11-08-2019 09:34 AM - edited 07-05-2021 11:16 AM
Hi, we have a diagram like the one I attached. The users need to go to the internet from their PCs, APs, switches etc. But we would like the first hop of user traffic to be at the firewall. That also means that when running tracert 8.8.8.8 on a PC, the first hop is the firewall. Can anyone give some suggestion on where we need to put the firewall? Thank you
11-08-2019 02:39 PM
Firewalls are generally deployed at the edge:
1. For securing the entire network it should be at the perimeter, that is between the ASR and the 7K (assuming that after the ASR it is the Internet or the MPLS cloud).
2. Why do you want to deploy the FW at the next level? Where are your WLC and other networks?
3. Or is this wireless external, or for internal users?
11-09-2019 08:58 PM
Thank you so much for your reply. I did not make it clear.
2. Why do you want to deploy the FW at the next level? Where are your WLC and other networks?
The two WLCs are connected to the two N7Ks.
3. Or is this wireless external, or for internal users?
The APs and users are internal and are behind the switches. If the first hop of the internal user traffic is at the firewall, it can prevent some security issues from inside.
11-10-2019 05:00 AM
Do you also have a perimeter FW?
Internal users should always be trusted; not sure how your authentication works for the wireless users?
11-10-2019 09:59 AM - edited 11-10-2019 10:00 AM
That is because the company has guest and inside wireless VLANs on the same AP. Its VLAN traffic needs to go through the firewall first, so the first hop is at the firewall. The network has a firewall located between the ASR and the N7K. Not sure about the relation of these VLAN connections among the N7K, the firewall and the 3750 switch from a wireless perspective.
11-10-2019 10:58 AM
You need to segment the traffic for the guest users, which do not need to access internal resources (unless some resource is required).
The corporate SSID can access internal resources.
In either case I would suggest having a separate segment FW; the ASA supports context-based FW, so you can do it both ways to protect external and internal.
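One way to build the segmentation recommended above, written here as an added example and not as configuration from anyone in this thread. It assumes an ASA (single context, or the inside context of a multi-context deployment) with a trunk to the N7K, VLAN 10 as the corporate wireless VLAN and VLAN 20 as the guest VLAN; the VLAN IDs and addresses are placeholders. The design point is that the guest VLAN's layer-3 interface lives only on the firewall (the N7K carries VLAN 20 at layer 2 and has no SVI for it), so the guest default gateway, and therefore the first hop in a tracert from a guest PC, is the firewall, and the guest ACL drops anything aimed at internal address space before it is routed.

```cisco
! Assumed trunk sub-interfaces toward the N7K (constructed example).
! Corporate wireless VLAN: higher security level, may reach internal resources.
interface GigabitEthernet0/1.10
 vlan 10
 nameif corp
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
! Guest wireless VLAN: its only gateway is this interface, so the firewall is
! the first hop for every guest packet. Do NOT configure an SVI for VLAN 20 on
! the N7K, or guest traffic would bypass the firewall.
interface GigabitEthernet0/1.20
 vlan 20
 nameif guest
 security-level 10
 ip address 10.20.0.1 255.255.255.0
!
! Hand out guest addresses from the firewall so the default gateway is 10.20.0.1.
dhcpd address 10.20.0.10-10.20.0.250 guest
dhcpd dns 8.8.8.8
dhcpd enable guest
!
! Internal address space that guests must never reach (RFC 1918).
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Guest policy: deny everything toward internal space, allow internet only.
access-list GUEST_IN extended deny ip any object-group RFC1918
access-list GUEST_IN extended permit tcp any any eq 80
access-list GUEST_IN extended permit tcp any any eq 443
access-list GUEST_IN extended permit udp any any eq 53
access-list GUEST_IN extended deny ip any any
access-group GUEST_IN in interface guest
!
! Corporate policy is left permissive here; tighten it to the resources actually needed.
access-list CORP_IN extended permit ip any any
access-group CORP_IN in interface corp
```

The explicit deny of RFC 1918 space sits before the permits so that even a guest host that learns an internal address cannot reach it, and the trailing deny makes the log show exactly what guests attempted. If the firewall is deployed as multiple contexts, this configuration belongs in the internal-segmentation context, separate from the perimeter context between the ASR and the N7K.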
11-11-2019 10:12 AM
Thank you very much. You are right.
Just one question: assume there is no firewall anywhere in the network. If a user PC tries to access the internet in that network, the first hop should be at the gateway, which is defined at the controller guest interface, or is it the guest VLAN interface IP address?