Number of SSIDs and Airtime

With complex networks, IoT devices, and nearly everything imaginable now able to connect to Wi-Fi, the practice of mapping an SSID to a single VLAN is becoming outdated. Traditionally, whenever data needed to be separated on a wireless network, a new SSID had to be created. Each SSID would then be mapped to a single VLAN, and the VLAN would be routed internally as required.

Mapping each SSID to a single VLAN led many organizations to create numerous SSIDs. I have personally seen a single AP broadcasting 14 SSIDs.

Why Is Adding More SSIDs a Bad Idea?

Each additional SSID increases management overhead. Wi-Fi, like all wireless technologies, has a fixed amount of airtime that must be efficiently managed.

At a certain point, the management overhead of multiple SSIDs consumes more airtime than the actual data traffic, reducing overall network efficiency.

Beacon Frames and Airtime Usage

A beacon frame is sent out every 102.4 milliseconds per SSID. These frames broadcast:

  • The SSID name
  • The security parameters supported by the SSID
  • The basic and supported data rates

Since beacon frames must be heard by all potential clients, they are transmitted at the lowest supported data rate:

  • On 2.4 GHz, beacon frames are sent at 1 Mbps.
  • On 5 GHz, beacon frames are sent at 6 Mbps.

This means that roughly every 100 milliseconds (about 10 times per second), clients must pause their operations to listen for beacon frames from every SSID in range.

The Impact of Excessive SSIDs

As discussed, excessive SSID overhead can bog down even the most well-designed network.

  • If a single AP is broadcasting multiple SSIDs, the impact may be minimal.
  • However, when multiple APs broadcast the same excessive number of SSIDs, airtime can be consumed quickly.

For a detailed breakdown, see this chart from Wi-Fi Professionals:
SSIDs Overhead Effect on Channel Utilization.
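
The airtime arithmetic behind this section, as an added example (not from the original article or the referenced chart). It assumes a 300-byte beacon, the long DSSS preamble on 2.4 GHz, and ignores contention and backoff, so the results are a lower bound; the function names are hypothetical.

```python
import math

BEACON_INTERVAL_US = 102_400  # 102.4 ms per SSID, as stated in the article
BEACON_BYTES = 300            # assumed beacon size; real beacons vary with their contents


def beacon_airtime_us(band, frame_bytes=BEACON_BYTES):
    """Airtime of one beacon in microseconds, excluding contention and backoff."""
    bits = frame_bytes * 8
    if band == "2.4":
        # DSSS at 1 Mbps, long preamble: 144 us preamble + 48 us PLCP header.
        return 192 + bits / 1.0
    if band == "5":
        # OFDM at 6 Mbps: 20 us preamble and SIGNAL field, then 4 us symbols
        # carrying 24 bits each (16 SERVICE bits + frame + 6 tail bits).
        return 20 + 4 * math.ceil((16 + bits + 6) / 24)
    raise ValueError("band must be '2.4' or '5'")


def beacon_overhead(ssids, aps_on_channel, band, frame_bytes=BEACON_BYTES):
    """Fraction of channel airtime spent on beacons; above 1.0 they cannot all fit."""
    per_interval = ssids * aps_on_channel * beacon_airtime_us(band, frame_bytes)
    return per_interval / BEACON_INTERVAL_US


def max_ssids(budget, aps_on_channel, band, frame_bytes=BEACON_BYTES):
    """Largest SSID count per AP that keeps beacon overhead within `budget` (0..1)."""
    per_ssid = aps_on_channel * beacon_airtime_us(band, frame_bytes)
    return int(budget * BEACON_INTERVAL_US // per_ssid)


if __name__ == "__main__":
    # Constructed scenarios: (SSIDs per AP, APs heard on the same channel).
    for ssids, aps in [(3, 1), (3, 3), (14, 1), (14, 3)]:
        for band in ("2.4", "5"):
            pct = 100 * beacon_overhead(ssids, aps, band)
            print(f"{ssids:2d} SSIDs x {aps} AP(s) on {band} GHz: {pct:5.1f}% beacon airtime")
    for band in ("2.4", "5"):
        print(f"{band} GHz, 3 APs, 10% budget: max {max_ssids(0.10, 3, band)} SSID(s) per AP")
```
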

The Solution: VLAN Segmentation Without Excessive SSIDs

To solve this problem, traffic must be segmented while ensuring each SSID remains secure. This is where Network Access Control (NAC) comes in.

A NAC system authenticates users and devices based on a predefined list. This list can be:

  • Manually generated
  • Tied to Active Directory roles
  • Dynamically assigned based on various factors

This method, known as Role-Based Access Control (RBAC), allows VLANs to be assigned based on user roles rather than relying on separate SSIDs.

Is This Too Complex for Small Networks?

Not really—similar access control models have existed for file permissions in Active Directory for decades. In fact, Novell NetWare had a similar system in the 1990s.

Example: Role-Based VLAN Assignment

Let’s consider a company with two SSIDs:

  1. Corporate SSID using 802.1X authentication
  2. Guest SSID with a splash page

Here’s how it works:

  • A corporate user enters their credentials.
  • The RADIUS server (typically tied to Active Directory) verifies them.
  • A properly configured NAC system assigns the device to the correct VLAN automatically.
  • Access Control Lists (ACLs) can then be used to restrict communication between VLANs, enhancing security—especially for IoT devices.

Alternatives: MPSK and iPSK

If NAC or 802.1X is not an option, some vendors offer:

  • MPSK (Multiple Pre-Shared Key)
  • iPSK (Individual Pre-Shared Key)

These work like traditional PSKs but allow multiple unique PSKs within a single SSID.

How This Helps

  • Each PSK is assigned a role in the system.
  • The controller maps roles to VLANs.

For example:

  • User with PSK1 → VLAN 92
  • User with PSK2 → VLAN 96

This allows for VLAN segmentation while using only one SSID. While most implementations are based on WPA2, vendors are working on WPA3-compatible versions.

Key Takeaways

  • Limit networks to 3 SSIDs or fewer whenever possible.
  • Manage airtime wisely: more SSIDs mean more airtime wasted on management traffic.
  • Use proper channel planning to avoid interference.
  • Ensure AP power settings are optimized for efficient coverage and minimal overlap.