Lessons learned from the first generation WLAN switch

by Bryan Wargo

I was listening to a presentation on the evolution of the WLAN architecture. Most of these presentations begin with the advent of the “fat” (autonomous) AP and then transition to the newer “thin” (controller-based) architectures. Some are now talking of a third generation, which speaks to a hybrid AP architecture where the AP can be “fit”. By far the biggest change between the 1st and 2nd generation is the use of a controller (or wireless switch). This was initially pitched by the likes of Airespace, Aruba and Trapeze as the “end all, be all” way to centrally manage a wireless LAN. What I find very interesting is that the 1st generation WLAN deployed at the enterprise actually used a controller. Yes, it got very little press, but nonetheless they did use a controller.

Let me explain. When most corporations began deploying WiFi back in 2002, the only real security option built into the access points was WEP-based encryption. WEP was easily hacked and made all kinds of press early on. Plus, WEP took care (sort of) of over-the-air encryption but didn’t really protect an enterprise from unauthorized users. So enterprises began using their existing infrastructure to secure the WLAN - those existing VPN servers. They created VLANs for the wireless APs that were basically unprotected - pretty much a DMZ. Wireless users could associate to the APs, but the only place they could get to was the VPN server. A wireless user would then pull open their VPN client, authenticate, and then be routed back into the corporate network. Enterprises treated wireless users as if they were remote. I thought that this was a great solution using existing infrastructure, plus the enterprise got authentication and real encryption for their WLAN.
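What that first-generation “wireless DMZ” looks like as an access list, written as an added example (not from the post or from any vendor’s documentation): an IOS-style extended ACL on the wireless VLAN that lets clients get an address, resolve the VPN hostname and bring up an IPsec tunnel to the concentrator, and drops and logs everything else. All addresses, the VLAN number and the assumption of an IPsec (rather than SSL) VPN are constructed for the example.

```cisco
! Added example, not from the original post. Constructed addresses:
!   192.0.2.0/24    wireless client VLAN (WEP or open, treated as untrusted)
!   198.51.100.10   VPN concentrator, the only corporate host clients may reach
!   198.51.100.53   DNS resolver placed in the DMZ so clients can find the concentrator
ip access-list extended WLAN-DMZ-IN
 remark Clients need an address before they have one: DHCP discover/request
 permit udp any eq bootpc any eq bootps
 remark Name resolution, restricted to the DMZ resolver only
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq domain
 remark IPsec to the concentrator: IKE (500), NAT-T (4500) and ESP, nothing else
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq isakmp
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq non500-isakmp
 permit esp 192.0.2.0 0.0.0.255 host 198.51.100.10
 remark Any other destination (corporate subnets, Internet) is dropped and logged
 deny ip any any log
!
interface Vlan20
 description Wireless DMZ (first-generation VPN-overlay design)
 ip address 192.0.2.1 255.255.255.0
 ip access-group WLAN-DMZ-IN in
```

The ACL only governs traffic leaving the VLAN through the router; clients on the same wireless VLAN can still reach each other at layer 2, so the AP’s client-isolation setting has to do that job. The `deny ... log` line is what makes the design observable: hits on it are wireless clients trying to go somewhere other than the VPN server.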

The major downside to all this is two-fold: first, the VPN infrastructure wasn’t robust enough and second, the packet flow was sub-optimal. Most corporations built out remote access via VPN to support maybe 5% of their user population. VPN concentrators can be pretty expensive and a bit difficult to support. Once wireless users began using this infrastructure, usage went through the roof. Corporations found themselves having to invest even more money in VPN servers as wireless users doubled and even tripled their previous pure remote-access usage. The network access path for wireless users was also kind of strange. You basically took a user sitting within the corporate walls, forced them outside of the corporate network, put them on the internet, then forced them back into the corporation and finally to their local network. Not the most obvious or efficient flow.

So what did the industry learn from all this? First, an enterprise security solution had to have authentication and strong encryption (now we have 802.11i). Second, having a separate data plane (VLAN) for wireless was OK as long as it didn’t become too circuitous. The second generation WLAN vendors took this to heart and offered controllers that would be deployed on local subnets. They started out by offering layer 2 solutions but eventually moved to layer 3 as customers wanted to leverage their existing open switch ports.

Now we are left with two camps: those that offer some form of “unified” architecture and those that are “overlay” solutions. Unified solutions promise to integrate wired and wireless functionality - basically to add controller-like functionality into existing switches and routers. Cisco and HP ProCurve are the leading vendors here. The overlay vendors say that wireless still needs to be kept separate and re-routed onto the LAN once users have been approved (Aruba). Sitting in the middle, in a more hybrid architecture, are companies like Trapeze (they OEM to Nortel, 3Com and Enterasys) that say that authentication and configuration information should be communicated back to a controller (overlay) but data traffic should be put directly onto the LAN. I can see this last approach showing a lot of merit as it leverages the second rule we learned from the VPN solutions.

I also see a lot of merit in the unified approach once these vendors truly integrate the WLAN controller functions into their switch and router software. Today all of these solutions take the form factor of a controller (most controllers today are just PCs) and shove it into a blade or card that goes into an existing wired switch or router. The only thing that is integrated is that these functions sit in the same box. Truly unified WLAN solutions will encompass a switch or router that does not care if you are wired or wireless, and if you are wireless they will have the intelligence to authenticate and encrypt your traffic while you traverse the network in a direct manner.
