Networking

Enlighted’s Wireless Architecture

The Best of Both Worlds: a physically-wired connection for critical functions (controls) and wireless functionality for non-critical reporting (data collection, monitoring, analytics).

While other “intelligent lighting systems” completely rely on the wireless network to control lighting from the centralized or distributed system, Enlighted’s Smart sensors are hard-wired to each individual fixture.
Enlighted’s intelligent lighting controls solution hardwires control over dimming and other functional aspects of lighting while using its wireless network for monitoring and data collection. In this way, lighting performance is independent of wireless network performance. Once loaded with their individual automation profiles, Enlighted’s Smart Sensors make locally optimized decisions ensuring safety, occupant comfort, and energy savings in a distributed, fault-tolerant architecture.

Other lighting control systems completely rely on the wireless network to control equipment at the light fixture from a centralized or distributed system. As a result, they are prone to malfunction when the wireless network suffers from RF interference and disruptions. Should an Enlighted wireless network be disrupted, there may be a delay in data transmissions, but lighting levels and resultant energy savings would be preserved. Furthermore, Enlighted Smart Sensor transmissions place only minimum requirements on the network in terms of latency and bandwidth.

The No Disruption Solution: With a centralized control system, if the wireless controller is malfunctioning or simply powered off, the lighting system does not work. With Enlighted’s distributed system, lighting control maintains performance when the wireless network is down. Energy savings, occupant comfort, and productivity are not disrupted. Neither the facility nor IT teams are disrupted.

ZigBee and Wi-Fi’s Problematic Co-existence

Wi-Fi (IEEE 802.11 WLAN) and ZigBee (IEEE 802.15.4 WPAN) operate in the 2.4GHz license-exempt band. Wi-Fi is designed for Internet access, video streaming, etc., whereas ZigBee targets low duty-cycle monitoring and control applications such as health care and home/industrial automation. They may run simultaneously and in close proximity within buildings. Signal interference between Wi-Fi and ZigBee has been extensively reported by both industry groups and academic research communities. Under light Wi-Fi traffic, ZigBee is known to suffer less from the collision with Wi-Fi and can recover loss via retransmission [2], [3]. However, under moderate to high Wi-Fi traffic, ZigBee performance has proven to be less reliable. Furthermore, a channel assignment strategy does not work with modern Wi-Fi implementations that are channel bond (for 802.11n) and channel hop that use the entire spectrum.

Enlighted’s Enhancements for Better Co-existence with Wi-Fi

ZigBee/IEEE 802.15.4 chip vendors have data rates available up to 2Mbps -- more than 8 times the 250Kbps limitation imposed by ZigBee. Enlighted leverages this higher data rate to improve network performance. With ZigBee/IEEE 802.15.4 chips, the air is shared. The less amount of time medium and large packets are in the air, the possibility for transmission to be interrupted (by signal collision and available bandwidth reductions) is greatly reduced.

The Enlighted Wireless Network is designed to consume very little airtime (data transmission only), thus reducing the probability of collision with Wi-Fi traffic.

History

Enlighted was founded by networking experts who have worked at companies like Cisco, Cabletron, 3COM, Novell, Intel, Tropos and Trapeze with decades of experience in scalable, reliable and secure networking. The Enlighted team evaluated all of the known state-of-the-art Ethernet, Powerline and wireless networking options before deciding upon an approach. When they weighed ease of deployment, power consumption, security, robustness and cost, the wireless option struck the best balance of these factors.

The Enlighted Wireless Network is based on the IEEE 802.15.4 standard and operates in the 2.4 GHz ISM spectrum. As an open standard, IEEE 802.15.4 is one of the only reliable and low-cost networking options available today.

Future Compatibility of Enlighted’s Architecture / Upgradeability

Enlighted uses hardware supporting a version of IEEE 802.15.4 that is capable of being upgraded to support ZigBee/ZigBee PRO and 6LoWPAN network stacks in the future.

Summary

	Enlighted	ZigBee	Comments
Physical and MAC layer	IEEE 802.15.4	IEEE 802.15.4	Standard – for 6LoWPAN also
Data Rate(100-byte airtime)	1 Mbps(1 ms)	250 Kbps(4 ms)	Lower data rate causes 4x the interference with Wi-Fi because packets are in the air longer
Security	AES-128	AES-128	Very secure encryption
Solution Architecture Benefits	Distributed No network dependency Immune to interference	Controller-based Network dependent Interference can cause failure	Makes the wireless issue moot
Upgradability	Fully upgradeable software. Network stack can be replaced by ZigBee, 6L0WPAN, other	End-points have limited upgradeability	As standards converge, Enlighted’s deployed HW is ready to support them

References

[1] Cooperative Carrier Signaling: Harmonizing Coexisting WPAN and WLAN Devices Xinyu Zhang and Kang G. Shin Department of Electrical Engineering and Computer Science - University of Michigan

[2] Crossbow Technology Inc., “Avoiding RF interference between Wi-Fi and ZigBee,” Technical Report, 2004.

[3] Schneider Electrics, “ZigBee Wi-Fi Coexistence,”http://www.ZigBee.org/LearnMore/WhitePapers.aspx,

[4] Gummadi, H. Balakrishnan, and S. Seshan, “Metronome: Coordinating Spectrum Sharing in Heterogeneous Wireless Networks,” in First International Workshop on Communication Systems and Networks (COMSNETS), 2009.

[5] C-J. M. Liang, N. B. Priyantha, J. Liu, and A. Terzis, “Surviving Wi-Fi Interference in Low Power ZigBee Networks,” in Proc. of ACM SenSys,

[6] S.Pollin, I. Tan, B. Hodge, C. Chun, and A. Bahai, “Harmful Coexistence Between 802.15.4 and 802.11: A Measurement-based Study,” in Proc. of CrownCom, 2008.

[7] J-H. Hauer, V. Handziski, and A. Wolisz, “Experimental Study of the Impact of WLAN Interference on IEEE 802.15.4 Body Area Networks,” in Proc. of EWSN,

Downloads

Network Topology Options

The network topology diagrams provided below show how the network components should connect to each other. These diagrams have been designed to be as generic as possible and hence have been simplified. As a result, the diagrams may exclude details specific to a particular type of implementation.

The Enlighted network provides the following three topology options.

1. Manage On-Premise with Independent Gateway Network (DHCP from Manage)
2. Manage On-Premise with Gateways on Customer Network (DHCP from Customer)
3. Manage in the Cloud 

The following table summarizes the various network configurations and supported applications.

In all cases, Manage is not to be addressable outside a local area network.

Network Configuration	Gateway Network	DHCP Provider	Manage Internet Connection	Connected Lighting	BACnet Integration	Space	Location Intelligence (RTLS)
1. Manage on Premise	Independent	Manage	Customer Network or 4G
2. Manage on Premise	Customer	Customer	Customer Network
3. Manage in Cloud	Customer	Customer	Customer Network

The network topology diagrams for each of the above options are detailed below.

1. On-Premise Manage with Independent Gateway Network
    (DHCP from Manage)

2. On-Premise Manage with Gateways on Customer Network
    (DHCP from Customer)

3. Manage in the Cloud

Recommended articles:

• Assigning Network IP Addresses (for on-premise Manage Server)
• Network and IT Design Guidance

Network and IT Design Guidance

Contents:

• Overview
• Wireless Network Overview
• Coexisting with Wi-Fi
• Channel Selection
• Low Airtime Consumption
• Interference Tolerance
• Enlighted Network Design Guidelines
• Sensors, Plugloads, and Switches
• Gateways
• Hopper Guidelines
• Manage
• On-Premise Manage
• Deployment
• Manage in the Cloud
• Enlighted Security
• Physical Security / Onsite Network Security / Wireless Security /Multi-site Security
• Network Topology Options

Overview

The feature that most differentiates Enlighted Lighting Control from other wireless, networked building management solutions is the autonomy of Enlighted sensors. Each Enlighted sensor is a full-fledged computing and communications device that controls light levels locally. With the bulk of control instructions transmitted over a wired connection to the control unit and ballast, traffic on the Enlighted wireless network is kept minimal.

Wireless networking is used mainly to gather and transport energy, environmental, and occupancy data to Enlighted Manage. Manage provides an interface to the sensor network, simplifying configuration and lighting behavior management and data monitoring and reporting.

Enlighted sensors communicate with Manage through the Enlighted Gateways using the IEEE 802.15.4 wireless communication protocol that includes AES encryption to ensure secure links. The communication between Manage and the Gateway is done using SSL (TLS) encryption over Ethernet (TCP/IP).

The on-premise Enlighted Manage may be on the customer IT network or a stand-alone network. Manage in the Cloud must be on the customer network. All of the Manage configurations may be connected to the Enlighted Cloud (eCloud). The Enlighted Manage's intuitive graphical user interface can be accessed via a standard secured browser connection. Manage integrates seamlessly with Building Management Systems (BMS) using well-defined REST APIs and BACnet interface. The figure below provides an overview of the on-premise network design.

Wireless Network Overview

The Enlighted wireless network is based on the IEEE 802.15.4 standard and operates in the 2.4 GHz ISM spectrum. Both Wi-Fi (802.11) and IEEE 802.15.4 have the IEEE 802 family of wireless standards in common and share the same radio spectrum. A Co-existence Assurance document ensures that the IEEE 802.15.4 standard coexists with existing 802 standards when operating at the same time.

Please avoid using Enlighted Channel 15.

In addition to coexisting with existing networks sharing the radio spectrum, security is another critical aspect of any wireless network. A secure network will be resistant to intrusion from external networks and prevent the use of the network to intrude upon other external networks. The Enlighted wireless network addresses security through strong encryption (AES 128) and isolation from IT networks.

Coexisting with Wi-Fi

The Enlighted wireless network employs three techniques to either eliminate or drastically reduce its impact on Wi-Fi networks:

• Channel Selection: This technique involves identifying Enlighted wireless network channels that do not overlap with the current Wi-Fi deployment.
• Low Airtime Consumption: The Enlighted wireless network is designed to consume very little airtime during steady-state operation, significantly reducing the probability of collision with Wi-Fi traffic.
• Interference Tolerance: Enlighted's wireless network is designed to work reliably despite encountering some interference.

Channel Selection

As shown in the figure below, IEEE 802.15.4 channels are narrower than Wi-Fi channels and are meant to fit between the commonly used US Wi-Fi channels 1, 6, and 11. In other regions where the Wi-Fi channels 1, 5, 9, and 11 are commonly used, the channels can be selected to fall on the Wi-Fi channels' edges to minimize interference. In most regions, Enlighted channel 15/IEEE802.15.4 and channel 26 do not overlap with any Wi-Fi channel that is used.

Low Airtime Consumption

Enlighted recognizes that it is not always possible to select non-overlapping channels. Many Wi-Fi access points aggressively use the available spectrum to maximize performance. The Enlighted wireless network is designed to send two messages every five minutes per sensor to coexist with such solutions. The following example shows the airtime consumption for a 50,000 square-foot installation.

Airtime Consumption = # sensors*msgs_per_sensor*airtime_per_msg/5mins*100%
 50,000 square feet = 500 sensors
 1.5 ms of airtime per message
 Airtime Consumption = 500 * 2 * 1.5ms/5mins * 100%
 Typical Airtime Consumption = 0.5%

With such low airtime consumption, the Enlighted wireless network will easily coexist with Wi-Fi networks whether or not non-overlapping channels are used.

Interference Tolerance

In addition to ensuring that there is no impact on Wi-Fi installations, the Enlighted wireless network must be tolerant of these Wi-Fi networks' interference. The selection of non-overlapping channels serves to avoid the potential problem. Also, the Enlighted solution is designed to be less tolerant. The Enlighted wireless network protocol increases transmission reliability using acknowledgments and packet re-transmission. As a result, when a packet is lost, the loss is detected and corrected through re-transmission. Additionally, the Enlighted solution is designed to perform lighting control without requiring network communication. In the event of a complete wireless failure, lighting control will continue to operate.

Enlighted Network Design Guidelines

Designing the Enlighted system is easy as long as you follow the best practices for each of the individual components in the Enlighted network.

Sensors, Plugloads, and Switches

Enlighted recommends one sensor per 100 sq. feet for full visibility of the building area. The Enlighted sensor captures data in a ~100 sq. feet area beneath it and utilizes it to model the environment and activity in the space. Areas without sensors will not have visibility and will be digital blind spots when the Enlighted applications are activated.

Use a wireless switch for each room or area where you would like to have manual control. The sensors in the area are connected to the switch via the Enlighted software allowing for a wide variety of configurations and groupings to meet your design goals.

Plug load circuits that require occupancy-based control need one Enlighted Plug Load Control device per 20Amp circuit controlled.

Gateway

Wireless signal strength between the sensors and gateways varies depending on the environment. However, signal strength is typically dependable at a 150 to 180-foot radius. Between 180-200 feet, operations become unstable, and only fixture statistic communication works well. After 200 feet, none of the communications are dependable or predictable.

The Enlighted Gateway can support up to 100 connected devices per Gateway for lighting and energy applications and real estate occupancy analysis. Enlighted recommends designing the system with one Gateway per 100 connected devices, including plugloads within a 150-foot radius of the Gateway. For real-time location services such as Enlighted Where application, limit the maximum number of sensors per Gateway to 50 since these applications have a higher bandwidth network usage. Designing the network to operate at 80% full capacity will ensure a robust network to accommodate any signal transmission losses or future addition of devices to the network.

For applications using the Surface sensors, USB, for desk occupancy and ceiling sensors located in the same space, Enlighted recommends not more than 100 sensors per Gateway.

Consider the number of obstacles, building material types, and quantities in your project when considering Gateway count and location. As a rule, if you have to penetrate more than three walls or barriers with the signal, reduce the communication range to be lower than a 150-foot radius between the devices and the Gateway.

Refer to a detailed calculation of 2.4 GHz signal transmission losses through common building materials here: http://www.am1.us/Protected_Papers/E10589_Propagation_Losses_2_and_5GHz.pdf

For multiple floor projects, connect gateways to sensors on the same floor.  For a robust wireless network, distribute Gateways equally throughout the space for the Enlighted system to communicate. When possible, locate Gateways at the intersection of hallways and openings of corridors.

Hopper Guidelines

Within the wireless network, sensors can be enabled as signal repeaters, or hoppers, to carry data to the Gateway. There is no technical limitation regarding how many hoppers can connect to the Gateway.  However, the use of hoppers in installations less than 12’ will create wireless congestion on the 802.15 network. Hoppers are jammers and installations with high sensor densities, the sensors closest to the hopper will experience higher data loss.

For Outdoor installations, all sensors can be configured as hoppers when sensors are spaced at 40’ or more.  For sensors placed less than 40’ apart, consider enabling every other sensor to be a hopper to avoid data loss.

Firmware Upgrades on Hoppers

Doing firmware upgrades for hoppers in indoor installations chokes the network. Hence it is not recommended. Instead, disable the sensors as hoppers before upgrading the firmware. However, since the likelihood of collision is very small for outdoor installations, it is okay to upgrade firmware in sensors configured as hoppers.

RTLS Applications:

Avoid configuring sensors as hoppers in RTLS installations. If there are communication issues reaching some devices, then additional Gateways should be added to reach the problematic sensors reliably.

Hopper Design:

Whether it is an open office space or a more segmented kind of building, it is best to use a quadrant design style to logically divide the building into quarters or appropriately segment it based on sensor count and gateway position. The hoppers should be positioned in each quadrant within the gateway zone. For example, it should look like the number five on dice with the Gateway in the middle, as shown in the figure below. This design will ensure good connectivity and a high level of reliability in the design. Note that increasing the number of hoppers beyond what is required for connectivity will limit the network performance.

Manage

The Enlighted Manage can be located on-premise and connected to the Enlighted Cloud (eCloud) or can reside in the cloud as 'Manage in the Cloud'. The Enlighted Where app requires Manage. The Enlighted Space application works with the on-premise Manage connected to eCloud.

On-Premise Manage

The on-premise Manage servers are available in three ruggedized platforms: a Celeron based server providing support for 1500 sensors, a mid-range i7 based server supporting up to 5000 sensors, or an Enterprise option providing support for up to 18000 sensors on a single server.

The figure below shows a typical on-premise Manage connected to the Enlighted Cloud (eCloud). eCloud provides data resiliency, remote access and diagnostics, and the opportunity to upgrade to Space.

To program the network ports and DNS address, set up the Manage network, as shown below. The two Ethernet interfaces available are the Gateway network and the Corporate network.

Deployment

The table below summarizes the four deployment options along with the scalability limits when BACnet is included to allow you to make the correct design choice for any given deployment.

Deployment	Product Code	Sensor Licenses Included	Max. Sensor Support	Max. BACnet Point Support	Additional Sensors Product Code
Base Manage	EM-2-02	1000	1500	3500	EM-SW-1 (1 sensor) EM-SW-1000 (1000 sensors)
Midrange Manage	EM-2-03	1000	5000	7000
Enlighted Enterprise Manage (EEM)	EM-03-01	5000	10,000 with BACnet 18,000 without BACnet	35000
Manage in the Cloud	None	0	10,000	Not Supported	EMC-SWC-01

Manage in the Cloud

Starting with version 3.6.1, Manage can reside in the cloud as 'Manage in Cloud'. This is the most preferred option as it is scalable and provides easier administration across multiple sites and Enlighted applications. The figure below shows the network architecture for Manage in the Cloud, along with the other components in the network design:

When Manage is on-premise, it may act as the DHCP server for all Gateways in the network and provide IP addresses. With Manage in the Cloud, the Gateways act as the SSL client, initiate the communication with the cloud and register themselves using the Manage in the Cloud portal. DHCP addressing of the Gateways is done locally. The customer network also needs to provide DNS support to allow the Gateways to communicate with Manage in the Cloud.

All the communication between the on-premise Gateways and Manage in the Cloud is done over HTTPS and the Web Sockets protocol. Encryption is done using SSL (TLS), and all the communication is done using 2048-bit SSL certificates with SHA256 hashing for maximum security. SSL 3.0 has been disabled along with the usage of the older and weak ciphers like RC4-MD5, DES-CBC3-SHA.

Enlighted Security

The Enlighted System incorporates hardware devices, secure communications, user roles, and active monitoring and auditing.

Physical Security

The key information stored in a sensor cannot be retrieved by direct inspection of the sensor's persistent storage or by tracing the execution logic. The on-premise Enlighted Manage is typically installed in a physically secure location, and the Enlighted wireless communication network is physically isolated from IT networks.

Onsite Network Security

All wired communication in the Enlighted system utilizes strong encryption techniques. The communication between Manage and Gateway utilizes SSL (TLS) encryption with 2048-bit certificates and SHA 256 Ciphers. HTTPS communication protocol is used between Manage and web clients.

In all cases, Manage is not to be addressable outside a local area network.

Wireless Security

To prevent intrusion from external networks and being used as an intrusion point, the Enlighted Wireless network is isolated from all IT-managed networks. The Enlighted Manage maintains a strict separation between the wireless network and any external, IT-managed networks. Enlighted wireless network traffic is never routed to the IT networks, and a host on the IT network can never communicate with sensors on the Enlighted wireless network.

In addition to isolation from IT networks, the Enlighted wireless network provides security against tampering through the wireless network. All Enlighted wireless network traffic is AES128 encrypted to prevent snooping and tampering. The commissioning process of the wireless network assigns a Network Key and Network ID. The value of both the Network Key and Network ID (as well as the wireless 802.15.4 channel) must be known to communicate with commissioned devices in an Enlighted wireless network. Thus, it is not possible to take a commissioned sensor from one Enlighted wireless network where the Network ID and key are known and use it in another Enlighted wireless network where the Network ID and Key are not known. Additionally, the likelihood of tampering with the Enlighted wireless network is low due to the lack of availability of 802.15.4 interfaces for laptops and hand-held devices.

Multi-site Security

Enlighted supports large campuses consisting of multiple buildings. These can be viewed and administered seamlessly at the campus level viewed via Manage. All communication between nodes uses SSL (TLS) or Secure Shell encryption. Communication between Manage and web clients is HTTPS. Further, on-premise Manage has the capability to connect the Enlighted system to the BMS for monitoring and advisory HVAC Control.

Network Topology Options

The Enlighted network provides four topology options. Refer to the network topology diagrams for each of the options.

Recommended articles:

• Network Topology Options
• Assigning Network IP Addresses (for on-premise Manage)
• Enlighted Gateway Channel Selection Guidelines

Network and Security Audit Process

Review the Enlighted Network documents given below to respond to the customer's network and security audit requirements. 

Step1:

For customers who would like to connect using one of Enlighted's on-premise or Cloud (eCloud) deployment options, the Enlighted Networking Options document provides an overview of how the Enlighted components network together and the protocols used to address encryption and security concerns that our customers typically have. The network topology diagrams describe the available network connectivity methods. These documents can be shared with the customer to review all the network connectivity possibilities.

Step 2:

Once the network connectivity option is agreed upon and worked into the design, the customer typically provides a security audit questionnaire for Enlighted to respond. Each customer has their own version typically, but most questions are common and these are consolidated in the generic Security Audit Questionnaire for reference.

For questions that are not addressed in one of the above documents, contact Enlighted Customer Support.

Step 3:

If the customer requests to see results of the security scans with Enlighted software, the Qualys OS and Application Web Scan Results are available and can be shared with the customer. 

Downloads:

Network & Security Audit D​​​​​ocuments​

As more and more customers are added to Cloud, it becomes imperative to have a process ready to respond to customer audit requirements. Typically, each customer has their own network audit process/questionnaire and the documents available here will be the guides to go through the process. ​​​​​