Network Design -- Positioning of a WLC and ISE

whistleblower14
Level 1

Hi,

I'd like to ask a design-related question regarding the general positioning of a Wireless LAN Controller and an ISE NAC appliance in a network!
Would it be necessary/useful to secure the Wireless LAN Controller and/or the ISE from the rest of the network through a firewall, in which case all AP-relevant management and communication traffic and all authentication requests to the ISE would have to go through the firewall before reaching them?!
How do you basically handle that kind of design, or does anybody know if there are official design guides publicly published with a recommendation or suggestion?

Thanks for every kind of help in advance!

6 Replies

balaji.bandi
Hall of Fame

It all depends on what job the WLC does; is this for Guest Anchoring or Corporate WiFi?

I have attached a good CVD; it is an old one but still valid and good in most conditions (unless you are looking to deploy DNAC or SD-Access, which is a different case).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi

What do you mean by Guest Anchoring?

In the first instance there's only WLAN access for guests planned, using SMS for authentication! But in the future it could be possible that corporate devices will also use WLAN and 802.1X, for example.

You can see anchoring explained here:

https://mrncciew.com/2013/03/22/auto-anchor-mobility/

BB

Scott Fella
Hall of Fame
Every design is different. Some might have to place both in a DC, which might be FW'd from everything or open to some. What if you have local controllers and the ISE in a DC or multiple DCs? Just figure out what your plan or design is and then go assess it to see if you need to lock it down more, or maybe change where things will be located.
-Scott
*** Please rate helpful posts ***

Let's assume that both of the components are located in the HQ or DC; I think it wouldn't matter... The question is, would it make sense or is it useful if I put the APs in a different VLAN/IP subnet than the WLC and ISE and carry the management traffic like CAPWAP through a firewall to the controller (no local breakout or FlexConnect), and also route the authentication traffic from the WLC to the ISE through this firewall as well? In that case the WLC and ISE would have to be in different VLANs/IP subnets as well.
Or is it best practice to put the WLC and ISE in the same VLAN/IP subnet without any security from a firewall in between?

Well, in the majority of networks I have seen and deployed, the controllers are typically in the management subnet, APs are on their own AP subnet, and ISE is in the DC or a server/tools subnet. These can all be on a flat network and still work, but it's recommended that APs be on their own subnet if possible. I don't think it's necessary to have a FW in between the WLC and ISE, and it's really not necessary for the controllers and APs. You will have ACLs that you would implement to make sure certain subnets are allowed to manage ISE and the WLCs, as an example. This doesn't mean you need to have a FW.
Cisco has design guides for everything they have. Take a look here.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216120-ise-security-ecosystem-integration-guide.html#anc39

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-campus-lan-wlan-design-guide.html
-Scott
*** Please rate helpful posts ***
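As an added illustration of the ACL-based approach described in the answer above (this is an editor's example, not configuration from the thread or from Cisco's design guides): a Cisco IOS-style extended ACL set that keeps the WLC, APs and ISE in separate subnets and restricts which subnets may reach their management and service ports, with no firewall in the path. All addresses and VLAN numbers are constructed for the example; the port numbers are the platform defaults (CAPWAP control/data UDP 5246/5247, RADIUS authentication/accounting UDP 1812/1813, Cisco WLC RADIUS CoA UDP 1700, ISE guest portal TCP 8443). The weak alternative it replaces is a flat network with no ACL, where any host can reach the WLC and ISE GUIs and SSH.

```text
! Constructed addressing for this example (not from the thread):
!   10.10.10.0/24  network management subnet (admin workstations)
!   10.20.0.0/24   AP subnet (VLAN 20)
!   10.30.0.10     WLC management interface (VLAN 30)
!   10.40.0.10     ISE policy service node (VLAN 40)
!   10.50.0.0/24   guest client subnet (needs the ISE guest portal for SMS auth)

! --- Flat-network setting (weak): no ACL anywhere, so any host can open
! --- SSH/HTTPS to the WLC or ISE and any host can attempt CAPWAP joins.
! interface Vlan1
!  ip address 10.0.0.1 255.255.0.0

! --- Segmented setting: APs on their own subnet, only CAPWAP plus the
! --- discovery services an AP needs are allowed out of it.
ip access-list extended AP-SUBNET-IN
 remark CAPWAP control and data from APs to the WLC only
 permit udp 10.20.0.0 0.0.0.255 host 10.30.0.10 range 5246 5247
 remark DHCP, DNS and NTP so APs can discover the controller and check certificate validity
 permit udp 10.20.0.0 0.0.0.255 any eq 67
 permit udp 10.20.0.0 0.0.0.255 any eq 53
 permit udp 10.20.0.0 0.0.0.255 any eq 123
 deny   ip any any log

interface Vlan20
 description AP subnet
 ip address 10.20.0.1 255.255.255.0
 ip access-group AP-SUBNET-IN in

! --- WLC management interface: management only from the admin subnet,
! --- CAPWAP only from the AP subnet, CoA only from ISE.
ip access-list extended WLC-MGMT-OUT
 remark SSH and HTTPS to the WLC only from the management subnet
 permit tcp 10.10.10.0 0.0.0.255 host 10.30.0.10 eq 22
 permit tcp 10.10.10.0 0.0.0.255 host 10.30.0.10 eq 443
 remark CAPWAP from the AP subnet
 permit udp 10.20.0.0 0.0.0.255 host 10.30.0.10 range 5246 5247
 remark RADIUS Change of Authorization from ISE (Cisco WLC default port 1700)
 permit udp host 10.40.0.10 host 10.30.0.10 eq 1700
 deny   ip any host 10.30.0.10 log
 permit ip any any

interface Vlan30
 description WLC management
 ip address 10.30.0.1 255.255.255.0
 ip access-group WLC-MGMT-OUT out

! --- ISE: RADIUS from the WLC, admin access from the management subnet,
! --- guest portal from the guest client subnet, nothing else.
ip access-list extended ISE-SERVER-OUT
 remark RADIUS authentication and accounting from the WLC
 permit udp host 10.30.0.10 host 10.40.0.10 range 1812 1813
 remark ISE admin GUI and SSH only from the management subnet
 permit tcp 10.10.10.0 0.0.0.255 host 10.40.0.10 eq 22
 permit tcp 10.10.10.0 0.0.0.255 host 10.40.0.10 eq 443
 remark guest portal (SMS self-registration) from guest clients only
 permit tcp 10.50.0.0 0.0.0.255 host 10.40.0.10 eq 8443
 deny   ip any host 10.40.0.10 log
 permit ip any any

interface Vlan40
 description server/tools subnet
 ip address 10.40.0.1 255.255.255.0
 ip access-group ISE-SERVER-OUT out
```

The trailing `deny ... log` entries are what turn these ACLs into a detection source as well as a control: a CAPWAP join attempt from a host outside the AP subnet, or an SSH attempt to ISE from a user VLAN, shows up in the switch log rather than silently reaching the appliance. If the ISE deployment also uses TACACS+ for device administration, pxGrid, or posture redirects, those flows would need their own entries; the list above covers only the flows this thread discusses.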