Decoupled by Design: Why Cloud-managed Networks Still Require On-premises Data Plane Aggregation
With Cisco's Campus Gateway and Juniper's Mist Edge converging on the same architectural principle, centralized data-plane aggregation is now an expectation.
Cloud management decoupled the control plane from the data plane. It never eliminated the need for on-premises data plane aggregation, and the market is now correcting for having assumed otherwise.
That correction became explicit in 2025 when Cisco launched the Campus Gateway, a centralized data-plane aggregation appliance for its Meraki cloud-managed wireless stack. The launch didn't arrive in a vacuum. Juniper Networks had already built this capability into its Mist Edge architecture following its 2019 acquisition of Mist Systems, and the simultaneous convergence of two major enterprise networking vendors on the same architectural answer is worth examining closely. When competitors arrive at the same conclusion independently, the underlying problem tends to be real, broadly felt and no longer optional to solve.
What looks like a product feature in two competing vendor launches is better understood as an architectural correction: a recognition that distributed data plane defaults, while operationally simple at small scale, create segmentation, roaming and VLAN (virtual local area network) sprawl problems that enterprise environments cannot ignore.
This piece examines what that correction means, where the pattern extends beyond wireless networking and what enterprise network architects should consider before committing to an architecture.
The core challenge is familiar to anyone who has deployed cloud-managed Wi-Fi at scale. In the simplest model, access points terminate traffic locally; each AP trunks client VLANs directly to the access switch. This works fine for small sites, but as campus environments grow, the implications compound quickly: security VLANs must be extended across every switch that touches an AP, guest and IoT traffic sprawls across the switching fabric, and seamless client roaming across subnets becomes operationally painful to engineer. The distributed data plane, while elegant in its simplicity, trades short-term ease for long-term complexity.
The on-premises controller world solved this years ago. By tunneling AP traffic back to a centralized wireless LAN controller (WLC), organizations could keep client VLANs contained, enforce consistent policy at a single chokepoint and provide transparent roaming across a campus without re-engineering the switching layer. The trade-off was the controller itself: a costly, on-premises appliance that required manual management, firmware coordination and capacity planning.
What modern cloud-managed architectures deliver is the best of both worlds: the operational simplicity and AI-driven intelligence of cloud management for the control plane, combined with on-premises centralized aggregation for the data plane. This hybrid model, which includes cloud control and local data forwarding, is not a compromise. It is a deliberately engineered architecture that unlocks capabilities not achievable in either a fully distributed or fully on-premises model alone.
Why this matters beyond Wi-Fi
As Samuel Clements noted in a recent WWT blog post, this pattern extends well beyond any single product launch. Cloud-managed wireless networks are rediscovering a concept that on-premises controller shops never really abandoned: centralized data-plane aggregation.
The re-centralization pattern is not unique to wireless. Across SD-WAN, IoT/OT network segmentation and zero-trust access architectures, the same fundamental design principle applies: decouple where intelligence lives (the cloud or a centralized controller) from where traffic is processed (close to the source, for performance and compliance). This pattern has direct implications for how enterprise networks are designed across every traffic domain.
Juniper Mist Edge: The industry pioneer
Before Cisco launched its Campus Gateway, Juniper Networks was already shipping the answer. The Juniper Mist Edge, introduced alongside the Mist AI cloud platform following Juniper's 2019 acquisition of Mist Systems, was among the first solutions to architecturally separate a cloud-native control plane from an on-premises centralized data plane in an enterprise wireless context, and it did so with a microservices-first design philosophy that was genuinely ahead of its time.
The core innovation of Mist Edge was not simply that it tunneled traffic. It was how it integrated into the cloud management model without becoming the operational anchor that legacy centralized wireless LAN controllers had been. In the Mist Edge architecture, all management, AI analytics and control functions remain entirely in the Mist AI cloud. The Edge appliance, available as dedicated hardware in multiple capacity tiers or as a virtual machine, runs only the tunneling microservice on-premises, accepting L2TPv3 tunnels from APs to centralize VLAN traffic without requiring the APs to know anything about the downstream switching topology.
What made Mist Edge architecturally distinctive
- Microservices architecture: Unlike a monolithic WLC, Mist Edge runs discrete, independently updatable service modules. The tunneling microservice can be upgraded in under three seconds with no reboot and no AP firmware dependency. This is a stark contrast to the coordinated firmware lock-step that plagued traditional controller upgrades.
- Firmware independence: AP firmware and Mist Edge service versions are fully decoupled. This alone eliminates one of the most operationally burdensome aspects of controller-based wireless management.
- Flexible data-plane topology: APs can simultaneously support locally bridged WLANs and tunneled WLANs. Guest traffic can be tunneled to a DMZ Mist Edge while corporate traffic breaks out locally, all configured through the same cloud dashboard.
- Scale without limits: The Mist Edge cluster architecture scales horizontally. The flagship X10 appliance supports up to 10,000 APs and 100,000 concurrent clients in a single cluster, with additional nodes added for capacity without redesigning the architecture.
- Teleworker and branch extension: Beyond campus, Mist Edge extends the same centralized model to remote workers via IPsec, replacing legacy VPN infrastructure with a cloud-managed, AP-anchored teleworker architecture that delivers corporate-grade segmentation to the home office.
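An added example (not from the original report, and not Juniper or Cisco code) of the VLAN-sprawl argument made earlier and of the mixed bridged/tunneled WLAN topology in the list above: given a forwarding mode per WLAN, it computes which VLANs each access switch must trunk and audits configured trunks for guest/IoT VLANs that are still exposed. The switch names, VLAN IDs, AP management VLAN and inventory are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Wlan:
    name: str
    vlan: int
    mode: str                # "bridged": AP trunks the VLAN to its access switch
                             # "tunneled": AP tunnels the VLAN to the on-prem gateway
    sensitive: bool = False  # guest/IoT-style traffic that should stay off access trunks

AP_MGMT_VLAN = 10  # assumed VLAN the APs themselves sit in (source of the tunnels)

# Constructed WLAN policy: corporate breaks out locally, guest and IoT are tunneled.
WLANS = [
    Wlan("corp", 20, "bridged"),
    Wlan("guest", 30, "tunneled", sensitive=True),
    Wlan("iot", 40, "tunneled", sensitive=True),
]

# Constructed inventory: access switch -> (AP count, VLANs currently allowed on AP trunks)
SWITCHES = {
    "acc-1": (12, {10, 20}),
    "acc-2": (8, {10, 20, 30, 40}),   # leftover guest/IoT VLANs from a bridged design
    "acc-3": (0, {30}),               # no APs, yet the guest VLAN is still extended here
    "acc-4": (20, {10}),              # missing the bridged corporate VLAN
}

def required_vlans(wlans, ap_count):
    """VLANs an access switch must carry on AP-facing trunks for this WLAN policy."""
    if ap_count == 0:
        return set()
    return {AP_MGMT_VLAN} | {w.vlan for w in wlans if w.mode == "bridged"}

def gateway_vlans(wlans):
    """VLANs that only need to exist at the aggregation gateway."""
    return {w.vlan for w in wlans if w.mode == "tunneled"}

def audit(wlans, switches):
    """Per switch: VLANs missing, VLANs that can be pruned, sensitive VLANs exposed."""
    sensitive = {w.vlan for w in wlans if w.sensitive}
    report = {}
    for name, (ap_count, allowed) in sorted(switches.items()):
        need = required_vlans(wlans, ap_count)
        extra = allowed - need
        report[name] = {
            "missing": sorted(need - allowed),
            "prune": sorted(extra),
            "exposed_sensitive": sorted(extra & sensitive),
        }
    return report

def trunk_entries(wlans, switches):
    """Total (switch, VLAN) pairs to maintain: the sprawl figure for a design."""
    return sum(len(required_vlans(wlans, n)) for n, _ in switches.values())

def all_bridged(wlans):
    """The same WLANs with every SSID locally bridged, for comparison."""
    return [Wlan(w.name, w.vlan, "bridged", w.sensitive) for w in wlans]

if __name__ == "__main__":
    for sw, findings in audit(WLANS, SWITCHES).items():
        print(sw, findings)
    print("trunk entries, all bridged:", trunk_entries(all_bridged(WLANS), SWITCHES))
    print("trunk entries, mixed policy:", trunk_entries(WLANS, SWITCHES))
    print("gateway-only VLANs:", sorted(gateway_vlans(WLANS)))
```

The `exposed_sensitive` list is the finding to act on after a migration to tunneled WLANs: those VLANs no longer need to exist on the access layer and can be pruned from the trunks.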
Juniper's position in the Gartner Magic Quadrant for Enterprise Wired and Wireless LAN Infrastructure has reflected this innovation, with recognition as a Leader for five consecutive years and the furthest position in Completeness of Vision for four consecutive years (Gartner Magic Quadrant for Enterprise Wired and Wireless LAN Infrastructure, June 25, 2025).
In WWT's own customer engagements, Marvis, Juniper's AI-driven virtual network assistant, has consistently proven to be the most operationally impactful capability in the Juniper stack, reducing mean time to resolution and trouble ticket volume more than any other platform feature.
For enterprises evaluating cloud-managed wireless between 2020 and 2024, Mist Edge was often the differentiating capability that tipped the decision toward Juniper, particularly in healthcare, higher education and large financial services environments where VLAN containment, guest isolation and seamless roaming were non-negotiable requirements.
WWT's own customer engagements during this period reflect that Mist Edge was frequently the answer to the question: "We want cloud management, but we need the operational model of a centralized controller."
Cisco Campus Gateway: The incumbent responds
Cisco's Campus Gateway, launched in 2025 and built on the CW9800 hardware platform (SKU: CW9800H1), brings centralized data-plane aggregation to the Meraki cloud-managed stack for the first time, and it does so with a characteristic Cisco advantage: deep integration into one of the broadest enterprise networking ecosystems in the industry.
The architectural premise is similar to Mist Edge: APs tunnel client traffic to the Campus Gateway rather than bridging it locally at the access switch, eliminating the need to extend VLANs across the switching fabric and enabling cleaner segmentation and seamless roaming. Where Campus Gateway stands out is how it extends and complements the broader Cisco portfolio.
Where Cisco brings differentiated value
Zero Trust and Security Group Tag (SGT) Integration
Perhaps the most compelling enterprise differentiator is Campus Gateway's native integration with Cisco's Software-Defined Access (SDA) and TrustSec security group tag framework. Adaptive Policy with security group tags enables network segmentation to be driven by user and device identity rather than by VLAN topology, a capability that aligns directly with zero-trust architectural principles.
For enterprises already investing in Cisco Identity Services Engine (ISE), Cisco Duo and Catalyst Center-based network access control, Campus Gateway becomes a natural extension of a policy framework that already spans wired, wireless, and SD-WAN domains. Juniper's equivalent requires third-party integration for full zero-trust coverage; Cisco's is native.
ThousandEyes and Application Assurance
Cisco's acquisition of ThousandEyes brought end-to-end application observability into the campus networking stack in a way that no wireless-only vendor can match. With Campus Gateway integrated into Meraki Dashboard and ThousandEyes, network operators gain correlation between wireless data-plane events and application-layer performance, a capability that is increasingly demanded by enterprise IT teams managing hybrid work environments. Juniper's Mist AI offers strong wireless-level SLE metrics and Marvis-driven anomaly detection, but lacks native deep packet inspection (DPI) and application assurance outside of Zoom API integration.
Stateful switchover (SSO)
Campus Gateway supports stateful failover between a primary and standby appliance, preserving client sessions during a failover event. This is a meaningful operational consideration for environments that cannot tolerate wireless disruption, such as healthcare facilities, trading floors and manufacturing plants. This represents a gap in the current Juniper Mist Edge architecture, which operates in active-active cluster mode but does not offer stateful session preservation on failover.
Unified Portfolio Migration Path
Cisco has made a deliberate architectural commitment to unify its Meraki and Catalyst wireless stacks under a common hardware platform (the CW9800 series) that can operate in either cloud-managed or on-premises mode. For organizations running Cisco Catalyst 9800 WLCs today and considering a transition to cloud management, Campus Gateway provides a migration path that preserves hardware investment while shifting to the Meraki management model. This dual-mode capability, unique in the market, significantly lowers the barrier to cloud adoption for Cisco's substantial installed base.
Ecosystem breadth
Cisco's advantage has always been the breadth of its portfolio. Campus Gateway sits within an ecosystem that spans Cisco Catalyst switching, Catalyst SD-WAN, Cisco Secure (formerly Umbrella, Firepower and Duo), Cisco Spaces for location intelligence and Webex for collaboration. For organizations seeking a single-vendor reference architecture spanning the campus access layer, WAN edge and security stack, Cisco's integration depth remains unmatched.
A note on analyst positioning: In the 2025 Gartner Magic Quadrant for Enterprise Wired and Wireless LAN Infrastructure, the recognized Leaders are Juniper Networks, Fortinet and HPE Aruba. Gartner evaluations reflect overall portfolio maturity and are not assessments of individual product capability. Campus Gateway is a recent launch and should be evaluated on its architectural fit within an existing Cisco environment. That is where the solution's integration advantages are most clearly realized.
Head-to-head: Architecture decision framework
Deciding on a centralized data-plane aggregation solution does not take place in a vacuum. Organizations with existing Cisco infrastructure will find Campus Gateway to be the natural evolution of their current architecture. Organizations running Juniper Mist or evaluating greenfield deployments will find Mist Edge an architectural fit. The more important point is that both ecosystems have now converged on the same architectural principle. Data-plane aggregation is no longer a differentiator; it is a baseline expectation.
| Dimension | Juniper Mist Edge | Cisco Campus Gateway |
|---|---|---|
| Market availability | 2019 (Mist acquisition era) | 2025 |
| Cloud management | Mist AI cloud (microservices) | Meraki Dashboard |
| Tunnel protocol | L2TPv3 / IPsec | QUIC (control) + VXLAN (data) |
| Scale (per node) | Up to 10,000 APs / 100,000 clients (X10) | Up to 5,000 APs (cluster) / 50,000 clients |
| Virtual appliance option | Yes (VM available) | No (hardware only at launch) |
| AP firmware independence | Yes - 3-second service updates | Gateway and AP firmware managed independently via Meraki Dashboard |
| AI / Assurance platform | Marvis VNA, SLE metrics, anomaly detection | Meraki Dashboard analytics + ThousandEyes |
| Zero trust integration | Relies on partners for full ZT framework | Native: Cisco Duo, SGT/TrustSec, SDA |
| Application visibility (DPI) | Limited; Zoom API integration only | End-to-end with ThousandEyes + Catalyst Center |
| SSO/Stateful failover | Active-active cluster; no stateful switchover | SSO with stateful failover supported |
| Ecosystem breadth | Wired + wireless + SD-WAN (Mist AI unified) | Full Cisco portfolio: security, UC, SD-WAN, DC |
| Best fit | Greenfield cloud-first, AI-forward, cost-sensitive | Cisco-centric campus refresh, enterprise ZT |
Source links:
Juniper: https://www.mist.com/documentation/mist-edge-design-guide/
Cisco: https://www.cisco.com/c/en/us/products/collateral/wireless/campus-gateway-faq.html
The pattern goes beyond Wi-Fi: Where else does this apply?
The principle at work in both products is the deliberate, policy-driven placement of data-plane functions based on business requirements, not on topology defaults. It is reshaping how enterprise networks are designed across every traffic domain. Recognizing it reframes the architectural conversation well beyond the AP and the wiring closet.
1. SD-WAN: A study in intentional data plane placement
SD-WAN is actually the architectural mirror image of what Campus Gateway and Mist Edge are doing, and that contrast makes the broader principle clearer, not murkier. Where cloud-managed wireless is re-centralizing the data plane to solve scale and roaming problems, SD-WAN spent the last decade decentralizing it. The entire value proposition of SD-WAN was breaking the hub-and-spoke MPLS model, pushing local internet breakout to the branch, and eliminating the centralized data center as a mandatory forwarding chokepoint. The control plane remained centralized, with the orchestrator managing policy and routing intelligence, but the data plane was deliberately distributed closer to the user.
These are not contradictory trends. They are the same underlying discipline applied to different problems: the data plane should live where business requirements dictate, not where the architecture defaulted.
In wireless environments, the distributed default created roaming, segmentation and VLAN sprawl at scale, so the data plane is moving back toward the center.
On the WAN side, the centralized default created latency, cost and availability problems, so the data plane moved to the edge. The unifying principle is intentional placement, and organizations that apply it consistently across traffic domains arrive at architectures that are operationally simpler, more secure and easier to evolve than those built around vendor defaults.
2. SASE / Security Service Edge: Where both trajectories converge
SASE is where the SD-WAN and wireless centralization stories meet. As enterprises mature their SD-WAN deployments, they face a new requirement: certain traffic flows need centralized security inspection for ZTNA enforcement, DLP, SWG filtering or CASB policy, regardless of where the user is sitting or what device they're on. The answer is selective re-centralization: steering specific flows through cloud-hosted security enforcement points (Zscaler, Palo Alto Prisma Access, Cisco SSE) while everything else continues to break out locally.
That selective steering to a centralized enforcement point is architecturally identical to what Campus Gateway and Mist Edge do for wireless client traffic. The AP is the edge node. The gateway is the enforcement point. Policy determines which traffic is tunneled and which is routed locally. Replace "AP" with "branch SD-WAN edge" and "gateway" with "cloud security PoP," and you have SASE. The pattern is the same. What changes is the traffic domain and the enforcement technology.
The teams advising on wireless data-plane centralization and on SD-WAN-to-SASE migration are solving the same architectural problem from different entry points. Organizations that recognize the pattern converge faster, make fewer redundant decisions and arrive at a security posture that is coherent end-to-end rather than a patchwork of point solutions that each solved one problem without awareness of the others.
3. IoT and OT traffic segmentation
IoT and OT device traffic represents one of the most operationally compelling use cases for centralized data-plane aggregation. It is also one where the consequences of getting it wrong are most severe. IoT devices typically cannot participate in 802.1X authentication, cannot run agents and often span dozens of implicit VLAN segments across an entire campus. Extending those VLANs to every access switch that touches an AP creates exactly the same scale and complexity problem as distributed Wi-Fi. This is compounded by the fact that these devices represent the largest unmanaged attack surface in most enterprise environments.
Centralized data plane models address this directly. Mist Edge, for example, explicitly supports IoT segmentation as a production use case, tunneling IoT device traffic from APs to a centralized enforcement point without requiring per-switch VLAN configuration. The segmentation policy lives at the gateway, not distributed across hundreds of access switches. As IT/OT convergence accelerates in manufacturing, healthcare and smart facilities, this architectural pattern shifts from a convenience to essential infrastructure. The wireless gateway becomes a natural enforcement point for problems that were previously solved poorly or not at all.
4. Wired access: EVPN/VXLAN fabric and campus fabric overlays
The same control/data-plane separation principle extends to wired access via campus fabric architectures. Cisco's Software-Defined Access (SDA) uses LISP for host mobility and policy tracking, with VXLAN for data-plane encapsulation across the underlay fabric. Juniper's EVPN-VXLAN campus architecture applies BGP EVPN as the control plane with VXLAN tunneling across the underlay. In both cases, client identity and segmentation policy travel with the endpoint regardless of physical switch attachment. This is the same outcome that Mist Edge and Campus Gateway deliver for wireless clients, but it is achieved through overlay fabric rather than AP tunneling.
The integration point matters here. When wireless traffic is tunneled into these fabric overlays rather than locally bridged at the access switch, the wired and wireless data planes unify under a single policy model. This is the architectural end state that both Cisco SDA and Juniper Mist are building toward: a campus where identity-driven policy is enforced consistently regardless of whether the client is wired or wireless, stationary or roaming.
5. Remote work and branch extension
The teleworker use case for Mist Edge applies the same centralization model to the distributed workforce, in a way that a client-based VPN cannot replicate. Software VPN clients on user devices come with agent management, split-tunneling complexity and device posture dependencies. The Mist Edge teleworker model eliminates all of that by making the AP itself the tunnel termination point.
An AP ships to an employee's home, establishes an IPsec tunnel back to the corporate Mist Edge, and the home office receives the same VLAN segmentation, guest isolation and corporate policy enforcement that exists on campus. The user's devices require no configuration. The IT team manages one policy model.
This matters beyond convenience. As organizations architect for permanent hybrid work, hardware-anchored remote access provides a consistent enforcement posture that client-based ZTNA alone cannot guarantee, particularly for unmanaged or shared devices. It also extends the campus data plane model to the home, providing the same AIOps visibility, SLE metrics and Marvis-driven troubleshooting that apply on campus to the remote worker's AP. The home office becomes a managed network node, not a blind spot.
Conclusion: An architectural conversation, not a product feature
The re-centralization of the wireless data plane is best understood not as a product feature but as an architectural correction. It is a recognition that the simplicity of distributed cloud-managed Wi-Fi, while operationally attractive, left a gap that large enterprises could not ignore. Juniper Mist Edge identified and solved this gap early. Cisco's Campus Gateway, arriving in 2025, validates that the architectural need is real, broadly felt and no longer a matter of debate.
The broader principle extends well beyond wireless. Every traffic domain — WAN, security, IoT, wired access and remote work — is navigating the same fundamental questions: where should data be processed, and where should policy be enforced?
The organizations asking those questions deliberately and answering them with architectural intent are building networks that will remain coherent as AI-driven automation, Zero Trust enforcement and hybrid work permanently reshape what the network is asked to do.
Organizations still accepting vendor defaults across wireless, WAN, security and IoT are accumulating architectural debt that will become harder to unwind as AI-driven automation and Zero Trust enforcement raise the stakes for getting the underlying design right.
This report is compiled from surveys WWT Research conducts with clients and internal experts; conversations and engagements with current and prospective clients, partners and original equipment manufacturers (OEMs); and knowledge acquired through lab work in the Advanced Technology Center and real-world client project experience. WWT provides this report "AS-IS" and disclaims all warranties as to the accuracy, completeness or adequacy of the information.