I am getting ready to implement a WLAN where the customer has designed the Management and AP Manager interfaces to be on different subnets. I have never done a WLAN implementation in this manner because Cisco's config guide states ...
"The AP-manager interface’s IP address must be different from the management interface’s IP address and may or may not be on the same subnet as the management interface. However, Cisco recommends that both interfaces be on the same subnet for optimum access point association."
So, I have always followed this recommendation and have always made the two interfaces be in the same subnet with IPs in sequential order. The config guide does say it'll work, but I am just not sure what, if anything, I have to do for this to work properly ... or if there is really a difference in how the process works doing it either way.
I plan on using LAG with Layer 3 ... most times I place the APs in the same wireless subnet/VLAN as the management interface and AP manager, but in this case, or until I get more info, it looks like they all may be in different subnets. So, if that's the case, would I just need to use Option 43 so the APs can find the WLC, and if so, would I put the AP Manager IP or still use the WLC IP ... I guess I would have that same question if I went the DNS route? Or do I still use the WLC IP address for the APs to join, and at that point the AP Manager would take over the LWAPP communications?
Thanks for all your help in advance!
In order to do this, I think you would have to traffic shape the data coming off each port the AP is plugged into so that it can place all 12222 and 12223 (LWAPP) traffic on the different VLAN. If you are specifying the WLC address via DHCP or DNS, you'll want that to be the AP-Manager IP and not the Management IP since that's how the APs learn about the AP-Manager address (that or broadcast).
Any reason why they want to design it this way? I can see reclassifying that data (QoS-wise), but it sure seems like a lot of work for little to no benefit. In fact, if they're worried about security they could just have one VLAN assigned to "core wireless" and put the APs, AP-Manager, and Management IPs in that VLAN.
Not sure why they are doing it in this manner ... my guess is that they have over-thought this process ... sometimes you just have to keep things simple!
So, if what you're saying is true, the AP would come up, get an IP address via DHCP, learn of the AP Manager IP from the Option 43 configuration, and then send the LWAPP join request expecting to receive the join response from the WLC Management Interface or AP Manager IP? Just not sure why I am putting the AP Manager IP in the DHCP or DNS when the Management interface is supposed to be the only routable IP.
They're both "routable" but only the Management is "pingable". Keep in mind that the Management interface is used for you to remotely manage the WLC. The AP-Manager is the interface that remotely manages the APs; this is what talks LWAPP back to the APs (and APs talk LWAPP to it).
One thing I realized is that you could probably bring the APs up in a different VLAN (VLAN 10, let's say), tag the AP-Manager in VLAN 10 and keep the Management interface on the native VLAN. The thing with that is that you'd need a DHCP scope set up for VLAN 10 with option 43 set. That way the only thing on that VLAN is AP and LWAPP traffic.
In my humble opinion, I have made it a point to ensure the AP Manager and the Management IP address are on the same subnet because when I started with the WLC (using 4.x firmware) I initially set up the AP Manager IP address on a separate subnet. I found that no matter what I did, the LAPs wouldn't associate. (It wasn't an experiment; it was my first "lesson": Read the documentation.) So ever since, both are in the same subnet.
Before I got off the road I had about 100+ deployments with the AP Manager and Management in the same subnet with no issues. What I wouldn't do is pull your AP Manager VLAN out to the APs.
I haven't tried it, but you should give the management IP address as option 43.
The LAP will compile a list of controllers and send a WLC discovery request to the WLC.
The WLC discovery reply contains the sysname, etc., but also the AP manager IP address.
You should be using the WLC Management IP as documented in "Cisco 440X Series Wireless LAN Controllers Deployment Guide". Below is quoted from that document.
"The IP address of the WLC Management Interface should be used for Option 43 and DNS resolution of CISCO-LWAPP-CONTROLLER.localdomain." For further information, see the section on "Understanding Deployment Basics" beginning on page 13. Detailed information on using vendor specific DHCP Option 43 for WLC discovery is included in Appendices C, D, and E of this document.
Also, there is no issue having the AP Manager and Management interfaces in different VLANs, although it is not recommended; just be sure to allow both VLANs across the trunk to the WLC. I would also recommend placing your APs in different VLANs than the WLC Mgmt/AP Mgr VLAN. Cisco recommends having no more than 60-100 APs per VLAN to minimize re-association problems in case of network failure.
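The two replies above both come down to the same operational step: handing the APs the WLC Management IP through DHCP Option 43 so they can send their discovery request. The script below is an added example, not code from the thread or from Cisco; it builds and parses the vendor-specific Option 43 value in the TLV form Cisco lightweight APs expect (sub-option type 0xF1, length = 4 x number of controllers, then each controller IPv4 address) and prints the matching `option 43 hex` line for a Cisco IOS DHCP pool. The controller addresses (192.168.10.5 and 192.168.10.6) are constructed for the example and stand in for your Management interface IP(s).

```python
import ipaddress
from typing import List

# Cisco vendor-specific sub-option carrying WLC IPv4 addresses for LWAPP/CAPWAP discovery.
CISCO_WLC_TLV_TYPE = 0xF1


def encode_option43(controller_ips: List[str]) -> str:
    """Return the hex string for DHCP Option 43 listing the given WLC Management IPs.

    Layout: [0xF1][4 * N][IPv4 #1][IPv4 #2]...  (N = number of controllers)
    """
    if not controller_ips:
        raise ValueError("at least one controller IP is required")
    # ipaddress raises if a string is not a valid IPv4 address (typos surface here,
    # not as APs that silently never join).
    addrs = [ipaddress.IPv4Address(ip) for ip in controller_ips]
    length = 4 * len(addrs)
    if length > 255:
        raise ValueError("too many controllers for a single TLV")
    payload = bytes([CISCO_WLC_TLV_TYPE, length]) + b"".join(a.packed for a in addrs)
    return payload.hex()


def decode_option43(hex_value: str) -> List[str]:
    """Parse an Option 43 hex value (IOS dotted form like f104.c0a8.0a05 accepted)
    and return the WLC IPv4 addresses found in the 0xF1 sub-option."""
    data = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    controllers: List[str] = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = data[pos], data[pos + 1]
        value = data[pos + 2 : pos + 2 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("TLV length exceeds available data")
        if tlv_type == CISCO_WLC_TLV_TYPE:
            if tlv_len % 4 != 0:
                raise ValueError("0xF1 length must be a multiple of 4")
            for i in range(0, tlv_len, 4):
                controllers.append(str(ipaddress.IPv4Address(value[i : i + 4])))
        # Other sub-option types are skipped; only 0xF1 matters for WLC discovery.
        pos += 2 + tlv_len
    return controllers


def ios_option43_line(controller_ips: List[str]) -> str:
    """Config line for a Cisco IOS 'ip dhcp pool' stanza."""
    return f"option 43 hex {encode_option43(controller_ips)}"


if __name__ == "__main__":
    # Constructed example addresses: use the WLC Management IP(s), not the AP-Manager IP.
    wlcs = ["192.168.10.5", "192.168.10.6"]
    line = ios_option43_line(wlcs)
    print(line)                                  # option 43 hex f108c0a80a05c0a80a06
    print(decode_option43(line.split()[-1]))     # ['192.168.10.5', '192.168.10.6']
```

Running the decoder against a value already configured on the DHCP server is a quick way to confirm the APs are being pointed at the Management interface and not at the AP-Manager or a mistyped address.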
You are the consultant, so you should make the suggestion and tell your customer that it is best practice to put the Management and AP Manager on the same subnet. Show them the Cisco documentation and explain to them what the management interface is for and what the AP Manager interface is for. I would think they "READ" too much and don't understand. Bottom line, it won't work. Initially the APs will use the management interface to join and then will use the AP manager interface. Traffic will still traverse the WLC if the APs are in local mode, and then you can specify the traffic to get dropped off on another interface which the clients belong to. It's up to you to make the client aware of what is best practice. Even if you use multiple AP managers because you will not use LAG, you still need the AP managers on the same VLAN as the management.