
Optimal Placement Strategies for Cisco ISE & WLC on network architectu

techno.it
Level 3
Hi Team!
 
We're in the process of implementing Cisco ISE and WLC on our network and I'm looking for some insights on where to strategically position these components on the network.
 
Our Cisco network architecture is as follows. 
 
                                                    Internet     
                                                         |
                                                         |
                                        Perimeter Firewall---DMZ
                                                         |
                                                         |
DC ToR > DC Distri > DC Firewall > Core < Campus Access
 
I'd love to hear from anyone who has experience with a similar network setup or who has insights into the best practices for placing Cisco ISE and WLC in a network like ours. Your experiences and recommendations would be greatly appreciated!
 
Looking forward to your valuable input!

Accepted Solutions

thomas
Cisco Employee

@techno.it based on your topology I'd connect the WLC to the Core and I would personally connect ISE behind the DC Firewall.

Leo Laohoo
Hall of Fame

Get a reputable systems integrator to understand what the network is like, where all the bits-and-pieces are stashed away and where all the dead bodies are buried.

The worst mistake anyone can make with a loaded question like this is "shop for answers".

techno.it
Level 3

@Leo Laohoo 

We are currently collaborating with a third-party VAR. But I am also seeking guidance from the esteemed Cisco community regarding the optimal strategic placement of these components within network infrastructure.


@techno.it wrote:
We are currently collaborating with a third-party VAR. But I am also seeking guidance from the esteemed Cisco community regarding the optimal strategic placement of these components within network infrastructure.

With such limited information other than "this is what our network looks like, where does anyone think our WLC and ISE should go?" it would be irresponsible for someone to make any recommendation.

Next, I do not want to muddle the water to play second fiddle. If a VAR has been picked, then pick their brains. Shopping for answers is not the right way to implement something this important. It will only annoy the VAR and, trust me, wrong decisions will be made if this keeps up.

@Leo Laohoo Appreciate your concerns. I am just doing my due diligence by getting advice from the experts in the Cisco community. While VARs play a crucial role in implementation, the responsibility for designing a successful product or project is ultimate.

techno.it
Level 3

@Rob Ingram Depending on the wireless requirements (for instance, we plan to route wireless traffic locally with Flex Connect), would it make more sense to have it closer to the core and access points, or in the DC?

Corporate SSID that requires internal resources would have to pass through the firewall because the traffic has to be filtered.

WLC and ISE shall probably also be connected via a separate interface to the DMZ for the use cases below:

WLC- to segregate guest network traffic from internal resources using a firewall.

ISE- for a guest portal

thomas
Cisco Employee

Thank you @thomas 

The guide is specific to Guest access only. Are there any general design guides for Corporate LAN/Access for Cisco ISE and WLC available? If so, please provide a link if possible. Thank you.