Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
20
Helpful
9
Replies

wlc placement

bluesea2010
Level 5
Level 5

‎10-19-2022 01:57 AM

Hi,

I have two questions  ,

1)usually where should I place the wlc  , behind firewall or core

2)I have routed access layer , So  the connectivity to wlc will be layer 2 or layer 3

Thanks

Labels:
0 Helpful
9 Replies 9

marce1000
VIP
VIP

‎10-19-2022 02:48 AM

 

 - There's no unique answer and 'behind core' is somewhat undefined, it depends where the wireless clients are , usually on the Intranet which close proximity to core , to start with.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

bluesea2010
Level 5
Level 5
In response to marce1000

‎10-19-2022 06:31 AM - edited ‎10-19-2022 06:32 AM

Hi,

Sorry it was not behind , I mean  wlc connected to the core .

Now the second question is,

Currently i am following the traditional layer2 architecture between distribution and   access  

I have the SSID EMPLOYEES -10.0.2.0/24

So I have a vlan 10 for  employees in all edge switches and   on distrubtion side gateway configured 

And in the wlc added vlan 10 and one inteface  with the ip 10.0.2.10/24

If I am moving from l2 to l3 , how the configuration would be

Thanks

 

Add vlan

 

 

 

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni

‎10-19-2022 12:47 PM

As Marce explained answer is "it depends". I would start my day with reading the CVD's

https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/campus-wired-wireless.html

If that gives me a high-level idea, then I will start reading the WLC configuration guides and design guides. For me there are multiple reasons which can impact the WLC placement in the network.

1. If I have AP's reaching out from the public networks (OEAP)

2. If I have APs distributed across multiple WAN sites connected over MPLS/SD-WAN/VPN etc.

3. If the role of the WLC is Anchor controller

then I would definitely consider placing them in a DMZ which has upstream firewall/IPS/IDS/DDOS protection.

Sometimes AP mode such as Local/Flex also impacts the WLC placement. If my APs are inside LAN segment, then I will definitely place it where it can be centrally accessible (Core Switch possibly) and make sure that is redundantly connected.

Now since you have routed access network, using Flex connect might become a challenge as you might have to work with multiple flex profiles and additional configuration to support the routed access network. I would suggest you go with local mode for AP's as in this case traffic is tunneled to the WLC along with Management traffic. So, from the configuration side you can reduce the complexity.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

bluesea2010
Level 5
Level 5
In response to Arshad Safrulla

‎10-20-2022 05:18 AM


Hi,

This is your post in the below thread


https://community.cisco.com/t5/wireless/issues-with-wireless-in-routed-access-layer-design/td-p/4437641

If the AP’s are in local mode AP will build a capwap tunnel to the controller, so any wireless clients connected will egressing directly from the controller as the client data traffic will be encapsulated with capwap between AP and WLC. In the routed access world this is the preferred method for me as this will reduce complexity. Remember you need L3 reachability between AP management VLAN and WLC AP Manager interface.

If i have ssid test 10.0.2.0/24 (vlan 2 )

Are you saying to create vlan 2 on the access switch and on core 2 ,
and a vlan interface on the controller 10.0.2.10/24

then there will be stp election ?

Please clarify

Then you will create dynamic interface per VLAN in your controller (tag VLAN per said as reqd.) and then corresponding VLAN’s in the upstream switches as well.

Thanks

 

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to bluesea2010

‎10-20-2022 05:39 AM

Hi Bluesea,

WLC will not participate in STP. In case you are going with local mode AP's as you said you will create the SVI for VLAN2 in Core Switch and then allow it on the trunk connecting to the WLC.

"Then you will create dynamic interface per VLAN in your controller (tag VLAN per said as reqd.) and then corresponding VLAN’s in the upstream switches as well."

Above statement is valid only if Flex AP's then you need to worry about VLAN to SSID mapping and Flex profiles etc. this method is not recommended for routed access networks.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

bluesea2010
Level 5
Level 5
In response to Arshad Safrulla

‎10-20-2022 05:55 AM

Hi @Arshad Safrulla 

In that case do I need to create the same vlan on the access layer also , or access layer  do we need only ap management vlan 

Thanks 

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to bluesea2010

‎10-20-2022 06:20 AM

If you are going with Local mode then only AP management VLAN is needed in needed in all access switches.
___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

bluesea2010
Level 5
Level 5
In response to Arshad Safrulla

‎10-25-2022 10:49 PM

Hi @Arshad Safrulla 

What if  we create the vlan  assoicated with the SSID  on the access side 

Thanks

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to bluesea2010

‎10-26-2022 12:46 AM

Then you need to have APs in Flex mode, and you need to create the required Flex profiles. It will be like 1 Flex profile per access switch/stack. 

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card