11-08-2018 12:09 PM - edited 07-05-2021 09:25 AM
I am following the Enterprise Mobility Design Guide (below) and I am not clear on the position of the management interface. Fig. 10.1 and 10.2 show one interface on the DMZ. Fig. 10.15 shows 2 interfaces, one on the DMZ and one on the management VLAN. Is it ok for me to have the management interface connect to the trusted side of my network and just create the anchor behind the firewall? Or should I have both interfaces on the DMZ and have the tunnel go through the firewall?
11-09-2018 12:03 AM
It is common practice to put the anchor WLC (including the management interface) in a DMZ, as in 10.1.
For some client traffic (e.g. dhcp-proxy) the WLC uses its management IP,
and then yes, the tunnel goes through the firewall.
I suggest you read from figure 10.15 that it is good practice to also place a FW between the guest-DMZ and the server-DMZ
(which in turn does not show in 10.1).
11-12-2018 08:09 AM
Thanks for the reply. Are there any security concerns with putting the management interface on the trusted network? I only have one interface available on my firewall (for my DMZ interface directly connected to the firewall).
11-12-2018 08:19 AM
Is the firewall able to handle (dot1q) subinterfaces?
Then you can use VLANs to separate traffic.
11-12-2018 08:32 AM
Yes it is an ASA. I will see if we can do that since it seems most secure.
Just in case we do go with the 2 arm approach what should I be concerned with to lock it down? The management interface would be on our internal management network that has ACLs separating it from the other vlans. Manage via wireless is disabled.
11-13-2018 12:00 AM
On rare occasions client traffic may "leak" from the management interface; that is a reason to put it "behind bars".
The management interface is used for some client data, e.g. if you configure dhcp-proxy or external web-auth.
If running guest-DHCP locally on the controller or on some other device on the guest VLAN, this is no concern.
Basically you configure normal rules for management access (ssh, https, and maybe snmp), and of course the foreign-anchor communication.
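As an added example (constructed here, not configuration from the thread or from the design guide), this is what the two suggestions above look like on an ASA: the single physical DMZ interface split into dot1q subinterfaces for the guest DMZ and the anchor's management VLAN, identity NAT so the foreign-anchor tunnel is not translated, and ACLs that allow only management access (ssh, https, snmp) from the admin network plus the foreign-anchor mobility traffic. All interface names, VLAN IDs, object names and addresses are placeholders; the mobility protocols used here (UDP 16666 for mobility control and IP protocol 97 for the EoIP data tunnel) are those of classic Cisco WLC mobility and are an assumption to be verified against the release notes for the controllers in use.

```cisco
! Physical DMZ port carries only tagged subinterfaces
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
! Guest client VLAN: the anchor's dynamic (guest) interface lives here
interface GigabitEthernet0/2.10
 vlan 10
 nameif guest-dmz
 security-level 10
 ip address 192.0.2.1 255.255.255.0
!
! Anchor management VLAN: separate from guest traffic and from the inside
interface GigabitEthernet0/2.20
 vlan 20
 nameif anchor-mgmt
 security-level 20
 ip address 198.51.100.1 255.255.255.0
!
! Placeholder addresses for the anchor, the foreign WLC and the admin network
object network ANCHOR_WLC_MGMT
 host 198.51.100.10
object network FOREIGN_WLC_MGMT
 host 10.0.0.10
object network NET_ADMIN
 subnet 10.0.1.0 255.255.255.0
!
! Mobility must see the real management IPs: identity NAT between the two controllers
nat (inside,anchor-mgmt) source static FOREIGN_WLC_MGMT FOREIGN_WLC_MGMT destination static ANCHOR_WLC_MGMT ANCHOR_WLC_MGMT
!
! Traffic from inside toward the anchor: admin access and foreign-to-anchor mobility only
access-list INSIDE_IN remark Management access to the anchor WLC
access-list INSIDE_IN extended permit tcp object NET_ADMIN object ANCHOR_WLC_MGMT eq ssh
access-list INSIDE_IN extended permit tcp object NET_ADMIN object ANCHOR_WLC_MGMT eq https
access-list INSIDE_IN extended permit udp object NET_ADMIN object ANCHOR_WLC_MGMT eq snmp
access-list INSIDE_IN remark Foreign-anchor mobility (assumed classic EoIP mobility)
access-list INSIDE_IN extended permit udp object FOREIGN_WLC_MGMT object ANCHOR_WLC_MGMT eq 16666
access-list INSIDE_IN extended permit 97 object FOREIGN_WLC_MGMT object ANCHOR_WLC_MGMT
access-list INSIDE_IN extended deny ip any object ANCHOR_WLC_MGMT
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Traffic from the anchor management VLAN toward the inside: only the return leg of mobility
access-list ANCHOR_MGMT_IN remark Anchor-to-foreign mobility; nothing else from this VLAN reaches the inside
access-list ANCHOR_MGMT_IN extended permit udp object ANCHOR_WLC_MGMT object FOREIGN_WLC_MGMT eq 16666
access-list ANCHOR_MGMT_IN extended permit 97 object ANCHOR_WLC_MGMT object FOREIGN_WLC_MGMT
access-list ANCHOR_MGMT_IN extended deny ip any any
access-group ANCHOR_MGMT_IN in interface anchor-mgmt
```

The explicit deny on the anchor-mgmt interface is the point of the "behind bars" advice: if client traffic ever leaks out of the management interface, it still cannot reach the inside, and the guest-dmz VLAN has no rule toward the inside at all. If the guest VLAN needs DHCP or a web-auth portal on the trusted side, those would be added as separate, narrow permits on the relevant interface rather than by widening this list.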