08-24-2014 08:43 AM - edited 07-05-2021 01:25 AM
Good day all,
I am looking for some advice on appropriate IP subnet separation of the various Cisco Unified Wireless Infrastructure components. For example, would all components go on their own firewall secured IP subnets? Can some of the components be grouped together, would there be a performance advantage to that vs a security risk? Just so I am clear, the components I am referring to are WLC, ISE, MSE, and PRIME Infrastructure.
The environment, for context, is a Unified environment; all components are centralized in a single DC (datacenter), soon to be two DCs. 5508 controllers, 2504 controllers, 3495 security appliances, and 3300 series MSEs. The deployment model for now is (from the BYOD CVD) Basic Guest with two SSIDs (corporate and guest) and using a guest anchor in an internet DMZ.
08-24-2014 09:19 AM
It really varies, but it comes down to the basics: the security policy for the devices. I usually keep the APs in their own subnet, the WLC in the same subnet as the switches, and the MSE and PI in the server subnet. Wireless will always be on its own subnet, and guest, like you have, will be tunneled into its own subnet in the DMZ. Internal wireless should be a separate subnet from your wired side.
Scott
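As an added example (not from this thread, and not Cisco code), here is a small Python checker for the kind of layout Scott describes: APs in their own subnet, the WLC with the switches, MSE and PI in the server subnet, corporate wireless separate from wired, and guest tunneled to a DMZ subnet. The zone names, the sample RFC 1918 subnets, the "must be separate" rules and the DMZ block are all constructed assumptions; substitute your own plan.

```python
"""Sanity-check a proposed subnet plan for a Unified Wireless deployment.

Constructed example: zone names, subnets, separation rules and the DMZ
block are assumptions chosen to mirror the layout described in the reply.
"""
import ipaddress
from itertools import combinations

# Constructed sample plan: zone name -> list of IPv4 subnets.
SAMPLE_PLAN = {
    "access_points":      ["10.10.1.0/24"],
    "switches_and_wlc":   ["10.10.0.0/24"],
    "servers_mse_pi_ise": ["10.20.0.0/24"],
    "wired_clients":      ["10.30.0.0/22"],
    "wireless_corp":      ["10.40.0.0/22"],
    "dmz_guest":          ["192.168.100.0/24"],
}

# Zone pairs the reply says must never share address space (assumption).
MUST_BE_SEPARATE = [
    ("wireless_corp", "wired_clients"),
    ("wireless_corp", "dmz_guest"),
    ("access_points", "wireless_corp"),
]

# Constructed assumption: everything guest-facing must sit inside this block.
DMZ_RANGE = ipaddress.ip_network("192.168.100.0/22")


def _parse(plan):
    """Return ({zone: [ip_network, ...]}, [parse errors])."""
    parsed, errors = {}, []
    for zone, subnets in plan.items():
        nets = []
        for s in subnets:
            try:
                # strict=True rejects host bits set in the prefix (e.g. 10.0.0.1/24)
                nets.append(ipaddress.ip_network(s, strict=True))
            except ValueError as exc:
                errors.append(f"{zone}: {s!r} is not a valid subnet ({exc})")
        parsed[zone] = nets
    return parsed, errors


def validate_plan(plan, separate=MUST_BE_SEPARATE, dmz_range=DMZ_RANGE):
    """Return a list of human-readable violations; an empty list means the plan passes."""
    parsed, violations = _parse(plan)

    # 1. No two subnets anywhere in the plan may overlap (this also catches
    #    the same subnet being reused for two zones that must be separate).
    flat = [(zone, net) for zone, nets in parsed.items() for net in nets]
    for (za, na), (zb, nb) in combinations(flat, 2):
        if na.overlaps(nb):
            violations.append(f"{za} {na} overlaps {zb} {nb}")

    # 2. Every zone named in a separation rule must actually exist as its
    #    own entry; a zone that was collapsed into another one is a finding.
    for za, zb in separate:
        for zone in (za, zb):
            if zone not in parsed:
                violations.append(f"required zone {zone!r} missing from plan")

    # 3. The guest anchor subnet(s) must live inside the DMZ address block.
    for net in parsed.get("dmz_guest", []):
        if not net.subnet_of(dmz_range):
            violations.append(f"dmz_guest {net} is outside DMZ block {dmz_range}")

    return violations


if __name__ == "__main__":
    problems = validate_plan(SAMPLE_PLAN)
    print("OK" if not problems else "\n".join(problems))
```

Run it against the plan before it is configured; a plan that reuses a wired /22 for corporate wireless, drops the guest subnet outside the DMZ block, or forgets a zone entirely comes back with a violation line for each problem.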
08-24-2014 09:23 AM
Thanks Scott, I am assuming too (given the security issues) that an authentication and security control component like ISE should be isolated in its own firewalled subnet?
08-24-2014 09:43 AM
ISE doesn't have to be in its own subnet. You can keep it in the server subnet if you like, or the same subnet as PI if you want.
Scott