listed so the customer can choose the most suitable option based on their constraints.
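The density rule above (three APs within 200 meters of any location) and the loss of tracking at 400-meter spacing can both be checked for a planned layout before installation. The following is an added example, not part of the original guide: it assumes a straight tunnel modeled as a line, clear line of sight, and constructed AP positions.

```python
# Tag transmission range stated in the guide (clear line of sight), in meters.
TAG_RANGE_M = 200


def aps_in_range(pos_m, ap_positions_m, range_m=TAG_RANGE_M):
    """Count the APs that can hear a tag located pos_m meters into the tunnel."""
    return sum(1 for ap in ap_positions_m if abs(ap - pos_m) <= range_m)


def low_coverage_segments(tunnel_len_m, ap_positions_m, min_aps, step_m=10):
    """Return (start, end) stretches of tunnel where fewer than min_aps hear a tag.

    The tunnel is sampled every step_m meters, so segment edges are accurate
    to one step.
    """
    segments, start, prev = [], None, None
    for pos in range(0, tunnel_len_m + 1, step_m):
        short = aps_in_range(pos, ap_positions_m) < min_aps
        if short and start is None:
            start = pos                      # a low-coverage stretch begins here
        elif not short and start is not None:
            segments.append((start, prev))   # stretch ended at the previous sample
            start = None
        prev = pos
    if start is not None:
        segments.append((start, prev))       # stretch runs to the end of the tunnel
    return segments


def single_failure_report(tunnel_len_m, ap_positions_m, min_aps, step_m=10):
    """For each AP, list the stretches that drop below min_aps if that AP fails."""
    aps = list(ap_positions_m)
    report = {}
    for i, failed in enumerate(aps):
        survivors = aps[:i] + aps[i + 1:]
        gaps = low_coverage_segments(tunnel_len_m, survivors, min_aps, step_m)
        if gaps:
            report[failed] = gaps
    return report


# Constructed layouts: one 400 m local loop with an AP every 100 m, and an
# 800 m tunnel with APs 400 m apart (the spacing without high availability).
DENSE_APS = [0, 100, 200, 300, 400]
SPARSE_APS = [0, 400, 800]

if __name__ == "__main__":
    print("dense, fewer than 3 APs:", low_coverage_segments(400, DENSE_APS, 3))
    print("dense, untracked after one failure:",
          single_failure_report(400, DENSE_APS, 1))
    print("sparse, fewer than 3 APs:", low_coverage_segments(800, SPARSE_APS, 3))
    print("sparse, untracked after one failure:",
          single_failure_report(800, SPARSE_APS, 1))
```

With `min_aps=3` the report shows where triangulation accuracy is lost; with `min_aps=1` it shows where a tag, and therefore a miner, cannot be tracked at all.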
If continuous location tracking is not needed and zone-based tracking is sufficient, then install an Exciter
at the entry and exit of each zone. Within 200 meters from the Exciter, one or two APs need to be
installed depending on whether high availability is needed or not, as shown in Table 4-4.
Table 4-4 Exciter and Access Point Deployment Decision Table
[Figure: topology diagram; segment labels 400 m.]
2. If the underground mine length exceeds 5 km, multiple rings can run in parallel, all of them
starting and terminating at the distribution switch. In this topology (when two rings are running in
parallel), the access switch can be connected to alternate rings at alternate hops. For example, at
hop-1, the access switch is connected to ring-1; at hop-2, the access switch is connected to ring-2. This
provides additional redundancy against a ring failure. Refer to Figure 4-14.
[Figure 4-14: topology diagram; segment labels 800 m.]
3. If the underground mine has multiple floors and each floor has a tunnel, a separate ring should be
laid for each floor, each ring starting and ending in the distribution switch. Refer to Figure 4-15.
Figure 4-15 Recommendation-1c—Multi Level Mine One Ring per Level (All Rings Terminate at
Distribution Switch)
[Figure 4-15: topology diagram; segment labels 400 m.]
4. If a ring cannot reach an area in the mine and the area to be covered is larger than the recommended
wireless cell area, then the wired LAN connection should be extended from the nearest IE2K/IE3K
access switch as a hub-and-spoke or star topology. Port channeling should be configured to protect
from a single link or port failure. IE2K/IE3K switch failures remain a limitation for this topology.
The maximum number of hops with this topology should not exceed a single hop or one local loop,
which is nearly 600 meters (400m local loop + 200m cell area). Refer to Figure 4-16.
Figure 4-16 Extended Wired LAN Connection from the Ring Port Channel for Link Redundancy
[Figure 4-16: topology diagram; segment labels 400 m.]
5. If the area exceeds one local loop, then extending the ring is recommended to cover the area, provide
redundancy, and assure resiliency. If the branch size is greater than a single hop and extension of
main ring is not practical, then subtended rings can be used to cover the branch.
Note: IE2K and IE3K series switches have a maximum of two GE ports, so the subtended ring will be
an FE ring. Refer to Figure 4-17.
[Figure 4-17: topology diagram with a subtended ring; segment labels 400 m.]
Access Switch Deployment Recommendations
Table 4-5 provides a summary of access switch deployment recommendations.
Table 4-5 Access Switch Deployment Recommendations Summary

| Recommendation Order | Description | Outcome Description | Requirements |
|---|---|---|---|
| 1 | Ring topology | 1. Ring topology is preferred as it optimizes fiber requirement in the mine. Also, ring topology with REP gives the fast convergence times. 2. No single point of failure (IE2K, ring, AP). 3. Between 50 to 200msec convergence time. | Fiber ring availability in the entire mine within 250 meters. |
| 2 | Extended wired LAN connection from the ring | 1. Can be used when a sub tunnel size is less than the size of a local loop. 2. Edge access switch and its parent are single point of failure. | Fiber access to extend the ring. |
| 3 | Subtended ring topology | 1. Can be used when the branch size is greater than a local loop and fiber ring is practical. 2. Similar to ring, this has the sub-second convergence time. 3. The network can also tolerate one failure per ring. 4. IE2K and IE3K series switches have maximum 2 GE ports. Thus, subtended ring shall be a FE ring. | Fiber availability to form a ring in the branch. |
Figure 4-18 Collapsed Distribution and Core for Small Mine and Co-Located Data Center
[Figure 4-18: zone diagram. Labels recovered from the diagram: Enterprise Zone (Wide Area Network (WAN), Internet, physical or virtualized servers, ERP, email, enterprise/IT integration, collaboration, wireless); Industrial Demilitarized Zone (Catalyst 2960-X; web, DNS, FTP, patch management, terminal services, data share, Cisco Video Surveillance, application server, AV server); plant firewalls, a failover pair of ASA 55xx-X, providing inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services for remote site access, and portal and terminal server proxy; active set and standby set, each with Cisco Prime/MSE, Cisco WLC 5508, AeroScout MobileView and Location Engine, DHCP server, and ACS, on 1Gb links to the Cat 3750-X distribution layer; IE2K switches in the Mining Zone.]
Figure 4-19 Three Layered for Large Mine/Small Mine with Non-co-located Data Center
[Figure: Enterprise Zone, Industrial Demilitarized Zone, and Mining Zone. Plant firewalls (ASA 55xx-X pair with failover): inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services for remote site access; portal and terminal server proxy.]
Environmental Considerations
Since mines have harsh environmental conditions such as water, high humidity, extreme temperatures,
and vibrations, all equipment used in mines needs to be ruggedized. All wired and wireless access layer
devices need to be Class 1, Div 2 certified. If a device is not Class 1, Div 2 certified, then the equipment
needs to be enclosed in a Class 1, Div 2-certified enclosure.
Antenna Recommendation
Considering that wireless coverage should be available 360 degrees in the underground mine for the tags
and wireless clients to communicate, omni-directional antennas can be used in all APs.
Power Considerations
It is assumed that the underground mine has reliable power availability to connect all wired and wireless
access equipment. A standard power source such as 220/110VAC or 48/24DC is expected. Depending
on the power available, appropriate power adapters can be used to connect the devices.
Some of the end devices, such as 1532 Access Points and video cameras, can be powered over Ethernet
(PoE). The access switches need to have a PoE/PoE+ provision to connect such devices.
Security Considerations
Disruptions in the network create the greatest impact to the safety and functioning of the production
facility and are the primary consideration in the Connected Mining architecture.
• Security needs to be considered at every part of the network. Various security considerations such
as authentication, authorization/access control, encryption, flood control/DoS attacks, rogue
detection, tamper proofing, jamming detection, and disconnection are considered at each part of the
network, and appropriate protection needs to be configured.
• At the same time, security services must not compromise mining operations or pose a threat to the
availability of the network to the clients in the network. The operational overhead should be
minimal.
• The bridged virtual interface (BVI) MAC address for all MAPs and possible failover APs that are
used in the mesh network should be added into the appropriate controller MAC filtering
authorization list. The controller only responds to discovery requests from MAPs that appear in its
authorization list. If the AP has a self-signed certificate (SSC) and has been added to the AP
Authorization List, the MAC address of the AP does not need to be added to the MAC Filtering List.
• All the CAPWAP control packets from the AP toward the controller are by default encrypted using
dynamic transport layer security (DTLS). However, DTLS for data traffic can also be enabled on an
as-needed basis, since enabling DTLS for data traffic affects system performance.
• A MAC ACL on the IE2K will be provided for all Exciters connected to the Ethernet port of the AP.
• The recommended security encryption for all the wireless clients and WGBs associated with the AP
is WPA2-802.1x. An ACS server can be used with any of the EAP methods to authenticate all
wireless clients associated with the AP.
The security considerations at wired access layer are shown in Table 4-6.
Table 4-6 Wired Access Layer Security Considerations
For a description of these switch security features, please refer to Configuring Port-Based Traffic
Control at the following URL:
• http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swtrafc.html
All unused ports should be in shutdown state. DHCP snooping should be enabled on operational ports.
No direct client connections are allowed.
The security considerations at core layer are the same as in the distribution layer.
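The two port rules above (unused ports shut down, DHCP snooping on operational ports) can be checked offline against a saved running-config. The following Python audit is an added example, not part of the Cisco guide; the sample configuration, the IN_USE port inventory, and the function names are constructed for illustration, and trunk or snooping-trusted uplinks are skipped.

```python
import re

# Constructed sample running-config (not from the guide); VLANs are illustrative.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,40-41
interface FastEthernet1/1
 switchport access vlan 41
interface FastEthernet1/2
 switchport access vlan 60
interface FastEthernet1/3
 shutdown
interface FastEthernet1/4
interface GigabitEthernet1/1
 switchport mode trunk
 ip dhcp snooping trust
"""
IN_USE = {"FastEthernet1/1", "FastEthernet1/2", "GigabitEthernet1/1"}  # assumed inventory

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,40-41' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Return (snooping_enabled, snooped_vlans, {interface: [sub-commands]})."""
    enabled, vlans, ifaces, current = False, set(), {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            current = None  # back at global level ("!" or a global command)
            m = re.fullmatch(r"ip dhcp snooping(?: vlan (\S+))?", line.strip())
            if m and m.group(1):
                vlans |= expand_vlans(m.group(1))
            elif m:
                enabled = True
    return enabled, vlans, ifaces

def audit(text, in_use):
    """Return findings for the two port rules; in_use = ports meant to be up."""
    enabled, vlans, ifaces = parse_config(text)
    findings = [] if enabled else ["global: DHCP snooping is not enabled"]
    for name, cmds in ifaces.items():
        if name not in in_use:
            if "shutdown" not in cmds:
                findings.append(f"{name}: unused port is not shut down")
        elif not {"shutdown", "switchport mode trunk", "ip dhcp snooping trust"} & set(cmds):
            # Access port: its VLAN (IOS default 1) must be in the snooped list.
            found = re.findall(r"switchport access vlan (\d+)", "\n".join(cmds))
            vlan = int(found[-1]) if found else 1
            if vlan not in vlans:
                findings.append(f"{name}: VLAN {vlan} not covered by DHCP snooping")
    return findings
```

Calling `audit(SAMPLE_CONFIG, IN_USE)` on the constructed sample reports the access port whose VLAN is missing from the snooping list and the unused port that was left enabled.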
The user authorization function can be used to restrict access to the Location Engine Manager (LEM)
only to the authorized users who can view and manipulate system settings. Allowed user operations can
be defined with this list. The connection between the LEM and the Engine Server can be secured by TLS.
User authentication and assignment of roles (privilege levels) can be done using the Lightweight
Directory Access Protocol (LDAP) server. The connection to the LDAP server can be secured using
secure LDAP. MD5 can be used to ensure integrity of the database connection. The SMTP server
connection can be encrypted using TLS encryption.
QoS Considerations
This section discusses end-to-end QoS considerations in the system. Voice, Video, and Internet Client
traffic types are considered in this section, although they are not scoped in Connected Mining 1.0.
Traffic Types at RAP        Number of Streams   B/W Required (Mbps)   Priority Queuing   Description
RAP control traffic         1                   0.1                   Platinum           Mapped by default
Tag traffic                 500                 0.5                   Platinum           Mapped by default
MAP control                 3                   0.1                   Platinum           Mapped by default
Voice                       10                  1                     Platinum           Voice DSCP value mapped
Video surveillance          1                   6                     Gold               Voice DSCP value mapped

Table 4-7 Traffic Types, Required Bandwidth, and Desired Priority at RAP plus Two Levels MAP

Traffic Types at RAP                        Number of Streams   B/W Required (Mbps)   Priority Queuing               Description
MAP data received at RAP                    2                   23.6                  As per priority queue at MAP   Mapped by default
Total traffic from RAP + 2 connected MAPs                       35.4
SSID-1 is manually configured with the Silver profile so that MP/PI clients connected to SSID-1, WGB,
and AP-bridged port will have priority equivalent to the Silver profile. AP Control Traffic and Tag Traffic
have platinum priority by default. Voice and Video traffic are treated with Platinum and Gold priority,
respectively, which is not in scope for the current release, but will be considered in the future.
Per-user bandwidth rate limiting is configured on the Silver profile in order to limit the bandwidth to up
to 2 Mbps for users connecting to SSID-1. Upstream rate limiting for the priority queues is not supported
on mesh mode APs. The WLC, however, can do upstream/downstream rate limiting on its ingress/egress
ports.
(1) Internal DSCP-to-CoS mapping in the AP.
(2) For the bridged port, priority queuing is not supported in Unified Wireless Release 8.0.
Table 4-9 defines the traffic types, bandwidth, and QoS requirements for this system.
Table 4-9 Traffic Types, Bandwidth and QoS Requirements
(1) The traffic calculation is for 100 MV/PI clients, 100 to 125 video cameras, 20,000 tags, and 100 VoIP
calls.
The access layer and core layer switches support QoS at the ingress and egress queues. However, the
Connected Mining architecture and design does not specify ingress QoS for deployment; egress QoS
alone is sufficient.
For the wired clients connecting to the access switch, an 802.1x authentication access_accept message will
be received and the Cisco Auto SmartPort macro will be invoked, which will configure the switch port with
the DSCP value. For clients such as Exciters that don’t support 802.1x, MAC Authentication Bypass (MAB)
is used and the same method as above is followed. The repository of MAC addresses is maintained at the
Cisco Access Control Server (ACS).
Table 4-10 captures the mappings of DSCP/CoS value, bandwidth, and buffer allocation to the individual
queue.
Table 4-10 Egress QoS for Access, Distribution, and Core Switches (IE2K/IE3K and 3750-X)
[Figure: egress port with queues Q1, Q2, Q3, and Q4 serviced by SRR]
QoS at the distribution layer is the same as for the wired access layer.
QoS at the core layer is the same as for the wired access layer.
The data center is a non-blocking network. No specific QoS considerations exist at the data center. For
downlink QoS, refer to Table 4-11 above.
• To maintain high probability of delivery, the beacons from tags should reach more than one AP from
any given place at all times.
• More than one AP should broadcast the same SSID in a given area for the client to switch over
during AP failure.
• Adjacent RAPs should connect to different access switches to avoid the access switch being a SPOF
for covering an area.
• MAPs should have at least two neighbor RAPs in the vicinity that are connected to different access
switches. The neighbor RAPs should operate in different channels.
Location Engine
High availability is deployed at the level of the VM. The VM environment is set to duplicate the machine
in case of a failure. In the event of a physical server failure, affected VMs are automatically restarted on
another production server with spare capacity. This production server will come up with the same IP
address. In the case of operating system failure, vSphere high availability restarts the affected VM on
the same physical server. At any given point, only a single virtual machine is up and a single Advanced
Encryption Standard (AES) is running. On a VMware ESX that uses cluster high availability, the
minimum requirement is 8 GB reserved RAM.
MobileView
MobileView high availability is provided at individual module levels—Gateway and Asset Manager.
• Gateway—To ensure high availability, install two gateways. The gateways are configured in active,
stand-by mode. The gateways that form the active-standby pair are defined as a group. When two
gateways are in a single group, both receive location data from the Location Engine, but only one
passes location reports to the Asset Manager server, ensuring the reception of location reports if at
least one gateway in the group is operational.
• Asset Manager—Asset Manager high availability involves two components: Location Report
Detector (LRD) and Web. To provide high availability, two Asset Managers are configured in
clustered mode. At any point, only one node will contain an active LRD, while the other node
remains passive. The passive node will be activated only when the active node fails to report. The
passive node’s data stays up-to-date because the passive nodes receive updates from all the domain
objects at the cache level (just as the active nodes do). This means that at all times the passive nodes
are synchronized with the active nodes, allowing users to be directed to either node.
Approximate BOM
Number of APs needed to cover 100% area in underground mine (one AP per 100 meters)      50      500
Number of IE2K switches one per 400 meters      12      120
Number of REP rings      1 to 4      10
Number of 12 port 3750-X switches needed at Distribution with StackWise configuration      2 1 G uplink      2 per site
Number of 12 or 24 port 3750-X switches needed at Core configured in StackWise mode      2
Table 4-13 summarizes the VM requirements for various applications in the data center. These numbers
are taken based on the recommendations given in the installation and operation guide of respective
products.
Table 4-13 Various Data Center Applications and Their Virtual Machine Requirements
Thus, 34 vCPUs, 72 GB RAM and 2.2 TB disk space are needed for all data center applications. With 1+1
redundancy, this requirement doubles; that is, 68 vCPUs, 144 GB RAM and 4.4 TB disk space.
One UCS-C220M3 LFF box has (UCS-CPU-E52660B) 20 CPU cores, out of which two CPU cores are
reserved for the hypervisor. The remaining 18 CPU cores can be used by applications. Up to four SAS
drives with 1 TB (UCS-HDD1TI2F212) each are supported. With RAID5, three drives per box are
needed. Thus, per box, 2 TB disk space will be available. The above requirements, including redundancy,
can be met with four UCS-C220M3 LFF boxes. The applications can be scaled with additional VMs in
the future. The operating system to be used is Windows 2012. External SAN storage is not considered
for the current phase.
Traffic Segregation
It is important to segregate control and enterprise traffic end-to-end. This is needed from both a security and
a QoS perspective. Segregating control traffic from enterprise traffic at the wireless access level, at the wired
backhaul transport, and in the data center is preferred. Thus, contention is avoided and dedicated
bandwidth is available for the control traffic at all times.
In many deployment scenarios, the control clients will connect to WGB-1532 with a wired interface.
WGB associates to RAP using the Control SSID over 2.4GHz.
The MAP’s AP group will broadcast only Enterprise SSID over 5GHz. Control clients are restricted to
associate only to RAPs due to the convergence limitation of MAPs. To receive tag beacons, MAPs also
enable 2.4GHz on the access. However, no SSID is broadcast on 2.4GHz at the MAP.
Thus, enterprise client and tags can roam across RAPs and MAPs. Control clients are restricted to RAPs
only due to their stringent convergence time requirement.
[Figure: traffic segregation from the Mining Zone through the IE2K REP ring and WLC to the IDMZ (RAS/ACS, VPN) and data center (Location Engine, MobileView, MSE, Prime, DHCP, VSM). Labels in the figure: REP Ring: VLAN 10; LWAPP VLAN 40, 50, 200; LWAPP VLAN 41 (MV/PI/Internet client, 802.1x username); VLAN 60 (Exciter, 802.1x MAC addr); VLAN 950; 2.4 GHz RAP; 5 GHz SSID-1 at MAP.]
Traffic Type (Generic Name Used)   DSCP (Default)   CoS Mapping (1)   WMM Queue (AC) (2)
Platinum rated                     48               6                 AC_VO
Gold rated                         46               5                 AC_VI
Silver rated                       34               3                 AC_BE
Bronze rated                       0                0                 AC_BK
(1) Internal DSCP-to-CoS mapping in the AP.
(2) For the bridged port, priority queuing is not supported in Unified Wireless release 8.0.
Table 4-15 Control Traffic CoS Classification at IE2K
Deployment Example 1
Figure 4-23 shows the wired backhaul connectivity in a multi-floor mine having vertical and horizontal
shafts. Each floor is covered with a horizontal shaft. Multiple tunnels in the same floor join at the
horizontal shaft. The mine is covered with one main ring per floor and multiple subtended rings, one per
tunnel as depicted. Main rings are 1 Gbps, terminating at the distribution switch, and subtended rings are
100 Mbps, terminating at IE2K/IE3K switches. Wireless access is provided across the mine by RAPs
and MAPs connected to the wired backhaul, which is not shown.
Figure 4-23 Multi-Floor Underground Mine Covered with Main and Subtended Ring
[Figure: main rings labeled 1 Gbps and subtended rings labeled 100 Mbps; callouts "<300m wireless coverage" and ">300m extend wired network, no service disruption during extension"]
Deployment Example 2
Figure 4-24 shows the wired backhaul connectivity in a multi-floor mine. Here each floor is covered with
a ring terminating at the distribution switch. The end of the tunnel, where active digging is in progress,
is covered with wireless MAPs. Wherever wired backhaul is available in the vicinity, wireless access is
provided with RAPs. The wireless coverage is not shown.
Figure 4-24 Multifloor Underground Mine Existing Tunnel Covered with Wired Backhaul and Active Mining Area Covered with Wireless
[Figure: callouts "< 300m Wireless" and "> 300m Wired"]
Deployment Example 3
Figure 4-25 shows the wired backhaul connectivity in a multi-floor mine. Here a main shaft connects to
multiple tunnels. The main shaft is covered with a wired ring. Short tunnels are covered with a wireless
mesh and wired subtended rings are used to cover long tunnels. Wireless access points connect to access
switches connected on the main ring or on the subtended ring.
Figure 4-25 Short Tunnels Covered with Wireless and Long Tunnels Covered with Subtended Ring and Wireless
[Figure: rings labeled 1 Gbps and 100 Mbps; callout "< 300m wireless"]
This appendix shows a comparison of the AeroScout Industrial tags (Table B-1) and then compares the
same tags relative to use cases (Table B-2).
A
AC access category
AP access point
B
BPDU bridge protocol data unit
C
CAPWAP Control and Provisioning of Wireless Access Points
D
DTLS dynamic transport layer security
I
IDS Intrusion Detection System
L
LAP Cisco Aironet Lightweight APs
M
MAP mesh access point
N
NMSP Network Mobility Services Protocol
O
OVA Open Virtualization Archive
P
PI Cisco Prime Infrastructure
R
RAP root access point
S
SSC self-signed certificate
T
TACACS Terminal Access Controller Access Control System
U
UDP User Datagram Protocol
V
VCI Vendor Class Identifier
VM virtual machine
W
WGB Workgroup Bridge