We size our AP management networks for how many devices we expect to need, but 
generally a /24 is sufficient for each building since we do not have more than 
200 APs in a single building.  Small buildings get a /26 each.  It really 
doesn't matter what the prefix length is (as long as it is big enough), but 
rather how many devices actually end up on a single L2.  We avoid stretching L2 
across buildings for all use cases, not just AP management.  We share the AP 
management network with other infrastructure devices like UPSes, but not with 
IP phones, printers, or other end-user devices.  I'd imagine that if you keep 
end-user devices off the same VLAN as your APs, you shouldn't have to worry too 
much about broadcast traffic even with 2000 APs on a single VLAN if that is 
actually required.  But I'd keep your L2s as small as practical--don't share 
L2 across buildings if you have the capability to separate them.  Don't let 
laziness dictate the network design.  So far this has worked well for us.

On Fri, Jun 19, 2020 at 11:51:24AM -0400, Jesse Thomas wrote:
> Hi Everyone,
> 
> Thanks for all the responses thus far—this community is always extremely
> helpful.
> 
> I should add that we have L2 connectivity in each location and that all APs
> run in Local Mode (tunneled back to controller), so aside from DHCP at
> boot, there would be very little broadcast traffic.
> 
> @Bruce - I like your idea of having them on the building VLANs. We do that
> for some now and I had not considered that for all of them. However, we are
> also looking at Cisco's DNA for management, and I think that would be
> easier to manage if the APs were on a dedicated set of networks. We moved
> our switches to this model (dedicated management network) starting last
> year, and it has worked well for us.
> 
> To ease management, my preference would be for a pair of /22s, or even one
> /21, but I worry a little about that many APs in one segment. Has anyone
> gone "too big", and had issues as a result?
> 
> Thank you again,
> 
> 
> --
> Jesse Thomas
> Network & Systems Administrator
> Hamilton College
> 315-859-4211
> 
> 
> On Thu, Jun 18, 2020 at 2:46 PM Adam T. Ferrero <a...@temple.edu> wrote:
> 
> >
> >   We have ~6k APs and place them on AP mgmt. subnets of /22.  We tunnel
> > all traffic back to controllers so the broadcast isn't significant (no user
> > broadcast on the AP mgmt. vlan).  The weakest devices we have are VoIP
> > phones where 200 broadcast packets per second can hurt them but broadcast
> > pps above 50 is abnormal here.
> >
> >   Adam
> >
> > -----Original Message-----
> > From: The EDUCAUSE Wireless Issues Community Group Listserv <
> > WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Curtis, Bruce
> > Sent: Thursday, June 18, 2020 2:19 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: [External] Re: [WIRELESS-LAN] AP Management Network Size
> >
> > We take a more Zero Trust approach and don’t put APs on a separate Vlan.
> >
> > The APs are on the same Vlan as other devices in the building.
> >
> > No problems in more than 14 years.
> >
> > We do give them private IPv4 numbers but they get public IPv6 numbers.
> >
> > > On Jun 17, 2020, at 2:56 PM, Jesse Thomas <jtho...@hamilton.edu> wrote:
> > >
> > > Hi Everyone,
> > >
> > > We are preparing to replace our existing Cisco WiSM2 controllers with
> > > 9800s. Part of this upgrade will include redesigning our AP management
> > > network(s)—currently, we have about 500 APs spread across 3 different
> > > /24's.
> > >
> > > As we move towards an in-room design in our residence halls and provide
> > > denser 5GHz coverage throughout campus in the coming years, we expect the
> > > number of APs to grow by quite a bit.
> > >
> > > I am interested in how others have sized your AP management networks? I
> > > have not found any concrete guidance from Cisco and various recommendations
> > > elsewhere range from /25 to /21. Larger ranges would of course be easier to
> > > manage, but at the same time we don't want to introduce issues related to
> > > broadcast traffic.
> > >
> > > Thanks for any input that you can provide.
> > >
> > > Regards,

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
