Cloud based router with policy enforcement. In some implementations, a system is
provided. The system includes a plurality of access points. The plurality of access points
receive data packets from a plurality of client devices. The system also includes a plurality of
tunnel devices coupled to the plurality of access points. The plurality of tunnel devices generate
encapsulated packets based on the data packets received by the plurality of access points. The
system further includes a plurality of packet forwarding components coupled to the plurality of
tunnel devices via a first set of tunnels. The plurality of packet forwarding components receive
the encapsulated packets from the plurality of tunnel devices and forward the encapsulated
packets. The system further includes a plurality of network access controllers coupled to the
plurality of packet forwarding components via a second set of tunnels. The plurality of network
access controllers enforce one or more network policies for the plurality of client devices, as the
plurality of client devices move between the plurality of access points.