Large vs Segmented VLANs for Wifi

YG
Here to help

Hello,
Currently I have a /22 subnet for about 700 users. I was wondering if it's best to break it into smaller sizes, i.e. per floor (about 100 users).
I didn't find an answer on whether the APs are optimized for broadcast, etc.
APs are MR44.

Thanks

12 Replies
alemabrahao
Kind of a big deal

It depends a lot on the scenario in general, but I particularly like to segment the VLANs by floor, so you don't have to leave all users in the same broadcast domain.

Brash
Kind of a big deal

Segmenting this makes complete sense. How you do it depends on your design.

I know some organisations segment into a VLAN/subnet per-floor for outlets and a separate one for Wi-Fi. This provides a logical way to split a larger network.

I've heard of others who segment per business unit, which is great for security but can be a pain if you don't have automation (or a very strong process) to manage user movements across outlets etc.

Boomerang94
Meraki Employee

The answer to your question is very subjective and highly dependent on the logical flow of traffic in the network. 


If you create 7 new VLANs (1 VLAN per floor), surely the size of each broadcast domain gets smaller. But if there is a lot of traffic flowing between these 7 VLANs, you are putting more load on the L3 gateway device (CPU specifically) as it now has to deal with extra inter-VLAN traffic - something that would not be required if all 700 users were in the same broadcast domain (since in L2 communication, nodes can directly talk to each other via source/destination MAC without requiring any L3 involvement). I personally have worked on some cases where the CPU of the gateway device has spiked from 40% to 80% because of this.


If the majority of this wireless traffic is northbound (going out towards gateway/Internet) - then surely segmenting it on a per-floor basis would be a smart move. You can find more information on high-density deployments in this KB: https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...


Cisco Meraki Network Support Engineer
PhilipDAth
Kind of a big deal

Personally, I wouldn't bother.

The single /22 is not that big, and it keeps the configuration simple. I would value the simplicity the most.

Otherwise you'll need to think about layer 3 roaming, or whether you use an L3 concentrator. You'll have to create a bunch of new VLANs and new DHCP pools. New trunk ports. VLAN allow lists. You might have to replicate a bunch of firewall rules for each VLAN. Will your attack surface be increased (even if by human error caused by the complexity)?

There are many more things to look at when something is broken.

YG
Here to help

Thank you all for your suggestions.

My concern is whether that is causing any "delays" or overhead for the users and whether it's best to split it. I want to exclude these scenarios for a better user experience.

Is there any feature/mechanism on Meraki APs that somehow limits broadcasts on large subnets?

PhilipDAth
Kind of a big deal

Meraki APs perform both ARP caching and what Meraki calls "Magic ARP".

https://documentation.meraki.com/MR/Other_Topics/MR_Access_Points_and_Magic_ARPs

The ARP broadcast issue is - well - not that much of an issue (IMHO). At least not at the scale of a /22.

You are in the perfect scenario to test this. While connecting to Wi-Fi, run a packet capture for broadcast traffic. How much broadcast traffic are you actually receiving? Is it less than 1 packet per second?
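
The measurement suggested above, as an added example that is not part of the thread or of any Meraki tool: a standard-library Python script that reads a classic libpcap file (what Wireshark saves when you choose "pcap"), counts frames sent to ff:ff:ff:ff:ff:ff and reports the average broadcast packets per second over the capture, with ARP requests and IPv4 broadcasts (e.g. DHCP discovers) broken out. The capture it parses is constructed inline with hypothetical MAC and IP addresses so it runs offline; for a real trace, pass `open("capture.pcap", "rb").read()` to `broadcast_stats()` instead.

```python
"""Count the broadcast traffic a Wi-Fi client actually receives.

Added example; not code from the thread or from Meraki. Parses a classic
libpcap file with the standard library only and reports broadcast pps.
The capture below is constructed inline so the script runs offline.
"""
import struct

BROADCAST = b"\xff" * 6            # Ethernet broadcast destination
ETH_ARP, ETH_IP4 = 0x0806, 0x0800  # EtherTypes we break out
PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
ARP_REQUEST = 1


def eth_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def arp_request(sender_mac, sender_ip, target_ip):
    """28-byte ARP 'who-has' body: htype=Ethernet, ptype=IPv4, opcode=1."""
    return (struct.pack("!HHBBH", 1, ETH_IP4, 6, 4, ARP_REQUEST)
            + sender_mac + sender_ip + b"\x00" * 6 + target_ip)


def build_sample_pcap():
    """Constructed 10-second capture: 6 ARP requests, 1 IPv4 broadcast and
    5 unicast IPv4 frames. Hypothetical MACs/IPs, not from the thread."""
    mac_a, mac_b = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")
    ip_a = bytes([10, 0, 0, 1])
    ip_payload = b"\x45" + b"\x00" * 19          # minimal IPv4 header stub
    frames = [(i * 1.5, eth_frame(BROADCAST, mac_a, ETH_ARP,
                                  arp_request(mac_a, ip_a, bytes([10, 0, 1, i]))))
              for i in range(6)]
    frames.append((8.0, eth_frame(BROADCAST, mac_b, ETH_IP4, ip_payload)))  # e.g. DHCP discover
    frames += [(2.0 * i + 2.0, eth_frame(mac_b, mac_a, ETH_IP4, ip_payload)) for i in range(5)]
    frames.sort(key=lambda f: f[0])
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in frames:
        sec, usec = int(ts), round((ts - int(ts)) * 1e6)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET (1), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def broadcast_stats(pcap_bytes):
    """Count frames with dst ff:ff:ff:ff:ff:ff and report broadcast pps."""
    stats = {"frames": 0, "broadcast": 0, "arp_request": 0, "ipv4_broadcast": 0}
    first = last = None
    for ts, frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < 14:                      # truncated, no Ethernet header
            continue
        stats["frames"] += 1
        first = ts if first is None else first
        last = ts
        if frame[:6] != BROADCAST:
            continue
        stats["broadcast"] += 1
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        if ethertype == ETH_ARP and len(frame) >= 22 \
                and struct.unpack_from("!H", frame, 20)[0] == ARP_REQUEST:
            stats["arp_request"] += 1
        elif ethertype == ETH_IP4:
            stats["ipv4_broadcast"] += 1
    duration = (last - first) if stats["frames"] > 1 else 0.0
    stats["duration_s"] = duration
    stats["broadcast_pps"] = stats["broadcast"] / duration if duration > 0 else float("nan")
    return stats


if __name__ == "__main__":
    for key, value in broadcast_stats(build_sample_pcap()).items():
        print(f"{key:16} {value}")
```

The script counts the same frames as the Wireshark display filter `eth.dst == ff:ff:ff:ff:ff:ff` (or the `ether broadcast` capture filter). One caveat when judging "how chatty is this /22": mDNS, SSDP and IPv6 neighbour discovery go to multicast MAC addresses, not the broadcast address, so they are not counted here; capture with `ether multicast` as well if those are the discovery protocols your clients use.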

YG
Here to help

I'd say about 5-6 pps now during office peak hours ("ether broadcast" in a Wireshark packet capture).

GIdenJoe
Kind of a big deal

The problems usually arise if you have low-performance IoT devices on the network that cannot handle a large amount of ARP requests.

I'm used to smaller networks, so outside of a guest SSID I don't see any scenario where I would need to have 1000 clients on any network. I can imagine having guests at a stadium where that is the case, but usually you would have them isolated so they can only talk to the internet.

In any normal company, if you do decent segmenting you wouldn't have such big subnets. But I can imagine that if you change it around and almost fully use SGTs for segmentation, you could have larger subnets.

YG
Here to help

Floors were designed for a /25 per floor. Wi-Fi at that time (prior to COVID) was not so heavily utilized, as we had desk phones for all users etc., so we did a /22 subnet. Post-COVID everyone was switching to Wi-Fi. And now basically I was wondering if I should follow the best practice (based on wired) and segment it, or if it's OK to have this /22 subnet.

Any comments for this?

https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Broadcast_Suppression_and_Contro...

GIdenJoe
Kind of a big deal

If all the connected devices are performant laptops and smartphones I wouldn't worry too much about the ARP spam; however, keeping up the minimum wireless data rate is a best practice (at least 12 Mbps).

When it comes to security, though, I would take a hard look at segmentation based on the function of the device, or perhaps even the function of the employee, so you have smaller subnets AND the ability to filter traffic based on business flows.

TBHPTL
Head in the Cloud

If you are talking about a /22 only for your wireless users, then there's no need to split it up. Meraki enterprise equipment will be able to handle a /22 without issue. Splitting it up will likely mean even more airtime for the added wireless overhead. If you are sharing the same /22 with your wired clients then, yes, split the wireless from the wired and let your L3 device and firewall decide who talks to what.
Monitor what you're actually using IP-wise and reduce lease times if needed.

IMO, if you have wired and wireless, you need at least 4 VLANs:

  • one for management traffic
  • one for wired employee business use (laptops pcs etc)
  • one for wireless employee business use
  • one for guest/visitor wireless use.

Ultimately, it depends... How simple or complicated do you want to make it? IMO, you can rest assured a /22 isn't crippling like it was 20 years ago for wireless or wired, especially so with true enterprise-class equipment.

YG
Here to help

Thank you all for your comments.

Indeed, it will be very time-consuming to redesign this. If it's not the same as it was before, then I will keep it as it is.

Thank you
