
The safest solution to centralized WLAN traffic in a controller-less architecture: Guest Traffic Tunneling Services

Jul. 25, 2023

What are the benefits of centralized traffic?

The OmniAccess Stellar WLAN architecture is distributed and controller-less. This presents multiple advantages from both performance and cost points of view. However, there are specific use cases where it would be beneficial to have traffic concentrated in a central choke point:

  • Guest Traffic: Guest user traffic should be completely isolated from corporate traffic for security reasons. This can be achieved by tunnelling guest traffic from the Access Points to a DMZ, so that the two kinds of traffic cannot mix at any point and network integrity is preserved.
  • Security Policy: security services such as IPS must be deployed in-line with the traffic. Wireless traffic can be tunnelled so that it can be scrubbed and security policies applied.
  • Migration: When migrating from a controller-based architecture to a distributed one, it may be undesirable to deploy additional VLANs at the edge. By tunnelling wireless traffic to a central location, no additional VLANs are required at the edge, and any VLAN configuration is done only at the central location.

Centralize traffic with Stellar Guest Traffic Tunneling Services

OmniAccess Stellar and OmniSwitch “Guest Traffic Tunneling Services” (GTTS) allow flexible tunnelling of wireless user traffic from the Access Point to one or more OmniSwitch tunnel termination endpoints. Although this functionality was originally conceived for Guest traffic, it can be applied to the other two use cases mentioned above.

Moreover, GTTS is applicable in multi-tenant scenarios in which traffic from multiple different customers concentrates on the same GTTS termination endpoint(s) whilst still preserving logical isolation between the customers.

GTTS uses L2 GRE Tunneling protocol

GTTS is based on the L2 GRE Tunneling protocol. Layer 2 Generic Routing Encapsulation (L2 GRE) tunneling is a mechanism used to identify and isolate device traffic from the rest of the internal network traffic. The implementation of L2 GRE tunneling works as follows:

  • L2 GRE tunnelling provides a Layer 2 overlay network that is used to tunnel encapsulated traffic over an IP network between two L2 GRE tunnel endpoints. One endpoint is the Access Point, the other is a network switch acting as a Tunnel Aggregation Switch.
  • L2 GRE is implemented as a service and can also be associated with a UNP (Universal Network Profile) profile.

The user traffic is tunneled directly after the SSID association. This means that access points can broadcast both isolated and corporate SSIDs at the same time, without the need to deploy another cluster of APs dedicated to isolated traffic.
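To make the encapsulation concrete, here is an added example (not ALE's code, and not how an OmniAccess Stellar AP or OmniSwitch implements the feature internally) of what an L2 GRE tunnel carries on the wire: the AP side wraps the client's whole Ethernet frame, 802.1Q tag included, in a GRE header whose protocol type is 0x6558 (Transparent Ethernet Bridging, the standard way to carry Ethernet over GRE) inside an outer IPv4 packet with protocol number 47; the aggregation side validates the outer headers, strips them and recovers the inner frame and its VLAN. The whitelist of registered AP addresses on the decapsulating side is an illustrative policy of this example, not a documented OmniSwitch behaviour, and the MAC addresses and IP addresses are constructed sample values.

```python
"""Minimal L2 GRE (Transparent Ethernet Bridging) encapsulation and decapsulation.

Added illustration of the GTTS data path; not vendor code.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Set

IP_PROTO_GRE = 47          # outer IPv4 protocol number for GRE
GRE_PROTO_TEB = 0x6558     # GRE protocol type: the payload is a whole Ethernet frame
ETHERTYPE_VLAN = 0x8100    # 802.1Q tag


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (0 when verifying a valid one)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_vlan_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int,
                     ethertype: int, payload: bytes) -> bytes:
    """Build an 802.1Q-tagged Ethernet frame, i.e. the frame the AP would tunnel."""
    tci = vlan_id & 0x0FFF          # priority 0, DEI 0
    return dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def encapsulate(inner_frame: bytes, ap_ip: str, switch_ip: str) -> bytes:
    """AP side: wrap a raw Ethernet frame in GRE (TEB) inside an outer IPv4 header."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)   # flags = 0 (no checksum/key/sequence), version 0
    payload = gre + inner_frame
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s",
                                0x45, 0, 20 + len(payload), 0, 0x4000,   # v4, IHL=5, DF set
                                64, IP_PROTO_GRE, 0,                      # TTL, proto, csum placeholder
                                ip_to_bytes(ap_ip), ip_to_bytes(switch_ip)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


@dataclass
class DecapResult:
    ap_ip: str                 # outer source, i.e. the tunnel endpoint that sent the frame
    inner_frame: bytes         # the client's original Ethernet frame
    vlan_id: Optional[int]     # 802.1Q VLAN of the inner frame, if tagged


def decapsulate(packet: bytes, allowed_aps: Set[str]) -> DecapResult:
    """Aggregation-switch side: validate outer headers, strip IP + GRE, return the inner frame."""
    if len(packet) < 24:
        raise ValueError("packet too short for IPv4 + GRE")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    ap_ip = bytes_to_ip(packet[12:16])
    # Assumed policy for this example: only accept tunnels from registered AP endpoints,
    # so a stray GRE packet from elsewhere on the network is never bridged into the guest VLAN.
    if ap_ip not in allowed_aps:
        raise ValueError(f"GRE from unregistered endpoint {ap_ip}")
    flags, proto = struct.unpack_from("!HH", packet, ihl)
    if flags & 0x0007:                       # GRE version must be 0
        raise ValueError("unsupported GRE version")
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not an Ethernet frame")
    # Optional checksum (C, bit 15), key (K, bit 13) and sequence (S, bit 12) fields each add 4 bytes.
    gre_len = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
    inner = packet[ihl + gre_len:]
    if len(inner) < 14:
        raise ValueError("inner frame too short")
    vlan_id = None
    if struct.unpack_from("!H", inner, 12)[0] == ETHERTYPE_VLAN:
        vlan_id = struct.unpack_from("!H", inner, 14)[0] & 0x0FFF
    return DecapResult(ap_ip, inner, vlan_id)


if __name__ == "__main__":
    # Constructed sample: a guest client's broadcast frame on VLAN 100, tunnelled from AP 10.1.1.10
    # to the aggregation switch 10.1.1.1.
    frame = build_vlan_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 100, 0x0800, b"\x45" + b"\x00" * 19)
    packet = encapsulate(frame, "10.1.1.10", "10.1.1.1")
    result = decapsulate(packet, {"10.1.1.10"})
    print(f"from AP {result.ap_ip}, inner VLAN {result.vlan_id}, {len(result.inner_frame)} byte frame")
```

The point for a defender is visible in `decapsulate`: the aggregation switch sees only the outer IP header and the GRE protocol type, so the guest frame never touches the corporate VLANs at the edge, and whatever the termination endpoint decides to do with the inner frame (bridge it into the guest VLAN, hand it to an IPS) happens at the choke point. Note also that plain GRE provides no confidentiality or authentication of its own; the isolation the article describes is logical separation, and the transport network between APs and the aggregation switch should be treated as trusted or protected accordingly.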

An L2 GRE tunnel is defined by configuring an L2 GRE end point on an Access Point and an L2 GRE end point on a tunnel aggregation switch. Here is the list of the switches that can act as a tunnel aggregation switch:

[Image: table of the OmniSwitch models that can act as a tunnel aggregation switch; not reproduced in this extract.]

Takeaways

To conclude, here are three key points to remember:

  • GTTS is mainly designed to isolate Guest traffic from sensitive traffic, but it can be used in other scenarios where centralizing traffic brings additional benefits.
  • It is based on the L2 GRE tunneling protocol and works by establishing a tunnel between two tunnel endpoints: one AP and one switch.
  • The entire family of ALE OmniAccess Stellar Access Points supports GTTS. If you own any ALE core switch, you can easily deploy a GTTS architecture without any additional cost or license.

If you are interested in what you just read, we strongly advise you to continue with the GTTS Application Note. This document describes the configuration of the GTTS functionality and its different redundancy mechanisms through specific use cases, and provides configuration examples and design guidelines.
