4400 Controllers - Best Practise for connecting to wired network
At one time the best practise recommendation for wireless was to treat the traffic as untrusted and separate it from the wired network by firewalls and intrusion detection. A lot of the reason for this was the weakness of WEP. Now with strong authentication and encryption (e.g., WPA2 and EAP-TLS) in use, and the use of wireless controllers, I'm wondering what the industry is recommending (and doing in case the actions aren't the same as the recommendations).
Are organizations connecting the wireless controllers directly to the internal network or are they separating them with a firewall and IDS infrastructure? If the latter, what does the architecture look like? Are there documents on the Cisco site or on the Internet that show how the controllers could be firewalled? Everthing I've seen shows connections directly to the internal network. Is firewalling the controller an overreaction to the historical paranoia from the WEP days?
Re: 4400 Controllers - Best Practise for connecting to wired net
The argument would be that regardless of what security you put on the wireless, you still don't have the physical security - i.e. someone doesn't need to walk into your building to use your network.
Beyond that if you're using strong auth/enc you can currently be considered safe, we have customers using that direct into their LANs (but then, we also have customers with WEP direct into their LANs!)...
If you are concerned or really need belt 'n' braces security, then go down the firewall/IDS route - there's no harm in it if you have the money. It really depends how much functionality and ease of use you need to balance against it.
Please rate helpful posts
Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
IntroductionHow to use the Wireless LAN Controller Configuration Analyzer (WLCCA)
Javier Contreras is a Senior Tech Lead for the Wireless Business Unit in Cisco, with over 2 decades of experi...
< PRE >
(#)For this reason being that : - application that doesn't use multicast, sends one copy of each packet ( data unit of traffic at layer 3 ) to each client (" who seeks the traffic ).- application that does use multicast, sends ...
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...