topic Re: Guest Anchor Management Interface in Wireless

Guest Anchor Management Interface

davddobie — Mon, 05 Jul 2021 16:25:55 GMT

I am following the Enterprise Mobility Design Guide (below) and I am not clear on the position of the management interface. Fig. 10.1 and 10.2 show one interface on the DMZ. Fig. 10.15 shows 2 interfaces, one on the dmz and one on the management vlan. Is it ok for me to have the management interface connect to the trusted side of my network and just create the anchor behind the firewall? Or should I have both interfaces on the DMZ and have the tunnel go through the firewall?

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/WirelessNetwork_GuestAccessService.html

Re: Guest Anchor Management Interface

pieterh — Fri, 09 Nov 2018 08:03:43 GMT

it is common practice to put the anchor WLC (including management interface) in a DMZ like 10.1

for some client traffic (e.g. dhcp-proxy) the WLC uses it's management IP

and then yes, the tunnel goes through the firewall.

I suggest you read image 10.15 that it is good practice to also place a FW between the guest-DMZ and the server-DMZ.

(wich in turn does not show in 10.1)

Re: Guest Anchor Management Interface

davddobie — Mon, 12 Nov 2018 16:09:41 GMT

Thanks for the reply. Is there any security concerns with putting the management interface on the trust network? I only have one interface available on my firewall (for my DMZ interface directly connected to the firewall).

Re: Guest Anchor Management Interface

pieterh — Mon, 12 Nov 2018 16:19:11 GMT

is the firewall able to handle (dot1q) subinterfaces?

than you can use vlans to separate trafic.

Re: Guest Anchor Management Interface

davddobie — Mon, 12 Nov 2018 16:32:20 GMT

Yes it is an ASA. I will see if we can do that since it seems most secure.

Just in case we do go with the 2 arm approach what should I be concerned with to lock it down? The management interface would be on our internal management network that has ACLs separating it from the other vlans. Manage via wireless is disabled.

Re: Guest Anchor Management Interface

pieterh — Tue, 13 Nov 2018 08:00:52 GMT

in rare occasions client traffic may "leak" from the management interface that is a reason to put it "behind bars".

the management interface is used for some client data e.g. if you configure dhcp-proxy or external web-auth.

if running guest-DHCP local on the controller or some other device on the guest vlan this is no concern

basically you configure normal rules for management access ssh, https (, snmp), and of course the foreign-anchor communication