
Wireless Communication 10EC81

Department of ECE,SJBIT Page 1

Subject Code: 10EC81                 IA Marks: 25
No. of Lecture Hrs/Week: 04           Exam Hours: 03
Total No. of Lecture Hrs.: 52         Exam Marks: 100

UNIT - 1
Introduction to wireless telecommunication systems and networks, History and evolution.
Different generations of wireless cellular networks: 1G, 2G, 3G and 4G.
6 Hours
UNIT - 2
Common Cellular System components, Common cellular network components, Hardware
and software, views of cellular networks, 3G cellular systems components, Cellular
component identification Call establishment.

6 Hours
UNIT - 3
Wireless network architecture and operation, Cellular concept Cell fundamentals, Capacity
expansion techniques, Cellular backbone networks, Mobility management, Radio resources
6 Hours
UNIT - 4
GSM and TDMA techniques, GSM system overview, GSM Network and system

6 Hours
UNIT - 5
GSM system operation, Traffic cases, Call handoff, Roaming, GSM protocol architecture.
TDMA systems
6 Hours
UNIT - 6
CDMA technology, CDMA overview, CDMA channel concept CDMA operations.
8 hours

UNIT - 7
Wireless Modulation techniques and Hardware, Characteristics of air interface, Path loss
models, wireless coding techniques, Digital modulation techniques, OFDM, UWB radio
techniques, Diversity techniques, Typical GSM Hardware.

6 Hours
UNIT - 8
Introduction to wireless LAN 802.11X technologies, Evolution of Wireless LAN
Introduction to 802.15X technologies in PAN Application and architecture Bluetooth
Introduction to Broadband wireless MAN, 802.16X technologies.
8 Hours

Text book:
1. Wireless Telecom Systems and Networks, Mullet, Thomson Learning, 2006.

Reference books:
1. Mobile Cellular Telecommunication, Lee W.C.Y., MGH, 2002.
2. Wireless Communication, D. P. Agrawal, 2nd Edition, Thomson Learning, 2007.
3. Fundamentals of Wireless Communication, David Tse and Pramod Viswanath, Cambridge, 2005.

Sl. No.   Unit & Topic of Discussion   Page no.

UNIT - 1 (pages 5 to 19)
1 Introduction to wireless telecommunication systems
2 Introduction to wireless telecommunication networks
3 History of different generations of wireless cellular networks
4 Evolution of different generations of wireless cellular networks
5 1G, 2G networks
6 3G and 4G networks

UNIT - 2 (pages 20 to 30)
7 Common cellular system components
8 Common cellular network components
9 Hardware and software
10 Views of cellular networks
11 3G cellular system components
12 Cellular component identification, call establishment
13 Call release

UNIT - 3 (pages 31 to 42)
14 Wireless network architecture and operation
15 Cellular concept, cell fundamentals
16 Capacity expansion techniques, cellular backbone networks
17 Mobility management
18 Radio resources and power management
19 Wireless network security

UNIT - 4 (pages 43 to 54)
20 GSM and TDMA techniques
21 GSM system overview
22 GSM network
23 System architecture
24 GSM channel concepts
25 GSM identifiers

UNIT - 5 (pages 55 to 67)
26 GSM system operation
27 Traffic cases
28 Call handoff
29 Roaming
30 GSM protocol architecture
31 TDMA systems

UNIT - 6 (pages 68 to 81)
33 CDMA technology
34 CDMA overview
35 CDMA channel concept, CDMA operations
36 CDMA channel concept, CDMA operations
37 CDMA channel concept
38 CDMA channel assignment

UNIT - 7 (pages 82 to 94)
40 Wireless modulation techniques and hardware
41 Characteristics of air interface, path loss models
42 Wireless coding techniques
43 Digital modulation techniques, OFDM, UWB radio
44 Diversity techniques
45 Typical GSM hardware

UNIT - 8 (pages 95 to 108)
46 Introduction to wireless LAN 802.11X technologies
47 Evolution of wireless LAN
48 Introduction to 802.15X technologies in PAN
49 802.16X technologies

UNIT - 1
Introduction to wireless telecommunication systems and Networks, History and Evolution
Different generations of wireless cellular networks: 1G, 2G, 3G and 4G networks.

6 Hours



Introduction to wireless telecommunication systems and networks

1.1 Introduction to wireless telecommunication systems and networks

Communication is the transfer of information from one point to another. The telephone,
invented by Bell in 1876, gave rise to the first manually switched wireline networks.
Radio, or wireless, was developed during the 20th century and added the convenience of
mobile operation to electronic communication. Advances in IC technology brought
cordless telephones in the late 1970s, and in 1983 the public first had the opportunity
to subscribe to cellular telephone systems. These wireless systems gave mobile users
access to the public switched telephone network.

Wireless and mobile communications have been found useful in commerce, education,
defense and other fields; according to the nature of the particular application they can be
used in home, industrial, commercial or military environments. For example, in commerce
wireless communications can be employed for purchasing or selling goods and services,
playing audio and video, paying telephone bills, and making airline or bus reservations.

1.2 History and Evolution of Wireless Radio Systems

In 1887 Heinrich Hertz performed laboratory experiments which proved the existence of
electromagnetic (EM) waves.

From 1895 to 1901 Marconi experimented with wireless telegraph systems; he built several
radio telegraph stations in England and started a commercial service between England and
France in 1899.

Early AM wireless systems

The early wireless transmitter consisted of an inductance and a capacitance used to tune
the output frequency of a spark gap. Maximum power was generated at lower frequencies
and longer wavelengths. The transmitter emitted a signal of long or short duration
depending on how long the telegraph key was held closed. The transmitted signal was the
EM noise produced by the spark-gap discharge.


Fig 1. Typical early wireless transmitter

The transmitted signal propagates through the air to a receiver located at some distance.
At the receiver the detected signal is interpreted by the operator as either a dot or a dash,
depending on its duration, using Morse code.

Modern AM :

Amplitude modulation is still used for low-frequency radio broadcasting; its digital
descendant, quadrature amplitude modulation (QAM), is used for high-speed data
transmission at RF.

1.2 The Development of Modern Telecommunications Infrastructure

The early days of telecommunications
The public switched telephone network
The local exchange
Intraoffice calls


Fig: 1.2 A PSTN intraoffice call through a local exchange

Circuit-switched calls
Interoffice calls
T-carrier transport

Fig: 1.3 A PSTN interoffice call over an inter-exchange trunk line

Signaling System #7
Signal transfer points
Service switching points
Service control points
Operations support systems
Signalling System No. 7 (SS7) is the set of telephony signaling protocols used to set up and
tear down most of the world's public switched telephone network calls. Other uses include
number translation, local number portability, prepaid billing mechanisms, the short message
service (SMS) and a variety of other mass-market services.
It is usually written Signalling System No. 7 or Signalling System #7, or simply abbreviated
to SS7. In North America it is often referred to as CCSS7, an abbreviation for Common
Channel Signalling System 7. In some European countries, specifically the United Kingdom,
it is sometimes called C7 (CCITT number 7), number 7, or CCIS7 (Common Channel
Interoffice Signaling 7). In Germany it is often called N7 (Signalisierungssystem Nummer 7).
There is a single international SS7 protocol, defined by ITU-T in its Q.700-series
recommendations, and many national variants. Most national variants are based on the two
widely deployed variants standardized by ANSI and ETSI, which are in turn based on the
international protocol defined by ITU-T. Each national variant has its own characteristics;
the China (PRC) and Japan (TTC) national variants differ most noticeably.
The Internet Engineering Task Force (IETF) has also defined protocols (SIGTRAN) that
carry SS7 levels 2, 3 and 4 over IP:
Message Transfer Part (MTP) level 2: M2UA and M2PA
Message Transfer Part (MTP) level 3: M3UA
Signalling Connection Control Part (SCCP): SUA
SS7 was designed for a closed network of trusting operators: the protocol itself does not
authenticate signaling messages or the point code they claim to originate from, so the
security of the signaling network rests on controlling who can inject messages into it,
including at SIGTRAN gateways.
The public data network
Connectionless systems
Private data networks
Virtual private data networks
Tunneling protocols


Fig: 1.4 Network elements of the SS7 system

1.3 Different Generations of wireless cellular networks:

1G Cellular Systems
AMPS system components and layout
Radio base stations
Communications links
Mobile switching office
First-generation cellular systems have been around for a few decades and are expected to
remain in place for some time because of the significant infrastructure investments made by
operators. All of these systems support circuit-switched data services and may be used for
various forms of mobile VPN, albeit not without difficulties. This section provides a
high-level overview of the air interfaces used by the most widely deployed 1G systems.
All 1G cellular systems rely on analog frequency modulation for speech and data
transmission and on in-band signaling to move control information between terminals and
the rest of the network during the call. The Advanced Mobile Phone System (AMPS), used
mostly in the United States, is a good example of first-generation analog technology. AMPS
is based on FM radio transmission using the FDMA principle, where every user is assigned
their own frequency to separate user channels within the assigned spectrum (see Figure
3.2). FDMA is based on narrowband channels, each capable of supporting one phone circuit
that is assigned to a particular user for the duration of the call. Frequency assignment is
controlled by the system, and transmission is usually continuous in both uplink and
downlink directions. The spectrum is allocated to the user for the duration of the call,
whether it is being used to send voice, data, or nothing at all.

As with other 1G technologies, in AMPS a circuit, represented by a portion of spectrum, is
allocated to the user and must remain available to that user, much like the copper pair used
for wireline voice communications. As on an analog wireline connection, a modem is used
for data access (see Chapter 4 for more on this). Error correction protocols used by wireless
modems tend to be more robust than their landline counterparts because they must cope
with a more challenging physical environment, with inherently higher interference and lower
signal-to-noise ratios than copper or fiber. The peak data rate for an AMPS modem call under
good conditions is usually up to 14.4 kbps, and as low as 4.8 kbps under poor conditions. It
can take 20 seconds or more to establish an AMPS data connection.

Fig 1.5 An early AMPS cellular system

Information flow over AMPS channels
Analog color codes
Digital color codes
Signaling tones

Fig 1.6 AMPS forward and reverse control and voice channels

Typical AMPS operations
AMPS security and identification
Summary of basic AMPS operations

Fig 1.7 AMPS mobile phone initialization

AMPS ongoing idle mode tasks
Mobile-to-land calls
Handshaking operations
Signaling operations
Service requests

Fig 1.8 AMPS mobile originated call

Land-to-mobile and mobile-to-mobile calls
ID information exchange
Control messages

Fig 1.9 AMPS mobile terminated call

AMPS network operations
Radio base station operations
Base station control operations
Mobile switching center operations

Fig 1.10 AMPS network operations for a mobile originated call

Handoff operations
Handshaking operations
Signal strength measurements
MSC operations during handoff
Confirmation messages

Fig 1.11 AMPS handoff operation

2G Cellular Systems

Second-generation (2G) digital cellular systems constitute the majority of cellular
communication infrastructures deployed today. 2G systems such as GSM, whose
specification work started in 1987, signaled a major shift in the way mobile communications
is used worldwide. In part they helped fuel the transition of the mobile phone from luxury to
necessity and helped to drive subscriber costs down through more efficient utilization of the
air interface and volume deployment of infrastructure components and handsets.
Major geographical regions adopted different 2G systems: TDMA and CDMA in North
America, GSM in Europe, and Personal Digital Cellular (PDC) in Japan. GSM has been the
most successful of these and is now being adopted in geographical areas other than Europe
(such as North America, China, the Asia-Pacific region and, more recently, South America).
CDMA, which originated in North America, has also proliferated in South America and later
in the Asia-Pacific region. TDMA remains widely deployed in North and South America, but
it is expected to decline, mostly because of the decisions taken by a few major North
American carriers to convert their TDMA networks to GSM.

North American TDMA

This second-generation system, widely deployed in the United States, Canada and South
America, goes by many names, including North American TDMA, IS-136 and D-AMPS
(Digital AMPS). For the sake of clarity we refer to it as North American TDMA, or simply
TDMA when the context makes it clear. TDMA has been used in North America since 1992
and was the first digital cellular technology to be commercially deployed there. As its name
indicates, it is based on Time Division Multiple Access: resources are shared in time,
combined with frequency-division multiplexing when multiple carrier frequencies are used.
As a result, TDMA offers multiple digital channels using different time slots on a shared
frequency carrier. Each mobile station is assigned both a specific frequency and a time slot
during which it can communicate with the base station.

The TDMA transmitter is active only during the assigned time slot and inactive during the
others, which allows for power-saving terminal designs, among other advantages. North
American TDMA uses 30 kHz carriers, each divided into six time slots per 40 ms frame; a
full-rate channel occupies two of the six slots, giving three channels per carrier, and half-rate
channels occupy one slot each, giving six. The TDMA traffic channel total bit rate is 48.6
kbps. Control overhead and the sharing of the carrier among several users reduce the
effective throughput available to each user to about 13 kbps. TDMA is a dual-band
technology: it can be deployed in the 800 MHz and 1900 MHz frequency bands. In regions
where both AMPS and TDMA are deployed, TDMA phones are often dual-mode, analog and
digital, so that customers can also use the coverage of the existing analog infrastructure.

Global System for Mobile Communications (GSM)

There are still some analog cellular systems in operation in Europe, but their number is
declining, and some regional networks are being completely shut down or converted to the
Global System for Mobile Communications. The GSM cellular system initiative was started
in 1982 by the Conference of European Posts and Telecommunications Administrations
(CEPT) and is currently governed by the European Telecommunications Standards Institute
(ETSI), which in turn has delegated GSM specification maintenance and evolution to 3GPP
(reviewed in part in Chapter 1). The intent behind the introduction of GSM was to have a
common approach to the creation of digital systems across European countries, to allow,
among other advantages of a common standard, easy international roaming and better
economies of scale by decreasing handset and infrastructure component costs through mass
production. In hindsight, this was a smart political decision, which contributed to the
worldwide success of European cellular infrastructure providers and equipment
manufacturers.


2.5G Cellular Systems

"2.5G" is an informal term coined for marketing purposes, unlike "2G" or "3G", which
correspond to standards defined by the International Telecommunication Union (ITU). The
term "2.5G" usually describes a 2G cellular system combined with General Packet Radio
Service (GPRS) or other services not generally found in 2G or 1G networks. Technologies
such as CDMA2000 1xRTT, Enhanced Data Rates for GSM Evolution (EDGE) and Enhanced
GPRS (EGPRS), which offer data transmission rates of 144 kbps or higher, could qualify as
3G technology; they are usually classified as 2.5G, however, because their network speeds
are lower than those of most 3G services.

GPRS is the service most commonly associated with 2.5G. It offers data transmission rates
of 28 kbps or higher. GPRS came after the Global System for Mobile Communications
(GSM), which is classified as 2G technology, and was succeeded by the Universal Mobile
Telecommunications System (UMTS), which is classified as 3G. A 2.5G system may reuse
the 2G infrastructure, but it adds a packet-switched network domain alongside the
circuit-switched domain. This does not necessarily give 2.5G an advantage over 2G in raw
network speed, because bundling of timeslots is also used for circuit-switched data services
(HSCSD). The services and infrastructure of a 2.5G network can be charged per transaction
rather than per minute of use, thanks to the packet-switched domain; this makes the
infrastructure more efficient, improves service delivery, and gives the "always-on"
capability. 2.5G networks may support services such as WAP, MMS, SMS, mobile games,
and search and directory.

3G Cellular Systems

Cell phones and systems are classified by the generation they belong to. Third generation
(3G) phones were developed in the late 1990s and 2000s, with the goal of improving data
capability and speed. The principal 3G system was specified by the Third Generation
Partnership Project (3GPP) and accepted by the ITU as part of its IMT-2000 family.
Generally known as the Universal Mobile Telecommunications System (UMTS), it is based
on wideband CDMA (WCDMA) operating in 5 MHz of bandwidth and typically provides
download data rates of 384 kb/s under normal conditions and up to 2 Mb/s in some
instances. Another 3G standard, cdma2000, was developed by Qualcomm and is maintained
by 3GPP2. It evolved from IS-95 and uses 1.25 MHz channels; its first phase, 1xRTT,
transmits data at rates up to 153 kb/s, and later phases reach 2 Mb/s in some cases.
3G standards have been expanded and enhanced to increase data speed and capacity further.
WCDMA phones have added High Speed Packet Access (HSPA), which uses higher-order
QAM modulation to reach 21 or 42 Mb/s downlink (cell site to phone) and 7 or 14 Mb/s
uplink (phone to cell site). AT&T and T-Mobile use HSPA technology. The cdma2000 family
added the Rev. A and Rev. B (EV-DO) modifications that likewise boost speed; Verizon and
Sprint use cdma2000 3G technology. At the time these notes were written, virtually all
feature phones and smartphones and most tablets still used some form of 3G.

Fig 1.12 3G operating environments

Table 1.1 3G characteristics by cell size and mobile speed

4G Cellular Systems and Beyond

The fourth generation has been defined, but at the time of writing deployed networks did not
yet meet the definition, even though many if not most mobile carriers and phone and
equipment manufacturers already advertise 4G. The formal definition of 4G is the ITU-R's
IMT-Advanced, which 3GPP meets with Long Term Evolution-Advanced (LTE-A). The
standard has not been fully completed, but basically it is an improved and enhanced version
of LTE that uses wider bandwidth channels and a greater number of MIMO antennas. The
theoretical upper data rate is 1 Gb/s; whether that is reached in practice remains to be seen.
As for what the various companies call 4G: Verizon says its LTE network is 4G, AT&T
promotes its LTE and HSPA networks as 4G, T-Mobile calls its HSPA+ network 4G, and
Sprint and Clearwire call their WiMAX network 4G. By the ITU definition, however,
WiMAX, like the first LTE releases, is classified as a 3G technology.


UNIT - 2
Common Cellular System components, Common cellular network components, Hardware
and software, views of cellular networks, 3G cellular systems components, Cellular
component identification Call establishment.

6 Hours


It is essential to implement increased system functionality to meet the demands of a growing
number of subscribers and of more sophisticated wireless cellular networks. The various
hardware network elements used to create the wireless cellular network play an important
role in achieving this.
The network elements can be divided into three basic groups:
1. The mobile or subscriber device (provides the user's link to the wireless network).
2. Base station (provides the wireless system's link to the subscriber over the air interface).
3. Network switching system (provides the interface to the PSTN and PDN).


Fig 2.1 Typical wireless cellular system components
A 1G wireless cellular system consisted of several subsystems, each performing certain
operations in support of the entire system. For 2G and 2.5G cellular networks, the air
interface functions are performed by fixed radio base stations and by the mobile station or
subscriber device that provides user mobility. The radio base stations are controlled by a
base station controller; together they are referred to as the base station system.
The base station system is connected to a fixed switching system that handles the routing of
both voice calls and data services to and from the mobile switching centre, and to various
databases and functional nodes that support the mobility management and security
operations of the system. The switching system is usually connected to the PSTN, the PDN,
other public land mobile networks (PLMNs) and various data messaging networks through
gateway switches.
The various network elements that make up the wireless system are interconnected by
communication links that transport system messages between network elements to facilitate
network operations and deliver the actual voice call or data service information.
The subscriber device (SD) is the link between the customer and the wireless network. The
SD must provide a means for the subscriber to control the phone, input information and see
its operating status.

Fig 2.2 subscriber device
The subscriber device must be able to sample, digitize and process audio and other
multimedia signals, transmit and receive RF signals, process system control messages and
provide the power needed to operate its complex electronic subsystems.
An SD consists of a man-machine interface, an RF transceiver section, a signal processing
section, a system control processor and a power supply/management section.

The base station system (BSS) handles all radio interface related functions for the wireless
network. The BSS consists of several to many radio base stations, a base station controller
and a transcoder controller. The radio equipment required to serve one cell is typically
called a base transceiver system (BTS). A single radio base station might contain three base
transceiver systems, used to serve a cell site that consists of three 120 degree sectors or
cells.


Fig 2.3 components of base station system

Typical CDMA wireless system
The base station controller (BSC) functions as the interface between the mobile switching
centre and packet core network on one side and all the radio base stations it controls on the
other. The BSC provides timing signals and connectivity to every subsystem within it and
computer interfaces to the entire system. The BSC supplies signaling towards the MSC using
the message transfer part (MTP) protocol, transferring messages over a PCM link connected
to SS7 signaling terminals located within the MSC and the BSC.
The transcoder controller (TRC) consists of subsystems that perform transcoding and rate
adaptation; it can be either stand-alone or combined with the BSC.
VLR: The visitor location register is a database that temporarily stores information about
any mobile station that attaches to an RBS in the area served by a particular MSC. This
temporary subscriber information is required by the MSC to provide service to a visiting
subscriber.
HLR: The home location register is a database that stores information about every user that
has a cellular service contract with a specific wireless service provider. It stores permanent
data about the network's subscribers as well as information about each subscriber's present
location. The HLR also plays a major role in handling calls terminating at the MS: it
analyzes the information about the incoming call and controls the routing of the call.
AUC Interconnection:
The authentication centre (AUC) provides the authentication and encryption information for
each MS used in the cellular network. On a request from a VLR, the HLR obtains from the
AUC a triplet for the particular mobile subscriber and forwards it to the MSC/VLR. The
triplet consists of a random challenge (RAND), the expected signed response (SRES) and the
cipher key (Kc), all derived by the AUC from the subscriber's secret key Ki, which never
leaves the AUC and the subscriber's SIM. The MSC/VLR sends only the random number to
the MS over the air; the MS computes its own signed response from RAND and its Ki and
returns it, and the VLR compares it with the SRES in the triplet. If they match the subscriber
is authenticated and Kc is used to encrypt the radio link. The AUC contains a processor, a
database for the storage of the key information for each subscriber, maintenance functions
for subscribers and an interface for communication with the HLR.
The EIR database is used to validate the status of mobile equipment. This global database is
updated daily to reflect the current status of an MS. The MS can be blacklisted, indicating
that it has been reported stolen or missing and is not approved for network
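The AUC/HLR/VLR exchange described above, carried through as an added worked example; this is not code from these notes or from any real network element. It models the three parties and the one-time use of each triplet. Because the real A3/A8 algorithms are operator-specific and not given in the notes, an HMAC-SHA256 keyed with Ki stands in for them (an assumption marked in the code), and the IMSIs and keys are constructed test values.

```python
"""GSM subscriber authentication with AUC triplets (RAND, SRES, Kc).

Worked example added to these notes; not code from the notes or from any
network element.  Assumption: HMAC-SHA256 keyed with Ki replaces the
operator-specific A3/A8 algorithms.  IMSIs and keys are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Triplet:
    rand: bytes  # 128-bit random challenge, sent to the MS in the clear
    sres: bytes  # 32-bit expected signed response, kept in the network
    kc: bytes    # 64-bit cipher key for A5 air-interface encryption


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3 (Ki, RAND -> SRES) and A8 (Ki, RAND -> Kc).

    Assumption: a keyed hash replaces the proprietary algorithms; only the
    GSM output sizes (4-byte SRES, 8-byte Kc) are kept.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuC:
    """Authentication centre: the only network node that holds each Ki."""

    def __init__(self, subscribers: Dict[str, bytes],
                 rng: Callable[[int], bytes] = os.urandom) -> None:
        self._ki = dict(subscribers)  # IMSI -> Ki
        self._rng = rng

    def triplets(self, imsi: str, count: int) -> List[Triplet]:
        """Answer an HLR request with fresh triplets; Ki itself never leaves."""
        ki = self._ki[imsi]
        out = []
        for _ in range(count):
            rand = self._rng(16)
            sres, kc = a3_a8(ki, rand)
            out.append(Triplet(rand, sres, kc))
        return out


class SIM:
    """Mobile side: Ki lives in the SIM and is only used to answer a RAND."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class VLR:
    """MSC/VLR: caches triplets fetched via the HLR and never sees Ki."""

    def __init__(self, auc: AuC, batch: int = 5) -> None:
        self._auc = auc
        self._batch = batch
        self._cache: Dict[str, List[Triplet]] = {}

    def authenticate(self, sim: SIM) -> Tuple[bool, Optional[bytes]]:
        """Challenge the MS with RAND and compare its answer with the triplet's SRES.

        Returns (authenticated, Kc).  Each triplet is consumed once, so a
        recorded SRES cannot be replayed against a later challenge.
        """
        pending = self._cache.setdefault(sim.imsi, [])
        if not pending:
            pending.extend(self._auc.triplets(sim.imsi, self._batch))
        triplet = pending.pop(0)
        # Over the air: RAND goes out, SRES comes back.  Kc is never transmitted.
        sres_from_ms, _kc_in_ms = sim.run_gsm_algorithm(triplet.rand)
        if hmac.compare_digest(sres_from_ms, triplet.sres):
            return True, triplet.kc
        return False, None


def demo() -> Tuple[bool, bool]:
    """Genuine SIM authenticates; a clone holding a wrong Ki does not."""
    imsi = "001010123456789"  # constructed test-network IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    vlr = VLR(AuC({imsi: ki}))
    genuine, kc = vlr.authenticate(SIM(imsi, ki))
    cloned, _ = vlr.authenticate(SIM(imsi, bytes(16)))
    return genuine and kc is not None, cloned


if __name__ == "__main__":
    print(demo())
```

Two properties of the exchange are visible in the run: the VLR works with triplets only and never learns Ki, and nothing in the protocol lets the MS check that the RAND came from a genuine network, since the SIM answers any challenge it is given. That one-way authentication is a property of GSM itself; UMTS later added a network authentication token to the challenge.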

Interworking units (IWUs) are required to provide an interface to various data networks.
These nodes connect the base station controller, and hence the radio base stations, to the
various data service networks.

GATEWAYS and their types
1. Gateway MSC (GMSC): a gateway MSC is an MSC that interfaces the wireless mobile
network to other telecommunication networks. A cellular network will have numerous
MSCs to cover a large area, but all switching centres need to be connected to other wireline
networks. To support its gateway function, the GMSC has the ability to reroute a call to an
MS using the information provided by the subscriber's HLR.
2. Billing gateway (BGW): this collects billing information from the various wireless
network elements into a file used by the customer administrative system to generate billing
information for the system's subscribers, such as monthly access fees, home usage, roaming,
data and special services.
3. Service order gateway (SOG): this connects a customer administrative system to the
switching system. It is used to input new subscriber data to the HLR or to update subscriber
data already contained in the HLR. The SOG also allows access to the AUC and EIR for
equipment administration. When a customer signs a service contract with a cellular service
provider, the information about the contract is entered into the customer administrative
system.

Hardware view of a cellular network
Serving areas
MSC boundaries

Fig 2.4 Hardware view of cellular network
Software view of a cellular network
Location area identity
Cell global identity
Mobile country code and network code

Fig 2.5 Software view of Cellular system

2.3 3G Cellular System Components
Core network
Radio access network
Radio network controller
Radio base station

Fig 2.6 The 3G radio network controller

2.4 Cellular Component Identification
Subscriber device identification
Mobile station ISDN identification number
North American version
The rest of the world


Fig 2.6 Formation of MSISDN number
Cellular Component Identification
International mobile subscriber identity

Fig 2.7 Formation of IMSI number
International mobile equipment identity

Fig 2.8 Formation of IMEI number
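The formation of the IMSI (MCC + MNC + MSIN) and of the IMEI (TAC + serial number + Luhn check digit) from the two figures above, together with the EIR blacklist lookup described under the Unit 2 network elements, as an added worked example; this is not code from these notes or from any network element. The IMSI, IMEI and blacklist values are constructed, and the set of country codes that use three-digit MNCs is a deliberately partial table (an assumption noted in the code).

```python
"""IMSI decomposition, IMEI check digit and an EIR status lookup.

Worked example added to these notes, not code from the notes or from any
network element.  THREE_DIGIT_MNC is a small constructed subset (real code
uses the full ITU/operator list); all identities below are test values.
"""
from typing import Set, Tuple

# Assumption: partial table of MCCs whose MNC is three digits long.
# Every MCC not listed here is treated as having a two-digit MNC.
THREE_DIGIT_MNC: Set[str] = {"310", "311", "312", "313", "314", "315", "316"}


def parse_imsi(imsi: str) -> Tuple[str, str, str]:
    """Split an IMSI into (MCC, MNC, MSIN).

    An IMSI has at most 15 decimal digits: MCC is always 3 digits, MNC is
    2 or 3 depending on the country, and the MSIN is whatever remains.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC else 2
    return mcc, imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a string of decimal digits.

    Weights run from the right: the rightmost payload digit is doubled
    (with digit-sum reduction above 9), the next is not, and so on.
    """
    total = 0
    for position, ch in enumerate(reversed(payload)):
        d = int(ch)
        if position % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def split_imei(imei: str) -> Tuple[str, str, str]:
    """IMEI = TAC (8 digits) + serial number (6 digits) + check digit (1)."""
    if not (imei.isdigit() and len(imei) == 15):
        raise ValueError("IMEI must be exactly 15 decimal digits")
    return imei[:8], imei[8:14], imei[14]


def validate_imei(imei: str) -> bool:
    """True when the IMEI is well formed and its check digit is correct."""
    try:
        tac, snr, check = split_imei(imei)
    except ValueError:
        return False
    return luhn_check_digit(tac + snr) == int(check)


class EIR:
    """Equipment identity register: equipment status keyed by TAC + serial.

    Keys drop the check digit so that a handset reported stolen cannot be
    looked up under a different (wrong) check digit.
    """

    def __init__(self, blacklisted: Set[str]) -> None:
        self._black = {imei[:14] for imei in blacklisted}

    def status(self, imei: str) -> str:
        if not validate_imei(imei):
            return "invalid"  # malformed: reject before any list lookup
        if imei[:14] in self._black:
            return "black"    # reported stolen or missing: refuse service
        return "white"


if __name__ == "__main__":
    eir = EIR({"490154203237518"})  # constructed blacklist entry
    print(parse_imsi("310150123456789"), parse_imsi("262021234567890"))
    for candidate in ("490154203237518", "490154203237510", "352099001761481"):
        print(candidate, eir.status(candidate))
```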

Cellular system component addressing
Location area identity
Cell global identity
Radio base station identity code
Location numbering
Addressing cellular network switching nodes
Global title and global title translation

2.5 Call Establishment
Mobile-terminated call
PSTN messages
GMSC operations
MSC/VLR operations
BSC operations

Fig 2.9 Mobile terminated call operations

Mobile-originated call
Mobile operations
Radio base station operations
Base station controller operations
MSC operations

Fig 2.10 Mobile originated call operations
Call release
Connection management operations
Radio resource operations

Fig 2.11 Call release

The above figure shows the operations during the release of a mobile call through the MSC;
the individual steps are shown in detail in the figure.


UNIT - 3
Wireless network architecture and operation, Cellular concept Cell fundamentals, Capacity
expansion techniques, Cellular backbone networks, Mobility management, Radio resources
and power management Wireless network security

6 Hours




3.1 The Cellular Concept

The cellular concept solves the problem of spectral congestion and user capacity. It offers
very high capacity in a limited spectrum without major technological changes by reusing
radio channels in different cells: a fixed number of channels can serve an arbitrarily large
number of users by reusing the channels throughout the coverage region. Channels may be
simplex or duplex.

Each cellular base station is allocated a group of radio channels for use within a small
geographic area called a cell. Neighbouring cells are assigned different channel groups.
By limiting the coverage area to within the boundary of the cell, the same channel groups
may be reused to cover different cells, as long as interference levels are kept within
tolerable limits. Frequency reuse, or frequency planning, is usually illustrated with seven
groups of channels labelled A to G. The footprint of a cell is its actual radio coverage,
which depends on whether an omni-directional or a directional antenna is used.

Steps for frequency reuse:

Consider a cellular system which has a total of S duplex channels.
Each cell is allocated a group of k channels.
The S channels are divided among the N cells of a cluster, so that S = kN.
The N cells which together use the complete set of channels are called a cluster.
The cluster can be repeated M times within the system. The total number of
channels, C = MkN = MS, is used as a measure of capacity.
The capacity is directly proportional to the number of replications M.
The cluster size N is typically 4, 7 or 12.
A small N is desirable to maximise capacity, but N also fixes the separation between
co-channel cells, so it cannot be chosen freely.
The frequency reuse factor is given by
Hexagonal geometry has exactly six equidistant neighbours, and
the lines joining the centre of any cell and each of its neighbours are
separated by multiples of 60 degrees.
Only certain cluster sizes and cell layouts are therefore possible.
The number of cells per cluster, N, can only have values which satisfy
The co-channel neighbours of a particular cell are located using the shift parameters i and j;
for example, i = 3 and j = 2.
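The cluster and capacity relations above, worked through in Python as an added example
(not code from the lecture notes). S, k, N, M and C are the symbols used above; the
relation N = i^2 + ij + j^2 for the cluster sizes a hexagonal layout admits is the standard
result that the notes state only in words, and is taken here as an assumption, as are the
channel and cell counts used in the demonstration.

```python
"""Cluster geometry and capacity of a frequency-reuse plan.

Added example, not code from the lecture notes. Symbols follow the notes:
S duplex channels, k channels per cell, cluster of N cells (S = kN),
M cluster replications, capacity C = MkN = MS.
Assumption: on a hexagonal layout the allowed cluster sizes are
N = i*i + i*j + j*j for integer shift parameters i >= j >= 0 (standard result).
"""
from math import isqrt


def cluster_size(i: int, j: int) -> int:
    """Cluster size N for shift parameters (i, j); e.g. (2, 1) -> 7, (3, 2) -> 19."""
    if i < 0 or j < 0 or (i == 0 and j == 0):
        raise ValueError("shift parameters must be non-negative and not both zero")
    return i * i + i * j + j * j


def valid_cluster_sizes(max_n: int) -> list[int]:
    """All cluster sizes <= max_n that a hexagonal layout can realise."""
    sizes = set()
    for i in range(1, isqrt(max_n) + 1):      # N >= i*i, so larger i cannot fit
        for j in range(0, i + 1):             # N is symmetric in i and j
            n = cluster_size(i, j)
            if n <= max_n:
                sizes.add(n)
    return sorted(sizes)


def channels_per_cell(total_channels: int, cluster: int) -> int:
    """k = S // N; channels that do not divide evenly are left unassigned."""
    if cluster not in valid_cluster_sizes(cluster):
        raise ValueError(f"N = {cluster} is not a hexagonal cluster size")
    return total_channels // cluster


def clusters_needed(num_cells: int, cluster: int) -> int:
    """M: cluster replications needed to cover num_cells cells (a partial cluster counts)."""
    return -(-num_cells // cluster)


def capacity(total_channels: int, cluster: int, num_cells: int) -> int:
    """C = M * k * N simultaneous calls for the whole coverage area."""
    k = channels_per_cell(total_channels, cluster)
    return clusters_needed(num_cells, cluster) * k * cluster


def compare_plans(total_channels: int, num_cells: int,
                  clusters=(4, 7, 12)) -> dict[int, dict[str, int]]:
    """Capacity trade-off for the cluster sizes the notes call typical."""
    return {
        n: {"k": channels_per_cell(total_channels, n),
            "M": clusters_needed(num_cells, n),
            "C": capacity(total_channels, n, num_cells)}
        for n in clusters
    }


if __name__ == "__main__":
    # Constructed figures: 395 duplex channels to be reused over 84 cells.
    for n, plan in compare_plans(395, 84).items():
        print(f"N={n:2d}: k={plan['k']:3d} M={plan['M']:3d} C={plan['C']}")
```

Running the comparison shows why a small N is attractive: with the same 395 channels, N = 4
carries almost twice the calls of N = 7 and three times those of N = 12. What the capacity
figure hides is that the smaller cluster also brings co-channel cells closer together, which is
the interference side of the trade-off discussed later in this unit.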

The Cellular Concept
Cellular hierarchy
Megacells and femtocells

Fig 3.1 Cellular concept

3.2 Cell Fundamentals
The use of hexagons
Reuse number
Cellular reuse patterns

Fig 3.2 Frequency reuse concept

Frequency reuse scheme:
increases capacity
minimises interference
Channel assignment strategy:
fixed channel assignment
dynamic channel assignment
Fixed channel assignment:
each cell is allocated a predetermined set of voice channels
any new call attempt can only be served by the unused channels of that cell
the call is blocked if all channels in that cell are occupied
Dynamic channel assignment:
channels are not allocated to cells permanently
channels are allocated on request, subject to the co-channel distance constraints
reduces the likelihood of blocking and increases capacity, at the cost of more
signalling and real-time channel information in the MSC
Cell Fundamentals
Reuse number
Frequency reuse distance
The reuse distance can be calculated by using the equation:

Fig 3.3 Frequency Reuse number

Cell Fundamentals
Cellular interference issues
Signal-to-interference ratio
Channel assignments

Fig 3.4 Cellular calculations

3.3 Capacity Expansion Techniques

Cell splitting

Split a congested cell into smaller cells.
Preserve the frequency reuse plan.
Reduce the transmission power.
Transmission power reduction from the old to the new transmit power: examine the received
power at the new and old cell boundaries.
If we take the path-loss exponent n = 4 and set the two received powers equal to each other,
the transmit power must be reduced by 12 dB (a factor of 16 when the radius is halved) in order
to fill in the original coverage area with the smaller cells.
Problem: if only part of the cells are split,
different cell sizes will exist simultaneously, and
handoff becomes harder, since high-speed and low-speed traffic must be handled simultaneously.

Fig 3.5 cell splitting

Capacity Expansion Techniques
Cell sectoring
Sectoring concept

Decrease the co-channel interference and keep the cell radius R unchanged
Replacing single omni-directional antenna by several directional antennas
Radiating within a specified sector


Fig 3.6 Cell sectoring

Capacity Expansion Techniques
Overlaid cells
Overlay concept

Fig 3.7 Cell overlaid

Capacity Expansion Techniques
Channel allocation
Other capacity expansion schemes
Lee's microcell technology
Smart antenna technology
Migration to digital technology

3.4 Cellular Backhaul Networks
Standards for PSTN carriers


Fig 3.8 cellular backhaul network

Fig 3.9 cellular backhaul network

3.5 Mobility Management
Location management
Location updating


Fig 3.10 Location management in cellular network

Mobility Management
Paging messages
Different paging schemes
Transmission of the location information between network elements
Mobility Management
Handoff management
Handoff control
Handoff operation
Handoff algorithm

When a mobile moves into a different cell while a conversation is in progress, the
MSC automatically transfers the call to a new channel belonging to the new base station.
Handoff operation:
identifying a new base station
re-allocating the voice and control channels with the new base station
Handoff threshold:
minimum usable signal for acceptable voice quality (-90 dBm to -100 dBm)
the handoff threshold is set slightly above the minimum usable level; the difference
is the handoff margin
the handoff margin cannot be too large or too small:
if it is too large, unnecessary handoffs burden the MSC
if it is too small, there may be insufficient time to complete the handoff before
the call is lost.


Fig 3.10 Mobility management in cellular network

The handoff algorithm must ensure that the drop in the measured signal is not due to momentary
fading and that the mobile is actually moving away from the serving base station.

The signal strength is therefore averaged over a running window, and the window length
should be optimised so that unnecessary handoffs are avoided without delaying genuine ones.
The right window depends on the speed at which the vehicle is moving:
a steep short-term average indicates a fast-moving mobile, so the handoff should be made quickly.
The speed can be estimated from the statistics of the received short-term
fading signal at the base station.
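The decision rule described above, as an added example in Python (not code from the lecture
notes). The minimum usable level and the handoff margin are the notes' quantities; the window
length is the parameter that should follow the vehicle speed. The hysteresis check on the
candidate cell, the class and function names, and the RSSI traces are constructed for this
example.

```python
"""Handoff decision from a running average of received signal strength.

Added example, not code from the lecture notes. The notes give a minimum usable
signal of -90 to -100 dBm and a handoff margin above it; the window length is the
parameter that should follow the vehicle speed. The hysteresis requirement on the
candidate cell and the sample traces below are constructed for this example.
"""
from collections import deque
from statistics import mean
from typing import Optional


class HandoffDecider:
    """Tracks a windowed mean of serving-cell and candidate-cell RSSI (dBm)."""

    def __init__(self, window: int, margin_db: float = 6.0,
                 min_usable_dbm: float = -100.0, hysteresis_db: float = 3.0):
        if window < 1:
            raise ValueError("window must be at least one sample")
        self.serving = deque(maxlen=window)
        self.candidate = deque(maxlen=window)
        self.min_usable_dbm = min_usable_dbm
        self.threshold_dbm = min_usable_dbm + margin_db   # handoff threshold
        self.hysteresis_db = hysteresis_db

    def update(self, serving_dbm: float, candidate_dbm: float) -> str:
        """Return 'stay', 'handoff' or 'dropped' for the latest measurement pair."""
        self.serving.append(serving_dbm)
        self.candidate.append(candidate_dbm)
        avg_serving = mean(self.serving)
        avg_candidate = mean(self.candidate)
        if avg_serving < self.min_usable_dbm:
            return "dropped"           # margin was too small: no time to hand off
        if (avg_serving < self.threshold_dbm
                and avg_candidate > avg_serving + self.hysteresis_db):
            return "handoff"
        return "stay"


def first_handoff(serving: list[float], candidate: list[float], window: int,
                  **kwargs) -> Optional[int]:
    """Index of the first handoff (or drop) decision, None if the call stays put."""
    decider = HandoffDecider(window, **kwargs)
    for idx, (s, c) in enumerate(zip(serving, candidate)):
        if decider.update(s, c) != "stay":
            return idx
    return None


# Constructed traces: the serving cell weakens 1 dB per sample with a single deep
# fade at index 3; the candidate cell strengthens 1 dB per sample.
SERVING = [-80.0 - t for t in range(20)]
SERVING[3] = -97.0
CANDIDATE = [-92.0 + t for t in range(20)]

if __name__ == "__main__":
    print("instantaneous decision hands off at sample",
          first_handoff(SERVING, CANDIDATE, window=1))
    print("4-sample running average hands off at sample",
          first_handoff(SERVING, CANDIDATE, window=4))
```

With a one-sample window the momentary fade at sample 3 triggers a handoff even though the
mobile is still close to its serving base station; the four-sample average rides through the
fade and hands off only when the sustained decline crosses the threshold. A longer window
is the right choice for a slow mobile, a shorter one for a fast mobile whose genuine
decline would otherwise be detected too late.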

Dwell time: the time over which a call may be maintained within a cell without handoff.

Dwell time depends on

Handoff measurement:
In first-generation analog cellular systems, signal strength measurements
are made by the base station and supervised by the MSC.
In second-generation systems (TDMA), handoff decisions are mobile
assisted: the mobile measures the neighbouring base stations and reports to the
serving one (mobile assisted handoff, MAHO).
Intersystem handoff: a mobile moves from one cellular system to a different
cellular system controlled by a different MSC.
Handoff requests are given priority over new call requests, because dropping a call
in progress is worse than blocking a new one.

Different types of users:

High-speed users need frequent handoffs during a call.
Low-speed users may never need a handoff during a call.

When microcells are used to provide capacity, the MSC can become burdened if high-speed
users are constantly being passed between very small cells. To minimise handoff intervention
and handle the simultaneous traffic of high-speed and low-speed users,
large and small cells can be located at a single site (umbrella cell), using
different antenna heights and
different power levels.
Cell dragging problem: pedestrian users provide a very strong signal to the base station, so
the user may travel deep within a neighbouring cell before the signal drops enough to
trigger a handoff, which raises interference and complicates handoff.

In first-generation analog cellular systems a handoff takes about 10 s and the handoff margin
is of the order of 6 dB to 12 dB. In second-generation systems such as GSM a handoff takes
1 to 2 s, the mobile assists the handoff, and the margin is of the order of 0 dB to 6 dB.
Handoff decisions are based on signal strength, co-channel interference and adjacent-
channel interference.

In the IS-95 CDMA spread-spectrum cellular system, mobiles share the same channel in every
cell, so there is no physical change of channel during handoff: the MSC selects the base
station with the best received signal as the serving station. In the microcell zone concept,
a handoff within a cell requires no channel reassignment: the channel is simply switched to a
different zone site, and because low-power transmitters are employed at the zone sites,
interference is reduced.

Frequency reuse means that several cells use the same set of frequencies:
these are co-channel cells, and the interference between them is co-channel interference.

To reduce co-channel interference, co-channel cells must be separated by a
minimum distance.

When the cells are of approximately the same size,
co-channel interference is independent of the transmitted power and
is a function of
R, the radius of the cell, and
D, the distance to the centre of the nearest co-channel cell.

Increasing the ratio Q = D/R reduces the interference.

Q is called the co-channel reuse ratio.
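The interference side of the cluster-size choice, as an added example in Python (not code
from the lecture notes). Q = D/R is the notes' definition; the relation Q = sqrt(3N) for a
hexagonal layout and the first-tier approximation S/I ~ Q^n / i0, with i0 = 6 equidistant
co-channel cells and n the path-loss exponent, are the standard approximations from
Rappaport and are assumptions here, not statements from the notes.

```python
"""Co-channel reuse ratio Q = D/R and first-tier signal-to-interference estimate.

Added example, not code from the lecture notes. The notes define Q = D/R and
state that interference falls as Q grows. Assumptions (standard hexagonal-cell
approximations, not stated in the notes): Q = sqrt(3N) for cluster size N, and
with path-loss exponent n and i0 = 6 equidistant first-tier co-channel cells,
S/I ~ Q**n / i0 at the cell boundary.
"""
from math import log10, sqrt

FIRST_TIER_COCHANNEL_CELLS = 6
HEX_CLUSTER_SIZES = (1, 3, 4, 7, 9, 12, 13, 16, 19, 21)   # N = i^2 + ij + j^2


def reuse_ratio(cluster_size: int) -> float:
    """Q = D/R for a hexagonal layout with cluster size N."""
    return sqrt(3 * cluster_size)


def signal_to_interference_db(cluster_size: int, path_loss_exponent: float = 4.0,
                              cochannel_cells: int = FIRST_TIER_COCHANNEL_CELLS) -> float:
    """Average S/I in dB at the cell boundary, counting only the first tier."""
    q = reuse_ratio(cluster_size)
    return 10 * log10(q ** path_loss_exponent / cochannel_cells)


def smallest_cluster_for(target_si_db: float, path_loss_exponent: float = 4.0) -> int:
    """Smallest N whose first-tier S/I meets the target (capacity favours small N)."""
    for n in HEX_CLUSTER_SIZES:
        if signal_to_interference_db(n, path_loss_exponent) >= target_si_db:
            return n
    raise ValueError(f"no cluster size up to {HEX_CLUSTER_SIZES[-1]} reaches {target_si_db} dB")


def design_table(target_si_db: float, exponents=(3.0, 4.0)) -> dict[float, int]:
    """Required cluster size for each propagation environment (path-loss exponent)."""
    return {n: smallest_cluster_for(target_si_db, n) for n in exponents}


if __name__ == "__main__":
    for n in (4, 7, 12):
        print(f"N={n:2d}: Q={reuse_ratio(n):.2f}  S/I={signal_to_interference_db(n):.2f} dB")
    print("smallest N for 18 dB:", design_table(18.0))
```

For an 18 dB target, the familiar N = 7 plan is enough when the path-loss exponent is 4,
but in a flatter environment (n = 3) the same target forces N = 19, which cuts the
per-cell channel count by almost a factor of three. That is why the reuse ratio, not the
capacity figure alone, settles the cluster size.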

Fig 3.11 Handoff management


Fig 3.12 analysis of handoff operation

3.6 Radio Resources and Power Management

Power control
Power saving schemes
Discontinuous transmission
Sleep modes
Energy efficient designs
Radio resource management

3.7 Wireless Network Security

Wireless network security requirements
Network security requirements
Network security

UNIT - 4
GSM and TDMA techniques, GSM system overview, GSM Network and system
Architecture, GSM channel concepts, GSM identifiers

6 Hours


4.1 Introduction to GSM and TDMA
Global System for Mobile Communications (GSM) services are a standard collection of
applications and features available to mobile phone subscribers all over the world. The
GSM standards are defined by the 3GPP collaboration and implemented in hardware and
software by equipment manufacturers and mobile phone operators. The common standard
makes it possible to use the same phones with different companies' services, or even roam
into different countries. GSM is the world's most dominant mobile phone standard.
The design of the service is moderately complex because it must be able to locate a moving
phone anywhere in the world, and accommodate the relatively small battery capacity,
limited input/output capabilities, and weak radio transmitters on mobile devices.
In order to gain access to GSM services, a user needs three things:
A billing relationship with a mobile phone operator. This is usually either where
services are paid for in advance of them being consumed (prepaid), or where bills
are issued and settled after the service has been consumed (postpaid).
A mobile phone that is GSM compliant and operates at the same frequency as the
operator. Most phone companies sell phones from third-party manufacturers.
A Subscriber Identity Module (SIM) card, which is activated by the operator once
the billing relationship is established. After activation the card is then programmed
with the subscriber's Mobile Subscriber Integrated Services Digital Network
Number (MSISDN) (the telephone number). Personal information such as contact
numbers of friends and family can also be stored on the SIM by the subscriber.
After subscribers sign up, information about their identity (telephone number) and what
services they are allowed to access are stored in a "SIM record" in the Home Location
Register (HLR).
Once the SIM card is loaded into the phone and the phone is powered on, it will search for
the nearest mobile phone mast (also called a Base Transceiver Station/BTS) with the
strongest signal in the operator's frequency band. If a mast can be successfully contacted,
then there is said to be coverage in the area. The phone then identifies itself to the network
through the control channel. Once this is successfully completed, the phone is said to be
attached to the network.
The key feature of a mobile phone is the ability to receive and make calls in any area where
coverage is available. This is generally called roaming from a customer perspective, but
also called visiting when describing the underlying technical process. Each geographic area
has a database called the Visitor Location Register (VLR), which contains details of all the
mobiles currently in that area. Whenever a phone attaches, or visits, a new area, the Visitor
Location Register must contact the Home Location Register to obtain the details for that
phone. The current cellular location of the phone (i.e., which BTS it is at) is entered into
the VLR record and will be used during a process called paging when the GSM network
wishes to locate the mobile phone.
Every SIM card contains a secret key, called Ki, which is used to provide authentication
and encryption services. This prevents theft of service and "over the air" snooping of a
user's activity. The network does this through the Authentication Centre (AuC), which
shares Ki with the SIM: the network sends a random challenge, the SIM returns a response
computed from Ki and the challenge, and both sides derive the ciphering key from the same
inputs, so Ki itself is never transmitted.
Every GSM phone contains a unique identifier (different from the phone number), called
the International Mobile Equipment Identity (IMEI). This can be displayed by dialling *#06#.
When a phone contacts the network, its IMEI may be checked against the Equipment
Identity Register (EIR) to detect stolen phones and facilitate monitoring. Note that the IMEI
is reported by the handset itself and is not protected by Ki, so the EIR check is only as
trustworthy as the handset.
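The challenge-response exchange described above, as an added example in Python (not code
from the lecture notes). A real SIM and AuC run the operator's A3 (response) and A8 (session
key) algorithms over the 128-bit Ki; here HMAC-SHA-256 stands in for both so the example runs
anywhere, and the class names, IMSIs and Ki values are constructed.

```python
"""GSM challenge-response authentication and session-key agreement.

Added example, not code from the lecture notes. A real SIM and AuC run the
operator's A3 (response) and A8 (session key) algorithms over the 128-bit Ki;
here HMAC-SHA-256 stands in for both so the example runs anywhere. Ki values,
IMSIs and RAND are constructed. Only RAND and SRES cross the air interface;
Ki never does, and Kc is derived independently on both sides.
"""
import hashlib
import hmac
import os
from typing import Optional


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3/A8: 32-bit SRES and 64-bit Kc from Ki and a 128-bit RAND."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128-bit values")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuC:
    """Authentication Centre: the only network element that holds Ki."""

    def __init__(self):
        self._ki_by_imsi: dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> tuple[bytes, bytes, bytes]:
        """(RAND, SRES, Kc) handed to the VLR; the VLR never sees Ki."""
        rand = rand if rand is not None else os.urandom(16)
        sres, kc = a3_a8(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        """RUN GSM ALGORITHM: returns (SRES, Kc); only SRES is sent back."""
        return a3_a8(self._ki, rand)


class VLR:
    """Checks SRES and keeps Kc for ciphering if the check passes."""

    def __init__(self):
        self.kc_by_imsi: dict[str, bytes] = {}

    def authenticate(self, sim: SIM, triplet: tuple[bytes, bytes, bytes]) -> bool:
        rand, expected_sres, kc = triplet
        sres, _ = sim.run_gsm_algorithm(rand)     # over the air: RAND down, SRES up
        if not hmac.compare_digest(sres, expected_sres):
            return False
        self.kc_by_imsi[sim.imsi] = kc
        return True


def demo() -> dict[str, bool]:
    """Constructed run: genuine SIM passes, a SIM with a guessed Ki fails."""
    auc, vlr = AuC(), VLR()
    imsi = "001010123456789"                   # test-network IMSI, constructed
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    auc.provision(imsi, ki)
    triplet = auc.triplet(imsi)
    genuine = SIM(imsi, ki)
    return {
        "genuine": vlr.authenticate(genuine, triplet),
        "wrong_ki": vlr.authenticate(SIM(imsi, bytes(16)), triplet),
        "kc_agreed": vlr.kc_by_imsi.get(imsi) == genuine.run_gsm_algorithm(triplet[0])[1],
    }
```

Two properties of the protocol are visible in the code. First, a VLR holding a triplet can
authenticate the subscriber without ever learning Ki, which is why triplets can be sent to a
visited network while Ki stays in the home AuC. Second, nothing in the exchange
authenticates the network to the SIM: a captured triplet replayed by a rogue base station
is accepted just as readily as a fresh one, which is the gap that the mutual authentication
of later (UMTS) systems closes.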

Advantages claimed for TDMA:
It can be easily adapted to the transmission of both data and voice.
TDMA offers the ability to carry data rates from 64 kbps to 120 Mbps (expandable in
multiples of 64 kbps). This enables operators to offer personal-communication-like
services including fax, voiceband data and short message services (SMS) as well as
bandwidth-intensive applications such as multimedia and videoconferencing.
It does not experience interference from other simultaneous transmissions:
unlike spread-spectrum techniques, which can suffer from interference among
users who are all on the same frequency band and transmitting at the same time,
TDMA separates users in time, so they do not interfere with one another.
TDMA offers efficient utilisation of hierarchical cell structures (HCSs) with pico,
micro and macro cells. HCSs allow the system coverage to be tailored to support
specific traffic and service needs. Using this approach, system capacities of more
than 40 times AMPS can be achieved in a cost-efficient way. TDMA allows service
compatibility through the use of dual-mode handsets because of its inherent
compatibility with FDMA analog systems.

4.2 GSM Network and System Architecture
Mobile station
Subscriber identity module
Base station system
Network switching system
SMS gateway
Flexible numbering register
Operation and support system and other nodes
Administrative and control system

Fig 4.1 components of GSM network
GSM network interfaces and protocols
GSM interfaces
Abis interface
A interface
Um interface
Layered structure/OSI model

Fig 4.2 interfaces in GSM
GSM network interfaces and protocols
GSM protocols and signaling model
Um interface
Abis interface
A interface
Ater interface

The network structure is defined within the GSM standards, and so is each interface
between the different elements of the GSM network. This allows the necessary
information exchanges to take place and, to a large degree, lets network
elements from different manufacturers be combined. However, as many of these interfaces
were not fully defined until after many networks had been deployed, the level of
standardisation is not quite as high as many people might like.

1. Um interface The "air" or radio interface standard that is used for exchanges
between a mobile (ME) and a base station (BTS / BSC). For signalling, a modified
version of the ISDN LAPD, known as LAPDm is used.
2. Abis interface This is a BSS internal interface linking the BSC and a BTS, and it
has not been totally standardised. The Abis interface allows control of the radio
equipment and radio frequency allocation in the BTS.
3. A interface The A interface is used to provide communication between the BSS
and the MSC. The interface carries the information needed to allocate channels, timeslots
and the like to the mobile equipment being served by the BSSs.
The messaging required within the network to carry out handover and similar procedures
is also carried over this interface.
4. B interface The B interface exists between the MSC and the VLR . It uses a
protocol known as the MAP/B protocol. As most VLRs are collocated with an
MSC, this makes the interface purely an "internal" interface. The interface is used
whenever the MSC needs access to data regarding a MS located in its area.
5. C interface The C interface is located between the HLR and a GMSC or an SMS-G.
When a call originates from outside the network, i.e. from the PSTN or another
mobile network, it has to pass through the gateway so that the routing information
required to complete the call can be obtained. The protocol used for communication
is MAP/C, the letter "C" indicating that the protocol is used for the "C" interface. In
addition, the MSC may optionally forward billing information to the HLR
after the call is completed and cleared down.
6. D interface The D interface is situated between the VLR and HLR. It uses the
MAP/D protocol to exchange the data related to the location of the ME and to the
management of the subscriber.
7. E interface The E interface provides communication between two MSCs. The E
interface exchanges data related to handover between the anchor and relay MSCs
using the MAP/E protocol.
8. F interface The F interface is used between an MSC and EIR. It uses the MAP/F
protocol. The communications along this interface are used to confirm the status of
the IMEI of the ME gaining access to the network.
9. G interface The G interface interconnects two VLRs of different MSCs and uses
the MAP/G protocol to transfer subscriber information, during e.g. a location
update procedure.
10. H interface The H interface exists between the MSC the SMS-G. It transfers short
messages and uses the MAP/H protocol.
11. I interface The I interface can be found between the MSC and the ME. Messages
exchanged over the I interface are relayed transparently through the BSS.
Although the interfaces for the GSM cellular system may not be as rigorously defined as
many might like, they do at least provide a large element of the definition required,
enabling the functionality of GSM network entities to be defined sufficiently.


Fig 4.3 GSM network interfaces and protocols
4.3 GSM Channel Concept
Time division multiple access
A single GSM RF carrier can support up to eight MS subscribers simultaneously. Each
channel occupies the carrier for one eighth of the time.
This technique is called Time Division Multiple Access. Time is divided into discrete
periods called timeslots. The timeslots are arranged in sequence and are
conventionally numbered 0 to 7. Each repetition of this sequence is called a TDMA
frame. Each MS telephone call occupies one timeslot (0 to 7) within the frame until the
call is terminated or a handover occurs.
The TDMA frames are then built into further frame structures according to the type of
channel. We shall later examine how the information carried by the air interface builds into
frames and multi-frames and discuss the associated timing. For such a system to work
correctly, the timing of the transmissions to and from the mobiles is critical. The MS or
Base Station must transmit the information related to one call at exactly the right moment,
or the timeslot will be missed. The information carried in one timeslot is called a
burst . Each data burst, occupying its allocated timeslot within successive TDMA
frames, provides a single GSM physical channel carrying a varying number of logical
channels between the MS and BTS.

Fig 4.4 TDMA time frame structure
GSM Channel Concept
Logical channels
Broadcast channels
Broadcast control channel
Frequency correction channel
Synchronization channel
Logical channels
Common control channels
Paging channel
Random access channel
Access grant channel
Dedicated control channels
Stand-alone dedicated control channel
Slow associated control channel
Fast associated control channel
Cell broadcast channel
Speech processing
Bit rate

GSM speech processing

Fig 4.5 GSM processing of speech
Timeslots and TDMA frames
TDMA frames
TDMA multiframes
26 frame
51 frame
Timeslot bursts
Normal burst
Frequency correction burst
Synchronization burst
Access burst
Dummy burst


Fig 4.6 TDMA Hyperframe structure
A hyperframe is a multiframe sequence composed of 2048 superframes and is the
largest time interval in the GSM system (3 hours, 28 minutes, 53.76 seconds). Every TDMA
frame within a hyperframe has a sequential frame number (FN, from 0 to 2 715 647, so a
22-bit value; the 2048 superframes form the 11-bit top level of the hierarchy), and a
time slot is identified by its frame number and time slot number. This counter allows the
hyperframe to synchronise the frequency-hopping sequence and the encryption process that
provides voice privacy for subscribers' conversations. The hyperframe in an IS-136 TDMA
system consists of 192
The basic GSM frame defines the structure upon which all the timing and structure of the
GSM messaging and signalling is based. The fundamental unit of time is called a burst
period and it lasts for approximately 0.577 ms (15/26 ms). Eight of these burst periods are
grouped into what is known as a TDMA frame. This lasts for approximately 4.615 ms
(i.e. 120/26 ms) and forms the basic unit for the definition of logical channels. One
physical channel is one burst period allocated in each TDMA frame.
In simplified terms the base station transmits two types of channel, namely traffic and
control. Accordingly the channel structure is organised into two different types of frame,
one for the traffic on the main traffic carrier frequency, and the other for the control on the
beacon frequency.

GSM multiframe
The GSM frames are grouped together to form multiframes; in this way a time schedule for
their operation can be established and the network can be synchronised.
There are several GSM multiframe structures:
Traffic multiframe: the traffic channel frames are organised into multiframes
consisting of 26 frames and taking 120 ms. In a traffic multiframe, 24 frames are used
for traffic, numbered 0 to 11 and 13 to 24. One of the remaining two frames (12 or 25)
carries the SACCH and the other is idle: a full-rate channel uses frame 12, while the
two half-rate subchannels sharing a timeslot use 12 and 25 alternately.
Control multiframe: the control channel multiframe comprises 51 frames and
occupies 235.4 ms. It always occurs on the beacon frequency in time slot zero
and may also occur within slots 2, 4 and 6 of the beacon frequency. This
multiframe is subdivided into logical channels which are time-scheduled.
GSM Superframe
Multiframes are then grouped into superframes taking 6.12 seconds. These consist of 51
traffic multiframes or 26 control multiframes. As the traffic multiframes are 26 frames long
and the control multiframes are 51 frames long, the different numbers of traffic and control
multiframes within the superframe bring them back into line again, since 26 x 51 and
51 x 26 are both 1326 frames.

GSM Hyperframe
Above this, 2048 superframes (i.e. 2 to the power 11) are grouped to form one hyperframe,
which repeats every 3 hours 28 minutes 53.76 seconds. It is the largest time interval within
the GSM frame structure.
Within the GSM hyperframe there is a counter, and every time slot has a unique sequential
number comprising the frame number and the time slot number. This is used to maintain
synchronisation of the different scheduled operations with the GSM frame structure. These
include functions such as:
Frequency hopping: frequency hopping is an optional feature within the
GSM system. It can help reduce interference and fading, but for it to work
the transmitter and receiver must be synchronised so that they hop to the same
frequencies at the same time.
Encryption: the A5 stream cipher is keyed with the session key Kc and the frame number,
so the keystream is synchronised to the hyperframe and repeats with each hyperframe. A
single conversation is unlikely to last more than 3.5 hours, so the repetition within one
call is rarely a problem in itself. The more important caveat is that the keystream depends
only on Kc and the frame number: if the network keeps the same Kc across several calls
(it need not re-authenticate on every call), the same keystream is produced whenever the
same frame number recurs, and keystream reuse is exactly what a stream cipher must avoid.
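The frame hierarchy above, worked through in Python as an added example (not code from the
lecture notes). The durations are the notes' values. The split of the frame number into
T1 = FN div 1326, T2 = F N mod 26 and T3 = FN mod 51, as carried on the synchronisation
channel, and the 22-bit COUNT value fed to A5 (T1, T3, T2 from high to low bits) follow
GSM 05.02 and 03.20 as I know them; treat the COUNT bit layout as an assumption to check
against the specification before relying on it.

```python
"""GSM frame timing and the frame number that drives hopping and ciphering.

Added example, not code from the lecture notes. Durations use the notes' values:
burst period 15/26 ms, 8 bursts per TDMA frame, 26- and 51-frame multiframes,
26 x 51 frames per superframe, 2048 superframes per hyperframe. The split of the
frame number FN into T1 = FN div 1326, T2 = FN mod 26, T3 = FN mod 51 (as sent on
the SCH) and the 22-bit A5 COUNT layout T1 | T3 | T2 from high to low bits follow
GSM 05.02 / 03.20 as I know them; treat the COUNT bit layout as an assumption.
"""
from fractions import Fraction

BURST_PERIOD_MS = Fraction(15, 26)
TDMA_FRAME_MS = 8 * BURST_PERIOD_MS                           # 120/26 ms
TRAFFIC_MULTIFRAME = 26
CONTROL_MULTIFRAME = 51
SUPERFRAME_FRAMES = TRAFFIC_MULTIFRAME * CONTROL_MULTIFRAME   # 1326
HYPERFRAME_FRAMES = 2048 * SUPERFRAME_FRAMES                  # 2 715 648


def duration_ms(frames: int) -> Fraction:
    """Exact length of a run of TDMA frames in milliseconds."""
    return frames * TDMA_FRAME_MS


def hyperframe_hms() -> tuple[int, int, float]:
    """Hyperframe length as (hours, minutes, seconds)."""
    total_s = duration_ms(HYPERFRAME_FRAMES) / 1000
    hours, rest = divmod(total_s, 3600)
    minutes, seconds = divmod(rest, 60)
    return int(hours), int(minutes), float(seconds)


def split_frame_number(fn: int) -> tuple[int, int, int]:
    """(T1, T2, T3) as broadcast on the SCH; fn wraps at the hyperframe."""
    fn %= HYPERFRAME_FRAMES
    return fn // SUPERFRAME_FRAMES, fn % TRAFFIC_MULTIFRAME, fn % CONTROL_MULTIFRAME


def join_frame_number(t1: int, t2: int, t3: int) -> int:
    """Inverse of split_frame_number: how the MS rebuilds FN from the SCH fields."""
    return (SUPERFRAME_FRAMES * t1
            + CONTROL_MULTIFRAME * ((t3 - t2) % TRAFFIC_MULTIFRAME)
            + t3)


def a5_count(fn: int) -> int:
    """22-bit COUNT fed to A5 with Kc (assumed layout: T1 << 11 | T3 << 5 | T2)."""
    t1, t2, t3 = split_frame_number(fn)
    return (t1 << 11) | (t3 << 5) | t2


def same_keystream(fn_a: int, fn_b: int) -> bool:
    """True when two frames get identical A5 keystream under an unchanged Kc."""
    return a5_count(fn_a) == a5_count(fn_b)


if __name__ == "__main__":
    print("control multiframe: %.2f ms" % float(duration_ms(CONTROL_MULTIFRAME)))
    print("superframe: %.2f s" % (float(duration_ms(SUPERFRAME_FRAMES)) / 1000))
    print("hyperframe: %dh %dm %.2fs" % hyperframe_hms())
    print("FN 123456 ->", split_frame_number(123456), "COUNT", hex(a5_count(123456)))
```

The last function makes the caveat from the text concrete: frame FN and frame
FN + 2 715 648 produce the same COUNT, so under the same Kc they are enciphered with the same
keystream, and the same holds for any two calls that happen to use the same Kc at the same
frame number.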


UNIT - 5
GSM system operation, Traffic cases, Call handoff, Roaming, GSM protocol architecture.
TDMA systems

6 Hours



5.1 GSM Identities
To switch a call to a mobile subscriber, the right identities need to be involved, and it is
therefore important to address them correctly. The identities are the following:
Mobile Station ISDN Number (MSISDN)
The MSISDN is a number which uniquely identifies a mobile telephone
subscription in the public switched telephone network numbering plan. These are
the digits dialled when calling a mobile subscriber.
The MSISDN consists of:
Country Code (CC)
National Destination Code (NDC)
Subscriber Number (SN)
International Mobile Subscriber Identity (IMSI)
The IMSI is a unique identity allocated to each subscriber to allow correct
identification over the radio path and through the network, and it is used for all
signalling in the PLMN. All network-related subscriber information is connected to
the IMSI. The IMSI is stored in the SIM, as well as in the HLR and in the serving VLR.
The IMSI consists of:
Mobile Country Code (MCC)
Mobile Network Code (MNC)
Mobile Subscriber Identification Number (MSIN)
Temporary Mobile Subscriber Identity (TMSI)
The TMSI is a temporary number used instead of the IMSI to identify an MS. The
TMSI protects the subscriber's confidentiality on the air interface, since the IMSI then
has to be sent in clear only when no valid TMSI is available. The TMSI has
only local significance (that is, within the MSC/VLR area) and is changed at certain
events or time intervals (TMSI reallocation, normally performed after ciphering has been
switched on).

International Mobile Equipment Identity (IMEI)
The IMEI is used for equipment identification and uniquely identifies an MS as a
piece or assembly of equipment.
The IMEI consists of:
Type Approval Code (TAC), determined by a central GSM body
Final Assembly Code (FAC), identifying the manufacturer
Serial Number (SNR), uniquely identifying each piece of equipment within a TAC and FAC
Spare, a spare digit for future use (sent as 0 over the air; on the printed IMEI this
position carries a check digit)
IMEI = TAC + FAC + SNR + Spare

Mobile Station Roaming Number (MSRN)
An MSRN is used during the call setup phase for mobile-terminated calls. Each
mobile-terminated call enters the GMSC of the PLMN. The call is then re-routed
by the GMSC to the MSC where the called mobile subscriber is located. For this
purpose the MSRN is allocated by the serving MSC/VLR and provided to the GMSC via
the HLR.
The MSRN consists of:
Country Code (CC)
National Destination Code (NDC)
Subscriber Number (SN)
Location Area Identity (LAI)
The LAI is used for paging, to indicate to the MSC in which Location Area (LA)
the MS is currently situated, and also for location updating of mobile subscribers.
The LAI consists of:
Mobile Country Code (MCC)
Mobile Network Code (MNC)
Location Area Code (LAC)
Cell Global Identity (CGI)
Each cell is identified by a cell identity (CI). A CI is unique within a location area, so
the CGI, which appends the CI to the LAI, identifies the cell globally.
The CGI consists of:
Mobile Country Code (MCC)
Mobile Network Code (MNC)
Location Area Code (LAC)
Cell Identity (CI)
Base Station Identification Code (BSIC)
In GSM, the mobile station uses the BSIC to distinguish between neighbouring base
stations that transmit on the same BCCH carrier frequency.
The BSIC consists of:
Network Colour Code (NCC)
Base Station Colour Code (BCC)
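The identity formats above, parsed and checked in Python as an added example (not code from
the lecture notes). The IMEI layout is the notes' 6 + 2 + 6 + 1 digit form; the Luhn check
digit in the spare position and the rule that the MS transmits that digit as 0 are from
3GPP TS 23.003. The MNC length (2 or 3 digits) depends on the country, so it is a parameter.
LAC and CI are taken as 16-bit values and the BSIC as a 3-bit NCC above a 3-bit BCC. All
sample identities are constructed; none belongs to a real subscriber or device.

```python
"""Parsing and checking GSM identities as defined in these notes.

Added example, not code from the lecture notes. IMSI = MCC(3) + MNC(2 or 3) +
MSIN, at most 15 digits; the MNC length depends on the country, so it is a
parameter here. IMEI = TAC + FAC + SNR + spare in the notes' 6+2+6+1 layout;
the spare digit is sent as 0 over the air, while a printed IMEI carries a Luhn
check digit there (3GPP TS 23.003). LAC and CI are 16-bit values; BSIC packs a
3-bit NCC above a 3-bit BCC. All sample identities are constructed.
"""


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for pos, ch in enumerate(reversed(payload)):
        d = int(ch)
        if pos % 2 == 0:                       # rightmost payload digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_imsi(imsi: str, mnc_digits: int = 2) -> dict[str, str]:
    """Split an IMSI into MCC, MNC and MSIN."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_digits not in (2, 3):
        raise ValueError("IMSI is 6-15 digits with a 2- or 3-digit MNC")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_digits], "msin": imsi[3 + mnc_digits:]}


def parse_imei(imei: str) -> dict[str, object]:
    """Split TAC/FAC/SNR/spare and verify the printed check digit."""
    if not imei.isdigit() or len(imei) != 15:
        raise ValueError("IMEI is 15 digits")
    return {
        "tac": imei[:6], "fac": imei[6:8], "snr": imei[8:14], "spare": imei[14],
        "check_digit_ok": int(imei[14]) == luhn_check_digit(imei[:14]),
    }


def over_the_air_imei(imei: str) -> str:
    """What the MS actually transmits: the spare/check position zeroed."""
    return imei[:14] + "0"


def lai(mcc: str, mnc: str, lac: int) -> tuple[str, str, int]:
    if not 0 <= lac <= 0xFFFF:
        raise ValueError("LAC is a 16-bit value")
    return (mcc, mnc, lac)


def cgi(mcc: str, mnc: str, lac: int, ci: int) -> tuple[str, str, int, int]:
    if not 0 <= ci <= 0xFFFF:
        raise ValueError("CI is a 16-bit value")
    return lai(mcc, mnc, lac) + (ci,)


def bsic_pack(ncc: int, bcc: int) -> int:
    if not (0 <= ncc <= 7 and 0 <= bcc <= 7):
        raise ValueError("NCC and BCC are 3-bit values")
    return (ncc << 3) | bcc


def bsic_unpack(bsic: int) -> tuple[int, int]:
    return (bsic >> 3) & 0x7, bsic & 0x7


if __name__ == "__main__":
    print(parse_imsi("001010123456789"))          # constructed test-network IMSI
    print(parse_imei("351234567890124"))          # constructed IMEI, valid check digit
    print(cgi("001", "01", 0x1234, 0x0042), bsic_unpack(bsic_pack(5, 3)))
```

The check digit is worth keeping in mind when handling IMEIs from different sources: a
value read from a phone's label or *#06# display carries it, while the same device's
identity as seen in network signalling or an EIR log ends in 0, so the two strings differ in
their last digit even though they denote the same equipment.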

5.2 GSM System Operations (Traffic Cases)
Registration, call setup, and location updating
Call setup
Interrogation phase
Radio resource connection establishment
Service request
GSM System Operations (Traffic Cases)
Call setup
Ciphering mode setting
IMEI check
TMSI reallocation
Call initiation procedure
Assignment of a traffic channel
Call confirmation, call accepted, and call release
GSM System Operations (Traffic Cases)
Other aspects of call establishment
Location updating
Normal location updating (idle mode)
IMSI detach/attach location updating
Periodic location updating

Fig 5.1 GSM channel assignment


Fig 5.2 GSM channel establishment

GSM System Operations (Traffic Cases)
Call handoff
Intra-BSC handover
The process during an intra-BSC handover is as follows:

A). During the call, the MS measures the strength and quality of the signal on its
TCH and the signal strength received from the neighbouring cells, and averages the
measurements for each cell.

The MS sends the measurement results to the BTS twice per second; they cover not only
its own cell but also the neighbouring cells.

B). The BTS forwards the measurement results, together with its own uplink measurements
on the TCH, to the BSC. In the BSC, the locating function evaluates them and decides
whether a handover to another cell is required.

C). When a handover is to be made, the BSC checks whether it controls the target cell
and orders the new BTS to activate a TCH there.

D). The BSC orders the old BTS to send the MS a handover command with information
about the new frequency, time slot and output power.

E). The MS tunes to the new frequency and accesses the assigned time slot with
handover access bursts.

F). When the new BTS detects the handover access, it sends the MS the
"timing advance" (derived from the distance between the MS and the BTS). The BTS also
informs the BSC with a "handover detection" message, so that the traffic path is
switched to the new BTS.

G). The MS sends a "handover complete" message.

H). Finally, the old BTS is ordered to deactivate the old TCH.

Fig 5.3 Intra BSC handover
Inter-BSC handover
In this case BSC1 (the old BSC) does not control the better cell which is the target for
the handover. This means that the MSC will be part of the link between
BSC1 and BSC2 (the new BSC).
1. Handover request - BSC1 sends a handover request to the MSC, which knows which
BSC controls the target cell and forwards the request to BSC2.
2. Activation of new channel - BSC2 allocates a TCH in the target cell and then
orders the BTS to activate it. The chosen handover reference number (HO ref. no.) is
part of the activation message. The BTS acknowledges that the activation has been made.
3. Handover command - After the activation the new BSC builds the handover command,
which is relayed through the MSC and the old BSC to the MS on the FACCH of the old
channel. It contains a full description of the new channel and the HO ref. no.
4. Handover bursts - When the MS has changed to the new channel, it sends
handover access bursts on the new channel. Their only information content is the HO
ref. no. The bursts are as short as the access bursts, because the MS does not yet know
the Timing Advance (TA) for the new cell. On detecting the handover bursts, and after
checking that the HO ref. no. matches the one it was told to expect, the new BTS sends
the MS the new TA.
5. Handover complete - Now the MS is ready to continue the traffic and sends a
handover complete message; the new BSC reports this to the MSC, which sends a clear
command to the old BSC.
6. Release of old channel - When the old BSC receives the clear command
from the MSC, it knows that the handover was successful. The BSC
orders the BTS to release the old TCH, and the BTS acknowledges.
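The intra-BSC and inter-BSC procedures above, as one message-level simulation in Python,
added here as an example (not code from the lecture notes). The message names follow the
wording of the steps rather than any exact specification encoding; the classes, the handover
reference, channel numbers and distances are constructed. The inter-BSC case differs only
in who relays the request and the clear command (the MSC), so a single function covers both.
One further assumption is the timing-advance scale: one TA step corresponds to roughly
553.5 m of MS-to-BTS distance, capped at 63.

```python
"""Handover signalling between MS, BTSs and BSC(s) as described in the notes.

Added example, not code from the lecture notes. Message names follow the
notes' wording (channel activation, handover command, handover access bursts,
timing advance, handover complete, clear command, release) rather than any
exact spec encoding; the classes and the distances are constructed. The
inter-BSC case differs only in who relays the messages (the MSC), so one
function covers both. Assumption: one timing-advance step is ~553.5 m of
MS-to-BTS distance, capped at 63.
"""
from dataclasses import dataclass
from typing import Optional

TA_STEP_M = 553.5


@dataclass
class Channel:
    arfcn: int
    timeslot: int
    expected_ho_ref: Optional[int] = None   # set when activated for a handover


class BTS:
    def __init__(self, name: str):
        self.name = name
        self.active: dict[tuple[int, int], Channel] = {}

    def channel_activation(self, arfcn: int, ts: int, ho_ref: int) -> str:
        self.active[(arfcn, ts)] = Channel(arfcn, ts, ho_ref)
        return f"{self.name}: CHANNEL ACTIVATION ACK ({arfcn}/{ts}, ref {ho_ref})"

    def handover_access(self, arfcn: int, ts: int, ho_ref: int,
                        distance_m: float) -> Optional[int]:
        """Timing advance for the MS, or None if the burst is ignored (wrong channel or ref)."""
        ch = self.active.get((arfcn, ts))
        if ch is None or ch.expected_ho_ref != ho_ref:
            return None
        ch.expected_ho_ref = None                 # the reference is single-use
        return min(63, round(distance_m / TA_STEP_M))

    def rf_channel_release(self, arfcn: int, ts: int) -> str:
        self.active.pop((arfcn, ts), None)
        return f"{self.name}: RF CHANNEL RELEASE ACK ({arfcn}/{ts})"


class MobileStation:
    def __init__(self, distance_to_target_m: float, ho_ref_error: int = 0):
        self.distance_to_target_m = distance_to_target_m
        self.ho_ref_error = ho_ref_error   # non-zero models a corrupted or forged reference
        self.timing_advance: Optional[int] = None

    def handover_command(self, arfcn: int, ts: int, ho_ref: int,
                         power: int) -> tuple[int, int, int]:
        """HANDOVER COMMAND received on the FACCH of the old channel."""
        return arfcn, ts, ho_ref + self.ho_ref_error


def handover(ms: MobileStation, old_bts: BTS, old_ch: tuple[int, int],
             new_bts: BTS, new_ch: tuple[int, int], ho_ref: int,
             via_msc: bool = False) -> dict:
    """Run steps C to H; returns the transcript and whether the old channel was released."""
    log = [("MSC" if via_msc else "BSC") + f": handover request for cell {new_bts.name}"]
    log.append(new_bts.channel_activation(*new_ch, ho_ref))
    arfcn, ts, ref = ms.handover_command(*new_ch, ho_ref, power=5)
    log.append(f"MS: handover access bursts on {arfcn}/{ts} with ref {ref}")
    ta = new_bts.handover_access(arfcn, ts, ref, ms.distance_to_target_m)
    if ta is None:
        log.append(f"{new_bts.name}: no handover detection, old channel kept")
        return {"success": False, "log": log, "old_released": False}
    ms.timing_advance = ta
    log.append(f"{new_bts.name}: handover detection, TA={ta} sent to MS")
    log.append("MS: HANDOVER COMPLETE")
    if via_msc:
        log.append("MSC: CLEAR COMMAND to old BSC")
    log.append(old_bts.rf_channel_release(*old_ch))
    return {"success": True, "log": log, "old_released": old_ch not in old_bts.active}


def run_demo(ho_ref_error: int = 0, via_msc: bool = False, distance_m: float = 1200.0) -> dict:
    """Constructed scenario: MS on BTS1 channel 10/3 handed over to BTS2 channel 27/5."""
    old_bts, new_bts = BTS("BTS1"), BTS("BTS2")
    old_bts.active[(10, 3)] = Channel(10, 3)      # the MS's current TCH
    ms = MobileStation(distance_m, ho_ref_error)
    result = handover(ms, old_bts, (10, 3), new_bts, (27, 5), ho_ref=0x2A, via_msc=via_msc)
    result["timing_advance"] = ms.timing_advance
    return result


if __name__ == "__main__":
    for line in run_demo(via_msc=True)["log"]:
        print(line)
```

The handover reference is the one field the new BTS can check before it commits the
channel: an access burst with the wrong reference is simply not detected, the old channel
stays allocated and the call continues on it, which is the behaviour the failure branch of
the simulation shows.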

Fig 5.4 Inter BSC handover

Inter-MSC handover
Handing over a GSM call is a complicated procedure, and even more so when the
source and target cells are controlled by different MSCs. The following steps
summarise an inter-MSC handover:
The source BSC analyses the signal quality measurement reports and initiates a
The source MSC finds that the call needs to be handed over to a cell controlled by a
different MSC.
The source MSC and target MSC interact and then command the mobile (UT) to move to
the new cell.
The target MSC informs the source MSC when the call has been successfully handed
over.
The source MSC releases the radio resources for the call. Note that the call is still
routed via the source MSC.

Fig 5.5 Inter MSC handover
GSM Infrastructure Communications (Um Interface)
A GSM network is a bearer for data communication protocol families: any protocol
stack for data communication, for example TCP/IP, can be implemented on top of a GSM
bearer. The GSM protocol architecture is, as for ISDN, structured into three
independent planes: the user plane, the control plane and the management plane.
The user plane defines the protocols that carry connection-oriented voice and user
data. At the radio interface Um, user plane data is carried by the logical traffic
channel called TCH. The control plane defines a set of protocols for controlling
these connections with signalling information, for example signalling for connection
setup. Such signalling data is carried over logical control channels called
D-channels (Dm-channels). As the control channels often have spare capacity, some
user data, namely the packet-oriented SMS data, is also transported over these
channels (see Figure gsm8). All logical channels are finally multiplexed onto the
physical channel.

Management plane functions are:
plane management functions related to the system as a whole, including plane
functions related to resources and parameters residing in the layers of the control
and/or user plane. Management of network element configuration and of network
element faults are examples of management plane functionality.

The basic GSM bearer service, Circuit Switched Data (CSD), simply consists of
transmitting and receiving signals representing data instead of voice across the air
interface. Modems are used for the conversion between data bit streams and modulated
radio signals. Data transmission is either transparent or non-transparent.

Fig: 5.6 Three layers of interface in GSM


Fig: 5.7 Linking of Three layers of interface in GSM

Layer 3: Networking layer operations
Connection management
Mobility management
Radio resource management


Fig: 5.8 Linking of RR, RM and MM in GSM

Layer 2: Data Link layer operations
LAPD operations
Service access points
Data link procedures
Physical services required by the Data Link layer
Data link timers
North American TDMA
TIA/EIA-136 basics
TIA/EIA-136 channel concept
TIA/EIA-136 timeslots and frame details


Fig: 5.9 NA -TDMA structure

UNIT - 6
CDMA technology, CDMA overview, CDMA channel concept CDMA operations.





6.1 Introduction to CDMA

Cellular services are now used every day by millions of people worldwide. The
number of customers requiring such services is increasing exponentially, and there is
demand for the integration of a variety of multimedia services. The range of services
includes short messaging, voice, data, and video. Consequently, the bit rate required
varies widely, from just 1.2 kbps for paging up to several Mbps for video
transmission. Furthermore, supporting such a wide range of data rates with flexible
mobility management increases network complexity dramatically.
CDMA is a digital modulation and radio access system that employs signature codes
(rather than time slots or frequency bands) to arrange simultaneous and continuous
access to a radio network by multiple users. Interference on the radio channel in
mobile communications arises from multiple user access, multipath radio propagation,
adjacent channel radiation and radio jamming.
The performance of spread spectrum systems is relatively immune to radio interference.
Cell sectorisation and voice activity detection used in CDMA radio schemes provide
additional capacity compared with FDMA and TDMA. However, CDMA still has a few
drawbacks, the main one being that capacity (the number of active users at any
instant) is limited by the multiple access interference. Furthermore, the near-far
effect requires an accurate and fast power control scheme. The first cellular CDMA
radio system was built to the IS-95 specification and is now known commercially as
cdmaOne.

Fig 6.1 comparison of different techniques

Fig 6.2 channel allocation

6.2 CDMA Network and System Architecture

There is increasing demand for data traffic over mobile radio. The mobile radio industry
has to evolve the current radio infrastructure to accommodate the expected data traffic
while continuing to carry voice traffic efficiently. The General Packet Radio Service
(GPRS) was introduced to efficiently support high-rate data over GSM. GPRS signalling
and data do not travel through the circuit-switched GSM network. GPRS operation is
supported by new protocols and new network nodes: the Serving GPRS support node (SGSN)
and the Gateway GPRS support node (GGSN). One prominent protocol used to tunnel data
through the IP backbone network is the GPRS tunnelling protocol (GTP). GPRS obtains
user profile data from the location register database of the GSM network. GPRS supports
quality of service and a peak data rate of up to 171.2 kbps when using all 8 timeslots
at the same time. GPRS uses the same modulation as GSM, Gaussian Minimum Shift Keying
(GMSK), with 4 coding schemes. GPRS packetises the user data and transports it over 1
to 8 radio channel timeslots using the IP backbone network.
Enhanced Data Rates for GSM Evolution (EDGE) employs Enhanced GPRS (EGPRS) to support
data rates of up to 384 kbps through optimised modulation. EGPRS supports 2 modulation
schemes, namely GMSK with 4 coding schemes and 8-PSK with 5 coding schemes. Unlike
GPRS, where header and data are encoded together, headers are encoded separately in
EGPRS.

Fig 6.3 Network architecture of CDMA
Mobile-services switching center and visitor location register
Interworking function
Mobile positioning system
Unified messaging/voice mail service
HLR/AC, PPCS, and other nodes

Fig 6.4 Packet network architecture of CDMA

Base station subsystem
Base station controller
Radio base station
PLMN subnetwork
Circuit core network
CDMA radio access network
PLMN subnetwork
Packet core network
AAA server
Home agent
Packet data serving node
Foreign agent


Fig 6.5 Packet core Network architecture of CDMA

Network management system
Network management
Subnetwork management and element management
System communications links

Fig 6.6 Network interface architecture of CDMA

6.3 CDMA Channel Concept

Introduction to Walsh codes
Other pseudorandom noise codes
Short and long PN codes
Spreading procedure

Fig 6.7 CDMA channel concept
The IS-95 CDMA system is a narrowband CDMA radio system: its bandwidth is limited to
1.25 MHz with a chip rate of 1.2288 Mcps. The system is intended to provide voice and
low bit rate data service using circuit-switching techniques; the data rate varies from
1.2 kbps to 9.6 kbps. The forward (base station to mobile) and reverse (mobile to base
station) link structures are different and each has its own capacity. Forward
transmission is coherent and synchronous, while the reverse link is asynchronous.
Channelisation is achieved using 64-chip orthogonal (Walsh) codes, with provision for
pilot, synchronisation, paging and network access channels. Consequently, the number of
active users able to access the network simultaneously is limited by the level of
interference, the service provisions and the number of code channels available. In
IS-95B, an active mobile always has a fundamental code channel at 9.6 kbps, and when a
higher data rate is required the base station assigns the mobile up to 7 supplementary
code channels.
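The Walsh-code channelisation just described can be reproduced in a few lines. The following Python block is an added example, not code from the course notes or from any IS-95 implementation: it builds the 64 x 64 Walsh (Hadamard) matrix, spreads constructed bit streams for the pilot (W0), a paging channel (W1) and two traffic channels onto one composite chip stream, recovers each channel by correlating with its own Walsh function, and shows that correlation with an unused code is exactly zero. The standard fixes only W0 as pilot, W32 as sync and W1 to W7 as paging; the traffic-channel indexes 8 and 9 and all bit patterns are assumptions of the example. It also shows why the orthogonality depends on chip alignment, which is the reason the asynchronous reverse link cannot use Walsh functions for channelisation.

```python
"""Walsh-code channelisation on an IS-95-style forward link.
Added example (not from the course notes): Sylvester-construction Walsh matrix,
spreading of several code channels onto one chip stream, and despreading by
correlation. Channel-to-code assignment and bit patterns are constructed data;
the standard fixes only W0 = pilot, W32 = sync, W1..W7 = paging."""

N_CHIPS = 64                      # IS-95 Walsh functions are 64 chips long
PILOT, PAGING, SYNC = 0, 1, 32    # code indexes fixed by IS-95

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def walsh_matrix(n):
    """Rows are the n Walsh functions (+1/-1 chips), built by the Sylvester
    recursion H(2k) = [[H(k), H(k)], [H(k), -H(k)]]; n must be a power of two."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h

def walsh_orthogonal(n):
    """True if every pair of distinct Walsh functions has zero cross-correlation
    and each function correlates with itself to n."""
    h = walsh_matrix(n)
    return all(dot(h[i], h[j]) == (n if i == j else 0)
               for i in range(n) for j in range(n))

def spread(bits, code):
    """Map each bit to a +1/-1 symbol and multiply it by the whole Walsh function."""
    return [(1 - 2 * b) * c for b in bits for c in code]

def despread(chips, code):
    """Correlate each code-length block with the Walsh function; the sign gives the bit."""
    n = len(code)
    bits = []
    for k in range(len(chips) // n):
        corr = dot(chips[k * n:(k + 1) * n], code)
        bits.append(0 if corr > 0 else 1)
    return bits

def forward_link_demo():
    """Spread three data channels plus the data-less pilot onto one chip stream
    and recover them. Returns (recovered bits per channel, summed absolute
    correlation with an unused code W10, which orthogonality forces to zero)."""
    h = walsh_matrix(N_CHIPS)
    channels = {                              # constructed sample bit streams
        PAGING: [1, 0, 1, 1, 0, 0, 1, 0],
        8: [0, 0, 1, 1, 0, 1, 0, 1],          # traffic channel, user A (assumed index)
        9: [1, 1, 1, 0, 0, 0, 1, 1],          # traffic channel, user B (assumed index)
    }
    composite = spread([0] * 8, h[PILOT])     # pilot: all-zero data on W0
    for idx, bits in channels.items():
        composite = [x + y for x, y in zip(composite, spread(bits, h[idx]))]
    recovered = {idx: despread(composite, h[idx]) for idx in channels}
    unused = sum(abs(dot(composite[k * N_CHIPS:(k + 1) * N_CHIPS], h[10]))
                 for k in range(8))
    return recovered, unused

def misaligned_autocorrelation(index, shift):
    """Correlation of a Walsh function with itself delayed by `shift` chips.
    Orthogonality, and even self-detection, holds only at chip alignment."""
    row = walsh_matrix(N_CHIPS)[index]
    delayed = row[-shift:] + row[:-shift]
    return dot(row, delayed)

if __name__ == "__main__":
    rec, unused = forward_link_demo()
    print("recovered:", rec, "| correlation with unused W10:", unused)
    print("W1 vs W1 delayed 1 chip:", misaligned_autocorrelation(1, 1))
    print("W2 vs W2 delayed 1 chip:", misaligned_autocorrelation(2, 1))
```

The composite stream is the sum of the spread channels, exactly what the base station transmits on one carrier; each receiver recovers its own channel because every other channel integrates to zero over a 64-chip block. The last two calls show the fragility: W1 delayed by one chip correlates to -64 with itself (every bit inverted) and W2 delayed by one chip correlates to 0 (the user's own signal vanishes), so a receiver that has not acquired chip timing from the pilot gets garbage, and mobiles that transmit asynchronously cannot be separated this way.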
The Wideband CDMA (W-CDMA) system is the major standard in the next-generation
International Mobile Telecommunications-2000 (IMT-2000) standard suite. W-CDMA supports
high data rate transmission, typically 384 kbps for wide area coverage and 2 Mbps for
local coverage, for multimedia services. Thus W-CDMA is capable of offering the
transmission of voice, text, data, still pictures and video over a single platform.
However, in addition to the drawbacks arising from the mobile environment and multiple
access interference, high bit rate transmission causes inter-symbol interference (ISI),
which therefore has to be taken into account during transmission. W-CDMA has two
versions: frequency division duplex (FDD) and time division duplex (TDD).
The FDD version of W-CDMA operates in either of the following paired bands:
Uplink: 1920 - 1980 MHz Downlink: 2110 - 2170 MHz
Uplink: 1850 - 1910 MHz Downlink: 1930 - 1990 MHz
The 3GPP architecture of the Universal Mobile Telecommunications System (UMTS) is
composed of an IP-based core network (CN) connected to the user equipment through the
UMTS Terrestrial Radio Access Network (UTRAN). The UTRAN consists of a set of radio
network subsystems, each comprising a radio network controller and one or more Node B
base stations. The radio network controller is responsible for the handover decisions
that require signalling to the user equipment. Each subsystem is responsible for the
resources of its set of cells, and each Node B has one or more cells.

Fig 6.8 Walsh code in CDMA

Forward logical channels
Pilot channel
Synchronization channel
Paging channel
Traffic/power control channels


Fig 6.9 I channel pilot signals

Fig 6.10 Power control systems

Reverse logical channels
Differences from forward channel
PN code derivation
Access channels
Traffic/power control channels

Fig 6.11 reverse logic channels

CDMA frame format
Vocoding details and formats
Forward channel frame formats
Reverse channel frame formats
Burst transmission

6.4 CDMA System (Layer 3) Operations
Status dependent operation


Fig 6.12 State transition of Initialization of a call

Call establishment
Initialization state
Idle state
Access state
Access channel probing
Optimal opportunistic spectrum access (OSA) policies for a transmitter in a multichannel
wireless system, where a channel can be in one of multiple states. Each channel state is
associated with either a probability of transmission success or a transmission rate. In
such systems, the transmitter typically has partial information concerning the channel
states, but can deduce more by probing individual channels, e.g. by sending control
packets in the channels, at the expense of certain resources, e.g., energy and time. The
main goal of this work is to derive optimal strategies for determining which channels to
probe (in what sequence) and which channel to use for transmission. We consider two
problems within this context, the constant data time (CDT) and the constant access time
(CAT) problems. For both problems, we derive key structural properties of the
corresponding optimal strategy. In particular, we show that it has a threshold structure
and can be described by an index policy. We further show that the optimal CDT strategy
can only take on one of three structural forms. Using these results we present a
two-step lookahead CDT (CAT) strategy. This strategy is shown to be optimal for a number
of cases of practical interest.

Fig 6.13 Channel probing

Traffic state
Mobile-originated call
Mobile-terminated call
Call termination
Operation details

Fig : 6.14 mobile originate call in CDMA

Fig : 6.15 mobile terminated call in CDMA

Call handoff
Idle/access handoff
Soft handoff
Soft, softer, and soft-softer handoff
Handoff logistics

Call handoff
Hard handoff
Due to intercarrier handoff
Due to disjointed regions
Border and transition cells
Power control
Need for sophisticated power control
Near-far effect
Forward link power control details
Reverse open loop details
Fast closed loop details

6.5 IS-95-B, cdma2000, and W-CDMA
IS-95B forward and reverse channels
Supplementary code channels
Cdma2000 differences from IS-95B
Cdma2000 forward and reverse channel structures


Evolution of GSM technology
UMTS details
W-CDMA details
TD-CDMA and TD-SCDMA spectrums


UNIT - 7
Wireless Modulation techniques and Hardware, Characteristics of air interface, Path loss
models, wireless coding techniques, Digital modulation techniques, OFDM, UWB radio
techniques, Diversity techniques, Typical GSM Hardware.




Wireless Modulation Techniques and Hardware

7.1 Transmission Characteristics of Wireline and Fiber Systems
Conductor-based transmission lines
Transmission line function
Wireline transmission lines
Wireline characteristics
Fiber-optic cables
Physical characteristics
Transport technologies - SONET

7.2 Characteristics of the Air Interface

Early usage
Radio wave propagation and propagation models
Wave propagation below 2 MHz
Wave propagation between 2 and 30 MHz
Wave propagation above 30 MHz
Wave propagation effects at UHF and above
Multipath propagation
Indoor and outdoor propagation examples
Path loss models for various coverage areas
Free space
Other path loss models
Two-ray model
Okumura model
Okumura-Hata model
Multipath and Doppler effects
Rayleigh fading
Multipath delay spread


Fig 7.1 Wireline transmission lines

Fig 7.2 Wireless transmission lines

Fig 7.3 comparison of responses

7.3 Wireless Telecommunications Coding Techniques
Error detection and correction coding
Error fundamentals
Block codes
Convolutional and turbo encoders

Fig 7.4 Block diagram of convolution encoder

Speech coding
Rates and subrates
Block interleaving
Examples of coding and interleaving

Fig 7. 5 Diagrammatic rep of block interleaving


Fig 7.6 Block diagram of channel encoder

GSM channel encoding
Classes of bits
Interleaving operations

7.4 Digital Modulation Techniques
Review of digital modulation techniques
FSK, MSK, n-PSK, and n-QAM
Bandwidth efficiency
Typical QPSK transmitter

Fig 7.7 Block diagram of FSK

Digital frequency modulation
First generation systems
Second generation systems
Digital phase modulation
IS-95 CDMA application
NA-TDMA application
Theory of operation
Orthogonality principle
Multiple carriers and multirate modems
Present uses - wireless LANs
Future uses

7.5 Spread Spectrum Modulation Techniques
Frequency hopping spread spectrum
History of development
Theory of operation
Example of FHSS

Fig 7.6 Representation of frequency hopping

Direct sequence spread spectrum
Spreading chips
Walsh codes
Other coding forms

7.6 Ultra-wideband Radio Technology
Challenges of implementation
Wireless PAN applications

7.7 Diversity Techniques
Introduction to diversity operation
Specialized receiver technology
RAKE receiver
Signal resolution
Usage problems

Fig 7.7 Diversity techniques for modulation

Space diversity
Space and polarization diversity
Practical implementations

Single antenna interference cancellation
Smart antennas
Theory of operation

Fig 7.8 Use of antennas for modulation

7.8 Typical GSM System Hardware
Base station controller
Specific BSC parts
Group switch, sub-rate switch exchange/interface circuits,
transcoder rate adaptation unit, system control, power supply,
and environmental conditioning unit
BSC radio network operations

Fig 7.9 GSM system hardware


Fig 7.10 components of GSM system hardware


Radio base station
Radio base station subsystems
Distribution switch unit, timing and control,
transmitter/receiver units, and combining and distribution

RBS transceiver unit
Signal processing and control subsystem, transmitter units,
and receiver units

Fig 7.11 Typical RBS

Fig 7.12 Block diagram of TR unit


RBS antenna systems
Combining and distribution unit example
Typical antenna configurations
Hybrid combiner
Duplex filter

Fig 7.13 Block diagram of duplexer

RBS antennas and antenna amplifiers
Antenna amplifier theory
Software handling/maintenance
OMT software
Field replaceable units

7.10 Subscriber Devices
CDMA mobile radios
Block diagram
RF transmitter, system control, man-machine interface, RF output
power control, RF receiver, RAKE receiver, system memory, DSP,


Fig 7.14 Block dia of subscriber unit


UNIT - 8
Introduction to wireless LAN 802.11X technologies, Evolution of Wireless LAN
Introduction to 802.15X technologies in PAN Application and architecture Bluetooth
Introduction to Broadband wireless MAN, 802.16X technologies.



Wireless LANs/IEEE 802.11x

8.1 Introduction to IEEE 802.11x Technologies

802.1X authentication involves three parties: a supplicant, an authenticator, and an
authentication server. The supplicant is a client device (such as a laptop) that wishes
to attach to the LAN/WLAN, though the term 'supplicant' is also used interchangeably
for the software running on the client that provides credentials to the authenticator.
The authenticator is a network device, such as an Ethernet switch or wireless access
point, and the authentication server is typically a host running software supporting
the RADIUS and EAP protocols.
The authenticator acts like a security guard to a protected network. The supplicant
(i.e., the client device) is not allowed access through the authenticator to the
protected side of the network until the supplicant's identity has been validated and
authorized. An analogy is presenting a valid visa at the airport's arrival immigration
before being allowed to enter the country. With 802.1X port-based authentication, the
supplicant provides credentials, such as a user name and password or a digital
certificate, to the authenticator, and the authenticator forwards the credentials to
the authentication server for verification. If the authentication server determines
that the credentials are valid, the supplicant (client device) is allowed to access
resources located on the protected side of the network.

8.2 Evolution of Wireless LANs

Wireless LANs have gone through rapid changes with respect to their security
architecture in recent years. One view has been to incorporate WLANs under already
existing VPN umbrellas and to treat them merely as an alternative access method, thus
preserving the existing VPN infrastructure. Another view has been to address the
security of the airwaves themselves, which has been demonstrated to be extremely
vulnerable. Security standardisation based on the work of the IEEE has evolved from WEP
to WPA, which introduced new key management and integrity mechanisms, through to WPA2
(IEEE 802.11i), which keeps the key management and integrity mechanisms of WPA but
introduces AES encryption and moves much of the security functionality into hardware.
This paper traces the evolution and development of this new WLAN security

Initialization - On detection of a new supplicant, the port on the switch
(authenticator) is enabled and set to the "unauthorized" state. In this state only
802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with it
TCP and UDP), is dropped.

Initiation - To initiate authentication the authenticator periodically transmits
EAP-Request Identity frames to a special Layer 2 address on the local network segment.
The supplicant listens on this address, and on receipt of the EAP-Request Identity frame
it responds with an EAP-Response Identity frame containing an identifier for the
supplicant, such as a user ID. The authenticator then encapsulates this Identity
response in a RADIUS Access-Request packet and forwards it to the authentication
server. The supplicant may also initiate or restart authentication by sending an
EAPOL-Start frame to the authenticator, which then replies with an EAP-Request Identity
frame.

Negotiation (technically EAP negotiation) - The authentication server sends a reply
(encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an
EAP Request specifying the EAP method (the type of EAP-based authentication it wishes
the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL
frame and transmits it to the supplicant. At this point the supplicant can start using
the requested EAP method, or send a NAK ("negative acknowledgement") listing the EAP
methods it is willing to perform.

Authentication - If the authentication server and supplicant agree on an EAP method,
EAP Requests and Responses are sent between the supplicant and the authentication
server (relayed by the authenticator) until the authentication server responds with
either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet) or an
EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication
is successful, the authenticator sets the port to the "authorized" state and normal
traffic is allowed; if it is unsuccessful, the port remains in the "unauthorized"
state. When the supplicant logs off, it sends an EAPOL-Logoff message to the
authenticator, which then sets the port back to the "unauthorized" state, once again
blocking all non-EAP traffic.
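The four stages above, run end to end, as an added example in Python (not code from the course notes or from any switch or RADIUS product). The authenticator port parses the EAPOL and EAP headers, drops every non-EAPOL frame until it is authorized, ignores EAP responses whose identifier does not match the request it relayed, and returns to the unauthorized state on EAPOL-Logoff. The authentication server is a local stand-in that runs EAP-MD5 (EAP type 4) in place of RADIUS transport; the MAC addresses, the password table and the fixed challenge are constructed for the example.

```python
"""IEEE 802.1X authenticator port model. Added example, not code from the course
notes or any real switch: parses EAPOL (EtherType 0x888E) and EAP headers, blocks
non-EAPOL frames while unauthorized, relays EAP to a stand-in server running
EAP-MD5 instead of RADIUS, and authorizes the port only on EAP-Success.
Password table, challenge and MAC addresses are constructed test data."""
import hashlib
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC address
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2     # EAPOL packet types
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
IDENTITY, MD5_CHALLENGE = 1, 4                     # EAP method types used here

def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: Code, Identifier, Length (whole packet), then Type and data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol(dst, src, pkt_type, body=b""):
    """Ethernet frame carrying EAPOL: version 1, packet type, body length, body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, pkt_type, len(body)) + body

def md5_response(ident, password, challenge):
    """EAP-MD5 response value = MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class AuthServer:
    """Stand-in for the RADIUS/EAP server: password table plus per-identifier state."""
    CHALLENGE = bytes(range(16))    # constructed; a real server draws it at random

    def __init__(self, passwords):
        self.passwords, self.pending = passwords, {}   # pending: ident -> identity

    def handle(self, resp):
        """Takes an EAP-Response, returns the next EAP-Request, -Success or -Failure."""
        code, ident, length = struct.unpack("!BBH", resp[:4])
        eap_type, data = resp[4], resp[5:length]
        if eap_type == IDENTITY:
            nxt = (ident + 1) & 0xFF
            self.pending[nxt] = data.decode(errors="replace")
            return eap(REQUEST, nxt, MD5_CHALLENGE, bytes([16]) + self.CHALLENGE)
        if eap_type == MD5_CHALLENGE and ident in self.pending:
            identity = self.pending.pop(ident)
            expected = md5_response(ident, self.passwords.get(identity, b""), self.CHALLENGE)
            ok = identity in self.passwords and data[1:17] == expected
            return eap(SUCCESS if ok else FAILURE, ident)
        return eap(FAILURE, ident)

class Authenticator:
    """One controlled port. receive() returns ('drop', None), ('forward', frame) or
    ('eapol', frame), the last being the EAPOL frame to send to the supplicant."""
    def __init__(self, mac, server):
        self.mac, self.server = mac, server
        self.authorized, self.pending_id = False, None   # pending_id: awaited EAP identifier

    def receive(self, frame):
        src = frame[6:12]
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
            return ("forward", frame) if self.authorized else ("drop", None)
        _version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + length]
        if pkt_type == EAPOL_START:            # supplicant (re)starts: EAP-Request/Identity
            self.pending_id = 1
            return ("eapol", eapol(src, self.mac, EAPOL_EAP, eap(REQUEST, 1, IDENTITY)))
        if pkt_type == EAPOL_LOGOFF:           # back to blocking all non-EAPOL traffic
            self.authorized, self.pending_id = False, None
            return ("drop", None)
        if pkt_type != EAPOL_EAP or len(body) < 5:
            return ("drop", None)
        if body[0] != RESPONSE or body[1] != self.pending_id:
            return ("drop", None)              # unsolicited or replayed response: ignore
        reply = self.server.handle(body)       # stands in for RADIUS Access-Request/-Challenge
        if reply[0] == SUCCESS:
            self.authorized, self.pending_id = True, None
        elif reply[0] == FAILURE:
            self.authorized, self.pending_id = False, None
        else:
            self.pending_id = reply[1]
        return ("eapol", eapol(src, self.mac, EAPOL_EAP, reply))

def run_exchange(identity, password, passwords):
    """Play the supplicant against a port; probe it with a constructed IPv4 frame
    before, after the exchange, and after EAPOL-Logoff. Returns (authorized, log)."""
    sup, auth = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    port = Authenticator(auth, AuthServer(passwords))
    ip_frame = auth + sup + struct.pack("!H", 0x0800) + bytes(20)   # non-EAPOL frame
    log = [port.receive(ip_frame)[0]]
    action, frame = port.receive(eapol(PAE_GROUP_ADDR, sup, EAPOL_START))
    while action == "eapol":
        req = frame[18:]
        code, ident = req[0], req[1]
        if code in (SUCCESS, FAILURE):
            log.append("success" if code == SUCCESS else "failure")
            break
        if req[4] == IDENTITY:
            resp = eap(RESPONSE, ident, IDENTITY, identity.encode())
        else:                                  # MD5-Challenge: value-size byte, then challenge
            challenge = req[6:6 + req[5]]
            resp = eap(RESPONSE, ident, MD5_CHALLENGE,
                       bytes([16]) + md5_response(ident, password, challenge))
        action, frame = port.receive(eapol(auth, sup, EAPOL_EAP, resp))
    was_authorized = port.authorized
    log.append(port.receive(ip_frame)[0])
    port.receive(eapol(auth, sup, EAPOL_LOGOFF))
    log.append(port.receive(ip_frame)[0])
    return was_authorized, log
```

run_exchange("alice", b"s3cret", {"alice": b"s3cret"}) yields the port actions drop, success, forward, drop: the IPv4 frame is discarded while the port is unauthorized, passes after EAP-Success, and is discarded again after EAPOL-Logoff. A wrong password ends in EAP-Failure and the port never opens. Note that the port state lives entirely in the authenticator; the server only ever sees EAP responses, which is why the authenticator binds each response's Identifier to the request it actually relayed instead of acting on whatever response arrives.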

Fig 8.1 Frequency band designation

Extensions to 802.11
Layer 1: Overview
WLAN radio cards
WLAN access points
Ad hoc or peer-to-peer connection
WLAN radio link

8.3 Introduction to 802.15X technologies in PAN applications and architecture.

Bluetooth is a wireless technology standard for exchanging data over short distances
(using short-wavelength radio transmissions in the ISM band from 2400 to 2480 MHz)
from fixed and mobile devices, creating personal area networks (PANs) with high levels
of security. Created by telecom vendor Ericsson in 1994, it was originally conceived as
a wireless alternative to RS-232 data cables. It can connect several devices,
overcoming problems of
Bluetooth is managed by the Bluetooth Special Interest Group (SIG), which has more than
17,000 member companies in the areas of telecommunication, computing, networking, and
consumer electronics. The SIG oversees the development of the specification, manages
the qualification program, and protects the trademarks. To be marketed as a Bluetooth
device, a device must be qualified to standards defined by the SIG. A network of
patents is required to implement the technology; they are licensed only for qualifying
devices.
Bluetooth uses a radio technology called frequency-hopping spread spectrum, which chops
up the data being sent and transmits chunks of it on up to 79 bands (1 MHz each,
centred from 2402 to 2480 MHz) in the range 2400-2483.5 MHz (allowing for guard
bands). This range is in the globally unlicensed Industrial, Scientific and Medical
(ISM) 2.4 GHz short-range radio frequency band. It usually performs 800 hops per
second, with Adaptive Frequency-Hopping (AFH) enabled.

Originally Gaussian frequency-shift keying (GFSK) modulation was the only modulation
scheme available; since the introduction of Bluetooth 2.0+EDR, π/4-DQPSK and 8DPSK
modulation may also be used between compatible devices. Devices functioning with GFSK
are said to be operating in basic rate (BR) mode, where an instantaneous data rate of
1 Mbit/s is possible. The term Enhanced Data Rate (EDR) is used to describe the
π/4-DQPSK and 8DPSK schemes, giving 2 and 3 Mbit/s respectively. The combination of
these (BR and EDR) modes in Bluetooth radio technology is classified as a "BR/EDR
radio".
Bluetooth is a packet-based protocol with a master-slave structure. One master may
communicate with up to 7 slaves in a piconet; all devices share the master's clock.
Packet exchange is based on the basic clock, defined by the master, which ticks at
312.5 µs intervals. Two clock ticks make up a slot of 625 µs; two slots make up a slot
pair of 1250 µs. In the simple case of single-slot packets the master transmits in even
slots and receives in odd slots; the slave, conversely, receives in even slots and
transmits in odd slots. Packets may be 1, 3 or 5 slots long, but in all cases the
master transmit will begin in even slots and the slave transmit in odd slots.
Bluetooth provides a secure way to connect and exchange information between devices
such as faxes, mobile phones, telephones, laptops, personal computers, printers, Global
Positioning System (GPS) receivers, digital cameras, and video game consoles. It was
principally designed as a low-bandwidth technology.
Communication and connection
A master Bluetooth device can communicate with a maximum of seven devices in a
piconet (an ad-hoc computer network using Bluetooth technology), though not all devices
reach this maximum. The devices can switch roles, by agreement, and the slave can
become the master (for example, a headset initiating a connection to a phone will
necessarily begin as master, as initiator of the connection; but may subsequently prefer to
be slave).
The Bluetooth Core Specification provides for the connection of two or more piconets to
form a scatternet, in which certain devices simultaneously play the master role in one
piconet and the slave role in another.
At any given time, data can be transferred between the master and one other device
(except for the little-used broadcast mode). The master chooses which slave device to
address; typically, it switches rapidly from one device to another in a round-robin
fashion. Since it is the master that chooses which slave to address, whereas a slave is
(in theory) supposed to listen in each receive slot, being a master is a lighter burden
than being a slave. Being a master of seven slaves is possible; being a slave of more
than one master is
The specification is vague as to required behaviour in scatternets.
Many USB Bluetooth adapters or "dongles" are available, some of which also include an
IrDA adapter. Older (pre-2003) Bluetooth dongles, however, have limited capabilities,
offering only the Bluetooth Enumerator and a less powerful Bluetooth radio. Such
devices can link computers with Bluetooth at a distance of 100 meters, but they do not
offer as many services as modern adapters do.
Bluetooth is a standard wire-replacement communications protocol primarily designed for
low power consumption, with a short range (power-class-dependent, but effective ranges
vary in practice; see table below) based on low-cost transceiver microchips in each
Because the devices use a radio (broadcast) communications system, they do not have to
be in visual line of sight of each other; however, a quasi-optical wireless path must
be viable.
Bluetooth profiles
To use Bluetooth wireless technology, a device has to be able to interpret certain Bluetooth
profiles, which are definitions of possible applications and specify general behaviors that
Bluetooth enabled devices use to communicate with other Bluetooth devices. These
profiles include settings to parametrize and to control the communication from start.
Adherence to profiles saves the time for transmitting the parameters anew before the bi-
directional link becomes effective. There are a wide range of Bluetooth profiles that
describe many different types of applications or use cases for devices.
Figure: A typical Bluetooth mobile phone headset.
Typical applications include:
Wireless control of and communication between a mobile phone and a hands-free headset.
This was one of the earliest applications to become popular.
Wireless control of and communication between a mobile phone and a Bluetooth-compatible
car stereo system.
Wireless Bluetooth headset and intercom.
Wireless networking between PCs in a confined space and where little bandwidth is
Wireless communication with PC input and output devices, the most common being the
mouse, keyboard and printer.
Transfer of files, contact details, calendar appointments and reminders between devices
with OBEX.
Replacement of previous wired RS-232 serial communications in test equipment, GPS
receivers, medical equipment, bar code scanners and traffic control devices.
For controls where infrared was often used.
For low-bandwidth applications where higher USB bandwidth is not required and a
cable-free connection is desired.
Sending small advertisements from Bluetooth-enabled advertising hoardings to other,
discoverable, Bluetooth devices.
Wireless bridge between two Industrial Ethernet (e.g., PROFINET) networks.
Three seventh and eighth generation game consoles, Nintendo's Wii and Sony's PlayStation 3,
PSP Go and PS Vita, use Bluetooth for their respective wireless
Dial-up internet access on personal computers or PDAs using a data-capable mobile phone
as a wireless modem.
Short-range transmission of health sensor data from medical devices to a mobile phone,
set-top box or dedicated telehealth devices.
Allowing a DECT phone to ring and answer calls on behalf of a nearby mobile
Real-time location systems (RTLS) are used to track and identify the location of objects
in real time using nodes or tags attached to, or embedded in, the objects tracked, and
readers that receive and process the wireless signals from these tags to determine their
locations.
Personal security application on mobile phones for prevention of theft or loss of items.
The protected item has a Bluetooth marker (e.g. a tag) that is in constant communication
with the phone. If the connection is broken (the marker is out of range of the phone) then
an alarm is raised. This can also be used as a man-overboard alarm. A product using this
technology has been available since 2009.
Calgary, Alberta, Canada's Roads Traffic division uses data collected from travelers'
Bluetooth devices to predict travel times and road congestion for
Bluetooth vs. Wi-Fi (IEEE 802.11)
Bluetooth and Wi-Fi (the brand name for products using IEEE 802.11 standards) have
some similar applications: setting up networks, printing, or transferring files. Wi-Fi is
intended as a replacement for cabling for general local area network access in work areas.
This category of applications is sometimes called wireless local area networks (WLAN).
Bluetooth was intended for portable equipment and its applications. This category of
applications is outlined as the wireless personal area network (WPAN). Bluetooth is a
replacement for cabling in a variety of personally carried applications in any setting and
also works for fixed-location applications such as smart energy functionality in the home
(thermostats, etc.).
Wi-Fi is a wireless version of a common wired Ethernet network, and requires
configuration to set up shared resources, transmit files, and to set up audio links (for
example, headsets and hands-free devices). In the 2.4 GHz band, Wi-Fi uses the same radio
frequencies as Bluetooth, but with higher power, resulting in higher bit rates and better
range from the base station. The nearest equivalents in Bluetooth are the DUN profile, which
allows devices to act as modem interfaces, and the PAN profile, which allows for ad-hoc
Figure: A Bluetooth USB dongle with a 100 m range; the MacBook Pro shown also has a
built-in Bluetooth adaptor.
Bluetooth exists in many products, such as telephones, tablets, media players, Lego
Mindstorms NXT, PlayStation 3, PS Vita, the Nintendo Wii, and some high-definition
headsets, modems, and watches. The technology is useful when transferring information
between two or more devices that are near each other in low-bandwidth situations.
Bluetooth is commonly used to transfer sound data with telephones (i.e., with a Bluetooth
headset) or byte data with hand-held computers (transferring files).
Bluetooth protocols simplify the discovery and setup of services between devices.
Bluetooth devices can advertise all of the services they provide. This makes using services
easier because more of the security, network address and permission configuration can be
automated than with many other network types. The same property cuts both ways: a device
left in discoverable mode exposes its address and service list to any nearby scanner, so
discoverability is normally enabled only for the duration of pairing.
Air interface
The protocol operates in the license-free ISM band at 2.402 to 2.480 GHz. To avoid
interfering with other protocols that use the 2.45 GHz band, the Bluetooth protocol divides
the band into 79 channels (each 1 MHz wide) and changes channels up to 1600 times per
second (one hop per 625 microsecond slot). Implementations with versions 1.1 and 1.2 reach
speeds of 723.1 kbit/s. Version 2.0 implementations feature Bluetooth Enhanced Data Rate
(EDR) and reach 2.1 Mbit/s. Technically, version 2.0 devices have a higher power
consumption, but the roughly three times faster rate reduces the transmission times,
effectively reducing power consumption to half that of 1.x devices.

ZigBee is a specification for a suite of high-level communication protocols using small,
low-power digital radios based on the IEEE 802.15.4 standard for personal area networks.
ZigBee devices are often used in mesh network form to transmit data over longer distances,
passing data through intermediate devices to reach more distant ones. This allows ZigBee
networks to be formed ad hoc, with no centralized control or high-power
transmitter/receiver able to reach all of the devices. Any ZigBee device can be tasked with
running the network.
ZigBee is targeted at applications that require a low data rate, long battery life, and secure
networking. ZigBee has a defined rate of 250 kbit/s, best suited for periodic or intermittent
data or a single signal transmission from a sensor or input device. Applications include
wireless light switches, electrical meters with in-home displays, traffic management
systems, and other consumer and industrial equipment that requires short-range wireless
transfer of data at relatively low rates. The technology defined by the ZigBee specification
is intended to be simpler and less expensive than other WPANs.
ZigBee is a low-cost, low-power, wireless mesh network standard. The low cost allows the
technology to be widely deployed in wireless control and monitoring applications. Low
power-usage allows longer life with smaller batteries. Mesh networking provides high
reliability and more extensive range. ZigBee chip vendors typically sell integrated radios
and microcontrollers with between 60 KB and 256 KB flash memory.
ZigBee operates in the industrial, scientific and medical (ISM) radio bands: 868 MHz in
Europe, 915 MHz in the USA and Australia and 2.4 GHz in most jurisdictions worldwide.
Data transmission rates vary from 20 to 250 kilobits/second. The ZigBee network layer
natively supports both star and tree networks, and generic mesh networks. Every
network must have one coordinator device, tasked with its creation, the control of its
parameters and basic maintenance. Within star networks, the coordinator must be the
central node. Both trees and meshes allow the use of ZigBee routers to extend
communication at the network level. ZigBee builds upon the physical layer and medium
access control defined in IEEE standard 802.15.4 (2003 version) for low-rate WPANs. The
specification goes on to complete the standard by adding four main components: network
layer, application layer, ZigBee device objects (ZDOs) and manufacturer-defined
application objects which allow for customization and favor total integration.
Besides adding two high-level network layers to the underlying structure, the most
significant improvement is the introduction of ZDOs. These are responsible for a number
of tasks, which include keeping of device roles, management of requests to join a network,
device discovery and security. ZigBee is not intended to support powerline networking but
to interface with it, at least for smart metering and smart appliance purposes.
Because ZigBee nodes can go from sleep to active mode in 30 ms or less, the latency can
be low and devices can be responsive, particularly compared to Bluetooth wake-up delays,
which are typically around three seconds. Because ZigBee nodes can sleep most of the
time, average power consumption can be low, resulting in long battery life.
Application profiles
The current list of application profiles either published, or in the works are:
Released specifications
o ZigBee Home Automation
o ZigBee Smart Energy 1.0
o ZigBee Telecommunication Services
o ZigBee Health Care
o ZigBee RF4CE Remote Control
o ZigBee RF4CE Input Device
o ZigBee Light Link
Specifications under development
o ZigBee Smart Energy 2.0
o ZigBee Building Automation
o ZigBee Retail Services
The ZigBee Smart Energy V2.0 specifications define an IP-based protocol to monitor,
control, inform and automate the delivery and use of energy and water. It is an
enhancement of the ZigBee Smart Energy version 1 specifications, adding services for
plug-in electric vehicle (PEV) charging, installation, configuration and firmware download,
prepay services, user information and messaging, load control, demand response and
common information and application profile interfaces for wired and wireless networks. It
is being developed by partners including:
HomeGrid Forum, responsible for marketing and certifying ITU-T G.hn technology and products
HomePlug Powerline Alliance
SAE International (Society of Automotive Engineers)
IPSO Alliance
SunSpec Alliance
Wi-Fi Alliance
In 2009 the RF4CE (Radio Frequency for Consumer Electronics) Consortium and ZigBee
Alliance agreed to jointly deliver a standard for radio frequency remote controls. ZigBee
RF4CE is designed for a wide range of consumer electronics products, such as TVs and
set-top boxes. It promises many advantages over existing remote control solutions,
including richer communication and increased reliability, enhanced features and flexibility,
interoperability, and no line-of-sight barrier. The ZigBee RF4CE specification sheds some
networking weight and does not support all the mesh features; this is traded for
smaller memory configurations for lower cost devices, such as remote control of consumer
With the introduction of the second ZigBee RF4CE application profile in 2012, and increased
momentum in the MSO (multiple-system operator) market, the ZigBee RF4CE team provided an
overview of the current status of the standard, its applications, and the future of the
technology.
Configurable functionality
A number of network properties can be pre-configured. The network is initialised by the
Co-ordinator, at which time these configuration values are taken into account. These
properties determine the maximum size (in terms of the maximum number of nodes) and
shape of the network, and are as follows:
Network Depth: The depth of a device in a network is the number of nodes from the root of
the network tree (the Co-ordinator) to the device. The maximum network depth is then the
maximum number of hops from the Co-ordinator to the most distant device in the network.
This determines the overall diameter for the network. Note that a Star network has a
network depth of 1.
Number of Children: Each Router in the network can have a number of child devices
attached to it. These may be either Routers or End Devices. The Co-ordinator specifies the
maximum number of child devices allowed per Router.
Number of Child Routers: In addition to the number of children per Router, a limit is put
on how many of these children may be Routers themselves. The Co-ordinator uses the
above information during initialisation to allocate blocks of network addresses to the
branches of the network tree. In turn, the Routers use it to allocate subsets of these address
blocks to their children.
Forming a ZigBee Network: The Co-ordinator is responsible for starting a ZigBee network.
Network initialisation involves the following steps:
Search for a Radio Channel
The Co-ordinator first searches for a suitable radio channel (usually the one which has least
activity). This search can be limited to those channels that are known to be usable - for
example, by avoiding frequencies in which it is known that a wireless LAN is operating.
Assign PAN ID
The Co-ordinator starts the network, assigning a PAN ID (Personal Area Network
identifier) to the network. The PAN ID can be pre-determined, or can be obtained
dynamically by detecting other networks operating in the same frequency channel and
choosing a PAN ID that does not conflict with theirs. At this stage, the Co-ordinator also
assigns a network (short) address to itself. Usually, this is the address 0x0000.
Start the Network
The Co-ordinator then finishes configuring itself and starts itself in Co-ordinator mode. It is
then ready to respond to queries from other devices that wish to join the network.
Joining a ZigBee Network: Once the network has been created by the Co-ordinator, other
devices (Routers and End Devices) can join the network. Both Routers and the Co-
ordinator have the capability to allow other nodes to join the network. The join process is
as follows:
Search for Network
The new node first scans the available channels to find operating networks and identifies
which one it should join. Multiple networks may operate in the same channel and are
differentiated by their PAN IDs.
Select Parent
The node may be able to see multiple Routers and a Co-ordinator from the same network,
in which case it selects which one it should connect to. Usually, this is the one with the best
Send Join Request
The node then sends a message to the relevant Router or Co-ordinator asking to join the
Accept or Reject Join Request
The Router or Co-ordinator decides whether the node is a permitted device, whether the
Router/Co-ordinator is currently allowing devices to join and whether it has address space
available. If all these criteria are satisfied, the Router/Co-ordinator will then allow the
device to join and allocate it an address. Typically, a Router or Co-ordinator can be
configured to have a time period during which joins are allowed. The join period may be
initiated by a user action, such as pressing a button. An infinite join period can be set, so
that child nodes can join the parent node at any time; since that lets any device in radio
range request admission whenever it likes, a bounded join window is the safer setting for a
deployed network.
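The address-block allocation described under "Configurable functionality" and the form/join
procedure above, worked through in Python as an added example that is not part of the
lecture notes. The Cskip formula and the Router/End Device address rules follow the ZigBee
specification's distributed address assignment; the channel scan results, the MAC addresses,
the permit-join bookkeeping and the Coordinator/Node classes themselves are constructed
assumptions for this example, not code from any ZigBee stack.

```python
"""Added example, not part of the lecture notes: a model of ZigBee network
formation, tree (distributed) address allocation and the join decision.
The Cskip formula and the child-address rules are the ZigBee specification's
distributed address assignment; scan results, MAC addresses and the
permit-join bookkeeping are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class NetworkParams:
    max_children: int   # Cm: maximum children (Routers + End Devices) per Router
    max_routers: int    # Rm: how many of those children may be Routers
    max_depth: int      # Lm: maximum network depth

    def cskip(self, depth):
        """Address block size given to each Router child of a parent at `depth`."""
        cm, rm, lm = self.max_children, self.max_routers, self.max_depth
        if depth >= lm:                       # nodes at maximum depth get no children
            return 0
        if rm == 1:
            return 1 + cm * (lm - depth - 1)
        # numerator and denominator are both negative; the division is exact
        return (1 + cm - rm - cm * rm ** (lm - depth - 1)) // (1 - rm)


@dataclass
class Node:
    addr: int
    depth: int
    is_router: bool
    routers: int = 0        # Router children attached so far
    end_devices: int = 0    # End Device children attached so far

    def next_child_addr(self, p, child_is_router):
        """Short address for the next child, or None if this parent has no space."""
        skip = p.cskip(self.depth)
        if not self.is_router or skip == 0:
            return None
        if child_is_router:
            if self.routers >= p.max_routers:
                return None
            return self.addr + self.routers * skip + 1           # start of n-th block
        if self.end_devices >= p.max_children - p.max_routers:
            return None
        return self.addr + p.max_routers * skip + self.end_devices + 1  # after all blocks


class Coordinator:
    """Forms the network (quietest channel, non-conflicting PAN ID, address 0x0000)
    and decides join requests the way the parent Router would."""

    def __init__(self, params, scan_results, allowed_macs, preferred_pan_id=None):
        # scan_results: {channel: [PAN IDs heard on that channel]} (constructed input)
        self.p = params
        self.channel = min(scan_results, key=lambda ch: len(scan_results[ch]))
        in_use = set(scan_results[self.channel])
        if preferred_pan_id is None or preferred_pan_id in in_use:
            preferred_pan_id = next(x for x in range(0x0001, 0x3FFF) if x not in in_use)
        self.pan_id = preferred_pan_id
        self.allowed = set(allowed_macs)   # devices the Trust Center will admit
        self.permit_join_until = -1        # join window closed until permit_join()
        self.nodes = {0x0000: Node(0x0000, 0, True)}

    def permit_join(self, now, seconds):
        """Open the join window for a bounded time (e.g. after a button press)."""
        self.permit_join_until = now + seconds

    def handle_join(self, now, parent_addr, mac, wants_router):
        """Return (True, short_address) on accept, (False, reason) on reject."""
        parent = self.nodes.get(parent_addr)
        if parent is None or not parent.is_router:
            return False, "no such parent"
        if now > self.permit_join_until:
            return False, "join window closed"
        if mac not in self.allowed:
            return False, "device not permitted"
        addr = parent.next_child_addr(self.p, wants_router)
        if addr is None:
            return False, "no address space at this parent"
        if wants_router:
            parent.routers += 1
        else:
            parent.end_devices += 1
        self.nodes[addr] = Node(addr, parent.depth + 1, wants_router)
        return True, addr


def fill_tree(params):
    """Attach the maximum children everywhere; returns every address allocated.
    A correct scheme gives unique addresses filling 1 + Rm*Cskip(0) + (Cm-Rm) slots."""
    root = Node(0x0000, 0, True)
    addrs, todo = [root.addr], [root]
    while todo:
        parent = todo.pop()
        kinds = [True] * params.max_routers + [False] * (params.max_children - params.max_routers)
        for is_router in kinds:
            addr = parent.next_child_addr(params, is_router)
            if addr is None:
                break
            if is_router:
                parent.routers += 1
            else:
                parent.end_devices += 1
            addrs.append(addr)
            if is_router:
                todo.append(Node(addr, parent.depth + 1, True))
    return sorted(addrs)


if __name__ == "__main__":
    p = NetworkParams(max_children=6, max_routers=4, max_depth=3)
    print("Cskip per depth:", [p.cskip(d) for d in range(4)], "tree size:", len(fill_tree(p)))
    scan = {11: [0x1A2B], 15: [0x1A2B, 0x0C0D], 20: [0x1A2B, 0x0C0D, 0x0E0F]}
    c = Coordinator(p, scan, allowed_macs={"00:12:4B:00:00:01", "00:12:4B:00:00:02"},
                    preferred_pan_id=0x1A2B)
    print("channel", c.channel, "PAN ID", hex(c.pan_id))
    print(c.handle_join(0, 0x0000, "00:12:4B:00:00:01", True))    # window still closed
    c.permit_join(now=0, seconds=60)
    print(c.handle_join(5, 0x0000, "00:12:4B:00:00:01", True))    # Router gets address 1
    print(c.handle_join(6, 0x0001, "00:12:4B:00:00:02", False))   # End Device under it: 30
```

With Cm=6, Rm=4 and Lm=3 the block sizes are 31, 7 and 1 per depth, the Co-ordinator's
Router children sit at 1, 32, 63 and 94, its End Devices at 125 and 126, and a fully
populated tree uses exactly the 127 addresses 0 to 126 with no overlap. The join path shows
the three checks the text lists; the permit-join window and the allowed-device list are the
only things standing between an arbitrary radio in range and a short address on the network.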
Message Propagation: The way that a message propagates through a ZigBee network
depends on the network topology. However, in all topologies, the message usually needs to
pass through one or more intermediate nodes before reaching its final destination. The
message therefore contains two destination addresses:
Address of the final destination
Address of the node which is the next hop
The way these addresses are used in message propagation depends on the network
topology, as follows:
Star Topology: All messages are routed via the Co-ordinator. Both addresses are
needed and the next hop address is that of the Co-ordinator.
Tree Topology: A message is routed up the tree until it reaches a node that can
route it back down the tree to the destination node. Both addresses are needed and
the initial next hop address is that of the parent of the sending node. The parent
node then resends the message to the next relevant node - if this is the target node
itself, the final destination address is used. The last step is then repeated and
message propagation continues in this way until the target node is reached.
Mesh Topology: In this case, the propagation path depends on whether the target
node is in range:
o If the target node is in range, only the final destination address is used.
o If the target node is not in range, the initial next hop address is that of the
first node in the route to the final destination. The message propagation
continues in this way until the target node is reached.
Route Discovery: The ZigBee stack network layer supports a route discovery facility in
which a mesh network can be requested to find the best available route to the destination,
when sending a message. Route discovery is initiated when requested by a data
transmission request.
Route Discovery Options There are three options related to route discovery for a mesh
network (the required option being indicated in the message):
SUPPRESS route discovery: The message is routed along the tree.
ENABLE route discovery: The message is routed along an already discovered mesh
route, if one exists, otherwise the Router initiates a route discovery. Once this is
complete, the message will be sent along the calculated route. If the Router does not
have the capacity to store the new route, it will direct the message along the tree.
FORCE route discovery: If the Router has the route capacity, it will initiate a route
discovery, even if a known route already exists. Once this is complete, the message
will be sent along the calculated route. If the Router does not have the route
capacity, it will route the message along the tree. Use of this option should be
restricted, as it generates a lot of network traffic.
Route Discovery Mechanism: The mechanism for route discovery between two End
Devices involves the following steps:
A route discovery broadcast is sent by the parent Router of the source End Device.
This broadcast contains the network address of the destination End Device.
All Routers eventually receive the broadcast, one of which is the parent of the
destination End Device.
The parent Router of the destination node sends back a reply addressed to the parent
Router of the source.
As the reply travels back through the network, the hop count and a signal quality
measure for each hop are recorded. Each Router in the path can build a routing table
entry containing the best path to the destination End Device.
Eventually, each Router in the path will have a routing table entry and the route
from source to destination End Device is established. Note that the corresponding
route from destination to source is not known; the route discovered is
The choice of best path is usually the one with the least number of hops, although if a hop
on the most direct route has a poor signal quality (and hence a greater chance that retries
will be needed), a route with more hops may be chosen.
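The route discovery mechanism and the best-path choice above, simulated in Python as an
added example that is not part of the lecture notes. The mesh topology, the Router names and
the per-link costs (1 for a good link up to 7 for a poor one, in the spirit of ZigBee's
LQI-derived link cost) are constructed assumptions; the flooding and reverse-path reply
follow the steps the text describes, and the example also shows, as a contrast the text only
states, the route a pure hop-count metric would pick.

```python
"""Added example, not part of the lecture notes: ZigBee-style route discovery
simulated over a constructed mesh of Routers. A route request floods outward;
each Router keeps the cheapest request seen so far and rebroadcasts it; the
destination's parent replies along the recorded reverse path, and every Router
on that path installs a forward next-hop entry. Node names and link costs
(1 = good link, 7 = poor link) are constructed assumptions."""
from collections import deque

# Constructed mesh: undirected links between Routers and their link cost.
# R1 is the parent of the source End Device, R4 the parent of the destination.
LINKS = {
    ("R1", "R2"): 1, ("R2", "R4"): 7,                   # 2 hops, one poor link
    ("R1", "R3"): 1, ("R3", "R5"): 1, ("R5", "R4"): 1,  # 3 hops, all good links
    ("R2", "R3"): 2,
}


def neighbours(links):
    """Adjacency map {router: {neighbour: link_cost}} built from the link list."""
    nbr = {}
    for (a, b), cost in links.items():
        nbr.setdefault(a, {})[b] = cost
        nbr.setdefault(b, {})[a] = cost
    return nbr


def hop_count_route(links, src, dst):
    """The route a pure hop-count metric would pick (breadth-first search)."""
    nbr = neighbours(links)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in nbr.get(node, {}):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path = [dst]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]


def discover_route(links, src, dst):
    """Flood a route request from src; return (path, path_cost, routing_tables).

    `best[node]` is the route discovery table entry: the cheapest accumulated cost
    seen for this request and the neighbour it arrived from. A Router rebroadcasts
    only when a request improves on its entry, so with positive costs the flood
    terminates and converges on the minimum-cost path."""
    nbr = neighbours(links)
    best, queue = {src: (0, None)}, deque([src])
    while queue:
        node = queue.popleft()
        cost_here = best[node][0]
        for nxt, link_cost in nbr.get(node, {}).items():
            cand = cost_here + link_cost
            if nxt not in best or cand < best[nxt][0]:
                best[nxt] = (cand, node)
                queue.append(nxt)
    if dst not in best:
        return None, None, {}
    # Route reply: walk back along the recorded senders. Each Router on the way
    # installs a forward entry (dst -> next hop); nothing is installed for the
    # reverse direction, so dst -> src needs its own discovery.
    path = [dst]
    while best[path[-1]][1] is not None:
        path.append(best[path[-1]][1])
    path.reverse()
    tables = {path[i]: {dst: path[i + 1]} for i in range(len(path) - 1)}
    return path, best[dst][0], tables


if __name__ == "__main__":
    print("hop-count route:", hop_count_route(LINKS, "R1", "R4"))
    path, cost, tables = discover_route(LINKS, "R1", "R4")
    print("discovered route:", path, "cost", cost)
    for router, entry in tables.items():
        print(f"  {router} routing table: {entry}")
```

On this mesh the two-hop route R1, R2, R4 costs 8 because of the poor R2 to R4 link, so
discovery settles on the three-hop route R1, R3, R5, R4 at cost 3, and only R1, R3 and R5
end up with an entry for R4; R4 learns nothing about the way back.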
Device and Service Discovery: The ZigBee specification provides the facility for devices to
find out information about other nodes in a network, such as their addresses, which types of
applications are running on them, their power source and sleep behaviour. This information
is stored in descriptors on each node, and is used by the enquiring node to tailor its
behaviour to the requirements of the network. Discovery is typically used when a node is
being introduced into a user-configured network, such as a domestic security or lighting
control system. Once the device has joined the network, its integration into the network
may require the user to start the integration process by pressing a button or similar. The
first task is to find out if there are any other devices that it can talk to. For example, a
device implementing the switch conforming to the HCL profile tries to find devices
containing HCL load controllers to which it could potentially send its switch state
information (the process of associating the switch with a particular load controller is
handled by the binding process).
There are two types of discovery, Device and Service Discovery:
Device Discovery: Device Discovery involves interrogating a remote node for address
information. The retrieved information can be either:
the MAC (IEEE) address of the node with a given network address
the network address of the node with a given MAC address.
If the node being interrogated is a Router or Co-ordinator, it may optionally supply the
addresses of all the devices that are associated with it, as well as its own address. In this
way, it is possible to discover all the devices in a network by requesting this information
from the Co-ordinator and then using the list of addresses corresponding to the children of
the Co-ordinator to launch queries about their child nodes.
Service Discovery: Service discovery involves interrogating a remote node for information
about its capabilities. This information is stored in a number of descriptors on the remote
node, and includes:
The device type and capabilities of the node (Node Descriptor)
The power characteristics of the node (Node Power Descriptor)
Information about each application running on the node (Simple Descriptor)
Requests for these descriptors are made by a device during its configuration and integration
into a ZigBee network.
ZigBee protocols are intended for embedded applications requiring low data rates and low
power consumption. The resulting network will use very small amounts of power;
individual devices must have a battery life of at least two years to pass ZigBee
Typical application areas include:
Home entertainment and control: home automation, smart lighting, advanced
temperature control, safety and security, movies and music
Wireless sensor networks: starting with individual sensors like TelosB/Tmote and
Iris from Memsic
Industrial control
Embedded sensing
Medical data collection
Smoke and intruder warning
Building automation
Device types
ZigBee devices are of three types:
ZigBee Co-ordinator (ZC): The most capable device, the Co-ordinator forms the
root of the network tree and might bridge to other networks. There is exactly one
ZigBee Co-ordinator in each network since it is the device that started the network
originally (the ZigBee Light Link specification also allows operation without a
ZigBee Co-ordinator, making it more usable for off-the-shelf home products). It
stores information about the network, including acting as the Trust Center and
repository for security keys, so it is the node whose compromise exposes the whole
network's keys.
ZigBee Router (ZR): As well as running an application function, a Router can act as
an intermediate router, passing on data from other devices.
ZigBee End Device (ZED): Contains just enough functionality to talk to the parent
node (either the Co-ordinator or a Router); it cannot relay data from other devices.
This relationship allows the node to be asleep a significant amount of the time,
thereby giving long battery life.