889 Views, 0 Helpful, 5 Replies

Guest Anchor Management Interface

davddobie (Level 1)

I am following the Enterprise Mobility Design Guide (below) and I am not clear on the position of the management interface. Fig. 10.1 and 10.2 show one interface on the DMZ. Fig. 10.15 shows 2 interfaces, one on the DMZ and one on the management VLAN. Is it OK for me to have the management interface connect to the trusted side of my network and just create the anchor behind the firewall? Or should I have both interfaces on the DMZ and have the tunnel go through the firewall?

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/WirelessNetwork_GuestAccessService.html


5 Replies

pieterh (VIP)

it is common practice to put the anchor WLC (including management interface) in a DMZ like 10.1

for some client traffic (e.g. dhcp-proxy) the WLC uses its management IP

and then yes, the tunnel goes through the firewall.

 

I suggest you look at image 10.15: it is good practice to also place a FW between the guest-DMZ and the server-DMZ

(which in turn does not show in 10.1)

 

 

Thanks for the reply. Are there any security concerns with putting the management interface on the trusted network? I only have one interface available on my firewall (for my DMZ interface directly connected to the firewall).

 

is the firewall able to handle (dot1q) subinterfaces?

then you can use vlans to separate traffic.

 

Yes, it is an ASA. I will see if we can do that since it seems most secure.

 

Just in case we do go with the 2-arm approach, what should I be concerned with to lock it down? The management interface would be on our internal management network, which has ACLs separating it from the other VLANs. Management via wireless is disabled.

on rare occasions client traffic may "leak" from the management interface; that is a reason to put it "behind bars".

the management interface is used for some client data, e.g. if you configure dhcp-proxy or external web-auth.

if running guest-DHCP locally on the controller or on some other device on the guest vlan, this is no concern

 

basically you configure normal rules for management access (ssh, https and snmp), and of course the foreign-anchor communication
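Since the thread ends with "normal rules for management access ... and the foreign-anchor communication" without spelling them out, here is an added ASA configuration fragment (not from the thread, the design guide or Cisco) that implements the layout pieterh recommends: the anchor WLC, management interface included, lives in a DMZ, the single physical firewall port is split into dot1q subinterfaces (one for the anchor management DMZ, one for the guest client VLAN), and only the mobility tunnel and admin protocols are allowed through. The interface names, VLAN IDs and all addresses (foreign WLC 10.0.0.10, anchor WLC 192.0.2.10, management network 10.0.1.0/24, NMS host 10.0.1.50) are constructed placeholders for illustration. The port numbers are Cisco's documented mobility ports: UDP 16666 for mobility control messages, UDP 16667 for secure mobility, and IP protocol 97 (EoIP) for the tunnelled client data; newer CAPWAP-based "new mobility" uses UDP 5246/5247 instead, noted in a remark.

```cisco
! Physical port to the switch trunk; the switch side must trunk VLANs 10 and 20
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
! Anchor management DMZ (assumed VLAN 10): anchor WLC management interface lives here
interface GigabitEthernet0/2.10
 vlan 10
 nameif anchor-mgmt
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Guest client DMZ (assumed VLAN 20): anchor dynamic interface / guest clients
interface GigabitEthernet0/2.20
 vlan 20
 nameif guest
 security-level 10
 ip address 198.51.100.1 255.255.255.0
!
! Placeholder addresses; replace with your own
object network FOREIGN-WLC
 host 10.0.0.10
object network ANCHOR-WLC
 host 192.0.2.10
object network NMS-HOST
 host 10.0.1.50
object-group network NET-MGMT
 network-object 10.0.1.0 255.255.255.0
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Inside -> anchor: mobility tunnel from the foreign WLC management IP only
access-list INSIDE-IN remark foreign-anchor mobility (EoIP-based mobility)
access-list INSIDE-IN extended permit udp object FOREIGN-WLC object ANCHOR-WLC eq 16666
access-list INSIDE-IN extended permit udp object FOREIGN-WLC object ANCHOR-WLC eq 16667
access-list INSIDE-IN extended permit 97 object FOREIGN-WLC object ANCHOR-WLC
access-list INSIDE-IN remark if using CAPWAP-based new mobility, permit udp 5246 and 5247 instead of the three lines above
! Inside -> anchor: admin access only from the management network
access-list INSIDE-IN remark management access: ssh, https, snmp
access-list INSIDE-IN extended permit tcp object-group NET-MGMT object ANCHOR-WLC eq 22
access-list INSIDE-IN extended permit tcp object-group NET-MGMT object ANCHOR-WLC eq 443
access-list INSIDE-IN extended permit udp object-group NET-MGMT object ANCHOR-WLC eq 161
access-list INSIDE-IN remark ... your existing inside policy continues here
access-group INSIDE-IN in interface inside
!
! Anchor management DMZ -> inside: only the return side of the tunnel and SNMP traps.
! Anything else sourced from the anchor's management interface (the "leak" case)
! hits the implicit deny at the end of the list and is logged by the ASA.
access-list ANCHOR-MGMT-IN extended permit udp object ANCHOR-WLC object FOREIGN-WLC eq 16666
access-list ANCHOR-MGMT-IN extended permit udp object ANCHOR-WLC object FOREIGN-WLC eq 16667
access-list ANCHOR-MGMT-IN extended permit 97 object ANCHOR-WLC object FOREIGN-WLC
access-list ANCHOR-MGMT-IN extended permit udp object ANCHOR-WLC object NMS-HOST eq 162
access-group ANCHOR-MGMT-IN in interface anchor-mgmt
!
! Guest clients: internet only, never into private address space
access-list GUEST-IN extended deny ip any object-group RFC1918
access-list GUEST-IN extended permit ip 198.51.100.0 255.255.255.0 any
access-group GUEST-IN in interface guest
```

The important property is the second list: traffic leaving the anchor's management interface toward the inside is limited to the mobility peer and the NMS, so a client flow that ends up on the management interface (dhcp-proxy, external web-auth) cannot reach internal hosts. If the guest DMZ needs DHCP or DNS from a server DMZ, as in Fig. 10.15, add explicit rules for those servers on the guest interface rather than opening the management DMZ.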
