By Nathaniel Moore, Aerohive Networks.
For many years, Multi-Dwelling Unit (MDU) environments have struggled to effectively manage and secure their network. A fundamental requirement of an MDU (student accommodation, hotels, assisted living facilities etc.) is to provide a secure, isolated network environment for each user and their associated room.
The traditional approach has been to provide each room with a unique SSID (Service Set Identifier or ‘wireless network name’) and VLAN (Virtual Local Area Network). Ever been to one of those fancy hotels where each room has its own SSID, usually broadcast via the TV? Pretty cool, right? Unfortunately, this design results in substantial overhead, ultimately degrading network performance and user experience.
What kind of overhead am I talking about? Every SSID you broadcast (even on the same AP) is beaconed separately: by default roughly ten times a second per radio, at the lowest basic rate, plus a probe response per SSID for every client that scans. Those management frames consume airtime that could otherwise carry data. Guess what happens in an MDU environment where every room has its own SSID? It’s bad. If you want to know exactly how bad, this SSID overhead calculator is a great tool.
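To put a number on that overhead, here is an added example (my own code, not the calculator the post links to) that estimates how much airtime beacons alone take on one radio as the SSID count grows. It assumes 802.11 OFDM timing at the 6 Mbps basic rate for 5 GHz, DSSS long-preamble timing at 1 Mbps for 2.4 GHz, a 250-byte beacon, the default 100 TU beacon interval, and charges one DIFS per beacon; probe responses and contention backoff are left out, so the real overhead is higher.

```python
import math

TU_US = 1024  # one 802.11 time unit (TU) in microseconds


def ofdm_frame_airtime_us(frame_bytes: int, rate_mbps: float) -> int:
    """Airtime of one 802.11a/g OFDM frame at a legacy rate (6..54 Mbps).

    PHY layout: 16 us preamble + 4 us SIGNAL field, then 4 us data symbols.
    Each symbol carries rate_mbps * 4 data bits; the PSDU is padded to a
    whole number of symbols after adding the 16-bit SERVICE and 6 tail bits.
    """
    data_bits_per_symbol = int(rate_mbps * 4)
    bits = 16 + 8 * frame_bytes + 6
    symbols = math.ceil(bits / data_bits_per_symbol)
    return 20 + 4 * symbols


def dsss_frame_airtime_us(frame_bytes: int, rate_mbps: float) -> float:
    """Airtime of one 802.11b DSSS frame with the long preamble (1 or 2 Mbps).

    PHY layout: 144 us preamble + 48 us PLCP header = 192 us, then the PSDU
    at the given rate. Beacons in a mixed 2.4 GHz cell go out this way.
    """
    return 192 + (8 * frame_bytes) / rate_mbps


def beacon_overhead_pct(num_ssids: int, beacon_bytes: int = 250,
                        beacon_interval_tu: int = 100, band: str = "5ghz") -> float:
    """Percentage of one radio's airtime spent on beacons for num_ssids SSIDs.

    Assumptions (not from the post): beacons are sent at the lowest basic
    rate, one DIFS precedes each beacon (34 us OFDM, 50 us DSSS), and
    every SSID is beaconed independently on the same radio.
    """
    if band == "5ghz":
        per_beacon_us = ofdm_frame_airtime_us(beacon_bytes, 6) + 34
    elif band == "2.4ghz":
        per_beacon_us = dsss_frame_airtime_us(beacon_bytes, 1) + 50
    else:
        raise ValueError("band must be '5ghz' or '2.4ghz'")
    interval_us = beacon_interval_tu * TU_US
    return 100.0 * num_ssids * per_beacon_us / interval_us


def overhead_table(ssid_counts=(1, 4, 8, 16, 32, 64)):
    """Overhead for each SSID count on both bands, as (n, pct_5ghz, pct_2_4ghz)."""
    return [(n, round(beacon_overhead_pct(n, band="5ghz"), 2),
             round(beacon_overhead_pct(n, band="2.4ghz"), 2)) for n in ssid_counts]


if __name__ == "__main__":
    # A 64-room floor with one SSID per room, all on the same radio:
    # beacons alone eat roughly a quarter of 5 GHz airtime and more than
    # all of it at 2.4 GHz, i.e. the cell cannot even keep up with beaconing.
    print(f"{'SSIDs':>5} {'5 GHz %':>8} {'2.4 GHz %':>10}")
    for n, pct5, pct24 in overhead_table():
        print(f"{n:>5} {pct5:>8.2f} {pct24:>10.2f}")
```

The 2.4 GHz column is why "one SSID per room" collapses so quickly: every extra SSID costs about 2% of a 2.4 GHz radio's time before a single client sends anything, and the usual advice of "no more than three or four SSIDs per radio" falls out of this directly.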
Adding yet more overhead and configuration complexity, these environments typically run a unique VLAN for each room. Now you’ve got a huge amount of tagged traffic traversing your network, and every switch port along the way has to be configured correctly. Make a mistake anywhere and it’s like finding a needle in a haystack. On top of that, VLANs are a finite resource (802.1Q gives you 4094 usable IDs): do you really want to consume them on a room-by-room basis?
There’s another problem with this design (this blog is not all negative, I promise). Ok, so imagine you have connected to the SSID on that TV. What happens when you walk down to the restaurant or the lobby? Say bye-bye to the Wi-Fi! It only works in that room! Roaming is so yesterday, who needs it anyway?
Joking aside, what is the solution? How do we deliver effective network separation on a room-by-room basis without creating unnecessary overhead and breaking roaming?
Enter Private Client Groups (PCG), the world’s first Room Area Network (RAN) technology.
Private Client Groups provides secure, isolated, per-room networks while operating across a single SSID and VLAN (say goodbye to that overhead!). Network containerization is delivered with micro-location-based PPSKs (Private Pre-Shared Keys), providing per-client AES (WPA2) encryption over the air, device-agnostic authentication and granular identity-driven security. To address mobility, cross-AP roaming is achieved with no drop in client connectivity, thanks to intelligent hand-off mechanisms and GRE (Generic Routing Encapsulation)-based roaming.
Wait, what happens when roaming to another AP? If the user associates to an AP that has the same SSID and VLAN but doesn’t belong to their room, surely they can access that Room Area Network? Actually, this is where the technology shines…
An AP recognizes ‘trusted’ users via their PPSK. If the PPSK is associated with that RAN, the client gets unfiltered access. If the PPSK belongs to another RAN, the AP still accepts the association (roaming does not break), but a dynamic firewall protects the local RAN so the client cannot reach anything in it. Instead, the AP establishes a dynamic GRE tunnel back to the RAN the client belongs to. The client can now access its own RAN without issue, while the ‘foreign’ RAN remains inaccessible. This all happens really fast by the way, with no drop in connection. One thing worth noting: because every room shares the same VLAN, the isolation is enforced by that per-RAN policy on the AP rather than by Layer 2 segmentation, so it is the control to verify (on every AP) when you audit a deployment like this.
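The three decisions just described (trusted PPSK gets local access, a foreign PPSK is walled off from the local RAN, and the foreign client's traffic is carried home over GRE) are easier to reason about as code. The following is an added toy model, written for this page and not Aerohive's implementation: the AP, client table, firewall rules and the GRE encapsulation below are all my assumptions. The GRE header is the minimal RFC 2784 form with the Transparent Ethernet Bridging protocol type (0x6558) so that whole Ethernet frames can ride inside it; the real tunnel format, keying and hand-off signalling are not documented on this page.

```python
import struct
from dataclasses import dataclass

# GRE protocol type for Ethernet frames inside GRE (Transparent Ethernet
# Bridging). Assumption for this model: the page does not describe the
# actual tunnel format used by the product.
GRE_PROTO_TEB = 0x6558


@dataclass
class Frame:
    """Minimal Ethernet frame as seen by the AP's bridge."""
    src_mac: str
    dst_mac: str
    ethertype: int = 0x0800
    payload: bytes = b""


def gre_encapsulate(frame: Frame) -> bytes:
    """Wrap an Ethernet frame in a 4-byte RFC 2784 GRE header (no C/K/S bits).

    The outer IP header towards the home AP is left to the IP stack.
    """
    eth = (bytes.fromhex(frame.dst_mac.replace(":", ""))
           + bytes.fromhex(frame.src_mac.replace(":", ""))
           + struct.pack("!H", frame.ethertype)
           + frame.payload)
    return struct.pack("!HH", 0x0000, GRE_PROTO_TEB) + eth


class AccessPoint:
    """Toy model of one AP on the shared SSID/VLAN with per-RAN policy."""

    def __init__(self, name, local_rans, home_ap_for_ran):
        self.name = name
        self.local_rans = set(local_rans)              # rooms this AP is home to
        self.home_ap_for_ran = dict(home_ap_for_ran)   # RAN -> tunnel endpoint
        self.clients = {}                              # MAC -> RAN, learned at auth

    def authenticate(self, mac, ppsk, ppsk_table):
        """The PPSK a client authenticated with is what names its RAN."""
        ran = ppsk_table.get(ppsk)
        if ran is None:
            return False                               # unknown key: rejected
        self.clients[mac] = ran
        return True

    def forward(self, frame):
        """Decide what happens to a frame from an associated client."""
        src_ran = self.clients.get(frame.src_mac)
        if src_ran is None:
            return ("drop", "source not authenticated on this AP")
        dst_ran = self.clients.get(frame.dst_mac)
        if dst_ran is not None and dst_ran != src_ran:
            # Dynamic firewall: clients of different rooms never see each
            # other, even though they share one SSID and VLAN on this radio.
            return ("drop", f"{src_ran} -> {dst_ran} blocked")
        if src_ran in self.local_rans:
            return ("local", src_ran)                  # home AP: plain bridging
        # Roamed client: carry the frame back to its own RAN over GRE.
        endpoint = self.home_ap_for_ran.get(src_ran)
        if endpoint is None:
            return ("drop", f"no tunnel endpoint known for {src_ran}")
        return ("tunnel", endpoint, gre_encapsulate(frame))


def lobby_scenario():
    """Constructed walk-through: a room 101 guest roams onto the lobby AP.

    Keys, MACs and the endpoint address are made up for the example.
    """
    ppsks = {"room101-secret": "RAN-101", "lobby-secret": "RAN-lobby"}
    lobby = AccessPoint("AP-lobby", {"RAN-lobby"}, {"RAN-101": "10.0.0.11"})
    guest, kiosk = "02:00:00:00:01:01", "02:00:00:00:0a:01"
    assert lobby.authenticate(guest, "room101-secret", ppsks)
    assert lobby.authenticate(kiosk, "lobby-secret", ppsks)
    return {
        "bad_key": lobby.authenticate("02:00:00:00:ff:ff", "guess", ppsks),
        "guest_to_kiosk": lobby.forward(Frame(guest, kiosk)),
        "kiosk_to_guest": lobby.forward(Frame(kiosk, guest)),
        "guest_broadcast": lobby.forward(Frame(guest, "ff:ff:ff:ff:ff:ff")),
        "kiosk_local": lobby.forward(Frame(kiosk, "02:00:00:00:0a:02")),
    }


if __name__ == "__main__":
    for name, decision in lobby_scenario().items():
        print(f"{name:16} {decision[0]:7} {decision[1]}")
```

Two details of the model carry the security argument: the RAN membership is bound to the key the client authenticated with, never to an SSID or VLAN it can see, and the drop rule runs before any forwarding decision, so a roamed guest cannot reach the lobby's devices even though they sit on the same VLAN. A shared or leaked PPSK would put a stranger in the wrong RAN just as surely as a wrong VLAN tag does in the old design, which is why the keys themselves are what need protecting.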
What is a Room Area Network? Well, at long last, per-room networks can be created without compromise. A secure network environment based on micro-location with no SSID overhead, no complicated VLAN configuration and roaming that actually works!