Asfandyar70754
Beginner

Data and management ports in Cisco WSA and SMA

Hey guys,

I am implementing Cisco's WSA & SMA and got a bit confused on the ports.

Initially I will need 2 ports on the Cisco WSA 395 from the switch, 1 for the Management port (M1) and 1 for the Proxy port (P1). Now I need to know if I should be using both Proxy ports or if only 1 would work effectively, and secondly what config will be needed on the switch end, all ports in the same VLANs, stuff like that.

Similarly I will need 2 ports for the Cisco SMA 395, 1 for the Management port and 1 for the Data port. But I have gone through the documents and there are 4-5 data ports and I want to know what port do I use?

Rob Ingram
VIP Expert

@Asfandyar70754 for the WSA, I have previously just used M1 for dedicated mgmt and P1 for proxy, these interfaces are in separate VLANs, with a different routing table.

 

The number of interfaces that you choose to connect and how you address them should be dictated by the complexity of your underlying network. It is not necessary to connect multiple interfaces if your network topology or data volumes do not call for it.

https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma12-0/user_guide/b_SMA_Admin_Guide_12_0/b_NGSMA_Admin_Guide_appendix_01111.html

 

Keep it simple, unless you've got specific rules to adhere to?


Thanks a lot for the reply. I will try the suggested solution from your link.

Hi Rob,

So this implementation is in a bank, so I was wondering if one Proxy port will be efficient or do I need to use both proxy ports. If yes, then they need to be in separate VLANs, right?

Hi @Asfandyar70754 Yes, connect M1, P1, and P2 to different subnets. Connect P2 to the internet to receive inbound internet traffic.

 

Thanks Rob.

I do have one more question, and that is why I need Cisco SMA. I mean, what does it achieve? We only have this Cisco WSA in our network.

I want to know if there is some sort of config pushing and stuff.

@Asfandyar70754 Sorry, but I've personally never used the SMA. 

 

It's the centralised management server to manage multiple WSA and/or ESA. It would certainly be worthwhile if you had multiple WSA to manage; in your scenario it may provide some additional reporting and threat analysis information that the WSA alone would not.

 

https://www.cisco.com/c/en/us/products/collateral/security/content-security-management-appliance/datasheet_C78-721194.html

 

Hey Rob,

I have a separate issue, I was going through Configuration guide and came across High availability.

I wanted to know if this HA option is for 2 WSAs or it is for 2 Proxy ports.

 

Hey guys I am looking to upload licenses on Cisco WSA 395 and SMA 395.

Our licenses are traditional, on the LRP portal, and we need to upload them on the WSA and SMA.

SMA is one management server to manage from a single pane of glass. It maintains one config for all the WSAs, so there is no need to configure locally, and it gives centralised reporting from all devices (especially logging and tracking).

If you have only 1 WSA in the network, it does not make any sense to use SMA (the use case is not valid), but if you are looking to add more and more WSAs and ESAs in the future, then deploy WSA and SMA now, so you do not need more tasks to be done at a later day.

 

BB


If you only have one WSA and/or one ESA, you don't need the SMA. Unless you have extraordinarily long log retention requirements.