Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
179
Views
5
Helpful
3
Replies

L3 connection to a WLC

Go to solution
Mitrixsen
Level 1
Level 1

‎07-19-2025 03:37 AM

Hello, everyone.

I am studying Wireless deployments for my ENCOR exam and I am reading the following document:
https://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob30dg/TechArch.html#wp1000163

It mentions that:

As mentioned earlier in the distributed WLC model, the WLCs are typically at the distribution layer of the campus network. If this is done, Cisco does not recommend that the WLC connect to the distribution layer via a Layer 2 connection.

My question is, I understand that we can configure our SSIDs to map to different VLANs on the WLC. If we deploy a WLC and the connection to the WLC is layer 3, can you still deploy multiple SSIDs that would map to different VLANs or how would it be handled in this case? Considering that the connection is no longer a trunk there.

Thank you
David

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
bigevilbeard
VIP
VIP

‎07-19-2025 05:34 AM

Been a while, but reading the doc it notes rhat Cisxo does not recommend a layer 2 connection between a wlc and the distribution layer. A layer 2 connection can create large broadcast domains and a some potential stp issues, however using a layer 3 connection this provides better network segmentation and scalability.

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

View solution in original post

Go to solution
MHM Cisco World
VIP
VIP

‎07-19-2025 09:40 AM

If all AP use local SW not central SW then yes no need l2' you need l3 to interconnect wlc to server like ISE.

If any AP run central SW then it mandatory to have l2.

In end WLC not do inter-vlan routing or any routing so traffic from AP is forward by wlc to l3 device via l2 link for routing 

MHM

View solution in original post

Go to solution
Rich R
VIP
VIP

‎07-19-2025 02:49 PM

That is a very old document (you can tell by the style, layout, fonts etc)! It refers to the 3750G switch which went End of Support 7 years ago!
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/eol_c51-696372.html

Best practice for 9800 series WLCs is literally the opposite - the WLC should only be used for L2 leaving L3 to the next hop switch/firewall/router.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Wirelessclientinterfaces
For centrally switched traffic, it is mandatory to configure a Layer 2 VLAN (or a pool of VLANs) mapped to the SSID, but the corresponding Layer 3 interface (SVI) is not needed. This is different from AireOS, in which a dynamic interface (Layer 3 interface and related IP address) is required. The recommendation for C9800 is not to configure an SVI for client VLAN, unless ... (read on in the link above)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

3 Replies 3

Go to solution
bigevilbeard
VIP
VIP

‎07-19-2025 05:34 AM

Been a while, but reading the doc it notes rhat Cisxo does not recommend a layer 2 connection between a wlc and the distribution layer. A layer 2 connection can create large broadcast domains and a some potential stp issues, however using a layer 3 connection this provides better network segmentation and scalability.

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Go to solution
MHM Cisco World
VIP
VIP

‎07-19-2025 09:40 AM

If all AP use local SW not central SW then yes no need l2' you need l3 to interconnect wlc to server like ISE.

If any AP run central SW then it mandatory to have l2.

In end WLC not do inter-vlan routing or any routing so traffic from AP is forward by wlc to l3 device via l2 link for routing 

MHM

Go to solution
Rich R
VIP
VIP

‎07-19-2025 02:49 PM

That is a very old document (you can tell by the style, layout, fonts etc)! It refers to the 3750G switch which went End of Support 7 years ago!
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/eol_c51-696372.html

Best practice for 9800 series WLCs is literally the opposite - the WLC should only be used for L2 leaving L3 to the next hop switch/firewall/router.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Wirelessclientinterfaces
For centrally switched traffic, it is mandatory to configure a Layer 2 VLAN (or a pool of VLANs) mapped to the SSID, but the corresponding Layer 3 interface (SVI) is not needed. This is different from AireOS, in which a dynamic interface (Layer 3 interface and related IP address) is required. The recommendation for C9800 is not to configure an SVI for client VLAN, unless ... (read on in the link above)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card