Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
You must decide whether or not to use a dedicated SSID (and a separate virtual AP) for one or more highly mobile devices (HMDs) in your design. Base this choice more on the RF and 802.11 capabilities of the device than on security. The dedicated firewall integrated into the controller allows the administrator to decouple the SSID used for connectivity from the security and QoS policies, which are based on the user profile and traffic type.
The wireless architect should always seek to use shared SSIDs unless there is a specific reason to do otherwise. Every defined SSID consumes system resources for policy application, LAN bandwidth due to additional tunnels, and spectrum for beacons and other management overhead. In many cases, the cost of additional SSIDs outweighs the benefits. However, for certain roaming devices, a dedicated SSID can result in significant throughput or battery performance advantages.
A dedicated SSID should be used for HMDs if one of the following applies:
- The majority of devices that will associate to the SSID have manufacturer-suggested Delivery Traffic Indication Message (DTIM) settings greater than the default settings. The battery save settings (Power Save and DTIM settings) on some devices, such as voice and single-purpose HMDs, can be optimized to larger DTIM values to improve battery life without adversely affecting device operation. Changes in the DTIM value affect data client performance, so if this SSID parameter needs to be modified from its default setting, a different SSID profile should be used for that group of HMDs.
- Any nondefault 802.11 settings need to be configured to optimize HMD connectivity performance.
- Any nondefault AAA profile settings need to be configured for some HMDs.
- Any nondefault virtual AP profile settings need to be configured for some HMDs.
- The encryption and authentication levels supported by some HMDs do not match the encryption and authentication mechanisms enforced on multipurpose HMDs.
- The encryption and authentication methods supported by the HMDs match the security enforced on multipurpose HMDs, but these settings adversely affect HMD roaming due to possible legacy driver behavior or processing power, which would require different 802.1X profile settings to resolve certain key or timing behavior.
- The HMD device infrastructure, such as that for voice HMDs, demands a dedicated VLAN because it does not support Layer 3 connectivity back to certain application servers (like voice call servers).
If none of these criteria match, it should be possible to use the same SSIDs and the same encryption and authentication methods for all HMDs. Different levels of QoS can be enforced based on the traffic type without requiring a separate SSID.
For more information, see:
- Answer ID 489, "What is the DTIM? And how do we use it?"
- The "Understanding Design Principles for Roaming Devices" chapter in the Virtual Optimizing Aruba WLANs for Roaming Devices document.