Planning and deployment
Wi-Fi 7 (IEEE 802.11be PHY/MAC) operates in the 2.4 GHz, 5 GHz, and 6 GHz bands, introducing new features and improvements over Wi-Fi 6 and 6E.
Key design principles
- For 6 GHz band guidance, refer to the Wi-Fi 6E planning and deployment guidelines. Wi-Fi 7 builds on Wi-Fi 6E requirements.
- Create a dedicated SSID for Wi-Fi 7 to enable new features without disrupting legacy clients. For federated SSIDs (eduroam, Govroam, OpenRoaming), modify the existing SSID with staged testing.
- Configure MLDs to advertise 5 GHz + 6 GHz bands only. Reserve 2.4 GHz for legacy clients on a separate SSID to avoid unpredictable link selection.
- Choose Enhanced Open for guest networks, WPA3-Personal for passphrase networks, and WPA3-Enterprise for 802.1X corporate networks. Wi-Fi 7 requires GCMP-256 unicast ciphers and Beacon Protection across all bands.
- Assess your client device mix before enabling WPA3-Personal mixed mode (sae-sub-mode). Prefer GCMP-256 only operation where client support allows.
- Do not design for 100% coverage at 4096-QAM MCS rates. Hyper-dense AP placement creates excessive co-channel interference. Balance coverage targets against channel reuse.
- Mount APs below ceilings with an unobstructed RF path to clients. Match AP and antenna type (omnidirectional vs. directional) to the environment and density requirements.
- Plan for a capacity-based design with overlapping primary and secondary coverage zones. Brownfield deployments may require 0–10% more APs in high-usage areas.
- Use 802.3bt/CL6 PoE for new deployments. Enable Intelligent Power Monitoring (IPM) to maximize feature availability on 802.3at/CL4 powered APs.
- Ensure cabling plant supports Power over Ethernet (PoE) and speed requirements.
- Always survey, test, and validate with target client devices before widespread deployment.
AP planning
Wi-Fi 7 introduces two new MCS rates for 4096-QAM. When planning new deployments, avoid designing for complete coverage at signal levels required for these highest-order modulation rates. Doing so leads to hyper-dense AP placement and excessive co-channel interference (CCI). Instead, take a balanced approach that optimizes channel reuse within your regulatory domain.
AP placement is important: do not place APs above ceilings, because they need an unobstructed view to the end users. Be deliberate about AP models and about omnidirectional vs. directional APs and antennas, and place APs strategically to take advantage of each where possible.
AP placement and antenna selection
Plan to mount APs below the ceiling with an unobstructed RF path to client devices. Avoid above-ceiling or above-obstruction installations, which will attenuate signal and waste radiated power.
Deliberately plan AP and antenna selection:
- Omnidirectional APs or antennas may be used for carpeted office spaces where 360-degree coverage is ideal. The trade-off can be increased co-channel interference in high-density to hyper-dense deployments.
- Directional APs or antennas help focus energy in high-density areas, reduce signal bleed into adjacent rooms and spaces, and lower co-channel interference.
Match antenna type and AP model to the environment; what works in a carpeted office won’t be suitable for a warehouse or an outdoor deployment.
Design philosophy
Plan for a capacity-based design with overlapping primary and secondary coverage zones. For brownfield deployments, this may mean adding 0–10% more APs in targeted locations such as conference rooms, training rooms, or atriums where coverage or capacity was previously insufficient.
Validation
Always survey, test, and validate with deployed end user devices before widespread deployment.
Security
Similar to the security requirements that came with Wi-Fi 6E, Wi-Fi 7 also requires the use of WPA3 or Enhanced Open, along with some additional changes.
Wi-Fi 7 requires clients to support GCMP-256 unicast ciphers and Beacon Protection. These changes affect all bands instead of just the 6 GHz band like with Wi-Fi 6E.
WPA3-Personal
Wi-Fi 7 updates to WPA3-Personal include:
- GCMP-256 unicast ciphers
- Beacon Protection
- Hash-to-element (H2E) for PWE derivation in all bands
- SAE with group-dependent hashing (GDH) using AKM:24 (FT AKM:25 is supported starting in AOS-10.8)
The sae-sub-mode configuration for WPA3-Personal controls legacy, mixed-mode, or GCMP-256 only operation.
Together with transition mode, the sae-sub-mode configuration enables support for different combinations of security parameters.
| SAE sub mode | Key management | Unicast cipher advertisement | Broadcast Integrity Protocol | Effect |
|---|---|---|---|---|
| legacy | AKM:8 (FT-AKM:9) | CCMP-128 | BIP-CMAC-128 | Legacy mode operating with greatest interoperability |
| mix-mode | AKM:8+24 (FT-AKM:9+25) | CCMP-128, GCMP-256 | BIP-CMAC-128 | Mixed mode supporting legacy and new |
| gcm256-only-mode | AKM:24 (FT-AKM:25) | GCMP-256 | BIP-GMAC-256 | Restrict to Wi-Fi 7 only, no interop with legacy |
Transition mode enables support for WPA2-Personal only devices by advertising legacy WPA2-PSK AKMs and making protected management frames optional in the 2.4 GHz and 5 GHz bands. Note that transition mode is not supported when sae-sub-mode is set to gcm256-only-mode. The recommendation is to migrate away from transition mode to prevent downgrade attacks.
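The client-mix assessment recommended above can be scripted. The following is an added example, not HPE Aruba Networking code: it picks the strictest sae-sub-mode from the table that every SAE-capable client can join and lists the WPA2-PSK-only clients that would force transition mode. The inventory, device names, function names, and the "shares one AKM and one unicast cipher" matching rule are assumptions for illustration; AKM 2 is the standard WPA2-PSK suite.

```python
# Added example: pick the strictest sae-sub-mode a client mix can use.
# Advertisements per sub-mode come from the table above (FT AKMs 9/25 omitted).
SUB_MODES = {  # ordered strictest first
    "gcm256-only-mode": {"akms": {24}, "ciphers": {"GCMP-256"}},
    "mix-mode": {"akms": {8, 24}, "ciphers": {"CCMP-128", "GCMP-256"}},
    "legacy": {"akms": {8}, "ciphers": {"CCMP-128"}},
}
SAE_AKMS = {8, 24}

# Constructed inventory (hypothetical devices). AKM 2 is WPA2-PSK.
INVENTORY = [
    {"name": "wifi7-laptop", "akms": {2, 8, 24}, "ciphers": {"CCMP-128", "GCMP-256"}},
    {"name": "wifi6e-phone", "akms": {2, 8}, "ciphers": {"CCMP-128"}},
    {"name": "label-printer", "akms": {2}, "ciphers": {"CCMP-128"}},
]


def can_join(client, mode):
    """Assumed matching rule: client shares one AKM and one unicast cipher."""
    adv = SUB_MODES[mode]
    return bool(client["akms"] & adv["akms"] and client["ciphers"] & adv["ciphers"])


def assess(inventory):
    """Return the strictest workable sub-mode and who each stricter mode locks out."""
    sae_clients = [c for c in inventory if c["akms"] & SAE_AKMS]
    # Clients with no SAE AKM can only join if transition mode is enabled,
    # which the page recommends migrating away from (downgrade exposure).
    psk_only = [c["name"] for c in inventory if not c["akms"] & SAE_AKMS]
    blocked = {
        mode: [c["name"] for c in sae_clients if not can_join(c, mode)]
        for mode in SUB_MODES
    }
    chosen = next((m for m in SUB_MODES if not blocked[m]), None)
    return {
        "sub_mode": chosen,
        "blocked": {m: names for m, names in blocked.items() if names},
        "needs_transition_mode": psk_only,
        # Per the page, transition mode cannot be combined with gcm256-only-mode.
        "transition_mode_available": chosen not in (None, "gcm256-only-mode"),
    }


if __name__ == "__main__":
    for key, value in assess(INVENTORY).items():
        print(f"{key}: {value}")
```

A non-empty `needs_transition_mode` list identifies the devices to replace or move to a separate SSID before transition mode can be turned off.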
SSID planning
New SSID approach
A new SSID is recommended. Create a dedicated SSID for Wi-Fi 7 clients. This offers the following benefits:
- Enable Wi-Fi 7 features (MLO, 4096-QAM, etc.) without affecting legacy clients
- Roll out incrementally and validate behavior before broader adoption
- Isolate troubleshooting if issues arise
Existing SSID approach
An existing SSID can be modified to support Wi-Fi 7, but changing the security type on a live network may disrupt legacy clients, particularly in BYOD environments where you don’t control the device configuration.
This approach may be necessary for federated SSIDs such as eduroam, Govroam, or OpenRoaming, where the solution provider typically mandates a single SSID. In these cases, careful planning and staged testing are essential to understand the impact on existing clients before committing to production changes.
MLO consideration
With Multi-Link Operation (MLO), the client, not the AP, determines which links to use during setup. When the AP MLD advertises all three bands (2.4 GHz, 5 GHz, and 6 GHz), clients may select different link combinations at different association times:
| Possible tri-band link combinations |
|---|
| 2.4 GHz + 5 GHz |
| 2.4 GHz + 6 GHz |
| 2.4 GHz + 5 GHz + 6 GHz |
| 5 GHz + 6 GHz |
In most deployments, reserve 2.4 GHz for legacy 2.4 GHz only clients. Configure the SSID to advertise on only 5 GHz + 6 GHz bands. This can avoid unpredictable link selection and keeps 2.4 GHz from being inadvertently used by high-performance clients.
Power Sourcing
Additional radios and capabilities come with increased power requirements. Tri-radio APs require more power than dual-radio APs: 802.3at/CL4 PoE or better is required. 802.3bt/CL6 PoE is recommended for new deployments.
Intelligent Power Monitoring
Intelligent Power Monitoring (IPM) is a method for controlling the power usage of HPE Aruba Networking APs. The approach actively measures power usage and dynamically adapts the power budget and restrictions.
When IPM is disabled, static power management applies reductions so that the AP does not exceed worst-case limits and stays within the confines of the power budget.
When IPM is enabled, dynamic power management allows the AP to enable full functionality and performance in the majority of cases.
In most cases, enabling IPM allows most features to remain available when tri-radio APs are powered by an 802.3at/CL4 PSE.
The recommendation is to enable IPM.