My MSM Best Practice Tips


In this post, I will share my MSM best practice tips for working with the controller. This is not a complete list, but it is all the stuff I do first. From time to time I will update the post or create a completely new one to stay up to date.
So, let’s start now:

1. Which firmware to use?

As you know, there are many different firmware versions out there. This is often very confusing for people dealing with the controller. For my controller at home, I always use the latest and greatest, but my system at home is far away from a production system, if you exclude my family, which can be very challenging when issues with the WLAN occur 🙂

  • I always prefer the 5.7.x branch for production systems, and from this branch the latest and greatest.
  • For environments where the new features like RRM are required, I would use 6.0.x and again the latest and greatest.
  • Where support for the new controller, the MSM775, or the new AP, the 425, is needed, use version 6.2.x. Again, latest and greatest.
  • If you want to use the new GUI with the Dashboard and the Bonjour Gateway functionality, you need to go to 6.3.x or 6.4.x. I would use the latest patch of 6.4.x in this case.

I always recommend reading the release notes and looking at the known issues list to decide which version fits the environment best.

2. Which port should I use for what?

This is always a topic of discussion. Many people are not sure which port to use for what, and the bad news is that you are really flexible in which port to use. I have created some guidance for myself on which port to use for what.

LAN Port

I try to avoid using the LAN port at all. This means I do not even connect the LAN port to a switch when working with a standalone controller.
When I work in a teamed environment, which means I have more than one controller operating as one, I always use the LAN port as the “Control channel”.


Sometimes I connect the LAN port to the VLAN the APs are in, if the environment requires this, but as described in the next section, I always recommend putting the APs in a separate VLAN and discovering the controller via L3.

Internet Port

Now the interesting news: I use the Internet port for the rest. First of all, I configure the management IP on the physical Internet port. This will also be the IP which is propagated to the APs to discover the controller. For this to work, you have to enable AP discovery on the Internet port.


When doing Teaming, I also have the Teaming IP on the Internet port.
All VLANs with client data traffic which needs to go through the controller as egress networks are tagged on the Internet port. This is a common configuration and should always be the case, but remember, most of the traffic should be bridged locally, as this gives the best performance for the WLAN clients.

3. Where to put the APs

As mentioned above, I always recommend putting the APs in a separate VLAN. I would always use a DHCP server for serving IP addresses to the APs. If needed, you can set static IP addresses on the DHCP server. This is just my preferred way; you can use whatever the environment requires.
To find the controller you can also use the DHCP server. Option 43 can be used to send the IP address of the controller to the AP. If needed, you can also use a DNS server for this part. From my point of view, the worst case is to configure the AP with a static IP via the provisioning settings. That would mean configuring each AP one by one.
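Many DHCP servers want option 43 entered as raw hex, so it helps to build and check the bytes before rolling them out. The following is an added example, not part of the original post: it encodes and decodes the RFC 2132 vendor-specific TLV layout, and it assumes the controller list travels in sub-option 1 (check the configuration guide for your firmware); the addresses are constructed sample values.

```python
import ipaddress

# Assumption: the controller list is carried in sub-option 1 of option 43.
# Confirm the code in the configuration guide for your firmware release.
CONTROLLER_SUBOPTION = 1


def encode_option43(controllers, subopt=CONTROLLER_SUBOPTION):
    """Build the option 43 payload: one TLV holding packed IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(value) > 255:
        raise ValueError("too many addresses for a single sub-option")
    return bytes([subopt, len(value)]) + value


def decode_option43(payload, subopt=CONTROLLER_SUBOPTION):
    """Walk the TLVs and return the controller addresses found in subopt."""
    found, i = [], 0
    while i < len(payload):
        code = payload[i]
        if code == 0:        # pad byte, no length field
            i += 1
            continue
        if code == 255:      # end marker
            break
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past end of payload")
        if code == subopt:
            if length == 0 or length % 4:
                raise ValueError("controller list is not a multiple of 4 bytes")
            found += [str(ipaddress.IPv4Address(value[j:j + 4]))
                      for j in range(0, length, 4)]
        i += 2 + length
    return found


if __name__ == "__main__":
    # Constructed sample: two teamed controllers on the management VLAN.
    payload = encode_option43(["10.10.20.5", "10.10.20.6"])
    print(payload.hex())
    print(decode_option43(payload))
```

Running `decode_option43` over the option 43 bytes seen in a packet capture from the AP VLAN confirms that the APs are being pointed at the controller addresses you intended and nothing else.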

4. The Default Group

The Default Group is where all new and unknown APs are put. This is a great function, but by default the default VSC is bound to this group, which means that all new APs will send out this SSID. To avoid this, I remove this binding before putting the first AP on the network. This makes sure that every unknown or new AP will work with disabled radios, as no SSID is attached to the AP.
For working APs I always create new groups with a very descriptive name, to know what the group is used for.

5. System Time

This is more a tip than a best practice, but having the correct date and time is very important when working with the MSM controller. For all appliances you have to set the system time manually or configure an NTP server. For the modules this is not possible; the system time of the switch containing the module is used instead.
The date is important because the controller works with certificates that have a given validity period. An incorrect system time can lead to crazy errors while connecting APs to the controller. User authentication will also not work correctly when the time is not correct.

6. Enable Management traffic for the internet port

If you follow my second piece of advice and use the Internet port for everything, you need to enable the Internet port for management traffic. We already did this for the AP discovery, but we also need to enable it for other functions:

Management access:


SNMP access:


SOAP access:


Most of the others are no-brainers, but this one is not that obvious: iMC will use the SOAP API for BYOD, and the GMS (Guest Management Tool) will also use this API to gain access to the controller.

If you follow these best practice tips, you will have a good starting point for a stable controller. I will add more tips when needed.
For questions and feedback feel free to use the comment function below. I will try to answer all comments.
