
Wireless Guestnet DMZ vs local guestnet traffic

herby.bercy
Level 1

I'm trying to find solid reasons why the recommended approach for a guestnet environment using anchor controllers in DMZ is more secure than local wireless guestnet running on its own local separate VLANs.

Other than ease of management and removing local guestnet traffic from network via EOIP tunnel out to DMZ, what are some of the better points for this change? What are the security risks of local guestnet traffic?

Thanks

3 Replies

Stephen Rodriguez
Cisco Employee

You've really hit the nail on the head already.

Basically it's about pushing the untrusted traffic out to the DMZ where they have to traverse the firewall to get to anything inside.

Steve


HTH,
Steve


George Stefanick
VIP Alumni

What you outlined are the main reasons. Personally, it's a personal decision. Security upsell is the guest traffic never touches your switch fabric until the DMZ. Either solution is fine. If you do get hit with an audit and the auditor is well versed with guest services, he could recommend the anchor in the report.


"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

herby.bercy
Level 1

Thanks guys!

I was thinking using anchor controllers in DMZ allows for easier managing, troubleshooting, upgrading and gives the ability to implement the ISE infrastructure.

A route we may definitely use, and we want to make sure we are in the best position to take advantage.
