I know general Cisco design shows WLCs connected on the internal LAN and then connected to guest anchor in DMZ over EOIP tunnel. Our security folks have a problem with this and asked if it is possible to have all the WLCs in the DMZ. They are worried that if something gets misconfigured by mistake on internal WLC then all guests would have access to internal resources - not good!
If you misconfigure a firewall, the whole world can get in! I can understand where they're coming from, but if you can't trust your staff / contractors to do the job properly, then you'll never get anywhere.
Yes, you can have everything firewalled off, just make sure you open the right ports!
Presuming there are no restrictions between your two WLCs, then you only need to consider AP - WLC comms. Read the LWAPP guides for full info on this.
What are you going to do with your clients? Will they all end up in the DMZ, or do you plan on trunking a load of VLANs to the WLC, some from trusted networks, and some from DMZs?
Very thoughtful answer - thanks. My clients (both employees and guests) only need access to the internet. In the case of employees, they can start up a VPN if they want to get access to internal resources via the VPN gateway (not very efficient, I know, but we may deploy HREAP in a future rollout).
So I gather from your response that the primary reason Cisco design shows main WLC on the internal LAN is that employee traffic can go directly to an internal VLAN from there? Is there any other major consideration?
I'm trying to give our security guys a good enough reason to allow it.
What I usually do in this scenario is create a VLAN with the only routable interface being on the firewall. I then have the Guest WLAN on this VLAN and connect a firewall interface to this VLAN. This way the clients have no access to internal resources; they have to use the firewall as their layer 3 interface. I then use the web authentication feature in the WLC for Guest access (Username/Pass/Timeouts etc).
An example would be like this: create a VLAN on your switches, e.g. VLAN 900. I create a Guest WLAN on the controller on VLAN 900, IP of whatever, 172.16.1.10, then I create a subinterface on the firewall trunked to VLAN 900. I assign the firewall interface the address 172.16.1.1 or similar and then tell the WLC the default gateway for the WLAN is this address. Hope this makes sense.
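The design in the post above (guest VLAN 900 with the firewall as its only layer 3 hop, WLC interface 172.16.1.10, gateway 172.16.1.1), written out as an added configuration example. This is not from the original poster and not Cisco's documented sample; it assumes a Cisco IOS access switch, a Cisco ASA firewall and an AireOS WLC, and the interface names, the GUEST-IN / INSIDE-IN ACL names, the internal address ranges and the <WLC-MGMT-IP> / <AP-SUBNET> placeholders are all made up here. The INSIDE-IN rules at the end cover the AP-to-WLC point raised earlier in the thread (WLC in the DMZ, APs on the inside): the UDP port pairs are the standard CAPWAP (5246/5247) and LWAPP (12222/12223) ports, which the thread itself does not list.

```cisco
! ---- Access switch (Cisco IOS) ----
! VLAN 900 is a pure layer 2 VLAN: no SVI, so the switch never routes guest traffic.
vlan 900
 name GUEST-WLAN
!
interface GigabitEthernet1/0/1
 description Trunk to WLC (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 900
!
interface GigabitEthernet1/0/2
 description Trunk to firewall (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 900

! ---- Firewall (Cisco ASA) ----
! Subinterface on VLAN 900 is the only routable interface for guest clients.
interface GigabitEthernet0/1.900
 vlan 900
 nameif guest
 security-level 10
 ip address 172.16.1.1 255.255.255.0
!
! Placeholder internal ranges: replace with the real internal address space.
object-group network INTERNAL-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Guest clients may reach the internet but nothing internal. A misconfigured
! WLC cannot change this, because the WLC has no path except through this ACL.
access-list GUEST-IN extended deny ip any object-group INTERNAL-NETS
access-list GUEST-IN extended permit ip any any
access-group GUEST-IN in interface guest
!
! If the WLCs themselves sit in the DMZ, APs on the inside still need to
! reach the WLC management address for CAPWAP (5246 ctrl / 5247 data) or,
! on older code, LWAPP (12222 data / 12223 ctrl). <WLC-MGMT-IP> and
! <AP-SUBNET> are placeholders.
access-list INSIDE-IN extended permit udp <AP-SUBNET> 255.255.255.0 host <WLC-MGMT-IP> range 5246 5247
access-list INSIDE-IN extended permit udp <AP-SUBNET> 255.255.255.0 host <WLC-MGMT-IP> range 12222 12223
access-group INSIDE-IN in interface inside

! ---- WLC (AireOS CLI, assumed syntax) ----
! Dynamic interface on VLAN 900 with the firewall subinterface as its gateway,
! mapped to the guest WLAN (WLAN id 2 is assumed) with web authentication on.
config interface create guest 900
config interface address guest 172.16.1.10 255.255.255.0 172.16.1.1
config wlan interface 2 guest
config wlan security web-auth enable 2
```

The check worth doing after this is in place is from a guest client: the only reachable address on 172.16.1.0/24 should be 172.16.1.1, and anything in INTERNAL-NETS should be dropped by the firewall, regardless of what the WLC's interface or ACL configuration says.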