Smart Office, Safe Office: Wi-Fi & IoT Segmentation Without the Headaches


Smart lighting, door controllers, meeting-room screens, wireless presentation bars, building-management sensors—most London offices now run hundreds (sometimes thousands) of “things” alongside laptops and mobiles. Done well, this makes spaces more efficient and pleasant to use. Done badly, you get a flat network where any cheap camera can talk to payroll, multicast floods chew airtime, and a single misbehaving gadget knocks Teams offline.

This practical guide shows how to design Wi-Fi for a modern office and keep IoT in its lane—without piling on operational pain. It’s vendor-neutral, business-first, and grounded in how buildings actually work.

Start with outcomes (so every choice has a purpose)

Before you pick hardware or new buzzwords, write success down in numbers:

  • Coverage & quality: ≥ -67 dBm at the seating plane, SNR ≥ 25 dB in busy areas.
  • Capacity: Design for concurrency, not headcount (meeting rooms = 1.5–2× seats to include phones/tablets).
  • Security: Corporate kit on WPA3-Enterprise/802.1X; IoT and guest isolated with least-privilege ACLs; no east-west traffic by default.
  • Multicast sanity: mDNS/Bonjour and other discovery protocols proxied or snooped, never left to roam free across the network.
  • Operations: Clear run-book, monitoring that surfaces client failure reasons (DHCP, RADIUS, PSK), and a quarterly tune-up cadence.

These targets become your acceptance tests at the end.

Inventory reality (you can’t segment what you don’t know)

List the device types, radios (2.4/5/6 GHz), and authentication capabilities:

  • Corporate: Laptops/phones, usually 802.1X-capable; managed by MDM.
  • AV/meeting tech: Bars, TVs, wireless presentation (often weak on 802.1X; perfect for per-device PSKs).
  • Access control/BMS: Doors, HVAC, sensors (may be 2.4 GHz only; protect with strict ACLs).
  • Visitors: Short-lived access, isolated from everyone.
  • Contractors: Need time-bound, scoped access (e.g., to a specific VLAN or subnet).

Outcome: a policy grid that maps “who needs to talk to what” and nothing more.

SSIDs: fewer is faster

Every extra SSID burns airtime. A lean, scalable pattern:

  1. Corporate (802.1X/WPA3-Enterprise)
    Certificate-based (EAP-TLS) with identity-based policy. Full access to corporate services per role.
  2. Devices/AV (Per-Device PSK)
    Each device gets its own PSK mapped to a VLAN with least-privilege ACLs. You can revoke one TV’s access without touching others.
  3. Guest (Open + captive portal or short-lived vouchers)
    Client isolation on; simple splash page; bandwidth caps; short retention of logs (GDPR-aware).

That’s it. Three SSIDs cover almost every office—and perform better than five.

VLANs & ACLs: zero trust, minus the drama

  • VLANs: Separate Corporate, AV/IoT, and Guest from the first switch hop.
  • ACLs: Default-deny east-west. Permit only the few flows each IoT class needs (e.g., AV → controller, door controllers → BMS broker).
  • North-south controls: If you prefer, terminate the IoT VLANs on a small micro-segmentation gateway; the principle is the same: allow only what’s required.

Document this in a simple table. If a rule change takes more than two lines to explain, it’s probably too broad.
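As an added illustration (not the article’s own tooling), the Python below turns a policy grid like the one described into an ordered, default-deny ACL per IoT/guest VLAN and evaluates flows the way a first-match switch ACL would. The VLAN ranges, controller addresses and ports are assumed values for the example; the point it makes is that rule order decides whether an “internet” permit silently re-opens east-west traffic.

```python
from ipaddress import ip_network

# Constructed VLAN plan and server addresses (assumed for this example, not from the article).
VLANS = {
    "corporate": ip_network("10.10.0.0/16"),
    "av":        ip_network("10.20.0.0/24"),
    "bms":       ip_network("10.30.0.0/24"),
    "guest":     ip_network("10.40.0.0/22"),
}
HOSTS = {
    "av_controller": ip_network("10.10.5.10/32"),
    "bms_broker":    ip_network("10.10.6.20/32"),
    "internet":      ip_network("0.0.0.0/0"),
}
# The policy grid: (source class, destination, service). Anything not listed is denied.
POLICY = [
    ("av",    "av_controller", "tcp/443"),
    ("bms",   "bms_broker",    "tcp/8883"),
    ("av",    "internet",      "tcp/443"),
    ("guest", "internet",      "any"),
]

def build_acl(policy=POLICY, vlans=VLANS, hosts=HOSTS):
    """Expand the grid into an ordered, first-match ACL per IoT/guest VLAN.
    Order is the whole point: named permits, then an explicit deny to every
    internal subnet (own VLAN included), then the 'internet' permit, then
    default deny. Without the middle deny block a permit to 0.0.0.0/0 would
    quietly re-open east-west traffic to every other VLAN."""
    acl = {}
    for src, src_net in vlans.items():
        if src == "corporate":
            continue  # corporate access is identity-based (802.1X), not an IoT ACL
        rules = [("permit", str(src_net), str(hosts[dst]), svc)
                 for s, dst, svc in policy if s == src and dst != "internet"]
        rules += [("deny", str(src_net), str(net), "any") for net in vlans.values()]
        rules += [("permit", str(src_net), "0.0.0.0/0", svc)
                  for s, dst, svc in policy if s == src and dst == "internet"]
        rules.append(("deny", str(src_net), "0.0.0.0/0", "any"))
        acl[src] = rules
    return acl

def is_allowed(acl, src_class, dst_ip, svc):
    """First-match evaluation, the way a switch or firewall applies the list."""
    dst = ip_network(dst_ip + "/32")
    for action, _src, dst_net, rule_svc in acl[src_class]:
        if dst.subnet_of(ip_network(dst_net)) and rule_svc in ("any", svc):
            return action == "permit"
    return False
```

Run `build_acl()` and print each VLAN’s rule list to get the “simple table” the text asks for; if a class needs more than a handful of permits, the policy is probably too broad.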

Make multicast behave (AirPlay, casting, discovery)

Discovery protocols can drown busy SSIDs:

  • mDNS/Bonjour proxy: Advertise only the services you intend (e.g., meeting-room displays), and only to the spaces that need them.
  • IGMP snooping/querier: Keep multicast from turning into broadcast.
  • Rate-limit & prune: Kill noisy, unused service types; cap multicast to sensible rates.

Result: AirPlay/Chromecast work where you want them—and not across the entire building.


RF basics that prevent 90% of “mystery” issues

  • Channels: In dense London floors, prefer 20/40 MHz at 5 GHz; reserve 80 MHz for sparse areas after proof.
  • 2.4 GHz: Legacy/IoT only. Raise minimum data rates to stop far-edge clinging.
  • Minimum data rates (all bands): 12–24 Mbps helps roaming and frees airtime.
  • TX power discipline: Many small cells beat a few loud ones; big cells create co-channel interference.
  • 6 GHz overlay (if devices support it): Use in premium rooms for clean airtime without breaking 5 GHz for everyone else.

The wired reality (because Wi-Fi sits on copper and fibre)

APs need solid backhaul and stable power:

  • Horizontal cabling: New runs should be Cat6A (multi-gig + PoE++ headroom).
  • Backbone: Use fibre between cabinets; avoid long copper risers.
  • PoE budgets: Keep 20–30% headroom; brown-outs look like “Wi-Fi issues”.
  • Cabinet hygiene: Right-length patching, labelled ports, blanking panels, A/B power split.

Mid-programme, many teams discover the cabling is the bottleneck. If you’re planning a refresh or a new floor, partner with London data cabling specialists to get the backbone right—your wireless stability depends on it.

Security that users don’t hate

  • 802.1X with certificates (EAP-TLS): No passwords to leak; onboarding via MDM is painless.
  • Per-device PSK (DPSK/PPSK) for AV/IoT: Individual keys, VLAN-mapped. Revoke a device without impacting the fleet.
  • Guest simplicity: Quick splash, time-bound access, isolation on; don’t collect more personal data than you need.

Operations: keep it good after day one

  • Monitor what matters: Client failure reasons (DHCP, RADIUS, PSK), retransmits, noise floor/DFS events, AP radio health.
  • Firmware cadence: Quarterly reviews; stage upgrades; lab-test first against your AV bars and scanners.
  • Change control (lightweight): A simple, shared process for SSID/VLAN tweaks and AP relocations as floorplates evolve.
  • Quarterly tune-ups: Re-survey hotspots; trim channels and TX power based on real usage.

Two-week rollout plan (no drama required)

Days 1–2: Inventory devices and radios; draft the SSID/VLAN/ACL plan.
Days 3–4: Tidy cabinets; verify PoE headroom; confirm Cat6A to APs and fibre between cabinets.
Days 5–6: Implement the three-SSID model; deploy DPSK/PPSK for AV/IoT; enable mDNS proxy and IGMP snooping.
Days 7–8: Set channel widths (20/40 MHz), minimum data rates, and TX power caps; pilot one meeting-room cluster.
Days 9–10: Validate under real load (screen shares + calls + guest joins). Tune and document.
Days 11–14: Roll floor-by-floor with a back-out plan; brief service desk; schedule the first quarterly tune-up.

Common pitfalls (and how to dodge them)

  1. Too many SSIDs. Airtime dies by a thousand beacons; keep it to three.
  2. “Turn the power up.” Loud APs create bloated cells and more collisions.
  3. Letting multicast roam free. Proxy/snoop or suffer.
  4. 2.4 GHz for everything. Use it sparingly for genuine legacy only.
  5. Skipping the wired layer. Most “Wi-Fi problems” are PoE, DHCP or cabling.
  6. No acceptance tests. If you don’t measure, you can’t prove—or improve.

Bottom line

Smart offices thrive on reliable wireless and disciplined segmentation. Keep SSIDs lean, corral multicast, isolate IoT with per-device credentials and tight ACLs, and stand it all on clean cabling with PoE headroom. Do that, and your building tech works invisibly—exactly how it should.