This article outlines the different possible topologies to deploy Wi-Fi hotspot in an organization. But first, let's define some interesting terms.
Central Switching/Local Switching
This term is related to the way the Wireless infrastructure will manage the traffic from your guests to internet. Local Switching means that the Wi-Fi Access Point will send the guest traffic to the local LAN/WAN/firewall infrastructure. In Central Switching, the Access Point will send this traffic to a central collection point (usually the wireless controller hosted in data center) in order to be centrally managed (in term of routing and security).
This schema from Cisco explain this clearly:
Captive portal redirection
When a guest user connects to a hotspot service, they are typically required to provide certain information before gaining access to the internet. The most common method is to redirect the guest’s HTTP traffic to a web captive portal hosted by the hotspot solution. This can be achieved either by the wireless infrastructure (a feature commonly referred to as Web Authentication) or by the hotspot solution itself, in which case the solution must be positioned on the path between the guests and the internet.
DHCP, DNS, firewall, web security and other network features
When deploying a hotspot service, the focus is often on the captive portal itself. However, it is important to remember that several network services must be implemented for guests to access the internet.
- DHCP and DNS to connect the network and resolve URL
- Firewall and/or web security to filter Internet access and log the traffic (for analytics and regulatory purpose)
With the technical terms established, the two main deployment topologies can be described. The choice between them depends on the organization’s network configuration. If there is a single internet access point in a central location (such as a data center or headquarters), the hotspot service will most likely be deployed centrally. Conversely, if individual locations have their own internet access, the hotspot deployment will be distributed.
Central hotspot
This topology relies on the Central Switching feature of the wireless infrastructure and all network services available in the central location (DHCP, DNS, security…). All guest users are redirected by the Access Point to the data center and split into multiple VLANs (usually 1 VLAN = 1 captive portal). Then the hotspot solution is connected directly to the data center (wherever it is a appliance or a cloud solution).
Advantages: This topology can be deployed very quickly because all network services are provided by the data center. This eliminates the need to make network changes at remote locations—a significant advantage for some organizations. If an appliance-based hotspot solution is planned, only one (or a few) appliances are required.
Drawbacks: The main limitation is scalability. All guest traffic must travel over the organization’s private network (such as a costly MPLS connection) to the data center and then to the internet, which can create bandwidth and capacity challenges. For example, capacity planning for the central guest subnet can be complex, as every device attempting to connect to the hotspot consumes a DHCP lease—even if it connects only for a few seconds. In large deployments with thousands of sites, this can lead to excessive IP address usage. One observed case involved a Wi-Fi infrastructure where over 2,000 IP addresses were in use, yet only 40 users were authenticated. This issue was largely due to devices automatically checking for internet-enabled Wi-Fi networks.
Distributed hotspot
When using this topology, you will rely on your remote site’s network to deploy the hotspot service. The Wi-Fi access points will switch the traffic locally in a dedicated VLAN and the local infrastructure will connect that VLAN to the hotspot service (whatever it is appliance based or cloud based).
Advantages: This approach is efficient because the path from the guest to the internet is short. It is scalable, as capacity planning is done on a location-by-location basis. It can also be cost-effective if the local internet access is used for other purposes, such as employee web browsing or backup to the main connection.
Drawbacks: Deployment time can be significant, as changes must be applied at each location. This is particularly true for appliance-based hotspots, which require delivery and installation at every site. Monitoring can also be a challenge—since the service is provided locally, central monitoring systems may not be compatible.
Conclusion
Depending on the current network infrastructure, an organization can choose the most suitable topology. In practice, both topologies are often deployed—using the central topology to activate the service quickly, followed by the distributed topology at a later stage. It is recommended to rely on the distributed internet link for other services (such as WAN backup, employee web browsing, or out-of-band management) to maximize the value of these links.
Romain Pillon, IT consultant.
.jpg)
