Cisco Support Community


Controller Placement internal or DMZ?

I know general Cisco design shows WLCs connected on the internal LAN and then connected to guest anchor in DMZ over EOIP tunnel. Our security folks have a problem with this and asked if it is possible to have all the WLCs in the DMZ. They are worried that if something gets misconfigured by mistake on internal WLC then all guests would have access to internal resources - not good!

Any ideas about this? Pros and cons?




Re: Controller Placement internal or DMZ?

If you misconfigure a firewall, the whole world can get in! I can understand where they're coming from, but if you can't trust your staff / contractors to do the job properly, then you'll never get anywhere.

That said...

Yes, you can have everything firewalled off, just make sure you open the right ports!

Presuming there are no restrictions between your two WLCs, then you only need to consider AP-WLC comms. Read the LWAPP guides for full info on this.

What are you going to do with your clients? Will they all end up in the DMZ, or do you plan on trunking a load of VLANs to the WLC, some from trusted networks, and some from DMZs?
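The "open the right ports" step from the reply above, written out as an added example (not from the thread): an ASA rule set that lets APs on the inside reach a WLC that has been placed in the DMZ. Every object name, interface name and address is an assumption; the port numbers are the documented LWAPP (UDP 12222 data, 12223 control) and CAPWAP (UDP 5246 control, 5247 data) ports.

```cisco
! Added example, not the poster's configuration. Names and addresses are assumptions:
!   inside  = 10.10.0.0/16, APs on 10.10.20.0/24
!   dmz     = 192.0.2.0/24, WLC management interface at 192.0.2.10
object network AP_SUBNET
 subnet 10.10.20.0 255.255.255.0
object network WLC_MGMT
 host 192.0.2.10
!
! LWAPP uses UDP 12222 (data) and 12223 (control); CAPWAP on later code uses
! UDP 5246 (control) and 5247 (data). Allow both so a code upgrade does not break joins.
object-group service AP_TO_WLC udp
 port-object eq 12222
 port-object eq 12223
 port-object eq 5246
 port-object eq 5247
!
! Only the AP subnet may tunnel to the controller; nothing else on the inside
! may talk to the WLC management address (admin access would need its own line).
access-list INSIDE_IN extended permit udp object AP_SUBNET object WLC_MGMT object-group AP_TO_WLC
access-list INSIDE_IN extended deny ip any object WLC_MGMT
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Check: "show access-list INSIDE_IN" should show hit counts climbing on the
! permit line while APs join; "show ap join stats summary all" on the WLC
! reports join failures if a port is still blocked.
```

Because all client data is tunnelled inside LWAPP/CAPWAP to the controller, the APs themselves need nothing beyond these ports (plus DHCP/DNS to discover the WLC); the client VLANs only exist where the WLC's trunk lands.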


Re: Controller Placement internal or DMZ?

Very thoughtful answer - thanks. My clients (both employees and guests) only need access to the internet. In the case of employees, they can start up a VPN if they want to get access to internal resources via the VPN gateway. (Not very efficient, I know, but we may deploy HREAP in a future rollout.)

So I gather from your response that the primary reason Cisco design shows main WLC on the internal LAN is that employee traffic can go directly to an internal VLAN from there? Is there any other major consideration?

I'm trying to give our security guys a good enough reason to allow it.

Thanks for your help - much appreciated....



Re: Controller Placement internal or DMZ?

What I usually do in this scenario is create a VLAN with the only routable interface being on the firewall. I then have the Guest WLAN on this VLAN and connect a firewall interface to this VLAN. This way the clients have no access to internal resources; they have to use the firewall as their layer 3 interface. I then use the web authentication feature in the WLC for Guest access (username/password/timeouts etc.).

An example would be like this: create a VLAN on your switches, e.g. VLAN 900. I create a Guest WLAN on the controller on VLAN 900, IP of whatever, then I create a subinterface on the firewall trunked to VLAN 900. I assign the firewall interface the address or similar and then tell the WLC the default gateway for the WLAN is this address. Hope this makes sense.
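The design in the post above (guest VLAN whose only routed hop is the firewall, web-auth on the WLC), carried through as an added example that is not the poster's own configuration. VLAN 900 is taken from the post; the interface names, the 192.0.2.0/24 addressing, the WLAN id and the DHCP scope are assumptions, and the controller commands are AireOS CLI whose exact syntax varies by release, so verify them against yours.

```cisco
! ---- Switch (IOS): VLAN 900 is layer 2 only, no SVI ---------------------------
vlan 900
 name GUEST-WIFI
!
! The security property of the design: the switches must NOT route this VLAN.
no interface Vlan900
!
interface GigabitEthernet1/0/1
 description trunk to WLC (add the WLC management VLAN to the allowed list)
 switchport mode trunk
 switchport trunk allowed vlan 900
!
interface GigabitEthernet1/0/2
 description trunk to firewall
 switchport mode trunk
 switchport trunk allowed vlan 900

! ---- Firewall (ASA): subinterface is the guests' default gateway --------------
interface GigabitEthernet0/1.900
 vlan 900
 nameif guest
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
! Guests get the Internet only. Deny RFC1918 explicitly rather than relying on
! security levels, so a later "permit" for some other purpose cannot open the LAN.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list GUEST_IN extended deny ip any object-group RFC1918
access-list GUEST_IN extended permit udp any any eq domain
access-list GUEST_IN extended permit tcp any any eq www
access-list GUEST_IN extended permit tcp any any eq https
access-group GUEST_IN in interface guest

! ---- Controller (AireOS CLI, assumed syntax) ----------------------------------
! Dynamic interface on VLAN 900, gateway = the firewall subinterface above
config interface create guest 900
config interface address dynamic-interface guest 192.0.2.2 255.255.255.0 192.0.2.1
config interface port guest 1
!
! Hand out guest addresses from the WLC's own scope so no DHCP relay has to
! cross the firewall (assumption: no external DHCP server for guests).
config dhcp create-scope guest
config dhcp network guest 192.0.2.0 255.255.255.0
config dhcp address-pool guest 192.0.2.50 192.0.2.250
config dhcp default-router guest 192.0.2.1
config dhcp enable guest
config interface dhcp dynamic-interface guest primary 192.0.2.2
!
! Guest WLAN bound to that interface, web authentication, one-hour sessions
config wlan create 2 Guest Guest
config wlan interface 2 guest
config wlan security web-auth enable 2
config wlan session-timeout 2 3600
config wlan enable 2
!
! Checks: on the switch, "show ip interface brief | include Vlan900" must
! return nothing; from a guest client, a traceroute to an internal address
! should stop at 192.0.2.1 and "show access-list GUEST_IN" should show the
! deny line's hit count incrementing.
```

The point of the explicit RFC1918 deny is the misconfiguration case the security team raised: even if someone later maps a corporate WLAN onto the wrong VLAN, the only layer 3 hop out of VLAN 900 is an interface whose policy refuses internal destinations.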