Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1487
Views
6
Helpful
7
Replies

Should 9800 Controllers Be on a Separate Mgmt Subnet?

dbrennan_1
Level 1
Level 1

‎11-08-2022 11:43 AM

Is it best practice to have the mgmt IP of your controllers on separate subnet from your switches?  In other words is it OK to have management IP of switches, controllers, etc on the same subnet or is it smarter to create another separate one just for controllers to separate the broadcast domain?

 

Thanks

Labels:
0 Helpful
7 Replies 7

leoloren
Cisco Employee
Cisco Employee

‎11-08-2022 12:28 PM

It is always recommend to use a wireless management VLAN and configure WMI as a Switched VLAN Interface (SVI). If the uplink port or port-channel to the next-hop switch is configured as a dot1q trunk, the wireless management VLAN would be one of the allowed tagged VLAN on the trunk.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/16-12/config-guide/b_wl_16_12_cg/m_config-wmi.html

 

0 Helpful

dbrennan_1
Level 1
Level 1
In response to leoloren

‎11-08-2022 12:45 PM

Yup I get that but it doesn't answer the question.  Is it best practice to have only the wireless controllers on their own SVI, Subnet , Network?  In other words if my controller is using vlan 100 -10.10.100.x/24 is it best practice to NOT allow other switches mgmt IP to  use the same VLAN 100-10.10.100.x/24??

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni

‎11-08-2022 12:42 PM

You can manage the WLC via 2 methods, one is in-band as what @leoloren explained you can use an SVI in the WLC. SInce there is no requirement to configure an SVI in the WLC (except when mdns or dhcp relay is used), you can use the same WMI VLAN to manage the WLC. Make sure that you allow this VLAN in the trunk, if you are using the WMI VLAN, you have to make sure that you have a separate VLAN for the AP management (it is ok to use the same VLAN for AP management when the APs doesn't exceed 100, but still better to use dedicated AP management VLAN). You may use DHCP option 43 or DNS to send the WLC WMI to the APs.

It is always recommended that you configure the Out of Band management port of the WLC (aka Service Port) usually Gig0 in a physical WLC (part of Mgmt-Intf vrf) to be configured for OOB access. Depending on the code you are running you can use this port to perform various task. You may read the release notes for the code you are running in your WLC to get to know the capabilities of this interface. 

Below from 17.6 release notes for 9800

    • The following protocols and features are supported through the management port of the controller:

      • Cisco DNA Center

      • Cisco Smart Software Manager

      • NETCONF

      • NetFlow

      • Cisco Prime Infrastructure

      • Secure Shell

      • Telnet

      • Controller GUI

    • The Cisco Catalyst 9800 Series Wireless Controller has a service port that is referred to as GigabitEthernet 0 port.

      The service port supports only the following IP protocols:

      • DNS

      • File transfer

      • GNMI

      • HTTP

      • HTTPS

      • LDAP

      • Licensing for Smart Licensing feature to communicate with CSSM

      • Netconf

      • NetFlow

      • NTP

      • RADIUS (including CoA)

      • Restconf

      • SNMP

      • SSH

      • SYSLOG

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

dbrennan_1
Level 1
Level 1

‎11-08-2022 01:04 PM

Maybe I'm not explaining this well but here goes last try-

I'm building out a new building.  It has (1) controller (9840) and (5) LAN switches (9300s).  IS IT BEST PRACTICE to have the management IP of the SWITCHES on a separate SVI than the CONTROLLER??  That's the only question I need answered

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to dbrennan_1

‎11-08-2022 01:28 PM

You may read the below document for Cisco listed best practices. Cisco Catalyst 9800 Series Configuration Best Practices - Cisco

I don't see any harm in having the switch management and wlc management in the same VLAN.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

dbrennan_1
Level 1
Level 1
In response to Arshad Safrulla

‎11-08-2022 01:30 PM

Thank you I've read the guide-it mentions nothing of this.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to dbrennan_1

‎11-08-2022 02:01 PM - edited ‎11-08-2022 02:02 PM

@dbrennan_1 wrote:

IS IT BEST PRACTICE to have the management IP of the SWITCHES on a separate SVI than the CONTROLLER??  

That is dependent on the size of the network. 

Each of our sites have different Management IP address subnet.  All of our WLC are on a separate subnet.  Our APs are on different subnets.  One of the things that make it easier for us to do this is because we, the network team, management IPAM.  We manage how each subnet is carved out.  We manage the DHCP servers too.  

Some organization have a team to management DHCP server and talking to them about carving out subnets is like squeezing the last drop out of a lemon.  

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card