Enterprise Wireless Services Built to Perform Under Load

Every engagement produces an Ekahau project file (.esx), annotated heatmaps for signal strength (RSSI), signal-to-noise ratio, secondary coverage for 802.11k roaming, and channel/interference overlays — exported per floor or zone. The bill of materials includes AP model, mount type, antenna selection,

and cabling and PoE power requirements. Post-install validation adds a second walkthrough with the Ekahau Sidekick 2 to confirm the deployed network matches the predictive model before the engagement closes.

For a single-building commercial environment with complete as-built floor plans, a predictive design and draft BOM typically requires five to ten business days from receipt of materials. Multi-building campuses, healthcare facilities requiring RTLS coexistence modeling, or warehouse environments with high-bay racking that demands directional antenna modeling extend that timeline — usually two to four weeks. We return a fixed-fee SOW before work begins so scope, timeline, and deliverables are defined in writing.

Both. Wi-Fi 7 (802.11be) design and migration is a current service line. Engagements include multi-link operation (MLO) planning, 6 GHz channel strategy for the three available non-overlapping 320 MHz channels under AFC or LPI power class, preamble puncturing configuration for DFS-adjacent deployments, and 802.3bt PoE++ switch-port verification — because Wi-Fi 7 APs operating all three radios at full power typically exceed the 802.3at PoE+ budget.

Migration from Wi-Fi 6E infrastructure follows a documented controller and AP-image cutover sequence with zero unplanned downtime as the design target.

Design enterprise wireless to -67 dBm RSSI at the cell edge for data, with voice handoffs requiring -67 dBm and at least 25 dB SNR. Modern capacity-driven designs using Wi-Fi 6, 6E, and Wi-Fi 7 tighten the target to a -55 dBm to -65 dBm window to sustain MCS11 on a 40 MHz channel with soft roaming, with 6 GHz AP transmit power bounded at 18–21 dBm.

Every wireless site survey we deliver calls these thresholds per SSID and per client class, so your Ekahau design, AP placement drawing, and post-install validation all cite the same RSSI floor.

Voice handsets stay on the tighter edge; data SSIDs use the cost-effective -65 dBm line.

DFS was standardized in IEEE 802.11h. In the US, UNII-2A (5.260–5.320 GHz) and UNII-2C (5.500–5.720 GHz) give you 16 DFS channels. On boot or channel change, the AP must passively scan for radar for 60 seconds on non-TDWR channels and up to 10 minutes on weather-radar channels near airports. Any radar hit forces an immediate channel vacate.

DFS roughly doubles usable 5 GHz spectrum but introduces boot delays and sporadic client drops when radar is detected.

Older Symbol/Zebra scanners, BLE bridges, and some medical IoT silently refuse DFS channels — we validate every fleet per-model before enabling DFS in the wireless design.

The Cisco Catalyst 9800-80 supports up to 6,000 access points, 64,000 concurrent clients, and 80 Gbps of client-data forwarding throughput per chassis. These maxima are published ceilings — not every feature combination scales to the same numbers simultaneously, especially FlexConnect at scale, large SSID counts, or heavy AVC/ETA telemetry.

For most campus deployments under 2,000 APs with HA SSO, the 9800-40 (2,000 APs / 32,000 clients) is the right fit and lowers licensing cost.

Cloud-managed fleets may suit the 9800-CL or Meraki instead.

Our network services team sizes the controller against your AP count, client density, and HA model before the BOM goes out.

The CW9178I is a quad-radio 4×4:4 MU-MIMO AP across 2.4 GHz, 5 GHz, and 6 GHz with a 24 Gbps aggregate frame rate when flex-radio runs in quad mode. It supports MLO across bands, 4096-QAM on all three bands, and 20/40/80/160/320 MHz channel widths on 6 GHz.

The CW9176 is tri-radio with software-defined flex between 2.4 GHz and 5 GHz. Both require 802.3bt Class 6 (up to 60 W) for full operation.

The 9178 is purpose-built for very high density (stadiums, lecture halls, exam rooms) where the quad-radio flex design pays off in stadiums, lecture halls, and exam rooms.

For general enterprise, the 9176 is the right starting point — fewer radios means less co-channel interference and a smaller PoE budget.

Our Wi-Fi 7 design service picks per space, not per building.

The Juniper AP47 (Wi-Fi 7) requires 802.3bt (roughly 29 W at the PD) for full functionality; on 802.3at it runs with reduced functionality. The AP45/AP45E needs 802.3bt for full operation — at 802.3at, dual radios drop to 4×4, and at 802.3af the AP only phones home to request more power. The AP43 (Wi-Fi 6) always requires 802.3at (up to 25.5 W).

Powering at the wrong class triggers dashboard warnings.

A Wi-Fi 7 cutover on existing 802.3at switches will partially function while silently degrading throughput.

The switch inventory audit we run before any AP refresh flags every port that cannot deliver 802.3bt so you budget the PoE injectors or switch replacements before APs show up on site.

AFC is a cloud-based spectrum-sharing system that coordinates 6 GHz channel use between Standard Power APs (36 dBm EIRP, 23 dBm/MHz PSD) and licensed incumbents. Each Standard Power AP must refresh AFC clearance every 24 hours. Low Power Indoor APs (30 dBm EIRP, 5 dBm/MHz PSD) operate across the full 1,200 MHz without AFC. Meraki supports AFC on Wi-Fi 6E (MR57, CW9162/64/66) and Wi-Fi 7 (CW9172/76/78/79) access points.

Standard Power earns its AFC plumbing only for outdoor, warehouse, or stadium scenarios where the extra EIRP pays off.

Indoor enterprise stays on LPI and keeps deployment simple.

Our wireless design team models both modes in Ekahau AI Pro so you can see the capacity trade before committing.

In April 2020 the FCC opened 1,200 MHz of unlicensed spectrum from 5.925 to 7.125 GHz for Wi-Fi. The band is divided into four UNII sub-bands: UNII-5 (5.925–6.425 GHz), UNII-6 (6.425–6.525 GHz), UNII-7 (6.525–6.875 GHz), UNII-8 (6.875–7.125 GHz). It supports up to 59 x 20 MHz channels, 29 x 40 MHz, 14 x 80 MHz, 7 x 160 MHz, or 3 x 320 MHz with Wi-Fi 7.

6 GHz roughly triples useful spectrum compared to 5 GHz in the US.

Incumbent microwave and TV fixed links mean Standard Power needs AFC, so indoor enterprise deployments sit on LPI.

Our Wi-Fi 7 migration practice plans the channel grid against the incumbent map and your client fleet’s 6 GHz support.

IEEE Std 802.11be-2024 (Extremely High Throughput / Wi-Fi 7) was approved 26 September 2024 and formally published 22 July 2025. It standardizes MAC and PHY changes that enable a maximum theoretical throughput of at least 30 Gbit/s in the 1–7.250 GHz range, across 2.4/5/6 GHz, with backward compatibility. Core features are Multi-Link Operation (MLO), 320 MHz channels in 6 GHz, 4096-QAM (4K-QAM), Preamble Puncturing, and 512-Compressed Block Ack.

Real-world Wi-Fi 7 throughput gains come almost entirely from MLO and 320 MHz on 6 GHz. 4K-QAM needs very high SNR (above 36 dB), so it’s only a factor within a few meters of the AP.

Our Wi-Fi 7 design team plans around your actual client fleet’s PHY capabilities — not brochure peak rates.

MLO is a Wi-Fi 7 feature defined in IEEE 802.11be that lets a single client maintain simultaneous links across 2.4/5/6 GHz to the same AP, aggregating bandwidth and improving reliability via redundancy. Unlike band steering — which picks one band at association time — MLO uses both links concurrently with traffic load balancing. Wi-Fi Alliance describes MLO as enabling “more efficient load balancing of traffic among links.”

MLO only benefits Wi-Fi 7 clients.

Most enterprise fleets stay mixed for years — we plan the RF as if MLO is absent and treat MLO gains as bonus performance on capable laptops and phones.

That plan keeps your Wi-Fi 6 and Wi-Fi 6E handsets on a predictable service level.

Cisco Meraki’s high-density design guidance recommends 20 MHz (VHT20) channel width in 5 GHz to maximize non-overlapping channels and reduce co-channel interference. Minimum bitrate should be 12 Mbps or higher — 24 Mbps is common in very-high-density rooms; 11 Mbps only survives if legacy 802.11b clients must be supported. Disable 11b data rates where possible. Target roughly 25 clients per radio and 50 per AP as a planning benchmark.

Every classroom and conference room that “needs more speed” actually needs narrower channels and higher AP density, not wider channels. 80 MHz in high-density is a common self-inflicted wound.

Our high-density wireless engineering models the channel plan against seat count, device mix, and application profile before the first AP goes up.

802.11r FT, defined in IEEE 802.11-2020, reduces authentication, association, and the four-way handshake from 8 messages to 4 by overlaying key material in the initial association. Well-designed enterprise FT roam times run under 50 ms — matching the voice handoff threshold. Without FT, full 802.1X re-auth against a RADIUS server can easily exceed several hundred milliseconds, which voice clients hear as a gap or dropped word.

For voice, push-to-talk, and AGV or robotics workflows, FT is mandatory.

Plain PMK caching and OKC are legacy but still common — some handsets reject one or the other.

Our voice-readiness design validates FT behavior per handset model against your controller before cutover so you don’t discover it on the production floor.

802.11k provides neighbor reports — the AP tells the client about nearby APs (BSSID, channel, RSSI) so the client doesn’t waste airtime actively scanning. 802.11v (BSS Transition Management) lets the AP suggest or request a client roam to a better AP, steering the decision. 802.11r handles the post-decision fast handoff. The three together — 11k/v/r — form the modern enterprise roaming stack.

Enable all three at the controller — client support varies by OS.

Apple, Windows 10+, and most Android devices honor 11k/v/r cleanly.

Some handhelds and IoT devices ignore one or all three. Our wireless validation catches those per-model gaps during the post-install Ekahau sweep and packet capture.

WPA3-Personal uses Simultaneous Authentication of Equals (SAE) with 128-bit encryption, replacing WPA2-PSK’s vulnerable 4-way handshake. Transition mode allows WPA2-Personal and WPA3-SAE clients on the same BSS with the same SSID and passphrase — for mixed fleets migrating off WPA2. Protected Management Frames must be set to capable but not required. The Wi-Fi Alliance added “Transition Disable” to close downgrade attacks once every client is WPA3-capable.

Transition mode is a migration bridge, not a permanent state.

Once legacy WPA2 clients are retired, enable Transition Disable and move to WPA3-only.

Our network security architecture practice plans that migration against your real client fleet inventory so the cutover doesn’t strand scanners, printers, or older handsets.

Yes. PMF (802.11w) is mandatory on every 6 GHz BSS. In 6 GHz, only WPA3, Enhanced Open (OWE), or WPA3-Enterprise 192-bit mode is permitted — no WPA2. Juniper Mist’s Wi-Fi 7 documentation reinforces that GCMP256 encryption is mandatory on every Wi-Fi 7 BSS regardless of the chosen security type.

Any SSID broadcasting on 6 GHz must be WPA3 or OWE.

Creating a WPA2-only SSID “for legacy clients” that also broadcasts 6 GHz is invalid — it won’t pass certification or vendor compliance checks.

We architect the SSID plan on every Wi-Fi 6E or Wi-Fi 7 design so legacy devices stay on 2.4/5 GHz and 6 GHz stays clean.

Wi-Fi Enhanced Open is based on Opportunistic Wireless Encryption (OWE), defined in IETF RFC 8110. It uses a Diffie-Hellman key exchange to encrypt the air between client and AP on open networks — with no password, no user interaction, no lock icon. Traffic is encrypted per-client even though the SSID is “open.” It fits guest networks, hospitality, retail, and cafes where credential distribution is impractical.

Enhanced Open is strictly better than a classic open SSID for guest Wi-Fi.

Pair it with a captive portal for terms-of-service or identity capture if compliance logs are required (GDPR, HIPAA, PCI-DSS).

Our guest and BYOD design practice builds OWE into the SSID plan whenever the client fleet supports it.

The Ruckus R770 is a tri-radio Wi-Fi 7 indoor AP with 2×2:2 on 2.4 GHz and 6 GHz and 4×4:4 on 5 GHz — 8 total spatial streams — with a 12.22 Gbps combined max PHY rate. It supports MLO, 320 MHz channels, 4K-QAM, and Preamble Puncturing. Its differentiators are BeamFlex+ adaptive antenna technology that steers radiation patterns per-client, and ChannelFly predictive channel selection.

Uplinks are a 1/2.5/5/10 GbE primary and a 1 GbE backup.

BeamFlex+ earns real gains in cluttered multipath environments — warehouses, stadiums, arena concourses.

In open-office predictive models it plays a smaller role. We evaluate Ruckus against Cisco, Aruba, and Juniper per site in the vendor-agnostic design stage instead of picking a house brand.

Cisco Catalyst Center Assurance (formerly Cisco DNA Center) uses streaming telemetry from APs, clients, and wireless controllers to build ML-driven baselines. It groups poor-performing APs by likely root cause — capacity, coverage, interference, or client misbehavior — and recommends corrective action, which cuts alarm volume and false positives.

Wireless assurance ships through the Cisco Networking Subscription (Advantage or Premier tier on Catalyst Center); DNA Advantage remains a valid legacy SKU for customers still on the older entitlement.

AI assurance only pays back the license if operators act on the recommendations.

Many deployments leave it running as a wall dashboard without closing the loop.

Our managed services practice tunes the baselines, tightens the alert routing, and walks the tier-1 team through the recommended-action workflow so the license actually produces fewer tickets.

Marvis is Juniper Mist’s AI-native virtual network assistant. It runs recurrent neural network and LSTM models to learn baselines from wired, wireless, and WAN telemetry, fires anomaly detection when deviations occur, and supports natural-language queries. Marvis Minis use unsupervised ML to simulate client connections and surface issues before users report them. Service Level Expectations (SLEs) quantify per-site performance against targets.

Marvis changes tier-1 troubleshooting from “tail the logs” to “ask the assistant” — but only if operators actually query it.

Dashboards without queries leave the AI on the shelf.

Our Mist migration and operations practice trains the NOC on Marvis-first triage and tunes SLE thresholds to your environment so the model learns a realistic baseline.

Cisco and standards literature indicate MCS11 with 1024-QAM needs roughly 35 dB SNR — about 6 dB higher than 256-QAM (MCS9) because the constellation points are 50% tighter. In practice this is only achievable within a few meters of the AP in a clean RF environment. Wi-Fi 7’s 4K-QAM raises the bar further to above 36 dB.

Marketing PHY rates on Wi-Fi 6 and Wi-Fi 7 datasheets assume the perfect RF corner case.

Real-world steady-state throughput usually lands at 30–60% of the brochure rate, and that’s before application overhead.

Our post-install validation service measures real throughput per space, per client, so the design is signed off on measured reality.

Spectralink’s VIEW (Voice Interoperability for Enterprise Wireless) Certification validates WLAN infrastructure against the Versity 92/95/96 handset series. The Versity 92/95/96 phones support 802.11a/b/g/n but do NOT support 6 GHz or 802.11ax — the voice SSID for these phones must not include 6 GHz. 802.11r over-the-air and over-the-DS fast transition are both supported, and PMF is supported on the 92/95/96.

Voice handsets drag the enterprise design backwards.

The voice SSID stays on 5 GHz (with 2.4 for legacy coverage), and cell design is driven by -67 dBm RSSI and 25 dB SNR at the edge — far tighter than data clients need.

Our voice-grade wireless design validates VIEW configuration on every site before the handsets are rolled out.