Multisite Remote Border in DMZ

packet2020
Level 1

Hi All,

I am looking at adding a Multisite Remote Border for guest services to an existing fabric and trying to determine the best location for it in the network. As it acts like an anchor WLC, I'm suggesting installing it behind our firewall in a DMZ. Is that typically the recommended approach?

3 Replies

What you need are:
1) the "anchor" BN connected with 2 routed interfaces in the underlay
2) the L3 handoff to the FW, which is obviously connected to the FW

So if I understand correctly, with the above the anchor BN will be connected directly to the underlay, so what happens if the BN gets compromised for whatever reason, as the underlay communication will not be firewalled (so within the GRT)? From what I understand, the anchor BN is treated similarly to an anchor wireless controller, which would traditionally sit physically (including all network connectivity) behind a firewall in a DMZ. Is this not recommended for the anchor BN, or am I overlooking something? Hopefully that makes sense.

So if I understand correctly, with the above the anchor BN will be connected directly to the underlay, so what happens if the BN gets compromised for whatever reason, as the underlay communication will not be firewalled (so within the GRT)?
AO> Not sure I get your concern here: the BN got compromised (what do you mean exactly - a hacker got access to it?) because the GRT is not firewalled, or something else? I believe hackers will have more interesting targets in your network than the anchor BN. Just as a remark on the underlay being accessible in the GRT without limiting access to it: there is a good practice of protecting access to INFRA_VN (more or less aka the underlay GRT) on central FWs. It's not a panacea, but something more solid than an open GRT (in some accounts combined with a Corporate Office VRF :0)
---
From what I understand, the anchor BN is treated similarly to an anchor wireless controller, which would traditionally sit physically (including all network connectivity) behind a firewall in a DMZ.
AO> You still can place the underlay interfaces of the anchor BN in the DMZ, but you must consider permitting LISP/VXLAN (similar to what you would do for anchor/foreign WLCs to honour EoIP), MTU to honour VXLAN, the /32 RLOC appearance in the anchor site underlay, and FW performance (if it's a single FW processing both LISP/VXLAN - LISP is very chatty btw - and decapsulated guest traffic). Frankly speaking, I'm not familiar with such deployments. On the other hand, I saw quite safe legacy deployments where a single WLC just had guest traffic centralized in CAPWAP on itself and then just handed it over to an L2 interface in the DMZ (which is quite similar to the regular "anchor" BN design).
---
Is this not recommended for the anchor BN, or am I overlooking something?
AO> Honestly, I'm not familiar with Cisco recommended designs with the anchor BN fully placed in the DMZ. On the other hand, I'd try to be pragmatic in your case and would avoid overcomplicating things/overestimating "threats".
Speak with your InfoSec and suggest to them isolating INFRA_VN behind the FW, for example - it would be a trade-off between complexity and a reasonable security level.
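To make the checklist in the reply above concrete (permit LISP/VXLAN, honour the VXLAN MTU, make the /32 RLOC reachable, keep the GRT closed otherwise), here is a constructed IOS-XE style ACL and interface fragment for the case where the anchor BN's underlay interfaces sit in a DMZ. It is an added example, not from the thread or from Cisco's validated designs; every address, ACL name and interface name is an assumption, and a stateful firewall would express the same policy in its own syntax.

```cisco
! Constructed example, not from the thread. Assumed addresses:
!   10.255.0.1/32  anchor BN RLOC loopback (lives in the DMZ underlay)
!   10.255.1.0/24  DMZ point-to-point segment toward the anchor BN
!   10.0.0.0/24    fabric site underlay (INFRA_VN / GRT): edge and border RLOCs
!   10.0.0.10/32   fabric control-plane node RLOC
!
ip access-list extended DMZ_ANCHOR_BN_IN
 remark LISP control plane (UDP 4342): anchor BN registers/resolves with the CP node only
 permit udp host 10.255.0.1 host 10.0.0.10 eq 4342
 remark VXLAN data plane (UDP 4789): anchor BN <-> fabric edge/border RLOCs
 permit udp host 10.255.0.1 10.0.0.0 0.0.0.255 eq 4789
 remark anything else from the DMZ underlay into INFRA_VN/GRT is dropped and logged
 deny ip any any log
!
ip access-list extended DMZ_ANCHOR_BN_OUT
 remark return direction: CP node and fabric RLOCs toward the anchor BN
 permit udp host 10.0.0.10 host 10.255.0.1 eq 4342
 permit udp 10.0.0.0 0.0.0.255 host 10.255.0.1 eq 4789
 deny ip any any log
!
interface GigabitEthernet0/0/1
 description DMZ segment facing the anchor BN underlay interfaces
 ! VXLAN adds roughly 50 bytes of encapsulation; keep the underlay path at jumbo MTU
 mtu 9100
 ip address 10.255.1.1 255.255.255.0
 ip access-group DMZ_ANCHOR_BN_IN in
 ip access-group DMZ_ANCHOR_BN_OUT out
!
! The anchor BN's /32 RLOC must be reachable from the site underlay (the "/32 RLOC
! appearance" point above); a static route is the simplest way across a firewall.
ip route 10.255.0.1 255.255.255.255 10.255.1.2
```

The LISP control plane is chatty, so watch the firewall's per-flow and logging load on the UDP 4342 rules before enabling `log` on the permits as well.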