
Ciena virtual WiFi Access Gateway (vWAG)

End-users have high expectations when it comes to WiFi availability, performance, and Quality of Experience (QoE). In response, WiFi networks have become more sophisticated in their handling of subscriber management, control, and security. Ciena’s virtual WiFi Access Gateway (vWAG) is a scalable, carrier-grade solution capable of addressing the high-performance demands of several WiFi use cases including public/community WiFi, smart cities, venue WiFi, and several others.

Why Ciena vWAG?

Ciena’s vWAG enables the use of cost-effective WiFi Access Points (APs) and supports multi-vendor WiFi networks without compromising functionality. It assists with user authentication and assignment of IP addresses and dynamically applies per-user policies for bandwidth, traffic routing, and security.

Multiple deployment options

Within the WAG family of products, Ciena has affordable options based on network scale and desired entry point. Our virtual Business Access Gateway (vBAG) is a low-scale version of the vWAG. It is primarily for gateways up to 14 Gb/s bandwidth and 1,000 tunnels, but licensing does allow for higher capacities. Both the vWAG and vBAG can be deployed in Virtual Machine (VM) environments or as a bare metal appliance. In both cases, x86 Commercial Off the Shelf (COTS) servers are used for the hardware. The flexibility in design enables Ciena’s vWAG to be used in several use cases.


1. Multi-vendor WiFi aggregation via GRE, L2TPv3, or Virtual LANs (VLANs) from CPE access points
2. Authentication, Authorization, and Accounting (AAA) proxy and load balancing
3. Carrier-grade Network Address Translation (CGNAT) and stateful firewall
4. Mobility across WiFi APs as well as different WiFi networks
5. Content filtering and malware/phishing protection
6. Policy enforcement per access point, per VLAN, or per subscriber


  • Gateway support
    • Business Access Gateway (BAG)
    • WiFi Access Gateway (WAG)
  • Tunnel connectivity
    • Soft GRE, GRE over UDP
    • L2TPv3, L2TPv3 over IP, L2TPv3 over UDP
    • GRE over IPSec and IKEv2
    • VLAN as a tunnel (subscriber VLANs)
  • Authentication, Authorization, and Accounting (AAA)
    • RADIUS AAA client support
    • RADIUS accounting
    • 802.1x with EAP authentication
    • RADIUS AAA server groups
    • RADIUS AAA load balancing or primary/secondary scheduling
    • RADIUS custom dictionaries and VSAs
  • Management
    • CLI, Telnet, SSH
    • SNMPv1, v2c, v3; 400+ MIBs
    • FTP, TFTP, SFTP, FTP client/server
    • PING, traceroute, MTU settings
    • Management ACLs
    • NTP
    • Syslog
    • TACACS+
  • High availability
    • N+1 active/active, active/standby
    • VRRP (for Layer 2 networks)
    • BGP Anycast (for Layer 3 networks)
    • 802.1ad link aggregation
    • Link Aggregation Group (LAG)
    • VLAN over LAG
  • QoS and bandwidth management
    • Rate limiting (subscriber/device, VLAN, tunnel)
    • DSCP classification and marking
  • IP addressing and IP features
    • DHCP v4/v6 server
    • IPv4, IPv6, and dual stack
    • IPv4/v6 block fragmented packets
    • DNS v4/v6 client/resolver
    • DNS server v4/v6 options
    • DNS bridge
  • L2/L3 routing
    • Static
    • BGP
    • OSPFv4
    • IS-IS
    • BFD
    • Equal Cost Multi Path (ECMP)
    • Route maps
    • 1 million IPv4 routes
    • ARP
    • IP v4/v6 fragmentation handling
    • Static IP on CPE (B2B static IP)
    • L3VPN with B2B static IP
  • Security
    • VLANs
    • Standard and extended ACLs, IPv4/v6
    • ACLs per port, per subscriber, per tunnel, per tunnel VLAN
    • IPv4 firewall
    • Carrier-Grade NAT (CGNAT)
    • CGNAT port block
    • In-use Syslog/SNMP alarm threshold
    • Wildcard DNS ACLs
    • Tunnel broadcast prevention
    • Parental controls
    • Content filtering
    • Malware and phishing protection
    • Lawful intercept
    • Subscriber mirroring
    • WiFi AP mirroring
  • Guest user services
    • Captive portal redirect
    • HTTP enrichment
    • Splash page—one time redirection
    • Walled-garden services
    • Guest user mobility
    • Unauthorized and authorized user policies
  • Analytics
    • SNMP MIB stats
    • Port and VLAN utilization metrics
    • Other related tools:
      • Operations Subscriber Simulator for performance monitoring
