Comparar Pontos de Acesso Baseados em Controlador vs. Geridos na Nuvem

Este guia de referência técnica compara arquiteturas de Pontos de Acesso baseadas em controlador e geridas na nuvem para ambientes empresariais. Fornece aos líderes de TI uma estrutura neutra em relação ao fornecedor para avaliar modelos de implementação, custo total de propriedade e capacidades de integração com plataformas de inteligência de convidados como a Purple.

📖 6 min de leitura📝 1,351 palavras🔧 2 exemplos práticos❓ 3 perguntas de prática📚 8 definições principais

Ouça este guia

Ver transcrição do podcast

Comparing Controller-Based vs. Cloud-Managed Access Points
A Purple Technical Briefing — Approximately 10 Minutes

---

INTRODUCTION AND CONTEXT — approximately 1 minute

Welcome to the Purple Technical Briefing series. I'm your host, and today we're tackling a question that lands on the desk of almost every network architect and IT director at some point: should you be running controller-based access points, or is it time to move to cloud-managed APs?

This isn't a theoretical debate. The decision you make here has direct consequences for your capital expenditure, your operational overhead, your security posture, and frankly, your team's sanity at two in the morning when something goes wrong across twelve sites simultaneously.

We'll cover the technical architecture of both approaches, walk through real deployment scenarios from hospitality and retail, and give you a clear decision framework you can apply to your own environment. By the end of this briefing, you should be able to walk into a board meeting or a procurement committee and make the case — either way — with confidence.

Let's get into it.

---

TECHNICAL DEEP-DIVE — approximately 5 minutes

Let's start with the fundamentals. A controller-based access point architecture centralises all the intelligence in a physical or virtual wireless LAN controller — what most of us call a WLC. The APs themselves are typically what the industry calls "thin" or "lightweight" APs. They handle the radio frequency work — transmitting and receiving on 2.4 gigahertz, 5 gigahertz, and increasingly 6 gigahertz under Wi-Fi 6E — but the control plane, the management plane, and often the data plane all run through that controller.

The CAPWAP protocol — that's Control and Provisioning of Wireless Access Points, defined in RFC 5415 — is what binds the AP to the controller. Every configuration change, every roaming decision, every authentication handshake flows through that tunnel. In a high-density environment like a conference centre or a stadium, this architecture gives you extraordinarily fine-grained control. You can tune transmit power, channel assignment, and client load balancing at a granular level that cloud platforms are only beginning to match.

The trade-off is obvious: that controller is a single point of failure unless you've deployed a redundant pair, which adds cost and complexity. You also need qualified engineers on-site or on call who understand the vendor's specific CLI and management interface. Firmware updates require planned maintenance windows. And when you're running fifty sites across a retail estate, managing fifty controllers — or even a cluster of them — is a significant operational burden.

Now, cloud-managed access points flip this model. The APs are still doing the RF work locally, but the management plane lives in the vendor's cloud — or in some cases a private cloud you control. Configuration is pushed down from the cloud; telemetry and diagnostics flow back up. The AP can function autonomously if the cloud connection drops — this is what vendors call "local survivability" — but you lose real-time visibility and the ability to push changes until connectivity is restored.

From a standards perspective, cloud-managed APs still implement the same IEEE 802.11ax or 802.11be radio protocols. They support WPA3-Enterprise with IEEE 802.1X authentication, RADIUS integration, and VLAN segmentation just as controller-based systems do. The difference is purely in where the management intelligence sits.

Security is where this conversation gets nuanced. Under PCI DSS version 4.0, if your APs are handling cardholder data environments — think retail point-of-sale networks — you need to demonstrate that your management traffic is encrypted and that your cloud provider meets the relevant compliance requirements. Most enterprise cloud WiFi vendors now provide SOC 2 Type II attestations and support for data residency requirements, which addresses the bulk of GDPR concerns around data sovereignty. But if you're in a regulated environment — defence, certain healthcare settings, critical national infrastructure — an air-gapped controller-based deployment may still be the only viable option.

Let's talk throughput and density. This is where controller-based systems have historically had an edge. In a stadium deploying 400 APs across a venue that fills with 60,000 people simultaneously, the ability to run centralised RF management — coordinating channel reuse, managing co-channel interference, and handling fast BSS transition under 802.11r for seamless roaming — is genuinely valuable. Cloud-managed platforms have closed this gap considerably, particularly with AI-driven RF optimisation, but if you're running a genuinely high-density, latency-sensitive deployment, you should be stress-testing the cloud platform's local survivability and roaming performance before committing.

For multi-site deployments — a hotel chain with 80 properties, a retail brand with 300 stores — cloud-managed APs are operationally transformative. Zero-touch provisioning means a new AP ships to a site, a local member of staff plugs it in, and it phones home to the cloud, downloads its configuration, and is live within minutes. No engineer on-site, no truck roll, no maintenance window. The operational cost saving here is material.

---

IMPLEMENTATION RECOMMENDATIONS AND PITFALLS — approximately 2 minutes

Let me give you the practical guidance that saves you from the mistakes I see organisations make repeatedly.

First: do not underestimate backhaul dependency in cloud-managed deployments. Your APs need a reliable, low-latency internet connection to maintain cloud connectivity. If you're deploying in a venue where the internet circuit is shared with guest traffic — and it often is — you need to ensure your management traffic is QoS-prioritised and that you have a secondary circuit or 4G failover. I've seen cloud-managed deployments at conference venues where a saturated internet circuit during a peak event caused the management plane to drop, leaving the ops team flying blind.

Second: plan your VLAN architecture before you touch a single AP. Whether you're controller-based or cloud-managed, your guest network, your corporate network, your IoT devices, and your POS systems should be on separate VLANs with appropriate firewall policies between them. This is basic network hygiene, but it's remarkable how often it's an afterthought.

Third: if you're integrating a guest WiFi platform like Purple on top of your AP infrastructure — and you should be, because that's where the analytics and the captive portal and the marketing data live — make sure your AP platform supports the integration method Purple uses. Purple is hardware-agnostic, which means it works with controller-based and cloud-managed APs alike, but you need to confirm that your AP vendor supports the RADIUS accounting and API hooks that Purple uses for session management and analytics.

Fourth: firmware management. Cloud-managed platforms typically push firmware updates automatically, which is a double-edged sword. You get security patches quickly, which is good. But you can also get a firmware update that breaks something in your environment at an inconvenient time. Establish a firmware staging policy — test updates on a subset of APs before rolling out estate-wide.

The most common pitfall I see? Organisations choosing a platform based on the hardware cost alone, without factoring in the total cost of ownership over a five-year horizon. A controller-based system might look cheaper upfront, but when you add the cost of the controller hardware, the support contracts, the engineering time for firmware management, and the operational overhead of multi-site management, cloud-managed often wins on TCO — sometimes significantly.

---

RAPID-FIRE Q AND A — approximately 1 minute

Question: Can I mix controller-based and cloud-managed APs in the same estate?

Answer: Yes, but I'd caution against it unless you have a very clear reason — like a legacy site that isn't worth migrating yet. Managing two separate platforms doubles your operational complexity and your training overhead.

Question: Does cloud-managed mean my data goes to the vendor's servers?

Answer: Management telemetry does, yes. Your guest data traffic typically breaks out locally at the AP and doesn't traverse the vendor's cloud. But check the data processing agreements carefully, especially for GDPR compliance.

Question: Is Wi-Fi 6E only available on cloud-managed platforms?

Answer: No. Wi-Fi 6E hardware is available across both architectures. The 802.11ax and 802.11be standards are independent of the management architecture.

Question: How does Purple integrate with cloud-managed APs?

Answer: Purple is hardware-agnostic. It integrates via RADIUS, API, or captive portal redirect regardless of whether your APs are controller-based or cloud-managed. The analytics and guest WiFi experience are consistent across both.

---

SUMMARY AND NEXT STEPS — approximately 1 minute

Let me leave you with the three things that should drive your decision.

One: if you're managing more than five sites, cloud-managed APs will almost certainly deliver better operational efficiency and lower total cost of ownership. The zero-touch provisioning and centralised visibility alone justify the switch.

Two: if you have strict data sovereignty requirements, a high-density single-site deployment, or a regulated environment, evaluate controller-based carefully — or consider a hybrid approach with a cloud-managed overlay for visibility.

Three: your AP architecture is the foundation, but it's not the whole story. Layering a platform like Purple on top gives you the guest WiFi experience, the analytics, and the marketing intelligence that turns your WiFi infrastructure from a cost centre into a revenue-generating asset.

For the full technical reference guide, including architecture diagrams, worked deployment examples, and the decision framework, visit purple.ai. Thanks for listening.

Principais Conclusões

✓Controller-based architectures centralise RF management and data planes, making them ideal for ultra-high-density venues like stadiums.
✓Cloud-managed architectures decentralise the data plane while centralising management, offering significant OpEx savings for multi-site deployments.
✓Zero-Touch Provisioning (ZTP) is the primary operational advantage of cloud-managed APs, eliminating the need for remote engineering visits.
✓In cloud-managed deployments, user data traffic breaks out locally; only management telemetry traverses the WAN to the cloud.
✓Both architectures can achieve enterprise-grade security and compliance (PCI DSS, GDPR) when proper VLAN segmentation is implemented.
✓Purple's guest intelligence and analytics platform is hardware-agnostic and integrates seamlessly with both controller-based WLCs and cloud-managed dashboards.

Resumo Executivo

Para operadores de espaços empresariais, a decisão arquitetónica entre Pontos de Acesso (APs) baseados em controlador e geridos na nuvem define a agilidade operacional, a postura de segurança e o custo total de propriedade (TCO) da sua rede para os próximos cinco a sete anos. À medida que os espaços em Hotelaria , Retalho e Transportes digitalizam os seus espaços físicos, o WiFi já não é meramente uma comodidade; é a camada de transporte crítica para sensores IoT, sistemas de Ponto de Venda (POS) e plataformas de inteligência de convidados.

Historicamente, as exigências de alta densidade de estádios e grandes centros de conferências exigiam Controladores de LAN Sem Fios (WLCs) no local para gerir a coordenação complexa de RF e o roaming contínuo. No entanto, as arquiteturas modernas geridas na nuvem, aumentadas pela gestão de recursos de rádio (RRM) impulsionada por IA, reduziram significativamente esta lacuna de desempenho, eliminando o custo operacional de gerir dispositivos controladores físicos.

Este guia de referência técnica fornece a arquitetos de rede e diretores de TI uma estrutura neutra em relação ao fornecedor para avaliar arquiteturas de AP. Detalha as distinções técnicas na gestão do plano de controlo, examina cenários de implementação reais e descreve como estas arquiteturas se integram com plataformas empresariais de Guest WiFi e WiFi Analytics para impulsionar resultados de negócio mensuráveis.

Análise Técnica Detalhada: Arquitetura e Planos de Controlo

A distinção fundamental entre APs baseados em controlador e geridos na nuvem reside no local onde os planos de gestão e controlo residem, e como os APs interagem com o resto da infraestrutura de rede.

Arquitetura Baseada em Controlador

Num modelo tradicional baseado em controlador, os APs "leves" terminam a sua gestão e, frequentemente, o seu tráfego de dados num dispositivo de hardware ou virtual centralizado — o Controlador de LAN Sem Fios (WLC). Os APs gerem as funções físicas de radiofrequência (RF) da Camada 1 e Camada 2, mas a inteligência é centralizada.

Dependência de Protocolo: Os APs comunicam com o WLC utilizando o protocolo Control and Provisioning of Wireless Access Points (CAPWAP) (RFC 5415).
Processamento Centralizado: As decisões de roaming, os handshakes de autenticação (como 802.1X/EAP) e as atribuições dinâmicas de canais RF são processados pelo controlador.
Tunelamento do Plano de Dados: Em muitas implementações, o tráfego de dados do cliente é tunelado de volta para o WLC antes de sair para a rede com fios. Isto permite a aplicação centralizada de políticas e a gestão simplificada de VLANs num grande campus, mas cria um potencial gargalo.

Vantagens para Ambientes de Alta Densidade: Os sistemas baseados em controlador destacam-se em ambientes de ultra-alta densidade (por exemplo, estádios, grandes auditórios). Como o WLC tem uma visão holística e em tempo real do ambiente RF em centenas de APs, pode coordenar a mitigação de interferências de co-canal e gerir o roaming 802.11r Fast BSS Transition (FT) com precisão de milissegundos.

Arquitetura Gerida na Nuvem

As arquiteturas geridas na nuvem descentralizam o plano de controlo. Os próprios APs são "gordos" ou autónomos em termos de gestão local de RF e encaminhamento de dados, mas são orquestrados centralmente através de uma plataforma de gestão alojada na nuvem.

Gestão Fora de Banda: O AP estabelece um túnel de gestão seguro (tipicamente HTTPS/TLS) para a nuvem do fornecedor. A configuração, telemetria e atualizações de firmware fluem através desta ligação.
Saída Local: O tráfego de dados do cliente não é tunelado para a nuvem. Sai localmente na porta do switch à qual o AP está ligado.
Sobrevivência Local: Se a ligação à internet para a nuvem cair, o AP continua a servir os clientes existentes, a autenticar novos clientes (se for usado RADIUS local ou PSK) e a encaminhar o tráfego. No entanto, a equipa de TI perde a visibilidade em tempo real e a capacidade de enviar alterações de configuração até que a ligação seja restaurada.

Implicações de Segurança e Conformidade

Ambas as arquiteturas suportam padrões de segurança de nível empresarial, incluindo WPA3-Enterprise, autenticação 802.1X e deteção de APs não autorizados. No entanto, o ónus da conformidade difere.

Com sistemas geridos na nuvem, as equipas de TI devem garantir que a plataforma na nuvem do fornecedor cumpre os requisitos regulamentares relevantes (por exemplo, SOC 2 Tipo II, ISO 27001) e que a residência dos dados está em conformidade com o GDPR ou leis de privacidade locais. Para ambientes altamente sensíveis que exigem um isolamento rigoroso — como certas instalações governamentais ou de defesa — um sistema baseado em controlador que opere inteiramente dentro da LAN local permanece o padrão.

Para ambientes que lidam com dados de pagamento, ambas as arquiteturas podem alcançar a conformidade com PCI DSS. No entanto, a segmentação da rede é crítica. A rede de convidados, os dispositivos corporativos e os terminais POS devem ser isolados em VLANs separadas, independentemente da arquitetura do AP.

Guia de Implementação: Implementação e Integração

O impacto operacional da arquitetura escolhida torna-se mais aparente durante a implementação e a gestão contínua, particularmente em cenários multi-site.

Provisionamento Zero-Touch vs. Implementação Faseada

Gerido na Nuvem: A principal vantagem operacional dos APs geridos na nuvem é o Provisionamento Zero-Touch (ZTP). Um AP pode ser enviado diretamente para uma loja de retalho remota ou hotel. Quando ligado, adquire um endereço IP via DHCP, contacta a cloud, descarrega o seu perfil pré-configurado e começa a transmitir. Isto elimina a necessidade de dispendiosas "truck rolls" ou de implementar engenheiros de rede altamente qualificados em locais remotos.

Baseado em Controlador: A implementação de APs baseados em controlador geralmente requer mais preparação. O AP deve ser capaz de descobrir o WLC (muitas vezes via Opção DHCP 43 ou resolução DNS). O firmware deve ser frequentemente alinhado manualmente entre o WLC e os APs. Para uma implementação em vários locais, isto exige frequentemente a preparação centralizada do hardware antes do envio, ou a implementação de engenheiros em cada local.

Integração de Inteligência e Análise de Convidados

A implementação dos APs físicos é apenas a base. Para extrair valor de negócio da rede, os locais devem integrar o seu hardware com plataformas de inteligência de convidados como a Purple.

A Purple opera como uma camada agnóstica de hardware, integrando-se perfeitamente com sistemas baseados em controlador e geridos na cloud de grandes fornecedores (Cisco, Meraki, Aruba, Ruckus, Extreme).

Autenticação e Onboarding: A Purple gere a apresentação e autenticação do Captive Portal (via social login, preenchimento de formulário, ou How a wi fi assistant Enables Passwordless Access in 2026 ). A arquitetura do AP apenas precisa de suportar autenticação e contabilidade RADIUS, redirecionando os utilizadores não autenticados para o portal Purple.
Dados de Análise: A Purple ingere dados de presença e localização dos APs para alimentar o seu painel de análise. Quer os dados sejam enviados via API de um painel da cloud ou diretamente de um WLC local, os insights resultantes — tempos de permanência, taxas de retorno e fluxo de pessoas — são idênticos. Para uma análise mais aprofundada sobre como estes dados são gerados, consulte o nosso guia sobre Heatmapping vs Presence Analytics: Technical Differences .

Melhores Práticas e Mitigação de Riscos

Independentemente da arquitetura selecionada, certas melhores práticas fundamentais mitigam os riscos de implementação e garantem a estabilidade a longo prazo.

Priorizar o Tráfego de Gestão: Para implementações geridas na cloud, a ligação dos APs à cloud é crítica. Garanta que o tráfego de gestão tem prioridade QoS no circuito WAN. Se o local partilhar uma ligação à internet para tráfego de convidados e gestão, uma ligação saturada durante as horas de pico pode fazer com que os APs apareçam offline no painel da cloud.
Atualizações de Firmware Faseadas: As plataformas cloud frequentemente enviam atualizações de firmware automaticamente. Embora isto garanta que os patches de segurança são aplicados prontamente, introduz o risco de bugs inesperados. Configure o seu painel da cloud para fasear as atualizações — testando o novo firmware num pequeno subconjunto de APs (por exemplo, o escritório de TI) antes de o implementar em toda a infraestrutura.
Design para Densidade, Não Apenas Cobertura: As implementações modernas raramente falham por falta de sinal; falham devido ao esgotamento da capacidade ou interferência de co-canal. Realize levantamentos de RF preditivos e ativos adequados, garantindo sobreposição de canais e configurações de potência de transmissão apropriadas, particularmente em zonas de alta densidade como lobbies ou salas de conferência. Para insights sobre como melhorar a experiência geral, reveja How To Improve Guest Satisfaction: The Ultimate Playbook .
Padronizar a Arquitetura VLAN: Implemente um esquema VLAN consistente em todos os locais. Isole as interfaces de gestão, dispositivos corporativos, sensores IoT e tráfego de convidados.

ROI e Impacto no Negócio

A decisão entre APs baseados em controlador e geridos na cloud deve ser impulsionada por uma análise do Custo Total de Propriedade (TCO) ao longo de um ciclo de vida de 5 a 7 anos.

Despesa de Capital (CapEx): Os sistemas baseados em controlador frequentemente têm um CapEx inicial mais elevado devido ao custo dos equipamentos WLC e aos requisitos de redundância associados. Os APs geridos na cloud geralmente têm custos de hardware mais baixos, mas exigem licenciamento de subscrição contínuo.
Despesa Operacional (OpEx): Os sistemas geridos na cloud demonstram consistentemente um OpEx mais baixo em implementações multi-site. As poupanças geradas pelo Zero-Touch Provisioning, resolução de problemas centralizada e gestão automatizada de firmware frequentemente compensam os custos de licenciamento recorrentes.
Agilidade de Negócio: A capacidade de implementar novos locais rapidamente, aplicar alterações de política em toda a rede instantaneamente e integrar-se perfeitamente com plataformas de análise proporciona uma vantagem de negócio tangível, particularmente em setores de rápida evolução como o retalho e a hotelaria.

Ao selecionar a arquitetura que se alinha com as suas capacidades operacionais e topologia do local, e ao sobrepor uma plataforma de inteligência agnóstica de hardware como a Purple, as equipas de TI empresariais podem transformar a sua rede WiFi de um centro de custos necessário num ativo estratégico que gera receita.

Definições Principais

WLC (Wireless LAN Controller)

A centralised hardware or virtual appliance that manages configuration, RF coordination, and security policies for multiple 'lightweight' access points.

The core component of a controller-based architecture, representing both a powerful management tool and a potential single point of failure.

CAPWAP

Control and Provisioning of Wireless Access Points. A standard protocol (RFC 5415) used by WLCs to manage a collection of APs.

The tunnel through which controller-based APs receive instructions and often route client data traffic.

Zero-Touch Provisioning (ZTP)

The ability to deploy network hardware at a remote site without manual configuration; the device automatically connects to a cloud platform to download its profile.

The primary driver for operational expenditure (OpEx) savings in multi-site cloud-managed deployments.

Local Survivability

The ability of a cloud-managed AP to continue routing local traffic and authenticating users even if the WAN connection to the cloud dashboard is lost.

A critical evaluation metric for cloud platforms, ensuring that a WAN outage does not result in a complete LAN failure.

Out-of-Band Management

An architecture where management traffic (telemetry, configuration) is separated from user data traffic.

The foundational security principle of cloud-managed APs, ensuring user data remains on the local network.

802.11r (Fast BSS Transition)

An IEEE standard that permits continuous connectivity aboard wireless devices in motion, with fast and secure handoffs from one AP to another.

Crucial for seamless roaming in high-density environments; historically handled better by centralised controllers.

Data Sovereignty

The concept that digital data is subject to the laws of the country in which it is located.

A key consideration when evaluating cloud-managed platforms to ensure compliance with regulations like GDPR.

Air-Gapped Network

A network security measure employed to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet.

Environments requiring true air-gapping mandate the use of on-premises controller-based architectures.

Exemplos Práticos

A national retail chain is deploying guest WiFi across 300 mid-sized stores. They have a lean central IT team of four engineers and no on-site technical staff. They require analytics to track dwell time and footfall.

Deploy cloud-managed APs across all locations. Utilise Zero-Touch Provisioning (ZTP) to ship APs directly to store managers, who simply plug them into the PoE switch. Configure the cloud dashboard to push a standardised SSIDs and VLAN configuration. Integrate the cloud controller with Purple via API/RADIUS for captive portal and analytics.

Comentário do Examinador: This scenario strongly favours cloud-managed architecture. Deploying 300 physical WLCs would be cost-prohibitive, and managing them would overwhelm a lean IT team. The OpEx savings from ZTP and centralised management will rapidly offset the cloud licensing costs.

A newly constructed 60,000-seat sports stadium requires pervasive WiFi for fan engagement, ticketing, and POS systems. The environment will experience massive, simultaneous client onboarding and requires seamless roaming as crowds move through concourses.

Deploy a controller-based architecture with redundant high-availability WLC appliances in the on-site data centre. Utilise high-density directional antennas. Configure the WLC for aggressive load balancing, band steering, and 802.11r Fast BSS Transition.

Comentário do Examinador: While cloud platforms are improving, an ultra-high-density stadium environment is the classic use case for controller-based systems. The real-time, centralised RF coordination provided by a local WLC is necessary to manage the extreme co-channel interference and roaming demands of 60,000 simultaneous users.

Perguntas de Prática

Q1. A boutique hotel chain is upgrading its WiFi across 15 properties. The IT Director wants to move to cloud-managed APs but the Compliance Officer is concerned about PCI DSS compliance for the point-of-sale (POS) terminals in the restaurants. What is the correct architectural approach?

Dica: Consider how data plane traffic is handled in cloud-managed deployments and the requirements of network segmentation.

Ver resposta modelo

Cloud-managed APs are fully suitable, provided proper network segmentation is implemented. The IT team must configure separate VLANs for guest WiFi and the POS network. Because cloud-managed APs utilise out-of-band management, the POS data traffic will break out locally and will not traverse the vendor's cloud, satisfying PCI DSS requirements for the data plane. The vendor's cloud platform must hold appropriate security attestations (e.g., SOC 2) for the management plane.

Q2. During a peak trading event, the primary WAN link at a retail store fails. The store falls back to a low-bandwidth 4G connection. The cloud-managed APs remain online, but the IT team reports they cannot push configuration changes to the store via the dashboard. Why is this happening, and how should the network have been designed to prevent it?

Dica: Consider the relationship between management traffic, data traffic, and QoS on constrained links.

Ver resposta modelo

The APs are operating in 'local survivability' mode. The low-bandwidth 4G connection is likely saturated by essential POS or guest traffic, causing the management tunnels (HTTPS/TLS) to the cloud controller to drop or time out. To prevent this, the network architect should have implemented Quality of Service (QoS) rules on the edge router/firewall to guarantee a minimum bandwidth allocation and prioritise the AP management traffic over the failover link.

Q3. A university campus with an existing controller-based architecture wants to deploy Purple for guest analytics. The network team states they cannot integrate because they do not use cloud-managed APs. Is this correct?

Dica: Consider Purple's integration methodology and hardware dependencies.

Ver resposta modelo

No, this is incorrect. Purple is hardware-agnostic and does not require a cloud-managed architecture. The university's existing Wireless LAN Controllers (WLCs) can be configured to integrate with Purple using standard RADIUS authentication and accounting protocols, redirecting guest traffic to the Purple captive portal. The analytics data will be generated identically to a cloud-managed deployment.