Table of Contents
The following case is a strong example of a growing trend. At least three of our customers, both in domestic and internationally, have adopted Asterfusion’s open campus network solution to operate as local MSPs. By deploying SONiC-based switches, OpenWiFi-compliant APs, and compatible unified controllers, they’ve built a streamlined architecture from access to aggregation, enabling unified wired and wireless management.
The solution supports multi-tenant isolation, access control, unified authentication, and visualized O&M—greatly simplifying network operations while improving efficiency. More importantly, it empowers customers to deliver flexible, on-demand network services to campus tenants and unlock new revenue streams through commercialized network operations.
Background: The “Management Dilemma” of Campus Networks
In traditional industrial campuses, network management has long been a complex challenge. Tenant enterprises operated independently: they purchased internet services from telecom operators, relied on campus IT teams to provision wired LANs, and typically built their own wireless networks by procuring equipment. This model led to several pain points:
- Fragmented and Tedious Operations: Tenant onboarding, relocation, or office space changes required manual reconfiguration of extensive network settings, which was time-consuming and error-prone.
- Inefficient Management: Inconsistent wireless equipment standards led to fragmented management, increasing security risks and operational burdens.
- Resource Bottlenecks: With growing network demands, limited campus IT resources struggled to keep up, impacting service quality and tenant satisfaction.
This traditional “management-driven” model could no longer meet the needs of modern campuses, necessitating a shift to a more efficient and scalable “service-driven” approach.
From Management to Service: Our Client Becomes Network Operator
Recognizing these challenges, the Shijiazhuang Sci-Tech Center proactively assumed responsibility for building and operating the entire campus network infrastructure. The Center deployed Asterfusion’s cloud-based networking solution, powered by enterprise-grade SONiC, across 4 buildings that house thousands of tenant companies.
This transformation eliminates the need for tenant companies to build their own networks. Instead, they simply apply for a Wi-Fi authentication account from the Service Center to gain quick, secure access to a high-performance wireless network. From access and authentication to daily operations and maintenance, the Center now provides comprehensive managed network services—marking a fundamental shift from a “management” to a “service” model,which has evolved into a full-fledged Managed Service Provider (MSP).
Client Background: Shijiazhuang Sci-Tech Center
The Shijiazhuang Sci-Tech Center is a government-backed organization dedicated to fostering the growth and success of local tech startups. Serving as a launchpad for emerging tech companies, the Center provides critical support, including office spaces, funding guidance, and resources to transform innovative ideas into market-ready products.
Solution: Asterfusion’s Open Campus Network Empowers Service-Driven Operations
To achieve this transformation, the Center deployed Asterfusion’s next-generation cloud-native campus network solution, built on a data center-grade Spine/Leaf architecture, full Layer 3 network design, and a cloud-native management platform, creating an efficient, secure, and scalable multi-tenant network.
1.Network Infrastructure: High Performance Meets Future Scalability
- Wired Network: The solution adopts a streamlined, highly reliable Spine/Leaf architecture, operating a full Layer 3 network with 25G high-bandwidth links to meet tenant business needs, IoT device connectivity, and server interconnections. The loop-free design eliminates broadcast storms, and horizontal scalability ensures capacity for the next 5–8 years.
- Wireless Network: A distributed gateway design creates a large-scale roaming domain, enabling seamless cross-building roaming. The network follows users, with policies dynamically applied, balancing security and convenience.
Core Devices:
- Spine switches: 2 × CX308P-48Y-M
- Leaf switches: 14 × CX204Y-24GT-M-SWP2 and 46 × CX204Y-48GT-M-SWP4
- Wireless APs: 1763× AP6020W, ensuring full coverage
- Software : Powered by enterprise-grade SONiC (AsterNOS), supporting open standards like OpenWiFi/OLS for seamless integration with third-party products and cloud-native deployment.
2.Multi-Tenant Resource Isolation: Securing Business Operations
Using BGP EVPN technology, the solution builds independent virtual networks for each tenant, supporting flexible expansion while ensuring isolation and security through:
- Port Isolation: Layer 2 traffic is fully isolated, with all traffic forwarded via Layer 3 routing to eliminate broadcast interference.
- ACL Isolation:Configure access control lists (ACLs) for different tenant VLANs to restrict inter-tenant access and protect business privacy.
- AP Strict Forwarding: Wireless APs do not forward traffic directly; all traffic is processed through switches via table lookups, ensuring robust security.
3.Wireless Network Services: Seamless Onboarding and Robust Authentication
The center provides tenants with a one-stop wireless network service, enabling them to quickly obtain Wi-Fi authentication accounts through a simple application process. Asterfusion’s solution supports efficient service delivery through the following approaches:
Portal Authentication with Dynamic VLAN Assignment:
When tenant employees connect to the wireless network, they must complete Portal authentication to gain access. The PacketFence authentication platform stores tenant, device, and authorized VLAN mapping information, enabling dynamic VLAN assignment and precise access control.
Authentication Process:
- The user connects to the AP and obtains an IP address from an unauthorized VLAN, with access limited to authentication-related resources.
- The AP redirects the user’s HTTP traffic to the Portal server and completes authentication via the RADIUS protocol.
- Upon successful authentication, the AP forces the device to reconnect and assigns an IP address from the authorized enterprise VLAN, allowing normal network access.
MAC-Priority Authentication:
After the initial authentication, the RADIUS server records the device’s MAC address to enable automatic recognition for future connections, eliminating the need for repeated authentication. Combined with device type verification and roaming anomaly detection, this helps promptly identify potential spoofing risks.
Open API Integration:
The authentication system and underlying network devices offer robust APIs, seamlessly integrating with the Center’s management system to streamline Asteriaount provisioning and management.
4.Simplified Operations and Maintenance: Automation Boosts Service Efficiency
Leveraging the Asterfusion Openwifi Controller, the Center achieves efficient, automated network management. The Openwifi Controller provides a cloud-native management platform, supporting local or cloud deployment, enabling “minute-level” service provisioning for over 2,000 tenant enterprises while significantly enhancing operational efficiency through centralized management and intelligent analytics. Below are its core features and real-world applications:
4.1 Minute-Level Service Provisioning: Rapid Response to Tenant Needs
The Openwifi Controller offers a streamlined, user-friendly automation process, drastically simplifying network service provisioning:
One-Click Network Planning: Operators use the Controller’s graphical interface to plan network topology based on campus layout and tenant needs. The system automatically generates VLAN and IP allocation plans, minimizing manual errors.
Batch VLAN Configuration: For example, in a campus network designed to support up to 2,000 tenants, a complete VLAN resource pool can be pre-configured during the initial deployment phase to cover the network isolation needs of all potential tenants. When a new enterprise moves in, access authorization is granted simply by creating an authentication account; when the enterprise leaves, the account is deleted. Throughout this process, there is no need for frequent changes to the underlying network configuration, which simplifies operations and enhances the network’s stability and scalability.
Graphical Pre-Configuration Deployment: Operations personnel can predefine network policies (such as bandwidth allocation and access permissions) through the Asteria interface and deploy them to all relevant devices (switches, APs, etc.) with a single click, ensuring configuration consistency and rapid deployment. For example, when a new tenant moves in, the administrator simply selects a preset template in the interface, enters the tenant information, and the network is instantly provisioned.
4.2 Centralized Wired and Wireless Management: Full Network Visibility
The Openwifi Controller unifies management of gateways, switches, and wireless APs, offering comprehensive operational capabilities:
Device Management: Supports configuration updates for individual or multiple devices. For example, operators can batch-update switch firmware or adjust AP channel settings, eliminating manual operations.
Status Monitoring: Real-time visualization of device metrics, including CPU usage, memory consumption, hardware health, IP assignments, per-device/port traffic, link status, interface status, and PoE status. The Controller aggregates all online device data, presenting a comprehensive health score via a dashboard.
Alerts and Diagnostics: The Controller automatically triggers alerts for anomalies (e.g., link failures, traffic spikes), notifying operators for swift resolution. For instance, when an AP’s signal quality drops, the Controller alerts the team with the device’s location.
Use Case: A tenant reports network latency. Operators use the Openwifi Controller to identify abnormal traffic on a Leaf switch port, resolve the issue in 5 minutes, and restore normal operations.
4.3 Intelligent Terminal Management: Precision Insights and Rapid Troubleshooting
The Openwifi Controller enhances tenant network experiences through fingerprinting and traffic tracing:
Statistics and Fingerprinting: Automatically collects terminal data, including device type (e.g., smartphones, laptops, IoT devices), operating system, online status, signal strength, and signal-to-noise ratio. It also logs browsing behavior and traffic statistics, enabling operators to analyze usage patterns. For example, the Controller reveals that 80% of campus devices are mobile, prompting optimized wireless coverage.
Terminal Traffic Tracing: Tracks a device’s full connection history, including status, signal quality, negotiated rates, signal-to-noise ratio, and connected AP location. This allows rapid fault localization. For instance, when an employee reports Wi-Fi disconnections, the Controller shows frequent AP handoffs at a building boundary, prompting operators to optimize AP placement.
Anomaly Detection and Alerts: Using MAC address verification and behavior analysis, the Controller detects unauthorized Asteria or traffic surges, triggering alerts. For example, a device attempting unauthorized VLAN Asteria prompts an immediate warning to operators.
Use Case: An enterprise reports unstable Wi-Fi. The Controller traces the issue to low signal-to-noise ratio at an AP, enabling operators to adjust power settings and restore connectivity in minutes.
4.4 Flexible Cloud and Local Deployment
The Openwifi Controller supports both local and cloud deployment to suit diverse needs. The Center opted for cloud deployment, leveraging Asterfusion’s cloud services for remote management, reducing local hardware maintenance costs. Cloud-based Controller also enables unified management across multiple campuses, supporting future expansion.
Results: A Leap from Management to Service
By deploying Asterfusion’s cloud-native campus network solution, the Shijiazhuang Sci-Tech Center transformed from a traditional “management-driven” IT operation to a “service-driven” network operator, delivering exceptional experiences for campus tenants:
- Service Efficiency Surge: Automated provisioning reduced Wi-Fi Asteriaount setup from hours to minutes, dramatically improving tenant onboarding speed.
- Enhanced Tenant Experience: Seamless roaming and dynamic policy enforcement ensured smooth cross-building mobility for employees.
- Robust Security: BGP EVPN and multi-level isolation mechanisms prevent interference between tenants, while MAC-based authentication enhances access security.
- Elevated Business Capabilities: API integration and automated workflows enabled the Center to deliver fast, reliable network services to tenants.
- Future-Proof Scalability: The Spine/Leaf architecture supports elastic expansion, ensuring growth for years to come.
🌟 Outcome: A Single Deployment, Sustained Operations By adopting Asterfusion’s open network architecture and cloud-native platform, the Center built a manageable, controllable, and service-oriented campus network operations platform:
- Enabled elastic service provisioning for tenant onboarding and offboarding.
- Significantly reduced manual configuration workloads.
- Improved user access experience and network security.
- Supported efficient growth of multi-tenant campus operations. This transformation not only made the campus network smarter and more efficient but also positioned the Center as a high-value player in the campus ecosystem.
Conclusion
By leveraging Asterfusion’s SONiC-based cloud-native network solution, the Shijiazhuang Sci-Tech Center successfully transitioned from “management-driven” to “service-driven” operations, optimizing campus network management and delivering secure, seamless wireless services to tenants. This case study showcases how Asterfusion’s innovative, open, and programmable network architecture empowers service providers to build efficient, flexible, and future-ready smart campus network ecosystems, setting a benchmark for multi-tenant environments.
