Description:

This article outlines the best practices for using WLC tunnels and SSIDs.



When operating WLC tunnels:
  • WLC tunnels can be used in scenarios where the operating mode LAN at AP cannot or should not be used with VLAN.
  • Operating a WLC tunnel incurs an overhead, which will result in a lower performance than with the operating mode LAN at AP. The amount of the performance loss depends on the respective scenario. For this reason, operate as few WLC tunnels as possible.
    Important:
    Multiple WLC tunnels should never be assigned to the same bridge group. This can cause the CPU load on the WLAN controller to increase sharply and place the device under permanent load.


When operating SSIDs:
  • You should operate as few SSIDs as possible, as each SSID increases the base load on the WLAN channel.
  • In high-density scenarios, a maximum of two SSIDs should be used (one SSID for internal purposes and one SSID for other purposes, such as a guest network).
  • The use of hidden SSIDs should be avoided.
    • One effect of using hidden SSIDs is to increase the load on the WLAN channel. Each time a WLAN device receives a beacon with a hidden SSID, it sends a probe request to the access point for each of its stored WLAN profiles, to see if one of those profiles is present on the access point. This process is repeated for every other access point that broadcasts a hidden SSID, because the WLAN device cannot detect whether the hidden SSIDs belong together.
    • Another effect is that the use of a hidden SSID does not improve security: on the contrary, security is reduced. If the SSID is known to attackers, they can set up a suitably prepared access point (rogue AP). This then answers the probe requests from a WLAN device (man-in-the-middle attack).
  • If you need to operate a number of separate WLAN networks, it is also possible to make use of LEPS-U or RADIUS authentication (802.1X). In these cases, only one SSID is broadcast. VLAN IDs are used to direct the WLAN devices to different networks, so confining the communications between WLAN devices to their separate networks.
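The probe-request behaviour described under hidden SSIDs above can be made visible from a management-frame capture. The following is an added example, not code from the article or from LANCOM: the record format, the SSID and MAC names, and the assumption that a client sends one directed probe per stored profile for every hidden beacon it sees are all constructed for illustration.

```python
"""Added example (not from the article): estimate the probe-request load that
hidden SSIDs provoke, using constructed 802.11 management-frame records.
Record layout, SSID names and MAC labels are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    kind: str   # "beacon" or "probe_req"
    src: str    # transmitter (AP for beacons, client for probe requests)
    ssid: str   # "" = hidden SSID in a beacon, or a wildcard probe request


# Constructed capture: two APs hide their SSID, one broadcasts it.
# Client cl-a answers each hidden beacon with one directed probe per stored
# profile; client cl-b only sends a wildcard probe and discloses nothing.
CAPTURE = [
    Frame("beacon", "ap-01", ""),             # hidden SSID
    Frame("beacon", "ap-02", ""),             # hidden SSID, same network as ap-01
    Frame("beacon", "ap-03", "CORP-WLAN"),    # visible SSID
    Frame("probe_req", "cl-a", "CORP-WLAN"),  # cl-a walks its profiles for ap-01
    Frame("probe_req", "cl-a", "HOME-NET"),
    Frame("probe_req", "cl-a", "HOTEL-FREE"),
    Frame("probe_req", "cl-a", "CORP-WLAN"),  # ...and again for ap-02, since the
    Frame("probe_req", "cl-a", "HOME-NET"),   # client cannot tell the two belong
    Frame("probe_req", "cl-a", "HOTEL-FREE"), # together
    Frame("probe_req", "cl-b", ""),           # wildcard probe
]


def hidden_ssid_report(frames):
    """Count hidden beacons and directed probes; list each client's disclosed profiles."""
    hidden_aps = {f.src for f in frames if f.kind == "beacon" and f.ssid == ""}
    directed = [f for f in frames if f.kind == "probe_req" and f.ssid]
    wildcard = sum(1 for f in frames if f.kind == "probe_req" and not f.ssid)
    disclosed = defaultdict(set)
    for f in directed:
        disclosed[f.src].add(f.ssid)   # profile names the client reveals on air
    return {
        "hidden_aps": len(hidden_aps),
        "directed_probes": len(directed),
        "wildcard_probes": wildcard,
        "disclosed_profiles": {c: sorted(s) for c, s in disclosed.items()},
    }


def expected_directed_probes(clients, profiles_per_client, hidden_aps):
    """Directed probes per beacon interval if every hidden beacon triggers one
    probe per stored profile on every client (the model assumed above)."""
    return clients * profiles_per_client * hidden_aps


if __name__ == "__main__":
    print(hidden_ssid_report(CAPTURE))
    print(expected_directed_probes(50, 5, 10))
```

With a visible SSID, cl-a could have matched the beacon directly and the six directed probes (and the three profile names they reveal) would not have been sent.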