Appropriate addressing (subnet separation) for Unified Wireless Infrastructure components.
Good day all,
I am looking for some advice on appropriate IP subnet separation of the various Cisco Unified Wireless Infrastructure components. For example, would all components go on their own firewall-secured IP subnets? Can some of the components be grouped together, and would there be a performance advantage to that versus a security risk? Just so I am clear, the components I am referring to are WLC, ISE, MSE, and PRIME Infrastructure.
The environment, for context, is a Unified environment; all components are centralized in a single DC (datacenter), but soon to be two DCs. 5508 controllers, 2504 controllers, 3495 security appliances, and 3300 series MSEs. The deployment model for now is (from the BYOD CVD) Basic Guest with two SSIDs (corporate and guest), using a guest anchor in an internet DMZ.
It really varies, but it comes down to the basic security policy for the devices. I usually keep the APs in their own subnet, the WLC in the same subnet as the switches, and the MSE and PI in the server subnet. Wireless will always be on its own subnet and guest, like you have, will be tunneled into its own subnet in the DMZ. Internal wireless should be on a separate subnet from your wired side.
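One way to sanity-check a proposed address plan against the separation described in the reply above, as an added example that is not from this thread or from Cisco; the zone names and addresses are constructed placeholders, and the rules encode only the placements the reply states (APs alone, WLC with the switches, MSE and PI together in the server subnet, internal wireless apart from wired, guest in the DMZ):

```python
import ipaddress

# Constructed sample address plan (hypothetical addresses, not from the thread).
# Each zone is one subnet; each component is placed in exactly one zone.
PLAN = {
    "zones": {
        "ap_mgmt":     "10.10.10.0/24",   # APs on their own subnet
        "switching":   "10.10.20.0/24",   # WLC management alongside the switches
        "servers":     "10.10.30.0/24",   # MSE and Prime Infrastructure
        "wired_users": "10.10.40.0/22",   # wired client side
        "wifi_corp":   "10.20.0.0/22",    # internal wireless, separate from wired
        "dmz_guest":   "192.0.2.0/24",    # guest traffic anchored into the DMZ
    },
    "components": {
        "AP": "ap_mgmt", "WLC": "switching", "MSE": "servers", "PI": "servers",
        "wired_clients": "wired_users", "corp_wifi_clients": "wifi_corp",
        "guest_wifi_clients": "dmz_guest",
    },
}

# Separation rules taken from the reply: pairs that must NOT share a zone.
MUST_BE_SEPARATE = [
    ("AP", "WLC"), ("AP", "wired_clients"), ("AP", "corp_wifi_clients"),
    ("corp_wifi_clients", "wired_clients"),
    ("guest_wifi_clients", "corp_wifi_clients"), ("guest_wifi_clients", "wired_clients"),
]
MUST_SHARE = [("MSE", "PI")]   # both belong in the server subnet
GUEST_ZONE_PREFIX = "dmz_"     # guest clients must land in a DMZ zone

def check_plan(plan):
    """Return a list of violations; an empty list means the plan passes."""
    problems = []
    # strict=True rejects a prefix with host bits set (a common plan typo).
    nets = {z: ipaddress.ip_network(c, strict=True) for z, c in plan["zones"].items()}
    # 1. No two zones may overlap; an overlap silently merges two security zones.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"overlap: {a} {nets[a]} and {b} {nets[b]}")
    # 2. Placement rules from the reply.
    comp = plan["components"]
    for x, y in MUST_BE_SEPARATE:
        if comp[x] == comp[y]:
            problems.append(f"{x} and {y} share zone {comp[x]}")
    for x, y in MUST_SHARE:
        if comp[x] != comp[y]:
            problems.append(f"{x} and {y} should share the server zone")
    if not comp["guest_wifi_clients"].startswith(GUEST_ZONE_PREFIX):
        problems.append("guest clients are not in a DMZ zone")
    return problems
```

Run `check_plan(PLAN)` before committing a VLAN/SVI design; a non-empty result names the zone pair that breaks the intended separation.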