@FlyingFrames It's important to note two things:

Firstly, segmenting traffic with VLANs will limit the impact of broadcast, ARP requests, multicast, etc., on 802.3. This, however, may have a limited effect on 802.11 as the medium (the airtime/channel/RF spectrum) is shared between all devices emitting RF signal. For example, if you have two clients connected to an AP with an SSID called 'Employee', the first client is on VLAN 40 and the second is on VLAN 50. When a broadcast packet is sent on VLAN 40, the device on VLAN 50 will need to wait for the packet to be sent, acknowledged, etc., before it can start to receive or send its own packets, even though it's on a different VLAN. To avoid this scenario, you need to make sure VLAN 40 is only on certain APs and VLAN 50 on the other APs - this isn't really true load balancing but can work in certain environments.

Secondly, designing a network where certain APs connect clients to VLAN 40 and other APs connect clients to VLAN 50 can cause roaming issues. I tested the following extensively a few years ago with Windows 7 and iOS clients; maybe my testing is now out of date but I don't believe so. Imagine a scenario where the SSID is called 'Employee', VLAN 40's subnet is 192.168.40.0/24 and VLAN 50's subnet is 192.168.50.0/24. A client is associated to an SSID called 'Employee' on VLAN 40 with an IP of 192.168.40.10 and the client then roams to an AP where it is put into VLAN 50. The client shouldn't do a DHCP request as it thinks it has been connected to the network the whole time. Remember the whole point of roaming is to be quick and drop the minimum of packets, but doing a DHCP request only slows things down. This means that the client's NIC will still think it's in VLAN 40 with the IP address of 192.168.40.10 and thus won't be able to communicate with anything within VLAN 50 (as they're on different subnet ranges) and it won't be able to find its own default gateway (as the DG isn't in VLAN 50).
To avoid this scenario you need to make sure the client actually disassociates from the SSID completely before moving between areas that have VLAN 40 and VLAN 50; when the client rejoins the SSID it should action a DHCP request and receive a new IP address in the new VLAN. I personally would look at investigating client isolation, as long as the employee devices don't need to communicate directly with each other. Some vendors, in VHD situations, are actually starting to recommend one large VLAN (i.e. a /8) with client isolation enabled. Other things to consider are what your minimum base rates are set at (broadcasts are sent at the MBR), what the client to AP ratio is, whether the WiFi network is separated from the LAN, any CCI issues, and where the broadcast traffic is coming from (I've seen networks crippled by one device generating an excessive amount of broadcast traffic).
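The roaming scenario in the reply above, as an added example that is not part of the original post: a small Python model that (a) audits a constructed set of APs for neighbouring pairs that map the same SSID to different VLANs, the design flaw that makes the roam break, and (b) checks whether a client's retained DHCP lease still works in the VLAN it has roamed into. The AP names, neighbour relationships, and the assumption that a full disassociate/reassociate yields a fresh lease at .10 with the gateway at .1 are all constructed for illustration; the VLAN ids and subnets mirror the post's scenario.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example data; VLAN ids and subnets follow the post's scenario.
VLAN_SUBNETS = {
    40: ipaddress.ip_network("192.168.40.0/24"),
    50: ipaddress.ip_network("192.168.50.0/24"),
}


@dataclass
class AccessPoint:
    name: str
    ssid_vlans: dict                              # SSID -> VLAN that AP places clients in
    neighbours: set = field(default_factory=set)  # APs a client can roam to (constructed)


@dataclass
class ClientLease:
    ip: ipaddress.IPv4Address
    prefixlen: int
    gateway: ipaddress.IPv4Address


def roaming_vlan_mismatches(aps):
    """Flag neighbouring AP pairs where the same SSID lands in different VLANs.

    A client fast-roaming across such a pair keeps its old lease, so it ends up
    with an off-subnet address and an unreachable gateway. Returns a list of
    (ssid, ap_a, ap_b, vlan_on_a, vlan_on_b) tuples, each pair reported once.
    """
    by_name = {ap.name: ap for ap in aps}
    seen = set()
    issues = []
    for ap in aps:
        for nb_name in ap.neighbours:
            pair = tuple(sorted((ap.name, nb_name)))
            if pair in seen:
                continue
            seen.add(pair)
            a, b = by_name[pair[0]], by_name[pair[1]]
            for ssid, vlan_a in a.ssid_vlans.items():
                vlan_b = b.ssid_vlans.get(ssid)
                if vlan_b is not None and vlan_b != vlan_a:
                    issues.append((ssid, a.name, b.name, vlan_a, vlan_b))
    return issues


def lease_works_in_vlan(lease, vlan):
    """Can a client with this lease talk on the given VLAN?

    The client only ARPs for hosts inside its own prefix and sends everything
    else via its gateway, so both the address and the gateway must belong to
    the VLAN's subnet for traffic to go anywhere.
    """
    subnet = VLAN_SUBNETS[vlan]
    ip_ok = lease.ip in subnet
    gw_ok = lease.gateway in subnet
    return {"ip_on_subnet": ip_ok, "gateway_reachable": gw_ok, "usable": ip_ok and gw_ok}


def simulate_roam(lease, to_vlan, client_disassociated):
    """Model the two behaviours described in the post.

    A fast roam keeps the existing lease; a full disassociate/reassociate
    triggers DHCP in the new VLAN (assumed here to hand out .10 with the
    gateway at .1, constructed values).
    """
    if client_disassociated:
        net = VLAN_SUBNETS[to_vlan]
        lease = ClientLease(ip=net[10], prefixlen=net.prefixlen, gateway=net[1])
    return lease, lease_works_in_vlan(lease, to_vlan)


# Constructed topology: AP1 and AP3 both put 'Employee' in VLAN 40,
# AP2 puts it in VLAN 50, and AP1 neighbours both.
EXAMPLE_APS = [
    AccessPoint("AP1", {"Employee": 40}, {"AP2", "AP3"}),
    AccessPoint("AP2", {"Employee": 50}, {"AP1"}),
    AccessPoint("AP3", {"Employee": 40}, {"AP1"}),
]

# The client from the post: leased in VLAN 40, about to roam into VLAN 50.
EXAMPLE_LEASE = ClientLease(
    ip=ipaddress.ip_address("192.168.40.10"),
    prefixlen=24,
    gateway=ipaddress.ip_address("192.168.40.1"),
)

if __name__ == "__main__":
    for issue in roaming_vlan_mismatches(EXAMPLE_APS):
        print("roaming risk:", issue)
    for disassoc in (False, True):
        lease, result = simulate_roam(EXAMPLE_LEASE, 50, disassoc)
        print(f"disassociated={disassoc}: {lease.ip} -> {result}")
```

Running the audit over the constructed topology reports only the AP1/AP2 pair; AP1/AP3 share VLAN 40 and are fine. The fast roam leaves 192.168.40.10 stranded in VLAN 50 with both checks failing, while the disassociate/reassociate path yields a lease that passes, which is the behaviour the post recommends designing for.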