Can you give your opinion on how secure it is to connect a WLC-based wireless LAN to an existing LAN, where wireless traffic goes through a firewall in order to reach the server farm, but only through an ACL for wireless-to-wired LAN access? Please share your experience of existing network designs; I have seen that in high-security environments they make their wireless network completely isolated.
For employee traffic, you can route it from AP -> Local WLC -> Core network and route it as required.
For guest user traffic: AP -> Foreign WLC -> via mobility tunnel -> Anchor controller in DMZ (behind the FW)
You have to open the following ports on your network at the required devices given below:
You must enable these ports:
Enable these UDP ports for LWAPP traffic:
Data - 12222
Control - 12223
Enable these UDP ports for CAPWAP traffic:
Data - 5247
Control - 5246
Enable these UDP ports for Mobility traffic:
16666 - Secured Mode
16667 - Unsecured Mode
Mobility and data messages are usually exchanged through EtherIP packets. IP protocol 97 must be allowed on the firewall to allow EtherIP packets. If you use ESP to encapsulate mobility packets, you have to permit ISAKMP through the firewall when you open UDP port 500. You also have to open the IP protocol 50 to allow the encrypted data to pass through the firewall.
These ports are optional (depending on your requirements):
TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
UDP 69 for TFTP
TCP 80 and/or 443 for HTTP or HTTPS for GUI access
TCP 23 and/or 22 for Telnet or secure shell (SSH) for CLI access
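The port list in the answer above is the kind of thing that gets transcribed into a firewall ACL and then drifts. As an added example (not code from the original post or from Cisco), here is a small Python audit that parses a constructed, ACL-style rule set, checks it against the CAPWAP/LWAPP, mobility and EtherIP/ESP requirements quoted above, and flags any clear-text management protocols (Telnet, HTTP, TFTP) or the unsecured mobility port that the rule set happens to permit. The rule syntax, addresses and sample rules are assumptions made for the example; the port numbers come from the answer.

```python
"""Audit an ACL-style rule set against the WLC port requirements in the answer above.

Constructed example: the rule syntax ("permit|deny <proto> <src> <dst> [eq <port>]")
and the sample addresses are invented for illustration; the port numbers are the
ones listed in the post.
"""
import re
from dataclasses import dataclass
from typing import Optional

# (protocol, port, label).  IP protocols that carry no port use port None.
CAPWAP = [("udp", 5247, "CAPWAP data"), ("udp", 5246, "CAPWAP control")]
LWAPP = [("udp", 12222, "LWAPP data"), ("udp", 12223, "LWAPP control")]
MOBILITY_SECURED = [("udp", 16666, "mobility (secured)")]
MOBILITY_UNSECURED = [("udp", 16667, "mobility (unsecured)")]
ETHERIP = [("97", None, "EtherIP (IP protocol 97)")]
ESP = [("udp", 500, "ISAKMP"), ("50", None, "ESP (IP protocol 50)")]

# Optional management flows from the answer that travel in clear text.  The audit
# reports them if the rule set permits them, so the reviewer can decide whether
# SSH/HTTPS should replace them.
CLEARTEXT_MGMT = {("tcp", 23): "Telnet", ("tcp", 80): "HTTP", ("udp", 69): "TFTP"}

ACL_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?$")


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "udp", "tcp", "ip" (any) or an IP protocol number as text
    src: str
    dst: str
    port: Optional[int]  # None means "any port" / protocol without ports


def parse_acl(text: str) -> list:
    """Parse the constructed ACL syntax; lines starting with '!' are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ACL line: {line!r}")
        action, proto, src, dst, port = m.groups()
        rules.append(Rule(action, proto.lower(), src, dst, int(port) if port else None))
    return rules


def permits(rules: list, proto: str, port: Optional[int]) -> bool:
    """First-match semantics with an implicit deny at the end, as on most ACLs."""
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "permit"
    return False


def audit(rules: list, *, lwapp: bool = False, mobility_secured: bool = True,
          esp: bool = False) -> dict:
    """Return the required flows the rule set is missing and the risky ones it allows."""
    needed = list(CAPWAP) + ETHERIP
    if lwapp:
        needed += LWAPP
    needed += MOBILITY_SECURED if mobility_secured else MOBILITY_UNSECURED
    if esp:
        needed += ESP
    missing = [label for proto, port, label in needed if not permits(rules, proto, port)]
    insecure = [name for (proto, port), name in CLEARTEXT_MGMT.items()
                if permits(rules, proto, port)]
    if not mobility_secured:
        insecure.append("mobility (unsecured)")
    return {"missing": missing, "insecure": insecure}


# Constructed sample: AP/WLC subnet 10.10.0.0/16 talking to a controller at
# 10.20.0.5; the management subnet 10.30.0.0/24 still has Telnet open.
SAMPLE_ACL = """\
! constructed example rule set
permit udp 10.10.0.0/16 10.20.0.5 eq 5246
permit udp 10.10.0.0/16 10.20.0.5 eq 5247
permit udp 10.10.0.0/16 10.20.0.5 eq 16667
permit 97 10.10.0.0/16 10.20.0.5
permit tcp 10.30.0.0/24 10.20.0.5 eq 23
permit tcp 10.30.0.0/24 10.20.0.5 eq 22
deny ip any any
"""

if __name__ == "__main__":
    report = audit(parse_acl(SAMPLE_ACL))
    print("missing required flows:", report["missing"])
    print("clear-text / unsecured flows permitted:", report["insecure"])
```

On the sample rule set the audit reports that the secured mobility port (UDP 16666) is not permitted (only the unsecured 16667 is) and that Telnet is open; the `lwapp`, `mobility_secured` and `esp` switches let you match the check to whichever of the answer's options your deployment actually uses.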