I have a WiSM farm with four WiSMs in a 6509. We installed a FWSM blade in the chassis at the last minute when we implemented this solution because our 6509 could not handle the PAT'ing. Right now the FWSM is a very simple setup - two VLANs, inside and outside, overloading to one IP address when leaving the chassis.
We're not really getting our money's worth out of the blade, and I would like to redesign it. The farm is connected via etherchannel to another 6509 which is a campus router with fiber to campus buildings, and the buildings have users, access points, etc. The access points have their own VLAN, so when they come online, they get an address and build a CAPWAP tunnel back to one of the WiSM controllers.
Each campus building has the same SSID name, but a different VLAN mapped to it for each building. Therefore, the WiSM farm has about 150 VLANs for the campus SSIDs.
I have a /24 global IP range I can allocate to the WiSM farm, so my thoughts are at the moment to take each VLAN and overload it to an IP address from the /24 range. I'm more of a L2/L3/802.11 guy than a security guy, so please pardon the "dumb questions".
Should I place a /30 between the campus router and WiSM farm? Or place the /24 there and trunk a VLAN to the WiSM farm?
I'm going to use a static route on the campus router to point the traffic to the WiSM farm. No need to put it into OSPF. (that's how it is now)
Is there anything else I should be considering? Haven't worked with the FWSMs much at all, and I didn't even do the initial configuration on it, either. I realize we're using an expensive blade at the moment for offloading PAT from the 6509, and would like to make much better use of the equipment.