Connect802 is a nationwide wireless network equipment reseller providing system design consulting, equipment configuration, and installation services.


CSS Mega Menu



Centralized Wireless LAN Management

EZ Suite Control functionality provides centralized control and management of your 802.11 Wi-Fi wireless LAN through an intuitive web-based user interface. WLAN 802.11 system management and control is performed uniformly for all the managed 802.11 Wi-Fi access points throughout the overall managed wireless network system.


Characteristics Defined During Connect EZ Suite Control Discussions

"Lifecycle Management" Systems

The lifecycle of a Wi-Fi wireless LAN proceeds from initial configuration and installation to software upgrades and on-going configuration changes. During the lifecycle there may be equipment failures that need the immediate attention of the support staff. When a wireless LAN implements "lifecycle management" the centralized wireless network appliance or software provides support for centralized configuration, firmware updates, and alarm/alert processing. Simple "lifecycle management" controllers don't enforce rules and policies on the wireless LAN users - they manage configuration and status of the network.

"Client-Aware" Systems

When the functionality of a centralized wireless network controller extends to the activities of the user it is referred to as a "client aware" controller. Being "aware" doesn't imply a high degree of control over the user's activities; simply a degree of ability, on the part of the controller, to interact with and report the behavior of wireless network users. For example, a "client-aware" controller may provide a captive portal, access control user login web gateway or may offer RADIUS authentication services. It may also provide reporting and threshold alarms for user activity. A "client-aware" controller may provide Access Control Lists (ACLs) to implement static packet filtering. This functionality examines a network data packet based on information in the packet header (like MAC address, IP address, VLAN ID). "Client-aware" functionality stops at the point where a full, session-oriented, stateful packet inspection firewall functionality is required to enforce specific access rights for individual users and groups.

"Stateful Firewall" Systems

At the top of the hierarchy of centralized wireless LAN switch controller functionality is the full, stateful firewall. Stateful packet inspection (also referred to as dynamic packet filtering) tracks each connection to make sure it's valid. A stateful inspection firewall also monitors the state of each connection and creates a state table on which packet filtering decisions can be made on the context that has been established by prior packets that have been seen. A stateful firewall identifies the start, middle and end of an individual data stream and understands the expected behavior during each part of the data exchange. This prevents a number of sophisticated hacking attempts where an intruder attempts to forge their identity and insert themselves into an otherwise valid connection. For example, a stateful firewall can detect that a hacker has spoofed the IP address of an authorized user who is already logged in. When the hacker tries to create a connection using the authorized user's credentials they are blocked.

Access Point Type

  • "FAT (Local) Access Point" - The AP has all 802.11 and user management functions (RADIUS, ACLs, etc). built in and the central LAN controller is strictly used for lifecycle management. User traffic goes from the wireless network to the Ethernet where the access point is connected (as opposed to being forced back to a central controller for inspection).
  • "Thin Access Point" - The AP performs 802.11 authentication and encryption but user management (ACLs or firewall support) is provided through a centralized wireless LAN switch. Often, thin access points are hardwired back to a Layer 2 switch to create a port-based VLAN for management. User traffic is contained in the wireless network VLAN. Multiple SSIDs could be created so an untagged VLAN allowed traffic to go to the local Ethernet directly from the AP while other traffic was bounded by a VLAN that forced inspection through the central wireless LAN controller.
  • "Hybrid Access Point" - The AP can be configured with multiple SSIDs such that one SSID operates as if the AP were "FAT" while another operates as if the AP were "thin."
  • "Radio Head" or "Ultra-Thin Access Point"- The "access point" on the wall is actually only the radio transceiver unit associated with a typical access point. All traffic to and from the wireless LAN is passed through the "radio head" and simply converted from 802.11 wireless to 802.3 Ethernet. The traffic is always passed between the radio head and the wireless LAN controller. This is done using a tunneling protocol like Generic Routing Encapsulation (GRE). All 802.11 management and control, user authentication, and all encryption and decryption are performed in the wireless LAN switch. Advanced firewall features can also be integrated into the wireless LAN switch since all wireless traffic will always pass through the switch before being visible or active on the wired Ethernet.
  • "Remote Access Point" - A "remote AP" is a self-contained access point and autonomous routing device that creates a tunneled connection to a controller through the public Internet. It allows a remote user (at home, in a hotel, or at a field office) to have the same user experience, permissions and restrictions, and view of the corporate network that they would have had if they were at the actual company site.

Important Considerations For Your Suite Control Capabilities

The Connect802 sales and engineering team will want to understand your requirements for data encryption and user authentication. The following encryption and authentication questions should be considered.

Are there more than ten access points in the system? If so, the convenience of even a simple centralized configuration management appliance may provide significant value apart from other, more sophisticated, centralized Wi-Fi wireless LAN control and management functions.
Does the natural overall topology of the proposed network bring all traffic back to a central location? If the network is designed as a spoke-and-wheel (with, for example, the data center or Internet connection being at a single, central point) then user traffic will be required to route to that central location apart from any central wireless LAN control. If this is the case then there are no concerns for traffic flow relative to deploying a centralized WLAN management appliance or controller.
Are there requirements related to multiple SSIDs (network names) advertised across the wireless LAN with each SSID being mapped to a VLAN that is trunked from the controller to an existing VLAN switch? If VLANs are used in the existing network and they need to be extended to wireless users then VLAN trunking will be a Connect EZ Suite Control feature that's critical to success.