Apr 4

VLANs: Why You Need Them and How They Work (Part 2)

By Jason Hintersteiner

VLANs, or Virtual Local Area Networks, are one of the most powerful, most misunderstood and underutilized tools for Wi-Fi networks in private homes and small-to-medium businesses. This post is part two of three articles on VLANS and provides a practical guide as to why and how you should use them.

How do VLANs work?

Client devices don’t know, and generally shouldn’t know, anything about the VLAN configuration of a network. All VLAN configuration is done on the network router, switch(es), and access point(s). When a client device sends data, each packet is “tagged” as it enters the network so it can be routed to the correct destination, in much the same way your luggage is tagged when you check it at the airport. When the data reaches its intended destination, the tag is removed, which is commonly referred to as either “untagging” or “stripping the tag”.

In networking, the VLAN tag is a 4 byte element inserted into the Media Access Control (MAC) header of the packet. This element contains a 12 bit number indicating the VLAN ID (or VID), meaning that, in theory, a network can have 2^12 or 4096 tags. The all-zero and all-one tag (i.e. VLAN 0 and VLAN 4095) are not used, per the 802.1q specification. Furthermore, VLAN 1 is reserved for “untagged traffic,” meaning that any data traffic in a network that does not have a VLAN tag is considered to be on VLAN 1. This is why all switch and access point VLANs are defaulted to VLAN 1.

By default, each port on a switch will drop VLAN traffic, so any VLAN traffic that is allowed through a switch port must be explicitly defined in the switch configuration. Trunk ports are used to interconnect switches (and access points), where each VLAN in use on the network is explicitly defined as a tagged VLAN, meaning that the switch will pass traffic on that VLAN without touching the VLAN tag.

The tagging/untagging mechanisms in switches and access points differ depending on whether the client is wired or wireless, but functionally they are identical:


  • A wireless client associates to a particular SSID. In the AP configuration, the SSID is associated with a particular VLAN. All traffic coming from a wireless client is tagged with the VLAN ID associated with the SSID. The AP strips the tag associated with the SSID for all data traffic transmitted to a wireless client.
  • So, from the perspective of the switch, all traffic coming from or going to an access point is tagged.


  • #1 The PVID or Port LAN ID, indicates the VLAN ID that should be tagged onto all traffic coming into the port (i.e. from the wired client). Since each port has allowed VLANs explicitly defined on it, an untagged VLAN can be defined, such that any traffic on that particular VLAN gets its tag stripped before the traffic leaves the port. By definition, a wired port connected to a client can have only one PVID and should have only one untagged VLAN. These two should match in order for the connected wired client to communicate in both directions on that VLAN.
  • #2 The router configuration similarly becomes a bit more complex. Each VLAN on the network is considered to be a sub-interface of the LAN interface (since multiple VLANs exist on the same physical wire/NIC). So, instead of defining an IP address, subnet, and DHCP range for a single LAN, each VLAN is treated as a separate LAN, and requires an independent subnet, IP address, and DHCP range.*
Typically, VLANs are used to keep the various LAN subnets isolated, so the router is generally routing WAN to VLAN. Cross-VLAN routing can be done in specific instances, and usually requires the setup of explicit rules with particular exceptions.

One common example would be a hotel with a printer in the lobby. If staff and guests are both meant to use the printer, it could be placed on the visitor VLAN with router rules defined to route traffic from the operations VLAN to the printer on the visitor VLAN. In such a case, however, it is often simpler and cheaper to just buy two printers.

Next time we’ll talk about, “What is Management VLAN and whether or not you should use it.”

Editor’s Note:  This post was originally published in June 2015 and has been updated.

About the Author:  Jason is a Certified Wireless Network Expert (CWNE #171), and holds several industry certifications. He is a Field Applications Engineer Manager, Trainer and Curriculum Developer for EnGenius’ Certified and Advanced Certified System Engineer courses. Jason holds a Masters in Mechanical Engineering from MIT and an MBA from the University of Connecticut. Follow him on Twitter @emperorWiFi

* By convention, some people like matching the second or third octet of the subnet to the VLAN ID. For example, VLAN 8 could be given the subnet or, VLAN 16 could be given the subnet or, etc. These settings are independent, so no correlation between the VLAN ID and the subnet is required, but it is often convenient.

Feb 24

VLANs: Why You Need Them and How They Work (Part 1)

By Jason Hintersteiner

VLANs, or Virtual Local Area Networks, are one of the most powerful, most misunderstood and underutilized, tools for Wi-Fi networks in the private homes and small-to-medium-businesses. This post provides a practical guide as to why and how you should use VLANs.

What are VLANs?

At its simplest, VLANs enable you to transform one physical Local Area Network into multiple, isolated, logical Local Area Networks. VLANs give you multiple LANs with different purposes and intents that are co-located physically, without the expense of additional hardware and cabling. This is extremely useful even for small network applications, especially with the growth of IoT and the proliferation of network appliances measuring and controlling our environment.

Take the “simplest” case of a private home. Even when you only need a single access point to provide Wi-Fi coverage, there are, at least, two distinct and isolated networks needed.

  • For the residents, allowing access to all PCs, network printers, multimedia devices such as AppleTV or SONOS, IP cameras, NEST thermostats, and the like.
  • For guests, that allows Internet access, yet keeps the primary network secure. The homeowner undoubtedly doesn’t want their teenager’s friends, for instance, to hack any of the computers or network appliances in the home.
In more complex SMB applications such as coffee shops, restaurants, doctors’ offices, and multi-dwelling units (apartment buildings, dormitories, hotels), at least two distinct and isolated networks are needed.

  • For business staff for operations, such as point-of-sale, IP surveillance, access control, HVAC control, multimedia, etc.
  • For the businesses’ customers or visitors, which allows Internet access but not access to any network devices used for operations.
Most Wi-Fi networks need to be segmented, at least, into an operations network and a visitor network, with separate access and usage parameters.


  • Access: Restricted to authorized personnel.
  • Data: Company confidential (e.g., especially financial and security data).
  • Security: For a small network, a WPA2-AES Pre-Shared Key provides sufficient security (i.e., a wireless client must know the code to connect). In larger setups, using 802.1x with RADIUS may be appropriate.
  • Device Interaction: Client devices should be able to communicate with each other.
  • Further Segmentation: In some environments, breaking up the operations network into multiple VLANs by function is appropriate, especially to separate out applications like security (i.e., cameras and access control), facilities (HVAC, lighting control), and VoIP.


  • Access: Unrestricted. Also commonly called a “hotspot.”
  • Data: Guest/user data.
  • Security: Typically no encryption is used to facilitate access, though a captive portal may or may not be used to capture email/social media information or set out terms and conditions.
  • Device Interaction: Not permitted. (For example, you don’t want a hotel guest hacking into a device in a different room).

Why a Password on Guest Wi-Fi Doesn’t Increase Data Security

A note on security for visitor/hotspot networks: I keep encountering “visitor” networks that require a WPA2-AES pre-shared key. This is actually quite pointless, and creates a false sense of security. The logic of using a pre-shared key is that a hacker sniffing unencrypted radio frequency transmissions can intercept data traffic. That is true. Unfortunately, using pre-shared key encryption doesn’t solve the problem.

A hacker that has the pre-shared key and who captures the association exchange (which is unencrypted) between a client device and an access point when it connects to the network can use the collective information to decrypt the client device traffic. Furthermore, most security issues on visitor/hotspot networks do not require sniffing the radio frequency, but come from the “wired side” of the network.

Wi-Fi encryption only occurs between the client device and the access point, as the AP decrypts all data traffic before passing it on to the wired network infrastructure. If client isolation on the network is not set up properly (an all-too-common problem), a wireless hacker can simply connect to another wireless client device through the wired network.

So the only thing a WPA2-AES pre-shared key really provides is increased work for the staff, who have to give out the passphrase to all of the visitors. If you want to remain secure when using a hotspot/visitor network, make sure you are using application level security, such as https for web surfing and SSL for your email service. Personal or corporate VPNs are also appropriate and effective.

Many consumer wireless router appliances, such as the EnGenius ESR series, and enterprise wireless access points, such as most EnGenius APs in the EAP/ECB/ENS/ENH/EWS series, come with the ability to set up a “guest network” with a separate subnet and DHCP range. This allows the access point to create a Layer 3 (IP) barrier between the guest network and the operations network to isolate them from each other. Why not use this instead of a VLAN?

This feature is only appropriate for single AP networks. On networks consisting of multiple APs, this configuration prevents roaming between APs since each is creating a separate stand-alone guest network. Any client attempting to roam on the “guest network” will have to re-establish a Layer 3 connection, thus interrupting any streaming applications. So on multi-AP networks, VLANs should always be used to provide visitor/guest networking.

To learn more about VLANs, join us TechTalk: VLAN Fundamentals
March 9 at 10 am PST

Editor’s Note:  This post was originally published in June 2015 and has been updated.

About the Author:  Jason is a Certified Wireless Network Expert (CWNE #171), and holds several industry certifications. He is a Field Applications Engineer Manager, Trainer and Curriculum Developer for EnGenius’ Certified and Advanced Certified System Engineer courses. Jason holds a Masters in Mechanical Engineering from MIT and an MBA from the University of Connecticut. Follow him on Twitter @emperorWiFi

Feb 24

Three Secrets to Maximizing Coverage With FreeStyl Phone Systems

By Doug Hayter

Both the FreeStyl 1 and FreeStyl 2 systems are long range, single-line cordless phones designed to allow staff to make and take calls as they move about a property. With long-range coverage of up to six (6) floors of in-building penetration and 100,000 sq. ft. in an open area, these systems are ideal for homeowners and staff of large estates, front desk staff at motels and IT professionals in offices. Because different environments place different coverage demands on a wireless system, we’d like to share several secrets to evoking the best coverage and performance from these two incredible systems.

Secret 1: Place the FreeStyl Base Clear of Obstacles

Each wall, floor, appliance or piece of furniture a Wi-Fi signal passes through weakens it slightly. So to retain maximum signal over the greatest area, it’s best to put the base unit in an area relatively clear of obstruction. For example, in a motel, it would be best to place the base as far as is feasible from elevators, vending machines, and firewalls, which will interfere most with the signal.

When implementing this secret, the FreeStyl 2 has an advantage out of the box, because its base unit does not have a keypad, so it can be mounted on a wall, high above most obstacles.

Secret 2: Use the Outdoor Antenna Kit

The base unit’s rubber antenna can be removed (it’s a reverse-thread connector, so it can be detached from the base by turning the antenna connector counter-clockwise) and replaced by an optional outdoor antenna kit (SN-UL-AK20L). This outdoor antenna kit comes with over 60 feet of LMR400 low-loss coaxial cable and an Omni-directional 6dBi outdoor antenna. Mount this antenna on the roof and get excellent coverage over large outdoor areas.

Secret 3: Use the Indoor Antenna Kit

For indoor deployments, try the optional indoor antenna kit (SN-UL-AK20L-IND). This kit also comes with over 60 feet of LMR400 low-loss coaxial cable and an Omni-directional dome antenna. Mount this antenna on the ceiling to maximize the coverage in large indoor areas.

Bonus Secrets 4: Split the Signal

In areas where an obstacle hampers coverage so that you cannot mount the base above it, consider whether splitting the signal would allow for coverage in different areas. The FreeStyl systems can use the SN-ULTRA-AS Antenna Splitter with multiple antennas to enable coverage in two separate areas.

Bonus Secret 5: Protect the System

When using an outdoor antenna with a FreeStyl system, protect the base unit with the antenna lightning protection kit (SN-ULTRA-LPK). This kit protects the system against static charge build-ups by sending the charge to ground.

About the Author:  Doug is a Senior Product Line Manager for EnGenius’ Telecom products.

Dec 8

4 Vital Ways 11ac Wave 2 Will Boost Your Network

By Angie Tucker

A year since the first 11ac Wave 2 Access Points first hit the market, early technology adopters are taking advantage of the increased speeds and efficiencies offered by Wave 2. More have taken a wait and see approach, watching as market assortments increase and prices begin to fall.

The 2nd wave of 11ac technology products offer the most advanced wireless technology available. Along with their ultra-fast wireless speeds, reaching theoretical rates nearing 7 Gbps, Wave 2 products support the highest user capacities, built right into the standard.

Still many wonder, “Do I really need to upgrade to Wave 2?” Will my customers actually see that much of a difference in the network?” The following four reasons will help you understand why now is the time to seriously consider upgrading to Wave 2 technology.

1 Marked Increase in Wireless Speeds

The upsurge of mobile streaming video and voice applications puts a tremendous strain on wireless networks, decreasing their speed and efficiency. Wave 2’s increased speeds easily support latency-sensitive applications.

As stated above, 11ac Wave 2 supports theoretical wireless speeds topping nearly 7 Gbps. Though a vast majority of Wave 2 access points on the market aren’t yet offering speeds anywhere near 7 Gbps, available access point speeds are still incredibly fast, reaching rates closer to 1.7 Gbps.

Throughput over a Gig is still likely going to be more than enough to accommodate an abundance of bandwidth-heavy users in a variety of settings. In environments where more bandwidth is needed, Wave 2 is equipped to provide it.

2 Maximum User Capacities

While speed is critical to improving the user experience, network designers, and IT professionals will appreciate the increased number of users, devices, and applications that 11ac Wave 2 networks can handle. Wave 2 adds a fourth spatial wireless antenna stream, whereas previous wireless technology only supported up to three antenna streams. The additional stream, like a highway, adds another available “lane” for sending and receiving data, increasing the number of devices that can connect at a given time.

Increased capacities also mean greater support for Wi-Fi-dependent IoT devices, demanding corporate and education networks with multiple simultaneous devices per user, and the pervasive public availability of Wi-Fi in shopping, hospitality, entertainment and sports complexes.

Long term, Wave 2 future-proofs the network by supporting the increasing capacity needs of future IoT devices and mobile technology advancements on the broad 5 GHz frequency spectrum, which is expanded to support a wider frequency range, to 160 MHz, than earlier wireless standards which maxed out at 80 MHz.

3 Multi-User MIMO Improves Network Efficiency

The addition of MU-MIMO or Multiple User Multiple Input, Multiple Output is new with the 11ac Wave 2 release. MU-MIMO allows multiple Wave 2 client devices to simultaneously communicate with the Access Point improving the efficient use of the frequency spectrum and network bandwidth while allowing simultaneously connected devices to get on and off the network faster than ever.

This is a significant improvement over previous wireless standards, including 11ac Wave 1, which rapidly sent and received data to a single user device at a time.

4 Beamforming Antenna Technology

New antenna technology takes advantage of existing antenna designs to improve the directed efficiency of focused antenna signals to respective client devices. Beamforming technology provides optimal signal and reception reliability between access points and clients.

Beamforming adjusts beam signals instantly to counteract device movement and changing radio conditions. Beamforming enhances the user experience through improved connection reliability between the Access Point and user devices as they move about the network.

EnGenius Neutron EWS 11ac Wave 2 Access Points

EnGenius recently announced the availability of four new enterprise-class 11ac Wave 2 Access Points.

Ideal for deployment in high-density environments such as campuses, sports arenas, shopping malls, and resorts, Neutron 11ac Wave 2 APs combine MU-MIMO technology to provide high user capacities and ultra-fast speeds reaching 2.5 Gbps for reliable, fast connectivity to wireless client devices.

These new access points are designed to work with the Neutron Series Managed Switches and ezMaster™ Network Management Software to provide a scalable and flexible wireless management solution with no AP licensing fees.

Demo a 4×4 Access Point at 50% Off

About the Author:  Angie Tucker is a technical and marketing content writer, editor and media specialist for EnGenius who has worked in the technology industry for over 20 years.

Feb 15

Deploying Outdoor Access Points

By Jason Hintersteiner

Internet access for smartphones, tablets, and other mobile devices is no longer a luxury for business patrons – it’s a necessity. But there is much more to providing reliable, high-speed, high-density wireless access in outdoor environments than simply sticking an access point on the wall.

Due to the harsh conditions characteristic of outdoor environments, such as fluctuating temperatures and constant exposure to moisture and dust, typical indoor access points are not suitable for outdoor deployment. Outdoor access points are specifically designed to withstand the rigors of harsh environments and carry an IP (Ingress Protection) rating that certifies the level of protection the AP possesses against solids and liquids.

Since you’ll be mounting the access points outdoors in locations that are likely nowhere near a power outlet, make sure your APs support Power-over-Ethernet (PoE), which enable the AP to draw electrical power through the network cable. Using shielded CAT5e or CAT6 cable will prevent electromagnetic and RF interference from degrading the performance of your network.

By deploying dual-band access points, you can optimize network performance and user experience by employing features such as band steering, which automatically directs 5 GHz-capable devices such as smart phones and tablets to the less-congested 5 GHz band. This decreases the load on the often-saturated 2.4 GHz band to improve network performance for legacy devices such as network printers and point-of-sale (PoS) systems. Also, dual-band access points can support more users in high-density environments.

Things to keep in mind when selecting locations to mount the access points:

  • Mount the APs out of reach to keep people from tampering or defacing the units.
  • Mount the AP high enough for the signal to travel over any obstructions such as plants or outdoor furniture.
  • Make sure that the AP is securely mounted to keep it from being dislodged by wind or other weather elements.
  • Make sure to ground the AP to protect it during lightning storms. Using an inline Ethernet surge suppressor between the AP and your wired network is generally recommended.
Set the transmit output power level at a medium level, such as 17 dBm on the 2.4 GHz band and 23 dBm on the 5 GHz band. If the power level on the AP is set too high, many mobile client devices could be far enough away from the AP that they do not possess enough transmit power to talk back to the AP.

It may be desirable to paint your access points so that they’ll blend into the surroundings, but carefully consider the type of paint you use. Only use non-metallic paint, as metallic paint can act as an antenna and distort the coverage. Also, realize that painting the AP a dark color may cause it to heat up faster when exposed to the sun.

APs with internal antennas are generally considered more aesthetically pleasing, but an AP with removable external antennas gives you the option of adding higher-gain antennas for longer ranges. APs are available with directional or Omni-directional antennas, and the type you select will depend on your desired coverage. In general, APs with directional antennas will focus the signal in a particular direction, and thus reach further out than Omni-directional antennas.

Using network cable for connectivity to the network backbone, otherwise known as backhaul, is always best, but sometimes using a dedicated wireless backhaul link is necessary. We recommend using a separate, dedicated Point-to-Point (Pt.-to-Pt.) link for backhaul on an independent channel, then cross-connect the Ethernet port of the backhaul link to the Ethernet port of the AP rather than sharing the resources of the 5 GHz radio in the dual-band device for backhaul.

About the Author:  Jason is a Certified Wireless Network Expert (CWNE #171), and holds several industry certifications. He is a Field Applications Engineer Manager, Trainer and Curriculum Developer for EnGenius’ Certified and Advanced Certified System Engineer courses. Jason holds a Masters in Mechanical Engineering from MIT and an MBA from the University of Connecticut. Follow him on Twitter @emperorWiFi

Oct 12

Explaining Free Space Path Loss

By Jason Hintersteiner

The propagation of all radio signals is subject to Free Space Path Loss (FSPL), which is a mathematical definition of the geometric property that the further away you are located from the source of a radio transmission, the energy level in that signal drops as a function of the square of the distance. You can think of throwing a pebble into a pond; as the wave ripples out, the energy is spread over a wider and wider area, and the level of energy at any one point is proportionally smaller.

While this is a geometric effect, wavelength is included in the calculation in order to account for the fact that, mathematically, transmission energy is defined as coming from a point source known as an isotropic antenna. An isotropic antenna is defined as an antenna that radiates energy evenly in a perfect sphere with 0 dBi of gain. While defining such an antenna is mathematically convenient, it is physically impossible to build.

The following graph shows the free space path loss for Wi-Fi at 2.4 GHz and 5 GHz.

The following table shows the free space path loss at 1 meter (3 feet) away from the transmitter at various frequencies commonly used in the telecommunications industry.

Per FCC and other worldwide government regulations, a Wi-Fi signal, at most, has a maximum initial power of 30 dBm (1 W, or 1000 mW), and within the first 3 feet over 40 dB of energy is lost (100 W), meaning that the level of exposure 3 feet away is below -10 dBm (0.0001 W, or 0.1 mW).

Comparative Example 1: Microwave Oven

A microwave oven operated on the 2.4 GHz bands at around 1000 W (60 dBm). Granted microwaves are shielded, but the shielding is not perfect and deteriorates over time, which is why microwave ovens typically interfere with Wi-Fi when in operation, because they put out more energy on the 2.4 GHz band than an AP and this flood the channel, causing wideband interference. Three feet away from a leaky microwave oven, the 2.4 GHz energy level decreases by 40 dB to 20 dBm (0.1 W, or 100 mW), or about 1000x higher than a Wi-Fi access point.

Comparative Example 2: Ham Radio

A ham radio typically operates at 50 W (47 dBm) at 440 MHz. The FSPL at three feet away (i.e. where the operator is sitting) is about 25 dB (approximately 0.32 W or 320 mW), leading to an exposure level of 22 dBm (0.16 W or 160 mW), or about 1600x higher than a Wi-Fi access point.

Comparative Example 3: Cell Phone

A typical cellular phone operates at 23 dBm (0.25 W or 250 mW). However, it operates very close to your head when on a call (about 2 inches), which provides a minimal FSPL of only 3.5 dB (0.0022 W, or 2.2 mW) at 700 MHz (Verizon LTE). This leads to an exposure level of 19.5 dBm (90 mW or 0.09 W), or approximately 100x higher than a Wi-Fi access point. You get more exposure to RF energy from using your cell phone, a ham radio, and a microwave oven than you do from a Wi-Fi access point.

Comparative Example 4: Cell Tower

A typical cellular tower operates around 40 W (46 dBm). At 700 MHz (Verizon LTE), the FSPL at about 1/2 mile – 1 mile away is about 90 dB, leading to an exposure level of -44 dBm (0.00004 mW or 0.00000004 W), or about 4000x lower than from a Wi-Fi access point.

About the Author:  Jason is a Certified Wireless Network Expert (CWNE #171), and holds several industry certifications. He is a Field Applications Engineer Manager, Trainer and Curriculum Developer for EnGenius’ Certified and Advanced Certified System Engineer courses. Jason holds a Masters in Mechanical Engineering from MIT and an MBA from the University of Connecticut. Follow him on Twitter @emperorWiFi

Oct 6

Wi-Fi Beacon Frames Simplified

By Jason Hintersteiner

We talk about the Wi-Fi offerings on one AP, or across multiple APs in the same extended service set (ESS), as if it is all one unified network. In reality, each AP has its own set of SSIDs, and each SSID is on its own VLAN. We set up multple SSIDs purposely to make each of these different SSIDs an “independent” network. Similarly, the SSIDs on the 2.4 GHz band are “independent” from the SSIDs on the 5 GHz band, because different physical radios and antennas are used. I’m using “independent” in quotations, as there are some coupling terms between the SSIDs on the same AP and between the same SSID offered on both the 2.4 GHz and 5 GHz bands. Hence, while we can configure all of these SSIDs and networks independently, they do have interactions in the unbound RF medium, and thus we want to maintain certain relationships between them.

Every SSID on each band broadcasts its own unique beacon frame. This is a periodic advertisement broadcast out to tell any listening devices that this SSID is available and has particular features / capabilities. Client devices depend upon these beacon frames to discover what networks are available (passive scanning), and to ensure that the networks that they are associated with are actually still present and available. A client also has the option to perform active scanning, where a client device sends a broadcast request to see what networks are available, and each SSID from each AP in range will send out a unicast probe response that has the same information as a beacon frame.

Think of a beacon frame as a guy/gal standing out in front of a shop in a silly costume, advertising the shop to any and all passers-by. In contrast, think of the probe request as a potential customer coming up to the guy/gal in the costume and asking “what do you offer?” In the scenario where an AP offers multiple SSIDs (either within the same band and/or across bands), extend the analogy to a strip mall with multiple shops, where each shop has someone in a different silly costume making an advertisement to passers-by, but they have a mutual agreement than only one of them will talk at a time, so they do not talk over each other and confuse customers (i.e. “avoid collisions” in Wi-Fi parlance). The probe request from the client can contain a specific SSID, analogous to a customer walking up to a specific costumed advertiser to ask “what do you offer?”, or a null SSID analogous to a customer asking the entire group of costumed advertisers at once “what do all of you offer?”, with then each costumed advertiser giving his/her unique response.

Each beacon frame (or probe response) contains a lot of information about the specific SSID being offered. While not a complete list, the really important items are as follows:

  • SSID Name: 1-32 character name of the network
  • BSSID: Unique Layer 2 MAC address of the SSID
  • Security capabilities: e.g. open, WEP, WPA, WPA2, personal (passphrase) vs. enterprise (802.1x with RADIUS server)
  • Channel: specific frequency that this SSID on this AP is operating on
  • Channel width: e.g. 20, 40, 80, 160 Mbps
  • Country: List of all supported channels and corresponding channel settings
  • Beacon interval: How often the AP sends out this beacon frame
  • TIM / DTIM: Used for power management to allow devices that sleep to wake up at specific intervals to find out if there is unicast or broadcast data waiting for them
Quite importantly, beacon frames also advertise the connection speeds that the AP can use to connect to a client device. These are broken up into a few different categories:

  • Basic rates: These are the 802.11a/b/g speeds that every connecting client device MUST support in order to maintain a connection
  • Supported rates: These are the 802.11a/b/g speeds that the AP will support and could use if the client device also supports those speeds
  • 802.11n MCS rates: These are the subset of the 78 total modulation and coding schemes (MCS) that are defined for 802.11n that the AP supports. In reality, it gets dictated by the number of spatial streams that the AP supports (MCS 0 -7 for single stream, MCS 8-15 for dual stream, MCS 16 – 23 for three streams, and MCS 24 – 31 for four streams). MCS32 – MCS77 are defined as combinations of asymmetric rates across different streams, which sounds like a neat idea but is utterly impractical in practice.
  • 802.11ac MCS rates / streams: This is simplified compared to 802.11n, as there are no asymmetric rates, and the particular modulation and coding stream combination use the same index no matter how many streams. 256 QAM is added, providing two additional modes per stream, so these are simply MCS 0-9. The beacon indicates whether the AP supports MCS 0-9 on one stream, on two streams, on three streams, etc. up to eight streams. While the beacon is architected such that it could exclude particular modes, e.g. “I don’t support MCS 5 on three streams”, the spec dictates that an AP must support all 802.11ac MCS modes across all of the streams it has available.
Beacons are always sent at the lowest basic rate (and primary channel when using extended channels in 802.11n/ac). This is done to ensure that every possible client in range of the AP hears the beacon frame. When an AP has multiple SSIDs (on the same and/or across multiple radios), it sends out a separate beacon for each SSID on each radio. Each SSID in a particular band must have a unique MAC address, so typically one of the hexadecimal digit (usually the last, but some vendors increment the first) is incremented so that each SSID has a unique MAC address.

If you opt to “hide” the SSID, then the SSID name is blank, but the rest of the beacon is still sent out normally. When the client decides to associate with an SSID, it has to specify the SSID name in the (re)association frame it sends to the AP. This is why hiding an SSID is ineffective as a security measure and thus generally advise network admins not to bother: anyone capturing association / reassociation request frames with a Wi-Fi packet analyzer will capture the name of the SSID in clear text.

Considerations for in-band (2.4. GHz OR 5 GHz) beacon frames

In the case where there are multiple SSIDs within the same band, all of the parameters could be set independently. Obviously the SSID name, BSSID, and the security features are going to be unique, and the channel setting, channel width, and country will be identical. But what about the other parameters?

  • Beacon interval: Usually consistent across all SSIDs within a band. To my knowledge, there isn’t anything to be gained if some of your SSIDs beacon more frequently than others. A typical beacon interval is 100 time units (a time unit is 1.024 ms, so every 102.4 ms). One would use a longer beacon interval (e.g. 300 time units or 307.2 ms) to reduce overhead in the channel, since beacons are transmitted at the lowest speeds and each SSID requires its own beacon).
  • TIM / DTIM: Usually consistent across all SSIDs within a band. To my knowledge, there isn’t anything to be gained if some of your SSIDs require more frequent check-ins from sleeping client devices vs. others. A typical DTIM will require that a sleeping client (e.g. VoIP phone, smartphone, tablet) be awake for every 3-5 beacon frames to check to see if any frames have been queued for it in the interim. If you are using a slower beacon interval, then it is common to require a sleeping client to check in on every beacon.
  • Connection Speeds: Usually consistent across all SSIDs within a band. To my knowledge, there isn’t anything to be gained by allowing particular connection speeds on some SSIDs and not others. Changing lowest basic rates will change the speed at which particular beacons are transmitted, but again there is no advantage to having some beacons go out at faster speeds than others.
I suppose there are some rare use cases where one might want particular SSIDs to act differently. One potential scenario is a guest network, where I want to maximize compatibility with all possible devices that could connect vs. a staff network, where the admin has strict control over the devices and their locations on their network and wants to “optimize” their performance. To me, this seems to introduce a fair amount of complexity for dubious practical gains, which is a situation I generally try to avoid.

Cross-band (2.4 GHz AND 5 GHz) beacon frames

In the case where we have the same SSID on both the 2.4 GHz and 5 GHz bands, we generally want to take advantage of a feature called band steering to force dual-band clients to use the 5 GHz band. The 5 GHz band generally has wider channels and fewer sources of external interference, making for a faster user experience. In this case, the SSID name and all security features (along with VLAN settings, which are set on the AP but are not part of the beacon) should be identical. The channel and channel width will be different (by definition). The connection speeds will be somewhat different based on the differences between 802.11b/g/n on the 2.4 GHz band and 802.11a/n/ac on the 5 GHz band. There is no need to support 802.11b speeds on the 5 GHz band, though the 802.11a and 802.11g speeds are identical, and the 802.11n speeds are also identical (if the streams are identical). As for beacon interval, these are usually identical but there is no requirement to do so. Based on the usage characteristics per band (i.e. how many clients per band, what connection speeds being used, etc.), it could be advantageous to tweak this setting per band to optimize overhead performance.

Across the 2.4 GHz and 5 GHz bands, since the radios are independent on both the AP and client device, some vendors increment the BSSID to identify the particular SSID and some vendors don’t. In this case, it doesn’t matter if the BSSID is reused since 2.4 GHz and 5 GHz transmissions cannot hear each other, and the Layer 1 (physical) and Layer 2 (MAC, think Wi-Fi chipset) levels are physically separate from each other.

The most common network scenario in practice is the need to support 802.11b devices (either legacy or new low-power IoT) and/or 802.11g devices (legacy). Both of these are on the 2.4 GHz band. There were virtually no independent 802.11a client devices, as this standard was primarily used for dedicated point-to-(multi)point wireless links. Hence, if a network needs to support slower 2.4 GHz devices, one probably wants to leave the network configured with a standard beacon interval of 100 time units and support for all 802.11 b/g rates. On the 5 GHz network, we almost always want to maximize performance, so on this band it would make sense to make tweaks, such as using longer beacon intervals (e.g. 300 time units) and drop support for some of the slower 802.11a connection speeds, such as 6 Mbps and 9 Mbps.

About the Author:  Jason is a Certified Wireless Network Expert (CWNE #171), and holds several industry certifications. He is a Field Applications Engineer Manager, Trainer and Curriculum Developer for EnGenius’ Certified and Advanced Certified System Engineer courses. Jason holds a Masters in Mechanical Engineering from MIT and an MBA from the University of Connecticut. Follow him on Twitter @emperorWiFi