11-08-2022 11:43 AM
Is it best practice to have the mgmt IP of your controllers on separate subnet from your switches? In other words is it OK to have management IP of switches, controllers, etc on the same subnet or is it smarter to create another separate one just for controllers to separate the broadcast domain?
Thanks
11-08-2022 12:28 PM
It is always recommended to use a wireless management VLAN and configure WMI as a Switched VLAN Interface (SVI). If the uplink port or port-channel to the next-hop switch is configured as a dot1q trunk, the wireless management VLAN would be one of the allowed tagged VLANs on the trunk.
11-08-2022 12:45 PM
Yup, I get that, but it doesn't answer the question. Is it best practice to have only the wireless controllers on their own SVI, subnet, network? In other words, if my controller is using VLAN 100 - 10.10.100.x/24, is it best practice to NOT allow other switches' mgmt IPs to use the same VLAN 100 - 10.10.100.x/24??
11-08-2022 12:42 PM
You can manage the WLC via 2 methods. One is in-band, as @leoloren explained: you can use an SVI in the WLC. Since there is no requirement to configure an SVI in the WLC (except when mDNS or DHCP relay is used), you can use the same WMI VLAN to manage the WLC. Make sure that you allow this VLAN on the trunk. If you are using the WMI VLAN, you have to make sure that you have a separate VLAN for the AP management (it is OK to use the same VLAN for AP management when the APs don't exceed 100, but it is still better to use a dedicated AP management VLAN). You may use DHCP option 43 or DNS to send the WLC WMI to the APs.
It is always recommended that the Out of Band management port of the WLC (aka Service Port), usually Gig0 in a physical WLC (part of the Mgmt-Intf vrf), be configured for OOB access. Depending on the code you are running, you can use this port to perform various tasks. You may read the release notes for the code you are running in your WLC to get to know the capabilities of this interface.
Below is from the 17.6 release notes for the 9800:
The following protocols and features are supported through the management port of the controller:
Cisco DNA Center
Cisco Smart Software Manager
NETCONF
NetFlow
Cisco Prime Infrastructure
Secure Shell
Telnet
Controller GUI
The Cisco Catalyst 9800 Series Wireless Controller has a service port that is referred to as GigabitEthernet 0 port.
The service port supports only the following IP protocols:
DNS
File transfer
GNMI
HTTP
HTTPS
LDAP
Licensing for Smart Licensing feature to communicate with CSSM
Netconf
NetFlow
NTP
RADIUS (including CoA)
Restconf
SNMP
SSH
SYSLOG
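An added example (not code from this thread or from Cisco) covering the AP-discovery part of the answer above: it encodes the DHCP option 43 vendor sub-option (type 0xf1, length, then each WMI IPv4 address) and renders an IOS-XE DHCP pool for a dedicated AP VLAN, refusing to build one when the AP VLAN is the same as the WMI VLAN. The WMI address 10.10.100.5 in VLAN 100 follows the original poster's numbering; AP VLAN 110 and 10.10.110.0/24 are constructed values.

```python
import ipaddress
from typing import Iterable, List

# Cisco lightweight APs learn the controller WMI address from DHCP option 43:
# vendor sub-option type 0xF1, one-byte length (4 * number of controllers),
# followed by each controller IPv4 address in network byte order.
SUBOPTION_TYPE = 0xF1


def encode_option43(controllers: Iterable[str]) -> str:
    """Return the option 43 payload in the dotted-hex form IOS-XE accepts."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller WMI address is required")
    if 4 * len(addrs) > 0xFF:
        raise ValueError("too many controllers for a one-byte length field")
    payload = bytes([SUBOPTION_TYPE, 4 * len(addrs)])
    for addr in addrs:
        payload += addr.packed
    hexstr = payload.hex()
    # IOS-style grouping: four hex digits per group, e.g. f104.0a0a.6405
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def render_ap_pool(name: str, ap_vlan: int, wmi_vlan: int, network: str,
                   gateway: str, controllers: Iterable[str]) -> List[str]:
    """Render an IOS-XE DHCP pool for the AP management VLAN.

    Rejects the configuration when the AP VLAN is the WMI VLAN, which is the
    'use a dedicated AP management VLAN' caveat from the thread.
    """
    if ap_vlan == wmi_vlan:
        raise ValueError("AP management VLAN must differ from the WMI VLAN")
    net = ipaddress.IPv4Network(network, strict=True)
    if ipaddress.IPv4Address(gateway) not in net:
        raise ValueError("default-router must sit inside the pool network")
    return [
        f"ip dhcp pool {name}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {gateway}",
        f" option 43 hex {encode_option43(controllers)}",
    ]


if __name__ == "__main__":
    # Constructed sample: WMI 10.10.100.5 in VLAN 100, APs in VLAN 110.
    for line in render_ap_pool("AP-MGMT", 110, 100, "10.10.110.0/24",
                               "10.10.110.1", ["10.10.100.5"]):
        print(line)
```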
11-08-2022 01:04 PM
Maybe I'm not explaining this well but here goes last try-
I'm building out a new building. It has (1) controller (9840) and (5) LAN switches (9300s). IS IT BEST PRACTICE to have the management IP of the SWITCHES on a separate SVI than the CONTROLLER?? That's the only question I need answered
11-08-2022 01:28 PM
You may read the below document for Cisco's listed best practices: Cisco Catalyst 9800 Series Configuration Best Practices - Cisco
I don't see any harm in having the switch management and wlc management in the same VLAN.
11-08-2022 01:30 PM
Thank you, I've read the guide; it mentions nothing of this.
11-08-2022 02:01 PM - edited 11-08-2022 02:02 PM
@dbrennan_1 wrote:
IS IT BEST PRACTICE to have the management IP of the SWITCHES on a separate SVI than the CONTROLLER??
That is dependent on the size of the network.
Each of our sites has a different management IP address subnet. All of our WLCs are on a separate subnet. Our APs are on different subnets. One of the things that makes it easier for us to do this is that we, the network team, manage IPAM. We manage how each subnet is carved out. We manage the DHCP servers too.
Some organizations have a team to manage the DHCP servers, and talking to them about carving out subnets is like squeezing the last drop out of a lemon.