
APIC-EM ZTD for Routers - Controller Placement

Hello Community,

I am currently thinking of implementing a zero touch deployment with the APIC-EM Network PnP module for Cisco ISR routers. The idea is to send the devices to the remote location without unpacking them beforehand and to give the people on the remote site just a manual on how the cabling should be done. We will have a working Internet connection in the location, so devicehelper.cisco.com would be reachable and I can define the profile in the CCO account with the proper APIC-EM profile. Now for me the question is about the placement of the controller. I have already set up a controller which is serving deployments for access switches, so the general concept is already clear to me. I would like to set up a separate controller for this purpose for security reasons, because it has to be somehow reachable from the Internet.


I can read in the solution guide that a reverse proxy should be set up if the controller is behind a DMZ. What exactly is the idea of this reverse proxy from the documentation? The controller is placed in a separate network segment in a DMZ. So why not simply give the controller a further network interface within a public segment (maybe with incoming NAT) and open port 443 to be available from the Internet? Between the controller and the Internet there would be another firewall, so I would only open port 443. If I use a reverse proxy instead, port 443 of the controller will also be available from the Internet and the same requests would arrive. What is the difference to just doing incoming NAT, for example, and why is a reverse proxy recommended?


Br
Michael


1 Reply

Seb Rupik
VIP Alumni

Hi there,

Using a reverse proxy doesn't provide any operational benefits compared to just placing the controller in the DMZ.

A reverse proxy can be used to secure access to a web server. In this scenario, although not explicitly mentioned in the APIC-EM documentation, URL access restrictions can be put in place. So whereas a firewall can only restrict access to TCP/443 to your known remote-site subnets, with a reverse proxy you can be more granular and restrict the URLs an IP/subnet can request. Doing so reduces the possible attack surface.


cheers,

Seb.
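As an added illustration of the URL-level restriction Seb describes (this is an example configuration written for this page, not code from the thread or from Cisco's documentation): an nginx reverse proxy in the DMZ that terminates TLS, forwards only requests under a PnP path prefix from the known remote-site subnets to the controller, and refuses everything else, so the controller's web GUI and REST API are never reachable even though the proxy itself listens on 443. The path prefix /pnp/, the example subnets 203.0.113.0/24 and 198.51.100.0/24, the hostname pnp.example.com and the controller address 10.20.30.40 are assumptions; check the PnP agent's actual URIs in the APIC-EM documentation before deploying.

```nginx
# Added example: nginx as a URL-filtering reverse proxy in front of an APIC-EM controller.
# Assumptions (not from the page): PnP agents only need URIs under /pnp/, remote sites
# arrive from 203.0.113.0/24 and 198.51.100.0/24, the controller listens on 10.20.30.40:443.
upstream apic_em {
    server 10.20.30.40:443;
}

server {
    listen 443 ssl;
    server_name pnp.example.com;

    ssl_certificate     /etc/nginx/tls/pnp.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/pnp.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the PnP agent endpoints, and only from the known remote-site subnets.
    location /pnp/ {
        allow 203.0.113.0/24;
        allow 198.51.100.0/24;
        deny  all;

        # PnP needs GET and POST; every other method is refused at the proxy.
        limit_except GET POST { deny all; }

        proxy_pass https://apic_em;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Verify the controller's certificate so the proxy cannot be redirected to a rogue backend.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/apic-em-ca.crt;
        proxy_ssl_server_name         on;
    }

    # Everything else on the controller (GUI login, REST API) is simply not published.
    location / {
        return 404;
    }
}
```

This is the practical difference to incoming NAT plus a port-443 firewall rule: with NAT, every URL the controller serves answers to any source the firewall lets through, including the management GUI and the API; with the proxy, only the PnP paths are forwarded and the rest of the controller's HTTP surface is never reachable from the Internet. The proxy is now the Internet-facing TLS endpoint, so it has to be patched and logged like any other exposed web server.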