One of the things that always bothers me about (including the many different ways of) deploying guest wireless is the need to have a VLAN that contains untrusted guest traffic on the same switches that carry trusted corporate traffic.
Given that the deployment model for a site with local internet break-out such as H-REAP requires the VLAN to be on multiple switches what are the recommendations and best practices to make the chance of someone breaking out of this guest VLAN nil?
Is this a viable model for a high security environment (like a bank or defence company)
Whilst my perception is that the biggest risk here is that someone unintentionally / mistakenly creates a L3 interface on the VLAN e.g. to provide DHCP services the same as all the corporate VLANs, I am also concerned that there is the possibility that someone could potentially attack the devices / switches and configure their way out of the VLAN.
I know there are several ways to get around this (like using the anchor controller) but that doesn't always work.
With anything short of physically separate infrastructure, there's always the risk of an accidental Config error causing you problems... It sounds to me like you probably already know about ACLs, VLANs, VRFs, SGT, Anchor Controllers, Private VLANs, DHCP Snooping, etc etc.... So what exactly are you looking for? All approaches (industry best practise, or otherwise) are all about mitigating risk and balancing effort, complexity and cost. Which of these factors is more important to you?
1) Can I be confident that logical VLAN seperation provides "enough" security and the answer to that really is dependent upon how well and robustly the infrastructure components (AP, WLC, switch) are tested to manage the attack vectors, for example the obvious one being to encapsulate with VLAN tagging, do all the devices "deny" the possibility to spoof the vlan and so on...
2) In terms of configuration - is there something I havent thought of that is a (easy ?) way to not have the untrusted data directly touching the VLAN (e.g. tunnelling or something) between the AP and the local internet break-out (like an anchor controller but without the need to deploy WLCs in every branch) - which would effectively mean it didn't matter if the switch was misconfigured or a bug allowed crafted packets to break the switch or break the security as there's a "buffer" between the guest wireless traffic and the switch.
But I guess as a side question - is there a way to protect against mis-configuration (other than adding a note on the vlan saying "Dont configure a layer 3 address on this VLAN" - VRF Lite could be an option but as you say - quite a bit of overhead.
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...
This is the start of a display filter cross reference between Wireshark and OmniPeek.
The 1st installment is a table of advanced filters. More filters will be added as time allows.
It is a living doc, so check back for changes every so often
Please feel ...
I have created a Powershell script to automatically add a Wireless Guest User on Cisco WLCs. (tested on 2500 Series)
The script should be completely self explanatory.
Powershell SNMP Module (Install-Module -Name SNMP)
SNMP Write Access to...