This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

APs in same VLAN as controllers?

david_henderson
Contributor II

‎01-04-2016 01:40 PM

We will using bridge mode for all of our APs per Ruckus best practice. All of our servers on campus run under VMWare and all of them whether running Windows, Linux, or some form of Unix reside in vlan 125. Normally we would place our Ruckus vSZ controllers in vlan 125. This is a vlan that at the moment we do not trunk outside the data center with our layer2/3 core switch providing routing to this vlan.

Two questions
  1. Is there any reason to have the Ruckus APs also in vlan 125? It appears that a simple DNS entry can point the APs to the controller in a different vlan
  2. We will be dividing wireless client traffic into different vlans based on type (district owned device, staff or student personal device, or guest device). Should the APs themselves be in a separate vlan from the vlans that carry wireless traffic? In other words, should the 400 APs that we plan on installing be in a vlan by themselves?
10 REPLIES 10

bill_burns_6069
Contributor III

‎01-04-2016 02:12 PM

I would not (in general) want my AP management addresses in the same subnet as my datacenter / servers.

If you've got (or will have) 400 Ruckus APs, then yes, they should have their own subnet.
(at least one)

If you really want them all in the same subnet/VLAN, then that subnet will need to be larger than a "class C" or  "/24" subnet.
If you're in a school district with different address space for each building / school then you'll probably want a different AP management subnet for each school. (otherwise, you'd have to build an overlay network or something like that)

Right now, we're talking about management subnets for the APs.
Personally (with all the APs in one management subnet) I'd be fine w/ putting the controller in that same subnet. Other people in that position might find a reason to secure the controller behind some kind of firewall. That would be one reason to keep it in another subnet than the APs.

If the APs will not all be in the same management subnet then you might-as-well keep the controller in your VLAN 125 (or some VLAN other than the APs) so that (for consistency) the controller would not be in the same subnet as *any* of the APs. (as opposed to being in the same subnet as *some* of them)

re: Question 2:
Yes, the AP management subnets+VLANs should be different from the VLANs (associated w/ WLANS and SSIDs) that carry the users wireless traffic.
0 Kudos

seanmuir
Contributor III

‎01-04-2016 02:14 PM

All you need to know is that the vSCG has 3 planes:

Management

Control

Data

The management plane is simply for you to access the UI of the SCG.

The control plane is what is used for the AP management traffic.

Note: AP management (control plane) and vSCG management (management plane) cannot be on the same subnet so you will have to seperate them via VLAN.

The data plane is mainly used for the following:

  • Encrypted data tunneling: Provides flexible options for data tunneling from all types of Virtual LANs (VLANs), including guest traffic encryption; point of sale data tunneling for PCI compliance; VoIP traffic tunneling; and seamless roaming across Layer 2 subnets.
  • Dynamic data plane scaling: Provides scale and resiliency for large deployments supporting 1Gbps, 10Gbps or higher throughput – which can be dynamically tuned without needing software updates.
  • Cluster architecture: Provides scale and resiliency for large deployments supporting up to 30,000 access points and 300,000 devices. One Virtual SmartZone controller can manage up to two vSZ-D instances, and four-controller cluster can manage up to 8 vSZ-D instances.
  • Support for multiple hypervisors: Provides initial support for two of the industry’s most widely deployed virtualization engines – VMware vSphere and KVM (OpenStack).

When deplying AP's they do not necessarily need to be to on the same subnet as client traffic, but to administer VLAN tagging for AP WAN interface (AP management) can only be done using the CLI at the moment:
set interface wan vlan 10 10.10.10.2 255.255.255.0 10.10.10.1
The client traffic can also be tagged if you like and this achievable via the vSCG UI

Note: If you want to simplify things and have client traffic and AP management on the same VLAN, this is no real issue, as you can prevent access to your management network via the use of ACL's on your venue router.

I hope this answers your questions

Good Luck!
0 Kudos

david_henderson
Contributor II

‎01-04-2016 03:24 PM

Thanks for the quick replies
I have a class A address space so lots of available IP addresses
Here is a summary along with a few scattered questions
  • Put the controller in vlan 125. In other words, the management IP address will be 10.121.125.xxx
  • Put the APs in vlan 8 which is a /22 vlan. This gives me plenty of IP addresses to hand out to APs via DHCP
  • Put the vSZ control plane in vlan 8 as well so the APs and controller's control plan are in the same vlan. How can this be done?
  • I know that data plane and control plan traffic can be separated via the purchase and deployment of vSZ-D. In our situation is there any advantage to doing this?
  • Put the wireless client traffic in a different vlan(s)
It was mentioned about AP management address. My understanding  is once the APs connect to the controller then you cannot go to the IP address of the AP and do any type of management, all of it is done via the controller. Is that correct?
0 Kudos

seanmuir
Contributor III
In response to david_henderson

‎01-04-2016 04:58 PM

Here are my responses:
Put the vSZ control plane in vlan 8 as well so the APs and controller's control plan are in the same vlan. How can this be done?
If its a local vSZ and the AP's are in the same locality, just make the port facing the Control plane an access vlan 8 port.

If they are not in the same locality and they are remote AP's, then the router will do this via VLAN pruning.
I know that data plane and control plan traffic can be separated via the purchase and deployment of vSZ-D. In our situation is there any advantage to doing this?
What are you using the data plane for? If you are clustering then you will need a data plane for HA.

					
				
			
			
				
			
			
				
			
			
			
			
			
			
		

		
		
	

	
	


	
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
				
		
			
		
			
					
			
		
				
		
			
		
	
	


		

	

		

			

	
		
			
					

	
			

				
		
			
		
			
				

					
						
	
			0
		

	Kudos

					
				

			
			
		

	
		
    	
		

			
				
					
				
				
			
		

	
    
			

		

	

	

	

    

	

	


				
		
			
					
				
		
	
	


		

			

	
		
			
					
				
		
			
		
			
		
	
	


		

	

		

			

	
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
				
		
			
					
				
		
	
	


		

	



		

	

	

	




			
		
    
            

                

            

        

	
		

		
	

	

	



		
		
	


	

	
		

			

	
				
			


		

	




			
				


	
		

	
		

			

			
	

	

		


	

	

	

	


		

			
				

					
		

			

	
			
				
					
				
				
			
		


		

	
					
						

							
						

						

							

	
								
							


						

						
					
				

			

			

				
		

			

	
			
				
					
				
				
			
		


		

	
				

	
		
	

	


			

		

		
	
	


			
		

	

	

				
		
		
	
	


		

			

	
		
			

		
			




		
	
	


		

	

		

			

	
		
			

	

		

			

	
		
			
              

		
	
	


		

	

		

			

	
		
			

    

        

            Copyright © 2024 Khoros, LLC