@Andrew Bell wrote:
2 controllers, approximately 700 APs on each network (1400 total).
The 8.6 user guide (pg 51) says the loopback must be configured in a "multiple subnets [...] scenario". It goes on to say that if you don't then the first configured VLAN IP will be used instead. I assume that the logic here is that by configuring a loopback IP explicitly you get to override that automatic selection.
As I understand it, an AP always builds its tunnel to the controller IP address, not to a VLAN IP. So if the controller IP is an interface VLAN IP, then all APs, from both networks, have to have a path to that interface.
With correctly configured routing, there's no reason that path couldn't be from a different interface on the same controller, which solves the problem of eliminating the external connection between the campus and residence networks.
"You must configure a loopback address if you are not using a VLAN ID address to connect the managed device to the network" - That is an overstatement. A controller's management IP address is on a VLAN, and that VLAN has an IP address. You don't "need" a loopback. In your situation, it would be complicating a rather simple network. If your controller's management IP address is on VLAN 100, you would simply do:
config t
interface vlan 100
ip address 192.168.1.20 255.255.255.0
controller-ip vlan 100
And you would be done. No loopback needed. A controller, even in the most complicated networks, only requires a single IP address on a VLAN. The client VLANs do not require an IP address if the clients' default gateway is the layer 3 switch (router) instead of the controller.
A controller needs an IP address for (1) management and (2) for access points to send their traffic to. The only other circumstance where a controller would need an IP address is if you have a captive portal network and you don't want to host that captive portal on the management IP address of the controller. Please don't get hung up on the loopback interface. It is not necessary....
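As an added example (not code from either poster, and not Aruba's), the following Python script models the controller-IP selection rule discussed in this thread against an ArubaOS-style config snippet: an explicit `controller-ip` selection wins, otherwise a configured loopback address is used, otherwise the first VLAN interface that has an IP address. Two assumptions are made because the thread does not settle them: "first" VLAN is taken to mean the lowest VLAN ID, and the sample configs below are constructed for illustration. The useful part is the failure mode it catches: a `controller-ip vlan N` that points at a VLAN with no IP address, which leaves the APs with nothing to tunnel to.

```python
"""Determine the effective controller IP from an ArubaOS-style config snippet.

Added example for this thread; not code from the original posts or from Aruba.
Precedence modelled (as stated in the thread, with one assumption):
  1. explicit `controller-ip vlan N` / `controller-ip loopback`
  2. a configured loopback address
  3. the first VLAN with an IP address (assumption: lowest VLAN ID)
"""
import ipaddress
import re

# Constructed sample configs (not from the original posts).
CONFIG_NO_LOOPBACK = """
interface vlan 100
 ip address 192.168.1.20 255.255.255.0
interface vlan 200
 ip address 10.20.0.1 255.255.255.0
controller-ip vlan 100
"""

CONFIG_LOOPBACK = """
interface loopback
 ip address 10.255.255.1
interface vlan 100
 ip address 192.168.1.20 255.255.255.0
interface vlan 200
 ip address 10.20.0.1 255.255.255.0
"""

# Pitfall: controller-ip references a VLAN that has no IP address.
CONFIG_BAD_REF = """
interface vlan 100
 ip address 192.168.1.20 255.255.255.0
controller-ip vlan 300
"""


def parse_config(text):
    """Return (vlan_ips, loopback_ip, controller_ref).

    vlan_ips:       {vlan_id: ipaddress.IPv4Interface}
    loopback_ip:    ipaddress.IPv4Address or None
    controller_ref: ("vlan", id) | ("loopback", None) | None
    """
    vlan_ips, loopback_ip, controller_ref = {}, None, None
    current = None  # interface block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface vlan (\d+)$", line)
        if m:
            current = ("vlan", int(m.group(1)))
            continue
        if line == "interface loopback":
            current = ("loopback", None)
            continue
        m = re.match(r"ip address (\S+)(?: (\S+))?$", line)
        if m and current is not None:
            addr, mask = m.group(1), m.group(2) or "255.255.255.255"
            if current[0] == "vlan":
                vlan_ips[current[1]] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            else:
                loopback_ip = ipaddress.IPv4Address(addr)
            continue
        m = re.match(r"controller-ip vlan (\d+)$", line)
        if m:
            controller_ref = ("vlan", int(m.group(1)))
            continue
        if line == "controller-ip loopback":
            controller_ref = ("loopback", None)
    return vlan_ips, loopback_ip, controller_ref


def effective_controller_ip(text):
    """Return (source, ip) that APs would tunnel to, or raise ValueError."""
    vlan_ips, loopback_ip, ref = parse_config(text)
    if ref is not None:  # 1. explicit selection wins
        kind, vid = ref
        if kind == "loopback":
            if loopback_ip is None:
                raise ValueError("controller-ip loopback, but no loopback address configured")
            return ("loopback", str(loopback_ip))
        if vid not in vlan_ips:
            raise ValueError(f"controller-ip vlan {vid}, but VLAN {vid} has no IP address")
        return (f"vlan {vid}", str(vlan_ips[vid].ip))
    if loopback_ip is not None:  # 2. loopback, if configured
        return ("loopback", str(loopback_ip))
    if vlan_ips:  # 3. first (assumed: lowest-ID) VLAN with an address
        first = min(vlan_ips)
        return (f"vlan {first}", str(vlan_ips[first].ip))
    raise ValueError("no controller IP available: no loopback and no VLAN with an IP address")


if __name__ == "__main__":
    for name in ("CONFIG_NO_LOOPBACK", "CONFIG_LOOPBACK", "CONFIG_BAD_REF"):
        try:
            print(name, "->", effective_controller_ip(globals()[name]))
        except ValueError as err:
            print(name, "-> ERROR:", err)
```

Run against the four-line config from the reply above, the script reports `vlan 100` / `192.168.1.20` as the address every AP on both networks must be able to reach, which is the whole point of the routing discussion: whichever interface that address lives on, campus and residence APs only need a route to it.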